PCI Compliance 101

This document provides an overview of PCI Compliance, what it is, and what merchants are required to do to remain compliant when processing card payments.

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements backed by the major card brands (Visa, Mastercard, American Express, Discover) to protect cardholder data. PCI compliance is mandatory for all merchants that accept, transmit, or store card data. Any merchant with an active card-processing MID is required to complete PCI validation, even if they primarily process ACH payments.

Merchants must become PCI compliant within 90 days of enrollment in PCI Toolkit. Compliance is validated by completing a Self-Assessment Questionnaire (SAQ), which reviews how cardholder data is handled, including storage practices, firewall use, and password security. The SAQ must be completed annually, and successful completion generates a PCI certificate valid for one year. Some merchants are also required to complete quarterly vulnerability scans, which are valid for three months.

Merchants are typically enrolled in PCI Toolkit within one week of account activation with Stax. If compliance is not achieved within the 90-day window—or if it lapses at any point afterward—a PCI Non-Compliance Fee may be charged monthly until compliance is restored. Any monthly PCI Toolkit admin fees outlined in a merchant’s agreement begin once enrollment occurs and continue while the account remains active.


How do I become PCI Compliant?

You will be emailed a link to the SAQ approximately one week after your Stax application is approved.

Leading up to your yearly renewal, you will be emailed a monthly reminder for three months to retake your SAQ.


What happens if I don't become PCI Compliant?

If you do not complete the SAQ within 90 days of the initial email, you will be assessed a monthly fee of $50 within your typical processing fees.


What PCI DSS Is

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements backed by the major card brands (Visa, Mastercard, American Express) to protect cardholder data during processing, transmission, and storage. All businesses that handle cardholder data must comply with these standards.


Stax Level 1 PCI Compliance

Stax is a Level 1 PCI Service Provider, which is the highest level of compliance under PCI standards. This means Stax undergoes annual audits by qualified assessors to verify its security practices and data protections.


Data Protection Measures

To protect cardholder information, Stax uses:

  • End-to-end encryption: Card data is encrypted at the point of capture and never stored once a transaction is processed.

  • Tokenization: Sensitive payment data is replaced with secure tokens to prevent actual card details from being exposed.

  • Vulnerability testing: The system’s cloud architecture is continuously tested for security weaknesses.

  • Approved security protocols: Only PCI-approved and Federal Information Processing Standards (FIPS)-approved protocols are used, including exclusive use of TLS 1.3.


Customer & Merchant Protection

Stax takes data security seriously for partners, sub-merchants, and customers. As a payment facilitator, Stax supports faster onboarding while maintaining compliance safeguards.


Fraud Prevention

Fraud monitoring is an integral part of Stax’s security strategy. Systems and teams proactively watch for unauthorized transactions. Stax also runs standard verification checks, such as Know Your Customer (KYC) and Customer Identification Program (CIP) verification for merchants, helping prevent fraud and protect accounts.


GDPR Alignment

While the GDPR is a European data protection law and doesn’t directly apply to all Stax users, Stax aligns with GDPR principles where appropriate to enhance transparency and protection of cardholder data.