- SAQ-A consists of 22 multiple-choice questions that cover the way you manage credit card information in your firm.
- For each question, you must select True, False, or Not Applicable.
- We have included hints below each question to hep you understand these question and answer correctly.
- If you follow this question and hint guide you'll be PCI compliant in a matter of minutes!
- Click here for a guide on how to correctly access the SAQ-A questionnaire.
1. All media is physically secured. (Media is considered all paper and electronic files containing cardholder data.)
Hint: Credit card information is kept safe and secure either by locking it up in a filing cabinet or keeping it within a folder in a locked office.
2. Strict control is maintained over the storage and accessibility of media.
Hint: At any given time, you know where to find this credit card information on paper. We recommend you treat your credit card authorization forms as you would your client files.
3. Media is classified/confidential, so the sensitivity of the data can be determined.
Hint: Any credit card information stored on paper in the office must be regarded as classified or confidential. You limit access to people on a need-to-know basis.
4. Strict control is maintained over the internal or external distribution of any kind of media.
Hint: The only people with access to the credit card information have permission.
5. Management approval is obtained prior to moving the media (especially when media is distributed to individuals).
Hint: If the business is large and folders are easily lost, it is advised they maintain a log of all movement.
6. Media is sent by secured courier or other delivery method that can be accurately tracked.
Hint: If you send or receive credit card information on paper through the mail, it must be sent and received through secure courier such as UPS, FedEx, USPS.
7. All media is destroyed when it is no longer needed for business or legal reasons.Hint: Once the credit card is no longer needed for business reasons (we recommend a maximum of 9 months after the last transaction is run on that card) it must be destroyed.
8. For destruction, hardcopy materials are cross-cut shredded, burned, or pulped so that cardholder data cannot be reconstructed.
Hint: Paper with credit card information on it must be destroyed so that it cannot be reconstructed if it is found (cross-cut shredding is the most common option).
9. For destruction, containers that store information to be destroyed are secured to prevent access to the contents.
Hint: Between the time the merchant receives the information and the time they shred it, it must be kept safe and secure.
10. Vendor-supplied defaults are always changed before installing a system on the network.
Hint: All login access (from virtual terminals to email to Facebook) must have an updated, secure, personal password utilizing both numbers and letters.
11. Unnecessary default accounts are removed or disabled before installing a system on the network.
Hint: If you have a secondary user, the second user must either have a strong, encrypted password OR be removed from the virtual terminal entirely.
12. All users are assigned a unique ID before allowing them to access system components or cardholder data.
Hint: Users in the system can log in with their own email address/username to process payments or access the system.
13. Access for any terminated users is immediately deactivated or removed on all systems.
Hint: If someone leaves the company, their access is terminated from any system associated with credit card payments.
14. In addition to assigning a unique ID, one or more of the following methods are employed to authenticate all users.
Hint: To access the system, a unique password or a token (i.e. Validation code) is used for verification.
15. User password parameters are configured to require passwords/passphrases that meet the following
Hint: LawPay/AffiniPay requires at least 8 characters, including a combination of letters/numbers and a capital letter.
16. Group, shared, or generic accounts and passwords or other authentication methods are prohibited as follows
Hint: Each user is assigned a unique account.
17. A list of service providers is maintained.
Hint: A service provider is someone who assists a merchant in processing credit cards. LawPay is your service provider.
18. A written agreement is maintained with all service providers that store, process, transmit, or impact the security of cardholder data. The agreement includes an acknowledgment that the service providers are responsible for the security of cardholder data.
Hint: You understand that LawPay is responsible for the security of the information that the merchant puts inside the virtual terminal.
19. There is an established process for engaging service providers, including proper due diligence prior to engagement.
Hint: Prior to choosing LawPay as your service provider, you did your research and chose us.
20. Service providers' PCI DSS compliance status is monitored at least annually.
Hint: LawPay must have their PCI Compliance monitored at least annually.
21. Information is maintained about which PCI DSS requirements are managed by each service provider, and which are managed by your organization.
Hint: You are in charge of secure passwords, no electronic storage, no CVV code storage, and handling any credit card information on paper carefully in your office.
The Service Provider (LawPay) is in charge of cryptography, encryption, providing a safe and secure payment page, technical support, truncation on receipts, and PCI scans.
22. An incident response plan has been created and is ready for use in the event of system breach.
Hint: If there is suspicious activity on the account (i.e multiple charges from different cards) the firm/association should contact us immediately.
23. Attestation: Write your name in the blank field and certify you were authorized to complete the questionnaire.
24. Congratulations! You have successfully finished your questionnaire!
You're all done! Feel free to download your certificate!