No, the PCI Security Standards Council does not replace the individual brands' compliance programs. The individual participating payment brands (Visa, MasterCard, etc.) will separately determine which entities must be compliant, including any brand-specific enforcement programs.
|
In order to log into the site you must have been previously added. If you are a new customer to Sage Payment Solutions, use of the Portal to validate/certify is not required for 90 days. If it has been 90 days, or you are a long-standing Sage Payment Solutions customer, please contact 1-800-261-0240 and ask to speak to a Compliance representative, or you may contact a Compliance representative via email at pcicompliance@sagepayments.com.
|
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, it is recommended that you contact your Merchant Acquirer (credit card processor).
For more information regarding the PCI security standards and supporting documentation, including the "Navigating the PCI DSS" as well as targeted Self Assessment Questionnaires to assist small and medium merchants, please visit the PCI SSC website at: www.pcisecuritystandards.org.
|
PCI DSS is the standard for merchants and service providers to protect cardholder data. The PA-DSS and PTS (formerly PED) device security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council certified payment applications and PTS devices to further cardholder data security. PA-DSS and PTS are not merchant initiatives. Rather, they are geared toward the application providers and PTS device manufacturers who must submit their applications and devices for testing against the standards. That said, merchants that utilize these applications and PTS devices must validate that they are using certified applications/approved devices when asked to do so by their Merchant Acquirer (credit card processor).
|
Scans can take 30 minutes to 1 1/2 hours, depending on where you are in the queue when you request the scan.
|
During your self assessment, Trustwave will give you the ability to download sample policies and procedures to use for your company. The exception is SAQ D merchants, whose infrastructures are more complex and for which customized policies and procedures that address that complexity are required. For these, the merchant can customize their own or hire Trustwave or another QSA to create the policies and procedures for them.
|
During your self assessment, Trustwave will give you the ability to download sample policies and procedures to use for your company.
|
Anyone that stores, processes or transmits credit card data is subject to some form of certification with respect to PCI. Your customers' credit card information is being entered into an external website (whether by you or your customers), and as the merchant you are ultimately responsible for ensuring the data is handled safely. Fortunately, PCI has requirements in place that also extend to the companies that run these external websites (Service Providers), and they too must receive certification. As you complete your PCI DSS Self Assessment Questionnaire (SAQ), it should ask you whether you have validated that the Service Provider you chose is PCI compliant. With an entirely hosted (SaaS-based) application, that means the provider would have achieved PCI DSS Service Provider Level 1 or Level 2 certification. Level 1 certifications can be verified online with Visa or MasterCard. Level 2 Service Providers must submit their application through a Level 1 Service Provider to Visa and MasterCard, but should have some confirmation from either the Service Provider or Visa/MasterCard of their Level 2 Service Provider certification and when it expires. As a merchant, your decision to enlist the services of a 3rd party to store, process or transmit your customers' credit card data does not relieve you of the need to ensure that data is handled pursuant to the PCI DSS. The SAQ is the means by which the card brands ensure you remain engaged and are actively involved in confirming that the Service Provider receives and maintains their PCI certification.
|
It is actually commonplace for a merchant to have multiple MIDs for different terminals in their business. If the MIDs are all in the same industry (Mail Order/Telephone Order (MOTO), Retail, or e-Commerce) and are all at the same location, then yes, we can "chain" the MIDs together so that your PCI DSS Self Assessment Questionnaire covers all of them. If, however, the MIDs are for separate industries and/or multiple locations, "chaining" of the MIDs cannot be done, and separate PCI DSS SAQs must be completed for each industry and/or location. If you have multiple MIDs that meet the above criteria for chaining, please contact pcicompliance@sagepayments.com and provide the list as well as your contact information. A compliance representative will respond to you and confirm the chaining has taken place. You may also contact us at 1-800-261-0240 and ask to speak to a Compliance Representative.
|
The PCI DSS analysis is $50.00, billed on an annual basis. It will be debited with the merchant's end-of-month processing fees. The PCI DSS Certificate fee will be billed annually, beginning in the month in which recertification is required.
|
If the multiple MIDs are in the same location and the same industry (Retail, MOTO, eCommerce), we can "chain" the MIDs to a master MID, and you will only be required to pay one $50.00 fee and complete the PCI DSS SAQ once. If the MIDs are for different locations and/or different industries, the $50.00 fee must be paid for each, and the PCI DSS certification must be completed for each.
|
Yes, the merchant will have to upload their PCI DSS certificate on the Trustwave/TrustKeeper site (https://sagepayments.pci.trustwave.com).
Sage will manually validate the PCI DSS certificate and credit $40 of the $50 PCI DSS fee charged to the merchant account; the remaining $10 offsets the administrative cost of validating the certificate.
|
Yes. If you have 10 or more locations, a break will be applied based on the total volume. To qualify for the break, however, you must notify pcicompliance@sagepayments.com, provide the MIDs, and request the credit.
|
Yes, Sage has partnered with Trustwave to provide a bundled rate for this program. This fee is extremely competitive with what other processors are billing for this service. Our competitive analysis revealed annual rates from $139.00 to $250.00.
|
Yes, the requirement is for merchants to have their businesses reviewed annually to ensure compliance.
|