We're RAMP clients and have a very small staff. Nearly 50% of our staff are responsible for selling tickets and/or processing payments in some form or fashion in the course of a work week. Some of our staff work remotely and, as a presenting partner, all of our venues and our main ticket window are remote from our office location.
We're trying to figure out how to certify for PCI compliance and keep going around in circles with our out-sourced IT vendor, Vantiv, and Trustwave. The network segmentation required for PCI compliance seems impossible to us as everyone wears multiple hats and we can't figure out how they can do their "day jobs" AND be able to process payments when orders come in.
Our card readers (Verifone Vx805 units) are P2PE certified. However, we primarily type in credit card numbers using our keyboards since most payments are for card-not-present transactions. In the rare case where we have a card present transaction, we do use the card readers. We're trying to decide if we should implement ONLY card readers for credit card payments (no more typing in cc numbers) and thus complete the P2PE SAQ for PCI certification or if we should continue with our current practices and complete SAQ C for PCI certification.
If you've certified using the P2PE SAQ, what do you do to enforce using only card readers to enter credit card info (so staff can't use their keyboards to type in credit card info anymore)? If your card readers are P2PE approved devices and you still type credit card numbers in as well, did you certify for PCI compliance using SAQ C instead? If you used SAQ C and have a distributed workforce with multiple responsibilities outside of taking payments, did you segment your network, and if so, how?
Thanks,
Sara