What is PCI Compliance?
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. Major card companies, such as Visa, MasterCard, American Express, and Discover, are responsible for enforcing cardholder information security.
Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI security standard.
What happens if I am not compliant?
Merchants have 60 days from when their new merchant account is approved with Stax to become PCI Compliant. After 60 days, merchants are subject to a non-compliance fee of up to $79.99 from the major card companies for not complying with their security standards.
How do I become PCI Compliant?
Stax is a Level 1 PCI Service Provider. Level 1 is the highest level of compliance available, and we adhere to industry-leading PCI standards. To become PCI compliant, the following steps need to be taken:
- Complete your business profile.
- Complete the Annual PCI Questionnaire.
- Set up Quarterly Scanning (if necessary).
If your merchant ID starts with 444, 01, or 08 - Go to this website
- You can call the PCI team at 888-543-4743 to get started with the questionnaire. The PCI team is available M-F, 8 am-10 pm EST.
If your merchant ID starts with 520 - Go to this website
- You can call the PCI team at 833-534-8422 for assistance with getting started with the questionnaire or scan. The PCI team is available M-F, 8 am-10 pm EST.
- If you have never logged in before, select first sign-in, enter your Merchant ID (MID) and set your password. Your Merchant ID can be found on the Settings tab in Stax Pay. The questionnaire will take approximately 10 minutes to complete.
If your merchant ID starts with 5121, 5179, 5185, 5347, 5353, 4983, or 4987 - Go to this website
- You can call the PCI team at (866) 957-1807 for assistance with getting started with the questionnaire or scan.
If your merchant ID starts with 5436 or 3930 - Go to this website
- You can call the PCI team at (800) 571-3928 for assistance with getting started with the questionnaire or scan.
If your merchant ID starts with 8739 or 5544
Below are the steps to complete the PCI Compliance for your merchant processing account.
- Go to https://mxmerchant.com/mx6/login, click "Sign In," and enter your username and password. Please note that completing these steps on a desktop/laptop computer through Google Chrome or Mozilla Firefox is best.
- Once logged into mxmerchant.com, scroll down to "Apps" (towards the bottom of the left side menu).
- Find the application labelled Control Scan and click the green Activate button located on the Control Scan icon.
- On the ControlScan website, create a username and password.
- After entering the required information, you will see a pop-up asking for Priority Payment Systems to access your ControlScan account. MAKE SURE YOU HIT ALLOW. This will allow ControlScan and your MXMerchant account to talk to each other, allowing a much smoother process.
- Once complete, you will be directed back to MXMerchant. Navigate to Apps, hover your mouse over the ControlScan app, and click Log-In.
- You will be redirected to ControlScan.com. Enter the username and password you created in step 4 to access your ControlScan.com account.
- Complete the registration process with ControlScan.com, the SAQ Questionnaire, and (if necessary) schedule the quarterly scans. If at any time you need assistance completing the SAQ or have any questions regarding your PCI Compliance, you can contact Control Scan Support directly at 1-800-370-9180.
Additional Resources for becoming PCI compliant:
Frequently Asked Questions about PCI Compliance
How do I know which questionnaire I need to take to become compliant?
The Security Council has broken out each questionnaire by product and network. Please complete the questionnaire which best fits your processing style.
- SAQ A - Merchants whose cardholder data functions are completed outsourced to a validated third party. They do not store, process, or transmit cardholder data in electronic format on their systems or premises.
- SAQ B - Card imprinter or a physical machine processing over a phone line connection
- SAQ C - Merchants who use point-of-sale system processing over an internet connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network.
- SAQ D - Merchants who electronically store cardholder data, use a customer or proprietary payment application, or a payment application installed on a network. Requires a vulnerability scan of your network.
- SAQ EP - Merchants with an e-commerce website that does not store credit card information. Your payments are redirected to a third-party processor. Requires a vulnerability scan of your network.
- SAQ B-IP - Merchants who process using a stand-alone terminal over an IP connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network.
- SAQ C-VT - Merchants who process using a virtual terminal. You do not store any credit card information electronically.
- SAQ P2PE - Your company uses hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption solution. You do not store, process, or transmit data outside the hardware payment terminal.
Each questionnaire produces a PCI certificate that is valid for one year. Vulnerability scans will only be valid for three months.
What is a vulnerability scan?
Vulnerability scans are required for merchants processing over an internet network. Whether with a credit card machine or a shopping cart, it is important to ensure your networks are as secure as possible.
Vulnerability scans test the security of your network by skimming through the open and closed ports on your internet router. Ports dictate the security level and strength of the network. Vulnerability scans also test a website's security by ensuring all security certificates are up to date.