Section 1: Assessment Information

(1)

Section 1: Assessment Information

Instructions for Submission

7KLVGRFXPHQWPXVWEHFRPSOHWHGDVDGHFODUDWLRQRIWKHUHVXOWVRIWKHPHUFKDQW¶VVHOIDVVHVVPHQWZLWKWKH Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS).&RPSOHWHDOOVHFWLRQV7KHPHUFKDQWLVUHVSRQVLEOHIRUHQVXULQJWKDWHDFKVHFWLRQLVFRPSOHWHGE\WKH UHOHYDQWSDUWLHVDVDSSOLFDEOH&RQWDFWDFTXLUHUPHUFKDQWEDQNRUWKHSD\PHQWEUDQGVWRGHWHUPLQHUHSRUWLQJ DQGVXEPLVVLRQSURFHGXUHV

Part 1. Merchant and Qualified Security Assessor Information

Part 1a. Merchant Organization Information

&RPSDQ\1DPH '%$GRLQJ EXVLQHVVDV &RQWDFW1DPH 7LWOH ,6$1DPHVLIDSSOLFDEOH 7LWOH 7HOHSKRQH (PDLO %XVLQHVV$GGUHVV &LW\ 6WDWH3URYLQFH &RXQWU\ =LS 85/

Part 1b. Qualified Security Assessor Company Information (if applicable) &RPSDQ\1DPH /HDG46$&RQWDFW1DPH 7LWOH 7HOHSKRQH (PDLO %XVLQHVV$GGUHVV &LW\ 6WDWH3URYLQFH &RXQWU\ =LS 85/

Part 2. Executive Summary

Part 2a. Type of Merchant Business (check all that apply)

5HWDLOHU 7HOHFRPPXQLFDWLRQ *URFHU\DQG6XSHUPDUNHWV

3HWUROHXP (&RPPHUFH 0DLORUGHUWHOHSKRQHRUGHU0272

2WKHUVSOHDVHVSHFLI\ :KDWW\SHVRISD\PHQWFKDQQHOVGRHV\RXUEXVLQHVV VHUYH" 0DLORUGHUWHOHSKRQHRUGHU0272 (&RPPHUFH &DUGSUHVHQWIDFHWRIDFH :KLFKSD\PHQWFKDQQHOVDUHFRYHUHGE\WKLV6$4" 0DLORUGHUWHOHSKRQHRUGHU0272 (&RPPHUFH &DUGSUHVHQWIDFHWRIDFH

Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.

PCI DSS SAQ A, v3.0 –Section 1: Assessment Information February 2014 © 2006-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 1 (QWHU\RXU FRPSDQ\ LQIRUPDWLRQ LQWKLV VHFWLRQ <RXUVPDOO EXVLQHVV ZLOOOLNHO\ QRWKDYHDQ ,QWHUQDO 6HFXULW\ $VVHVVRU ,6$ 7KLV VHFWLRQ LV OHIW EODQN EHFDXVH \RX DUH FRPSOHWLQJ WKH TXHVWLRQDLUH \RXUVHOI &KHFN 0DLO 2UGHU 7HOHSKRQH2UGHU LI \RX KDYH D 0272 PHUFKDQW DFFRXQW &KHFN0272 DQGDOVRFKHFN (&RPPHUFH LI\RXXVH 3D\6LPSOH ZHESD\PHQW IURPVDQGRU RQOLQHLQYRLFH SD\PHQWV

Sample Company, Inc. The Sample Company

Sam Pell Owner

303-555-1234 [email protected] 123 Any St. Denver CO USA 80202 www.samplecompany.com

✔

(2)

Part 2b. Description of Payment Card Business +RZDQGLQZKDWFDSDFLW\GRHV\RXUEXVLQHVV VWRUHSURFHVVDQGRUWUDQVPLWFDUGKROGHUGDWD" Part 2c. Locations /LVWW\SHVRIIDFLOLWLHVDQGDVXPPDU\RIORFDWLRQVLQFOXGHGLQWKH3&,'66UHYLHZIRUH[DPSOHUHWDLORXWOHWV FRUSRUDWHRIILFHVGDWDFHQWHUVFDOOFHQWHUVHWF

Type of facility Location(s) of facility (city, country)

Part 2d. Payment Application

'RHVWKHRUJDQL]DWLRQXVHRQHRUPRUH3D\PHQW$SSOLFDWLRQV" <HV 1R 3URYLGHWKHIROORZLQJLQIRUPDWLRQUHJDUGLQJWKH3D\PHQW$SSOLFDWLRQV\RXURUJDQL]DWLRQXVHV Payment Application Name Version Number Application Vendor Is application PA-DSS Listed?

