What is PCI Compliance?
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. Major card companies such as Visa, MasterCard, American Express, and Discover, are responsible for enforcing the security of cardholder information.
Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI security standard.
How do I become PCI Compliant?
Stax by Fattmerchant is a Level 1 PCI Service Provider. Level 1 is the high level of compliance available, and we adhere to industry-leading PCI standards. To become PCI compliant, the following steps need to be taken:
- Complete business profile
- Complete Annual PCI Questionnaire
- Set up Quarterly Scanning (if necessary)
Where do I take my PCI questionnaire?
If your merchant ID starts with 444, 010, or 08 - click here. If you have never logged in before, please use the Registration email that was sent to the account owner. If you no longer have this email you can use your MID as the username and choose forgot password. Once you reset your password you can log in to complete the compliance.
Your PCI certificate will be valid for one year. After the certificate has expired, merchants must renew using the same process as above.
You can call the PCI team at (800) 370-9180 for assistance with getting started with the questionnaire.
If your merchant ID starts with 8739, 5347 or 5544 - Please see below the steps to complete the PCI Compliance for your merchant processing account.
If you Merchant ID begins with 52000 - click here. If you have never logged in before, select first sign-in, enter your Merchant ID (MID) and set your password. Your Merchant ID can be found in the settings tab in Stax Pay. The questionnaire will take approximately 10 minutes to complete.
You can call the PCI team at 833-534-8422 for assistance with getting started with the questionnaire. The PCI team is available M-F 8am-10pm EST.
Additional Resources for becoming PCI compliant:
How do I complete my business profile?
How do I know which questionnaire I need to take to become compliant?
The Security Council has broken out each questionnaire by product and networks. Please complete the questionnaire which best fits your processing style.
SAQ A - Merchants whose cardholder data functions are completed outsourced to a validated third party. They do not store, process, or transmit any cardholder data in electronic format on their systems or premises.
SAQ B - Card imprinter or a physical machine processing over a phone line connection
SAQ C - Merchants who use point of sale system processing over an internet connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network.
SAQ D - Merchants who electronically store cardholder data, use a customer or proprietary payment application, or a payment application installed on a network. Requires a vulnerability scan of your network.
SAQ EP - Merchants with an e-commerce website that do not store credit card information. Your payments are redirected to a third-party processor. Requires a vulnerability scan of your network.
SAQ B-IP - Merchants who process using a stand alone terminal over an IP connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network.
SAQ C-VT - Merchants who process using a virtual terminal. You do not store any credit card information electronically.
SAQ P2PE - Your company uses hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption solution. You do not store, process, or transmit data outside of the hardware payment terminal.
Each questionnaire produces a PCI certificate that is valid for one year. Vulnerability scans will only be valid for three months.
What is a vulnerability scan?
Vulnerability scans are required for merchants processing over an internet network. Whether it's with a credit card machine or a shopping cart, it is important to make sure your networks are as secure as possible.
Vulnerability scans test the security of your network by skimming through the ports which are open and closed on your internet router. Ports dictate the security level and strength of the network. Vulnerability scans also test a website's security by making sure all security certificates are up to date.
What happens if I am not compliant?
Merchants have 60 days from when their new merchant account is approved with Stax to become PCI Compliant. After 60 days, merchants are subject to a non-compliance fee from the major card companies for not complying with their security standards.
If you have any questions or need further support with becoming PCI Compliant, please reach out to the Stax support team at 855-550-3288.