| Scoping Question | Client Response (Kindly be as detailed as possible) | Assessor/Implementer Notes |
|---|---|---|
| **Cardholder Data Environment (CDE) Identification** | | |
| Do you store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD)? | No. We do not store, process, or transmit CHD or SAD. All payment handling is done by Paystack (PCI DSS Level 1 validated). We only receive non-sensitive transaction references and tokens. | Confirmed. Ikigai has no direct CHD handling. Fully outsourced model supports SAQ A eligibility. |
| Where is CHD stored within your environment, and what is the business or technical justification for retaining it? | Nowhere. CHD is not stored in our environment. Paystack handles all storage. We have no business justification to store CHD. | Verified. No CHD storage eliminates major scoping burden. Key requirement for SAQ A. |
| What systems, applications, and databases handle CHD or SAD? | None. Our systems (website, database, servers) only process transaction IDs and order data, never raw CHD or SAD. | Confirmed. No systems in scope for CHD handling. Only token/transaction data flows internally. |
| Do you use tokenization, encryption, or truncation to reduce CHD exposure? | Yes, indirectly. Paystack provides tokens after each transaction. We store these tokens for reconciliation and order matching, not the actual CHD. | Good practice. Tokens are not considered CHD. This further reduces scope and risk. |
| Where is CHD captured (e.g., POS terminals, web applications, IVR, call centers)? | On Paystack's hosted page only. Customers enter CHD directly on Paystack's secure checkout page via redirect. No CHD capture occurs on Ikigai's website or systems. | Verified. CHD capture happens entirely within Paystack's PCI DSS validated environment. |
| Do you have any storage of SAD (e.g., full track data, CVV, PIN blocks)? | No. We never receive or store SAD. Paystack does not send CVV or track data to us, only transaction status and tokens. | Confirmed. No SAD storage. This would immediately disqualify SAQ A if present. |
| If SAD is stored after authorization, please explain why. | N/A. Not applicable. We do not store SAD at any time. | Noted. No further action required. |
| **Data Flow Mapping** | | |
| Can you provide a data flow diagram showing how CHD moves through your environment? | Yes. Customer → Ikigai website → Redirect to Paystack → Paystack processes CHD → Paystack sends token to Ikigai → Ikigai confirms order. CHD never enters our environment. | Simple flow. Diagram will show CHD stops at Paystack. Only tokens/confirmations enter Ikigai environment. No CDE exists internally. |
| Which networks, servers, and applications connect to the Cardholder Data Environment (CDE)? | None. We do not connect to Paystack's CDE. We only connect to their API endpoints via HTTPS to receive transaction status and tokens. | Confirmed. API connections are one-way and do not constitute "connecting to CDE." Paystack's CDE is isolated. |
| Are there third-party service providers in the CHD flow (payment processors, gateways)? List the third-party service providers if "yes". | Yes. Paystack (primary payment processor). They handle all CHD. | Noted. Paystack is the only third party in the CHD flow. Their valid PCI DSS AOC must be collected. |
| How is CHD transmitted (e.g., internet, wireless, VPN)? | N/A. CHD is not transmitted by us. Paystack handles transmission over encrypted channels (TLS 1.2+). | Out of scope. CHD transmission is Paystack's responsibility. Ikigai only receives tokens via HTTPS. |
| Do you use mobile devices (company-owned or BYOD) to capture, process, or access cardholder data (e.g., mobile POS, payment apps)? | No. No mobile POS, payment apps, or CHD capture via mobile devices. | Confirmed. Mobile devices not in scope. |
| Are mobile devices used by staff to remotely administer systems in the CDE? | No CDE exists. There is no internal CDE to administer. | Not applicable. |
| Do remote employees, contractors, or third parties access systems within the CDE? | No. No CDE exists. Remote staff access corporate systems (email, admin dashboard), but these do not store/process CHD. | Important distinction. Corporate systems are not CDE. Remote access controls still need review for Req 8. |
| If yes, how is that access secured (VPN, MFA, jump servers)? | N/A for CDE access. For corporate systems: Google Workspace MFA enabled for all staff. | Noted. MFA for corporate systems will be relevant for Req 8 assessment later. |
| Do you use any cloud-hosted infrastructure, platforms, or SaaS applications that store, process, or transmit CHD? | No. Our cloud infrastructure (hosting, databases, SaaS tools) only handles order data and tokens, never raw CHD. | Confirmed. Cloud providers not in CDE scope. No CHD touches these platforms. |
| If yes, which provider(s) are PCI DSS compliant? | N/A. | Not applicable. |
| **Network Segmentation & Isolation** | | |
| Have you segmented the CDE from the rest of the corporate network? | Not applicable. We do not have a CDE. All payment processing is outsourced to Paystack. Our corporate network handles only business operations (email, admin, website hosting). | Key scoping observation. No internal CDE means segmentation requirements do not apply. |
| What firewall rules or access controls enforce this segmentation? | Not applicable. No CDE exists to segment. Standard firewall protects corporate network from external threats. | Confirmed. Firewall rules are for general corporate security, not CDE segmentation. |
| Which systems are connected to or security-impacting the CDE (e.g., AD servers, logging systems, patch servers)? | None. Our systems (hosting servers, corporate laptops, Google Workspace) do not connect to or impact Paystack's CDE. | Verified. No connectivity to Paystack's CDE. API calls to Paystack are outbound-only and do not provide access to their internal systems. |
| Do any non-CDE systems have direct or indirect access to CHD? | No. Non-CDE systems (our website, database, staff devices) have no access to CHD. They only receive tokens and order confirmations. | Confirmed. Zero CHD access from any Ikigai system. This is the ideal state for SAQ A eligibility. |
| **Payment Channels & Acceptance Methods** | | |
| How do you accept payments? (In-store POS, e-commerce, mail/telephone order, mobile apps, etc.) | E-commerce only. Customers pay via our website. All payments go through Paystack's online checkout. No physical stores, POS terminals, phone orders, or mobile apps. | Simple channel. Single e-commerce channel makes scoping straightforward. No complex payment environments to assess. |
| Do you outsource any payment channels (e.g., hosted payment page, redirect, iframe)? | Yes. Fully outsourced. We use Paystack's hosted payment page via redirect. Customers leave our site, pay on Paystack, then return. | Correct SAQ A model. Redirect method ensures CHD never touches Ikigai. Iframe would also qualify if hosted by Paystack. |
| Do you use P2PE (Point-to-Point Encryption) solutions? | No. P2PE applies to physical POS terminals. We are e-commerce only. Paystack handles encryption via standard TLS. | Correct. P2PE not applicable for e-commerce SAQ A scope. |
| Do you rely on third-party service providers for payment processing, and if so, which ones? | Yes. Paystack is our sole payment processor. They handle all cardholder data and payment processing. | Single provider. Easy to manage. Need to collect Paystack's AOC and confirm their PCI DSS validated status annually. |
| **Third Parties & Outsourcing** | | |
| Which vendors or partners have access to your CDE (e.g., IT support, managed services, cloud providers)? | None. We have no internal CDE. Paystack does not provide us access to their CDE. Our IT support and cloud providers (HostAfrica, Google Workspace) only access corporate systems; no CHD present. | Clean scope. No vendors with CDE access simplifies third-party management significantly. |
| Do you validate their PCI DSS compliance (AOC, ROC, attestation)? | For Paystack: Yes. We obtain Paystack's PCI DSS AOC annually from their website or compliance team. For others: Not applicable. They do not access or impact CHD. | Good practice. Documented AOC on file for Paystack is essential evidence for SAQ A. |
| Do you have written agreements with service providers about PCI responsibilities? | Yes. Paystack's Terms of Service and our contract outline their responsibility for CHD security and PCI compliance. We do not have such agreements with other vendors as they are not in scope. | Sufficient. Standard TOS/contract acceptable. Key is ensuring Paystack acknowledges their PCI responsibility in writing. |
| **Technology & Infrastructure** | | |
| What operating systems, databases, and applications make up the CDE? | None. We do not operate a CDE. Our technology stack (Ubuntu servers, MySQL database, custom PHP application) supports the e-commerce website only; no CHD storage or processing. | Confirmed. Technology stack is completely outside CDE scope. Only order data and tokens reside here. |
| Are there wireless networks in or near the CDE? | Not applicable. No CDE exists. Our office has standard Wi-Fi for corporate devices, but these do not access or store CHD. | Out of scope. Corporate Wi-Fi not relevant for CDE scoping. |
| Do you use virtualization or cloud infrastructure for the CDE? | No. Our website is hosted on a virtual private server (HostAfrica). No CHD touches this environment. Paystack manages their own PCI-compliant cloud infrastructure. | Confirmed. Hosting provider not in scope. Paystack's infrastructure is their responsibility. |
| Are there shared services (e.g., DNS, authentication, backups) touching both CDE and non-CDE networks? | No. No shared services. Our DNS, Google Workspace authentication, and backups are for corporate use only. Paystack manages their own separate services. | Clean separation. No shared services reduces risk of CDE contamination. Ideal for SAQ A. |
| **Business & Organizational Context** | | |
| What business units, departments, or teams handle cardholder data? | None. No department handles CHD. Finance team accesses transaction reports (tokens only) for reconciliation. Customer support sees order status but never CHD. | Key observation. No CHD handling by any team. This is critical for maintaining SAQ A eligibility. |
| Approximately how many payment card transactions does your organization process annually, across all payment channels (e.g., e-commerce, POS, mobile, mail/telephone orders)? | ~50,000 transactions annually. All are e-commerce via Paystack. No other payment channels. | Volume noted. Transaction volume does not impact SAQ A eligibility. Relevant for understanding business scale. |
| Where are payment systems physically located (offices, data centers, stores)? | No payment systems onsite. Our website is hosted in HostAfrica's data center (South Africa). No servers in our Lagos office. No physical stores. | Confirmed. Physical location irrelevant as no CHD touches Ikigai infrastructure. |
| Do call center agents handle CHD verbally or electronically? | No call center. We do not have a call center. All customer support is via email or chat. Agents do not request or receive CHD. | Good control. No phone orders eliminates major risk vector. |
| Do remote employees or contractors access systems within the CDE? | No CDE exists. Remote employees (all staff work remotely) access corporate systems (email, admin dashboard) which contain no CHD. | Important distinction. Remote access to corporate systems will be assessed under Req 8, but not as CDE access. |
| **Compliance History & Gaps** | | |
| In your last PCI DSS assessment, what was your validation level (SAQ or ROC)? | This is our first formal PCI DSS assessment. We have previously relied on Paystack's compliance but never completed our own SAQ. | Baseline established. First assessment means no historical gaps to remediate. Clean slate for SAQ A preparation. |
| Have there been changes in systems, applications, locations or business processes since the last assessment? | N/A. No prior assessment. However, we migrated from basic shared hosting to a HostAfrica VPS 6 months ago. No impact on CHD handling. | Noted change. VPS migration does not affect scope as CHD still never touches our environment. Document for awareness. |
| Have you experienced a data breach or incident that impacted scoping? | No. No data breaches, security incidents, or CHD exposure events in our history. | Clean record. No incidents simplifies scoping and reduces risk profile. |
| **In-Scope Components Summary (based on responses)** | | |
| List of In-Scope Payment Channels | E-commerce website (redirect to Paystack). This is the only channel where payments originate. The channel itself is out of scope because CHD entry happens on Paystack's domain. | Confirmed. Payment channel is the website, but CHD capture is outsourced. No CHD touches Ikigai. Channel is not part of CDE. |
| List of In-Scope Applications | None. Our applications (custom PHP e-commerce platform, MySQL database) handle order data and tokens only, no CHD. Therefore, no applications are in CDE scope. | Verified. Applications process only non-CHD data. Fully outsourced payment means no applications in CDE. |
| List of In-Scope Vendors/Service Providers | Paystack (payment processor): only vendor with CHD responsibility. HostAfrica (web hosting): not in CDE scope as no CHD touches our servers. Google Workspace (email): not in scope. | Correct. Paystack is the only vendor requiring PCI DSS validation. Their AOC must be collected annually. Others are business vendors only. |

| High-Level Risk Impact Assessment | Rating (Low/Med/High) | Justification |
|---|---|---|
| Risk of CHD Breach from Internal Systems | LOW | No CHD stored, processed, or transmitted internally. Systems handle tokens only. No internal CDE exists. Risk is minimal. |
| Risk of Non-Compliance due to Scope Creep | LOW | No connections between corporate network and any CDE. Clear separation maintained. No shared services. Scope remains tightly defined. |
| Risk of Service Provider Failure | LOW | Only one payment vendor (Paystack). They are PCI DSS Level 1 validated. AOC obtainable annually. Contract clarifies their PCI responsibility. |
| Overall Risk to Audit Readiness | LOW | Clean, simple e-commerce model with fully outsourced payment processing. No internal CDE. Ideal SAQ A profile. Minimal barriers to compliance. |
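The redirect-and-token model in the data-flow rows above keeps the scope clean only if the merchant's own code refuses to absorb anything beyond references and tokens. The following is an added example, not Ikigai's PHP application or Paystack's API: it allow-lists the fields a callback may carry and flags any PAN-like value or SAD-named field so the event is dropped and alerted on instead of written to the order database. Field names, key hints and the sample payloads are constructed for illustration.

```python
"""Allow-list filter for payment-callback payloads.

Added example, not Ikigai's PHP application or Paystack's API: the field
names and key hints below are constructed for illustration.
"""
import re
from typing import Any

# Fields the merchant needs for reconciliation and order matching (constructed).
ALLOWED_FIELDS = {"reference", "status", "amount", "currency", "token", "paid_at"}
# Key-name tokens that indicate cardholder or sensitive authentication data.
SAD_KEY_TOKENS = {"cvv", "cvc", "cvv2", "pin", "pinblock",
                  "track", "track1", "track2", "pan", "card"}
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a Luhn-valid 13-19 digit run (a probable PAN)."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group()))
               for m in _DIGIT_RUN.finditer(value))


def scrub_payload(payload: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Keep only allow-listed fields and report anything that must not be stored.

    A non-empty findings list means the callback carried data outside the
    token/reference model: drop the event and alert, do not write it to the DB.
    """
    clean: dict[str, Any] = {}
    findings: list[str] = []
    for key, value in payload.items():
        name_tokens = set(re.split(r"[^a-z0-9]+", key.lower()))
        if name_tokens & SAD_KEY_TOKENS:
            findings.append(f"SAD/CHD-named field present: {key}")
        elif isinstance(value, str) and looks_like_pan(value):
            findings.append(f"PAN-like value in field: {key}")
        elif key not in ALLOWED_FIELDS:
            findings.append(f"unexpected field dropped: {key}")
        else:
            clean[key] = value
    return clean, findings
```

Run the scrubber on every inbound callback before persistence, and treat any finding as an incident signal: it means the "tokens only" assumption behind the SAQ A scope has been violated.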