PQ Pay PCI Compliance Guide

The primary purpose of Payment Card Industry (PCI) Data Security Standards (DSS) is to ensure the secure handling and protection of customer credit card data, reducing the risk of data breaches and fraud. 

To comply with the PCI standards, our processing partner, Stax, has created the PCI Toolkit, which each PQ Pay merchant must complete to attest to their compliance. Within 2 weeks of your PQ Pay account activation, you will be welcomed to the PCI Toolkit platform.

For more information on PCI Compliance, please see our informational article, PracticeQ Payments PCI Compliance.

We have created this guide to aid you in completing the steps of the toolkit, and urge you to reach out to us at hello@intakeq.com if you have any questions about it. Additionally, the PCI Support team is available for technical assistance via the toolkit Support tab, or via email to support@pcitoolkit.com.

Step 1

The first step of the toolkit is a questionnaire that determines what category of card processing you perform. Upon completion of the Step 1 questionnaire, you will be assigned an SAQ (self-assessment questionnaire) for Step 2. 

It's important that you are categorized correctly in this first step to avoid being assigned to the wrong SAQ. If you have already completed this step and believe you were categorized incorrectly, you can reset the SAQ Category in two ways:

  1. Reach out to the PCI support team via the Support tab of the toolkit and ask them to reset the SAQ for you.
  2. Go back to where your SAQ Type is listed, along with Step 1 and Step 2, etc. Clicking on your SAQ type will give you the option to retake the Step 1 questionnaire to re-assign you. 

Please review the categories below to determine which SAQ you should be assigned, and then follow the instructions on completing the Step 1 questionnaire for your SAQ Category. If you belong to multiple categories, choose the option that occurs most often.

Tip: If you aren't sure which category you belong to, reach out to us at hello@intakeq.com and let us know in your own words how you obtain card data and process payments. We will be happy to identify your group for you!

To get started, click "Next" under "Step 1 Information".

SAQ A

Here is how you'll want to answer the questions in Step 1:
  1. Ecommerce
  2. I have a website that I sell goods or services on and/or accept payments online
  3. It is hosted and managed by a PCI Compliant provider
  4. When credit card data is collected, it is collected on a PCI DSS validated third party website. 
  5. For questions 5 through 9, please double check your own operations but in general these should be No.

SAQ C-VT

Here is how you'll want to answer the questions in Step 1:

  1. MOTO
  2. Virtual Terminal
  3. I type them in using a keyboard
  4. We cannot answer this for you, but can advise that card data collected via PQ is stored at the payment processor exclusively. The payment system does not allow you to see full card data.
  5. For questions 5 through 9, please double check your own operations but in general these should be No.

SAQ B-IP

Here is how you'll want to answer the questions in Step 1:

  1. Face to Face
  2. Stand Alone Terminal
  3. No
  4. Select WiFi or Network cable (ethernet cord) accordingly, then manually enter Dejavoo and QD2.
  5. We cannot answer this for you, but can advise that card data collected via PQ is stored at the payment processor exclusively. The payment system does not allow you to see full card data.
  6. For questions 6 through 9, please double check your own operations but in general these should be No.

Step 2

Once you have completed Step 1 and have been assigned your SAQ, you will be assigned a Step 2 questionnaire. 

If you are confident that you do not hold cardholder data outside of PracticeQ, you can answer Yes to all the questions in Step 2. Any card data you collect via PracticeQ is held at the payment processor and is within the standards of the industry.

Tip: If you are unsure whether you hold card data outside of PracticeQ, please reach out to us at hello@intakeq.com for assistance.

Step 3

Some of our users (SAQ categories A and B-IP) will also be required to perform a vulnerability scan. 
If you manually input any card details, you should use the public IP address (ip.me) of the network where the user is inputting cards. However, if you only have clients enter their own card details online, this is done via intakeq.com (216.21.12.26), and that address may be entered. The scan runs on a 12-hour rotation, so it should be done by the following day.

You will be notified of the scan results by email and through the toolkit dashboard. 

Step 4

Step 4 should not be required for any PQ Pay users. If you have been assigned a Step 4 task, please review your SAQ Category above and reset the SAQ to begin back at Step 1. You can reset the SAQ Category in two ways:
  1. Reach out to the PCI support team via the Support tab of the toolkit and ask them to reset the SAQ for you.
  2. Go back to where your SAQ Type is listed, along with Step 1 and Step 2, etc. Clicking on your SAQ type will give you the option to retake the Step 1 questionnaire to re-assign you. 

Step 5

This is for you to submit your attestation for compliance. 

Once you submit your attestation, your SAQ Status should move to "Confirmed"!

Ongoing Tasks

Each user will be assigned several ongoing tasks. These tasks are future-dated to keep compliance and security on your mind throughout the year, until you re-attest to compliance in 12 months.
You can simply click and confirm to complete them whenever you choose. 

Questions?

The PCI Compliance toolkit includes technical language and standards that most of our users are unfamiliar with. Please don't hesitate to reach out to us at hello@intakeq.com if you have any questions. We will be happy to assist you in gaining compliance successfully! 
