Payment Application - Data Security Standard (PA-DSS)
Secure payment applications, when implemented into a PCI DSS-compliant environment, will help to minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches.
With this in mind, it is important to know who is involved with PA-DSS and the responsibilities of each. Key roles from a merchant's standpoint include:
Payment Brands
American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. are the payment brands that founded the PCI SSC (Security Standards Council). These payment brands are responsible for developing and enforcing any programs related to PA-DSS compliance, including, but not limited to, the following:
- Any requirements, mandates, or dates for use of PA-DSS compliant payment applications
- Any fines or penalties related to use of non-compliant payment applications
The payment brands may define compliance programs, mandates, dates, etc. using PA-DSS and the validated payment applications listed by PCI SSC. Through these compliance programs, the payment brands promote use of the listed validated payment applications.
On January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. The latest mandate states that "Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications by July 1, 2010."
Payment Card Industry Security Standards Council (PCI SSC)
The PCI SSC is the standards body that maintains the payment card industry standards, including the PCI-DSS and PA-DSS. In relation to PA-DSS, the PCI SSC:
- Is a centralized repository for PA-DSS Reports of Validation (ROVs)
- Performs Quality Assurance (QA) reviews of PA-DSS ROVs to confirm report consistency and quality
- Lists PA-DSS validated payment applications on the Website
- Qualifies and trains PA-QSAs to perform PA-DSS reviews
- Maintains and updates the PA-DSS standard and related documentation according to a standards lifecycle management process
Note that PCI SSC does not approve reports from a validation perspective. The role of the PA-QSA is to document the payment application's compliance with the PA-DSS as of the date of the assessment. As the July 1, 2010 mandate is Visa's, Visa reviews and approves the reports submitted by the PA-QSAs.
Additionally, PCI SSC performs QA to assure that the PA-QSAs accurately and thoroughly document PA-DSS assessments.
Payment Application Qualified Security Assessors (PA-QSA)
PA-QSAs are QSAs that have been qualified and trained by the PCI SSC to perform PA-DSS reviews. NOTE: Not all QSAs are PA-QSAs. PA-QSAs are responsible for:
- Performing assessments on payment applications in accordance with the Security Assessment Procedures and the PA-QSA Validation Requirements
- Providing an opinion regarding whether the payment application meets PA-DSS requirements
- Providing adequate documentation within the Report on Validation (ROV) to demonstrate the payment application's compliance to the PA-DSS
- Submitting the ROV to the PCI SSC along with the Attestation of Validation (signed by both the PA-QSA and vendor)
- Maintaining an internal quality assurance process for their PA-QSA efforts
It is the PA-QSA's responsibility to state whether the payment application has achieved compliance. PCI SSC does not approve ROVs from a technical compliance perspective, but performs QA (quality assurance) reviews on the ROVs to assure that the reports adequately document the demonstration of compliance.
Merchants
Customers are merchants, service providers, or others who buy or receive a third-party payment application to store, process, or transmit cardholder data as part of the authorizing or settling of payment transactions. Customers who want to use applications that are compliant with PA-DSS are responsible for:
- Implementing a PA-DSS-compliant payment application into a PCI DSS-compliant environment
- Configuring the payment application (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor
- Configuring the payment application in a PCI DSS-compliant manner
- Maintaining the PCI DSS-compliant status for both the environment and the payment application configuration
Sage Exchange and PA-DSS
Although Sage Exchange was designed to be more than just a PA-DSS certified application, its integration with select Sage North America software products was certainly timely.
Sage Payment Solutions enlisted Trustwave in the role of PA-QSA to review and certify the payment application, and Sage Exchange's listing can be found (along with a list of all other currently listed PA-DSS validated payment applications) on the PCI Council website: https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html.
You can also download the Sage Exchange Implementation Guide, available in PDF format.
Sage North America PA-DSS Compliant Software
The following is a list of compliant Sage North America software, including those that are compliant only after running the scrub utility:
- Sage DacEasy v2011
- Sage Peachtree v2012, v2011
- Sage BusinessVision v2011 SP1
- Sage ERP X3 v6.x, 5.5, 5.4 and 5.3
- Sage Fundraising 50 v8.2
- Sage Fundraising 100 v7.1
- Sage Fundraising 100/Rainbow Edition v7.1
- Sage Intergy v6
- Sage Medical Manager v11.00.04
- Sage Millennium v7.9
- Sage Pro ERP v2011, 2010, v7.5
- Sage Simply Accounting v2011, 2010 release C
- Sage Timeslips v2011