SecureTrust: PCI Compliance Questionnaire

Bluefin is the payment processor we've partnered with to bring secure credit card transactions to PatronManager - and the SecureTrust platform is part of that security.

You might have received an email from SecureTrust informing you you're not currently PCI compliant.  It might look like spam, but it's not! SecureTrust is a packaged service with Bluefin you'll use to verify your PCI compliance on an annual basis.

Remaining PCI compliant is important for the safety and security of your patrons.  Additionally, Bluefin will charge you a PCI non-compliance fee for each month of non-compliance, and who wants more fees?

This article will cover:

  • Log in to SecureTrust
  • Create your Business Profile
  • Prepare for your PCI compliance self-assessment questionnaire (SAQ)
  • Complete your annual PCI SAQ (and understand its questions)

We'll also hit some Frequently Asked Questions (FAQs) at the end.

If you've used SecureTrust before, please note that the portal received an upgrade. You can download and watch a brief video about the updates, and we also have a PDF User Guide for you. 

When you log into the new portal for the first time, you may have to set up your Profile by following the prompts in the SecureTrust portal.

Log in to SecureTrust

Login screen

Here's a direct link:

https://portal.securetrust.com/

Don't have a SecureTrust account?

If your organization uses Bluefin, ask your colleagues - someone at your organization should be your PCI Compliance Officer and should have login credentials already.

If no one has been logging in to SecureTrust, PayConex, or Payments Insider, submit a support request via the Client Community - we'll need to help you get a new PCI Compliance Officer.

Create your Business Profile

If this is your first time logging into SecureTrust, or if some things have changed at your organization, you may be prompted to create your Business Profile.

Click Start Business Profile
Let's do it!

1. You'll get a screen explaining what this is - click Next

Next

2. Select Guide Me as your assessment method, then Next

Guide Me

3. Select all options that you use to accept credit cards, then click Next

Select all

4. Because you use Bluefin and PatronManager, select None of the above, then Next

Select None of the above

5. Because you use Bluefin with PatronManager, select No, then Next

Select No

6. Answer the prompts, then click Next

Answer

Specifically, here's some guidance to answer some of these questions:

  1. Generally, how does your business store, process and/or transmit cardholder data?: Mention using Bluefin with PatronManager
  2. Briefly describe the environment and/or systems covered by this assessment: Mention your different Bluefin devices (i.e. SREDKeys, PAX devices), your Public Ticketing Site, and your Donation Forms in PatronManager that use a Bluefin iFrame
7. Add your public site link

Add site link

To get your public site URL, use your Public Ticketing Site (PTS) URL, then remove everything after .com.

So, for example, if your PTS URL is

https://superherotheatre.my.salesforce-sites.com/ticket/#/

then for this page, enter the URL

https://superherotheatre.my.salesforce-sites.com

8. Find and select Bluefin Payment Systems

Bluefin Payment Systems

9. Find and select Salesforce.com, Inc

Salesforce.com, Inc

10. Select whether you receive hard copies with full credit card information, then Next

Answer honestly

11. Answer, then click Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

12. Select the first three options, then Next

Select the first three options

Since this is required by Bluefin's P2PE Manager, this is accurate.

13. Select Yes, then Next

Yes

Since this is required by Bluefin's P2PE Manager, this is accurate.

14. Answer how your organization works, then Next

Answer honestly

15. Answer, then Next

Answer honestly

If you're using a version of our policies and procedures template, then select No.

16. Answer, then Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

17. Answer, then Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

18. Answer, then Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

19. Select the first three options, then Next

Select the first three

If you're using a version of our policies and procedures template and Bluefin's P2PE Manager, you should be set here.

20. Answer, then click Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

21. Answer honestly, then Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

22. Answer how you train, then Next

Answer honestly

If you're using a version of our policies and procedures template, then select Yes.

23. Select Yes, then Next

Yes

Since Bluefin devices have anti-tamper features built in, select Yes.

Your Profile is set!

Click Manage

Make sure that your SAQ Type is P2PE! If it isn't, you'll need to Manage your business profile to fix it and ensure your PCI compliance is completed properly.

Checklist to prepare for your PCI compliance SAQ

The SAQ basically asks you, "Are you following safe and secure policies when processing credit cards?"  If you want your answer to be "Yes" (and you do), work through the checklist below before you even open the SAQ.

If you're not using any credit card readers, skip this section and head right to Complete your PCI compliance SAQ.

