Trustwave PCI Compliance Questionnaire

Overview: What are we talking about?

Once you've signed up through Gingr to accept credit cards, you'll receive a notification from our parent processor, CardConnect, that you need to complete your PCI compliance questionnaire and scan - or at least you should, but ultimately it is your responsibility as the business owner to complete this information.

PCI is the Payment Card Industry Data Security Standard (aka PCI-DSS) and it is a guideline for how you accept, transmit, and store credit card information from your customers. Luckily, Gingr has made this process fairly easy for you to remain compliant through our secure tokenization of customer card data. You never have your customers' card information and all transactions are immediately encrypted with the first swipe of their card. Nowhere in the Gingr remote databases nor on your computer locally is that card information stored. All card info is stored through CardConnect's secure, Level I PCI-compliant data centers and when Gingr calls up that info so you can keep "cards on file" the transmission is tokenized where a token representing that customer's info is pulled back. The token represents the customer's info, but does not contain the specific card information.

So as long as you follow a few basic procedures, you will have no issue with maintaining your compliance. Our goal in this guide is to show you how to be compliant and how not to spend the extra money each month. 

Helpful Hints: Before you begin.

• The Trustwave online questionnaire can be found here: https://pci.trustwave.com/cardconnect.
  
  
• Being compliant will save you money - CardConnect will charge you $3.50 per month if you remain compliant, but non-compliance will cost you $19.95 per month. 
  
  
• In this guide, we will show you the way you need to answer the questionnaire to get Trustwave's stamp of approval and be deemed to be compliant.
  
  
• We cannot enforce your compliance and we cannot, nor are we suggesting that we will, ensure your compliance by following these instructions. 
  
  
• These instructions will show you how you should be answering if you are to be considered compliant. You need to put the answers from this questionnaire into practice if you are truly to be considered compliant. 
  
  
• We are not suggesting that you should answer these questions untruthfully just to avoid the monthly fee. If you cannot abide by the terms of the questionnaire, you might need to pay the added monthly expense of non-compliance until you can truthfully answer in a way that gives you a compliant score.

How to: Complete the Trustwave PCI Compliance Questionnaire.

Getting Started:

1. First go to CardConnect MerchantCenter to start the process:  https://gingr.cardconnect.com/account/login#/login
   
   
   
   
   If you don't have a MerchantCenter account, now's your chance to sign up. There's a lot of useful account info here like transaction reports, on-demand statements, equipment, and documentation.
   
   
   
2. Once logged into the MerchantCenter, select My Account from the top menu bar:
   
   
   
   and right at the top of the page, you'll see your PCI status:
   
   
   
   
   
3. Copy your Merchant ID as you will need that in a bit, and click the circled "Learn how to get compliant" link to take you to the CardConnect/Trustwave Portal, or you can get there directly via https://pci.trustwave.com/cardconnect.
   
   
   Click the Get Started button to move forward if this is your first time on the site. Once you register, you can use the Login link to check on the status of your account.
   
   
   
4. Once in Trustwave site, you'll need to fill out some basic info about your business. You should have copied your MID at the beginning of step 3 to use here.
   
   
   
5. Most Gingr users will be primarily accepting payment in person:
   
   
   
   
6. You will then be selecting Internet as way you connect your system to process credit cards.
   
   
   
   
7. Then choose Virtual Terminal as the type of Point of Sale device you use.
   
   
   
   
8. After selecting Virtual Terminal, and clicking continue, a pop up window will appear. This is what your answers will look like if you are compliant.
   
   
   
   
9. With the profile set, we now set up the scan. For the most part, Gingr users will be considered Retail for the Industry Type.You do have a relationship with one or more service providers, but there is only one acquirer.
   
   
   
   
   
10. This screen should have your correct merchant ID (MID) listed (blacked out in example below):
    
    
    
    
11. Now you'll see a summary of your answers so far:
    
    
    
    
12. At this point you'll need to enter a Product or Vendor. Type in "CardConnect" under Product or Vendor and choose the second option from the drop down. And then choose the most recent Version of the software. Click Save.
    
    
    
    
    
13. We're looking for the green square under severity, indicating this is a known commodity with a strong data safety record:
    
    
    
    
14. Now we need to add a scan location:
    
    
    
    And we will choose E-Commerce Web Site:
    
    
    
    
15. Then enter fts.cardconnect.com in item 1. to scan the CardConnect network and answer questions 2. and 3. as follows:
    
    
    
    
    
16. After submitting, choose Scan Now.
    
    
    

The Questionnaire

Now the questionnaire begins (and you thought you must be just about done!).  Don't worry, most of these answers are common sense and go pretty quickly

There's not much explanation to be done for the following answers, as they all ascribe the greatest level of security and level of protection to your customer's credit card data. The answers are somewhat leading when you take the perspective of which answer give the greatest protection - and again, these answer are how you should respond if you are to be considered compliant, but answering them in this manner will only allow you to avoid paying a non-compliance fee - you must put them into practice to be considered truly compliant:


Card Data Storage & Processing









Internet and Network Security

Secure Communications








Device & Computer Security

Secure Management and Monitoring





















Physical Security













Security Policies














Whoo hoo - just about there!!!

At this point you can go through and review a summary of all your answers if you wish by clicking on the Sections Completed:



If you answered any questions incorrectly (a non-compliant answer), the section will not have a check box. You can click on those sections, and review the incorrect answers and change your answers if needed.


Once all sections have been completed, you can now click the Acknowledge & Submit button. Confirm that all questions answered are valid and electronically sign the document:




At this point you have completed all that you can do. You'll still be waiting for the scan to run, and you will be alerted by email that the scan has completed and that you are either compliant or not. You will generally receive the scan email within a few hours of completing the questionnaire.

Congratulations! You gutted it out and completed that sucker - and the good news is that you only have to do it once a year!  A compliant score will keep your costs down, and by actually implementing the steps required to receive that compliant score, you can sleep well knowing you are taking good care of your customers' credit card data. Security breeches from hackers are all too common these days, so we strongly encourage you to follow the PCI-DSS to ensure that you and your customers are not another one of the victims we seem to read and hear about almost daily in the news.