PCI Compliance

Security Metrics PCI Questionnaire

In this Article

Filling out the Questionnaire

FAQ


Logging into Security Metrics and Filling out the Questionnaire

  1. Log into your Security Metrics account.
  2. On the Dashboard, click on the Get Started message.
  3. Click the Next button.
  4. Enter your business address and phone number.
  5. Click the Next button.

Scoping Process

The following questions determine which PCI compliance questionnaire you need to complete. (This article uses a winery that processes payments solely through Commerce7 as an example.)

  1. If you do not process payments outside of Commerce7, choose 'No'.
  2. If you have a website where customers can purchase your products, choose 'Yes'.
  3. If you have a terminal (for example, in your tasting room) that you use for processing, choose 'Yes'.

  4. Scroll down and choose whether you'd like to learn more about what Security Metrics has to offer and then choose the Next button.
  5. You will be presented with a message indicating which form you are to fill out. Click the Activate and Continue button.

Answering the Questions

Next, you will be asked a series of questions regarding data security.

Note that if you answer anything other than 'In Place' or 'Not Applicable' to any question, you will not pass compliance.

If you have any questions about what the questions mean or how to fill out the questionnaire, please contact Security Metrics Support:

Phone: 801.705.5700
Email: support@securitymetrics.com

  1. Click the Begin button.
  2. Policy Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance. 
  3. Click the Physical Address button to move to the next page.
  4. Physical Address Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance. 
  5. Click the Stored Data button to move to the next page.
  6. Stored Data Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance. 
  7. Click the Authentication button.
  8. Authentication Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance. 
  9. Click the Security Configuration button.
  10. Security Configuration Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance.
  11. Click the Secure Systems button.
  12. Secure Systems Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance.
  13. Click the Testing button.
  14. Testing Questions: Scroll down until you see the questions. Choose the applicable answers for your business. Note that if you do not choose 'In Place' or 'Not Applicable', you will not pass compliance.
  15. Click the Attest button. 
  16. If everything looks correct, check the box and click the Submit button.
  17. If you are compliant, then you will see the Congratulations screen and you're done!
  18. If you are not compliant, please contact Security Metrics for further assistance:
    Phone: 801.705.5700
    Email: support@securitymetrics.com

FAQ

  1. Is the email / questionnaire from Security Metrics legitimate? Is it spam or phishing?
    It is legitimate. Please fill it out. After you have successfully completed the questionnaire, you will be charged a PCI Management fee per month. You have 90 days to come into compliance to avoid the additional non-compliance fee.
  2. What happens if I don't complete the questionnaire? 
    If you do not complete the questionnaire (even if your winery is compliant), an additional fee per month will be added on top of the PCI Management fee as a non-compliance fee. These fees vary based on a number of factors including volume, business history, etc.
  3. Why do I have to fill out the questionnaire?
    PCI, or Payment Card Industry, includes the major card brands: Visa, Mastercard, Discover, American Express, and JCB. They have established a comprehensive set of security rules, the PCI Data Security Standard (PCI DSS), to protect card information in transactions. Your participation is crucial because your software's payment solution (Commerce7), partnered with Fullsteam, helps gather and report compliance to these brands. As a handler of card data, you must validate your adherence annually: you need to complete a Self-Assessment Questionnaire and submit an Attestation of Compliance. Quarterly scans are also essential for finding and addressing security gaps.
  4. Having issues with the questionnaire?
    Reach out to Security Metrics Support:
    Phone: 801.705.5700
    Email: support@securitymetrics.com
  5. How do I find my MID?
    You can find your MID under the Commerce7 Payments section of Settings > Payments.

  6. When a client is newly onboarding with C7 Payments, when should they expect to get their email for the PCI questionnaire?
    7 days after the first batch has settled, the merchant account is picked up and provided to Security Metrics for enrollment in PCI compliance. Once a successful transaction is processed through a MID, a daily task picks up the transaction and adds it to a queue in Security Metrics for boarding.
  7. Who is receiving the email from Security Metrics?
    The welcome email from Security Metrics is sent to the primary contact who is listed on the merchant agreement (MA) with Fullsteam. Additional users can be set up and added as administrators by the merchant. The primary contact has the ability to validate their SecurityMetrics user account and then add other employees as administrators. Alternatively, you can inform Commerce7 Support about any additional individuals who need to be set up under the merchant's Security Metrics account.