WHAT IS THE BUSINESS PROFILE?
To initiate the process to become PCI Compliant, merchants must first complete the Business Profile section. This section guides the merchant through questions about how they accept payments, the technology they use, and how they transfer or store data. The purpose of the Business Profile section is to assign the merchant the correct Self-Assessment Questionnaire (SAQ) for their business; it usually takes between 5 and 10 minutes to complete.
THE BUSINESS PROFILE SECTION
1. Once a merchant logs in for the first time, they will be brought to an informational modal which will give them an overview of what they need to do along with an informational video. They can click on the “Start Business Profile” to begin.
2. The merchant can come back to the Business Profile section at any time by clicking on “Manage” in the “Your business profile” section, under “Here are your available compliance tools” on the Dashboard.
3. Have you already completed a PCI DSS Self Assessment Questionnaire (SAQ) or Attestation of Compliance (AoC) that you would like to upload?
a. Most merchants will need to choose the first option: select this option if this is your first time going through this process, OR if you completed this process more than 12 months ago.
b. If the merchant has a valid SAQ from a different program, they can choose the second option and upload the documentation. Please note that the merchant may still need to go through the rest of the Business Profile section, depending on their profile and how their business operates.
4. Does your company have a relationship with one or more third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc)?
a. For most merchants, this would be “No”.
5. Select Your Merchant Type: Please use the selection tools below to describe the category and type of business that best describes your business. You can select multiple types.
a. The merchant selects the option that most closely describes their business. They can select more than one option, and if nothing listed applies to their business, they can choose “other” and type in their business type.
6. Payment Related Services: Does your organization provide payment related services, have access to credit card information for another company's customers, or provide services that could impact the security of credit card information for another organization?
a. For most merchants, the answer would be “No”.
7. Select Your Processing Method: Please select all of the methods that you use to accept card payments in your business.
a. Select “Virtual Terminal” for Card Not Present (CNP) processing.
8. Virtual Terminal: Indicate how credit card numbers are entered into the Virtual Terminal.
a. For merchants using just the Virtual Terminal for their CNP processing, select “Manual Entry ONLY”.
9. Does your business electronically store credit card numbers?
a. For most merchants, the answer would be “No”. Tokenizing card data does not qualify as electronically storing credit card numbers.
10. Qualifications: Does your business use or allow any remote administrative access? Does your company have a wireless network connected to the cardholder data environment?
a. For most merchants, the answers to both of these would be “No”.
11. Eligibility: To be eligible to take the reduced Self Assessment Questionnaire C-VT (SAQ C-VT), you must agree to the listed bullet points. If you cannot agree to the eligibility statements, then you must either select a different processing method, OR indicate that you don't agree to the statements in which case you will be directed to complete the full SAQ D-Merchant.
a. This is a question summarizing and validating what the merchant has entered on their Business Profile and should be answered with a “Yes” to confirm.
12. Your company policy for information security: To handle payment cards you are required by the Payment Card Industry Data Security Standard (PCI DSS) to have an Information Security Policy in place for your organization. This must cover all relevant areas of the standard. If you do not currently have one, we can provide you with a policy template below.
- The merchant can answer with either the first or second option. The first option indicates that the merchant does not currently have an Information Security Policy in place but plans to implement the one provided; they can then download the document provided.
- The second option indicates that the merchant already has an Information Security Policy in place that covers the Payment Card Industry Data Security Standard (PCI DSS).
13. The Business Profile is now complete! The merchant will now be navigated to the Dashboard where they can start their Self-Assessment Questionnaire (SAQ) C-VT. This particular SAQ will be 26 questions long and can be started by clicking on “Manage” under “Complete security assessment” OR “Begin step” under “Your next step” at the top right of the dashboard.
THE SELF-ASSESSMENT QUESTIONNAIRE - SAQ C-VT for Card Not Present (CNP) Merchants
Here is a list of the questions that your merchants can expect to receive as part of their SAQ C-VT for their CNP processing:
- Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE?
- Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
- Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure?
- Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
- Are common system security parameter settings included in the system configuration standards?
- Are security parameter settings set appropriately on system components?
- Has all unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers been removed?
- Are enabled functions documented and do they support secure configuration?
- Is only documented functionality present on system components?
- Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
- The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
- The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
- Are only trusted keys and/or certificates accepted?
- Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
- Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
- For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received?
- Is there a process to identify security vulnerabilities, including the following:
  - Using reputable outside sources for vulnerability information?
  - Assigning a risk ranking to vulnerabilities that includes identification of all "high" risk and "critical" vulnerabilities?
- Is access for any terminated users immediately deactivated or removed?
- In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
  - Something you know, such as a password or passphrase
  - Something you have, such as a token device or smart card
  - Something you are, such as a biometric
- Are user password parameters configured to require passwords/passphrases meet the following?
  - A minimum password length of at least seven characters
  - Contain both numeric and alphabetic characters
  - Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
- Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
  a. Generic user IDs and accounts are disabled or removed;
  b. Shared user IDs for system administration activities and other critical functions do not exist; and
  c. Shared and generic user IDs are not used to administer any system components?
- Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
- Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
- Does penetration testing to verify segmentation controls meet the following?
  - Performed at least annually and after any changes to segmentation controls/methods
  - Covers all segmentation controls/methods in use
  - Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
- Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
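As an added example (not code from the compliance portal or the PCI SSC) of how the transmission-security questions above translate into a concrete check: a Python audit of an ssl.SSLContext that flags the unvalidated-certificate, old-protocol and weak-cipher settings those questions are asking about, shown beside the corrected configuration. The TLS 1.2 floor and the cipher-name patterns are assumptions, documented in the code.

```python
"""Audit a Python ssl.SSLContext against the SAQ C-VT transmission-security
questions above. Added example for this guide, not code from the compliance portal."""
from __future__ import annotations

import ssl

# Assumption: "insecure versions" means anything below TLS 1.2, the floor the
# PCI SSC set when it retired SSL and early TLS.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# Assumption: "proper encryption strength" is failed by null, export,
# anonymous (ADH/AECDH) or RC4 suites appearing in the enabled cipher list.
WEAK_PREFIXES = ("NULL", "EXP", "ADH", "AECDH")


def audit_tls_context(ctx: ssl.SSLContext) -> dict[str, bool]:
    """Return one True/False per SAQ question; False is a finding."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        # "Are only trusted keys and/or certificates accepted?"
        "trusted_certs_only": bool(ctx.verify_mode == ssl.CERT_REQUIRED
                                   and ctx.check_hostname),
        # "...to not support insecure versions or configurations?"
        "no_insecure_versions": ctx.minimum_version >= MIN_TLS,
        # "Is the proper encryption strength implemented...?"
        "no_weak_ciphers": not any(n.startswith(WEAK_PREFIXES) or "RC4" in n
                                   for n in names),
    }


def is_compliant(ctx: ssl.SSLContext) -> bool:
    return all(audit_tls_context(ctx).values())


def weak_client_context() -> ssl.SSLContext:
    """The setting the SAQ asks about: no certificate validation, the oldest
    protocol the library allows, every cipher OpenSSL can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")  # re-enables anonymous suites
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected setting: system trust store, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Run `audit_tls_context` over the context your virtual-terminal integration actually uses; any False is evidence you cannot answer the corresponding SAQ question "Yes".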
Helpful Definitions
PCI - Payment Card Industry
SAQ - Self-Assessment Questionnaire
NCF - Non-Compliance Fee
PCI DSS - Payment Card Industry Data Security Standard