Payment Card Industry Data Security Standards (PCI DSS) Compliance

Any State agency accepting credit cards as a form of payment must complete a yearly Self-Assessment Questionnaire (SAQ), reviewed and signed by the agency’s Merchant Executive Officer. The State agency will send the completed SAQ(s) to the State’s Internal Security Assessor (ISA) for review and approval. The ISA will submit a report of the submitted SAQs to the State Treasurer’s Office.
Required information before meeting with ISA

At a minimum, the following items should be physically available in the Merchant Manual for review by the ISA.

Merchant Manual

Each State agency must have available a "Merchant Manual" which will be reviewed by the State's ISA and will include the following items:

Section 1: Responsibility Matrix(es) from Third-Party Service Providers (TPSPs)
The State PCI Agency is responsible for obtaining the Responsibility Matrix from all other TPSPs involved in payment card processing with the agency.
Section 2: Annual PCI Self-Assessment Questionnaire (SAQ)
Completed & signed SAQ.
• SAQ B-IP, SAQ P2PE, and SAQ D:
◦ List of Point-of-interaction (POI) devices that capture payment card data via direct physical interaction (REQ 9.5.1.1)
◦ List of when inspections happened on devices (REQ 9.5.1.2)
• Copy of training provided to staff who operate the POI devices (REQ 9.5.1.3)
If you have questions about submitting your SAQ, please refer to the presentation in Additional Resources.
SAQ A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
*Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS Validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
*Applicable only to e-commerce channels.
SAQ B
Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ B-IP
Merchants using only standalone, PIN Transaction Security (PTS)-approved payment terminals with an Internet Protocol (IP) connection to the payment processor, with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ C
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic data storage.
*Not applicable to e-commerce channels.
SAQ P2PE
Point-to-Point Encryption (P2PE). Merchants using only hardware payment terminals that are included in and managed via a validated P2PE solution listed by the PCI Security Standards Council, with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ D for Merchants
All merchants not included in any other descriptions for the previous SAQ types.
SAQ D for Service Providers
All service providers defined by a payment card brand as eligible to complete an SAQ.
SAQ SPoC
Software-based PIN Entry on COTS (SPoC). Merchants using a commercial off-the-shelf mobile device (for example, a phone or tablet) with a secure card reader that is part of a SPoC Solution included on PCI SSC's list of validated Software-based PIN Entry on COTS (SPoC) Solutions.
*This SAQ is not applicable to unattended card-present (for example, kiosks or self-checkout), mail-order/telephone-order (MOTO), or e-commerce channels.
*This SAQ is not applicable to service providers.
Section 3: Vulnerability Scans or Attestation of Compliance (AOC) and Approved Scanning Vendor (ASV) Scans
SAQ A, B-IP, and D: copy of the previous four (4) Passing PCI ASV Scans (REQ 11.3.2)
SAQ A and D: copy of the external vulnerability scans as applicable (REQ 11.3.2.1)
SAQ D: Most recent internal and external penetration test (REQ 11.4.2 and 11.4.3)
SAQ B-IP and D: Penetration tests performed on segmentation controls (REQ 11.4.5)
Section 4: Cardholder Data Flow Diagram
Cardholder data flow diagrams (include all cardholder data processes and detail all types of authentication data used, e.g. PAN, CVV, Track, etc.).
Section 5: Agency Policies and Procedures
Agency procedures to process credit card transactions
The State PCI Agency is responsible for the policies and procedures listed as the agency’s responsibility in the responsibility matrix.
State Treasurer Incident Response Plan (State PCI Agencies and boards may request a copy via the contact form below)
State Treasurer Information Security Policy (State PCI Agencies and boards may request a copy via the contact form below)
Section 6: Agreements with Treasurer's Office/Third Party Service Providers
Copies of all agreements with vendors processing credit card transactions and/or hosting your website. The Treasurer has a copy of the following agreement(s):
If you do not have a copy of the agreement(s), you can request it from the State Treasurer on the form below. If the Treasurer does not have a copy of the agreement(s), the state agency is responsible for requesting the agreement from the Third-Party Service Providers (TPSPs).
Request Additional Information or Forms: