How to complete SAQ B-IP

SAQ B-IP is the PCI DSS Self-Assessment Questionnaire for merchants whose only card processing runs through standalone, PTS-approved point-of-interaction (POI) terminals that connect to the payment processor over an IP network, and who do not store cardholder data electronically.

How do I start? 

Paystri has partnered with SecureTrust to provide the tools to complete the SAQ online and to schedule any necessary scans. You should receive an email when it is time to attest to your annual compliance; to do so, log in to the SecureTrust Portal.

If this is your first time completing your PCI SAQ, you will need to complete your business profile. You only need to do this once: the information is saved for next year, and you can simply update it if something has changed.

Select Manage on the business profile section to begin.

You will be taken to a page detailing the next steps. Click Next until you are asked to pick an assessment method. Choose Expert, then click Next.

You will need to select your PCI DSS compliance assessment type. For CCI merchants, choose type B-IP: card-present, using standalone terminals, with all cardholder data functions fully outsourced to a PCI DSS validated third-party service.

When asked if your compliance assessment requires scanning, answer by choosing "No."

Third-party payment service providers

When asked if your company shares cardholder data with third-party providers or uses more than one acquirer, answer "No."

Next, it will ask if you enforce a minimum password length of seven characters. Answer "Yes." A password policy that meets PCI DSS v4.0 Requirement 8.3.6 (at least 12 characters, or 8 where a system cannot support 12) more than satisfies this question.

Third Party Managed System Service Providers

When asked if your company has relationships with one or more third-party service providers that manage system components, answer "No."

Other third-party service providers that may impact card data security

When asked if your company has relationships with other third-party service providers, answer "No."

When you arrive at the summary page, hover over the orange question marks for additional details on each description box. See below for some examples of what information to include.

Your next steps

Once you've completed the above steps, your next step is to complete your PCI compliance questionnaire.

Completing your Self-Assessment Questionnaire

The answers you provide in the business profile determine which Self-Assessment Questionnaire (SAQ) you need to complete. Those answers are used to pre-fill the SAQ as far as possible, but there will still be a handful of questions you need to answer yourself.

On your dashboard, under the Complete security assessment section, select Manage, then choose Answer Now.

The rest of the questions will be about your specific business practices, computer use and security, and physical security. If you need clarification on a question, there will be a blue information box with additional details. You can also call SecureTrust at 1-800-363-1621 for assistance.

What to Expect When Completing PCI SAQ B-IP

Questions are divided into seven sections. The SAQ B-IP is designed for merchants using standalone terminals who have outsourced all cardholder data functions to third-party service providers. You should be answering "Yes" to most if not all questions, indicating compliance with the PCI DSS requirements. Keep in mind that the SAQ is an attestation: "Yes" means the control is actually in place at your business, so if a control described below is not in place, put it in place before attesting rather than answering "Yes" regardless. Below is a guide on how to approach the questions and why each one should be a "Yes".

This is what the opening dashboard looks like, and you will notice it lists the number of questions in each section. As you go through each section it is a good practice to check that all questions have been answered in each section before moving to the next section.

Question 1.2.3

Why You Should Answer "Yes"

  • An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks: The diagram is how you know which networks touch the CDE and therefore which connections must be controlled; it is also the first thing you need in the event of a breach, so you can check every path into and out of the system.

    These practices maintain secure access and comply with PCI DSS requirements.

Question 1.2.5

Why You Should Answer "Yes"

  • All services, protocols and ports allowed are identified, approved, and have a defined business need: Defined business needs and approvals for all services, protocols and ports help to keep systems hardened and secure.

    These practices maintain secure access and comply with PCI DSS requirements.

 

 

Question 1.2.6

Why You Should Answer "Yes"

  • Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated: In some instances insecure services or protocols may be used within a network that require security features to mitigate that risk.

    These practices maintain secure access and comply with PCI DSS requirements.

 

 

Question 1.3.1

Why You Should Answer "Yes"

  • Inbound traffic to the CDE is restricted to only traffic that is necessary: In a B-IP environment the terminals initiate the connections to the processor; nothing on the internet needs to open a connection to a terminal, so inbound rules should permit only what a documented business need requires, which is usually no more than the replies to connections the terminals started.
  • All other traffic is specifically denied: A default-deny rule at the end of the inbound policy means anything not explicitly allowed is dropped, so a forgotten or misconfigured service is never reachable from outside.

    These practices maintain secure access and comply with PCI DSS requirements.

Question 1.3.2

Why You Should Answer "Yes"

  • Outbound traffic from the CDE is restricted to only traffic that is necessary: Terminals should be able to reach only the payment processor's hosts and ports (plus any update or time service the terminal vendor documents), not the internet at large.
  • All other traffic is specifically denied: Blocking unexpected outbound connections limits what a compromised or substituted terminal could send out, and makes any such attempt visible in the firewall logs.

    These practices maintain secure access and comply with PCI DSS requirements.

Question 1.3.3

Why You Should Answer "Yes"

  • All wireless traffic from wireless networks into the CDE is denied by default: Wireless networks are reachable from outside the building and are a common entry point, so nothing from them may reach the CDE unless it is explicitly allowed.
  • Only wireless traffic with an authorized business purpose is allowed into the CDE: If a wireless network has no documented need to reach the terminals it should have no path to them at all; if it does, only the specific traffic required is permitted.

    These practices maintain secure access and comply with PCI DSS requirements.

Question 1.4.3

Why You Should Answer "Yes"

  • Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network: A packet arriving on the external interface with a source address from your internal range is forged, and any rule that trusts internal addresses would otherwise let it through. Dropping such packets at the network boundary (for example with ingress filtering or reverse-path checks on the router or firewall) closes that gap.

    These practices maintain secure access and comply with PCI DSS requirements.

Question 2.2.2

Why You Should Answer "Yes"

  • If the Vendor Default Account(s) will be used, the Default Password is changed as per Requirement 8.3.6: Ensures nobody can gain access with the default password.
  • If the Vendor Default Account(s) will not be used, the account is removed or disabled: Helps control access, enhancing security.

These practices maintain secure access and comply with PCI DSS requirements.

 

 

Question 2.2.7

Why You Should Answer "Yes"

  • All non-console administrative access is encrypted using strong cryptography: Administrative sessions over the network carry credentials and configuration. Use SSH, HTTPS or a VPN to administer firewalls, routers and terminals remotely, and disable clear-text protocols such as Telnet and HTTP on management interfaces so credentials cannot be captured on the wire.

Implementing this policy strengthens security and ensures PCI DSS compliance.

Question 2.3.1

Why You Should Answer "Yes"

  • Default wireless encryption keys: Vendor default keys are printed in manuals and on device labels, so a network still using them is effectively unencrypted. Set a unique key at installation.
  • Passwords on wireless access points: The administrative password of an access point is published by the vendor and is the first thing an attacker tries. Change it before the device is connected.
  • SNMP defaults: The default community strings (usually "public" and "private") let anyone read, and sometimes change, the device configuration. Change them, or disable SNMP if it is not used.
  • Any other security-related wireless vendor defaults: Default SSIDs, WPS and enabled remote management all give away or expose the device. Review and change every security-related default, because all of them are easy to look up.

Changing every wireless default at installation enhances security and ensures PCI DSS compliance.

Question 2.3.2

Why You Should Answer "Yes"

  • Whenever personnel with knowledge of the keys leave the company or the role where the knowledge was necessary: Only people whose current job function requires knowledge of the keys should have it; rotating the key when someone leaves removes access that can no longer be accounted for.
  • Whenever a key is suspected of or known to be compromised: A compromised key must be changed immediately, because anyone holding it can join the wireless network or decrypt its traffic.

    These practices ensure security, accountability, and compliance with PCI DSS.

Question 3.1.1

Why You Should Answer "Yes"

  • Documented: So everyone understands what the policies and procedures for protecting stored account data are.
  • Kept up to date: Policies and procedures change over time, so they must be kept current.
  • In use: The documented policies and procedures must be followed at all times.
  • Known to all affected parties: So that everyone who handles account data is working from the same rules.

Documented, current and followed policies for protecting stored account data support PCI DSS compliance.

Question 3.3.1

Why You Should Answer "Yes"

  • SAD is not retained after authorization, even if encrypted: Sensitive authentication data (full track data, card verification code and PIN data) is needed only to obtain the authorization. Once the transaction is authorized there is no business reason to keep it, and PCI DSS prohibits storing it at all, even encrypted, because anyone who obtains it can produce counterfeit cards and fraudulent transactions.

These practices enhance data protection and ensure PCI DSS compliance.

Question 3.3.1.1

Why You Should Answer "Yes"

  • The full contents of any track are not retained upon completion of the authorization process: Track data from the magnetic stripe or chip contains everything needed to make a counterfeit card. The terminal sends it to the processor for authorization and must not write it anywhere afterwards (for example, to a log or receipt file).

These practices enhance data protection and ensure PCI DSS compliance.

Question 3.3.1.2

Why You Should Answer "Yes"

  • The card verification code is not retained after the authorization process: The card verification code is part of the SAD. It exists to show that the card was present or in the cardholder's possession, so keeping it defeats that purpose and is prohibited.

These practices protect account data and ensure PCI DSS compliance.

Question 3.3.1.3

Why You Should Answer "Yes"

  • The personal identification number (PIN) and PIN block are not retained after authorization: The PIN and PIN block are also SAD and are never retained; a stored PIN together with the PAN allows cash withdrawals and PIN-debit fraud.

These practices protect account data and ensure PCI DSS compliance.

Question 3.4.1

Why You Should Answer "Yes"

  • PAN is masked when displayed (the BIN and last four digits are the maximum that may be shown), such that only personnel with a legitimate business need can see more than the BIN and last four digits: Receipts, reports and terminal screens should show no more than the BIN (first six or eight digits) and the last four. Limiting who can see a full PAN limits what is exposed if a receipt, screen or report falls into the wrong hands. This requirement is about displayed PAN; SAD is never displayed or stored at all.

These practices limit exposure of account data and maintain PCI DSS compliance.

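Requirements 3.3.1 and 3.4.1 come down to two concrete checks: nothing on your systems holds SAD (track data, card verification code, PIN block) after authorization, and wherever a PAN is shown it is masked. The Python below is an added example, not code from this page or from Paystri or SecureTrust. It applies a Luhn check so ordinary order numbers are not flagged, reports track-2 data and verification codes found in a constructed log excerpt, masks PANs to BIN plus last four, and produces a redacted copy. The log lines, the field names (`pan=`, `track2=`, `cvv=`) and the six-digit BIN length are assumptions made for the illustration.

```python
import re

# Constructed sample (not from any real terminal): a receipt/debug log of the
# kind a misconfigured back-office process might write to disk.
SAMPLE_LOG = """\
2024-05-01 10:12:03 sale approved pan=4111111111111111 auth=012345
2024-05-01 10:12:03 debug track2=4111111111111111=27051010000012300000
2024-05-01 10:15:44 refund pan=4111111111111111 cvv=123
2024-05-01 10:20:00 order ref=123456789012345 customer=ok
"""

# A PAN is 13-19 digits not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 equivalent data: PAN, field separator '=', expiry YYMM, service code, discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")
# Card verification code labelled in the text (the field names are an assumption).
CVV_RE = re.compile(r"\b(cvv|cvc|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most non-PAN digit strings such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Show at most the BIN (six digits here; eight is also permitted) and the last four."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("not a PAN")
    return pan[:bin_len] + "*" * (len(pan) - bin_len - 4) + pan[-4:]


def scan_for_account_data(text: str) -> dict:
    """Return {'pan': [(line, masked_pan)], 'sad': [(line, kind)]} for the text."""
    findings = {"pan": [], "sad": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings["pan"].append((lineno, mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings["sad"].append((lineno, "track2"))
        if CVV_RE.search(line):
            findings["sad"].append((lineno, "cvv"))
    return findings


def redact(text: str) -> str:
    """Rewrite the text so SAD is removed entirely and every PAN is masked."""
    out = []
    for line in text.splitlines():
        # Remove track data first so its embedded PAN is not left for the PAN pass.
        line = TRACK2_RE.sub(
            lambda m: mask_pan(m.group(1)) + "=[SAD removed]" if luhn_ok(m.group(1)) else m.group(0),
            line,
        )
        line = CVV_RE.sub(lambda m: m.group(1) + "=[SAD removed]", line)
        line = PAN_RE.sub(lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0), line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = scan_for_account_data(SAMPLE_LOG)
    for lineno, kind in found["sad"]:
        print(f"line {lineno}: SAD ({kind}) present, must not be retained")
    for lineno, masked in found["pan"]:
        print(f"line {lineno}: PAN {masked}")
    print(redact(SAMPLE_LOG))
```

Running this over the constructed log flags the track-2 string on line 2 and the verification code on line 3 as SAD that must be deleted, and leaves the 15-digit order reference alone because it fails the Luhn check. Point it at terminal export directories, receipt spools and application logs; a B-IP merchant should get no SAD findings at all.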
 

Question 4.2.1.a

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks, and only trusted keys and certificates are accepted: The terminal must verify the processor's certificate against a trusted root; otherwise a device on the path could impersonate the processor and read the PAN.

These practices protect PAN in transit and support PCI DSS compliance.

Question 4.2.1.c

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks, and the protocol in use supports only secure versions or configurations: Old protocol versions (SSL and early TLS) and weak cipher suites have known attacks, so the terminal and gateway must not allow fallback to them.

These practices protect PAN in transit and support PCI DSS compliance.

Question 4.2.1.d

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks, and the encryption strength is appropriate for the encryption methodology in use: Key sizes and algorithms must be strong enough for the protocol being used (for example, current TLS with industry-accepted cipher suites and key lengths).

These practices protect PAN in transit and support PCI DSS compliance.

Maintain a Vulnerability Management Program

Question 6.3.1

Why You Should Answer "Yes"

  • New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs): The vendors of your terminals, firewall and back-office software, and the national CERTs, publish alerts about vulnerabilities that need urgent patches. Subscribing to those sources is how you learn a patch exists in the first place.
  • Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact: Use a formal, objective and justifiable method (for example, the CVSS score adjusted for whether the affected system is internet-facing or handles account data) so that the ranking reflects the risk to your own environment.
  • Risk rankings identify, at a minimum, all vulnerabilities considered to be high risk or critical to the environment: Classifying the risk (critical, high, medium or low) lets you fix the highest-risk items first and reduces the chance that the most dangerous vulnerabilities are exploited before they are patched.
  • Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered: If any software is developed in-house, the development team should also track vulnerability sources for the frameworks and libraries it uses.

These practices keep known vulnerabilities from being left unpatched, maintaining PCI DSS compliance and minimizing impact.

 

Question 6.3.3

Why You Should Answer "Yes"

  • Critical or high security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release: Attackers routinely build exploits within days of a patch being published, so the window between release and installation is when the system is most exposed. Lower-ranked patches are installed within a time frame you define (for example, within three months of release).

Timely patching closes known vulnerabilities and maintains PCI DSS compliance.

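Requirements 6.3.1 and 6.3.3 together describe a small process: rank each vulnerability, derive a deadline from the rank, and track whether the patch went in on time. The Python below is an added example, not this page's or SecureTrust's code, showing one way to implement that. The CVSS thresholds, the one-level escalation for internet-facing or actively exploited issues, the 30-day deadline for critical/high and the 90-day deadline for everything else are assumptions (PCI DSS itself fixes only the one-month bound for critical/high); the vulnerability records are constructed and their identifiers are not real CVEs.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

RANKS = ["low", "medium", "high", "critical"]


@dataclass
class Vuln:
    vuln_id: str                    # constructed identifier, not a real CVE
    asset: str
    cvss: float                     # CVSS base score from the vendor or CERT advisory
    released: date                  # date the vendor released the fix
    installed: Optional[date] = None
    exploited_in_wild: bool = False
    internet_facing: bool = False


def risk_rank(v: Vuln) -> str:
    """Rank from the CVSS score, escalated one level when the context makes it worse (assumed policy)."""
    if v.cvss >= 9.0:
        rank = "critical"
    elif v.cvss >= 7.0:
        rank = "high"
    elif v.cvss >= 4.0:
        rank = "medium"
    else:
        rank = "low"
    if v.exploited_in_wild or v.internet_facing:
        rank = RANKS[min(RANKS.index(rank) + 1, len(RANKS) - 1)]
    return rank


def deadline(v: Vuln, high_days: int = 30, other_days: int = 90) -> date:
    """Critical/high: within one month of release (6.3.3); others: entity-defined window (assumed 90 days)."""
    days = high_days if risk_rank(v) in ("high", "critical") else other_days
    return v.released + timedelta(days=days)


def patch_status(v: Vuln, today: date) -> str:
    due = deadline(v)
    if v.installed is not None:
        return "on-time" if v.installed <= due else "late"
    return "overdue" if today > due else "pending"


def report(vulns: List[Vuln], today: date) -> List[Tuple[str, str, str, str]]:
    """(id, rank, deadline, status), highest rank and earliest deadline first."""
    ordered = sorted(vulns, key=lambda v: (-RANKS.index(risk_rank(v)), deadline(v)))
    return [(v.vuln_id, risk_rank(v), deadline(v).isoformat(), patch_status(v, today)) for v in ordered]


# Constructed records for a small merchant: a router and a back-office PC.
SAMPLE_VULNS = [
    Vuln("VULN-1", "pos-router", 9.8, date(2024, 3, 1), installed=date(2024, 3, 20)),
    Vuln("VULN-2", "back-office-pc", 7.5, date(2024, 3, 1)),
    Vuln("VULN-3", "back-office-pc", 5.3, date(2024, 3, 1)),
    Vuln("VULN-4", "pos-router", 6.5, date(2024, 4, 1), internet_facing=True),
]


def sample_report(today_iso: str = "2024-04-15") -> List[Tuple[str, str, str, str]]:
    """The report for the constructed records as of the given day."""
    return report(SAMPLE_VULNS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in sample_report():
        print(*row)
```

In the constructed data VULN-2 is the one to act on: a high-ranked patch released on 1 March with no installation recorded by 15 April is past the one-month bound. VULN-4 has only a medium CVSS score but sits on the internet-facing router, so the policy escalates it to high and gives it the 30-day deadline.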
 

Implement Strong Access Control Measures

Question 7.2.2

Why You Should Answer "Yes"

  • Job classification and function: Once needs are defined for user functions (per PCI DSS requirement 7.2.1), it is easy to grant individuals access according to their job classification and function by using the already created roles.
  • Least privileges necessary to perform job responsibilities: When assigning privileged access, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.



Role-based, least-privilege access limits what any one account can do and maintains PCI DSS compliance.

Question 8.1.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Documented: To ensure everyone understands what the policies and procedures are.
  • Kept up to date: Policies and procedures change over time so they must be kept up to date.
  • In use: The required policies and procedures must be followed at all times.
  • Known to all affected parties: This is to ensure everyone is on the same page so to speak.

Documented, current and followed authentication policies maintain PCI DSS compliance.

Question 8.2.2

 

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Account use is prevented unless needed for an exceptional circumstance: An example of an exceptional circumstance is where all other authentication methods have failed, and a shared account is needed for emergency use or “break the glass” administrator access.
  • Use is limited to the time needed for the exceptional circumstance: This keeps the systems secure by limiting the time someone has access secure data and information.
  • Business justification for use is documented: The documentation of the business justification is essential for future reference if any issues arise from resolving the exceptional circumstance.
  • Use is explicitly approved by management: If shared accounts are used for any reason, strong management controls need to be established to maintain individual accountability and traceability.
  • Individual user identity is confirmed before access to an account is granted: Tools and techniques can facilitate both management and security of these types of accounts and confirm individual user identity before access to an account is granted.
  • Every action taken is attributable to an individual user: The ability to associate individuals to the actions performed with an account is essential to provide individual accountability and traceability regarding who performed an action, what action was performed, and when that action occurred.

Controlling shared accounts preserves individual accountability and maintains PCI DSS compliance.

Question 8.2.7

Why You Should Answer "Yes"

  • Enabled only during the time period needed and disabled when not in use: Enabling access only for the time periods needed and disabling it as soon as it is no longer required helps prevent misuse of these connections.
  • Use is monitored for unexpected activity: Monitoring third-party access helps ensure that third parties are accessing only the systems necessary and only during approved time frames. Any unusual activity using third-party accounts should be followed up and resolved.

 

Controlling and monitoring third-party remote access limits the window for misuse and maintains PCI DSS compliance.

 

 

Question 8.4.3

Why You Should Answer "Yes"

  • All remote access by all personnel, both users and administrators, originating from outside the entity's network: A password alone can be phished, guessed or reused from another breach; requiring a second factor for every remote connection means a stolen password is not enough to reach the CDE.
  • All remote access by third parties and vendors: The same applies to vendor and support accounts, which are frequent targets because they are often shared and rarely changed.

Requiring MFA for all remote access makes stolen credentials far less useful and maintains PCI DSS compliance.

Question 9.1.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Documented: To ensure everyone understands what the policies and procedures are.
  • Kept up to date: Policies and procedures change over time so they must be kept up to date.
  • In use: The required policies and procedures must be followed at all times.
  • Known to all affected parties: This is to ensure everyone is on the same page so to speak.

Documented, current and followed physical security policies maintain PCI DSS compliance.

Question 9.2.2

 

Why You Should Answer "Yes"

  • Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility: Whether logical or physical controls, or a combination of both, are used, they should prevent an individual or device that is not explicitly authorized from being able to connect to the network.

 

Restricting network jacks keeps unauthorized devices off the CDE network and maintains PCI DSS compliance.

Question 9.4.1

Why You Should Answer "Yes"

  • All media with cardholder data is physically secured: Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.

 

Physically securing media prevents unauthorized access to cardholder data and maintains PCI DSS compliance.

Question 9.4.1.1

Why You Should Answer "Yes"

  • Offline media backups with cardholder data are stored in a secure location: For secure storage of backup media, a good practice is to store media in an off-site facility, such as an alternate or backup site or commercial storage facility.

 

Secure off-site backup storage protects cardholder data and maintains PCI DSS compliance.

Question 9.4.2

Why You Should Answer "Yes"

  • All media with cardholder data is classified in accordance with the sensitivity of the data: Media not identified as confidential may not be adequately protected or may be lost or stolen.

 

Classifying media ensures it receives the protection its contents require and maintains PCI DSS compliance.

Question 9.4.3

Why You Should Answer "Yes"

  • Media is sent by secured courier or other delivery method that can be accurately tracked: The use of secure couriers to deliver any media that contains cardholder data allows organizations to use their tracking systems to maintain inventory and location of shipments.

 

Tracked, secure delivery keeps media accounted for in transit and maintains PCI DSS compliance.

Question 9.4.4

Why You Should Answer "Yes"

  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals): Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.

 

Management approval keeps media movements tracked and protected, maintaining PCI DSS compliance.

Question 9.4.6

Why You Should Answer "Yes"

  • Materials are cross-cut shredded, incinerated, or pulped so cardholder data cannot be reconstructed: If steps are not taken to destroy information contained on hard-copy media before disposal, malicious individuals may retrieve information from the disposed media, leading to a data compromise.
  • Materials are stored in secure storage containers prior to destruction: Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected.

 

Secure destruction ensures discarded hard-copy media cannot be reconstructed, maintaining PCI DSS compliance.

Question 9.5.1

Why You Should Answer "Yes"

  • Maintaining a list of POI devices: With a list of every POI device you can see at a glance whether an unauthorized device has been added or a legitimate one replaced.
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution: Inspection is how skimmers, overlays and swapped devices are detected before they have captured many cards.
  • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices: Staff who know what to look for make it much harder for anyone to tamper with or swap a device unnoticed.

Device inventory, inspection and trained staff make tampering and substitution detectable, maintaining PCI DSS compliance.

Question 9.5.1.1

Why You Should Answer "Yes"

  • Make and model of the device: The method for maintaining a list of devices may be automated (for example, a device management system) or manual (for example, documented in electronic or paper records).
  • Location of the device: Methods to maintain device locations include identifying the address of the site or facility where the device is located.
  • Device serial number or other methods of unique identification: Keeping a list of the device serial number and other unique identifiers allows you to determine if a device was switched out or has gone missing.

 

An accurate device list is the baseline every inspection is checked against, maintaining PCI DSS compliance.

Question 9.5.1.2

Why You Should Answer "Yes"

  • POI device surfaces are periodically inspected to detect tampering or unauthorized substitution: Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device.

 

Regular inspection catches skimmers, overlays and swapped devices early, maintaining PCI DSS compliance.

Question 9.5.1.3

Why You Should Answer "Yes"

  • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices: All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POI maintenance company, such as the vendor or acquirer, for verification. 
  • Procedures to ensure devices are not installed, replaced, or returned without verification: A device that arrives unexpectedly, or a request to return a device, should be confirmed with your acquirer or terminal vendor before anyone acts on it.
  • Being aware of suspicious behavior around devices: Suspicious behavior that personnel should be aware of includes attempts by unknown persons to unplug or open devices.
  • Reporting suspicious behavior and indications of tampering or substitution to appropriate personnel: Another trick that criminals use is to send a “new” POI device with instructions for swapping it with a legitimate device and “returning” the legitimate device. The criminals may even provide return postage to their specified address. Therefore, personnel should always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business.

 

Trained, alert staff are the control that stops social-engineering attacks on POI devices, maintaining PCI DSS compliance.

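Requirements 9.5.1.1 through 9.5.1.3 describe a device list and a periodic inspection checked against it. The Python below is an added example, not code from this page or from SecureTrust, of how to run that comparison so that a swapped, moved, missing or duplicated terminal shows up as a finding instead of being overlooked. The inventory, the inspection results and the make/model names are constructed; the finding codes are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PoiDevice:
    make: str
    model: str
    serial: str
    location: str


@dataclass(frozen=True)
class Observation:
    location: str               # where the inspector is standing
    serial: str                 # serial read off the device label or menu
    seals_intact: bool = True   # tamper seals present, no overlay, no extra cables


# Constructed inventory (9.5.1.1): make, model, serial and location per device.
INVENTORY = [
    PoiDevice("Acme", "T-100", "SN-0001", "Register 1"),
    PoiDevice("Acme", "T-100", "SN-0002", "Register 2"),
    PoiDevice("Acme", "T-100", "SN-0003", "Back office"),
]

# Constructed inspection (9.5.1.2): what staff actually found on the floor.
OBSERVED = [
    Observation("Register 1", "SN-0001"),
    Observation("Register 2", "SN-9999"),                      # serial not on the list
    Observation("Register 3", "SN-0003", seals_intact=False),  # moved, seal broken
    Observation("Register 4", "SN-0001"),                      # same serial seen twice
]

Finding = Tuple[str, str, str]   # (code, location, serial)


def inspect_devices(inventory: List[PoiDevice], observed: List[Observation]) -> List[Finding]:
    """Compare an inspection walk against the device list and return every discrepancy."""
    by_serial = {d.serial: d for d in inventory}
    by_location = {d.location: d for d in inventory}
    findings: List[Finding] = []
    seen = set()
    for o in observed:
        known = by_serial.get(o.serial)
        if known is None:
            # Unknown serial at a location where the list expects a device: likely substitution.
            code = "SUBSTITUTED" if o.location in by_location else "UNKNOWN_DEVICE"
            findings.append((code, o.location, o.serial))
        else:
            if o.serial in seen:
                # The same serial twice means one of the two labels is fake.
                findings.append(("DUPLICATE_SERIAL", o.location, o.serial))
            seen.add(o.serial)
            if known.location != o.location:
                findings.append(("MOVED", o.location, o.serial))
        if not o.seals_intact:
            findings.append(("TAMPER_EVIDENCE", o.location, o.serial))
    # Anything on the list that nobody saw is missing until proven otherwise.
    for d in inventory:
        if d.serial not in seen:
            findings.append(("MISSING", d.location, d.serial))
    return findings


if __name__ == "__main__":
    for code, location, serial in inspect_devices(INVENTORY, OBSERVED):
        print(f"{code:17} {location:12} {serial}")
```

Every finding is something to escalate per 9.5.1.3 before the device is used again: a SUBSTITUTED or UNKNOWN_DEVICE result means a terminal you did not issue is taking cards, and a MISSING result means one of yours may be in someone else's hands.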
 

Regularly Monitor and Test Networks

Question 11.4.5

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • At least once every 12 months and after any changes to segmentation controls/methods: Performing penetration testing at regular intervals and after any changes to segmentation controls/methods keep the systems secure.
  • Covering all segmentation controls/methods in use: If any of the segmentation controls/methods are not covered they become a weakness in the system.
  • Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems: Techniques such as host discovery and port scanning can be used to verify out-of-scope segments have no access to the CDE.
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3): By following Requirement 2.2.3 you can confirm the effectiveness of the isolation to separate systems with differing security levels.
  • Performed by a qualified internal resource or qualified external third party: A good practice is to utilize a qualified external third party for penetration testing to ensure organizational independence.
  • Organizational independence of the tester exists (not required to be a QSA or ASV): Using a qualified third-party tester satisfies this.

These practices verify that segmentation actually isolates the CDE, maintaining PCI DSS compliance.

You will need to enter the date these tasks were last completed, as shown in the screenshot below. Click on the calendar, select the date the test was last performed (the 1st of the current month if you do not have an exact date), then select Finish to move to the next question.

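Requirement 11.4.5 mentions host discovery and port scanning as a way to confirm that out-of-scope segments cannot reach the CDE. The Python below is an added example, not this page's or the gateway's code, of the simplest form of that check: run from a host on the out-of-scope network (the office Wi-Fi, for instance), it attempts TCP connections to each CDE address and port and reports anything that answers. Any open port is a finding to explain or close; a clean result supports, but does not replace, the annual test by a qualified tester. The host and port lists are assumptions, and `listen_on_loopback` exists only so the check can be demonstrated against a local listener.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake completes; a closed port or a firewall drop returns False."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def segmentation_check(cde_hosts: Iterable[str], ports: Iterable[int],
                       timeout: float = 0.5) -> List[Tuple[str, int]]:
    """From an out-of-scope segment, every (host, port) that accepts a connection is a finding."""
    targets = [(h, p) for h in cde_hosts for p in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = pool.map(lambda t: tcp_open(t[0], t[1], timeout), targets)
        return sorted(t for t, is_open in zip(targets, results) if is_open)


def listen_on_loopback() -> Tuple[socket.socket, int]:
    """Demo helper: a local listener standing in for a reachable CDE service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed CDE addresses, and the ports a terminal, router or management interface might expose.
    CDE_HOSTS = ["10.10.20.10", "10.10.20.11"]
    PORTS = [22, 23, 80, 443, 8443]
    findings = segmentation_check(CDE_HOSTS, PORTS)
    print("reachable from this segment:", findings or "nothing (segmentation holds)")
```

A connect scan only sees ports that complete a handshake, so it will not detect UDP services or hosts that silently drop traffic; for the annual test the tester will also use host discovery and the full port range. Keep the output with your segmentation test records so the "last completed" date entered above has evidence behind it.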
 

Maintain an Information Security Policy

Question 12.1.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Established: The security policy for the organization identifies the purpose, scope, accountability, and information that clearly defines the organization’s position regarding information security.
  • Published: The organization's security policy must be published to all affected parties, both internal and external.
  • Maintained: The security policy for the organization may change over time and must be updated in all published forms.
  • Disseminated to all relevant personnel, as well as to relevant vendors and business partners: It is important that all relevant personnel within the organization, as well as relevant third parties, vendors, and business partners are aware of the organization’s information security policy and their responsibilities for protecting information assets.

An established, published and maintained security policy maintains PCI DSS compliance.

 

Question 12.1.2

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Reviewed at least once every 12 months: The information security policy for the organization should be reviewed annually at a minimum.
  • Updated as needed to reflect changes to business objectives or risks to the environment: The organization's security policy must be updated whenever business objectives or the risks to the environment change.

Reviewing and updating the policy keeps it relevant and maintains PCI DSS compliance.

You will be asked to enter the date this task was last completed, as noted in the screenshot below. Click on the calendar, select the date of the most recent review (the 1st of the current month if you do not have an exact date), then select Finish.

 

Question 12.1.3

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities: Without clearly defined security roles and responsibilities assigned, there could be misuse of the organization’s information assets or inconsistent interaction with information security personnel, leading to insecure implementation of technologies or use of outdated or insecure technologies.

Clearly defined and acknowledged responsibilities maintain PCI DSS compliance.

Question 12.6.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data: If personnel are not educated about their company’s information security policies and procedures and their own security responsibilities, security safeguards and processes that have been implemented may become ineffective through unintentional errors or intentional actions.

 

A security awareness program keeps the other controls effective, maintaining PCI DSS compliance.

Question 12.8.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided: Maintaining a list of all TPSPs identifies where potential risk extends outside the organization and defines the organization’s extended attack surface.

 

Knowing who your TPSPs are is the starting point for managing third-party risk, maintaining PCI DSS compliance.

Question 12.8.2

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE: The written acknowledgment from a TPSP demonstrates its commitment to maintaining proper security of the account data it obtains from its customers, and that the TPSP is fully aware of the assets that could be affected while it provides its service.
  • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity's CDE: The extent to which a specific TPSP is responsible for the security of account data depends on the service provided and the agreement between the provider and the assessed entity (the customer). In conjunction with Requirement 12.9.1, this requirement is intended to promote a consistent understanding between the parties of their applicable PCI DSS responsibilities.

Written agreements make each party's responsibility for account data explicit, maintaining PCI DSS compliance.

Question 12.8.3

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement: Specific due-diligence processes and goals will vary for each organization. Elements that should be considered include the provider’s reporting practices, breach-notification and incident response procedures, details of how PCI DSS responsibilities are assigned between each party, how the TPSP validates their PCI DSS compliance and what evidence they provide.

Question 12.8.4

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months: All merchants need to confirm their PCI DSS compliance every 12 months to ensure the security of cardholder data.

You will be asked to document when you last completed this task, as noted in the screenshot below. Click on the calendar and select the 1st of the current month. Then select Finish.

Question 12.8.5

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity: Entities can document these responsibilities via a matrix that identifies all applicable PCI DSS requirements and indicates for each requirement whether the entity or TPSP is responsible for meeting that requirement or whether it is a shared responsibility.

Question 12.10.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum: It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response.
  • Incident response procedures with specific containment and mitigation activities for different types of incidents: Entities should consider how to address all compromises of data within the CDE in their incident response plans, including to account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
  • Business recovery and continuity procedures: The incident response plan should be thorough and contain all the key elements for stakeholders (for example, legal, communications) to allow the entity to respond effectively in the event of a breach that could impact account data.
  • Data backup processes: A formal data backup process approved by management should be in place at all times.
  • Analysis of legal requirements for reporting compromises: Entities should consider how to address all compromises of data within the CDE in their incident response plans, including to account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
  • Coverage and responses of all critical system components: It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response. Other relevant parties for notifications may include customers, financial institutions (acquirers and issuers), and business partners.
  • Reference or inclusion of incident response procedures from the payment brands: A good practice is to always include incident response procedures from V/MC/Disc/Amex.

Question A2.1.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols: POS POI terminals used in card-present environments can continue using SSL/early TLS when it can be shown that the POS POI terminal is not susceptible to the currently known exploits.

Now that you have answered all of the questions, you will see the screen below. Select Next to move to the page where you confirm your compliance.

On this page, fill in the highlighted areas, then scroll to the bottom of the page and select Confirm Your Attestation.

You will then see the screen below showing you are now PCI compliant for the next 12 months. Congratulations!!!