PCI Responsibility Matrix

 

Moneris, a leading provider of payment processing solutions, offers a comprehensive suite of products, including Smart Devices, Payment Devices, Online Payments, and Self-Checkout Kiosks. Our commitment to security is demonstrated through our adherence to the Payment Card Industry Data Security Standard (PCI DSS) v4.0 requirements for both our products and the underlying infrastructure.


    We understand the diverse needs of our merchants, which is why we provide a range of payment solutions. Our Merchant Integrated Devices, for instance, give merchants greater control over the payment flow on their devices. It is important to note, however, that with the exception of Standalone and Semi-Integrated Devices, Moneris does not have full control over the security of the operating system, packages, or applications deployed by our merchants.

    In accordance with the PCI DSS, it is the responsibility of our merchants to ensure compliance with the requirements that pertain to merchant-deployed operating systems, packages, and applications. While Moneris is responsible for maintaining its own PCI DSS compliance and providing an Attestation of Compliance (AOC), this document outlines the specific responsibilities of merchants that leverage Moneris solutions.

    It is crucial for merchants to understand that certain requirements are solely the responsibility of Moneris, while others are solely the responsibility of the merchant. Additionally, there are shared responsibilities that require collaboration between both parties. Merchants who utilize Moneris products within their cardholder data environment (CDE) must deploy services in a manner that aligns with the PCI DSS.

    To facilitate the pursuit of PCI compliance, we highly recommend that merchants refer to the responsibility matrix provided in this document. This matrix serves as a valuable tool during PCI audits, enabling merchants to effectively fulfill their obligations and maintain a secure environment for cardholder data.

    Purpose:

    This document outlines the PCI DSS v4.0 responsibilities between Moneris, as a Service Provider, and its merchants. The guidance in this document applies only to merchants, not to service providers that leverage Moneris solutions. Please reach out to your Moneris contact for additional support.


    Third Party Service Provider (TPSP) Responsibilities Matrix Overview:

    According to PCI DSS v4.0 Requirement 12.9.2, Moneris, as a service provider, is obligated to support its merchants' information requests so that they can fulfill Requirements 12.8.4 and 12.8.5. This includes providing the following upon merchant request:

    • PCI DSS compliance status information for any service performed by the TPSP on behalf of merchants (Requirement 12.8.4).
    • Information regarding the TPSP's and the merchant's respective responsibilities for PCI DSS requirements, including any shared responsibilities (Requirement 12.8.5).

    This document details the PCI DSS requirements that fall under Moneris' responsibility as a TPSP and those that are the merchant's responsibility, including any shared responsibilities (Requirement 12.8.5).


    Scope and Approach:

    The approach for determining responsibilities between Moneris and its merchants was to categorize the types of Moneris payment Devices and solutions based on their functionality and use. This categorization defines the scope of the Devices and solutions covered. The TPSP RACI Matrix covers the PCI DSS responsibilities between Moneris and its merchants, categorized by the eight (8) types of Moneris payment Devices and solutions described below.

    1. Standalone Devices - Dial-up: Payment devices that use a dial-up network connection. The application used on these devices is developed and managed by Moneris. The Moneris application handles the cardholder data (CHD) and the communication with the Moneris host, while the merchant only sends the transaction amount and other parameters to the device. This reduces the merchant's PCI compliance scope and responsibility, as the merchant does not have to deal with the payment host interface or the encryption of the CHD. To determine merchant responsibilities for Standalone Devices - Dial-up, we have leveraged the guidance found under Merchant Eligibility Criteria for Self-Assessment Questionnaire (SAQ) B. For more information, please see the Appendix.

    In scope products: Moneris ICT250, Moneris VX 520, Moneris VX 820, Moneris IWL220

    2. Standalone Devices: Payment and smart devices with a wireless / IP network connection. The application used on these devices is developed and managed by Moneris. The Moneris application handles the CHD and the communication with the Moneris host, while the merchant only sends the transaction amount and other parameters to the device. This reduces the merchant's PCI compliance scope and responsibility, as the merchant does not have to deal with the payment host interface or the encryption of the CHD. To determine merchant responsibilities for Standalone Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ B-IP. For more information, please see the Appendix.

    In scope products: Moneris Go Terminal Plus, Moneris Go Terminal, Moneris Core V400m, Moneris Core V400c, Moneris Core Desk/5000, Moneris Core Move/5000, Moneris ICT250, Moneris VX 520, Moneris VX 820, Moneris IWL220, Moneris IWL255

    3. Semi-Integrated Devices: These devices use a Moneris application that runs on a device such as a PIN pad or a mobile phone. The Moneris application handles the CHD and the communication with the Moneris host, while the merchant only sends the transaction amount and other parameters to the device. This reduces the merchant's PCI compliance scope and responsibility, as they do not have to deal with the payment host interface or the encryption of the CHD. To determine Merchant responsibilities for Semi-integrated Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ B-IP. For more information, please see the Appendix for reference.

    Note: Moneris Kiosks are considered a semi-integrated solution. However, these devices are not in scope because Moneris does not manage the software on the kiosks and only provides the hardware to merchants.

    In scope products: Moneris Go PINPad, Moneris Go Slim, Moneris Go Unattended, Moneris Go Terminal Plus, Moneris Go Terminal, Moneris Core V400m, Moneris Core V400c, Moneris Core Desk/5000, Moneris Core Move/5000, Moneris ICT250, Moneris VX 520, Moneris VX 820, Moneris IWL220, Moneris IWL255, POSPad IPP320, POSPad P400, POSPad E355, POSPad ICMP, Direct Connect UX301, Direct Connect UX410, Direct Connect UX300

    4. Point-to-Point Encryption (P2PE) Devices: These are PCI SSC-listed approved devices that Moneris provides to its merchants as part of a validated P2PE solution. P2PE Devices help reduce the merchant's PCI DSS scope. To determine merchant responsibilities for P2PE Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ P2PE. For more information, please see the Appendix.

    In scope products: POSPad P400, Moneris Go Slim, Moneris Go Terminal Plus

    5. Payment Platforms & Gateways: Payment platforms and gateways are Moneris solutions that allow merchants to accept online payments from their customers over a secure, encrypted connection. To determine merchant responsibilities for Payment Platforms & Gateways, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ D. For more information, please see the Appendix.

    In scope products: IPGate, Moneris Gateway, Transit Gateway, Terminal Gateway, Moneris Cloud

    6. Hosted Solutions - Cardholder Facing: Hosted Solutions - Cardholder Facing, including Moneris Checkout, are hosted eCommerce solutions (iFrame with JavaScript integration) that collect CHD and send it to the Moneris Gateway to process transactions. This is an integration option for merchants that process e-commerce transactions from their website. To determine merchant responsibilities for this hosted solution, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ A-EP. For more information, please see the Appendix.

    In scope products: Moneris Checkout, Hosted Pay Page (HPP)

    7. Hosted Solutions - Merchant Facing: These are Moneris-hosted solutions that allow merchants to process payments online using their own computer and web browser, also known as a Virtual Terminal. They are typically used for eCommerce and card-not-present transactions (e.g., phone orders, mail orders, or recurring payments). To determine merchant responsibilities for this hosted solution, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ C-VT. For more information, please see the Appendix.

    In scope products: Virtual Terminal, Moneris Go Portal, Merchant Direct, Merchant Resource Centre

    8. Merchant Integrated Devices: These are devices where the merchant's point-of-sale software, the Electronic Cash Register (ECR), is responsible for creating and sending the payment messages to the Moneris host. The merchant also integrates a device to capture the CHD and return it to the ECR. The merchant has more control and customization over the payment process, but also more responsibility for securing the CHD in their environment. To determine merchant responsibilities for Merchant Integrated Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ C. For more information, please see the Appendix.

    Appendix: Merchant Eligibility Criteria

    Determining Merchant Eligibility Criteria for Standalone Devices (Dial-up) (SAQ B)

    To determine merchant responsibilities for Standalone Devices - Dial-up, we have leveraged the guidance found under the Self-Assessment Questionnaire (SAQ) B, which includes only those PCI DSS requirements applicable to merchants that meet the eligibility criteria below. SAQ B merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store account data on any computer system.

    SAQ B merchants confirm that, for this payment channel:

    - The merchant uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to the merchant's processor) to take customers' payment card information;

    - The standalone dial-up terminals are not connected to any other systems within the merchant environment;

    - The standalone dial-up terminals are not connected to the Internet;

    - The merchant does not store account data in electronic format;

    - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

    This SAQ includes only those requirements that apply to a specific type of merchant environment, as
    defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder
    data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for
    the merchant’s environment.

    Determining Merchant Eligibility Criteria for Standalone (Wireless/IP) and Semi-integrated Devices (SAQ B-IP)

    To determine merchant responsibilities for Standalone (Wireless/IP) and Semi-integrated Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ B-IP. This SAQ template includes only those PCI DSS requirements applicable to merchants that meet the eligibility criteria below.

    SAQ B-IP merchants confirm that, for this payment channel:

    - The merchant uses only standalone, PCI-listed approved PTS POI devices (excludes SCRs and SCRPs) connected via IP to the merchant's payment processor to take customers' payment card information;

    - The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs and SCRPs);

    - The standalone, IP-connected PTS POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate the PTS POI devices from other systems);

    - The only transmission of account data is from the approved PTS POI devices to the payment processor;

    - The PTS POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor;

    - The merchant does not store account data in electronic format;

    - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

    This SAQ includes only those requirements that apply to a specific type of merchant environment, as
    defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder
    data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for
    the merchant’s environment. 

    Determining Merchant Eligibility Criteria for Integrated Devices (SAQ C)

    To determine merchant responsibilities for Merchant Integrated Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ C. This SAQ template includes only those PCI DSS requirements applicable to merchants that meet the eligibility criteria below.

    SAQ C merchants confirm that, for this payment channel:

    - The merchant has a payment application system and an Internet connection on the same device and/or the same local area network (LAN);

    - The payment application system is not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate the payment application system/Internet device from all other systems);

    - The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single store only;

    - The merchant does not store account data in electronic format;

    - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

    This SAQ includes only those requirements that apply to a specific type of merchant environment, as
    defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder
    data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for
    the merchant’s environment.

    Determining Merchant Eligibility Criteria for P2PE Devices (SAQ P2PE)

    To determine merchant responsibilities for P2PE Devices, we have leveraged the guidance found under Merchant Eligibility Criteria for the Self-Assessment Questionnaire for Point-to-Point Encryption (SAQ P2PE). This SAQ template includes only those PCI DSS requirements applicable to merchants that process account data only via a validated PCI-listed P2PE solution. SAQ P2PE merchants do not have access to clear-text account data on any computer system, and only enter account data via payment terminals from a validated PCI-listed P2PE solution. SAQ P2PE merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive account data on paper or over a telephone, and key it directly and only into a payment terminal from a validated PCI-listed P2PE solution.

    SAQ P2PE merchants confirm that, for this payment channel:

    - All payment processing is via a validated PCI-listed P2PE solution;
    - The only systems in the merchant environment that store, process or transmit account data are the payment terminals from a validated PCI-listed P2PE solution;
    - The merchant does not otherwise receive, transmit, or store account data electronically;
    - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
    - The merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

    This SAQ includes only those requirements that apply to a specific type of merchant environment, as
    defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder
    data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for
    the merchant’s environment.

    Determining Merchant Eligibility Criteria for Hosted Solutions (Moneris Checkout) (SAQ A-EP)

    To determine merchant responsibilities for Hosted Solutions (Moneris Checkout), we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ A-EP. SAQ A-EP includes only those PCI DSS requirements applicable to e-commerce merchants with a website that does not itself receive account data but that does affect the security of the payment transaction and/or the integrity of the page that accepts the customer's account data. SAQ A-EP merchants are e-commerce merchants that partially outsource their e-commerce payment channel to PCI DSS validated and compliant third parties and do not electronically store, process, or transmit any account data on their systems or premises. This SAQ template includes only those PCI DSS requirements applicable to merchants that meet the eligibility criteria below.

    SAQ A-EP merchants confirm that, for this payment channel:
    - The merchant accepts only e-commerce transactions;
    - All processing of account data, with the exception of the payment page, is entirely outsourced to a PCI DSS compliant third-party service provider (TPSP)/payment processor;
    - The merchant's e-commerce website does not receive account data but controls how customers, or their account data, are redirected to a PCI DSS compliant TPSP/payment processor;
    - If the merchant website is hosted by a TPSP, the TPSP is compliant with all applicable PCI DSS requirements (including PCI DSS Appendix A if the TPSP is a multi-tenant hosting provider);
    - Each element of the payment page(s) delivered to the customer's browser originates from either the merchant's website or a PCI DSS compliant TPSP;
    - The merchant does not electronically store, process, or transmit any account data on merchant systems or premises, but relies entirely on a TPSP(s) to handle all these functions;
    - The merchant has reviewed the PCI DSS Attestation of Compliance form(s) for its TPSP(s) and has confirmed that the TPSP(s) are PCI DSS compliant for the services used by the merchant; and
    - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

    This SAQ includes only those requirements that apply to a specific type of merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for the merchant's environment.
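    The A-EP criterion that every element of the payment page delivered to the customer's browser originates from the merchant's own website or a PCI DSS compliant TPSP is something a merchant can check rather than assert. The Python script below is an added example for this page, not Moneris code and not a Moneris API: it parses the payment page HTML, resolves every resource-loading element (scripts, iframes, images, stylesheets, form actions) to an origin, and flags any origin outside an allowlist. The page URL, the allowlist entries (shop.example as the merchant site, tpsp.example as a stand-in for the TPSP host) and the sample page are all constructed for the example; in practice the allowlist is the merchant's own hosts plus the TPSP hosts covered by the AOC the merchant has reviewed.

```python
"""Inventory the origins of resource-loading elements on a payment page.

Added example, not Moneris code. Given the HTML of the merchant's payment page
and an allowlist of origins the merchant has verified (its own site plus the
TPSP hosts covered by the TPSP's AOC), it resolves every element that pulls a
resource into the page to an origin and flags any origin not on the allowlist.
All host names and the sample page below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute(s) through which that element loads an external resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
    "object": ("data",),
    "embed": ("src",),
}


def origin_of(url):
    """Return scheme://host[:port] for a URL, lower-cased for comparison.

    data:, blob: and javascript: URLs have no host; their content is embedded
    in the page itself, so they are reported as 'inline'."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "inline"
    return f"{parts.scheme}://{parts.netloc}".lower()


class PaymentPageAuditor(HTMLParser):
    """Collect (tag, resolved URL, origin) for each resource-loading element."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.elements = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            # Inline script: originates from the page itself, but it is still
            # part of the payment page and belongs in the inventory.
            self.inline_scripts += 1
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(attr):
                url = urljoin(self.page_url, attrs[attr])  # resolve relative URLs
                self.elements.append((tag, url, origin_of(url)))


def audit_payment_page(html, page_url, allowed_origins):
    """Parse the page and split its elements into allowed and unexpected origins."""
    auditor = PaymentPageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    allowed = {o.lower().rstrip("/") for o in allowed_origins} | {"inline"}
    unexpected = [e for e in auditor.elements if e[2] not in allowed]
    return {
        "elements": auditor.elements,
        "inline_scripts": auditor.inline_scripts,
        "unexpected": unexpected,
    }


# Constructed sample data: the merchant site and a stand-in TPSP host.
PAGE_URL = "https://shop.example/checkout"
ALLOWED_ORIGINS = ["https://shop.example", "https://tpsp.example"]
SAMPLE_PAGE = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="https://cdn.analytics.example/track.js"></script>
  <script>window.cfg = {};</script>
</head><body>
  <img src="http://shop.example/logo.png">
  <script src="/js/checkout.js"></script>
  <iframe src="https://tpsp.example/hosted-page?token=abc"></iframe>
</body></html>"""


if __name__ == "__main__":
    result = audit_payment_page(SAMPLE_PAGE, PAGE_URL, ALLOWED_ORIGINS)
    for tag, url, origin in result["elements"]:
        status = "UNEXPECTED" if (tag, url, origin) in result["unexpected"] else "ok"
        print(f"{status:10} {tag:7} {origin:32} {url}")
    print(f"inline scripts: {result['inline_scripts']}")
```

    On the sample page the analytics script from a third host is flagged, and so is the logo loaded from the merchant's own host over plain http: because the origin includes the scheme, a resource the merchant serves without TLS does not match the https allowlist entry, which is exactly the mixed-content case worth catching on a payment page. Running this against the rendered DOM (after the TPSP's JavaScript has executed) rather than the static HTML will catch scripts injected at runtime as well.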
     
    Determining Merchant Eligibility Criteria for Hosted Solutions (Virtual Terminal) (SAQ C-VT)

    To determine merchant responsibilities for Hosted Solutions (Virtual Terminal), we have leveraged the guidance found under Merchant Eligibility Criteria for SAQ C-VT. SAQ C-VT includes only those PCI DSS requirements applicable to merchants that process account data only via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet. A virtual payment terminal is a third-party solution used to submit payment card transactions for authorization to a PCI DSS compliant third-party service provider (TPSP) website. Using this solution, the merchant manually enters account data from an isolated computing device via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. This SAQ option is intended to apply only to merchants that manually enter a single transaction at a time via a keyboard into an Internet-based virtual payment terminal solution. SAQ C-VT merchants may be brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store account data on any computer system. This SAQ template includes only those PCI DSS requirements applicable to merchants that meet the eligibility criteria below.

    SAQ C-VT merchants confirm that, for this payment channel:
    - The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
    - The virtual payment terminal solution is provided and hosted by a PCI DSS compliant third-party service provider;
    - The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location, and is not connected to other locations or systems;
    - The computing device does not have software installed that causes account data to be stored (for example, there is no software for batch processing or store-and-forward);
    - The computing device does not have any attached hardware devices that are used to capture or store account data (for example, there are no card readers attached);
    - The merchant does not otherwise receive, transmit, or store account data electronically through any channels (for example, via an internal network or the Internet); and
    - Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

    This SAQ includes only those requirements that apply to a specific type of merchant environment, as
    defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder
    data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for
    the merchant’s environment.


    TPSP Responsibilities Matrix Legend

    The PCI DSS Requirement responsibilities assigned in the TPSP Responsibilities Matrix are defined as follows:

    1. Moneris: Moneris, as the TPSP, is fully responsible for complying with the associated PCI DSS Requirement.

    2. Merchant: The merchant is fully responsible for complying with the associated PCI DSS Requirement.

    3. N/A: The responsibility is not applicable to either Moneris or the Merchant.