The Self Assessment Questionnaire (SAQ) is a self-validation tool for merchants who, because of transaction volume or other criteria, are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.
Source: PCI 1.2 quick reference guide
The PCI council has established 4 levels for merchant compliance: schedules 'A', 'B', 'C' or 'D'. Use the table below to determine the level that applies to your organization.
Theatre Manager can easily achieve schedule 'C' or 'D' compliance. Schedules 'A' and 'B' are far more difficult to achieve because of the definitions the PCI council provides: essentially you must process credit cards on paper and/or use older, dial-up only, stand-alone terminals. Any merchant with walk-up ticket sales of any volume and/or the faster stand-alone internet terminals automatically defaults to Schedule 'C' as the minimum possible level under the PCI definition.
Because the ticketing business inherently combines walk-up, phone and/or internet sales, Theatre Manager (or any other ticketing system, hosted or non-hosted) needs to ensure that a vendor has their choice of Schedule 'C' or 'D' compliance, since the others are not possible and are intended to help small-volume mom-and-pop corner stores be compliant through manual processing.
- Schedule "C": means that Theatre Manager will store the credit cards in 3DES format and then render the cards useless by shredding them during batch settlement in the end-of-day process, after which they are no longer required for voids. If you do not want credit card information onsite, please select this option along with Paymentech Orbital or Authorize.net as the merchant services provider.
- Schedule "D": means that you wish to store some or all credit card data in 3DES encrypted format for a period of time. Possible uses are recurring credit card transactions for monthly donations. If you choose this option, you can also choose how long to store data for previously authorized cards. After this 'Retention Period', all credit cards are shredded during a deposit (end-of-day process) unless the card is still required for a future post-dated payment, or it has been specifically marked as retain permanently on the patron record.
- Schedule "A": means that credit card information is never touched, stored or processed within an organization. This is not possible for any organization with walk-up ticket sales that might include payment by credit card.
- Schedule "B": applies to two types of merchants. Those who do not use electronic processing and write credit card slips by hand could apply to this level. Also, those that use stand-alone DIAL UP terminals to process credit cards could apply. DIAL UP means that the stand-alone POS terminal is not connected to a processor until an authorization is required. Any merchant with fast authorization through internet connectivity cannot apply for Schedule 'B' compliance, even with stand-alone terminals.
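A worked model of the end-of-day shred rule described for schedules 'C' and 'D' above, added here as an example and not Theatre Manager's own code. The card fields, the choice to treat the retention boundary day as elapsed, and the sample records are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class StoredCard:
    card_id: str                      # internal id only; no PAN is modelled here
    last_authorized: date             # date of the last authorization on this card
    retain_permanently: bool = False  # patron-record "retain permanently" flag
    post_dated_payments: List[date] = field(default_factory=list)


def should_shred(card: StoredCard, schedule: str, today: date, retention_days: int = 0) -> bool:
    """Decide whether the encrypted card data is shredded in today's end-of-day run."""
    if schedule == "C":
        # Schedule C: every card is rendered useless once the batch settles.
        return True
    if schedule != "D":
        raise ValueError("only schedules C and D are modelled here")
    if card.retain_permanently:
        return False
    if any(due > today for due in card.post_dated_payments):
        # A future post-dated payment still needs the card.
        return False
    # Retention period elapsed (assumption: the boundary day counts as elapsed).
    return today - card.last_authorized >= timedelta(days=retention_days)


def end_of_day(cards: List[StoredCard], schedule: str, today: date,
               retention_days: int = 0) -> Tuple[List[str], List[str]]:
    """Return (kept_ids, shredded_ids) for one end-of-day run."""
    kept, shredded = [], []
    for card in cards:
        target = shredded if should_shred(card, schedule, today, retention_days) else kept
        target.append(card.card_id)
    return kept, shredded


# Constructed sample records (not real data).
TODAY = date(2024, 6, 30)
SAMPLE_CARDS = [
    StoredCard("recent", date(2024, 6, 20)),
    StoredCard("expired", date(2024, 1, 15)),
    StoredCard("post-dated", date(2024, 1, 15), post_dated_payments=[date(2024, 8, 1)]),
    StoredCard("permanent", date(2023, 1, 1), retain_permanently=True),
]

if __name__ == "__main__":
    for schedule in ("C", "D"):
        kept, shredded = end_of_day(SAMPLE_CARDS, schedule, TODAY, retention_days=30)
        print(f"Schedule {schedule}: kept={kept} shredded={shredded}")
```

Under schedule 'D' with a 30-day retention period only the "expired" card is shredded; under schedule 'C' every card is shredded at settlement.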