
    Complete the SecurityMetrics PCI Self-Assessment and Scan

    SecurityMetrics' self-assessment guides you through the SAQ form required for PCI compliance. This should be completed soon after the account setup and resubmitted on an annual basis. The self-assessment asks questions to determine which version of the SAQ form is appropriate for your organization and answers will pre-fill the appropriate SAQ form. This will expedite and streamline the SAQ submission and help your organization manage PCI compliance. If a gap in compliance is identified, it is the responsibility of the chapter to address those issues quickly in order to avoid a non-compliance fee. For any questions or assistance regarding the PCI Compliance Program, contact SecurityMetrics' 24/7 support at 801-705-5700 or [email protected].

    The following screenshots indicate the questions that may be included in the self-assessment. Since the form adapts to your responses, you will not see all questions and may see them in a different order.

    Self-Assessment

    • StarPay is integrated into StarChapter using an iframe. Since StarChapter and StarPay are managed separately, StarPay is a third-party source relative to the StarChapter system.

    Scoping Process

    • This question refers to individuals managing the organization, and not regular members. This may include board members, committee members, and staff.

    • Most chapters and volunteer-run organizations do not have an IT department, as this is larger in scope than a website chair, director of technology, or other board members who tend to handle more technical aspects of the organization.

    • StarChapter does not store full credit card information, so this question refers to processes managed outside of StarChapter. Please note that no credit card information should be shared through email or fax and any phone messages including sensitive information should be deleted after they are reviewed.

    • This question will only be presented if the previous question was answered affirmatively. StarChapter strongly recommends selecting and following through on Option B, if this question is included in your self-assessment.

    • This will be the URL of the StarChapter system where the associated StarPay account is connected.

    • These services may result in additional charges, beyond that of your StarPay and StarChapter fees. These are optional for all organizations.

    • It is the responsibility of each organization to log in to their SecurityMetrics account and initiate quarterly vulnerability scans. Please note that failure to complete these scans may result in a non-compliance fee being assessed.

    • This would refer to software or websites written/created by your organization that are managed outside of your StarChapter system. The website associated with your StarChapter system is already included in this self-assessment.

    • This question refers to individuals managing the organization, and not regular members. This may include board members, committee members, and staff.

    • StarChapter does not store full credit card information, so this question refers to processes managed outside of StarChapter. 

    Outcome

    After all answers have been submitted, the Outcome will detail which SAQ type is appropriate for your organization, which SAQ forms will be pre-filled, and which are not applicable to your situation. Most StarChapter customers will be using the SAQ A form, since StarChapter manages credit card security and processing on our end. External processes may result in other SAQ forms being recommended. Please note that this may change year to year based on your organization's activities, processes, and evolving PCI standards.

    Scheduling a Scan

    Since StarChapter accounts are hosted on StarChapter's servers, it will not be appropriate to use your IP address for scans. Doing so may result in a positive or negative scan result, but neither will apply to your StarChapter system, which is what you are required to scan. Instead, select the option to enter the domain name. The domain name will be the web address associated with your StarChapter system. 

    © 2026 StarChapter Software LLC All rights reserved.