PA-DSS Listing Expiry date (if applicable) <HV 1R

<HV 1R <HV 1R

Part 2e. Description of Environment

3URYLGHDhigh-levelGHVFULSWLRQRIWKHHQYLURQPHQWFRYHUHGE\ WKLVDVVHVVPHQW

For example:

Connections into and out of the cardholder data environment (CDE).

Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

'RHV\RXUEXVLQHVVXVHQHWZRUNVHJPHQWDWLRQWRDIIHFWWKHVFRSHRI\RXU3&,'66 HQYLURQPHQW"

(Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)

<HV 1R

PCI DSS SAQ A, v3.0 –Section 1: Assessment Information February 2014 © 2006-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 2 3URYLGHDEULHI GHVFULSWLRQRI KRZ\RXU FRPSDQ\ SURFHVVHVFUHGLW FDUGWUDQVDFWLRQV DQGVWRUHV FDUGKROGHUGDWD (QWHU\RXU PDLQRIILFH RQ/LQH DQGOLVW DQ\DGGLWLRQDO ORFDWLRQV ZKHUH\RX DFFHSWFUHGLW FDUGV &KHFNWKH1R ER[KHUHWR LQGLFDWHWKDW \RXDUHQRW XVLQJDQ\ SD\PHQW SURFHVVLQJ VRIWZDUHWKDWLV LQVWDOOHGRQ \RXUFRPSXWHU /HDYHWKHUHVW RIWKHVHFWLRQ EODQN (QWHUDEULHI GHVFULSWLRQRIWKH SURFHVVHVDQG SURFHGXUHV\RXU FRPSDQ\XVHV ZLWKUHODWLRQWR FUHGLWFDUG SURFHVVLQJDQG VWRUDJH &KHFN1R KHUH$V\RXXVH 3D\6LPSOH\RX GRQRWXVH VHJPHQWDWLRQ

We use the PCI Compliant PaySimple service for credit card processing, transmission, and storage. We also store cardholder data on paper authorization forms which are kept in a locked file drawer with access granted on a business-need basis only.

Office

Denver, CO USA

✔

Desktop/Laptop Computers connect via the Internet to the PCI Compliant PaySimple service for processing credit card transactions.

A locked file drawer with

business-need-to-know access is used to store paper recurring billing authorization forms that contain cardholder data.

(3)

Part 2f. Third-Party Service Providers 'RHV\RXUFRPSDQ\VKDUHFDUGKROGHUGDWDZLWKDQ\WKLUGSDUW\VHUYLFHSURYLGHUVIRUH[DPSOH JDWHZD\VSD\PHQWSURFHVVRUVSD\PHQWVHUYLFHSURYLGHUV363ZHEKRVWLQJFRPSDQLHV DLUOLQHERRNLQJDJHQWVOR\DOW\SURJUDPDJHQWVHWF" <HV 1R If Yes:

Name of service provider: Description of services provided:

Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Eligibility to Complete SAQ A

0HUFKDQWFHUWLILHVHOLJLELOLW\WRFRPSOHWHWKLVVKRUWHQHGYHUVLRQRIWKH6HOI$VVHVVPHQW4XHVWLRQQDLUH EHFDXVHIRUWKLVSD\PHQWFKDQQHO 0HUFKDQWDFFHSWVRQO\FDUGQRWSUHVHQWHFRPPHUFHRUPDLOWHOHSKRQHRUGHUWUDQVDFWLRQV $OOSD\PHQWDFFHSWDQFHDQGSURFHVVLQJDUHHQWLUHO\RXWVRXUFHGWR3&,'66YDOLGDWHGWKLUGSDUW\ VHUYLFHSURYLGHUV 0HUFKDQWKDVQRGLUHFWFRQWURORIWKHPDQQHULQZKLFKFDUGKROGHUGDWDLVFDSWXUHGSURFHVVHG WUDQVPLWWHGRUVWRUHG 0HUFKDQWGRHVQRWHOHFWURQLFDOO\VWRUHSURFHVVRUWUDQVPLWDQ\FDUGKROGHUGDWDRQPHUFKDQWV\VWHPV RUSUHPLVHVEXWUHOLHVHQWLUHO\RQDWKLUGSDUW\VWRKDQGOHDOOWKHVHIXQFWLRQV 0HUFKDQWKDVFRQILUPHGWKDWDOOWKLUGSDUW\VKDQGOLQJDFFHSWDQFHVWRUDJHSURFHVVLQJDQGRU WUDQVPLVVLRQRIFDUGKROGHUGDWDDUH3&,'66FRPSOLDQWand 0HUFKDQWUHWDLQVRQO\SDSHUUHSRUWVRUUHFHLSWVZLWKFDUGKROGHUGDWDDQGWKHVHGRFXPHQWVDUHQRW UHFHLYHGHOHFWURQLFDOO\

