PCI Smart helps your business complete and validate PCI compliance for card payments processed through Pocketbook.
This article explains what PCI Smart is, why it's required, how to access the questionnaire, and how to answer questions based on your relationship with Pocketbook.
1. What is PCI Smart?
PCI Smart is a compliance tool that helps businesses complete their annual Payment Card Industry Data Security Standard (PCI DSS) requirements.
PCI standards are designed to protect cardholder data wherever it is stored, processed, or transmitted. Every business that accepts card payments is responsible for validating and maintaining PCI compliance each year.
PCI Smart walks you through this process by asking questions about how your business accepts and processes card payments. Based on your answers, PCI Smart assigns the appropriate Self-Assessment Questionnaire (SAQ).
2. Why do I need to complete the PCI Smart Questionnaire?
As a business that accepts card payments, you are ultimately responsible for protecting your customers' cardholder data.
This questionnaire validates that you are following the PCI DSS requirements that apply to how your business accepts payments. PCI Smart is the tool used to complete and record that validation; the requirements themselves come from the PCI DSS.
Key things to know:
- PCI compliance must be completed once per year.
- After the account is approved, merchants typically have 90 days to complete the questionnaire.
- A $15 monthly non-compliance fee will apply if compliance is not completed within the required timeframe.
3. How to access the PCI Smart Questionnaire
Log in through the PCI Smart website
- Go to pcismart.com.
- Select Get Started Today!
- Do not select First Time User.
- Log in using:
- Username: Your 16-digit Merchant Identification Number (MID)
- Password: The last 5 digits of your MID followed by the 2-letter postal abbreviation for your state
The email you received after your application was approved contains your MID. Because both the username and the initial password are derived from the MID, treat that email and your MID as sensitive.
Example: If the last 5 digits of your MID are 12345 and your business is in Alabama, your password would be 12345AL. No spaces, and the state abbreviation should be capitalized.
4. How to Complete the Pre-Assessment
Before assigning you a questionnaire, PCI Smart will ask a series of questions about how your business accepts and processes card payments. Your answers to these questions determine which questionnaire (SAQ) you're assigned.
Answer every question based on how your business accepts payments through Pocketbook only.
Do not include other payment methods, websites, physical terminals, processors, or merchant relationships your business uses outside of Pocketbook.
For example, if your business accepts card-present payments through a separate terminal, that should not be included in this assessment unless specifically instructed otherwise.
Use the guidance below to answer each question based on your relationship with Pocketbook. Answering accurately ensures you're assigned the correct questionnaire for your business.
Part 1: Merchant Information
Q1: Is your organization a service provider as defined by the PCI Council?
Answer: No
Reason: Your business is completing this questionnaire as a merchant that accepts payments through Pocketbook — not as a service provider. Even though Pocketbook and its payment partners help facilitate payment processing, your business is not considered a service provider in this context.
Part 2: Merchant Business Payment Channels
Q1: Indicate all payment channels used by the business that are included in this assessment.
Answer: Select E-Commerce
Reason: Payments made through Pocketbook are completed electronically through a secure online payment experience. Even if your business accepts payments through other channels, this assessment should reflect only how payments are accepted through Pocketbook.
Q1 Follow-up: Do you electronically store or transmit consumer account data?
Answer: No
Reason: Pocketbook’s partner, Deluxe, handles cardholder data. Your business does not directly store, process, or transmit sensitive payment information through Pocketbook.
Q2: Are any payment channels not included in this assessment?
Answer: No
Reason: This assessment is scoped to your use of Pocketbook. The relevant payment activity is covered under the E-Commerce selection.
Part 3: Relationships
Q1: Do you have relationships with third-party service providers that handle your account data, such as payment gateways or processors?
Answer: Yes
Reason: Pocketbook’s merchant processing partner, Deluxe, processes payments on your behalf, which counts as a third-party service provider relationship for the purposes of this questionnaire.
Q2: Do you engage with third-party service providers managing system components within your PCI DSS assessment scope?
Answer: Yes
Reason: The payment experience provided through Pocketbook depends on third-party payment systems and infrastructure through Deluxe. Even though your business does not directly manage these systems, they are part of the overall payment flow used to process payments through Pocketbook.
Q3: Do you work with third-party service providers that could impact the security of your Cardholder Data Environment?
Answer: No
Reason: Your business does not directly handle or control systems that store or process cardholder data. Pocketbook and Deluxe manage the secure handling of cardholder data on your behalf.
Service Provider Details:
If the questionnaire asks you to enter service provider details, use the following:
| Field | Value |
|---|---|
| Service Provider | Deluxe |
| Description | Payment processor |
Part 4: Processing Solution
Q1: What solution do you use to process credit cards?
Answer: Select Moto/E-commerce
Reason: Payments made through Pocketbook are completed electronically through an online payment experience. Complete this section based only on how payments are processed through Pocketbook.
Add Solution Details
After selecting Add Solution, enter the following:
| Field | Value |
|---|---|
| Service Provider | Deluxe Corporation |
| Service Name | Third Party Servicer |
Part 5: Additional Questions
Q1: Do you store any sensitive cardholder data electronically?
Answer: No
Reason: Sensitive cardholder data is securely handled by Pocketbook and Deluxe. Your business does not store or have access to sensitive cardholder data through Pocketbook.
Q2: Does your business use network segmentation to affect the scope of your PCI DSS environment?
Answer: No
Reason: Because your business does not directly manage, store, or process cardholder data through Pocketbook, network segmentation is not applicable for this assessment.
Q3: How do you process payments? (MOTO/E-Commerce section)
Answer: Select Hosted Payment and iFrame
Reason: Payments are completed through a secure, hosted payment experience provided by Pocketbook and Deluxe. Your business does not directly handle card information — Pocketbook and Deluxe handle the secure payment flow.
Even if the option includes "iFrame," the key point is that your business is not directly collecting or managing cardholder data.
Q4: Does your website use either a redirection mechanism or an embedded payment form?
Answer: No
Reason: Your customers complete payment through a secure, hosted experience provided by Pocketbook and Deluxe — not directly on your business's website.
5. Your Assigned Questionnaire
Once you've completed the pre-assessment questions above, PCI Smart will assign you a questionnaire based on your answers. By following the guidance in this article, you'll be directed to Questionnaire A (SAQ A), which applies to merchants that fully outsource payment processing and don't directly store, process, or transmit cardholder data. That describes your relationship with Pocketbook.
If PCI Smart asks you to select a questionnaire manually, choose Questionnaire A.
Questionnaire A Guidance
While completing Questionnaire A, you may see questions about storing cardholder data, restricting physical access, or maintaining security policies. Use the following guidance:
- Electronic storage: Your business does not store full card numbers, card verification codes, or PIN data through Pocketbook. You may see limited or masked payment information, but not sensitive cardholder data.
- Physical access: If your business does not store paper records containing sensitive cardholder data related to Pocketbook payments, physical access requirements likely do not apply.
- Security policies: Even though Pocketbook and Deluxe handle sensitive payment data, your business may still be expected to maintain reasonable security practices for employees, devices, passwords, and access to business systems.
Once Completed
PCI Smart will determine whether any additional steps are needed. Depending on your answers, PCI Smart may:
- Confirm your compliance status
- Determine whether network vulnerability scans are required
- Prompt you to schedule or complete additional actions
In most cases, the initial steps should take 30 minutes or less. Once complete, your compliance status will be recorded in PCI Smart.
Still need help? Contact Support@Pocketbook.tech