Credit Card Information

Hello,

Does anyone know if credit card information is held within Sage 100? We are currently going through a process to become PCI compliant and, if asked, want to make sure we are giving the correct answer.

Thanks for any information.

  • I believe with Sage 2013 credit card data is no longer stored in Sage 100.  It is stored in your Merchant Cloud Vault. 

  • in reply to StefanouM

    Thanks much!!!

  • in reply to Bob@TED

    Although Sage no longer stores the credit card information, some users will enter it into different fields in Customer Maintenance, such as the Comment field even though we tell them to NEVER do that!!

  • in reply to sued2

    Can you tell me where I can get verification of a certificate of PCI compliance for Sage 100?

  • in reply to Bob@TED

    If you are not using a 3rd party CC provider, the Sage 100 vault (v2013+) would be Paya (formerly known as Sage Payment Solutions).

    https://support.paya.com/44518-pci-compliance

    Any version prior to v2013 is not PCI compliant.

  • in reply to Bob@TED

    Paya will not allow you to be PCI compliant, even using Sage 100, unless you follow VERY stringent guidelines for your network and your PCs. It does NOT matter if all your credit card data is in the Vault with Paya.

    We are charged a "PCI Non-Compliance Fee" EVERY SINGLE MONTH by Paya and we cannot get rid of it. Unless we are a Fortune 500 company with extreme security protocols, we will never get rid of this monthly charge. We are only a small business.

  • in reply to Sage100User

    PCI Non-Compliance Fee means you did not go through the Certification process for PCI Compliance. They partner with another group (I think it is now Aperia) to certify compliance, and if you never do it or your answers to the questions make you non-compliant, then you get the fee. If you choose to do your compliance with another company you will have to provide Paya the certificate of Validation, I believe, to have any fee removed. This process is annual and must be done each year.

    How do I ensure my Business is PCI Compliant with Aperia? - Paya

    Most small businesses can do what I call the Self Cert. Larger companies require PCI compliance processes to be reviewed and audited by a 3rd party and can't self-certify. Compliance isn't just software, it is procedures as well, which is why you can't just say my software is compliant. At the end of the process you will have a certificate of Validation and attestation of Compliance that you can download. If you have issues through this process you can chat with Aperia to get clarification.

  • in reply to T-Man

    If you choose to do your compliance with another company you will have to provide Paya the certificate of Validation, I believe, to have any fee removed.

    We paid to do our PCI Compliance with another company and they issued us a certificate. We took that to Paya and Paya said it wasn't valid for them. I went back to the original company and they said there was nothing wrong with what they issued. I went back to Paya again and they refused to accept it. So I got nowhere with that and was out money in the process.

  • in reply to Sage100User

    Thanks all for the information, but we decided to get away from Paya. For one, their support stinks, and from what I have seen there are not many security options through the portal that we can change on our own to help mitigate fraudulent activity.

  • in reply to Sage100User

    I am surprised that if you show that you are compliant that they would not accept it. Are they telling you that only the partner they use for compliance is acceptable? It sounds like this should be able to be raised up the chain. How far did you take it? I would agree that if you have a cert from another group, as long as you have gone through the motions and signed off on a cert showing you follow compliance, then they should remove the additional fee.