Once you've signed up through Gingr to accept credit cards, you'll receive a notification from our parent processor, CardConnect, that you need to complete your PCI compliance questionnaire and scan (or at least you should receive one; ultimately it is your responsibility as the business owner to complete this information). PCI is the Payment Card Industry Data Security Standard (aka PCI-DSS), and it is a guideline for how you accept, transmit, and store credit card information from your customers. Luckily, Gingr has made it fairly easy for you to remain compliant through our secure tokenization of customer card data. You never have your customers' card information, and all transactions are encrypted immediately when their card is first swiped. That card information is stored neither in Gingr's remote databases nor locally on your computer. All card info is stored in CardConnect's secure, Level 1 PCI-compliant data centers, and when Gingr calls up that info so you can keep "cards on file," the transmission is tokenized: a token representing that customer's info is pulled back. The token represents the customer's info but does not contain the specific card information. So as long as you follow a few basic procedures, you will have no issue maintaining your compliance.
The Trustwave online questionnaire, which you access for the first time here: https://pci.trustwave.com/cardconnect, is reasonably straightforward, but it has a few places that will likely leave you scratching your head wondering what to do, which is why we created this step-by-step guide for you.
BIG DISCLAIMER - PLEASE READ
PCI-DSS is a guideline for how you operate to ensure the safety and security of your customers' credit card data. The Trustwave questionnaire is a best-effort attempt to ensure that you follow these guidelines, and it leads you, quite forcefully, to only one or two answers that will allow you to be considered compliant. Being compliant will save you money: CardConnect will charge you $3.50 per month if you remain compliant, but non-compliance will cost you $19.95 per month. Our goal in this guide is to show you how to be compliant and how not to spend the extra money each month. We will show you the way you need to answer the questionnaire to get Trustwave's stamp of approval and be deemed compliant. However, we cannot enforce your compliance, and we cannot, nor are we suggesting that we will, ensure your compliance by your following these instructions. These instructions show how you should be answering if you are to be considered compliant. You need to put the answers from this questionnaire into practice if you are truly to be considered compliant. We are not suggesting that you should answer these questions untruthfully just to avoid the monthly fee. If you cannot abide by the terms of the questionnaire, you might need to pay the added monthly expense of non-compliance until you can truthfully answer in a way that gives you a compliant score.
OK then, let's get started:
1. First go to CardConnect MerchantCenter to start the process: https://gingr.cardconnect.com/account/login#/login
If you don't have a MerchantCenter account, now's your chance to sign up. There's a lot of useful account info here like transaction reports, on-demand statements, equipment, and documentation.
2. Once logged into the MerchantCenter, select My Account from the top menu bar:
and right at the top of the page, you'll see your PCI status:
3. Copy your Merchant ID as you will need that in a bit (it's blacked out here, but will be visible when you log in) and click the circled "Learn how to get compliant" link to take you to the CardConnect/Trustwave Portal, or you can get there directly via https://pci.trustwave.com/cardconnect:
You can learn a bit by watching the video, and then click the Get Started button to move forward if this is your first time on the site. Once you register, you can use the Login link to check on the status of your account.
4. Once in the Trustwave site, you'll need to fill out some basic info about your business. You should have copied your MID at the beginning of step 3, and now you can paste it in here:
5. Most Gingr users will be primarily accepting payment in person:
6. You will then select Internet as the way you connect your system to process credit cards. Then choose Virtual Terminal as the type of Point of Sale device you use.
7. After selecting Virtual Terminal, a pop up window will appear:
As a reminder, we are telling you how you need to answer these questions in order to be "compliant" per the confines of the questionnaire. You must follow up and be sure you actually put these practices into place in order to be truly compliant.
8. With the profile set, we now set up the scan:
9. For the most part, Gingr users will be considered Retail for the Industry Type:
10. You do have a relationship with one or more service providers, but there is only one acquirer:
11. This screen should have your correct merchant ID (MID) listed (blacked out in example below):
12. Now you'll see a summary of your answers so far:
13. At this point you'll need to enter a Product or Vendor. Type in CardConnect and choose the first option from the drop-down:
And choose the most recent version of the software:
14. We're looking for the green square under severity, indicating this is a known commodity with a strong data safety record:
15. Now we need to add a scan location:
And we will choose E-Commerce Web Site:
Then enter fts.cardconnect.com in item 1 to scan the CardConnect network, and answer questions 2 and 3 as follows:
After submitting, choose Scan Now:
16. Now the questionnaire begins (and you thought you must be just about done!). Don't worry, most of these answers are common sense and go pretty quickly:
17. There's not much explanation needed for the following answers, as they all ascribe the greatest level of security and protection to your customers' credit card data. The answers are somewhat leading once you take the perspective of which answer gives the greatest protection. Again, these answers are how you should respond if you are to be considered compliant, but answering them in this manner will only allow you to avoid paying a non-compliance fee; you must put them into practice to be considered truly compliant:
Internet and Network Security
Device & Computer Security
Secure Management and Monitoring
Whoo hoo - just about there!!!
18. At this point you can go through and review a summary of all your answers if you wish by clicking on the Sections Completed:
19. If you answered any questions incorrectly (a non-compliant answer), the section will not have a check box, and you can click on those answers and change them to the ones that will give you a compliant score:
20. Once all sections have been completed, you can now click the Acknowledge & Submit button.
21. Confirm that all questions answered are valid and electronically sign the document:
22. At this point you have completed all that you can do. You'll still be waiting for the scan to run, and you will be alerted by email that the scan has completed and whether you are compliant or not. You will generally receive the scan email within a few hours of completing the questionnaire.
23. Congratulations! You gutted it out and completed that sucker, and the good news is that you only have to do it once a year! A compliant score will keep your costs down, and by actually implementing the steps required to receive that compliant score, you can sleep well knowing you are taking good care of your customers' credit card data. Security breaches by hackers are all too common these days, so we strongly encourage you to follow the PCI-DSS to ensure that you and your customers are not another one of the victims we seem to read and hear about almost daily in the news.