Payment Security

Attestation of Compliance, SAQ A, Version 3.0

Part 1a. Qualified Security Assessor Company Information (if applicable)


Part 2. Merchant Organization Information

Company Name: Bathe Happy
DBA(s): Bathe Happy

Contact Name: Heather Cox

Title: Company Representative
Email: admin@bathehappy.com

Telephone: (903) 689-2912

Business Address: 5114 Balcones Woods Dr., Ste. 307-397
City: Austin

State: TX

Zip: 78759
Country: US
URL: www.bathehappy.com

Part 2a: Relationships

Does your company have a relationship with one or more third-party agents (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)?

Does your company have a relationship with more than one acquirer?

Part 2c. Eligibility to Complete SAQ A

Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because:

YES - Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handle these functions;

YES - The third party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant;

YES - Merchant does not store any cardholder data in electronic format; and

YES - If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.

Part 3. PCI DSS Validation

Based on the results noted in the SAQ A dated 2015-04-05, the merchant asserts the following compliance status (check one):

YES - Compliant: All sections of the PCI SAQ are complete, and all questions are answered yes, resulting in an overall COMPLIANT rating; thereby Bathe Happy has demonstrated full compliance with the PCI DSS.

NO - Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered no, resulting in an overall NON-COMPLIANT rating; thereby Bathe Happy has not demonstrated full compliance with the PCI DSS.

Target Date for Compliance: N/A

Part 3a. Confirmation of Compliant Status

Merchant confirms:

YES - PCI DSS Self-Assessment Questionnaire A, Version 3.0, was completed according to the instructions therein.

YES - All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.

YES - I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

Part 3b. Merchant Acknowledgement

Signature of Merchant Executive Officer: /s/ Heather Cox
Date: 2015-04-05

Merchant Executive Officer Name: Heather Cox

Title: Company Representative

Merchant Company Represented: Bathe Happy

Part 4. Action Plan for Non-Compliant Status


Self-Assessment Questionnaire A

Date of Completion: 2015-04-05

9.6: Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, media refers to all paper and electronic media containing cardholder data. YES

9.7: Is strict control maintained over the internal or external distribution of any kind of media? Do controls include the following: YES

9.7.1: Is media classified so the sensitivity of the data can be determined? YES

9.7.2: Is media sent by secured courier or other delivery method that can be accurately tracked? YES

9.8: Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)? YES

9.9: Is strict control maintained over the storage and accessibility of media? YES

9.10: Is all media destroyed when it is no longer needed for business or legal reasons? Is destruction performed as follows: YES

9.10.1: (a) Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? (b) Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a to-be-shredded container has a lock preventing access to its contents.) YES

12.8: If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows: YES

12.8.1: Is a list of service providers maintained? YES

12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess? YES

12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement? YES

12.8.4: Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? YES


