References

PCI Compliance Portal Guide: Business Profile Questions

Navigate the SecureTrust PCI Portal with Confidence: A Comprehensive Guide for Campspot Users

Introduction to PCI Compliance Process

To begin your journey towards PCI compliance, you'll need to navigate through the SecureTrust PCI Portal. Access the portal here.

Before diving into the portal, it's essential to understand that completing the PCI compliance process involves several key steps:

  1. Business Profile Completion: Provide detailed information about your business operations, payment acceptance methods, and security practices.
  2. Network Scanning: Conduct scans on your network infrastructure to identify potential vulnerabilities and ensure secure data transmission.
  3. Security Assessment: Evaluate your security measures and practices to ensure compliance with PCI standards.

To assist Campspot users specifically with completing the Business Profile section, we've compiled comprehensive guidance below. For instructions on network scanning and security assessment, refer to slides 17 and 27, respectively, in the attached document. Let's proceed to address the Business Profile FAQs.

Business Profile FAQs

Below are the questions you'll encounter while completing your Business Profile on the SecureTrust PCI Portal. For each question, we've provided guidance on selecting the appropriate response or providing necessary information.


What assessment method should be chosen?

Customer’s should select the “Guide Me” option.  


How do you accept payment cards?

This question will need to be answered by each merchant specific to the ways they accept payments. A customer should select all the ways that they accept payments at their business (face to face, online, and/or via telephone).  


Pay by Link

Can your customers make card payments via a Pay by Link solution (a secure payment link is sent to the customer to allow them to make a payment)?

This does not apply for customers using Campspot to take online payments and should be answered “No”.


How do you accept online e-commerce customer card payments?

A customer using Campspot for e-commerce payments should select the “My customers make online payments to my business via a website accessed using a web browser” and should input their unique Campspot booking link (https//www.campspot.com/book/(your park name) for their e-commerce URL.  Example:  https://www.campspot.com/book/casiniranch


Note that this does not apply to customer’s using Campspot’s Online Booking API and who have created their own e-commerce checkout experience using the Campspot API.  



E-Commerce website management

Is your entire online payments e-Commerce website fully managed, operated and maintained by a third party? This means you have completely outsourced all operations in relation to your online payments e-commerce website.

A customer using Campspot for online payments outsources their online payments e-commerce website to Campspot and should select “Yes”.


Note that this does not apply to customer’s using Campspot’s Online Booking API.


Your website shopping cart

Please select your website package or shopping card provider.

A customer should enter Campspot for this response.  To add your own, click the "Next" button without making a selection for one of the existing vendors. After entering Campspot, you will click the "next" button again.


Your outsourced e-Commerce service provider

Is your outsourced e-Commerce service provider PCI DSS compliant for the services they provide to you?

Campspot completes the SAQ A-EP type attestation of compliance annually as our e-commerce site uses iframes from CardConnect in our integration; Campspot does not not store customer credit card information and CardConnect provides the fields via this iframe for passing card holder information.  CardConnect is PCI DSS compliant and customer’s using Campspot’s integration with CardConnect can answer “Yes”.  


Is ASV scanning performed by your ecommerce website provider?

Can you verify or provide proof that your ecommerce package provider is performing ASV scanning on your website on at least a quarterly basis for the purposes of maintaining PCI DSS compliance?

Campspot does not perform ASV scanning on each customer's e-commerce site.  


Your payment gateway/processor

Please select your payment gateway/processor

Cardpointe should be entered for those merchants using Campspot and for those using CloverConnect as their merchant services provider.  Note that there is an option to “add your own” as Cardpointe does not appear in the dropdown.  


Is your payment gateway/processor PCI DSS compliant?

Can you verify or provide proof that your payment gateway/processor is PCI DSS Compliant for the services they provide to you?

Cardpointe is PCI DSS Compliant for the services they provide and this can be answered “Yes”.


How you accept your mail and telephone order customer card payments?

This will need to be answered by each customer according to how they accept payments; typically it is via phone.  


How you accept card payments via mail and telephone order

Do you fully outsource your telephone or mail ordering service including payment capture to a third party?

This will need to be answered by each customer according to how they accept payments; typically it is no.  