Additionally, for e-commerce channels:

7KHHQWLUHW\RIDOOSD\PHQWSDJHVGHOLYHUHGWRWKHFRQVXPHU¶VEURZVHURULJLQDWHVGLUHFWO\IURPDWKLUG SDUW\3&,'66YDOLGDWHGVHUYLFHSURYLGHUV

6HOHFW<HVWR GLVFORVH\RXU UHODWLRQVKLSZLWK 3D\6LPSOH 'LVFORVH\RXU UHODWLRQVKLSZLWK 3D\6LPSOHLQ WKHILUVWURZ. ,I\RXVKDUH FDUGKROGHUGDWD ZLWKDQ\RWKHU WKLUGSDUWLHV HQWHUWKHPLQ WKHVXEVHTXHQW URZV &KHFNWKLVER[LI\RXXVH3D\6LPSOH:HE3D\PHQW IRUPVDQGRURQOLQHLQYRLFHSD\PHQWIRUPV 2WKHUZLVHOHDYHLWEODQN <RXPXVWEH DEOHWR WUXWKIXOO\FKHFN DOORIWKHVH ER[HVLQRUGHU WR&RPSOHWH 6$4$ 1RWHWKDW 3D\6LPSOHLV 3&,&RPSOLDQW DQGWKDWRXU V\VWHPIXOO\ FRQWUROVDOO DVSHFWHVRI FDUGKROGHU GDWDFDSWXUH WUDQVPLVVLRQ DQGVWRUDJH

✔

PaySimple, Inc.

Payment Processing

✔

(4)

Section 2: Self-Assessment Questionnaire A

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the3&,'66

5HTXLUHPHQWVDQG6HFXULW\$VVHVVPHQW3URFHGXUHVdocument.

Self-assessment completion date:

Requirement 9:

Restrict physical access to cardholder data

PCI DSS Question Expected Testing

Response

(Check one response for each question) Yes Yes with CCW No N/A $UHDOOPHGLDSK\VLFDOO\VHFXUHGLQFOXGLQJEXWQRW OLPLWHGWRFRPSXWHUVUHPRYDEOHHOHFWURQLFPHGLD SDSHUUHFHLSWVSDSHUUHSRUWVDQGID[HV"

For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.

5HYLHZSROLFLHVDQGSURFHGXUHVIRU SK\VLFDOO\VHFXULQJPHGLD

,QWHUYLHZSHUVRQQHO

D ,VVWULFWFRQWUROPDLQWDLQHGRYHUWKHLQWHUQDORU

H[WHUQDOGLVWULEXWLRQRIDQ\NLQGRIPHGLD" 5HYLHZSROLFLHVDQGSURFHGXUHVIRUGLVWULEXWLRQRIPHGLD E 'RFRQWUROVLQFOXGHWKHIROORZLQJ ,VPHGLDFODVVLILHGVRWKHVHQVLWLYLW\RIWKHGDWDFDQEH GHWHUPLQHG" 5HYLHZSROLFLHVDQGSURFHGXUHVIRU PHGLDFODVVLILFDWLRQ ,QWHUYLHZVHFXULW\SHUVRQQHO ,VPHGLDVHQWE\VHFXUHGFRXULHURURWKHUGHOLYHU\ PHWKRGWKDWFDQEHDFFXUDWHO\WUDFNHG" ,QWHUYLHZSHUVRQQHO ([DPLQHPHGLDGLVWULEXWLRQWUDFNLQJORJV DQGGRFXPHQWDWLRQ ,VPDQDJHPHQWDSSURYDOREWDLQHGSULRUWRPRYLQJWKH PHGLDHVSHFLDOO\ZKHQPHGLDLVGLVWULEXWHGWR LQGLYLGXDOV" ,QWHUYLHZSHUVRQQHO ([DPLQHPHGLDGLVWULEXWLRQWUDFNLQJORJV DQGGRFXPHQWDWLRQ ,VVWULFWFRQWUROPDLQWDLQHGRYHUWKHVWRUDJHDQG DFFHVVLELOLW\RIPHGLD" 5HYLHZSROLFLHVDQGSURFHGXUHV

