Although PayJunction is Level 1 PCI compliant (the highest level of compliance), it is still very important for each business to also be PCI compliant. Utilizing PayJunction's service covers some PCI requirements; however, it does not make a business PCI compliant.
PCI compliance should be obtained by all businesses to protect their customers and themselves from security threats. Although PayJunction highly recommends that every business be PCI compliant, we do not actively verify whether or not all businesses are PCI compliant. Therefore, unlike other merchant services, PayJunction does not impose any fees for SAQs and does not believe that PCI compliance should be treated as a profit center.
In order to be recognized as a PCI compliant business, merchants are responsible for following all PCI rules and guidelines. In order to confirm compliance, merchants must complete the Self-Assessment Questionnaire (aka SAQ). The Self-Assessment Questionnaire is a tool that allows each business to self-validate its processes with regard to cardholder data.
Self-Assessment Questionnaires are available for download, for free, on the PCI Security Standards Council's website (www.pcisecuritystandards.org). The PCI Security Standards Council recommends that businesses complete the SAQ each year.
The SAQ involves answering multiple questions that verify whether the business is following correct procedure on a number of topics, for example:
- Does the business regularly update the operating systems for all devices (Windows Updates, Apple/Mac Updates)? These updates are crucial to protect against potential security threats.
- Are software updates being regularly performed on all devices (computers, laptops, phones, routers)? For instance, Anti-Virus programs should be set to automatically download updates in order to ensure protection against the latest security threats. Also, internet browsers (Internet Explorer, Safari, Firefox, Chrome, etc.) should be regularly updated in order to ensure all security threats are patched.
- Is Anti-Virus software installed on all computers? This includes Macs. Apple products are also vulnerable to viruses.
- Is WiFi password protected?
- Are Card Numbers, Expiration Dates or any other cardholder data being stored anywhere other than PayJunction? We highly recommend against storing any cardholder data. Instead, it's best to rely on PayJunction to save this information for you.
- Does the business use any default passwords? For example: admin, password1, etc.
Most of the businesses that use PayJunction qualify for SAQ A, SAQ C-VT, or SAQ C. Make sure to select the SAQ that best describes your business.
Third Party Self Assessment Questionnaires
Certain third party providers like CHI Payment Systems (aka CardPayment Solutions / iPayment) and iPayment require you to submit your SAQ to them directly online. Merchants can find the SAQ website by clicking on the following link:
Username: MERCHANT NUMBER
Password: MERCHANT AND ZIP CODE (ex. 93101ca)
There is a phone number listed on the website, in case merchants need assistance with this process.