You can go to the web page and find that Sage ERP MAS 500 version 7.3 is PA-DSS compliant.
You then need to prove to the auditors that Sage ERP MAS 500 was implemented in accordance with our PA-DSS Implementation Guide: http://community.sagemas.com/t5/Installation-and-Technical/PA-DSS-Implementation-Guide-for-v7-3-Credit-Card-Processing/td-p/16235
This is all the proof the auditors require as far as Sage ERP MAS 500 is concerned.
There is only one level of certification in PA-DSS, the application and implementation is either compliant or not. PCI-DSS has different levels of certification and Sage ERP MAS 500 is compliant with any of the different PCI-DSS compliance levels.
Once Sage ERP MAS 500 is at version 7.5 and utilizing Sage Exchange, MAS500 will no longer touch card holder information. The card holder data is gathered by Sage Exchange in a totally independent memory space and sent to the Sage Vault. Sage ERP MAS 500 then deals with an opaque pointer to the information stored in the vault. Sage Exchange is PA-DSS compliant. Sage ERP MAS 500 will no longer require PA-DSS certification because it no longer touches card holder data.
The customer will still be required to be PCI-DSS compliant, so it doesn't change the customer's procedures. It only moves the PA-DSS compliance requirement from Sage ERP MAS 500 to Sage Exchange.
I would like to thank Richard Sisk for input on this topic.