PCI DSS SAQ A, v3.0 –Section 2: Self-Assessment Questionnaire February 2014

)RUHDFKRI WKHVH TXHVWLRQV VHOHFW 21/<21( DQVZHU <HVRU1$ ,I\RXHQWHU1$ \RXZLOOQHHGWR SURYLGHDQ H[SODQDWLRQLQ $SSHQGL[& ,I\RXIHHO\RX QHHGWRFKHFN 1RSOHDVH FRQWDFWXVIRU DVVLVWDQFHGR QRWVXEPLWWKH IRUP 0RXVHRYHUWKHKHOSLFRQVIRUDGHWDLOHGH[SODQDWLRQRIHDFKTXHVWLRQ

✔

(5)

PCI DSS Question Expected Testing

Response

(Check one response for each question) Yes

Yes with

CCW No N/A

D ,VDOOPHGLDGHVWUR\HGZKHQLWLVQRORQJHUQHHGHG

IRUEXVLQHVVRUOHJDOUHDVRQV" 5HYLHZSHULRGLFPHGLDGHVWUXFWLRQSROLFLHVDQGSURFHGXUHV F,VPHGLDGHVWUXFWLRQSHUIRUPHGDVIROORZV D $UHKDUGFRS\PDWHULDOVFURVVFXWVKUHGGHG LQFLQHUDWHGRUSXOSHGVRWKDWFDUGKROGHUGDWD FDQQRWEHUHFRQVWUXFWHG" 5HYLHZSHULRGLFPHGLDGHVWUXFWLRQ SROLFLHVDQGSURFHGXUHV ,QWHUYLHZSHUVRQQHO 2EVHUYHSURFHVVHV E $UHVWRUDJHFRQWDLQHUVXVHGIRUPDWHULDOVWKDW FRQWDLQLQIRUPDWLRQWREHGHVWUR\HGVHFXUHGWR SUHYHQWDFFHVVWRWKHFRQWHQWV" ([DPLQHVHFXULW\RIVWRUDJHFRQWDLQHUV

)RUHDFKRI WKHVH TXHVWLRQV VHOHFW 21/<21( DQVZHU <HVRU1$ ,I\RXHQWHU1$ \RXZLOOQHHGWR SURYLGHDQ H[SODQDWLRQLQ $SSHQGL[& ,I\RXIHHO\RX QHHGWRFKHFN 1RSOHDVH FRQWDFWXVIRU DVVLVWDQFHGR QRWVXEPLWWKH IRUP 0RXVHRYHUWKHKHOSLFRQVIRUDGHWDLOHGH[SODQDWLRQRIHDFKTXHVWLRQ

✔

(6)

Maintain an Information Security Policy

Requirement 12:

Maintain a policy that addresses information security for all personnel

Note: For the purposes of Requirement 12, “personnel” refers to full-time part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.

PCI DSS Question Expected Testing

Response

(Check one response for each question) Yes Yes with CCW No N/A $UHSROLFLHVDQGSURFHGXUHVPDLQWDLQHGDQG LPSOHPHQWHGWRPDQDJHVHUYLFHSURYLGHUVZLWKZKRP FDUGKROGHUGDWDLVVKDUHGRUWKDWFRXOGDIIHFWWKH VHFXULW\RIFDUGKROGHUGDWDDVIROORZV ,VDOLVWRIVHUYLFHSURYLGHUVPDLQWDLQHG" 5HYLHZSROLFLHVDQGSURFHGXUHV 2EVHUYHSURFHVVHV 5HYLHZOLVWRIVHUYLFHSURYLGHUV ,VDZULWWHQDJUHHPHQWPDLQWDLQHGWKDWLQFOXGHVDQ DFNQRZOHGJHPHQWWKDWWKHVHUYLFHSURYLGHUVDUH UHVSRQVLEOHIRUWKHVHFXULW\RIFDUGKROGHUGDWDWKH VHUYLFHSURYLGHUVSRVVHVVRURWKHUZLVHVWRUHSURFHVV RUWUDQVPLWRQEHKDOIRIWKHFXVWRPHURUWRWKHH[WHQW WKDWWKH\FRXOGLPSDFWWKHVHFXULW\RIWKHFXVWRPHU¶V FDUGKROGHUGDWDHQYLURQPHQW"

