Attestation of Compliance, SAQ A, Version 3.1

Similar documents
Self-Assessment Questionnaire (SAQ) A and Attestation of Compliance Guidance Document. Self-Assessment Questionnaire A

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Onsite Assessments Service Providers. Version 1.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SELF-ASSESSMENT QUESTIONNAIRE (SAQ) A GUIDE

Payment Card Industry (PCI) Payment Applicaton Data Security Standard (PA-DSS) Attestation of Validation Version 2.01

Understanding the SAQs for PCI DSS v3.0

Payment Card Industry Compliance. May 12, 2011

Payment Card Industry Data Security Standard Self-Assessment Questionnaire B Guide

Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) Attestation of Validation Version 2.02

WHO, WHAT, WHY: PCI. Tess Casey Flanagan Senior Manager and Counsel, Global Compliance Operations

Completing Self Assessment Questionnaire B

PCI Requirements Office of Business and Finance Issued July 2015

Visa Level 4 Merchant Requirements PCI DSS Validation & QIR Technician Requirements Effective January 31, 2017

PCI Requirements Office of Business and Finance Issued July 2015

Policies and Procedures

AUTHORIZE.NET SAQ ELIGIBILITY WHITE PAPER NICK TRENC CISSP, CISA, QSA, PA- QSA. North America Europe coalfire.

What is Stripe? Is Stripe secure? PCI compliant?

Best Practices for Securing E-commerce

Getting Out of PA-DSS Scope and Eliminating the High Cost of EMV: What you need to know

BANK OF BARODA - RFP for Selection of Qualified Security Assessor (QSA) for PCI-DSS Certification Replies / Clarifications to Queries

PCI Information Session. May NCSU PCI Team

PCI DSS practical guide for Travel Agents

Receivables and Secure Payment Processing

EMV Chip Cards. Table of Contents GENERAL BACKGROUND GENERAL FAQ FREQUENTLY ASKED QUESTIONS GENERAL BACKGROUND...1 GENERAL FAQ MERCHANT FAQ...

FI0311 Credit Card Processing

Protecting Payments Throughout the Ecosystem. Emma Sutcliffe Senior Director, Data Security Standards PCI Security Standards Council

3.17 Payment Card Industry (PCI) Compliance Policy

falanx Cyber PCI-DSS: How can your organisation achieve and maintain compliance?

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 04/29/2016

Version 7.4 & higher is Critical for all Customers Processing Credit Cards!

What is DTMF Masking?...1. How does it work for credit card payment processing?...2. PCI DSS Compliance for Contact Centres...3

UNIVERSITY OF OKLAHOMA Campus Payment Card Security Standard Norman Campus

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS

Attachment 2: Merchant Card Services

Wirecard CEE Integration Documentation

SAMPLE DATA FLOW DIAGRAMS for MERCHANT ENVIRONMENTS

Semi-Integrated EMV Payment Solution

Liverpool Hope University

International Operators Seminar. Bem-vindo! Bienvenidos! Bonjour! Croeso! Foon ying! Hujambo! Velkomen! Welkom! Welcome!

Making Sense of the PCI Puzzle

COLUMBIA UNIVERSITY CREDIT CARD ACCEPTANCE AND PROCESSING POLICY

Payment Card Industry Data Security Standards (PCI-DSS) Guide for Contact Center Managers

The Changing Landscape of Card Acceptance

PCI & Small Merchant Compliance: What Does the Future Hold? Presenter: Chris Bucolo, ControlScan, Inc.

A REPORT TO THE CITIZENS OF SALT LAKE COUNTY. BEN McADAMS, MAYOR. An Audit of the Key Controls of. Clark Planetarium.

Risk-based Approach to PCI DSS Validation

What Do Merchants Need to Be Successful Online?

Payment Gateway Overview. Get familiar with credit card processing & our platform

CCV s self-service payment solutions drive PCI-DSS-compliant security

A TECHNICAL SPECIFICATIONS LOCK BOX PAYMENTS

Tokenization: The Future of Payments

C&H Financial Services. PCI and Tin Compliance Basics

Unattended Payment Terminal

PCI FOR HIGHER EDUCATION. John Musgrove, MS, CISA Deputy Director, Technology Audit

Streamline PCI Compliance in a Diverse Hospital Environment

EMV, PCI, Tokenization, Encryption What You Should Know for Presented by: The Bryan Cave Payments Team

Card Payment acceptance at Common Use positions at airports

OHIO TURNPIKE AND INFRASTRUCTURE COMMISSION 682 Prospect Street Berea, Ohio 44017

Visa and MasterCard Drive Adoption of EMV Payment Technologies in the United States

Sage Payment Solutions. Reduce your PCI liability with integrated payment solutions

EMV Implementation Guide

Third Party Risk Security Insights and Program Updates

PCI FAQS AND MYTHS. Presented by BluePay

Online Payment Services

Transaction Management & Payment Solutions

FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY:

THE UNIVERSITY OF GEORGIA INTERNAL AUDITING DIVISION INTERNAL CONTROL QUESTIONNAIRE GENERAL

EMV and Educational Institutions:

Merchant Services What You Need to Know. Agenda 6/5/2017. Overview of Merchant Services. EMV, Tokenization/Encryption, and PCI (Oh My!

Payment Card Industry Data Security Standard Compliance: Key Players and Relationships. By Jason Chan

EMV Basics and the market

PAYMENT CARD STANDARDS

FIS Global Retail Payments. Centralize your enterprise with ONE trusted partner.

