PCI Compliance for Sail/EMV/Swipe
Introduction
What is PCI?
Payment Card Industry Data Security Standards (PCI DSS) compliance is mandated by credit card companies and the payment network to ensure the security of credit card transactions and cardholder data. It exists to protect cardholders from having their sensitive card data stolen and subsequently used without their consent.
Are we required to complete this?
Even if you do not actively accept card payments, this PCI questionnaire is required.
What is the benefit or cost?
PCI questionnaires that are left uncompleted and fined by the card network and processor. The current processor fee is $39.95/mo. This fee is $0 with a completed PCI questionnaire.
Overview
This guide will assist you with the login and profile questions for your business. This form will not provide answers to the questionnaire and only the merchant can complete the questionnaire. We are not authorized to complete this questionnaire for you and this is not legal or compliance advice.
Step-by-Step PCI Guide:
Step 1 - Login to MX Merchant
- Click the link in the email from noreply@mxmerchant.com or go to www.mxmerchant.com
- Login using your existing username and password.
You must use the Google Chrome web browser. Other web browsers are not fully supported for all features and may cause technical issues.
If you forgot your password, click the "Forgot Password" link to have a reset process emailed to you.
If you forgot your username or are having another issue/error, please contact us for assistance.
If you do not have credentials for mxmerchant.com, please contact us for assistance.
Step 2 - Select Business Merchant ID
Please note: Many merchants have both an in-person, “Brick & Mortar” account as well as an online, “e-Commerce” account. Ensure you have the proper account selected before you begin.
If you have more than one ID/location, verify you are connected to the right account. You may have to edit your "Location".
- To do this, select the
in the top right-hand corner. - Select "Edit" next to "Location". A pop-up will appear. Search for the correct location by name.
- Select the checkbox next to the correct location and hit "Save".
Step 3 - Enable PCI Application
- In the lefthand menu, select
. A grid layout will appear. - Navigate to the app titled "Sysnet Global Solutions". On the app, in the lower righthand corner, select
.
Sysnet is a third-party PCI Compliance vendor that supports the PCI compliance process on behalf of payment processors.
- An activation confirmation message will appear. Select "OK".
A green bar will appear at the top of your web browser window confirming the app has successfully been activated.
On the app, you should now see the 
button where the 
button was before. This means the app is now activated.
Step 4 - Create Your Account
The application has been activated, but you must create an account. For security, you will be required to re-login after creating your account for the first time.
Hover over the Sysnet app with your mouse:
Click 
. You will be redirected to a webpage at https://pciprotection.com.
- Create a username and password by selecting "Register" and following the prompts.
A pop-up confirming you are integrating your compliance into your online portal will appear. - Select "Allow".
You will be redirected back to the "Apps" page of your MX Merchant account.
Like before, hover over the Sysnet app with your mouse. Click .
Alternatively, you can navigate to: pciprotection.com.
Step 5 - Complete Your Compliance
Your dashboard will show “Not compliant” and three boxes for:
- Your Business Profile
- Be Scan Compliant
- Complete Security Assessment
You'll start with the business profile. Correctly answering the business profile is critical – if the wrong profile is selected, your security assessment or “questionnaire” will not be accurate to your business.
Step 6 - Business Profile: SAQ-C
Under "Your business profile", select "Manage".
Follow the prompts. If you are using the integrated point-of-sale, complete the following:
Q: Payment related services: Does your organization provide payment related services, have access to credit card information for another company's customers, or provide services that could impact the security of credit card information for another organization?
A: No
Q: Select Your Processing Method
A: POS Terminal
Q: Your Point-to-Point Encryption system: Is your Point-of-Sale system a PCI SSC approved Point-to-Point Encryption (P2PE) hardware solution?
A: No
Q: Does your business electronically store credit card numbers?
A: No
Q: Third Party Managed System Service Providers: Do you have relationships with one or more third-party service providers that manage system components included in the scope of this assessment, for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud provider?
A: Yes
Q: Managed system component providers: Your service providers. You can add a new one or remove if the existing one is incorrect.
A: INGAGE LLC
Q: Other Third Party Service Providers that may impact cardholder data security: Do you have relationships with one or more third-party service providers that could impact the security of the merchant’s cardholder data environment (CDE)? For example, vendors providing support via remote access, and/or bespoke software developers.
A: Yes
Q: Does your business use or allow any remote administrative access?
A: Yes
Q: Does your company have a wireless network connected to the cardholder data environment?
A: Yes
Q: Do you agree with all of the above statements?
A: Yes
Q: Your company policy for information security
A: I already have an Information Security Policy in place that covers ALL of the relevant clauses of the Payment Card Industry Data Security Standard (PCI DSS)
Q: All policies and procedures involving the identification and tracking of devices relating to the cardholder data environment, as listed below, are followed
A: Yes
Q: All of the proper controls are in place as listed, to ensure that only those who need access are granted such access:
A: Yes
Q: All of the proper encryption and communication protocols are in place, as listed, in order to protect cardholder data as necessary.