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the

responsibilities assigned to each party. The

acknowledgement does not have to include the exact wording provided in this requirement.

2EVHUYHZULWWHQDJUHHPHQWV 5HYLHZSROLFLHVDQGSURFHGXUHV ,VWKHUHDQHVWDEOLVKHGSURFHVVIRUHQJDJLQJVHUYLFH SURYLGHUVLQFOXGLQJSURSHUGXHGLOLJHQFHSULRUWR HQJDJHPHQW" 2EVHUYHSURFHVVHV 5HYLHZSROLFLHVDQGSURFHGXUHVDQG VXSSRUWLQJGRFXPHQWDWLRQ ,VDSURJUDPPDLQWDLQHGWRPRQLWRUVHUYLFHSURYLGHUV¶ 3&,'66FRPSOLDQFHVWDWXVDWOHDVWDQQXDOO\" 2EVHUYHSURFHVVHV 5HYLHZSROLFLHVDQGSURFHGXUHVDQG VXSSRUWLQJGRFXPHQWDWLRQ

6HOHFW<HV IRUDOORIWKH TXHVWLRQV $V 3D\6LPSOH LV\RXU VHUYLFH SURYLGHU DQVZHULQJ 1$LVQRW YDOLGLQWKLV VHFWLRQ ,I\RXIHHO \RXQHHGWR FKHFNQR SOHDVH FRQWDFWXV IRU DVVLVWDQFH GRQRW VXEPLWWKH IRUP 0RXVHRYHU WKHKHOS LFRQVIRUD GHWDLOHG H[SODQDWLRQ RIHDFK TXHVWLRQ

✔

(7)

PCI DSS Question Expected Testing

Response

(Check one response for each question) Yes Yes with CCW No N/A ,VLQIRUPDWLRQPDLQWDLQHGDERXWZKLFK3&,'66 UHTXLUHPHQWVDUHPDQDJHGE\HDFKVHUYLFHSURYLGHU DQGZKLFKDUHPDQDJHGE\WKHHQWLW\" 2EVHUYHSURFHVVHV 5HYLHZSROLFLHVDQGSURFHGXUHVDQG VXSSRUWLQJGRFXPHQWDWLRQ

0RXVHRYHUWKH KHOSLFRQIRUD GHWDLOHGH[SODQDWLRQ RIWKHTXHVWLRQ 6HOHFW<HVIRUWKLVTXHVWLRQ $V3D\6LPSOHLV\RXUVHUYLFHSURYLGHUDQVZHULQJ 1$LVQRWYDOLG ,I\RXIHHO\RXQHHGWRFKHFNQRSOHDVHFRQWDFW XVIRUDVVLVWDQFHGRQRWVXEPLWWKHIRUP

✔

(8)

Appendix C: Explanation of Non-Applicability

If the “N/A” (Not Applicable) column was checked in the questionnaire, use this worksheet to explain why the related requirement is not applicable to your organization.

Requirement Reason Requirement is Not Applicable &DUGKROGHUGDWDLVQHYHUVWRUHGHOHFWURQLFDOO\

As we entered N/A for question 9.6.2 above, we enter that number in

the "Requirement" field, and in the "Reason..." field provide a short

explanation of why the question is not applicable to our organization.

