Payment Card Policies
Merchant Policies Templates (VERSION 3.2.1)

ALL merchants must select the correct template, update the template, save it, and include it with their merchant manual.

| Merchant Specific Policies & Procedures Template | Description | Operational Policies & Procedures Template | Description |
| --- | --- | --- | --- |
| Category 1 | All credit card processing is outsourced (SAQ A). | Category 1 | All credit card processing is outsourced (SAQ A). |
| Category 2 | Merchant only processes payments using a dial up (copper phone line or cellular) terminal (SAQ B). | Category 2 | Merchant only processes payments using a dial up (copper phone line or cellular) terminal (SAQ B). |
| Category 2 and 1 | Merchant Business Unit processes payments by dial up or cellular terminal and accepts payments by outsourced e-commerce website (SAQ A & SAQ B). | Category 2 and 1 | Merchant Business Unit processes payments by dial up or cellular terminal and accepts payments by outsourced e-commerce website (SAQ A & SAQ B). |
| Category 3 | Merchant only processes payments using an IP terminal (SAQ B-IP). | Category 3 | Merchant only processes payments using an IP terminal (SAQ B-IP). |
| Category 3 and 1 | Merchant Business Unit processes payments by IP terminal and accepts payments by outsourced e-commerce website (SAQ A & SAQ B-IP). | Category 3 and 1 | Merchant Business Unit processes payments by IP terminal and accepts payments by outsourced e-commerce website (SAQ A & SAQ B-IP). |
| Category 4 | Merchant only processes payments using a web-based virtual terminal and does not store cardholder data electronically (SAQ C-VT). | Category 4 | Merchant only processes payments using a web-based virtual terminal and does not store cardholder data electronically (SAQ C-VT). |
| Category 4 and 1 | Merchant only processes payments by outsourced e-commerce website and also by virtual terminal (SAQ A and SAQ C-VT). | Category 4 and 1 | Merchant only processes payments by outsourced e-commerce website and also by virtual terminal (SAQ A and SAQ C-VT). |
| Category 4, 2, and 1 | Merchant Business Unit processes payments by dial up or cellular terminal, accepts payments by outsourced e-commerce website, and also by virtual terminal (SAQ A, SAQ B, & SAQ C-VT). | Category 4, 2, and 1 | Merchant Business Unit processes payments by dial up or cellular terminal, accepts payments by outsourced e-commerce website, and also by virtual terminal (SAQ A, SAQ B, & SAQ C-VT). |
| Category 5 | Merchant only processes payments with payment application systems connected to the internet and NO electronic cardholder data storage (SAQ C). | Category 5 | Merchant only processes payments with payment application systems connected to the internet and NO electronic cardholder data storage (SAQ C). |
| Category 5 and 1 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage) and also with outsourced e-commerce website (SAQ A & SAQ C). | Category 5 and 1 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage) and also with outsourced e-commerce website (SAQ A & SAQ C). |
| Category 5 and 2 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage) and also with dial up or cellular terminals (SAQ B & SAQ C). | Category 5 and 2 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage) and also with dial up or cellular terminals (SAQ B & SAQ C). |
| Category 5, 2, and 1 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage), dial up or cellular terminal, and outsourced e-commerce website (SAQ A, SAQ B, & SAQ C). | Category 5, 2, and 1 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage), dial up or cellular terminal, and outsourced e-commerce website (SAQ A, SAQ B, & SAQ C). |
| Category 5, P2PE, and 2 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage), dial up or cellular terminal, and P2PE solution (SAQ B, SAQ C, & SAQ P2PE-HW). | Category 5, P2PE, and 2 | Merchant Business Unit processes payments with payment application systems (NO electronic cardholder data storage), dial up or cellular terminal, and P2PE solution (SAQ B, SAQ C, & SAQ P2PE-HW). |
| Category P2PE | Merchant only processes payments using a validated P2PE solution or is using an E2EE solution that was audited by our QSA and scope reduction was granted by our acquiring bank (SAQ P2PE-HW). | Category P2PE | Merchant only processes payments using a validated P2PE solution or is using an E2EE solution that was audited by our QSA and scope reduction was granted by our acquiring bank (SAQ P2PE-HW). |
| Category P2PE and 1 | Merchant Business Unit processes payments using validated P2PE solution and is also processing payments by outsourced e-commerce website (SAQ A & SAQ P2PE-HW). | Category P2PE and 1 | Merchant Business Unit processes payments using validated P2PE solution and is also processing payments by outsourced e-commerce website (SAQ A & SAQ P2PE-HW). |
| Category P2PE and 2 | Merchant Business Unit processes payments using validated P2PE solution and is also processing payments by dial up or cellular terminal(s) (SAQ B & SAQ P2PE-HW). | Category P2PE and 2 | Merchant Business Unit processes payments using validated P2PE solution and is also processing payments by dial up or cellular terminal(s) (SAQ B & SAQ P2PE-HW). |
| Category P2PE, 2, and 1 | Merchant Business Unit processes payments using validated P2PE solution, by dial up or cellular terminal, and also by outsourced e-commerce website (SAQ A, SAQ B, & SAQ P2PE-HW). | Category P2PE, 2, and 1 | Merchant Business Unit processes payments using validated P2PE solution, by dial up or cellular terminal, and also by outsourced e-commerce website (SAQ A, SAQ B, & SAQ P2PE-HW). |
 
Supplemental Forms

Diagram Guidance

General Merchant Policies

IT / Advanced Security Policies

Reviewed 2021-06-09