My system is passed card data securely over HTTPS from an upstream system. The upstream system captures information via telephone input. This telephone input is sent to us, to invoke payments via Paycorp's API (Paycorp is PCI compliant). The upstream system is a different vendor, and they are handling their environment's PCI compliance assessment.

Our application receives this data, and then transmits the credit card numbers to Paycorp.

We do not store any card data, log, or record any CC information. We only transmit.

I am having a hard time working out which self-assessment questionnaire to fill out.

I feel as though it doesn't fall into any category outlined here: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment

But I also don't feel like that justifies it being SAQ D. So which SAQ fits my circumstance?

chicks
Sim

1 Answer

Unfortunately for you, because the raw card data transits your servers in cleartext, you have to use SAQ D, and because you aren't the merchant yourself, it would be SAQ D for Service Providers.

There may be entire sections of the SAQ that don't apply to you and can just be marked N/A, but you still have to fill out the whole thing.

If you could get the upstream system to encrypt the card data in a way that only Paycorp can decrypt (public key cryptography is good for this), you'll no longer have cleartext card numbers, and can probably use a shorter SAQ - or at least be able to mark even more of SAQ D as N/A. But if that's not an option, you're stuck with it. Sorry.

Bobson
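The answer's suggestion is end-to-end encryption: the upstream telephone-capture system encrypts the PAN so that only the processor can decrypt it, and the middle system forwards an opaque blob. The following is an added illustration, not code from the answer, from the asker's system or from Paycorp, of what that looks like as a hybrid envelope: a one-time AES-256-GCM key wrapped with RSA-OAEP under the processor's public key, with the transaction ID bound in as GCM additional data so an envelope cannot be replayed against a different transaction. Everything here is hypothetical: the `Envelope` wire format, the OAEP label, the `Forward` guard on the intermediary, and the test PAN. A real processor would publish its own key and envelope format, and that format, not this one, is what you would integrate against.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Envelope is the only thing the intermediary ever handles: a key wrapped to the
// processor's public key plus an AES-GCM ciphertext. No field is a cleartext PAN.
// (Hypothetical wire format; a real processor defines its own.)
type Envelope struct {
	WrappedKey string `json:"wrapped_key"` // RSA-OAEP(SHA-256) of a one-time AES-256 key
	Nonce      string `json:"nonce"`       // 96-bit GCM nonce
	Ciphertext string `json:"ciphertext"`  // AES-256-GCM(PAN) with the tag appended
}

// oaepLabel domain-separates this envelope's key wrapping from any other OAEP use.
var oaepLabel = []byte("card-envelope-v1") // assumed label, not a processor constant

// NewProcessorKey stands in for the processor's key pair. In practice the
// processor publishes the public half and the private half never leaves them.
func NewProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the upstream (telephone capture) system. txnID is bound in as
// GCM additional data, so the envelope only opens for that transaction.
func Seal(pub *rsa.PublicKey, pan, txnID string) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 key per card number
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(txnID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	return &Envelope{WrappedKey: enc(wrapped), Nonce: enc(nonce), Ciphertext: enc(ct)}, nil
}

// Open runs only at the processor, the sole holder of the private key.
func Open(priv *rsa.PrivateKey, env *Envelope, txnID string) (string, error) {
	dec := base64.StdEncoding.DecodeString
	wrapped, err := dec(env.WrappedKey)
	if err != nil {
		return "", err
	}
	nonce, err := dec(env.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := dec(env.Ciphertext)
	if err != nil {
		return "", err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return "", errors.New("envelope rejected: key unwrap failed")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(txnID))
	if err != nil {
		return "", errors.New("envelope rejected: wrong transaction id or tampered ciphertext")
	}
	return string(pt), nil
}

// panPattern is a coarse guard for a bare 13-19 digit run, the shape of a PAN.
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// Forward is the intermediary's whole job: serialise and pass the envelope on.
// The guard refuses anything that looks like a cleartext PAN, which is the
// property that keeps card numbers out of this system's scope.
func Forward(env *Envelope) ([]byte, error) {
	b, err := json.Marshal(env)
	if err != nil {
		return nil, err
	}
	if panPattern.Match(b) {
		return nil, errors.New("refusing to forward: payload contains a cleartext PAN")
	}
	return b, nil
}

func main() {
	priv, _ := NewProcessorKey()
	// Constructed test value (the well-known Visa test PAN), not a real card.
	env, _ := Seal(&priv.PublicKey, "4111111111111111", "txn-0001")
	wire, _ := Forward(env)
	fmt.Printf("intermediary sees: %s\n", wire)
	pan, err := Open(priv, env, "txn-0001")
	fmt.Println("processor recovers:", pan, err)
}
```

The key point for scoping is what `Forward` sees: base64 of a wrapped key, a nonce and a GCM ciphertext, and nothing it could decrypt, because the only key that unwraps the envelope lives at the processor. Whether that actually shortens your SAQ is a conversation to have with your QSA, not something the code decides.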