Deploying Merchant PCI Services to a Merchant Location


In addition to providing secure equipment and configuration options for making your network PCI-compliant, Mako now offers Merchant PCI services to assist you with completing quarterly network vulnerability scans and annual Self-Assessment Questionnaire (SAQ) submissions that are necessary for demonstrating compliance.

Follow this guide to deploy Merchant PCI services to a Mako device at a distributed merchant location using the Mako Central Management System (CMS).

Your central management team should have already configured company-wide settings and templates, so that you can configure the Mako device to an approved specification.

Once the initial setup is completed, you can use Merchant PCI services to run vulnerability scans, review the configuration, and complete and file SAQs for the merchant location.

Repeat this process for each of your merchant locations.

Configure Your Company

Before deploying to merchant locations, it is greatly beneficial to have your company configured. Templates created at the company level allow you to apply approved settings to the Mako device at the merchant location.

Your central management team should have already addressed this. If not, you will need to refer to the Preparing Your Company To Deploy Merchant PCI Services How To Guide before continuing here. If you manage multiple merchant locations, the preparation guide also covers how to monitor the PCI Dashboard to ensure that all PCI-compliance activities are occurring as intended for all your merchant locations.

If you are still building your network and the Mako devices have not been registered in the Mako CMS yet, you can save time by creating a “template” Mako that is fully configured to your specifications, then copying that “template” Mako when registering each new device. See the Copy Mako documentation.

Configure the Merchant Location

After your company is configured, you are ready to configure the merchant location.

Step 1. Verify Licenses

Figure 1. Example Licenses Page

Each Mako device must have both an active PCI DSS License and an active PCI Enhanced Services License in order to access Merchant PCI services.

Licenses are often handled at the company level by your central management team. Visit the Licenses page (Fig. 1) in the Reports section to verify that both licenses have been applied to the merchant location’s Mako device. If not, contact your central management team for assistance.

Alternatively, license keys may have been provided to you for the merchant location. In that case, apply both licenses to the Mako device using the license keys provided. See the Licenses documentation for details regarding adding licenses.

After the licenses have been applied to a Mako device, you may have access to several new items in the left navigation menu of the Mako CMS that are relevant to Merchant PCI services:

  • PCI Dashboard
  • [Selected Mako] >> Configure >> Review
  • [Selected Mako] >> Configure >> PCI DSS
    • Summary
    • PCI Template
    • Vulnerability Scans
    • AP Scans
    • SAQ
  • Management >> Company >> Manage [Company Name] >> PCI DSS

The exact items available to you will depend on your user account type and access settings.

Step 2. Apply PCI Template

Figure 2. Example PCI DSS Wizard

In order to access Merchant PCI services for the merchant location, you must first apply the PCI Template to the Mako device to create an end-to-end, secure network chain in compliance with PCI DSS.

Applying the PCI Template to any Mako in your network will alter your company’s settings to require that all users have multi-factor authentication enabled. It will also alter the Mako’s settings to require multi-factor authentication for all remote VPN access.

It is likely that your company has already applied the PCI Template to the Mako device. If not, contact your central management team for assistance. Your central management team may direct you to use the PCI DSS Wizard (Fig. 2) on the PCI Template page to apply the PCI Template yourself.

Step 3. Complete SAQ Setup

Figure 3. Example Setup Tab on SAQ Page

Use the Setup tab on the SAQ page (Fig. 3) to configure SAQ settings before you create any SAQs for the merchant location. These settings are used as default values whenever you start a new SAQ using the SAQ Wizard. Applying shared Email settings, SAQ Templates, and SAQ Groups encourages consistent responses and reduces repetitive entry, minimizing the effort needed to maintain PCI-compliance. See the SAQ documentation for details.

SAQ Group

An SAQ Group is a set of related SAQ Templates and default settings for submitting SAQs.

SAQ Groups allow your company to group related SAQ Templates together, as well as to specify additional settings for submitting SAQs. For example, you may have separate groups of templates for locations using Gilbarco and for those using Verifone that loop in your appropriate compliance personnel for each of those systems.

Choose an SAQ Group from the dropdown list of your company’s groups, if desired. The default option is “Individual – No Group.”

SAQ Templates

An SAQ Template is a set of pre-filled settings and answers that reduce the need to repeat responses every time you create an SAQ.

SAQ Templates allow your company to pre-fill settings and answers to apply to multiple SAQs, eliminating the need to enter these responses every time you create an SAQ. Also, having multiple templates means your company can segment its SAQ responses. For example, you may have separate templates for locations using Gilbarco and for those using Verifone.

To apply an SAQ Template to the SAQ, check the checkbox next to its name in the list of your company’s templates. You may choose more than one template.

When multiple SAQ Templates apply to a single SAQ, the pre-filled information will be combined. In cases of conflicting values (excluding blanks), the least compliant value will be used. For example, if the first template specifies “Yes” for a requirement, and the second template specifies “Yes with CCW” for the same requirement, then the value used will be “Yes with CCW.”


This is a list of email addresses that will be copied whenever an SAQ is submitted.

Enter the first email address, then click the “Add” link. Repeat, as needed.

To remove an email address from the list, click its “X” link.

Save Button

Click the “Save” button to save these settings.

Step 4. Verify Scanning Appliance

Merchant PCI services require installation of a dedicated scanning appliance in each merchant location’s network and application of firewall settings that allow it to scan restricted zones.

Mako Networks may have already installed and configured this scanning appliance in your network. If you are not certain whether or not this has been completed for your merchant location, contact your central management team to verify.

Alternatively, your company may have elected to self-install the scanning appliances. In this case, Mako Networks will preconfigure and ship a scanning appliance to your merchant location. All you have to do is plug it into the specified port, then call Mako to confirm successful installation.

Using Merchant PCI Services

Once the merchant location is fully configured, Merchant PCI services are ready for use.

Step 1. Monitor Summary Page

Figure 4. Example Summary Page

The Summary page (Fig. 4) displays a PCI DSS compliance summary for the selected Mako. Here you can see at a glance whether or not you need to take any actions to maintain compliance for your merchant location.

Step 2. Run Quarterly Vulnerability Scans

Figure 5. Example Vulnerability Scans Page

Each merchant location must pass quarterly network vulnerability scans to be PCI-compliant. See the Vulnerability Scans documentation for details.

Step 3. Review Configuration Every Six Months

Figure 6. Review Configuration Form

Each merchant location must review their Mako’s configuration at least once every six months to be PCI-compliant. See the Configuration Review documentation for details.

Step 4. Create and File Annual SAQ

Figure 7. Example SAQ Page

Each merchant location must submit an annual SAQ to be PCI-compliant. See the SAQ documentation for details.

Was this post helpful?
Please let us know if this helped you find answers.