I'm hoping someone here can help me. I'm attempting to get the small nonprofit I work at PCI compliant, as we have been paying an additional $20/month in noncompliance fees to our processor since we started taking credit cards YEARS ago (apparently I'm the only person to look at statements).
I'm not an IT person, I do accounting/billing. We process credit cards two ways. First, 95% of our credit card payments are entered into our software which then speaks to the processor. We access this software through a remote server physically located in Denver. Second, the remaining 5% of our credit card payments are entered on my computer keyboard directly into the processor website (this is for recurring payments, which we have to enter manually into our software after the payment has processed).
So my questions are:
- Am I correct that given the way we take payments we should complete PCI SAQ C?
- Do I need to involve both the county IT people that we contract with for services in our offices and the software IT people located in Denver, given the way we take payments? If so, do I need to ensure that the answer to each question matches for both of them?
- Most importantly, when the questions referenced in my title talk about limiting outbound traffic (all inbound is limited per our county IT people; I'm having difficulties getting answers back from our software IT people in Denver), does that mean that the computer(s) we use to process credit cards need to be completely limited to only processing credit cards? This would be quite an inconvenience, and I don't know many small businesses (hotels especially immediately come to mind) that limit their computer functions in this way. If I'm misunderstanding the requirements, can someone explain them in more depth?