Attestation of Compliance, SAQ A, Version 3.0
Part 1a. Qualified Security Assessor Company Information (if applicable)
Part 2. Merchant Organization Information
Company Name: MessageKey
Title: Company Representative
Email: [email protected]
Business Address: 4400 N. Scottsdale Road Ste 9850 City: Scottsdale
Part 2a: Relationships
Does your company have a relationship with one or more third-party agents (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)?
Does your company have a relationship with more than one acquirer? NO
Part 2c. Eligibility to Complete SAQ A
Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:
YES – Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handle these functions;
YES – The third party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant;
YES – Merchant does not store any cardholder data in electronic format; and
YES – If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not
Part 3. PCI DSS Validation
Based on the results noted in the SAQ A dated 2015-10-07, asserts the following compliance status (check one):
YES – Compliant: All sections of the PCI SAQ are complete, and all questions answered yes, resulting in an overall COMPLIANT rating, thereby has demonstrated full compliance with the PCI DSS.
NO – Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered no, resulting in an overall NON-COMPLIANT rating, thereby has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance: N/A
Part 3a. Confirmation of Compliant Status
YES – PCI DSS Self-Assessment Questionnaire A, Version 3.0, was completed according to the instructions therein.
YES – All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
YES – I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
Part 3b. Merchant Acknowledgement
Signature of Merchant Executive Officer: /s/ Bryan Millhouse Date: 2015-10-07
Merchant Executive Officer Name: Bryan Millhouse
Title: Company Representative
Merchant Company Represented: MessageKey
Part 4. Action Plan for Non-Compliant Status
Self-Assessment Questionnaire A Date of Completion: 2015-10-07
9.6: Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, media refers to all paper and electronic media containing cardholder data. YES
9.7: Is strict control maintained over the internal or external distribution of any kind of media?
Do controls include the following: YES
9.7.1: Is media classified so the sensitivity of the data can be determined? YES
9.7.2: Is media sent by secured courier or other delivery method that can be accurately tracked? YES
9.8: Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)? YES
9.9: Is strict control maintained over the storage and accessibility of media? YES
9.10: Is all media destroyed when it is no longer needed for business or legal reasons? Is destruction performed as follows: YES
9.10.1: (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?
(b) Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a to-be-shredded container has a lock preventing access to its contents.) YES
12.8: If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows: YES
12.8.1: Is a list of service providers maintained? YES
12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess? YES
12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement? YES
12.8.4: Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? YES