PCI Compliance
What is PCI?
The Payment Card Industry Security Standards Council's mission is to mitigate merchant-based vulnerabilities that threaten the card-processing ecosystem, and to create an open global forum for the continued development, enhancement, dissemination, and implementation of security standards for protecting customer account data.

Why should I care about PCI compliance?
The PCI board has set July 2010 as the date to begin requiring all merchants who accept or process payment cards to process transactions in compliance with PCI and PCI DSS. If a merchant fails to comply, its credit card processing provider could choose to discontinue service until the merchant satisfies PCI compliance.

What initiatives has the PCI board set forth?
In order to enhance account data security, the PCI Security Standards Council has outlined the following set of practices:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

What is PCI DSS?
PCI DSS encompasses a comprehensive set of security standards that mirror the practices set forth by the PCI Security Standards Council. It has been adopted by American Express, MasterCard Worldwide, Visa Inc. International, Discover Financial Services, and JCB International and lays the groundwork for the universal adoption of data security measures across all merchants that store, process, and/or transmit customer account data. Organizations that accept or process payment cards must comply with PCI DSS.

The requirements are as follows:
Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Routers are hardware or software that connects two or more networks.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
The easiest way for a hacker to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is akin to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools that show what devices are on your network, can make unauthorized entry a simple task – if you have failed to change the defaults.

Requirement 3: Protect stored cardholder data
In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores the PAN, it is crucial to render it unreadable wherever it is stored, as well as whenever it is transmitted over a network.
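One way to apply Requirement 3 in code, as an added example that is not part of the original page or of Arbelsoft's product: an authorization record is stripped of sensitive authentication data, the PAN is validated and truncated to the digits PCI DSS permits to be shown (first six and last four), and a keyed one-way hash stands in for the full number so records can still be matched. The field names, the demo key and the sample record are assumptions.

```python
import hashlib
import hmac
import re

# Sensitive authentication data must never be stored after authorization,
# even encrypted (PCI DSS rule; these field names are assumed for the demo).
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv", "pin_block")

# Constructed demo key. In production the HMAC key lives in a key-management
# system and is rotated; it must never be stored alongside the records.
DEMO_INDEX_KEY = b"demo-key-replace-with-kms-managed-key"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index(pan: str, key: bytes = DEMO_INDEX_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) used as a lookup token for the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of an authorization record that may be written to disk."""
    pan = re.sub(r"\D", "", record["pan"])   # drop spaces and dashes
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    stored = {k: v for k, v in record.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    stored["pan_masked"] = truncate_pan(pan)
    stored["pan_index"] = pan_index(pan)
    return stored


if __name__ == "__main__":
    # Constructed sample using a public test card number, not real data.
    auth = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123",
            "track2": "4111111111111111=29121010000000000000", "amount": "42.00"}
    print(sanitize_for_storage(auth))
```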

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person.

Requirement 5: Use and regularly update anti-virus software or programs
Many vulnerabilities and malicious viruses enter the network via employees’ e-mail and other online activities. Anti-virus software must be used on all systems affected by malware to protect systems from current and evolving malicious software threats.

Requirement 6: Develop and maintain secure systems and applications
Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Secure coding practices for developing payments applications, change control procedures and other secure software development practices should always be followed.

Requirement 7: Restrict access to cardholder data by business need-to-know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.

Requirement 10: Track and monitor all access to network resources and cardholder data
Establish a process for linking all access to system components to each individual user – especially access done with administrative privileges.

Requirement 11: Regularly test security systems and processes
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.

Requirement 12: Maintain an Information Security Policy
A strong security policy sets the tone for security affecting an organization’s entire company, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.
How does this affect me?
If you are using integrated credit card processing within our POS system, we provide a PCI compliant version. Moving to this version will reduce the risk of vulnerabilities that threaten the security of your customers' payment card data and will also ensure that you continue to receive credit card processing services from your provider, who may choose to discontinue service if you are not PCI compliant. July 2010 is the deadline for credit card processing companies to require these mandates of all merchants who accept or process payment cards. We strongly recommend that you secure your POS system to minimize the risk of merchant-based vulnerabilities.

Where can I find out more about this?
To read more about PCI Compliance:

Arbelsoft PCI-DSS Implementation Guide  

PCI Security Standards Council Web site
www.pcisecuritystandards.org

Frequently Asked Questions (FAQ)
www.pcisecuritystandards.org/faq.htm

Membership Information
www.pcisecuritystandards.org/participation/join.shtml

Webinars
www.pcisecuritystandards.org/news_events/events.shtml

Training (for assessors)
QSAs : www.pcisecuritystandards.org/education/qsa_training.shtml
PA-DSS : www.pcisecuritystandards.org/education/pa-dss_training.shtml

PTS approved devices
PIN Transaction Security (PTS) Devices: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Payment Applications: www.pcisecuritystandards.org/security_standards/pa_dss.shtml

PCI Data Security Standard version 1.2 (PCI DSS)
The Standard: www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
Supporting Documents: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Approved Assessors and Scanning Vendors: www.pcisecuritystandards.org/about/resources.shtml
Navigating the Standard: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Self-Assessment Questionnaire: www.pcisecuritystandards.org/saq/index.shtml
Glossary: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Approved QSAs: www.pcisecuritystandards.org/qsa_asv/find_one.shtml
Approved ASVs: www.pcisecuritystandards.org/qsa_asv/find_one.shtml

Site created by Arbelsoft Inc. 2008
© 2003 ArbelSoft, Inc. Toll Free 877.939.1212