PCI for Online Ordering
Most online ordering compliance steps for PCI take just 10-15 min.
Introduction
What is PCI?
Payment Card Industry Data Security Standards (PCI DSS) compliance is mandated by credit card companies and the payment network to ensure the security of credit card transactions and cardholder data. It exists to protect cardholders from having their sensitive card data stolen and subsequently used without their consent.
Are we required to complete this?
Even if you do not actively accept card payments, this PCI questionnaire is required.
What is the benefit or cost?
PCI questionnaires that are left uncompleted are fined by the card network and processor. The current processor fee is $39.95/mo. This fee is $0 with a completed PCI questionnaire.
Overview
This guide will assist you with the login and profile questions for your business. This form will not provide answers to the questionnaire and only the merchant can complete the questionnaire. We are not authorized to complete this questionnaire for you and this is not legal or compliance advice.
Step-by-Step PCI Guide:
Step 1 - Log in to MX Merchant
- Click the link in the email from noreply@mxmerchant.com or go to www.mxmerchant.com
- Log in using your existing username and password.
You must use the Google Chrome web browser. Other web browsers are not fully supported for all features and may cause technical issues.
If you forgot your password, click the "Forgot Password" link to have a reset process emailed to you.
If you forgot your username or are having another issue/error, please contact us for assistance.
If you do not have credentials for mxmerchant.com, please contact us for assistance.
Step 2 - Select Business Merchant ID
Please note: Many merchants have both an in-person, “Brick & Mortar” account as well as an online, “e-Commerce” account. Ensure you have the proper account selected before you begin.
If you have more than one ID/location, verify you are connected to the right account. You may have to edit your "Location".
- To do this, select the in the top right-hand corner.
- Select "Edit" next to "Location". A pop-up will appear. Search for the correct location by name.
- Select the checkbox next to the correct location and hit "Save".
Step 3 - Enable PCI Application
Sysnet is a third-party PCI Compliance vendor that supports the PCI compliance process on behalf of payment processors.
- An activation confirmation message will appear. Select "OK".
A green bar will appear at the top of your web browser window confirming the app has successfully been activated.
On the app, you should now see the button where the button was before. This means the app is now activated.
Step 4 - Create Your Account
The application has been activated, but you must create an account. For security, you will be required to re-login after creating your account for the first time.
Hover over the Sysnet app with your mouse:
Click . You will be redirected to a webpage at https://pciprotection.com.
- Create a username and password by selecting "Register" and following the prompts.
A pop-up confirming you are integrating your compliance into your online portal will appear.
- Select "Allow".
You will be redirected back to the "Apps" page of your MX Merchant account.
Like before, hover over the Sysnet app with your mouse. Click .
Alternatively, you can navigate to: pciprotection.com.
Step 5 - Complete Your Compliance
Your dashboard will show “Not compliant” and three boxes for:
- Your Business Profile
- Be Scan Compliant
- Complete Security Assessment
Step 6 - Business Profile: SAQ-A
Correctly answering the business profile is critical. The wrong profile will alter your Security Assessment and make it inaccurate.
The following outlines the questions for a business profile of SAQ-A. This is PCI DSS' simplest classification and applies to customers that are using online ordering.
If you are using an on-premise payment terminal such as a card reader or point-of-sale that is connected to your online ordering merchant ID (MID), this SAQ-A will not apply to you. Please contact us for assistance.
- Complete the SAQ-A Business Profile Q&A:
Q. Does your organization provide payment related services, have access to credit card information for another company's customers, or provide services that could impact the security of credit card information for another organization?
A. No
Q. Select your processing method:
A. Check "Pay by Link"
Q. Your Pay By Link solution provider
If you are on Sail:
A. MX Merchant Gateway
If you are on Focus:
A. Authorize.net Gateway
Q. Does your business electronically store credit card numbers?
A. No
Do not keep credit card information in electronic files unless you have a compelling business reason to store the information. In most cases, you will reduce the level of effort required to comply with the PCI standard if you do not electronically store credit card numbers after authorization.
Q. Do you agree with the above statements?
A. Yes
Q. Your company policy for information security
A. I already have an Information Security Policy in place that covers ALL of the relevant clauses of the Payment Card Industry Data Security Standard (PCI DSS)
Q. All media (electronic and hard copy) is physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes), as listed below:
A. Yes
Q. All of the proper controls are in place as listed, to ensure that only those who need access are granted such access:
A. Yes
Q. All requirements involving service providers, as listed, are being met
A. Yes
Q. All password standards are followed as listed
A. Yes
Q. All software and related system components are kept patched and updated, as listed, in order to provide protection from attack:
A. Yes
Q. Do you enforce a minimum password length of seven characters, containing both numeric and alphabetic characters, for user accounts on all POS devices, computers and systems in your business?
A. Yes
- You will be asked to validate your questions on an "Eligibility" Page. Your Eligibility should be assigned the "SAQ-A" type. If it is not, then there is an error with the Business Profile answers submitted.
If the resulting SAQ bullet points do not match your business, please contact us for assistance.
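The last Business Profile question asks whether a minimum password length of seven characters with both alphabetic and numeric characters is enforced on every POS device, computer and system. The check below is an added example (not part of this guide or of the MX Merchant / Sysnet software) of how that rule can be enforced at the point where a password is set, so the answer "Yes" is backed by an actual control rather than an intention. The sample passwords are constructed for illustration and are not real credentials; the threshold is a named constant so a stricter local policy can be applied without changing the check.

```python
from typing import Dict, List

# Policy as stated in the SAQ-A question on this page: at least seven characters,
# containing both alphabetic and numeric characters. Raise MIN_LENGTH if your own
# policy is stricter; the character-class rule is unchanged.
MIN_LENGTH = 7


def check_password(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means the password is acceptable. Returning reasons rather than a
    bare bool lets the caller tell the user what to fix when the password is rejected.
    """
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # str.isalpha / str.isdigit accept Unicode letters and digits, which is fine for
    # a minimum-complexity rule; tighten with .isascii() if the system requires ASCII.
    if not any(ch.isalpha() for ch in password):
        problems.append("contains no alphabetic character")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no numeric character")
    return problems


def password_meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True when the candidate password has no policy violations."""
    return not check_password(password, min_length)


# Constructed sample candidates (not real credentials) with the expected verdict.
SAMPLES: Dict[str, bool] = {
    "abc1234": True,      # 7 chars, letters and a digit
    "Str0ngPass": True,   # longer, mixed letters and a digit
    "abcdefg": False,     # long enough but no digit
    "1234567": False,     # long enough but no letter
    "ab12": False,        # letters and digits but too short
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample password and return its verdict keyed by the password."""
    return {pw: password_meets_policy(pw) for pw in SAMPLES}


if __name__ == "__main__":
    for pw, ok in run_samples().items():
        reasons = check_password(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + ', '.join(reasons)}")
```

Wire `check_password` into whatever sets or changes passwords (a POS admin console, a staff account form, an operating-system password hook) so that a rejected password never reaches storage; the list of reasons is what you show the user.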
Step 7 - Security Assessment
Complete the "Security Assessment" by answering all questions accurately and honestly.
The questionnaire CANNOT be passed without answering "yes" to all questions. There is a dropdown at the top of the page to filter questions which have not been answered "yes". If you require additional information to support these questions, the PCI Protection website includes a support line (which is not INGAGE) that can assist you.
The basic SAQ-A profile means that your business does not directly handle cardholder data or Sensitive Authentication Data (SAD), so the Security Assessment may include questions that do not apply to you. If you select "N/A" on an answer, it will require a short response. A simple response such as "This does not apply to us" will suffice.
Step 8 - Download Attestation of Compliance
A green checkmark with "You're Compliant" should appear. You may download a copy of your compliance certificate by selecting "DOWNLOAD AOC" (Attestation of Compliance).
If the above Business Profile resulted in your SAQ-A classification, then the "Scan" section, which first appeared in the middle of the page, should no longer be visible, as it does not apply to you. If you are still required to complete the scan after successfully completing the business profile and self-assessment as described above, please contact us for assistance.
There are no further steps: Congratulations on completing your PCI attestation!