First, review workplace policies and procedures

The technologies surrounding P2PE card readers and network vulnerability scans go a long way towards PCI compliance.  However, they can't account for everything - for example, making sure to properly dispose of credit card information written down on a piece of paper.  That's why PCI compliance also requires you to answer questions about your workplace policies and procedures in an SAQ.

Don't already have a set of policies in place?  Not to worry - we've prepared a template for you.  

Review the attached document, and then make it your own!

  • Insert your organization's name where appropriate, and add job titles to assign specific responsibilities where appropriate
  • Add any relevant policies specific to the physical spaces your organization accepts credit cards in
    • e.g. "At the Alfred F. Small theatre, all credit card transactions are to be run through SREDKey device 1 or 2.  Never transport SREDKey 3 to the Alfred F. Small theatre."
  • Add any relevant policies regarding security responsibilities of specific roles in your organization
    • e.g. "The box office manager is responsible for overseeing use of the P2PE card readers at each performance.  When the box office closes for the night, the box office manager will collect all devices and transport them back to the office."

When you're done tailoring the document to your organization's needs, have all employees, and anyone else handling credit cards for your organization, sign the policy.

If you do already have a set of policies like this one in place, it's a good idea to compare yours to the template we've prepared. It's a collection of best practices, and you might find you need to change the way you and your colleagues handle credit card information - especially in the way you might keep credit cards "on file."

Review this document annually - if there have been any changes to the way you do business, or the places in which you accept credit cards, you may need to update your policies and procedures accordingly.

Then, ensure your P2PE card readers have been audited within the last year

Your P2PE card readers are designed to securely transmit credit card data from your box office to the bank, and that's a big part of staying PCI compliant.  Once a year, though, you need to take a look at your card readers to make sure they're up to snuff and haven't been tampered with.  

Before you complete your SAQ, check to make sure all of your "next audit dates" are in the future.  Once you know you have no outstanding audits to complete, you're ready to complete the SAQ!

Complete your PCI compliance self-assessment questionnaire (SAQ)

Once per year, you'll need to complete your PCI compliance self-assessment questionnaire (SAQ).  SecureTrust has an SAQ Wizard that guides you through, pointing out any non-PCI-compliant answers along the way.

Below, we'll show you how to find the survey. We'll also explain some of the questions and concepts in-depth, in case you get stumped during the SAQ.

Important reminder:

When answering questions in SecureTrust, you're basing your answers only on how you use PatronManager systems:

  • Your Bluefin P2PE card readers
  • Your PatronManager public ticketing site
  • Your PatronManager donation forms.

If you've got other merchant systems, do not consider those systems for the purposes of SecureTrust! Examples of other merchant systems include:

  • A PayPal account
  • A third-party vendor that sells your tickets
  • Your organization's bank account transactions
  • A separate donation processing system
  • Etc.
How to get to the Wizard

1. Log in to SecureTrust, then click Manage in the Complete security assessment card

Click Manage

2. Follow the prompts and answer the questions until you finish the SAQ

If you run into some tricky questions, check our SAQ explanation section below!

If, while filling out the SAQ, you're not sure how to answer a question

Some of the SAQ questions are technically and/or confusingly worded. To help you out, we've outlined some of these questions below and provided some context.

We recommend using CTRL+F to find relevant phrases - we've put a lot of information below!

Protect Cardholder Data questions

  • "Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?"
    • Select: N/A
    • Reason: Since Bluefin and PatronManager never store cardholder data, you're automatically limiting your data storage properly.
  • "Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business requirements?"
    • Select: N/A
    • Reason: You do have processes in place - that is, Bluefin and PatronManager never store cardholder data, so you don't ever need to delete it.
  • "Are there specific retention requirements for cardholder data?"
    • Select: N/A
    • Reason: Again, by using Bluefin and PatronManager, your retention requirements are inherently 'cardholder data should never be held'.
  • "Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements?"
    • Select: N/A
    • Reason: As you might have guessed, your quarterly process is that you never store cardholder data.
  • "Does all stored cardholder data meet the requirements defined in the data-retention policy?"
    • Select: N/A
    • Reason: It does meet those requirements - by virtue of not existing.
  • "For all paper storage, the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?"
    • If you're using a version of the policies and procedures template we've provided,  then you should be destroying any hard copies that contain card information after authorization.
  • "Are security policies and operational procedures for protecting stored cardholder data: (a) Documented (b) In use (c) Known to all affected parties?"
    • If you're using a version of the policies and procedures template we've provided, and disseminated it correctly amongst your staff, you've documented and circulated your policy to not store cardholder data.