Cardholder data is never transported via courier. 9.6.2

(9)

Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

%DVHGRQWKHUHVXOWVQRWHGLQWKH6$4$GDWHG(completion date)WKHVLJQDWRULHVLGHQWLILHGLQ3DUWVEGDV DSSOLFDEOHDVVHUWVWKHIROORZLQJFRPSOLDQFHVWDWXVIRUWKHHQWLW\LGHQWLILHGLQ3DUWRIWKLVGRFXPHQWDVRI (date)check one):

Compliant:$OOVHFWLRQVRIWKH3&,'666$4DUHFRPSOHWHDOOTXHVWLRQVDQVZHUHGDIILUPDWLYHO\ UHVXOWLQJLQDQRYHUDOOCOMPLIANTUDWLQJWKHUHE\(Merchant Company Name)KDVGHPRQVWUDWHGIXOO FRPSOLDQFHZLWKWKH3&,'66

Non-Compliant: 1RWDOOVHFWLRQVRIWKH3&,'666$4DUHFRPSOHWHRUQRWDOOTXHVWLRQVDUHDQVZHUHG DIILUPDWLYHO\UHVXOWLQJLQDQRYHUDOONON-COMPLIANTUDWLQJWKHUHE\(Merchant Company Name)KDV QRWGHPRQVWUDWHGIXOOFRPSOLDQFHZLWKWKH3&,'66

Target DateIRU&RPSOLDQFH

$QHQWLW\VXEPLWWLQJWKLVIRUPZLWKDVWDWXVRI1RQ&RPSOLDQWPD\EHUHTXLUHGWRFRPSOHWHWKH$FWLRQ 3ODQLQ3DUWRIWKLVGRFXPHQWCheck with your acquirer or the payment brand(s) before completing Part 4.

Compliant but with Legal exception:2QHRUPRUHUHTXLUHPHQWVDUHPDUNHG³1R´GXHWRDOHJDO UHVWULFWLRQWKDWSUHYHQWVWKHUHTXLUHPHQWIURPEHLQJPHW7KLVRSWLRQUHTXLUHVDGGLWLRQDOUHYLHZIURP DFTXLUHURUSD\PHQWEUDQG

If checked, complete the following:

Affected Requirement Details of how legal constraint prevents requirement being met

Part 3a. Acknowledgement of Status Signatory(s) confirms:

(Check all that apply)

3&,'666HOI$VVHVVPHQW4XHVWLRQQDLUH$9HUVLRQ(version of SAQ)ZDVFRPSOHWHGDFFRUGLQJWRWKH LQVWUXFWLRQVWKHUHLQ $OOLQIRUPDWLRQZLWKLQWKHDERYHUHIHUHQFHG6$4DQGLQWKLVDWWHVWDWLRQIDLUO\UHSUHVHQWVWKHUHVXOWVRI P\DVVHVVPHQWLQDOOPDWHULDOUHVSHFWV ,KDYHFRQILUPHGZLWKP\SD\PHQWDSSOLFDWLRQYHQGRUWKDWP\SD\PHQWV\VWHPGRHVQRWVWRUHVHQVLWLYH DXWKHQWLFDWLRQGDWDDIWHUDXWKRUL]DWLRQ ,KDYHUHDGWKH3&,'66DQG,UHFRJQL]HWKDW,PXVWPDLQWDLQ3&,'66FRPSOLDQFHDVDSSOLFDEOHWR P\HQYLURQPHQWDWDOOWLPHV ,IP\HQYLURQPHQWFKDQJHV,UHFRJQL]H,PXVWUHDVVHVVP\HQYLURQPHQWDQGLPSOHPHQWDQ\DGGLWLRQDO 3&,'66UHTXLUHPHQWVWKDWDSSO\

PCI DSS SAQ A, v3.0 – Section 3: Validation and Attestation Details February 2014 © 2006-2014 PCI Security Standards Council, LLC. All Rights Reserved. Page 11 Check the "Compliant" box. If for any reason you feel you cannot check this box, do not submit the form; contact us for assistance. Check each box. If for any reason you feel you cannot check all boxes, do not submit the form; contact us for assistance. Mouse over the help icon for a detailed explanation of each item.

