Ver. 7.4 is Critical for All Customers Processing Credit Cards!
Data Pro Accounting Software spent significant development resources preparing for the release of Version 7.4 due to the requirements mandated by the credit card industry that went into effect July 1, 2010.
This is a critical issue that every business owner must address if their firm is processing credit cards. The Payment Card Industry has created a special security standards council for the purpose of protecting consumers from card data theft and fraud. To this end, new standards have been imposed on every level within the industry: merchants, banks, processors, hardware and software developers, and point-of-sale vendors.
What does this mean to you as a business owner?
A lot! It means that virtually all liability is passed down to you as the merchant. Ultimately, you are responsible for ensuring that you comply with the PCI-DSS requirements, one of which requires that you use a payment application that is PA-DSS compliant. Version 7.4 with the new DP/CHARGE Payment Server module is that compliant solution! Risk levels have never been higher for handling credit card information. Failure to abide by these standards can result in fines from the Card Associations, especially in the event of a security breach. None of our other product integrations have gone through PA-DSS compliance. Only Version 7.4 fully complies with the PA-DSS requirements! Even if you are processing credit cards using stand-alone credit card terminals, you still have obligations to become PCI-DSS compliant.
PCI-DSS compliance is required even if you are not processing your credit card transactions through Data Pro's Infinity POWER software applications.
How will this affect current Data Pro Customers?
With the release of Version 7.4, Data Pro's Infinity POWER accounting software products are what is termed "PA-DSS Compliant." As a Data Pro customer with a current Annual License Agreement (ALF), you are automatically entitled to the upgrade to Version 7.4 and higher at no additional charge. This means that all software functionality inside the specific accounting modules that deal with credit card processing has been specifically upgraded to deal with the new mandates.
Announcing DP/CHARGE Payment Server
One of the primary concerns of the Data Security Standards is the protection of cardholder data. Version 7.4 and higher uses a specific system that stores cardholder data off-site in a secure data vault and allows access to the data using a highly encrypted tokenization system with the remaining data in your Infinity POWER application.
This is all possible due to a new and "secure" credit card processing module called "DP/CHARGE" (Part #273).
Why OpenEdge?
OpenEdge* was chosen as our primary credit card processor because of their industry leading awareness of the PCI-DSS and PA-DSS standards and their representation on the Security Standards Council itself.
Many payment processors meet only the minimum requirements for PA-DSS. OpenEdge has gone above and beyond with the development of their advanced security features, Managed Payer Data (tokenization) and Encrypted Card Swipe.
Through our partnership with OpenEdge, Data Pro has ensured that Version 7.4 is fully compliant with the PA-DSS standards, and OpenEdge is assisting Data Pro in the process of full "validation." Through this relationship, Data Pro's customers will have access to world-class service and support in addition to all of the security features mentioned above. Though features like "tokenization" and "encrypted card swipe" aren't required under the current standard, they will likely be in the future. Data Pro's customers are ahead of the game by implementing these features now.
If these features aren't required, why should I implement them now?
The answer is simple: Liability! As a business owner, you are ultimately liable in the event of a security breach and are the party responsible for any fines passed down by the Card Associations. Implementing these features now reduces that exposure by properly protecting cardholder data.
According to industry security expert PCI ASSURE, "92% of card data compromises take place in small businesses with low processing volume."
Validating software companies to ensure that they are PA-DSS compliant is only half the process. If there is a breach, the first place the Secret Service will look is at the software you are using to verify that it is, in fact, PA-DSS compliant all the way down to the specific version of software you are running. In Data Pro's case, any version lower than Version 7.4 is NOT PA-DSS compliant! Merchants are also required to demonstrate their own compliance to the PCI-DSS standards by completing Self Assessment Questionnaires and going through quarterly scans.
That is why the industry has "Qualified Security Assessor" organizations that can assist in this process. By partnering with OpenEdge, Data Pro made sure we had a process in place that would allow us to guide our merchants through this process with minimal confusion and expense.
OpenEdge recognizes the obstacles merchants face in meeting PCI-DSS compliance requirements. To help you with this endeavor, OpenEdge has partnered with PCI ASSURE, a leading Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), to offer you OpenEdge PCI Validation. It's a comprehensive service that offers a PCI compliance program tailored to how you run your business featuring the OpenEdge PCI Breach Reimbursement Guarantee!
For businesses with integrated IP-based payment processing, the program features a full-featured PCI compliance portal with easy-to-use navigation and award-winning vulnerability detection.
Featuring PCI ASSURE® PCI Manager, the program includes:
- PCI compliance portal featuring the PCI Wizard and To Do List to help determine the steps required for your business type, making the process easy to complete and informative.
