SAQ D
As part of PCI-DSS requirements, you may be required to fill out a 12-section PCI-DSS SAQ (Self-Assessment Questionnaire). If credit cards are retained as part of doing business, you must fill out SAQ D. SAQ D includes many detailed questions about our application and how it is used. The PA-DSS versions of Fore! Reservations comply with the questions that apply to the application. Unfortunately, the questions intermix company policy with software features, so we can't simply tell you to answer yes to each one, since we don't know your policy.
To help you navigate this questionnaire, we will attempt to explain how the PA-DSS-compliant versions of Fore! Reservations address each question that applies. However, your answers may differ for your situation based on other tools you use or how you use Fore! Reservations. We are not Qualified Security Assessors (QSAs) and recommend you consult your credit card processor (ETS, MPS, etc.) if you have further questions.
3.1 - Fore! Reservations gives you tools that help you manage your retention policy. It is up to you to develop a policy and configure Fore! Reservations to match this policy. By default, no credit cards are retained. It is up to you to determine if this restriction should be loosened (See Credit Card Retention in Implementation Guide).
3.2 - Fore! Reservations handles these requirements when credit card numbers are entered in the credit card fields.
3.3 - Fore! Reservations can be configured to allow employees with a specific need to know to view full credit cards. By default, no employee has this right. It is up to you to identify which employees, if any, are given this privilege (See User-Level Cardholder Data Access in Implementation Guide).
3.4 through 3.6 - Fore! Reservations handles these as long as the supported magnetic swipe readers are used and credit card numbers are ONLY entered in the credit card fields.
4.1 - Fore! Reservations interfaces with ETS and MPS. Our part of the communications is compliant and they address their end as part of their Gateway compliance. Otherwise, this question does not apply to Fore! Reservations.
6.3 through 6.4 - Fore! Reservations PA-DSS product development complies with these requirements.
6.5 through 6.6 - These deal with web applications; the Fore! Reservations PA-DSS product is not a web application.
10.2 through 10.3 - Fore! Reservations creates, manages and protects the required PA-DSS audit trails and logs within the application. By default, no user can view these logs. It is up to you to define who can see the logs and when to monitor them (see Fore! Reservations Log Tables in Implementation Guide). It is also your responsibility to archive and back up your database, which includes these logs. However, we cannot address audit trails and logs outside of Fore! Reservations, such as network and operating system logs.
All other points don't directly apply to Fore! Reservations.
In addition to this information, I would reach out to your credit card processor. If you use Mercury Payment Systems, contact Graham Daugherty at 970-335-4892. For ETS please call Hadi Akkad at 800-834-7790 x205.
Perhaps the best solution is to contact a QSA (Qualified Security Assessor). This is a vendor who is authorized by the PCI Council to do security scans and audits. We have used 403 Labs to do some of our audits. While we have no formal agreement with them, they usually give our customers preferred pricing on their services. I think that they can assist you with filling out the PCI questionnaire, performing your required network scan or both. Again, I do not know the exact price, but it is usually worth every penny to get some professional help at navigating this difficult subject. You can call Brad Lutgen at 403 Labs at 877-403-5227.