Implement Strong Access Control Measures questions

Media in this section refers to all paper and electronic records containing cardholder data.

This can range from subscriber order forms, on which your patrons have written down their credit card data, to sticky notes on which someone wrote down a credit card number from a patron over the phone, to an old computer where cardholder data was kept on an Excel spreadsheet.

The list in this section refers to the list of your P2PE devices you've provided to SecureTrust via your Merchant Profile and/or this questionnaire.

  • "Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper report, and faxes)?"
    • If you do have donation or ticket order forms with credit card data in your office, are they locked up (e.g. in a filing cabinet)?
  • "Is all media destroyed when it is no longer needed for business or legal reasons?"
    • After you've entered payment information contained on a paper order form into PatronManager, do you dispose of the order forms?
  • "Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?"
    • When you dispose of order forms, do you do so via one of the methods above?  Here, they want to make sure you're not simply throwing the order forms away, or tossing them in a recycle bin.
  • "Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?"
    • If you keep a "To Shred" folder in your office, is that folder locked up (e.g. in a filing cabinet)?
  • "Do policies and procedures require that a list of such devices be maintained?"
    • Select: Yes
    • Reason: The devices they're referring to here are your Bluefin P2PE card readers.  Bluefin is pretty airtight on the security of their card readers, and requires you to register your devices on their P2PE Manager portal.  
      By virtue of using Bluefin, you have policies and procedures that require you to maintain a list of your P2PE devices.
  • "Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?"
    • Select: Yes
    • Reason: An annual inspection of your card readers is required via Bluefin's P2PE Manager, so by using Bluefin, you have these policies in place.
  • "Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?"
    • The policies and procedures template we've provided includes mandatory training for suspicious behavior and how to report it.  If you're using a version of that template, you have these policies in place.
  • "Does the list of devices include the following? (a) Make, model of device (b) Location of device (for example, the address of the site or facility where the device is located) (c) Device serial number or other method of unique identification"
    • Select: Yes
    • Reason: Again, Bluefin requires you to enter this information into P2PE Manager to even accept payments on your card readers - so yes, your list of devices does include this information.
  • "Is the list accurate and up to date?"
    • Select: Yes
    • Reason: Bluefin requires you to update your list of devices in P2PE Manager when you purchase new devices or dispose of old ones - so yes, your list of devices is up to date.
  • "Is the list of devices updated when devices are added, relocated, decommissioned, etc.?"
    • Select: Yes
    • Reason: As stated above, Bluefin requires you to update your list of devices in P2PE Manager when you purchase new devices or dispose of old ones.
  • "Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows?"
    • Select: Yes
    • Reason: An annual inspection of your card readers is required via Bluefin's P2PE Manager, so by using Bluefin, you are required to inspect your card readers.
  • "Are personnel aware of procedures for inspecting devices?"
    • The policies and procedures template we've provided includes mandatory training on how to spot potential tampering, and how to report it.  If you're using a version of that template, your personnel should be aware of what to look for.
  • "Do training materials for personnel at point-of-sale locations include the following? (a) Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. (b) Do not install, replace, or return devices without verification. (c) Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). (d) Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer)."
    • They want to make sure your personnel can tell an actual service provider for your P2PE card readers from someone trying to pose as one.
    • The policies and procedures template we've provided includes mandatory training for how to make this distinction, and how to report suspicious persons or behavior.  If you're using a version of that template, your personnel should be aware of what to look for.
  • "Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?"
    • As stated above, the policies and procedures template we've provided includes mandatory training for how to identify and report suspicious persons or behavior.  If you're using a version of that template, your personnel should be aware of what to look for.
  • "Are security policies and operational procedures for restricting physical access to cardholder data: (a) Documented (b) In use (c) Known to all affected parties?"
    • The policies and procedures template we've provided includes mandatory training for keeping unauthorized personnel away from your P2PE card readers.  If you're using a version of that template, your personnel should be aware of what to look for.

