I’m trying to figure out where my client stands with PCI, as well. We take credit cards in Magento using Authorize.Net, so nothing is stored on our server. But we also take card numbers over the phone, which are entered into a retail-style credit card machine. Does anyone know if this places us into SAQ D category?
It really depends on how those credit cards are handled on the phone side. I know some brick and mortar type systems will just transmit the card information over the phone line.
The information here will determine where you stand:
You may only have to worry about SAQ B if:
- Imprint-only merchants with no electronic cardholder data storage
- Stand-alone terminal merchants, no electronic cardholder data storage
In both of these cases, the terminals are not connected to the internet (either imprint only or over a telephone line).
Once you hit “Merchants with POS systems connected to the Internet, no electronic cardholder data storage” you are instantly in C.
Now if their phone ordering system stores the credit card information at any point for any amount of time (encrypted or not) then you are going to be falling into category D.
The one thing I’m not sure about is if you have your two systems (website and phone) and if they fall under different SAQs, can you apply say SAQ B to your phone system and SAQ C to your website or, if one of your systems is in a higher SAQ, do you have to apply that higher SAQ to both.
Because you are taking credit cards in two systems though, you will most certainly have to apply a SAQ to both your website system and the phone ordering system.
Also, in the SAQ part 2c Transaction Processing asks for “Payment Application in use” and the version - do I write in Magento?
If it’s a built in plugin, I would include Magento and your current version. If it’s a separate plugin, you may have to include some information on that plugin.
And for the Requirements that have to do with network/data security - that’s all on our web host’s back, not ours. Should I write N/A and state that, or just check Yes?
Yes and No. Because you state that the customer takes credit cards over the phone, it is also on the back of your clients network where these phone orders are being placed as well. As for your website side, part of it is on the web host’s back. Firewall settings on the server that are under your control are on you. Access controls to the server room and other things out of your control are obviously on the host. Before putting in “Yes” you will want to make sure that the host *is* PCI compliant.
As I put in another post above, I’m certainly no expert on the subject and you may want to consult an expert before submitting anything (especially as it isn’t clear what needs to be done for the phone ordering system). You may be able to give Authorize.net a call and get some questions answered from them for free (as you are a customer of theirs and it is in their best interest that you are PCI compliant).