Sage has recently announced that Sage Payment Solutions is the exclusive credit card processor used to tightly integrate with Sage ERP products such as Sage 100 ERP (formerly Sage ERP MAS 90 and 200), Sage 300 ERP (formerly Sage ERP Accpac), Sage 500 (formerly Sage ERP MAS 500) and Sage ERP X3. As a result, I’ve had several conversations with channel partners, development partners, customers, prospects, Sage employees, and even customers’ bank representatives on this topic. Everyone wants to know why Sage has made the business decision to exclusively use Sage Payment Solutions and eliminate integration with other payment processors.
Sage Payment Solutions is a full-service credit card and payment processing solution provider that was acquired by Sage a little over five years ago. At the time, the credit card industry had just started to establish credit card security standards. Originally, the standards that surrounded security of cardholder data only applied to large merchants that processed huge amounts of credit card transactions. But on July 1, 2010, that changed when the PCI-DSS (Payment Card Industry Data Security Standards) were amended to state that PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data. No longer were the requirements only for the big retail players; they now applied to everyone. This means that any software application that stores credit card numbers needs to comply with those standards, as does any company that uses the software application to store or process credit cards.
Meanwhile, some Sage products for accounting and ERP had already been developed to store credit card numbers within the Sage software and merchants were already established using other credit card processors. One example is Sage 100 ERP, formerly Sage ERP MAS 90 and 200. In order for Sage 100 ERP to be Payment Application-Data Security Standard (PA-DSS) compliant, Sage was required to submit the software to a full compliance audit. This audit took over 26 months, and by the time compliance had been achieved (enter ‘Sage’ at the PCI website to view compliant versions) countless resources in development, product management, customer support, learning services, sales, and more were consumed, not to mention the cost of the auditor’s services and the fees required by the PCI council. And this was only for one of the Sage product lines – Sage has dozens of product lines that offer credit card processing in North America that were subject to the same process! Doing this for all of our products became a logistical and financial pain for Sage.
Leadership at Sage determined there had to be a better way to handle this across Sage North America. And thus Sage Exchange was born. Sage Exchange is technology that was developed by the team at Sage Payment Solutions to process credit card transactions in a way that is linked with Sage accounting and ERP applications while storing sensitive credit card data in a safe, secure vault in the cloud. Because sensitive credit card information is no longer saved in the ERP software, that software, once integrated with Sage Exchange, will no longer be subject to PA-DSS audits. This means Sage can invest the resources previously spent on audits in delivering more features and functionality that help solve our customers’ business challenges.
On the right is a graphical image of the Sage Payments Environment. In the center is the Sage Exchange Payments Hub, which connects everything to the credit card networks as depicted by the credit card images. At the bottom is your ERP system from Sage. On the left are a variety of credit card and payment capture devices, including mobile phones and the Sage Payments Virtual Terminal. Disconnected from the Sage Exchange Payments Hub, these devices are commodities. But when you connect them to the Payments Hub, information collected on the devices can flow through the Sage Exchange hub and into the ERP system. Likewise, if the ERP system isn’t connected to the Sage Exchange Payments Hub, credit card payments captured on the disconnected devices need to be manually entered into ERP, allowing for mistakes and extra work. But when the Payments Hub is connected with ERP, Sage customers gain time and cost savings by having the information captured on the various devices flow directly into ERP. And, to top it all off, the Sage Exchange portal provides an administrative dashboard and user toolset to help each merchant manage their own payments environment.
The entire Sage Exchange environment is a PCI-free zone, all delivered by Sage. If other processors or software integrators come into the environment, Sage cannot ensure that all is compliant because we would no longer control the environment. This elevates the risk of exposure to a level that is not in the best interest of our customers’ businesses. And, as PCI compliance requirements become more stringent, it will be increasingly difficult for a merchant to obtain compliance with ‘mixed and matched’ parts.
Compliance is not something that a merchant does once and then never has to do again. Rather, merchants need to either undergo a compliance audit or submit a Self-Assessment Questionnaire (SAQ) annually. Having software that meets PA-DSS compliance doesn’t mean that our merchant customers can automatically achieve compliance themselves, but it does help them to know that the software they use meets compliance standards and will help to protect their customers’ sensitive credit card information.
On to the adventure,