Overview of PCI Compliance

An overview of PCI and what merchants can expect when going through the process.


Merchants must ensure their equipment, networks, and employees meet the PCI security standard. PCI Compliance is not optional; the card brands require it of all merchants. If the merchant does not become compliant within 90 days of being enrolled in PCI Toolkit, they will be charged the PCI Non-Compliance Fee monthly until they become compliant.

What happens if I am not PCI Compliant?

Merchants have 90 days from when their new merchant account is APPROVED with Stax to become PCI compliant.

After 90 days, merchants who fail to meet the PCI Data Security Standard (DSS) are subject to a non-compliance fee of up to $79.99 from the major card companies.

How do I become PCI Compliant?

Stax is a Level 1 PCI Service Provider. Level 1 is the highest level of compliance available, and we adhere to industry-leading PCI standards. For a merchant to become PCI compliant, the following steps need to be taken in the PCI Portal (varies depending on the processor):

  1. Complete your Business Profile
  2. Complete the Annual PCI Questionnaire
  3. Set up Quarterly Vulnerability Scanning (only required for card present processing)

What is a vulnerability scan?

  • Vulnerability scans assess the security of a website by checking that all of its security certificates are current and not expired.
  • Vulnerability scans assess the security of your network by examining which ports on your internet router are open and which are closed (the exposed ports largely determine how strong your network's security posture is).
  • Merchants processing over the Internet (network) with a credit card machine or a shopping cart require vulnerability scans. It is important to ensure your networks are as secure as possible.
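The two things the bullets above say a scan looks at, exposed ports and certificate validity, can be rehearsed by the merchant before the quarterly scan runs. The script below is an added example, not code from this Stax article or from any PCI scanning vendor. It parses listening sockets from a constructed sample of `ss -tln` output and reports any non-loopback port that is not on an assumed allowlist, and it reads a certificate's `notAfter` line in the format `openssl x509 -noout -enddate` prints and classifies it as ok, expiring, or expired against a reference date. The allowlist, the sample socket listing, and the sample expiry date are all assumptions constructed for the example.

```python
"""Pre-scan self-check (added example; not Stax, PCI SSC, or scan-vendor code).

Rehearses the two checks the article attributes to a vulnerability scan:
which ports are listening on non-loopback addresses, and certificate expiry.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `ss -tln` output (listening TCP sockets on a host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       50      0.0.0.0:8080         0.0.0.0:*
"""

# Assumed allowlist: the only port the merchant intends to expose publicly.
EXPECTED_PUBLIC_PORTS = {443}

# Matches "LISTEN <recv-q> <send-q> <address>:<port> " and captures address and port.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

# Format of the value in the `notAfter=...` line from `openssl x509 -noout -enddate`.
ENDDATE_FMT = "%b %d %H:%M:%S %Y %Z"


def utc(year, month, day):
    """Build a timezone-aware UTC datetime (used as the reference 'now')."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_listening_ports(ss_output):
    """Return the set of (local_address, port) pairs for every LISTEN line."""
    listeners = set()
    for line in ss_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.add((match.group(1), int(match.group(2))))
    return listeners


def is_loopback(address):
    """True for binds that are only reachable from the host itself."""
    return address.startswith("127.") or address in ("[::1]", "::1")


def unexpected_public_ports(ss_output, expected=EXPECTED_PUBLIC_PORTS):
    """Sorted list of non-loopback listening ports that are not on the allowlist."""
    return sorted({port for addr, port in parse_listening_ports(ss_output)
                   if not is_loopback(addr) and port not in expected})


def parse_enddate(enddate_line):
    """Parse 'notAfter=Jan 10 12:00:00 2025 GMT' into an aware UTC datetime."""
    value = enddate_line.split("=", 1)[1].strip()
    return datetime.strptime(value, ENDDATE_FMT).replace(tzinfo=timezone.utc)


def cert_status(enddate_line, now, warn_days=30):
    """Classify the certificate as 'expired', 'expiring' (within warn_days) or 'ok'."""
    not_after = parse_enddate(enddate_line)
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def self_check(ss_output, enddate_line, now):
    """Run both checks and return the findings a scan would be expected to raise."""
    findings = []
    for port in unexpected_public_ports(ss_output):
        findings.append(f"unexpected listening port {port} on a non-loopback address")
    status = cert_status(enddate_line, now)
    if status != "ok":
        findings.append(f"certificate {status} ({enddate_line.strip()})")
    return findings


if __name__ == "__main__":
    # Constructed expiry line; replace with real `openssl x509 -noout -enddate` output.
    sample_enddate = "notAfter=Jan 10 12:00:00 2025 GMT"
    for finding in self_check(SAMPLE_SS_OUTPUT, sample_enddate, datetime.now(timezone.utc)):
        print("FINDING:", finding)
```

Run against the sample data, the port check flags 22 and 8080 (443 is allowed and the database on 127.0.0.1:5432 is loopback-only), which is the kind of exposure a merchant would want to close or justify before the scheduled scan rather than after a failure email. The certificate check is deliberately date-driven so it can be run on a schedule ahead of the quarterly scan.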

Additional Resources for becoming PCI compliant


PCI by Merchant ID

To get started, follow the below instructions based on what your Merchant ID (MID) begins with.

Merchant ID starts with 631, 444, 01, or 08 (and you boarded to Stax after 1/25/24)


Your PCI compliance is completed through Conformance.

The PCI welcome email will be sent within the first week after boarding from [email protected]. Your merchant email will be the username, and you will create a password to log in to the PCI Portal.
Please contact [email protected] for assistance completing the PCI compliance.


Merchant ID starts with 631, 444, 01, or 08 (and you boarded to Stax before 1/25/24)


Your PCI compliance is completed through Sysnet.

You can call the PCI team at 888-543-4743 to get started with the questionnaire. The PCI team is available M-F, 8 am-10 pm EST.


Merchant ID 520

You can call the PCI team at 833-534-8422 for assistance starting the questionnaire or scan. The PCI team is available M-F, 8 am-10 pm EST.

If you have never logged in, select first sign-in, enter your Merchant ID (MID) and set your password. Your Merchant ID can be found on the Settings tab in Stax Pay. The questionnaire will take approximately 10 minutes to complete.


Merchant ID 5121, 5179, 5185, 5347, 5353, 4983, or 4987

You can call the PCI team at (833) 207-8338 for assistance with getting started with the questionnaire or scan.


Merchant ID 5436 or 3930

Call the PCI team at (800) 571-3928 for assistance with starting the questionnaire or scan.


Merchant ID 8739 or 5544

Anytime you need assistance completing the Self-Assessment Questionnaire (SAQ) or have questions regarding your PCI Compliance, you can contact Sysnet Support at 1-888-543-4743.

  1. Once logged into MXMerchant, navigate to Apps (at the bottom left menu).
  2. Locate the app Sysnet and select the green Activate button (located on the Sysnet icon).
  3. On the Sysnet website, create a Username and Password.
  4. After creating your credentials, you will see a pop-up asking you to allow "Priority Payment Systems to access your Sysnet account."
  5. SELECT ALLOW. This lets Sysnet and your MXMerchant account talk to each other, allowing a seamless process.
  6. Once synced, you will be directed back to MXMerchant.
  7. Go to Apps, select Sysnet, and sign in using the username and password you just created.
  8. Complete the following:
    1. Registration process with Sysnet
    2. Self-Assessment Questionnaire (SAQ)
    3. If necessary, schedule quarterly vulnerability scans.

FAQs

How do I know which questionnaire to complete to become compliant?

The PCI Security Standards Council provides a separate questionnaire for each type of product and network. Please complete the questionnaire that matches your processing style.

Completing the questionnaire produces a PCI Certificate that is valid for one year. Vulnerability scans will only be valid for three months.

Who does PCI Compliance apply to?

PCI applies to ALL organizations or merchants that accept, transmit, or store cardholder data.

We have merchants with multiple business locations. Is each location required to validate PCI Compliance?

Your Growth Manager can help you determine if each location must be validated separately. Usually, if multiple business locations process under the same Tax ID, you must only validate once for all locations.
It is worth noting that if you validate once for all locations, all locations will be subject to a “Failed Questionnaire” if the primary location fails.

What is defined as ‘cardholder’ data?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc.

What if a merchant refuses to cooperate?

PCI is not a law in itself. The standard was created by major card brands such as Visa, MasterCard, Discover, and AMEX. Merchants that do not comply with PCI will be subject to a Non-Compliance Fee and could potentially be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., if a breach should occur.

Where can I find the PCI Data Security Standards (PCI DSS)?

The Standard can be found on the PCI SSC’s website, www.pcisecuritystandards.org.

How long is PCI Compliance valid for?

Each questionnaire produces a PCI certificate for one year, and vulnerability scans are valid for three months.

What is the scan process like for our terminal merchants?

The merchant will be able to begin their scan inside the PCI Portal. They will need to retrieve their IP address to initiate the scan. After the scan is successful and validated by the merchant, they will become compliant. At this point, the scan will automatically run in the background every quarter.
If the scan ever fails, the merchant will receive an email notifying them to take action. There is no limit to the number of failed scans a merchant can have on file. If a merchant fails, they commonly implement remediation steps and scan again to complete the process successfully. If no action is taken, a failed scan can result in a merchant becoming non-compliant and billed for PCI Non-Compliance.

What if the information a merchant initially entered in their Business Profile has changed? Do they need to go through the process again?

If a merchant adds a Card Present solution after completing an SAQ C-VT for Card Not Present (CNP) processing, it is recommended that they re-profile and go through the new Self-Assessment Questionnaire (SAQ) and scan process.