Welcome to the OmniMagnet Support

 

CyberSource PCI Compliance (updated Aug. 12, 2010)

Additional Information for submitting the necessary paperwork for PCI Compliance.

For the purposes of this exercise, consider your organization/association/club to be the Merchant.  Although your transactions are being processed through the Magnet Platform by CyberSource, in the end, your organization/association/club is the entity collecting the online payment.  Please see below to determine which SAQ form needs to be filled out and submitted by your organization/association/club.  In many cases, the SAQ A form will be sufficient.

Additional Resources:
Self Assessment Questionnaire A (SAQ A) and Attestation of Compliance (AOC) Help Guide
Additional info on the various SAQ forms and when they are required



Any company or organization that accepts credit cards or debit cards as a form of payment is required by Visa, MasterCard, AMEX and the other card brands to be compliant with the Payment Card Industry Data Security Standard (PCI DSS).  Companies like CyberSource that provide merchant accounts are required to implement programs to help their merchants achieve PCI DSS compliance.  In addition, merchants are required to provide proof of compliance to their merchant account providers.

Some merchants who do not handle credit card data in any way, but rather use the services of PCI DSS compliant service providers, can significantly reduce their effort to become PCI compliant.  If a merchant does not handle credit card data, it would be eligible to complete Self Assessment Questionnaire A (SAQ A) along with its associated Attestation of Compliance (AOC) and is not required to have its computer network scanned.

To be eligible to complete SAQ A and the accompanying AOC, a CyberSource/Authorize.net merchant acquiring customer must meet ALL of the following conditions:

  • Merchant (Association/Club) does not process any card-present transactions.
  • Merchant (Association/Club) does not process credit card payments through the CyberSource virtual terminal or the Authorize.net virtual terminal.
  • Merchant (Association/Club) does not electronically store*, process, or transmit any credit card data on or from any of their locations or facilities but rather outsources all of these functions to PCI compliant third party service providers.
  • Merchant (Association/Club) has confirmed that all third party service providers that handle credit card data on their behalf are PCI compliant.

    * Storage of paper reports and paper receipts containing credit card data is permitted as long as the reports and receipts are NOT received electronically, such as via email.

Merchants that do handle credit card information are not eligible to complete SAQ A and must instead complete Self Assessment Questionnaire B, C, or D.
 

| SAQ Validation Type | Description | SAQ: V1.2 |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no electronic cardholder data storage | B |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | B |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D |

(Click the above link to download the appropriate form)

Due to the complexity of the PCI DSS and the requirements to validate compliance, we recommend that all merchants, including those that are eligible for SAQ A, take advantage of the Trustwave Trustkeeper portal as part of the CyberSource PCI Compliance Program.  Benefits of this program are:

  • SAQ wizard to guide them through identifying and completing the correct SAQ.
  • Setting up and performing a network vulnerability scan if needed.
  • Online help tools
  • 24/7 call center support
  • 24/7 email support
  • Monthly vulnerability scans for up to 6 IP addresses
  • Unlimited on-demand scans (merchant initiated)
  • Free Trustkeeper Agent for up to 3 computers/devices (application to help monitor compliance details of your network; available via download)
  • Free first year OV SSL certificate
  • Automatic delivery of compliance documentation to CyberSource





