Data security and customer privacy are crucial to every online business, and protecting your customers' payment card data is an especially important part of that. In 2006, American Express, Discover, JCB International, MasterCard, and Visa Inc. created the Payment Card Industry Security Standards Council (PCI SSC) to help achieve this goal. Together, these five card brands publish the PCI Data Security Standard (PCI DSS), an information security standard for any organization that stores, processes, or transmits cardholder data, or whose systems can affect the security of that data. The standard is mandated by the card brands and administered by the PCI SSC.
- PCI Self-Assessment Questionnaires
- Your Responsibility
- FAQs About the SAQ Process
- How to Use SecurityMetrics
- Starting Your SAQ
- Completing Your SAQ
PCI Self-Assessment Questionnaires
The PCI Self-Assessment Questionnaires (SAQs) are tools designed to assist retailers in validating and reporting their PCI DSS self-assessment. All retailers are required to complete a PCI SAQ. If you are becoming a Bolt retailer, Bolt is asking that you complete an SAQ as a part of your onboarding process within one month of launch. If you are an existing Bolt retailer, Bolt is requesting that you complete an SAQ annually, with your first SAQ completed before June 30, 2020.
This process is a crucial improvement for Bolt and our retailers, but we recognize that it may be an additional burden. To make the process as pain-free, easy, and transparent as possible, Bolt has partnered with SecurityMetrics, a Qualified Security Assessor (QSA). QSAs are independent security firms qualified by the PCI Security Standards Council to validate an entity's adherence to the PCI DSS. SecurityMetrics can help you choose the right SAQ and support you through the process.
The SecurityMetrics portal presents the SAQ as a series of yes-or-no questions covering the PCI DSS requirements that apply to you. How you capture, handle, and store card data determines which SAQ type is appropriate: for example, an e-commerce merchant whose own site never receives cardholder data because payment capture is fully outsourced to a PCI DSS compliant third party may qualify for the short SAQ A, while a merchant that hosts any part of the payment page itself typically falls under the longer SAQ A-EP or SAQ D. The SecurityMetrics process walks you through these questions so that the correct SAQ is selected for your business. You can read more about the SAQ types on the PCI website.
Covering your Costs:
- For New Retailers — Bolt will cover the SAQ fee, and the ongoing annual renewal fees charged by SecurityMetrics. If you’d like to purchase additional products from SecurityMetrics, you’ll be responsible for those fees. Bolt has negotiated a 20% discount for Bolt retailers for all additional SecurityMetrics services.
- For Existing Retailers — We know we’re asking you to take an extra step. In addition to covering the SecurityMetrics fee for the SAQ, Bolt is providing a free security scan, plus PCI training for one person. Bolt will also cover the cost of the ongoing annual renewal fee. If you’d like to purchase additional products from SecurityMetrics, you’ll be responsible for those fees. Bolt has negotiated a 20% discount for Bolt retailers for all additional SecurityMetrics services.
Your Responsibility
While Bolt itself follows PCI compliance procedures and securely stores and processes card data, this does not automatically fulfill your own PCI compliance requirements. Bolt cannot take responsibility for a retailer’s compliance, because PCI DSS requires each party in the payment chain to be responsible for its own compliance. Using a PCI DSS compliant service provider can reduce the scope of your assessment, but it does not remove you from it: the parts of your environment that touch the payment flow, such as the web pages that load or redirect to the checkout, remain yours to secure and attest. You are still required to complete an annual SAQ to be PCI compliant.
Caution! — Failure to complete your SAQ as required for PCI compliance can result in substantial fines and the suspension of your ability to accept credit card payments.
Note — Regarding PCI compliance, Bolt is always willing to help in any way we can. However, SecurityMetrics is a specialist PCI company and is consequently better equipped to answer specific questions about your compliance. To find the best way to contact SecurityMetrics, visit their website.
FAQs About the SAQ Process
Q: What happens if I can’t complete the SAQ before the due date?
