Hello,
Does anyone know if credit card information is held within Sage 100? We are currently going through a process to become PCI compliant, and if asked, we want to make sure we are giving the correct answer.
Thanks for any information.
PCI Non-Compliance Fee means you did not go through the Certification process for PCI Compliance. They partner with another group (I think it is now Aperia) to certify compliance and if you never do it…
If you are not using a 3rd party CC provider, the Sage 100 vault (v2013+) would be Paya (formerly known as Sage Payment Solutions).
https://support.paya.com/44518-pci-compliance
Any version prior to v2013…
Paya will not allow you to be PCI compliant, even using Sage 100, unless you follow VERY stringent guidelines for your network and your PCs. It does NOT matter if all your credit card data is in the Vault…
When they moved from Trustwave they said in their FAQ:
Can a merchant choose to remain with Trustwave directly?
While we no longer offer Trustwave as our recommended PCI solution, customers can choose to work with any Qualified Security Assessor (QSA) company.
If the other company is a QSA then it would be taken off.
This was back in March 2019 and we got PCI Certified through Security Metrics SAQ C compliance. Paya said that wasn't good enough. I went back and forth several times with no resolution so I gave up.
I have seen users set up Unified login in Sage 100 so that security was based on the logged-in user in Windows. You can then set up MFA with Windows, and since unified login is based on Windows, you can say the client logged in with MFA. Personally, I do not consider this MFA with the application, and in my humble opinion it is less secure, as the login is not challenged when going into the application, only when going into Windows.