Maintain an Information Security Policy Questions

  • "Is a security policy established, published, maintained, and disseminated to all relevant personnel?"
  • "Is the security policy reviewed at least annually and updated when the environment changes?"
    • We recommend that you review your policy prior to answering this questionnaire, so it should be reviewed at least annually. You can then use the date you reviewed this policy for the Last completion date.
    • They're also asking if, when something about the way you accept credit card payments changes, you also update your policies and procedures (e.g. "At the Alfred F. Small theatre, all credit card transactions are to be run through SREDKey device 1 or 2.  Never transport SREDKey 3 to the Alfred F. Small theatre.").
  • "Do security policy and procedures clearly define information security responsibilities for all personnel?"
    • The policies and procedures template does include a baseline of security responsibilities for any personnel handling credit card payments or cardholder data.  If you have specific security responsibilities for specific roles at your organization, you should add them to your policies and procedures.
  • "Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?"
    • Is there someone at your organization responsible for dealing with any security incidents (e.g. reporting potential device tampering to Bluefin)?
  • "Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures?"
    • Have you properly disseminated your security policies and procedures, and/or had a meeting with your staff to review those policies and procedures?  When a new staff member joins your team, are they properly trained on your security policies and procedures?
  • "Is a list of service providers maintained, including a description of the service(s) provided?"
    • Select: Yes
    • By virtue of your contract with PatronManager and Bluefin, you maintain a list of service providers like the one they're referring to.
  • "Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment?"
    • Select: Yes
    • By virtue of your contract with PatronManager and Bluefin, you maintain a written agreement like the one they're referring to.
  • "Is there an established process for engaging service providers, including proper due diligence prior to engagement?"
    • Select: Yes
    • As long as you're not calling someone besides PatronManager (and by extension, Bluefin) to service your P2PE card readers, you have an established process like the one they're referring to.
  • "Is a program maintained to monitor service providers' PCI DSS compliance status at least annually?"
  • "Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?"
    • Select: Yes
    • Bluefin is responsible for:
      • Providing a P2PE solution for accepting credit card payments
      • Safe handling of cardholder data transmitted through their P2PE card readers
    • Your organization (the "entity") is responsible for:
      • Safe and secure procedures when handling credit card transactions and/or cardholder information
      • Custody and inspection of your P2PE devices
      • Reporting and responding to potential security breaches
  • "Has an incident response plan been created to be implemented in the event of a system breach?"
Once you're certified PCI compliant, you'll get an email confirmation, and your SecureTrust Home screen will have a happy green checkmark!

Home screen when PCI Compliant

Frequently Asked Questions (FAQs)

I was using Trustwave Trustkeeper - what's SecureTrust and how is it different?

SecureTrust is an upgraded interface to the old Trustkeeper; it just makes doing your job a bit easier.

You, or someone at your organization, should have received an email like this informing you of the upgrade:

If you haven't been upgraded to SecureTrust, contact them at:

We got a message saying our monthly security scan failed!  What do we do?

If you've followed along with our setup steps, you shouldn't need to do any monthly security scans.  However, if you decided (or needed) to set up monthly security scans, you may receive a message informing you the scan has failed, and you are thus no longer PCI compliant.  What to do now?

First, log into your SecureTrust account and go to the Scanning tab.  You'll see the details of the scan in Scan Results, and you can download a PDF Report.

We recommend bringing these results to your organization's IT specialist to investigate any potential weaknesses in your network security.  You may also contact SecureTrust support via your SecureTrust account - use the Contact Support button and ask for further guidance on the scan result.

When I try to complete the PCI Self-Questionnaire, I get an error saying 'an error occurred when using the PCI Wizard'.  How do I complete my questionnaire?

Instead of using the PCI Wizard when completing your PCI Self-Questionnaire, use the expert form.  For more details, follow our detailed instructions above.

I tried to set up my SecureTrust account, but got a 'Your account already exists' error message.  What now?

If you're getting a "Your account already exists" error message when setting up your SecureTrust account, it's likely you already have a SecureTrust account connected to a different payment processor.

To get around this, SecureTrust recommends you create a new account with your existing Merchant ID - but with a slightly different username (e.g. "k.johnson" instead of "kjohnson"). If this does not rectify the error, take a picture of your error message and get in touch with SecureTrust support - they'll want to see it.

Can I add additional users?

If you're not going to be the person handling PCI compliance at your organization, you probably want to hand the reins off to the person who is.  

Follow these steps to add a user to your SecureTrust account.

1. Log in to SecureTrust, then click on your profile icon and select Users

Click your Profile and select Users

2. Click Create New User

Click Create New User

3. Fill in the details of the new user in the popup, and click Submit when you're done

Fill in details and click Submit