A: Yes
Q: All requirements surrounding the creation and management of network connections and configurations, as listed, are met:
A: Yes
Q: All software and related system components are kept patched and updated, as listed, in order to provide protection from attack
A: Yes
Q: There is a process to identify newly discovered security vulnerabilities as listed.
A: Yes
Q: Upon completion of a significant change, all relevant PCI DSS requirements are implemented on all new or changed systems and networks, and documentation is updated as applicable.
A: Yes
Q: All Remote access is implemented with the proper encryption and is configured to be secure as listed
A: Yes
Q: All password standards are followed as listed
A: Yes
Q: All testing involving scans and penetration testing, as listed, are being met
A: Yes
Q: All of the systems and processes are in place to meet the requirements to address attacks from viruses and malware, as listed
A: Yes
Q: All media (electronic and Hard copy) is physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes), as listed
A: Yes
Q: Appropriate facility entry controls are in place to limit and monitor physical access to systems in the cardholder data environment as listed
A: Yes
Q: All of the proper controls are in place as listed, to ensure that only those who need access are granted such access:
A: Yes
Q: Multi-factor authentication is incorporated and followed as listed below: Multi-factor authentication is incorporated and followed as listed
A: Yes
Q: All media (electronic and Hard copy) is physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes), as listed
A: Yes
Q: All requirements involving audit trails, as listed below, are being met: All requirements involving audit trails, as listed, are being met:
A: Yes
Q: All requirements involving log management and file integrity monitoring, as listed, are being met:
A: Yes
Q: All security policies, operational procedures and the implementation and use of them, as listed, are in place and being met:
A: Yes
Q: All requirements involving service providers, as listed, are being met:
A: Yes
Q: All Remote access is implemented with the proper encryption and is configured to be secure as listed
A: Yes
Q: All requirements involving the establishment and ongoing management of wireless endpoints, as listed, are being met:
A: Yes
Q: All requirements involving log management and file integrity monitoring, as listed below, are being met:
A: Yes
Q: All security policies, operational procedures and the implementation and use of them, as listed, are in place and being met:
A: Yes
Q: Password policy: Do you enforce a minimum password length of seven characters, containing both numeric and alphabetic characters, for user accounts on all POS devices, computers and systems in your business?
A: Yes
If the resulting SAQ bullet points do not match your business, please email us to review together: support@ingageipayments.com
Move on to the next step. Select the logo or "Home" button if needed.
Step 7 - PCI Scan
Under the "Be scan compliant" section, select "Manage".
Select "Schedule scan". 
Your IP address will populate in the gray bubble. If you are at the location of the business, this is the business' IP address.
If you are not at the business, you must get the local IP address from the business. This can be done via Google and searching, "What is my IP address"***
For "Scan Date", enter today's date. You can also set it
for any time in the near future.
Scans can take 24-72 hours to run.
Set "Load Balancer?" to "No".
Under "Sysnet access", check the box at the bottom and select "Schedule Scan".
Step 8 - Finish Questionnaire
Under "Complete security assessment", select "Manage".
Follow the prompts. Select "Click to start your questionnaire".
The last question requires our scan to be done and passed.
All other questions are the responsibility of the merchant and must be answered according to the business’ unique handling of processing and policies. You will receive an opportunity to change your answers at the end. Once passed, you will have a copy of your certificate available for download.
Merchants will be required to answer "yes" to all questions in order to pass! This is to certify that the questions regarding compliance and security are true for your business. Please answer honestly.
There is a toggle at the top of the page that allows you to sort your “yes” and “no” answers. This is to allow you to look through those questions that you answered “no” to, to update your business processes or policies and return to the page to mark them as “yes”.
You will not be allowed to submit your questionnaire if all answers are not marked as “yes”.
Additional help resources are available on the Sysnet website. Additionally, the phone number for Sysnet support is located on the website screen in the upper right hand corner and is available for your use. A PCI compliance expert can assist you with questionnaire answers.
Unfortunately, as your Qualified Integrator Reseller (QIR) we cannot answer these questions for you and we encourage all businesses to answer the questions thoroughly and honestly.
Step 9 - Confirm Scan and Finish Questionnaire
Sysnet will send you an email confirming your scan PASS or FAIL. It will go to the email on file (used earlier). Please check junk/spam as these emails are automated.
If your scan is a FAIL – call our support team at (612)-861-5277 or email us at support@ingageit.com. Our I.T. support group will need to review your network and scan results to assist you. You will need to follow their direction and proceed with another scan.
If your scan is a PASS – log back into Sysnet and complete the final question of the questionnaire. This is the last step for compliance for the year. You can download a copy of your compliance for your records. Congratulations on your compliance and savings.
Step 10 - Download Attestation of Compliance
A Green checkmark with "You're Compliant" should appear. You may download a copy of your compliance certificate by selecting "DOWNLOAD AOC" (Attestation of Compliance).
There are no further steps: Congratulations on completing your PCI attestation!
