Revel Advantage XT How to answer PCI Questions

RELEASED June 2024...  Before you start your business profile...  Read this:

PCI-DSS compliance is mandatory for all merchants processing credit card transactions. This guide will navigate you through the first step of your compliance journey - determining your SAQ type through the merchant profile questionnaire.

The question path changes depending on various factors, such as how you accept payment cards, what gateway and/or encryption technology is in place, and what payment devices are used. Because of this, the guide is separated into questions that may or may not be presented depending on those factors.

Remember that the questionnaire can be paused with answers saved or re-submitted anytime.

For your convenience you will find a list of questions below - click on any one of the questions to jump to the corresponding explanation and guidance on the correct answer for your business.

Some questions have fixed, predefined answers for Revel Systems users, and some will vary depending on the nature of your business.

If you have any additional questions or concerns, please do not hesitate to contact risk-payments@revelsystems.com.

YOUR PROFILE

PLEASE READ: PCI DSS 4.0 UPDATE

  • I understand

CHOOSE AN ASSESSMENT METHOD

  • Guide Me - Select this option to use our profiling tool to help you determine the scope of your PCI DSS compliance requirements and to complete your PCI DSS assessment.

HOW DO YOU ACCEPT PAYMENT CARDS?

  • Face to face (the customer is present and the payment card is inserted, tapped or swiped to complete the transaction. This includes unattended kiosks.)
  • Online payments (incl. e-Commerce website/shop, consumer mobile app, Secure payment links / Pay By Link)

HOW DO YOU ACCEPT ONLINE E-COMMERCE CUSTOMER CARD PAYMENTS?

  • My customers make online payments to my business via a website accessed using a web browser

YOUR PAYMENT SOFTWARE PROVIDER

  • Type in: Revel Systems

HOW YOU ACCEPT CARD PAYMENTS

  • I use a counter-top Point of Sale (POS) terminal to accept face to face payments

PAYMENT TERMINALS IN USE

  • Ingenico Lane/3000 6.x 4-30414
  • Ingenico Lane/3000, Desk/1500 5.x 4-30310

REMOTE ACCESS

Does anyone in your company or any third party (contractor/vendor/your processor) require remote access to your point-of-sale devices/payment application or other network components?
  • No

PRINTED PAPER RECEIPTS AND REPORTS

Do you print, receive or have access to paper receipts or reports that contain the full payment card number?
  • No

OTHER USES OF CARD NUMBERS

Does anyone in your organisation send or receive full card numbers via email or instant messaging?
  • No
Does your company otherwise store, transmit or receive cardholder data electronically in any other way and for any other purpose? This could be via removable electronic media, such as USB flash drives, memory cards or DVDs, or an internet network.
  • No

THIRD PARTY MANAGED SYSTEM SERVICE PROVIDERS

Do you have relationships with one or more third-party service providers that manage system components included in the scope of this assessment, for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud provider?
  • Yes

MANAGED SYSTEM COMPONENT PROVIDERS

Your service providers. You can add a new one or remove if the existing one is incorrect.

OTHER THIRD PARTY SERVICE PROVIDERS THAT MAY IMPACT CARDHOLDER DATA SECURITY

Do you have relationships with one or more third-party service providers that could impact the security of the merchant’s cardholder data environment (CDE)? For example, vendors providing support via remote access, and/or bespoke software developers.
  • No

DO YOU USE AN INTERNAL SECURITY ASSESSOR FOR YOUR PCI DSS?

Are you validating your compliance through an Internal Security Assessor (ISA) who is certified by the Payment Card Industry Security Standards Council (PCI SSC)?
  • No

SUPPORT FROM A PCI QUALIFIED SECURITY ASSESSOR

Have you appointed a Qualified Security Assessor (QSA) to assist you in achieving, assessing and/or maintaining your compliance with the Payment Card Industry Data Security Standard (PCI DSS)?
  • No

YOUR COMPANY POLICY FOR INFORMATION SECURITY

I already have an Information Security Policy in place that covers ALL of the relevant clauses of the Payment Card Industry Data Security Standard (PCI DSS)

A SUMMARY OF HOW AND WHERE YOU HANDLE CARD PAYMENTS

List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment (e.g., retail outlets, corporate offices, data centres, call centres, etc.)
  • I own a Breakfast Restaurant that has a retail storefront on a public street
How and in what capacity does your business store, process and/or transmit cardholder data?
  • Through an Ingenico Lane 3000 provided by our Revel point of sale system
Provide a high level description of your overall business environment, applicable to your PCI DSS assessment. For example, describe the type of equipment you use for card processing, storage and transmission, such as POS devices, any databases and webservers. Include a description as to how they connect, both externally and any internal connections.
  • Customers tap or insert their card into the Ingenico Lane 3000 device