✔

(10)

Part 3a. Acknowledgement of Status FRQWLQXHG

1RHYLGHQFHRIIXOOWUDFNGDWD_{&$9&9&&,'RU&99GDWD}_RU3,1GDWD_VWRUDJHDIWHU WUDQVDFWLRQDXWKRUL]DWLRQZDVIRXQGRQ$1<V\VWHPUHYLHZHGGXULQJWKLVDVVHVVPHQW $69VFDQVDUHEHLQJFRPSOHWHGE\WKH3&,66&$SSURYHG6FDQQLQJ9HQGRU(ASV Name)

Part 3b. Merchant Attestation

Signature of Merchant Executive Officer Ç Date: Merchant Executive Officer Name: Title:

Part 3c. QSA Acknowledgement (if applicable) ,ID46$ZDVLQYROYHGRUDVVLVWHGZLWKWKLV

DVVHVVPHQWGHVFULEHWKHUROHSHUIRUPHG

Signature of QSA Ç Date:

QSA Name: QSA Company:

Part 3d. ISA Acknowledgement (if applicable) ,ID,6$ZDVLQYROYHGRUDVVLVWHGZLWKWKLV

DVVHVVPHQWGHVFULEHWKHUROHSHUIRUPHG

Signature of ISA Ç Date:

ISA Name: Title:

_{'DWDHQFRGHGLQWKHPDJQHWLFVWULSHRUHTXLYDOHQWGDWDRQDFKLSXVHGIRUDXWKRUL]DWLRQGXULQJDFDUGSUHVHQWWUDQVDFWLRQ(QWLWLHV} PD\QRWUHWDLQIXOOWUDFNGDWDDIWHUWUDQVDFWLRQDXWKRUL]DWLRQ7KHRQO\HOHPHQWVRIWUDFNGDWDWKDWPD\EHUHWDLQHGDUHSULPDU\ DFFRXQWQXPEHU3$1H[SLUDWLRQGDWHDQGFDUGKROGHUQDPH _{7KHWKUHHRUIRXUGLJLWYDOXHSULQWHGE\WKHVLJQDWXUHSDQHORURQWKHIDFHRIDSD\PHQWFDUGXVHGWRYHULI\FDUGQRWSUHVHQW} WUDQVDFWLRQV _{3HUVRQDOLGHQWLILFDWLRQQXPEHUHQWHUHGE\FDUGKROGHUGXULQJDFDUGSUHVHQWWUDQVDFWLRQDQGRUHQFU\SWHG3,1EORFNSUHVHQW} ZLWKLQWKHWUDQVDFWLRQPHVVDJH

Have the

Authorized Signer for your NPC Merchant

Services Agreement digitally sign here, and enter

date, name, and title. As you completed this form yourself, leave this section blank. As a small business, you will not have an

Internal Security Assessor (ISA).

Leave this section blank.

Check this box. PaySimple's PCI Compliance certification means that an independent third party has verified that there is no evidence of full track data, CAV2, CVC2, CID, CVV2, or PIN data stored on our system after authorization.

Leave this box unchecked. PaySimple SAQ A merchants are not required to do AVS scans.

✔

Owner

Sam Pell

Digitally signed by Sam Pell DN: cn=Sam Pell, o=Sample Company, ou=Owner, [email protected], c=US Date: 2015.01.21 13:18:57 -07'00'

(11)

Part 4. Action Plan for Non-Compliant Requirements

6HOHFWWKHDSSURSULDWHUHVSRQVHIRU³&RPSOLDQWWR3&,'665HTXLUHPHQWV´IRUHDFKUHTXLUHPHQW,I\RX DQVZHU³1R´WRDQ\RIWKHUHTXLUHPHQWV\RXPD\EHUHTXLUHGWRSURYLGHWKHGDWH\RXU&RPSDQ\H[SHFWVWR EHFRPSOLDQWZLWKWKHUHTXLUHPHQWDQGDEULHIGHVFULSWLRQRIWKHDFWLRQVEHLQJWDNHQWRPHHWWKHUHTXLUHPHQW Check with your acquirer or the payment brand(s) before completing Part 4.

PCI DSS

Requirement Description of Requirement

Compliant to PCI DSS Requirements

6HOHFW2QH

Remediation Date and Actions

,I³12´VHOHFWHGIRUDQ\ 5HTXLUHPHQW YES NO 5HVWULFWSK\VLFDODFFHVVWR FDUGKROGHUGDWD 0DLQWDLQDSROLF\WKDWDGGUHVVHV LQIRUPDWLRQVHFXULW\IRUDOO SHUVRQQHO

Check "yes" for both sections to indicate that you are compliant. If for any reason you feel you cannot check yes, do not submit the form; contact us for assistance.

Save the completed and digitally signed form to your computer. Then click this button to go to the PaySimple Support Center where you can securely upload the form.

✔