PCI Compliance

What is PCI Compliance?

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. Major card companies such as Visa, MasterCard, American Express, and Discover, are responsible for enforcing the security of cardholder information. 

Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI security standard.


How do I become PCI Compliant?

Stax is a Level 1 PCI Service Provider. Level 1 is the high level of compliance available, and we adhere to industry-leading PCI standards. To become PCI compliant, the following steps need to be taken:

  1. Complete business profile
  2. Complete Annual PCI Questionnaire
  3. Set up Quarterly Scanning (if necessary)

If your merchant ID starts with 444, 01, or 08 - Go to this website

  • You can call the PCI team at 888-543-4743 for assistance with getting started with the questionnaire. The PCI team is available M-F 8am-10pm EST.

If your merchant ID starts with 520 - Go to this website

  • You can call the PCI team at 833-534-8422 for assistance with getting started with the questionnaire. The PCI team is available M-F 8am-10pm EST. 

If you have never logged in before, select first sign-in, enter your Merchant ID (MID) and set your password. Your Merchant ID can be found in the settings tab in Stax Pay. The questionnaire will take approximately 10 minutes to complete.


If your merchant ID starts with 8739, or 5544 - Please see below the steps to complete the PCI Compliance for your merchant processing account.

1. Go to https://mxmerchant.com/mx6/login then click "Sign In", then type in your username and password in order to log in to the system. Please note, it is best to complete these steps on a desktop/laptop computer through Google Chrome or Mozilla Firefox.
2. Once logged into mxmerchant.com, scroll down to "Apps" (towards the bottom of the left side menu).
3. Find the application labeled "Control Scan" and click on the green "Activate" button located on the Control Scan icon.
4. It will take you to the ControlScan website where you will need to create a username and password.
5. After the required information is entered you will see a pop-up asking for Priority Payment Systems to have access to your ControlScan account. MAKE SURE YOU HIT ALLOW. This will allow ControlScan and your MXMerchant account to talk to each other allowing a much smoother process.
6. Once complete, you will be directed back to MXMerchant. Navigate back to "Apps", hover your mouse over the "ControlScan" app, and click on "Log-In".
7. Here you will be taken back to ControlScan.com where you will type in your username and password that you created in step number 4 to access your ControlScan.com account.
8. At this point you will complete the registration process with ControlScan.com where you will be guided to begin the SAQ Questionnaire and (if necessary) schedule the quarterly scans.If at any time you need assistance completing the SAQ or have any questions regarding your PCI Compliance you can contact Control Scan Support directly at 1-800-370-9180.


Additional Resources for becoming PCI compliant:

Your guide to PCI Compliance

Frequently Asked Questions about PCI Compliance


How do I complete my business profile? 


How do I know which questionnaire I need to take to become compliant?

The Security Council has broken out each questionnaire by product and networks. Please complete the questionnaire which best fits your processing style.

SAQ A - Merchants whose cardholder data functions are completed outsourced to a validated third party. They do not store, process, or transmit any cardholder data in electronic format on their systems or premises.

SAQ B - Card imprinter or a physical machine processing over a phone line connection

SAQ C - Merchants who use point of sale system processing over an internet connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network. 

SAQ D - Merchants who electronically store cardholder data, use a customer or proprietary payment application, or a payment application installed on a network. Requires a vulnerability scan of your network. 

SAQ EP - Merchants with an e-commerce website that do not store credit card information. Your payments are redirected to a third-party processor. Requires a vulnerability scan of your network. 

SAQ B-IP - Merchants who process using a stand alone terminal over an IP connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network. 

SAQ C-VT - Merchants who process using a virtual terminal. You do not store any credit card information electronically. 

SAQ P2PE - Your company uses hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption solution. You do not store, process, or transmit data outside of the hardware payment terminal. 

Each questionnaire produces a PCI certificate that is valid for one year. Vulnerability scans will only be valid for three months. 


What is a vulnerability scan?

Vulnerability scans are required for merchants processing over an internet network. Whether it's with a credit card machine or a shopping cart, it is important to make sure your networks are as secure as possible.

Vulnerability scans test the security of your network by skimming through the ports which are open and closed on your internet router. Ports dictate the security level and strength of the network. Vulnerability scans also test a website's security by making sure all security certificates are up to date. 


What happens if I am not compliant? 

Merchants have 60 days from when their new merchant account is approved with Stax to become PCI Compliant. After 60 days, merchants are subject to a non-compliance fee from the major card companies for not complying with their security standards. 


If you have any questions or need further support with becoming PCI Compliant, please reach out to the Stax support team at 855-550-3288.