PCI Deadlines and Merchant Enforcement
PA-DSS and PCI-PTS Validation
Visa mandates for PA-DSS and PCI-PTS require Merchant Acquirers (credit card processors) like Sage Payment Solutions to ensure that all merchants validate to both.
Payment Application - Data Security Standard (PA-DSS)
If a merchant is storing, processing or transmitting credit card data via a software product, they must be using PA-DSS certified software by July 1, 2010. Validation is required of all Sage Payment Solutions merchants to signify that they are either using compliant software or are not subject to the requirement because they are not storing, processing or transmitting credit card data via a software product.
Payment Card Industry - PIN Transaction Security (PCI-PTS)
If a merchant is processing debit cards, they must be using a PCI-PTS approved device by July 1, 2010. Validation is required of all Sage Payment Solutions merchants to signify that they are either using an approved PED device or are not subject to the requirement because they are not processing debit cards.
Annual PCI-DSS certification (based on your PCI Merchant Level) is required and must be completed by August 1, 2010.
Re-certification going forward will be required on the anniversary of your certification. For all Sage Payment Solutions merchants certifying by August 1st, that anniversary date will be August 1st each year.
For new merchants joining Sage Payment Solutions, certification is required within 90 days. Re-certification will be required on the first of the month following the anniversary of the 90-day original certification date.
Sage Payment Solutions (SPS) requires PCI-DSS certification on or before August 1, 2010 for those merchants that received notification of the need to certify by that date. SPS has varying deadlines depending on when merchant accounts were opened.
Sage Payment Solutions understands and applauds the PCI Council and Card Associations for their continued focus on cardholder security and on helping to reduce the possibility of breaches for our merchant customers. That said, the Sage Payment Solutions PCI Enforcement Policy was created to work with our merchant customers to ensure a plan for compliance is in place. The intent of the policy is not to allow adherence to the PCI deadline requirements to be postponed without a plan first being provided. The plan should detail a targeted date/milestones towards a merchant's compliance if compliance cannot be achieved by August 1, 2010.
As with other Merchant Acquirers (credit card processors), Sage Payment Solutions will be implementing a monthly $15 non-compliance fee for merchants who have not received their PCI-DSS certification by August 1st. Non-compliance fees will remain in place (even if plans are provided) to incent merchants to maintain a diligent focus on meeting their targeted date/milestones.