Payment Card Processing
      Back to home
      1. EBMS Knowledge Base
      2. Sales
      3. Payment Card Processing

      SaferPayments FAQ

      SaferPayments is a Self-Assessment Questionnaire (SAQ). It's designed to help you attest that you are PCI compliant, and have you review any potential security threats.

      You should answer all questions in the context of Koble Payments Only. If you also accept payments through another provider (Stripe, PayPal, etc.), those are not part of the scope of SaferPayments through Koble. Those providers would have their own PCI compliance questionnaire that you would need to answer for those payment channels.

      Business Profile (first thing that you do after creating your account)

      Each question is about your business and your practices. Certain answers may lead to a bigger assessment. Please think through each question carefully and answer truthfully.

      If you already answered the questions, and need to re-evaluate your answer, you can login to SaferPayments, click "Manage" under Your Business Profile on the bottom left, and then click Re-profile to go through the business profile questions again.

      Each question should have a symbol that can give you more info about the question or the answer options.

      As you are going through the business profile section, here are some things we would like to note for you:

      • On questions about “How do you accept online e-commerce customer card payments?”, you should only select the first option (we do not offer any app integration at this time).
      • If you get the question about “YOUR PAYMENT SOFTWARE PROVIDER”, type in “Koble Payments”, if it doesn’t come up in the search list, click “add your own” (that is a link, though it’s hard to tell), and add Koble Payments
      • EBMS does not store any actual credit card numbers, so any question about storing full card numbers, or people having access to full card numbers, you can answer “No” to UNLESS you are writing full card numbers down on paper, in memo notes on invoices, in emails, IM’s, Word documents, Excel sheets, phone recordings, etc.
        • Writing down full card number is generally a VERY bad practice and something we recommend you don't do.
        • If you answer “yes” to any question about storing full credit card information, that will increase the scope of the assessment, and you’ll need to answer questions about how you securely destroy that information both during the business profile and the actual SAQ
      • Devices are listed as “Ingenico Lane(or Link)/numbers". There may be multiple that are available. It doesn’t REALLY matter which one you pick, but these are the correct versions for each device:
        • Ingenico Lane/7000 6.x
        • Ingenico Lane/3000 6.x
        • Ingenico Link/2500 5.x
        • If for some reason the list doesn't load when you start to type, you can add your own and put the above values in there
      • Questions about remote access generally don’t apply to Koble. This would be other third-party vendors (like IT companies, other software providers, other payment processors, etc.)
        • If they have access to your systems, think about what they have access to and how that could affect the security of credit card info. For example, can they access your server, firewall, or POS stations without local user interaction? Are they able to put keyloggers, packet sniffers, etc. on your computers/network?
      • The question near the end about password enforcement: EBMS itself does not enforce a minimum password requirement. This is on you as the business to setup and enforce for your users, either for logging in to EBMS, or into the computers themselves.
        • NOTE: the password requirement does NOT apply to computers/users whose ONLY function is a single transaction at a time (like checkout POS at a store where all the cashier is doing is scanning products and taking payment, generally in-person with a physical card).
      • On the question about “Do you use an Internal Security Assessor for your PCI DSS?”, the answer is “No” unless you have specifically had an employee there trained and certified by the PCI Security Council
      • On the question about “Support from a PCI Qualified Security Assessor”, the answer is “No”, unless you have contracted with someone independently to assist. Koble is not a PCI Qualified Security Assessor.

      Once you have completed the business profile, you will need to run a scan to validate your PCI Compliance and answer a few questions to complete the security assessment (if your business practices are all mostly PCI compliant already, you should only have about 20-30 questions to answer).

      Be scan compliant

      You should provide any IP addresses or URL's where Koble Payments is accepted, like each location's public IP address, the URL of your website if you accept Koble Payments on it, etc.

      You do NOT need to include your WebPay Portal URL or any third party website where Koble Payments is not accepted.

      When the scan is completed, there may or may not be things you need to address. If the things you need address are related to your Koble hosted ecommerce site, please reach out to our support team. All other issues that arise out of the scan should be addressed by your IT provider.

      Complete security assessment

      None of the questions should be directly related to EBMS or Koble Payments, and because Koble is not a PCI Qualified Security Assessor, we cannot answer the questions for you on the security assessment. We can help you understand the question, but that is the extent of what we are authorized to do.

      If there is an acronym or term you do not understand, please reference this PCI Glossary for definitions.

      If you need help beyond what we are authorized to provide, you'll need to reach out to a PCI Qualified Security Assessor.