
Filling out the Self-Assessment Questionnaire For Merchants Using ServiceBox and Paysafe

This guide provides a step-by-step breakdown of the Self-Assessment Questionnaire A (SAQ A) for merchants. It is designed for businesses that outsource all payment processing to a PCI DSS–validated third-party provider (such as Paysafe) and do not electronically store, process, or transmit cardholder data. 

(For the latest eligibility criteria, refer to: listings.pcisecuritystandards.org)
 

1. Eligibility Confirmation

Before beginning, verify that your business meets the following updated criteria for SAQ A eligibility:

  • Card-Not-Present Transactions Only: Your business accepts only e-commerce or mail/telephone-order transactions.
  • Outsourced Payment Processing: All payment processing is handled by a PCI DSS–validated third-party provider (e.g., Paysafe). Ensure you have the most recent Attestation of Compliance (AOC) from your provider.
  • No Electronic Cardholder Data Storage: You do not store, process, or transmit cardholder data on your systems or premises. Any cardholder data retained must exist only in paper form (e.g., printed reports or receipts) and must not be received electronically.

Confirm that your business model strictly adheres to these criteria before proceeding.

2. Gathering Required Information

Before filling out the SAQ A, collect the following:

Business Information:
  • Legal business name
  • DBA name (if applicable)
  • Full business address
  • Contact details

Third-Party Provider Information:
  • The most recent Attestation of Compliance (AOC) from Paysafe
  • Any additional compliance documentation verifying Paysafe’s PCI DSS status

Internal Policies & Procedures:
  • Up-to-date security policies and procedures related to PCI DSS requirements

IT Systems Overview:
  • Confirmation that no cardholder data is stored or processed on internal systems

3. Complete Section 1 – Merchant Information

Enter the following details accurately:
  • Merchant Name: Provide the legal name of your business.
  • DBA Name (if applicable): Enter the trade name if it differs from the legal name.
  • Business Address: Enter the full physical address.
  • Contact Person: List the name and role (e.g., CEO, Compliance Officer) of the individual responsible for PCI compliance.
  • Third-Party Provider: Specify Paysafe as your PCI DSS–compliant payment processor.

4. Section 1: Assessment Information

Part 1: Contact Information
  • Company Name: Enter your legal business name.
  • DBA (Doing Business As): Provide the trade name if applicable.
  • Company Mailing Address: Include the full address (city, state, and country).
  • Company Website: Provide the URL.
  • Contact Name & Title: Enter the full name and title (e.g., CEO, Compliance Officer) of the responsible party.
  • Contact Phone & Email: Provide a valid phone number and email address.

5. Section 2: PCI DSS Scope Information

Part 2a: Merchant Business Payment Channels

Select the applicable channels:
  • E-Commerce: ✅ (Checked in PDF)
  • Mail Order/Telephone Order: ❌ (Not applicable)
  • Card-Present Transactions: ❌ (Not applicable)

Part 2b: Role with Payment Cards

Describe your role:
  • Narrative: "Our business uses ServiceBox in conjunction with Paysafe. We do not store, process, or transmit cardholder data internally. All transactions are handled by a PCI DSS–validated third-party service provider."
  • Channel Entry: Enter “ServiceBox” where required.

Ensure this narrative is consistent throughout your SAQ.

Part 2c: Payment Card Environment Description

Provide an overview of your payment processing setup:
  • Sample Text: "Our business uses ServiceBox software integrated with Paysafe’s hosted payment solution. Transactions are securely processed via a redirect to the Paysafe system, and no cardholder data is stored, processed, or transmitted within our environment."
  • Segmentation: Select “Yes” if ServiceBox restricts internal access so that all cardholder data processing is confined to Paysafe.

Make sure this description accurately represents your setup with ServiceBox and Paysafe.

Part 2d: In-Scope Locations/Facilities

Instructions: List all physical locations relevant to PCI DSS compliance. If transactions are exclusively online, note that no physical locations are in scope.

Part 2e: PCI SSC Validated Products and Solutions

Question: “Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions?”

Answer: Yes

Details:
  • Payment Processor: Paysafe
  • Payment Solution: Hosted Payment Page (iFrame/Redirect)
  • Version Number: (If applicable)
  • Compliance: Confirm that the Paysafe solution is listed on the PCI SSC's validated applications list, if applicable.

Part 2f: Third-Party Service Providers

Answer the following:
  • Storing/processing/transmitting account data on behalf of the merchant? Answer: Yes
  • Managing system components included in the PCI DSS scope? Answer: Yes
  • Could impact the security of the CDE? Answer: No

Details:
  • Primary Payment Processor: Paysafe
  • Application: ServiceBox processes payments via the Paysafe API.

Part 2g: Summary of Assessment

For each requirement, indicate the status and provide supporting evidence or documentation:

Requirement 2 (Secure Configurations):
  • Status: ✅ In Place
  • Documentation should verify the removal of vendor default accounts and proper security configurations.

