PracticeQ Payments - PCI Compliance Guide
Use the guide below to become PCI compliant so you can process credit card payments with PracticeQ Payments.
- The primary purpose of Payment Card Industry (PCI) Data Security Standards (DSS) is to ensure the secure handling and protection of customer credit card data, reducing the risk of data breaches and fraud.
- To comply with the PCI standards, our processing partner, Stax, has created the PCI Toolkit which each PQ Pay merchant must complete to attest to their compliance. Within 2 weeks of your PQ Pay account activation, you will be welcomed to the PCI Toolkit platform.
- Link to the toolkit: https://stax.pcitoolkit.com/version3/SignIn.aspx
- For more information on PCI Compliance, please see our informational article PracticeQ Payments PCI Compliance.
- We have created this guide to aid you in completing the steps of the toolkit, and urge you to reach out to us at hello@intakeq.com if you have any questions on this. Additionally, the PCI Support team is available for technical assistance via the toolkit Support tab, or via email to support@pcitoolkit.com.
Step 1
- The first step of the toolkit is a questionnaire that determines what category of card processing your business performs. Upon completion of the Step 1 questionnaire, you will be assigned an SAQ (self-assessment questionnaire) for Step 2.
- It is very important that you are categorized correctly in this first step to avoid being assigned to the wrong SAQ. If you have already completed this step and believe you were categorized incorrectly, you can reset the SAQ Category in one of two ways:
  - Reach out to the PCI support team via the Support tab of the toolkit and ask them to reset the SAQ for you.
  - Return to where your SAQ Type is listed, along with Step 1, Step 2, etc. Click on your SAQ type and you will be given the option to retake the Step 1 questionnaire so that you can be re-assigned.
- Please review the categories below to determine to which SAQ you should be assigned, and then follow the instructions to complete the Step 1 questionnaire. If you belong to multiple categories, choose the option that occurs most often.
- Note: If you aren't sure which category you belong to, reach out to us at hello@intakeq.com to let us know in your own words how you obtain card data and process payments. We are happy to identify your group for you!
- To get started, click Next under Step 1 Information.
SAQ A
Here is how you will want to answer the questions in Step 1:
- E-commerce
- I have a website that I sell goods or services on and/or accept payments online
- It is hosted and managed by a PCI Compliant provider
- When credit card data is collected, it is collected on a PCI DSS validated third party website.
- For questions 5 through 9, please double-check your own operations, but in general these should be No.
SAQ C-VT
Here is how you will want to answer the questions in Step 1:
- MOTO
- Virtual Terminal
- I type them in using a keyboard
- We cannot answer this for you, but can advise that card data collected via PQ is stored at the payment processor exclusively. The payment system does not allow you to see full card data.
- For questions 5 through 9, please double-check your own operations, but in general these should be No.
SAQ B-IP
Here is how you will want to answer the questions in Step 1:
- Face-to-Face
- Stand Alone Terminal
- No
- Select WiFi or Network cable (ethernet cord) accordingly, then manually enter Dejavoo and QD2.
- We cannot answer this for you, but can advise that card data collected via PQ is stored at the payment processor exclusively. The payment system does not allow you to see full card data.
- For questions 6 through 9, please double-check your own operations, but in general these should be No.
Step 2
- Once you have completed Step 1 and have been assigned your SAQ, you will be assigned a Step 2 questionnaire.
- If you are confident that you do not hold cardholder data outside of PracticeQ, you can answer Yes to all the questions in Step 2. Any card data you collect via PracticeQ is stored with the payment processor and is within the standards of the industry.
Note: If you are unsure whether you hold card data outside of PracticeQ, please reach out to us at hello@intakeq.com for assistance.

Step 3
- Some of our users (SAQ categories A and B-IP) will also be required to perform a vulnerability scan.

- If you manually enter any card details, use the public IP address (see ip.me) of the network where the user is inputting cards.
- If you only have clients enter their own card details online, this would be done via PracticeQ and the IP 216.21.12.26 may be used. The scan runs on a 12-hour rotation, so it should be done by the following day.
- You will be notified of the scan results by email and through the toolkit dashboard.
Step 4
- Step 4 should not be required for any PracticeQ Payments users. If you have been assigned a Step 4 task, please review your SAQ Category above and reset the SAQ to begin back at Step 1. You can reset the SAQ Category in one of two ways:
  - Reach out to the PCI support team via the Support tab of the toolkit and ask them to reset the SAQ for you.
  - Return to where your SAQ Type is listed, along with Step 1, Step 2, etc. Click on your SAQ type and you will be given the option to retake the Step 1 questionnaire so that you can be re-assigned.
Step 5
- Submit your attestation for compliance.

- Once you submit your attestation, your SAQ Status should update to Confirmed!
Ongoing Tasks
- Each user will be assigned several ongoing tasks. These tasks are future-dated to keep compliance and security on your mind throughout the year, until you re-attest to compliance in 12 months.
- Simply click and confirm to complete them whenever you choose.
Questions?
- The PCI Compliance toolkit includes technical language and standards that most of our users are unfamiliar with. Please do not hesitate to reach out to us at hello@intakeq.com if you have any questions. We will be happy to assist you in gaining compliance successfully!