Getting Ready for PCI Scope Wizard Self Service 

Getting Ready Instructions

For the PCI Scope Wizard (Self-Service Edition)

Set Yourself Up for Success

Welcome!

Before beginning the PCI Scope Wizard, please take a few minutes to collect some information about your credit card collection and handling methods. We recommend that you print this page and write down all your details before heading back to the PCI Scope Wizard.

The PCI Scope Wizard will ask questions about your card collection methods to determine which Self-Assessment Questionnaires (SAQs) your organization is eligible to complete in order to achieve PCI compliance.

If you have already collected this information, the process will be quick and easy!

Information to Collect

Payment Processor General Information

1. List all credit card Payment Processors that you use:

A “payment processor” is a type of service provider that processes credit card transactions on the behalf of merchants, including directly communicating with the card issuer to authorize the card and settle payments of these transactions. When reporting for PCI compliance, you will also need to collect additional information about each connected “payment method” that you use to process credit card transactions with each payment processor you have listed.

  • Example 1: If customers tap cards at a point-of-sale card terminal that’s connected to one payment processor, this is one “payment method”.
  • Example 2: If customers tap cards at a point-of-sale card terminal that’s connected to a different payment processor, then this is another “payment method”.

2. List your Total Annual Number of credit card Transactions:

Enter the total number (not the dollar amount) of card transactions processed each year. A close estimate is acceptable. If you use more than one payment processor, you will also need to list the annual number of transactions for each processor.

  • Merchant Tip: For Merchants it is important to know if you process more than, or less than, Six Million transactions per year (estimates are acceptable).
  • Service Provider Tip: For Service Providers, it is important to know if you process more than, or less than, Three Hundred Thousand transactions per year (estimates are acceptable).

3. Electronic Storage of Payment Card data in Merchant Systems:

Confirm that you do not store credit card information electronically in any systems or applications that your business directly manages or that operate on infrastructure you directly control. This includes all storage of credit cards on your own servers, databases, or other electronic systems you directly manage or host. This does not include storage by a PCI compliant Service Provider (e.g. a payment processor, or token service provider).

  • Example 1: If you store card information electronically in any applications, systems, or infrastructure that your business either directly manages or hosts, then you are storing cards electronically.
  • Example 2: If you can retrieve or view the original stored card information, after electronically storing it in any application, whether it was stored encrypted or not, then you are storing cards electronically.
  • Example 3: If you accept card information electronically by email or fax, whether it was encrypted or not, then you should also report this as storing cards electronically in your systems, and speak to a PCI QSA about the reporting requirements.

Card Present (In-Person) Payments

1. Customer Card Entry in Terminals:

List all types of card readers (terminals) that your business uses for customers to enter/tap/swipe their own cards in person. For each of these payment methods used, you will also need to identify what payment processor is connected to each terminal you have listed. Refer to the descriptions of the various methods listed below:

Dial-up terminals – Stand-alone card readers that are connected by a telephone line (dial-up) to a processor.

PTS terminals – Stand-alone card readers that are connected by the internet to a processor. PTS terminals also accept PIN code entry for debit card transactions. Do not include terminals that are connected to a POS system.

POS terminals – Integrated or Semi-Integrated card readers that are connected to a POS system to exchange sales data with merchant records, including terminals that are connected to electronic cash drawers or self-serve check-out kiosks. Do not include terminals that are part of a PCI listed P2PE system.

P2PE systems – Secure card readers that are part of a P2PE certified solution. Contact your vendor to verify if your system is P2PE listed.

SPoC systems – Secure card readers that are part of a SPoC certified solution, and which use a separate merchant operated mobile device or tablet for PIN code entry. Contact your vendor to verify if your system is SPoC listed.

Card Imprinters – Mechanical devices that take a carbon paper copy of the card (also referred to as “knuckle busters”).

  • Tip: For each electronic method above, you also need to know the card reader Brand and Model.
  • Tip: If you’re unsure of your terminal types (i.e., whether your terminal is a PTS terminal or a POS terminal) contact your terminal vendor. You can also check your merchant agreement to confirm what equipment you purchased or leased.

2. Staff Manual Card Entry in Person:

If your staff accept card information physically in person, then for each payment processor(s) that you use, list these payment methods (refer to the descriptions of the applicable card present methods listed below):

  • Example 1: Your staff might use a virtual terminal (a software app), in a browser, to manually enter a transaction.
  • Example 2: Your staff might use a hardware terminal (such as POS card reader), to manually enter a transaction.

Virtual Terminal Software – A third-party hosted software application that accepts manual card entry for payment processing. Most commonly this is the merchant terminal application that is hosted by your payment processor or payment gateway.

Dial-up terminals – Stand-alone card readers that are connected by a telephone line (dial-up) to a processor.

PTS terminals – Stand-alone card readers that are connected by the internet to a processor. PTS terminals also accept PIN code entry for debit card transactions. Do not include terminals that are connected to a POS system.

POS terminals – Integrated or Semi-Integrated card readers that are connected to a POS system to exchange sales data with merchant records, including terminals that are connected to electronic cash drawers or self-serve check-out kiosks. Do not include terminals that are part of a PCI listed P2PE system.

Card Imprinters – Mechanical devices that take a carbon paper copy of the card (also referred to as “knuckle busters”).

  • Tip: Include all cases where staff “physically” enter card details into either a virtual terminal (payment software) or into a hardware terminal (card readers).
  • Tip: For each electronic method above, you also need to know the card reader Brand and Model or the Virtual Terminal vendor.

Mail Order & Telephone Order (MOTO) Payments

1. Customer Card Entry in third-party hosted IVR Payments systems:

If your customers can directly enter their own card info by phone keypad in any IVR Payment applications that are fully hosted by a PCI compliant third-party service provider, then list these payment methods for each payment processor(s) that you use with these:

IVR Phone Payments Software – A third-party hosted IVR software application that accepts customer card entry over the phone. Do not include systems that your business hosts on your own infrastructure or that you self-manage on leased cloud infrastructure.

  • Tip: If you host your own IVR Payments solution on your own infrastructure, including self-managed cloud based infrastructure, speak to a PCI QSA about the reporting requirements. For our scope evaluation questionnaire here, treat these as being a self-hosted ecommerce solution.

2. Staff Manual Card Entry from Phone or Mail Orders:

If your staff accept card information verbally by phone, or by mail, then for each payment processor(s) that you use, list these payment methods:

Virtual Terminal Software – A third-party hosted software application that accepts manual card entry for payment processing. Most commonly this is the merchant terminal application that is hosted by your payment processor or payment gateway.

Dial-up terminals – Stand-alone card readers that are connected by a telephone line (dial-up) to a processor.

PTS terminals – Stand-alone card readers that are connected by the internet to a processor. PTS terminals also accept PIN code entry for debit card transactions. Do not include terminals that are connected to a POS system.

POS terminals – Integrated or Semi-Integrated card readers that are connected to a POS system to exchange sales data with merchant records, including terminals that are connected to electronic cash drawers or self-serve check-out kiosks. Do not include terminals that are part of a PCI listed P2PE system.

  • Tip: Include all cases where staff “physically” enter card details in either a virtual terminal (payment software) or in a hardware terminal (card readers).
  • Tip: For each electronic method above, you also need to know the card reader Brand and Model or the Virtual Terminal vendor.

Online (Ecommerce / Bill Pay) Payments

1. Customer Card Entry in fully third-party hosted Online Payment Forms:

If your customers can directly enter their own card information online in Payment Form applications that are fully hosted by PCI compliant third-party service providers, then list this payment method for each payment processor(s) that you use with these applications:

Hosted Payment Forms – A fully third-party hosted online payment application that accepts customer card entry. Your website may use a redirect URL to link customers to this payment page. Do not include if your business hosts these payment forms or directly transmits any card data.

  • Tip: All elements on the payment form must be delivered by a service provider (the form can be linked to by your own website using a URL redirect, but no card information can be directly handled or transmitted by your own system.)

2. Customer Card Entry in partly third-party hosted Online Payment Forms:

If your customers can directly enter their own card information online in Payment Form applications that are “partly” hosted by PCI compliant third-party service providers, then list this payment method for each payment processor(s) that you use with these applications:

Partly Hosted Payment Forms – A “partly” third-party hosted online payment application that accepts customer card entry. Your website may use Direct Post, JavaScript, or an iframe to embed the payment form on your own webpage or shopping cart. Do not include if your business hosts these payment forms or directly transmits any card data.

  • Tip: Partly hosted means that some fields in the actual payment form are displayed by, processed by, or transmitted by your own systems. This includes any fields on the form accessed by your systems by Direct Post or JavaScript.

3. Customer Card Entry in self-hosted Online Payment Forms:

If your customers can directly enter their own card info online in Payment Form applications that are self-hosted, then list this payment method for each payment processor(s) that you use with these applications:

Self-Hosted Payment Forms – A self-hosted online payment application that accepts customer card entry and directly transmits card information to the payment processor using an API connection with your own webpage, shopping cart, or other applications that you host.

  • Tip: If you are unclear whether your Payment Form solution is self-hosted, i.e., whether your own systems are directly integrated with your payment processor, speak to the IT team that manages this solution for you.
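Which of the three form categories above applies depends on what your own checkout page does with card fields: a fully hosted form is reached by a redirect and puts no card inputs on your page; a partly hosted form embeds provider content (an iframe) or renders card fields on your page that are posted or scripted straight to the provider; a self-hosted form sends card fields to your own server. The Python script below is an added example, not part of this worksheet or of any vendor product: it applies those rules as heuristics to constructed page markup for all three categories. The field names, hosts (`pay.provider.example`, `shop.example`) and matching rules are assumptions made for the example, and it inspects static HTML only, so it cannot see card data collected by script at run time; treat its output as a starting point for the conversation with your IT team, not as a scope determination.

```python
import re
from urllib.parse import urlparse

# Input/select names that commonly carry cardholder data (constructed heuristic).
CARD_FIELD_RE = re.compile(
    r"<(?:input|select)\b[^>]*\bname\s*=\s*[\"']?"
    r"(?:card[_-]?number|cardnumber|pan|ccnum|cvv|cvc|exp[_-]?(?:month|year|iry))\b",
    re.IGNORECASE,
)
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
ACTION_RE = re.compile(r"\baction\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
LINK_RE = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Constructed sample checkout pages for the merchant site shop.example (hypothetical).
SAMPLE_REDIRECT = (
    '<html><body><a href="https://pay.provider.example/checkout/123">Pay now</a></body></html>'
)
SAMPLE_IFRAME = (
    '<html><body><iframe src="https://pay.provider.example/embed?merchant=42"></iframe></body></html>'
)
SAMPLE_DIRECT_POST = (
    '<form action="https://pay.provider.example/direct" method="post">'
    '<input name="card_number"><input name="cvv"></form>'
)
SAMPLE_SELF_HOSTED = (
    '<form action="/checkout/charge" method="post">'
    '<input name="card_number"><input name="expiry"></form>'
)


def is_third_party(url: str, merchant_host: str) -> bool:
    """True when the URL names a host other than the merchant's own site."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host != merchant_host.lower()


def classify_payment_page(html: str, merchant_host: str) -> str:
    """Sort a checkout page into the worksheet's hosted / partly hosted / self-hosted buckets."""
    if CARD_FIELD_RE.search(html):
        # Card fields are rendered by the merchant's own page, so it is never "fully hosted".
        for attrs, body in FORM_RE.findall(html):
            if CARD_FIELD_RE.search(body):
                action = ACTION_RE.search(attrs)
                if action and is_third_party(action.group(1), merchant_host):
                    return "partly-hosted (direct post)"
                return "self-hosted"  # posts to the merchant's own server (or the same page)
        return "partly-hosted (javascript)"  # fields exist outside any form: a script collects them
    for src in IFRAME_SRC_RE.findall(html):
        if is_third_party(src, merchant_host):
            return "partly-hosted (iframe)"
    for attrs, _body in FORM_RE.findall(html):
        action = ACTION_RE.search(attrs)
        if action and is_third_party(action.group(1), merchant_host):
            return "fully-hosted (redirect)"  # e.g. an order id posted to the provider's page
    for href in LINK_RE.findall(html):
        if is_third_party(href, merchant_host):  # heuristic: any off-site link counts as a redirect
            return "fully-hosted (redirect)"
    return "no payment form found"


if __name__ == "__main__":
    for name, page in [("redirect", SAMPLE_REDIRECT), ("iframe", SAMPLE_IFRAME),
                       ("direct post", SAMPLE_DIRECT_POST), ("self-hosted", SAMPLE_SELF_HOSTED)]:
        print(f"{name:12s} -> {classify_payment_page(page, 'shop.example')}")
```

The ordering of the checks is the point: the presence of card inputs in your own markup is decided first, because once your page renders those fields the form is at best partly hosted, regardless of where it later posts.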

More Tips for Success

  • Work with your IT, Finance, and Customer Service teams to collect the required information.
  • If you are unsure about your card reader type, reach out to the vendor that supplied this hardware, or review your hardware lease for help.
  • If unsure about your type of online payment solution, ask your IT team, contact the solution vendor, or email us for help.
  • Allow about 15–30 minutes to complete the Wizard once your information is ready.

Need Help?

Need expert help getting this done right?

Our PCI Scope Live Session is designed to guide you through the tough parts and save you hours of guesswork.

We’re here to help you move forward with confidence.

Thank you for taking the time to prepare. Your efforts today are a powerful first step toward simplifying your PCI compliance journey.

We’re Here to Help.