Transactions over the telephone

How do you accept payments over the phone?

This will need to be answered by each customer according to how they accept payments. Typically for those taking payments over the phone, it is “My Customers give their payment card number over the phone to a person in my organization or call center.”


Your telephone system call handling

Do you record calls made and received by your business?

This will need to be answered by each customer according to how they accept payments.  Typically the response is no and that calls are not recorded.


Customer Relationship Management (CRM) software setup

Do you store cardholder data in any of your CRM systems?

This will need to be answered by each customer according to how they accept payments; raw cardholder data is never stored in Campspot and therefore this can typically be answered No.  


Your employees access to data

Do any of your employees have access to any electronically stored cardholder data?

This will need to be answered by each customer according to the access their employees have; note that raw cardholder data is not stored or accessible in Campspot and therefore this can typically be answered No.



How you accept card payments

Please select all the methods that you use to accept card payments in your business

For merchants accepting card payments in Campspot via a terminal integration and from a terminal purchased from CloverConnect, the “I use an integrated/electronic Point of Sale (iPOS/ePOS) system (a POS computer system running a payment application that includes an attached or integrated card reader device)” option should be selected.


Your Point-to-Point Encryption system

Is your Point-of-Sale system a PCI SSC approved Point-to-Point Encryption (P2PE) hardware solution?

For merchants who have purchased a terminal from CloverConnect and integrated with Campspot, this response would be Yes.  


Your Point-to-Point Encryption system

Can you confirm that ALL of your payment terminals and/or POS systems use a PCI SSC validated Point2Point Encryption solution?


For merchants who have purchased a terminal from CloverConnect and integrated with Campspot, this response would be Yes.  


Your Point-to-Point Encryption implementation

Can you confirm that all controls specified in the P2PE Instruction Manual (PIM) have been implemented?

For merchants who have purchased a terminal from CloverConnect and integrated with Campspot, this response would be Yes.  


Your Point-to-Point Encryption system

Please select your P2PE solution from the list  

For merchants who have purchased a terminal from CloverConnect and integrated with Campspot, this response would be the correct selection: CardConnect, LLC - CardSecure P2PE


Your CardSecure P2PE PTS device

Please select your PCI Pin Transaction Security (PTS) device utilized within the PCI valuidated/P2PE Solution

Customers should select the device type they have purchased from CloverConnect.  


Remote access

Does anyone in your company or any third party (contractor/vendor/your processor) require remote access to your point-of-sale devices/payment application or other network components?

This will need to be answered by each customer according to how they accept payments; typically it is no.  


Your customer's payment card authentication data

Do you receive the security/validation/verification code from your customers to authorize their transactions? This is the three or four digit number located in either the signature panel of your customer's payment card or on the front of the card.

Campspot does require receipt of the security code for authorization of transactions processed in Campspot and therefore this response should be “Yes”


Your customer's payment card authentication data

Do you store the payment card security/validation/verification code in any electronic format? (e.g. databases, files, emails, scanned copies etc?)

This will need to be answered by each customer according to how they accept payments; note that raw cardholder data is not stored in Campspot and therefore this can typically be answered No. 


Do you securely destroy the payment card security/validation/verification code once the transaction has been authorized?

This will need to be answered by each customer according to how they accept payments; note that this information is not stored in Campspot when a transaction has been authorized and therefore this can typically be answered as Yes.   


Printed paper receipts and reports

Do you print, receive or have access to paper receipts or reports that contain the full payment card number?

This will need to be answered by each customer according to how they accept payments; note that the full payment card number is not included on receipts or reservation confirmations provided by Campspot and therefore this typically can be answered as No.


Other uses of card numbers

Does anyone in your organisation send or receive full card numbers via email or instant messaging?

This will need to be answered by each customer according to how they accept payments.  Customers are advised not to transmit card data in these ways.  


Does your company store, transmit or receive cardholder data electronically in any other way and for any other purpose? This could be via CD-ROM, USB drive or an internet network.

This will need to be answered by each customer according to how they accept payments; note that raw cardholder data is not stored in Campspot and therefore this can typically be answered No.