TOUCHNET THE COMPLETE APPROACH

Datacap Systems NETePay with dsipdcx OOS PCI PA-DSS Out Of Scope Technical Assessment White Paper July 6, 2011

OVER THE PHONE CREDIT CARD FRAUD: A PCI Compliance Guide for Business and Government

EMV Terminology Guide

White Paper PCI-Validated Point-to-Point Encryption On Microsoft Azure. By Christopher Kronenthal, Chief Technology Officer

PCI BLOG. P2PE, EMV, Tokenization, Oh My!

Pinless Transaction Clarifications

Cashless 3.0. Partner Program Overview. TAS Group 2017

Cashless 3.0. Partner Program Overview. TAS Group 2017

UNDERSTANDING PCI COMPLIANT DESKTOPS

Mobile and Contactless Payments Requirements and Interactions

FOR A BARRIER-FREE PAYMENT PROCESSING SOLUTION

City and County of San Francisco Office of the Treasurer-Tax Collector ( TTX )

EMV Migration Forum. How EMV Significantly Lessens the Impacts of Data Breaches. David Worthington, Principal Consultant// 12th March 2014

EMV Frequently Asked Questions for Merchants May, 2015

PCI DSS SECURITY AWARENESS

Introduction. Scott Jerabek. The CBORD Group. Product Manager

Frequently Asked Questions for Merchants May, 2015

Consultation on Guidelines on Internet Payments Security ( Guidelines )

esocket POS Integrated POS solution Knet

Security enhancement on HSBC India Debit Card

EMV A Chip Off the New Block

White Paper. Payment fraud threatens retail business. P2PE helps you fight back

CONTRACTUAL COMPLIANCE DEADLINE COMPOUNDED FINES FOR MISSING THE REVIEW APPROACHING DEADLINES

Is there a case for the regulation of Tokenization services?

Transcription:

Attestation of Compliance, SAQ A, Version 3.1 Section 1: Assessment Information Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: Rhys Williams DBA(s): CODEWORKSHOP Contact Name: Rhys Williams Title: Company Representative Email: rwilliams@codeworkshop.com.au Telephone: 0404123300 Business Address: 87 Elvy Street City: Yanderra State: NSW Zip: 2574 Country: AU URL: www.codeworkshop.com.au Part 1b. Qualified Security Assessor Company Information (if applicable) Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) [ ] Retailer [ ] Telecommunication [ ] Grocery and Supermarkets [ ] Petroleum [ ] Others What types of payment channels does your business serve?

[ ] Card-present (face-to-face) Which payment channels are covered by this SAQ? [ ] Card-present (face-to-face) Part 2b. Description of Payment Card Business How and in what capacity does your business store, process and/or transmit cardholder data? We do not store, process and/or transmit cardholder data Part 2c. Locations Part 2d. Payment Application Does the organization use one or more Payment Applications? NO Provide the following information regarding the Payment Applications your organization uses: Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment: Our customers dispatch all cardholder data securely to Stripe, our payments processor, via an iframe. Our company's servers receive an opaque token object, from which the original cardholder data cannot be derived. Does your business use network segmentation to affect the scope of your PCI DSS environment? YES Part 2f. Third-Party Service Providers Does your company share cardholder data with any third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? YES Name of service provider: Stripe, Inc. Description of services provided: Collection, storage and processing of all cardholder data. Part 2g. Eligibility to Complete SAQ A Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because: YES - Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions); YES - All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; YES - Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions; YES - Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and

YES - Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically. YES - For e-commerce channels, all elements of the payment page or pages delivered to the consumer's browser originate only and directly from a PCI DSS validated third-party service provider. Section 2: Self-Assessment Questionnaire A 9.5: Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? Media refers to all paper and electronic media containing cardholder data. 9.6: Is strict control maintained over the internal or external distribution of any kind of media? Controls should include the following: 9.6.1: Is media classified so the sensitivity of the data can be determined? 9.6.2: Is media sent by secured courier or other delivery method that can be accurately tracked? 9.6.3: Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? 9.7: Is strict control maintained over the storage and accessibility of media? 9.8: Is all media destroyed when it is no longer needed for business or legal reasons? Media destruction should be performed as follows: 9.8.1: (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? 12.8: Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: YES 12.8.1: Is a list of service providers maintained? YES 12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment? YES 12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement? YES 12.8.4: Is a program maintained to monitor service providers PCI DSS compliance status at least annually? YES 12.8.5: Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? YES Section 3: Validation and Attestation Details Part 3. PCI DSS Validation Based on the results noted in the SAQ A dated 2016-06-26, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of 2016-06-26: YES - Compliant: All sections of the PCI SAQ are complete, and all questions answered yes, resulting in an overall COMPLIANT rating, thereby Rhys Williams has demonstrated full compliance with the PCI DSS.

NO - Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby Rhys Williams has not demonstrated full compliance with the PCI DSS. Target Date for Compliance: An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4. NO - Compliant but with Legal exception. One or more requirements are marked NO due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand. Part 3a. Acknowledgement of Status YES - This PCI DSS Self-Assessment Questionnaire, Version 3.1, was completed according to the instructions therein. YES - All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects. YES - I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. YES - I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times. YES - If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply. YES - No evidence of full track data1, CAV2, CVC2, CID, or CVV2 data2, or PIN data3 storage after transaction authorization was found on ANY system reviewed during this assessment. - ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name). Part 3b. Merchant Attestation Signature of Merchant Executive Officer: Rhys Williams Date: 2016-06-26 Merchant Executive Officer Name: Rhys Williams Title: Company Representative Merchant Company Represented: Rhys Williams Part 3c. QSA Acknowledgement (if applicable) Part 3d. ISA Acknowledgement (if applicable) Part 4. Action Plan for Non-Compliant Requirements Appendix C: Explanation of Non-Applicability

Requirement: 9.X Reason Requirement is Not Applicable: No part of our environment, including any type of media, transmits, stores or processes cardholder data. As such, there is no cardholder data to restrict access to.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback