PCI Deadlines and Merchant Enforcement
PA-DSS and PCI-PTS Validation
Visa mandates for PA-DSS and PCI-PTS require Merchant Acquirers (credit card processors) like Sage Payment Solutions to ensure that all merchants validate to both.
Payment Application - Data Security Standard (PA-DSS)
If a merchant is storing, processing or transmitting credit card data via a software product, they must be using a PA-DSS certified software by July 1, 2010. Validation is required by all Sage Payment Solutions merchants to signify that they are either using compliant software – or are not subject to the requirement as they are not storing, processing or transmitting credit card data via a software product.
Payment Card Industry - PIN Transaction Security (PCI-PTS)
If a merchant is processing debit cards, they must be using a PCI-PTS approved device by July 1, 2010. Validation is required by all Sage Payment Solutions merchants to signify that they are either using an approved PED device – or are not subject to the requirement as they are not processing debit cards.
Annual PCI-DSS certification (based on your PCI Merchant Level) was mandated as of August 1, 2010.
Re-certification going forward will be required on the anniversary of your certification.
For new merchants joining Sage Payment Solutions, certification is required within 90 days of your approval date. Re-certification will be required annually.
Sage Payment Solutions (SPS) requires PCI-DSS certification within 90 days of your approval date.
Sage Payment Solutions understands and applauds the PCI Council and Card Associations for their continued focus on cardholder security and helping to reduce the possibility of breaches for our merchant customers. That said, the Sage Payment Solutions PCI Enforcement Policy was created to work with our merchant customers to ensure a plan for compliance is in place. The intent of the policy is not to postpone adherence to the PCI deadline requirements, without first providing a plan. The plan should detail a targeted date/milestones towards a merchants compliance if it/they cannot be achieved within the 90 days following their approval date.
As with other Merchant Acquirers (credit card processors), Sage Payment Solutions will be implementing a monthly $35 non-compliance fee to merchants who have not received their PCI-DSS certification within 90 days of their approval date. Non-compliance fees will remain in place (even if plans are provided) to incent merchants to meet their targeted date/milestones to maintain a diligent focus on meeting the targeted date.