Schedule A/B/C/D Compliance - Self Assessment Questionnaire

The Self Assessment Questionnaire (SAQ) is a self-validation tool for merchants who, because of transaction volume or other criteria, are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level. Source: PCI 3.0 quick reference guide

The PCI council has established four main levels for merchant compliance: schedules 'A', 'B', 'C' or 'D', with some variations at each level. You can use the table to help determine the level that applies to your organization.


Compliance Summary

Theatre Manager can achieve compliance for

  • schedule 'A' using Moneris Hosted Payment Page and only web sales, with no cardholder data storage
  • schedule 'B' or 'B-IP' if using pin pad machines for walk up sales and Moneris Hosted Payment Page for web sales, with no cardholder data storage
  • schedule 'C' using a setting in System Preferences, for venues processing cards through TM for both box office and e-commerce -and- no storage of cardholder data
  • schedule 'D' using a setting in System Preferences, for venues processing cards through TM for both box office and e-commerce -and- storing cardholder data for any purpose, such as recurring transactions and post dated payments.


Compliance Levels

The inherent nature of the ticketing business with a combination of walk up, phone and/or internet sales means that Theatre Manager (or any other ticketing system for that matter - hosted or non-hosted) probably results in Schedule 'C' or 'D' compliance when card data is stored. Per the table above, Schedule 'A' may be possible for venues using Moneris Hosted Payment Page and e-commerce only. Schedule 'B' may be possible if using point of sale terminals and no card holder data storage.

  • Schedule "A": means that credit card information is never touched, stored or processed within an organization. This is possible for organizations doing web sales using a hosted payment page (e.g. Moneris Hosted Payment Page). If phone or walk up ticket sales by credit card are entered into a pin pad terminal, this may allow you to stay at Schedule 'A' or may move you to Schedule 'B' - please talk to your PCI assessor.
  • Schedule "B": could apply to merchants who only use point-of-sale terminals at the box office and do not store any card data:
    • Schedule 'B': merchants who do not use electronic processing and write credit card slips by hand fall under this level. Those that use standalone DIAL UP terminals to process credit cards may also qualify. DIAL UP means that the standalone POS terminal is not connected to a processor until an authorization is required. Not applicable to e-commerce channels.
    • Schedule 'B-IP': merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
  • Schedule "C": means that Theatre Manager will render the cards useless by shredding them after use and never storing the data in the database (voids are done by sending a token; refunds may need the card entered again). If you do not want credit card information onsite, please select this option and select a merchant provider from one of the Direct Credit Card Processors.

    This also changes which parts of the system need to be included in PCI scope.

  • Schedule "D": means that you wish to store some or all credit card data using strong encryption for a period of time. Possible uses are recurring credit card transactions for monthly donations, or the need to refund a patron if they are displeased with the show. If you choose this option, you can also choose how long to store data for previously authorized cards. After this 'Retention Period', all credit cards are shredded during a deposit (end of day process) unless still required for a future post dated payment, or the card has been specifically marked as retain permanently under the patron record.
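The Schedule 'D' retention rule above, written out as an added illustration (this is not Theatre Manager's code): a card survives the end-of-day deposit only if it is marked retain permanently, is still needed for a future post dated payment, or is within the retention period. The record fields, the sample patrons and the "on the boundary, keep" choice are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

# Constructed sample schema; the real Theatre Manager fields are not on the page.
@dataclass
class StoredCard:
    patron: str
    last_authorized: date                      # date of the last authorization
    retain_permanently: bool = False           # "retain permanently" on the patron record
    post_dated_payments: List[date] = field(default_factory=list)  # scheduled future payments


def must_retain(card: StoredCard, deposit_date: date, retention_days: int) -> bool:
    """True if this card must survive the deposit (end of day) shredding pass."""
    if card.retain_permanently:
        return True
    # A post dated payment still in the future needs the card number.
    if any(due > deposit_date for due in card.post_dated_payments):
        return True
    # Inside the configured retention period (boundary day counts as inside).
    return deposit_date - card.last_authorized <= timedelta(days=retention_days)


def shred_at_deposit(cards: List[StoredCard], deposit_date: date,
                     retention_days: int) -> Tuple[List[str], List[str]]:
    """Split stored cards into (kept, shredded) patron names for one deposit run."""
    kept, shredded = [], []
    for card in cards:
        (kept if must_retain(card, deposit_date, retention_days) else shredded).append(card.patron)
    return kept, shredded


# Constructed sample data: a 30 day retention period and a deposit on 2024-03-01.
RETENTION_DAYS = 30
DEPOSIT_DATE = date(2024, 3, 1)
SAMPLE_CARDS = [
    StoredCard("alice", date(2024, 1, 10)),                                   # 51 days old: shred
    StoredCard("bob", date(2024, 2, 20)),                                     # 10 days old: keep
    StoredCard("carol", date(2024, 1, 1), post_dated_payments=[date(2024, 4, 1)]),  # future payment: keep
    StoredCard("dave", date(2023, 6, 1), retain_permanently=True),            # flagged: keep
    StoredCard("erin", date(2024, 1, 1), post_dated_payments=[date(2024, 2, 15)]),  # payment already past: shred
]

if __name__ == "__main__":
    kept, shredded = shred_at_deposit(SAMPLE_CARDS, DEPOSIT_DATE, RETENTION_DAYS)
    print("kept:", kept)          # kept: ['bob', 'carol', 'dave']
    print("shredded:", shredded)  # shredded: ['alice', 'erin']
```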