There's a growing number of merchants contacting us asking for help in filling out their PCI Self-Assessment Questionnaire (SAQ) forms. We can empathize with anyone going through this certification process, as it is also something we have to endure every year as a mandatory part of our card processing service. Our PCI Certification accreditation information can be found here. The QSA auditors really want you to take the time and think hard about your systems and how your organization interacts with credit card data, specifically credit card numbers.
Many of the important documents you'll need can be found on the PCI Security Standards Document Library page. One document you will find critical in planning and determining the amount of effort you'll need is:
- Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire Instructions and Guidelines, Version 2.0
Finding Your Applicable Category
Check out page 12, Selecting the SAQ and Attestation that Best Apply to Your Organization. As they instruct, "Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ."
Here's a screenshot of the most recent version to give you a brief intro:
The PCI Security Standards Document Library page contains links to each category's Self-Assessment Questionnaire.
Applicability to E-xact
It's critical that Merchants evaluate their whole payment solution, as E-xact may only be a part of a broader payment system. For those Merchants that only use E-xact, here are some guidelines for choosing the appropriate SAQ:
- If the organization does not see, touch, or key-in any credit card numbers AND the only service used to take payment is the Hosted Payment Page service, then Category A may be applicable. There can be NO keying in of any credit card numbers within the Realtime Payment Manager application either through Virtual Point of Sale, Quick Key, or Recurring.
- If your organization is using any of the Virtual Point-of-Sale functionality, including Quick Key or Recurring, then Category C-VT may be the most applicable.
- If your organization is using our Web Service API, then Category D may be the most applicable.
If you have any questions about E-xact's Services and their applicability to the SAQs, send an email to our Support Team and we'll do our best to steer you. Your best reference is always the PCI Security Standards Organization website; seek clarity there.