Question Clarification
Hi,
I have a very small beauty salon and I use an Ingenico 5100 PED. Every transaction is face to face in the shop so there's no internet, email or telephone transactions.
This is my first attempt at a SAQ B and I don't understand the questions in Part 2c (Transaction Processing) of the Attestation of Compliance SAQ B.
What do I write after 'Payment Application in use:' do I write PED or Ingenico 5100?
What about 'Payment Application Version'? I have no idea what this question is asking for!:o
Thanks in anticipation,
Jane
rx.jeff
04-29-2009, 10:00 AM
Hi Jane
When you mentioned that "Every transaction is face to face...", I'm going to assume that you have a swipe terminal that customers give you a credit card to swipe and you ask them to sign their receipts? I would venture a strong guess that your terminal has an attached RJ11 jack (i.e. a telephone cord) that processes each cc transaction, so your assertion that "there's no internet, email or telephone transactions" is INCORRECT. Quick research on what an "Ingenico 5100" is turns up a spec stating that its "V34 modem provides fast transaction times (33,600 bps)", which further strengthens my guess...
How do you figure that your customers' credit cards are being authorized if there are no "internet or telephone transactions?" ;)
Not knocking you... just informing you...
When you mentioned that "Every transaction is face to face...", I'm going to assume that you have a swipe terminal that customers give you a credit card to swipe and you ask them to sign their receipts?
No, the Ingenico 5100 is a PED.
I would venture a strong guess that your terminal has an attached RJ11 jack (ie. a telephone cord) that processes each cc transaction so your assertion that "there's no internet, email or telephone transactions" is INCORRECT.
Yes, I didn't explain properly. The PED is connected to the telephone line. What I was trying to say is that no credit card details are sent to me via internet, email or telephone ;)
Thanks
Jane
rx.jeff
04-30-2009, 01:25 PM
No, the Ingenico 5100 is a PED.
Yes, I didn't explain properly. The PED is connected to the telephone line. What I was trying to say is that no credit card details are sent to me via internet, email or telephone;)
Thanks
Jane
Thanks for the clarification... To answer your original question and others can chime in if I'm off base:
1) In part 2c, you would enter "Ingenico 5100" (it matters not whether you enter "PED" or not, as it is a PIN entry capable device)...
2) Payment Application Version would most likely refer to the firmware version on the Ingenico 5100 that you have, which you can probably tell either from the outside labels or from your manuals. The quickest way to find out would probably be a quick call to their Tech Support to ask them directly what it is or how you would be able to find out - which in most cases can be done by powering the device off and then on and watching for any flash of firmware version numbers.
jbhall56
10-29-2009, 03:05 AM
If you still have the Instruction Manual or User Guide for your terminal, there is usually an administrative function that will display or print out all of the configuration information for the device.
egrenier
11-02-2009, 01:01 PM
I don't see how you could consider a PED a payment application.
In Jane's case it looks like she only does card-present transactions on an independent PED. A payment application would be software running on her POS that receives CHD and processes a transaction.
IMHO, she can put N/A under the payment application section...
I could be wrong though!
jbhall56
11-02-2009, 05:26 PM
Here's the problem: the software that runs on the terminal is in scope for PCI DSS and, technically, should also be PA-DSS certified. However, for whatever reason, no one is doing that yet.
The reason I know this is the fact that I am in the middle of a couple of projects where we have found that the payment terminals are storing PANs unencrypted until the end-of-day process is run. Anyone that has administrative access to these terminals (just about anyone) has access to the PANs. There is limited logging done, so we have a compliance issue there as well.
These terminals are PCI PTS (formerly PED) certified, but that only deals with the entry of PINs, not the storage of PANs. Storage of PANs is addressed by the PA-DSS and the PCI DSS, not the PTS.
egrenier
11-03-2009, 07:37 AM
Well, the PA-DSS states the following:
Hardware terminals with resident payment applications (also called dumb POS terminals or standalone POS terminals) do not need to undergo a PA-DSS review if all of the following are true:
The terminal has no connections to any of the merchant’s systems or networks;
The terminal connects only to the acquirer or processor;
The payment application vendor provides secure remote 1) updates, 2) troubleshooting, 3) access and 4) maintenance; and
The following are never stored after authorization: the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip, or elsewhere), card-validation code or value (three- or four-digit number printed on front or back of payment card), PIN or encrypted PIN block.
So the PCI-SSC seems to differentiate a payment application from a "resident" payment application.