Requirement 3 (Protect Stored Account Data):
  • Status: ✅ In Place (or Not Applicable if no data is stored)
  • Provide documentation or a policy confirming that cardholder data is neither stored nor electronically processed.

Requirement 6 (Vulnerability Management):
  • 6.3.1 Vulnerability Identification: Status: ❌ Not Applicable (transactions are processed via Paysafe)
  • 6.3.3 Protection Against Known Vulnerabilities: Status: ✅ In Place. Maintain evidence that systems accessing ServiceBox are up-to-date with security patches.

Requirement 8 (Access Control):
  • 8.2.1 Unique User Identification: Status: ✅ In Place
  • 8.2.2 Restrictions on Shared/Generic IDs: Status: ✅ In Place
  • 8.2.5 Revoking Access for Terminated Users: Status: ✅ In Place

Requirement 9 (Physical Access): Status: ❌ Not Applicable (no physical cardholder data storage)

Requirement 11 (Security Testing):
  • 11.3.2.1 External Vulnerability Scans: Status: ❌ Not Applicable
  • 11.6.1 Change/Tamper Detection: Status: ❌ Not Applicable

Requirement 12 (Information Security Policy):
  • Policy Maintenance and Third-Party Management: Status: ✅ In Place. Ensure you have documentation, written agreements, and annual reviews of Paysafe’s compliance.
  • 12.3.1 Risk Analysis (for CHD): Status: ❌ Not Applicable until mandated (after March 31, 2025)

For each requirement marked “Not Applicable,” include a clear explanation in Appendix D of your SAQ to justify the response.

Part 2h: Eligibility for SAQ A

Confirm the following:
  • Only e-commerce transactions are processed.
  • All cardholder data processing is outsourced to a PCI DSS–validated third party (Paysafe).
  • No electronic storage, processing, or transmission of cardholder data occurs.
  • There is no internal access to full Primary Account Numbers (PAN).
  • No on-premises cardholder data environment exists.

Statement: "Merchant qualifies for SAQ A as all transactions are processed through a PCI DSS–validated payment gateway. No cardholder data is stored or transmitted within our environment."

6. PCI DSS Self-Assessment Questionnaire Responses

For each PCI DSS requirement, ensure that your selected response ("In Place," "Not Applicable," etc.) is fully justified with evidence or documentation. Briefly summarize the evidence and refer to supporting documentation as needed.

Requirement 2: Secure Configurations

2.2.2 Vendor Default Accounts:
  • Response: ✅ In Place
  • Explanation: Default accounts on systems used to access ServiceBox are either removed or secured according to industry best practices.

Requirement 3: Protect Stored Account Data

3.1.1 Security Policies and Procedures:
  • Response: ✅ In Place
  • Explanation: A documented policy confirms that no cardholder data is stored electronically.

3.2.1 Minimized Data Storage:
  • Response: ✅ In Place
  • Explanation: Policies are in place to minimize or eliminate the storage of cardholder data (e.g., printed receipts are secured).

Requirement 6: Vulnerability Management

6.3.1 Security Vulnerabilities Identification:
  • Response: ❌ Not Applicable
  • Explanation: Since all transactions are processed through Paysafe’s PCI DSS–validated gateway, this requirement is not applicable.

6.3.3 Protection Against Known Vulnerabilities:
  • Response: ✅ In Place
  • Explanation: Systems used to access ServiceBox are maintained with up-to-date security patches and vendor updates.

Requirement 8: Access Control Measures

8.2.1 Unique User Identification:
  • Response: ✅ In Place

8.2.2 Restrictions on Shared/Generic IDs:
  • Response: ✅ In Place

8.2.5 Revoking Access for Terminated Users:
  • Response: ✅ In Place

Requirement 11: Security Testing

11.3.2.1 External Vulnerability Scans:
  • Response: ❌ Not Applicable

11.6.1 Change/Tamper Detection for Payment Pages:
  • Response: ❌ Not Applicable

Requirement 12: Information Security Policy

12.3.1 Risk Analysis:
  • Response: ❌ Not Applicable (until required after March 31, 2025)

12.8.x Third-Party Service Provider Management:
  • Response: ✅ In Place
  • Explanation: Documentation, written agreements, and annual monitoring verify that Paysafe remains PCI DSS–compliant.

12.10.1 Incident Response Plan:
  • Response: ✅ In Place
  • Explanation: An incident response plan is documented and ready to guide actions in the event of a data breach.


7. Validation and Attestation

Part 3a: Merchant Acknowledgment

The merchant must confirm:
  • SAQ A was completed following the provided instructions.
  • All information accurately reflects the assessment results.
  • PCI DSS controls will be maintained at all times.

All checkboxes should be selected as required.

Part 3b: Merchant Attestation

The Merchant Executive Officer must complete and sign the attestation by providing:
  • Merchant Executive Officer Name: (Enter full name)
  • Title: (e.g., CEO, Owner, Compliance Officer)
  • Date: (Enter in YYYY-MM-DD format)

Example Statement: "Electronically signed by [Merchant Name] on behalf of [Business Name]."