SAQ A, C, D or None?


bosn
04-07-2008, 08:12 PM
I have searched with nothing really answering my specific need, so here it goes.

Scenario: Small time eCommerce shopping cart on shared hosting. Once products are selected by the customer, s/he is taken to a secure, PCI compliant third party web site to enter CC number, address, etc. No CC data is stored, processed or transmitted by the merchant. This scenario doesn't even meet the requirements for PCI at all, since CC data is stored, processed, and transmitted by a PCI compliant third party? Right?

But, now the merchant accesses the web based (secure) Portal for this PCI compliant gateway to see his sales account info. PCI still not required since no Credit Card number is ever displayed back to the merchant. Right?

But, the merchant now needs to manually enter a CC number for a sale taken over the phone into the Virtual Terminal. S/he is on a small SOHO intranet with one or two computers, no servers, etc., only the router and cable modem. Now we have transmitted? Yes or no?

If yes, which SAQ? A? C? Or, heaven forbid, D?

Do I need to scan the SOHO network quarterly?

Your responses are greatly appreciated.

lyalc
04-08-2008, 12:02 AM
According to https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
you fit the SAQ C category, for the ecommerce site, and hand entered payments.

lyalc

bosn
04-08-2008, 05:56 PM
According to https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
you fit the SAQ C category, for the ecommerce site, and hand entered payments.

lyalc

Thank you. Just to clarify, the payment application system is not on the merchant's computer in his Small Office/Home Office (SOHO). It is auth.net.

I am assuming that if no wireless is used in the SOHO, those requirements are N/A; I see no way to document N/A.

By the way, very good site, with lots of good reading, yes I actually have been hunting for answers before asking.

Thanks