***Below is from Revel Support, but the above is pretty straightforward as you fill it out...

 

Contents

  • Starting the questionnaire
  • Questions for all Revel Advantage XT merchants
    • How do you accept payment cards?
    • How do you accept online e-commerce customer card payments?
    • Your payment software provider
    • How you accept card payments
    • Payment terminals in use
    • Use of wireless networks
    • Remote access
    • Printed paper receipts and reports
    • Other use of card numbers
    • Third-party managed system service providers
    • Managed system component providers
    • Other third-party service providers that may impact cardholder data security
    • Password policy
    • Do you use an internal security assessor for your PCI DSS?
    • Support from a PCI-qualified security assessor
    • List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment
    • How and in what capacity does your business store, process, and/or transmit cardholder data?
    • Provide a high-level description of your overall business environment, applicable to your PCI DSS assessment

Starting the questionnaire

To begin your merchant profile questionnaire, click the Start business profile button.

Check the I understand box and click Next on this screen to continue.

  • If your payment processing account has been boarded recently, or you have previously completed PCI compliance via Saferpayments, choose the first option.
  • If you already have a valid AOC, please choose the second option.

Questions for all Revel Advantage XT merchants

How do you accept payment cards?

  • Face-to-face should be selected by all merchants taking in-store payments, except in cases where the merchant processing account is e-commerce only.
  • Online payments should only be selected if:
    • The profiled merchant processing account is using Revel Online Ordering.
    • The profiled merchant processing account is e-commerce only.
  • Mail or telephone orders should only be selected if you are taking credit card payments over the phone.

How do you accept online e-commerce customer card payments?

  • Choose the first option if you are using Revel Online Ordering XT, Revel Smart Pay, or another e-commerce payment tool that works via a web browser.
  • Choose the second option if you have a phone application for taking online payments.

Your payment software provider

Click “add your own”.

Type in “Revel Systems” in the additional text box and click Next.

How you accept card payments

  • Choose “I use a countertop Point of Sale” if you are using a wired card swipe. Models include:
    • Lane 3000
    • Lane 3600
    • iPP350
  • Choose “I use an integrated device” if you are using a wireless card swipe. Models include:
    • ISMP4
    • Lane 2500
    • Moby 5500
  • Choose “I use the browser-based Merchant Dashboard or Portal” if you use the Revel Merchant Portal to process telephone orders.
  • Choose “I use a browser-based payment page accessed via my Partner’s software platform” if you process manual transactions on the POS (entering full card information on the POS screen).

Payment terminals in use

Select the payment terminal models that you are using in your establishment. The only payment terminals Revel merchants can use are:

  • Ingenico iPP350
  • Ingenico ISMP4
  • Ingenico Lane 3000
  • Ingenico Link 2500
  • Ingenico Moby 5500
  • Ingenico Lane 3600

Use of wireless networks

  • Choose No because Revel Systems does not sell card swipes that could be used with a SIM card.

Remote access

The answer is No as Revel cannot access any Cardholder Data Environment (CDE) nor does the platform allow you to access this data.

Printed paper receipts and reports

Choose No as merchants processing with Revel Advantage cannot view full card numbers.

Other use of card numbers

For both questions, merchants should operate in such a way that the answer is always No by default.

Third-party managed system service providers

Choose Yes, as Revel Systems is a SaaS provider.

Managed system component providers

Please include all third parties that are involved in the management of your system components. Revel Systems should be the default answer.

Other third-party service providers that may impact cardholder data security

Revel Advantage does not allow merchants to view or otherwise interact with sensitive parts of the CDE, so the answer should be No unless you are using a third-party e-commerce platform that does have access to sensitive information. In that case, please consult your third-party vendor about their level of access to the CDE.

Password policy

Merchants should operate in such a way that the answer is always Yes by default.

Do you use an internal security assessor for your PCI DSS?

Choose the answer that applies to your business. Revel Systems is not an ISA. The most common answer is No unless you are using a third party.

Support from a PCI-qualified security assessor

Choose the answer that applies to your business. Revel Systems is not a QSA. The most common answer is No unless you are using a third party.

List your business premises type(s) and a summary of locations that are relevant to your PCI DSS assessment

Describe your business vertical type and location where card payments are taken. Examples:

  • I own a pizza shop that has a retail storefront on a public street.
  • I own a bakery kiosk inside a mall.

How and in what capacity does your business store, process, and/or transmit cardholder data?

Merchants should operate in such a way that the following statement could be used. Examples:

  • My business takes payment only in-store through the Revel POS and does not store any cardholder data in any shape or form.
  • My business accepts payments both online and in-store. Our platform providers do not store data and neither do we.

Provide a high-level description of your overall business environment, applicable to your PCI DSS assessment

An example: My business uses Ingenico encrypted swipes to collect payment and sends it to the POS for fulfillment of the order.