A: Life is busy - we get that. If you can’t complete the SAQ before the designated due date, you will be responsible for a monthly penalty fee ($20 per month) for every month that the SAQ remains incomplete. If the SAQ is still not completed three months after the due date, Bolt Compliance will reach out directly to ask for an explanation and to agree on next steps.
Q: How long will it take for me to complete the SAQ?
A: By engaging with SecurityMetrics, Bolt has made this process as simple and painless as possible. Most retailers complete their SAQ within 7 days.
Q: What do I do if I need help with the SAQ?
A: SecurityMetrics will have dedicated resources to walk you through the steps. You can also contact us through your Bolt representative or via firstname.lastname@example.org and we can help.
Q: Will I need to renew the SAQ on a regular basis?
A: Yes, you will need to renew your SAQ once a year. SecurityMetrics and Bolt will provide reminders and support to help you through the process. Bolt will cover the cost of the renewal fee.
Q: What if I already completed an SAQ through a different method?
A: You will not need to complete the SAQ again, but you will need to send your completed SAQ to Bolt. You can do this by enrolling in SecurityMetrics and uploading your SAQ to the portal. If anything is missing from your previous SAQ, we’ll reach out to align on next steps.
Q: What if we are not using Bolt as the processor (using Stripe, Braintree, or another payments processor instead)?
A: Yes. You still need to complete the SAQ for the portion of your business that is processed through Bolt.
How to Use SecurityMetrics
The first thing you need to do is create an account on SecurityMetrics.
Follow these steps to create an account:
- Look for an email titled 'Action Needed: Bolt and Retailer PCI Compliance for [Company Name] at Bolt'. It will include the necessary links and starting instructions.
- Click the Sign Up button, and you'll go to the Create Account Page.
- Fill out the form using the email address that you provided to SecurityMetrics and then click the Create Account button.
- An email will be sent to you to verify the email address that you provided.
- Open the email and click the Click Here button.
Starting Your SAQ
The first stage of the process is designed to determine which kind of SAQ you need to complete. Your answers in this stage are also used to prepopulate questions on your SAQ.
- Log into the portal.
- You will be taken to your dashboard with a To Do item on the TO DO List.
- Answer each question until the Next button is highlighted in blue and then click the button.
Completing Your SAQ
Now that the correct SAQ has been ascertained, you will need to complete the SAQ itself.
Use the following steps to complete the SAQ:
- You will be taken to a summary page showing the SAQ assigned to you, and:
- A short description of your processing method.
- A display showing how much of the SAQ has been pre-completed by the processing method.
- Continue by clicking the Activate and Continue button. This action will take you to the SAQ itself.
- Each question will have a How to complete this section annotation accompanied by a short video explaining what to do.
- Continue and answer each question as it pertains to your business.
- These questions have been simplified for Bolt customers. If desired, the original PCI DSS requirement text is available for review as well.
- In some sections within the SAQ, SecurityMetrics will offer products that can help you fulfill obligations within the SAQ. It is entirely up to you whether you want to use these additional products. Please note that their cost will not be covered by Bolt.
- In some cases, one question will answer two or three sub-questions within the SAQ.
- Once a section has been completed, click the Next button to proceed to the next section.
- If you answer a question indicating that you're not fulfilling the requirement:
- The color at the top of the page will turn orange.
- You can still keep moving forward within the SAQ, but you will have to come back and address the pages that are marked in orange.
- At the end of the SAQ, there will be a notification that items need to be addressed.
- Near the end of the SAQ, you'll come to some free form questions. Follow the prompts on the screen.
- At this point, if any issues have arisen from your answers, you will need to fix the issue before moving forward. As a reminder, if you need help at any stage, please use the contact links in the SecurityMetrics portal or contact your CSM.
- Once you have fixed the issue and updated the response to the question, press the Continue button to get to the Attestation page of the SAQ.
- Click the I Agree button to finish attestation.
- You will receive notification that you are compliant.
- Click the Dashboard button. The dashboard will show that you are compliant.
- If you want, you can now click the menu button in the upper left corner and select Reports. This gives access to the list of PCI DSS reports that are available for you.