PCI Compliance

Security Metrics PCI Questionnaire

In This Article

Logging into Security Metrics and answering questions


Logging into Security Metrics and Answering Questions

  1. Log in to Security Metrics
  2. Accept Terms
  3. Click Getting Started
  4. Verify Customer Information
  5. Select processing methods:

    Note: If you're only processing on Fullsteam Payments, and not utilizing any other vendors or applications to process payments, you can answer the processing questions as below.

    • If you have EMV terminals
      • Select "Terminal"
      • Select "My terminal features validated P2PE(point-to-point encrypted) hardware"
    • If you have a website integrated with Commerce7
      • Select "eCommerce"
      • Select "I accept payments through a 3rd Party Store (Amazon, Etsy, etc)"

    image (3)-1

  6. Electronic Storage
    All cardholder data is managed by Commerce7, so this answer should be No, unless you have processes or systems in place to record phone calls or receive credit cards through other electronic methods outside of Commerce7.
  7. Questionnaire Type 
    SAQ A 3.2.1. Click Activate and Continue.
  8. Verify SAQ A 3.2.1 is the correct form.
    Commerce7 is a PCI compliant third party provider, if we are the only vendor handling all your cardholder transmission and processing, and you do not store cardholder data electronically through other means, then click continue.
  9. Answer SAQ A security questions (5 pages).
    1. Note: When you get to the end of the SAQ, you will be presented with the 'How do you accept Cards' page. Scroll to the Web Host section.
      image (3)-2
    2. Type in 'Commerce7' and click the Add button.
      image (4)-1
    3. Once added, it will be highlighted yellow and look like this:
      image (5)
  10. Once you have completed the questions, you will be taken back to the Dashboard to view your compliance status. 


  1. Is the email / questionnaire from Security Metrics legitimate? Is it spam or phishing?
    It is legitimate. Please fill it out.
  2. What are the Security Metrics fees? If you successfully complete the questionnaire, you will be charged a PCI Management fee per month. However, if you do not complete the questionnaire (even if your winery is compliant), an additional fee per month will be added on top of the PCI Management fee as a non-compliance fee. These fees vary based on a number of factors including volume, business history, etc.
  3. Why do I have to fill out the questionnaire?
    PCI, or Payment Card Industry, includes major card brands like Visa, Mastercard, Discover, American Express, and JCB. They've set up comprehensive security rules, the PCI Data Security Standards (PCI DSS), to protect card info in transactions. Your participation is crucial as your software's payment solution (Commerce7), partnered with Fullsteam, helps gather and report compliance to these brands. As a card data handler, annual validation of adherence is necessary. You need to submit an Attestation of Compliance and complete a Self-Assessment Questionnaire. Quarterly scans are essential too, finding and addressing security gaps. 
  4. Having issues with the questionnaire?
    Reach out to Security Metrics Support
    Phone: 801.705.5700
    Email: support@securitymetrics.com
  5. How do I find my MID?
    You can find your MID under the Commerce7 Payments section of Settings > Payments.
    Screen Shot 2023-08-30 at 3.50.25 PM
  6. I filled out the form incorrectly. How can I restart the process?
    Click the Restart SAQ link at the bottom of the page.

    Click the Confirm button to restart.
  7.  When a client is newly onboarding with C7 Payments, when should they expect to get their email for the PCI questionnaire?
    Two weeks after processing their first payment, the merchant account is picked up and provided to Security Metrics to be enrolled in PCI compliance. Once a successful transaction is processed through a MID, a daily task is triggered to pick up the transaction and add it to a queue in Security Metrics for boarding.
  8. Who is receiving the email from Security Metrics?
    The welcome email from Security Metrics is sent to the primary contact who is listed on the merchant agreement (MA) with Fullsteam. Additional users can be set up and added as administrators by the merchant. The primary contact has the ability to validate their SecurityMetrics user account and then add other employees as administrators. Alternatively, you can inform Commerce7 Support about any additional individuals who need to be set up under the merchant's Security Metrics account.