I use the Customer Information Manager for storing customer data and capturing charges. I capture the customer credit card through a website and then pass it through to the CIM using John Conde's PHP class. It is not stored on my system.
I'm having a difficult time selecting the correct Self Assessment Questionnaire for my annual PCI compliance. Last year I registered as an A, but I am thinking that using the CIM in this manner is an A-EP. Below are the guidelines for A vs. A-EP.
SAQ A:
SAQ A-EP:
Does anyone have any thoughts, comments or suggestion?
03-24-2015 11:41 AM
Hello @pberce,
It doesn't look like anyone has responded yet, but someone still may have feedback on what you're looking for.
You might also consider checking with your QSA. If you don't have one, you can check with our preferred partner TrustWave at http://www.authorize.net/qsa
I'd recommend subscribing to this topic so that you'll be alerted via email if anyone else from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies to your post.
Thanks,
Richard
03-26-2015 02:42 PM
Richard,
Thank you for your reply.
Just wanted to pass this along; I found it in my travels. It answered my question about which SAQ to select. This is the clearest description I could find of the selection process. It can be found here:
https://www.pcicomplianceguide.org/wp-content/uploads/2014/03/PCI-3.0-SAQ-Chart.jpg
According to this I need to select A-EP.
04-02-2015 08:59 AM - edited 04-02-2015 09:01 AM
I wanted to post a follow-up on the subject.
Here's my scenario:
The website is hosted in a shared environment with a unique IP address. We capture the customers' credit cards on a page encrypted with an SSL certificate and then pass them through to the Authorize.net CIM system for storage and future charging.
I talked with a Qualified Security Assessor provided by my merchant provider (a service that most provide for free). According to them, given our method of capturing and storing the credit card number, we are classified as SAQ-D. Even though we don't store the credit card number on our system, touching the card number puts us into this category. This is new with PCI DSS 3.0. SAQ-D is the most restrictive classification for PCI compliance.
The two options for me, at this moment, are either to move my site to a host that provides PCI compliant hosting, or to capture the credit card information using the CIM iFrame Hosted Form.
04-22-2015 08:21 AM - edited 04-22-2015 08:25 AM