Stax PCI Compliance Toolkit Walkthrough


This Help Center article provides a guide for organizations working on their PCI DSS Validation with a focus on PCI Toolkit account creation and business profile. PCI Toolkit Link HERE.


Logging in for the first time

Each organization will receive an automated email from with login instructions to access the PCI toolkit. Initial access will require you to create a new password, with the email address being the user name.

Once logged in, you will see your PCI Toolkit Dashboard page with information on the next steps and a link to an informational video.

After you've received the initial welcome email, you will need to complete the questionnaire and compliance certification within 90 days in order to avoid monthly non-compliance fees from Stax.

Completing the Business Profile

You will need to complete your business profile by answering questions about how you accept payments.

Follow the 10 simple steps below to complete this:

Step 1

To get started, click the blue Next under the Step 1 Information heading, as shown below, and then enter your business information in the fields provided.

Step 2

At the bottom of this page, you will select your payment processing types. Please select "E-commerce" and "Mail order/telephone order" for all 3 questions.

Step 3

Choose the image that demonstrates the way(s) you process transactions. For this question, please only select "I have a website on which I sell goods or services and/or accept payments." This payment method best describes the Shelterpay transaction process, and none of the other options apply:

Step 4

How is your website hosted and managed? For this question, please choose "It is hosted and managed by a PCI-compliant provider":

Step 5

How is credit card data entered by customers? The payment collection is entirely handled by Stax, so please choose the second bubble:

Step 6

Do you store credit card data electronically? Please choose "No" for this question, as all payment processing and card storage is managed by Stax Payments:

Step 7

Do you process Credit Card transactions on behalf of other merchants? Please choose "No" for this question:

Step 8

Do you use payment applications such as Point of Sale software or website software to process Credit Card transactions? Please choose "No" for this question, as the payments are processed directly through Stax Payments:

Step 9

Do you share cardholder data with other companies? Please choose "No" for this question:

Step 10

Does your business use network segmentation to affect the scope of your PCI DSS environment? You may choose "No" for this question unless you are certain that your organization will implement this. If you aren't sure, then "No" is the best answer:

Completing the Self-Assessment Questionnaire (SAQ)

Once Step 1 is completed, you should receive a pop-up that confirms your business type is "SAQ A." If you are told that your SAQ type is anything other than "A," please reach out to immediately for assistance.

Then, you will be redirected to your dashboard, where you can complete your self-assessment questionnaire (SAQ):

  1. From the dashboard, click on “Next” under step 2. The number of questions is based on the questionnaire answered during step 1; it should be about 30 questions in total.
  2. When answering the questions in the Questionnaire, you may feel free to simply answer "Yes" unless you are certain that an answer should be "No." Note that if you answer "No" to any of the questions, you will have a follow-up task on your PCI dashboard to take care of that item before you can become certified as compliant.
    1. The only question where you will most likely choose "No" is the question asking if your organization currently performs regular network vulnerability scans:

      1. Selecting "No" for this question (and the question right after it) is acceptable and should not result in any follow-up tasks.
      2. If you do currently perform vulnerability scans, feel free to choose "Yes."
  3. Once the questionnaire is completed and any follow-up tasks have been completed, you will then need to attest to your compliance. To do this, click on “Click here to attest” under Step 5 on your dashboard:

Network Scan

After finishing your questionnaire, you will be required to undergo a scan of your website/network. These scans will then occur on a quarterly basis moving forward.

  1. To begin the scan, click “Next” under the column “Step 3 Scanning”:

  2. On the “Submit IP/Domain Information” screen, you will be asked to fill out the IP or website address for scanning and then click “Submit”. Select the Website Address section and enter into the text field.

  3. After scheduling a scan, the site will redirect you back to the dashboard. (As noted on the “schedule a scan” page, scanning results can take up to 24 hours to populate into the portal; however, in most scenarios, results will populate by the beginning of the following business day.)
  4. Once back at the dashboard, you can click the “Scan Info” link.

    When you click this link, PCI Toolkit will show the date the scan will be assessed and/or allow you to schedule another scan if needed.

  5. Once scan results are available, the dashboard will show if the scan has passed or failed.

  6. If the scan fails, you can click on Scan Info and get a report of the vulnerabilities needing to be addressed:

    If the scan passes, you can proceed with attesting to your compliance and obtaining your certificate.


The SAQ will need to be renewed annually, and the external vulnerability scan will need to be completed quarterly. You will receive an email notification at the email address associated with your PCI Toolkit in advance of these actions becoming due.

If any questions arise, please don't hesitate to contact us at
