PCI DSS Questionnaire Help

If you are unsure how to answer some of the questions on the PCI DSS Card Not Present questionnaire issued by Clearent, refer to the suggested answers below. The first three questions are merchant specific, so they are not covered here:

4. Please name the software you use to process payments, such as a shopping cart, payment gateway such as Authorize.net, virtual terminal, or other software:

Cart32

5. Please indicate the version of the software.

If you have a black login box, you are on v8.0

If you have a blue login box, you are on v7.0

6. Do you have any agreements in place with merchant services providers other than Clearent for the purpose of accepting payments (excluding American Express)?

No

7. Do you have validation that these providers and software are in compliance with the PCI DSS?

Yes

8. How and in what capacity does your business store or maintain cardholder data? Generally such data should not be stored; if it is stored for business purposes, it must be stored in a secure manner with restricted access.

This information is not stored.

9. How and in what capacity does your business process and/or transmit cardholder data?

We do not process/transmit cardholder data.

10. Do you have firewalls that prevent access to cardholder data from the public Internet?

Yes

11. Do the firewalls prevent any public access between the public Internet and the processing system where credit card, debit card, and/or other payment card data is processed, stored or managed?

Yes

12. Do you maintain secure passwords for system access?

Yes

13. Are all passwords changed on a regular basis?

Yes

14. Are vendor supplied default settings pertaining to security changed immediately?

Yes

15. Are vendor supplied passwords changed immediately?

Yes

16. Are employee passwords deleted whenever an employee leaves your company?

Yes

17. Does your system deploy any unencrypted Wi-Fi communications?

No

18. If your system employs Wi-Fi, are all Wi-Fi communications encrypted?

Yes (or not applicable)

19. Is all credit card, debit card, and/or other payment card data stored by your software or system provider?

Yes

20. Is any credit card, debit card, and/or other payment card data stored on your servers, hardware, or system?

No

21. Is all credit card, debit card, and/or other payment card data encrypted when being transmitted to your provider?

Yes

22. Is access to the data restricted and limited to only those with a need to know?

Yes

23. Are security controls, limitations, network connections and restrictions tested annually?

Yes

24. Do you self test or do you employ a third party to complete your security testing?

Third Party

25. If requested, can you provide a copy of their audit report?

Yes

26. Do you perform quarterly system scans to test the ability to prevent unauthorized system access? For Level 1, 2, and 3 merchants, the PCI DSS requires quarterly external network scans by an Approved Scanning Vendor (ASV).

Yes

27. Do you have a written security policy that is reviewed annually and is required reading by all employees?

Yes

28. Does your security policy state that all third parties you use must be in compliance with the PCI DSS?

Yes

29. Do all written agreements with vendors establish that the vendors who store data on your behalf assume responsibility for the security of such data?

Yes

30. Do you store credit card, debit card, and/or other payment card receipts?

Yes

31. If you store receipts, are these receipts stored in a secured manner accessible only by authorized employees?

Yes (or not applicable)

32. When credit card, debit card, and/or other payment card receipts are destroyed, are they done so in a manner so that they are unreadable?

Yes

33. Do your credit card, debit card, and/or other payment card transaction receipts display the customer’s entire cardholder account number?

No
