Getting Ready for PCI Scope Wizard Self Service 

Getting Ready Instructions

For the PCI Scope Wizard (Self-Service Edition)

Set Yourself Up for Success

Welcome!

Before beginning the PCI Scope Wizard, please take a few minutes to collect some information about your credit card collection and handling methods.

The Wizard asks questions about your collection methods to determine which Self-Assessment Questionnaires (SAQs) your organization is eligible to complete to achieve PCI compliance.

If you have already collected this information, the process will be quick and easy!

Information to Collect

Payment Processor General Information

1. List all credit card Payment Processors that you use to process transactions, for each separate payment method that you use to enter the card information:

  • Example 1: If your staff accept cards verbally by phone for manual entry into a card terminal connected to a payment processor, this is one payment method.
  • Example 2: If your customers tap or swipe cards in person, using a point-of-sale card terminal connected to a payment processor, this is another payment method.
  • Tip: For each method used, you need to know both how the card is entered for processing transactions and which payment processor is used with that method.

2. List your estimated Total Annual Number of credit card transactions:

  • Merchant Tip: For Merchants it is important to know if you process more than, or less than, Six Million transactions per year (estimates are acceptable).
  • Service Provider Tip: For Service Providers, it is important to know if you process more than, or less than, Three Hundred Thousand transactions per year (estimates are acceptable).

3. Confirm that you do not store credit card information electronically in any systems that your business directly manages or that operate on infrastructure you directly control:

  • Tip: Include all storage of credit cards on your own servers, databases, or other electronic systems you directly manage or host. Do not include storage by a PCI compliant Service Provider (e.g. a payment processor, or token service provider).
  • Example 1: If you store card information electronically in any application that you operate and manage, either on your own systems or in the cloud, whether encrypted or not, then you are storing cards electronically.
  • Example 2: If you can retrieve or view the original stored card information, after electronically storing it in any application, whether it was stored encrypted or not, then you are storing cards electronically.
  • Example 3: If you accept card information electronically by email or fax, whether it was encrypted or not, then you are storing cards electronically.

Card Present (In-Person) Payments

1. List all types of card readers that you are using in your business for your customers to enter/tap/swipe their own cards in person:

  • Stand-alone card readers that connect by a telephone jack (Dial-up)
  • Stand-alone card readers that connect by an Internet cable (PTS)
  • POS card readers or devices (example: connected to a Point-of-Sale system or to electronic cash drawers)
  • PCI-listed P2PE card reader solutions
  • PCI-listed SPoC card reader solutions
  • Mechanical card imprint devices that take carbon paper card copies
  • Tip: For all methods above, you need to know both the card reader type and which processor you use with this method to charge the sale amount to the card.
  • Tip: If you’re unsure of your card reader type, contact your service provider. You can also check your merchant agreement to confirm what equipment you purchased or leased.

2. If your staff accept card information verbally, visually or in writing, then list all methods your staff use to enter the card information for a transaction:

  • Tip: This includes any cases where staff “physically” enter card details into either a virtual terminal (payment software) or a hardware terminal (card reader).
  • Tip: For each method used, you need to know the card reader type or virtual terminal used by your staff, and which payment processor is used with it.
  • Example 1: Your staff might use a virtual terminal (software) provided by your payment processor to manually enter the card number for a transaction.
  • Example 2: Your staff might use a hardware terminal (such as a POS card reader) to manually enter the card number for a transaction.

Mail Order & Telephone Order (MOTO) Payments

1. If your staff accept card information, either verbally by phone, or by postal mail, list all methods that your staff use to process these transactions:

  • Tip: This includes any cases where staff “physically” enter card details into either a virtual terminal (payment software) or a hardware terminal (card reader).
  • Tip: For each method used, you need to know the card reader type or virtual terminal used by your staff, and which payment processor is used with it.
  • Example 1: Your staff might use a virtual terminal (software) provided by your payment processor to manually enter the card number for a transaction.

2. List any IVR phone payment systems used, that are fully managed by a PCI compliant third-party provider, to accept customer entry of card information:

  • Tip: This only includes IVR phone payment systems that are fully delivered by a PCI compliant Service Provider. Exclude any solutions that reside on your own infrastructure, and any hosted solutions that you can directly manage.

Online (Ecommerce / Bill Pay) Payments

1. List all online payment forms used, that are fully provided by a PCI compliant service provider to process credit card transactions:

  • Tip: All elements of the payment form must be delivered by a service provider. The form can be displayed on your site by either a URL redirect or an iframe, but no card information can be directly handled or transmitted by your own systems.

2. List all online payment forms used that are partly provided by a PCI compliant service provider and have some elements provided by your own systems:

  • Tip: Partly provided means that some fields in the actual payment form are displayed by, processed by, or transmitted by your own systems. This includes any fields on the form accessed by your systems by Direct Post or JavaScript.

3. List any online payment system that is fully managed by your own business:

  • Tip: This means all payment forms that are not delivered by a PCI compliant third-party Service Provider — your company manages the technology.
  • Example: You have a shopping cart, or built a payment page, that connects directly from your systems to your payment processor using an API or SDK.

Tips for Success

  • Work with your IT, Finance, and Customer Service teams to collect the required information.
  • If you are unsure about your card reader type, reach out to the vendor that supplied this hardware, or email us the terminal model and brand for help.
  • If unsure about your type of online payment solution, ask your IT team, contact the solution vendor, or email us for help.
  • Allow about 15–30 minutes to complete the Wizard once your information is ready.

Need Help?

Need expert help getting this done right?

Our PCI Scope Wizard Live is designed to guide you through the tough parts and save you hours of guesswork.

We’re here to help you move forward with confidence.

Thank you for taking the time to prepare. Your efforts today are a powerful first step toward simplifying your PCI compliance journey.