Your company policy for information security

To handle payment cards you are required by the Payment Card Industry Data Security Standard (PCI DSS) to have an Information Security Policy in place for your organization.  This must cover all relevant areas of the standard.  If you do not currently have one, we can provide you with a policy templste below.  

This will need to be answered by each customer according to their Information Security policies. If a policy does not exist, the recommended response is to implement one using the template provided.   


Password policy

Do you enforce a minimum password length of seven characters, containing both numeric and alphabetic characters, for user accounts on all POS devices, computers and systems in your business?

This will need to be answered by each customer according to their business’ computer policies; In Campspot, the user account password settings meets this requirement (with 12 characters, including a requirement of 1 upper, 1 lower case letter and 1 one number).  


Your business environment

Do you use wireless technology anywhere in your business environment?

This will need to be answered by each customer according to their business environment.  


Is virtualization technology used in your network?

This will need to be answered by each customer according to their business environment; typically the response is no.  


Is disk encryption used to protect cardholder data?

If the customer is only using Campspot to process payments, Campspot uses RSA encryption through its integration with CardConnect and therefore this can be answered Yes.  If you are storing cardholder data outside of Campspot, it is up to your business to encrypt cardholder data.  


Do you write/develop your own custom applications internally?

This will need to be answered by each customer according to their business environment; typically the response is no.  


Do you have public facing web applications in your environment?

Your booking link (e.g.www.campspot.com/book/yourparkname) is a public facing web application and therefore this should be answered “Yes”


Do you have facilities with sensitive areas (sensitive areas refers to any data center, server room or any area that houses systems that store, process or transmit cardholder data. This excludes the areas where only point of sale terminals are present, such as the cashier area in a retail store)?

This will need to be answered by each customer according to their business environment; note that raw cardholder data is not stored in Campspot.  


If you are only processing payments via Campspot, then generally this can be answered No.  


Do you permit any of your employees, contractors or vendors (particularly POS integrators or suppliers) to access systems that store cardholder data remotely?

This will need to be answered by each customer according to their business environment; note that raw cardholder data is not stored in Campspot and therefore this typically can be answered No.  



Do you use an Internal Security Assessor for your PCI DSS?

Are you validating your compliance through an Internal Security Assessor (ISA) who is certified by the Payment Card Industry Security Standards Council (PCI SSC)?

This will need to be answered by each customer individually; typically the response is no.  



Support from a PCI Qualified Security Assessor

Have you appointed a Qualified Security Assessor (QSA) to assist you in achieving, assessing and/or maintaining your compliance with the Payment Card Industry Data Security Standard (PCI DSS)?

This will need to be answered by each customer individually; typically the response is no.  



Third Party Managed System Service Providers

Do you have relationships with one or more third-party service providers that manage system components included in the scope of this assessment, for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud provider?

The response for this should be “Yes” and a customer should enter Campspot for this response.  



Other Third Party Service Providers that may impact cardholder data security

Do you have relationships with one or more third-party service providers that could impact the security of the merchant’s cardholder data environment (CDE)? For example, vendors providing support via remote access, and/or bespoke software developers.

This will need to be answered by each customer individually.  If you are only using Campspot to process payments, the answer to this question can be no.  



A summary of how and where you handle card payments

List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment (eg, retail outlets, corporate offices, data centres, call centres etc..)

This will need to be answered by each customer individually; typically this will include information on locations where the customer has terminals to take card payments or office locations where payments are taken over the phone.  


How and in what capacity does your business store, process and/or transmit cardholder data?

This will need to be answered by each customer individually; note that raw cardholder data is not stored in Campspot.  


Suggested response for customers who are only processing payments through Campspot: 


We use Campspot’s application to process cardholder data.  Campspot utiliizes CardConnect’s hosted iFrame tokenizer to process and/or transmit cardholder data.  No cardholder data is ever stored through Campspot.  



Provide a high level description of your overall business environment, applicable to your PCI DSS assessment. For example describe the type of equipment you use for card processing, storage and transmission; such as POS devices any databases and webservers, include a description as to how they connect both externally and any internal connections.

This will need to be answered by each customer individually; typically this will include a summary of any card terminals used.