Although PayJunction is Level 1 PCI compliant (the highest level of compliance), it is still very important for each business to also be PCI compliant. Utilizing PayJunction's service covers some PCI requirements; however, it does not make a business PCI compliant.
PCI compliance should be obtained by all businesses to protect their customers and themselves from security threats. However, PayJunction does not impose any fees for SAQs and does not believe that PCI compliance should be treated as a profit center.
To be recognized as a PCI compliant business, merchants are responsible for following all PCI rules and guidelines. To confirm compliance, merchants must complete the Self-Assessment Questionnaire (SAQ). The Self-Assessment Questionnaire is a tool that allows each business to self-validate its processes with regard to cardholder data.
PayJunction's PCI compliance program is available for all PayJunction merchants. The PCI Security Standards Council requires that businesses complete the SAQ each year.
The SAQ involves answering multiple questions that verify whether the business is following correct procedure on a number of topics, for example:
- Does the business regularly update the operating systems for all devices (Windows Updates, Apple/Mac Updates)? These updates are crucial to protect against potential security threats.
- Are software updates being regularly performed on all devices (computers, laptops, phones, routers)? For instance, Anti-Virus programs should be set to automatically download updates in order to ensure protection against the latest security threats. Also, internet browsers (Internet Explorer, Safari, Firefox, Chrome, etc.) should be regularly updated in order to ensure all security threats are patched.
- Is Anti-Virus software installed on all computers? This includes Macs. Apple products are also vulnerable to viruses.
- Is WiFi password protected?
- Are Card Numbers, Expiration Dates or any other cardholder data being stored anywhere other than PayJunction? We highly recommend against storing any cardholder data. Instead, it's best to rely on PayJunction to save this information for you.
- Does the business use any default passwords? For example: admin, password1, etc.
Most of the businesses that use PayJunction qualify for SAQ A, SAQ B-IP, or SAQ C-VT. Make sure to select the SAQ that best describes your business.