Compliance Overview

At MerchantPlus, we’ve always taken cardholder security very seriously and have offered PCI Compliance programs and solutions for over 2 years. However, recent changes by the Card Associations (Visa, MasterCard, Discover, AMEX) have changed the reporting guidelines for merchant PCI-DSS compliance. As such, there are some important steps you need to take in order to ensure you meet all the PCI-DSS requirements. Remember, every merchant is required to be PCI-DSS compliant regardless of business type, size or processing methods.

To fulfill your obligation and be compliant, you are required to take a Self Assessment Questionnaire (SAQ) and undergo quarterly scanning services of your payment network.   MerchantPlus provides 2 options to become compliant:

  1. You may leverage the PCI-DSS solution from your processor, iPayment. This solution is included with your service and ensures that your processor will always have active, up-to-date reporting of your PCI-DSS status, helping to avoid any fines or fees associated with non-compliance. Click here for this option: iPayment Solution
  2. If Bluepay is your processor, you would use their PCI-DSS software. This solution is included with your account and provides real time reporting of your PCI-DSS status to help avoid non-compliance fees. Click here for this option: BluePay Solution

It is our goal to ensure that you can quickly and easily obtain PCI-DSS compliance and we have provided 2 competitive options for your convenience.  As always, if you have any questions or concerns, please contact us immediately at 800-546-1997 or by emailing support@merchantplus.com.  Our representatives will help you decide on the proper method for your business and answer any PCI questions you may have.

Still sending us quarterly scans of your website? Find out how we’re making it easier by emailing us at support@merchantplus.com.

Self Assessment Questionnaires (SAQs)

You may download the appropriate SAQs by following the link below. (For clarity, we’ve provided a description of which document you should download in the descriptions that follow.)
https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

SAQ A: Card not present; All Cardholder Data Functions Outsourced

  • Your company does not store, process, or transmit any cardholder data on merchant systems or premises but relies entirely on third party service provider(s) to handle these functions.
  • Your company has confirmed that the third party service provider(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant.
  • Your company does not store any cardholder data in electronic format.
  • If your company does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.

Source: Payment Card Industry Data Security Standard: Self-Assessment Questionnaire A and Attestation of Compliance, Version 2.0, October 2010

SAQ B: Imprint Machines or Standalone Dial-out Terminals only; no Electronic Cardholder Data Storage

  • Your company uses only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet; or your company uses only standalone, dial-out terminals; and the standalone, dial-out terminals are not connected to the Internet or any other systems within your environment.
  • Your company does not store any cardholder data in electronic format.
  • If your company does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically.

Source: Payment Card Industry Data Security Standard: Self-Assessment Questionnaire B and Attestation of Compliance, Version 2.0, October 2010

SAQ C-VT: Web-Based Virtual Terminal, No Electronic Cardholder Data Storage

  • Your company’s only payment processing is via a virtual terminal accessed by an Internet-connected web browser.
  • Your company accesses the virtual terminal via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment.
  • Your company’s virtual terminal solution is provided and hosted by a PCI DSS validated third party service provider.
  • Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward).
  • Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached).
  • Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet).
  • Your company does not store cardholder data in electronic format (for example, cardholder data is not stored in sales or marketing tools such as CRM).
  • If your company does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically.

Source: Payment Card Industry Data Security Standard: Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 2.0, October 2010

SAQ C: Merchants with Payment Application connected to the Internet, No Electronic Cardholder Data Storage

  • Your company has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN).
  • The payment application system/Internet device is not connected to any other system within your environment.
  • Your company store is not connected to other store locations, and any LAN is for a single store only.
  • Your company does not store cardholder data in electronic format.
  • If your company does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically.
  • Your company’s payment application software vendor uses secure techniques to provide remote support to your payment application system.

Source: Payment Card Industry Data Security Standard: Self-Assessment Questionnaire C and Attestation of Compliance, Version 2.0, October 2010

SAQ D: All other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ

  • SAQ D applies to SAQ-eligible merchants not meeting the criteria for SAQ types A through C, above, and to all service providers defined by a payment brand as being SAQ-eligible.

Source: Payment Card Industry Data Security Standard: Self-Assessment Questionnaire D and Attestation of Compliance, Version 2.0, October 2010


Copyright © 2013 - MerchantPlus LLC. All Rights Reserved. - Privacy Statement
MerchantPlus LLC is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA.
American Express & Discover Card Require Separate Approval.
International/High Risk Processing Offered through Global Card Solutions