- Vulnerability scanning service for up to 3 IPs to help determine the vulnerabilities in your network.
- On-demand external scanning: ad hoc scans, up to 12 a year.
- The Security Policy Advisor for assistance with PCI DSS policy documents and requirements (one per merchant ID (MID)) and to develop your own unique internal best practices.
- The PCI ASSURE Agent for up to 3 devices, simplifying the scanning process and providing ongoing compliance monitoring for the systems the agent is installed upon.
- Access to the PCI Video Assistant, on-line help text, tutorials and educational tools for your staff (up to 10 users).
- Immediate user access to web-based scan report results upon scan completion.
- 24/7 phone and email support from PCI ASSURE for questions about using PCI ASSURE and about PCI DSS.
- Electronic submission of the quarterly PCI compliance letter (executive report) to your Acquirer.
What will happen to my current credit card processing options if I upgrade to Version 7.4 and I don't have an OpenEdge Merchant ID or DP/CHARGE?
You will not be able to continue to process credit cards as you have done up until now. All master configuration options previously found in Version 7.3 and lower that supported other integrated processing solutions such as NOVA, IC/Verify and PC Charge are gone.
What if I need the new PAYROLL changes expected to come out later this year?
You will have to upgrade to get them and you will need to become PCI-DSS compliant as well. We can no longer support one without the other.
What happens now?
1) Determine whether you process credit cards in any way or not. If not, none of this affects you. You are done! You can upgrade or not.
2) If you do, contact Data Pro Accounting Software immediately and ask for one of our trained account managers to guide you through the upgrade process. After we speak with you about upgrading, we will submit your information to the Account Representative at OpenEdge, who will then contact you to establish your new OpenEdge Merchant Account (ID). Alternatively, you can go to our web site and register on-line by filling out the OpenEdge Registration form, and they will be glad to contact you directly to assist you in acquiring your OpenEdge Merchant ID and/or help you work through your PCI-DSS Merchant Validation process.
A more specific white paper from Data Pro has been mailed to all Data Pro Accounting Software users with a complete update, including a detailed "Frequently Asked Questions" section at the end. Please contact us immediately at 1-800-237-6377 or 727-803-1500 and Press 1 for Sales if you haven't received yours yet. Or, just e-mail us at dpasales@dpro.com to request your white paper today. Our marketing staff will also be calling each and every customer to ensure that they receive this information, since it is so important.
Frequently Asked Questions
- What are the deadlines for complying with PCI DSS?
- I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?
- How do I determine if my organization is eligible to complete one of the shorter Self-Assessment Questionnaire (SAQ) versions?
- Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS?
- Is the Self-Assessment Questionnaire all I need to do to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS)?
- How can issuers be PCI DSS compliant if they store sensitive authentication data?
- Navigating PCI DSS
- How does PCI DSS apply to individual PCs or workstations?
- As a merchant, what Self-Assessment Questionnaire (SAQ) form should we complete?
- What are the deadlines for complying with PCI DSS?
Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed. You should check with your acquirer and/or merchant bank to see whether any specific deadlines apply to you, based on merchant transaction volume (level) as determined by the card payment brands. All entities that transmit, process or store payment card data must be compliant with PCI DSS.
- I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, we recommend that you contact your acquirer. For more information regarding the PCI security standards and supporting documentation, including the “Navigating the PCI DSS” as well as targeted Self Assessment Questionnaires to assist small and medium merchants, please visit the PCI SSC website at: www.pcisecuritystandards.org.
- How do I determine if my organization is eligible to complete one of the shorter Self-Assessment Questionnaire (SAQ) versions?
The SAQ is a validation tool for merchants and service providers who are not required to undergo an on-site data security assessment per the PCI DSS Security Audit Procedures. Please consult your acquirer and/or payment brand for details regarding PCI DSS validation requirements. The Self-Assessment Questionnaire Instructions and Guidelines document has been developed to help merchants and service providers understand the PCI Data Security Standard Self-Assessment Questionnaire (SAQ). The document provides guidance on the following topics:
- PCI Data Security Standard Self-Assessment: How it all fits together
- PCI Data Security Standard: Related Documents SAQ Overview
- Why is compliance with the PCI DSS important?
- General Tips and Strategies
- Selecting the SAQ That Best Applies to your organization
- Guidance for exclusion of certain, specific requirements
- How to Complete the Questionnaire.
- Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS?
The Council will be developing more formal guidance around this topic, leveraging information that is received through the various channels of the DSS lifecycle feedback process. Until further guidance is provided by the Council, the following should be taken into consideration regarding encrypted cardholder data.
Encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys (“Keys”). If Keys are left unprotected and accessible, anyone can decrypt the data. The DSS has specific encryption key management controls (DSS 3.5 and 3.6); however, other DSS controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data environments that may grant them access to Keys. It is for this reason that encrypted cardholder data is in scope for PCI DSS.
However, encrypted data may be deemed out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it. Any technological implementation or vendor solution should be validated to ensure both physical and logical controls are in place in accordance with industry best practices, prohibiting the entity, or malicious users that may gain access to the entity’s environment, from obtaining access to Keys.
Furthermore, service providers or vendors that provide encryption solutions to merchants who have administrative access and controls to Keys along with the management of termination points for encryption to process transactions, are required to demonstrate physical and logical controls to protect cryptographic keys in accordance with industry best practices (such as NIST referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS.
Merchants should ensure their solution providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS. Merchants should be aware that encryption solutions most likely do not remove them completely from PCI DSS. Examples of where DSS would still be applicable include usage policies, agreements with service providers that deploy payment solutions, physical protection of payment assets and any legacy data and processes (such as billing, loyalty, marketing databases) within the merchant's environment that may still store, process or transmit clear text cardholder data, as that would remain in scope for PCI DSS.
- Is the Self-Assessment Questionnaire all I need to do to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS)?
In accordance with payment brands’ compliance programs, those merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the PCI DSS may need to complete the following steps:
- Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
- Complete a clean vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).
- Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
- How can issuers be PCI DSS compliant if they store sensitive authentication data?
With regard to issuers or companies that support issuing services such as third party processors (TPPs), and other issuing type processors, it is recognized that such entities may have a legitimate need to retain sensitive authentication data such as the card verification code or value (CVV2, CVC2, CID, or CAV2 data) or PIN. While the topic of issuing entities is not specifically addressed in the PCI Data Security Standard, the PCI Security Standards Council recognizes that in certain instances storage of this data is necessary for entities performing, facilitating, or supporting issuing functions. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data IF they have a legitimate business need to store such data. It should be noted that all other PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. At their discretion, payment card brands may require issuers to validate PCI DSS compliance. For more specific information on PCI DSS compliance validation requirements, please contact the individual payment card brands at the following email addresses: american.express.data.security@aexp.com | askdatasecurity@discoverfinancial.com | riskmanagement@jcbati.com | sdp@mastercard.com | cisp@visa.com.
- Navigating PCI DSS (PDF file)
- How does PCI DSS apply to individual PCs or workstations?
All system components in the network are considered part of the cardholder data environment unless adequate network segmentation is in place that isolates systems that store, process, or transmit cardholder data from those that do not. Without proper network segmentation, the entire network is in scope for the PCI Data Security Standard, and all PCI Data Security Standard requirements apply. QSAs can advise their clients on how to implement network segmentation to reduce PCI DSS scope. Where there are many PCs or workstations in an environment and all PCs do not need access to the cardholder data environment (CDE), the network segmentation should provide access to the CDE for all PCs that need access, and should prohibit access for all other PCs. With such segmentation in place, PCI DSS requirements are relevant to, and should be applied to, only that smaller PC population. Regarding the applicability of each PCI DSS requirement to an individual PC, the QSA should also consider features that are part of the PC’s basic functionality (for example, logging or file integrity monitoring) or are part of existing network controls, and determine whether these features meet the intent of PCI DSS requirements to protect cardholder data stored, processed, or transmitted by these PCs.
- As a merchant, what Self-Assessment Questionnaire (SAQ) form should we complete?
For each SAQ form, the merchant can find a subsection entitled “Eligibility to Complete SAQ” in the Attestation section at www.pcisecuritystandards.org/saq/index.shtml. If the merchant is able to answer yes to each question on the attestation form, then that particular form would be applicable in terms of validating compliance with the PCI DSS. We also recommend that the merchant contact their acquirer to ensure that they are completing the correct SAQ form.
SAQ Validation Type | Description | SAQ: V1.2
1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
2 | Imprint-only merchants with no electronic cardholder data storage |
3 | Stand-alone terminal merchants, no electronic cardholder data storage |
4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage |
5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. |
*OpenEdge, a division of Global Payments, operates through the following entities:
OpenEdge Payments LLC is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA
and a registered ISO of BMO Harris Bank N.A., Chicago, IL
and a registered ISO/MSP of Synovus Bank, Columbus, GA.
PayPros LLC is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA.
EMV® is a registered trademark owned by EMVCo LLC.