Banks, payment providers, processors and acquirers are now requiring that software with integrated payment processing, including Point of Sale software, be installed by a PCI-QIR (Qualified Integrator and Reseller). This applies to every new installation and to every re-installation after a service pack or update has been applied to the software.
The PCI-QIR company must keep its QIR installation documentation on file so that it can be produced when a PCI-QSA (Qualified Security Assessor) requests it during an audit of our customer’s system. There should be no additional cost for this service. (See Exhibit A for further clarification.)
Unattended / Unauthorized Access
PCI-DSS requires that NO third-party provider have standing, unattended access to the CDE (cardholder data environment): vendor remote access must be enabled only for the time it is needed, disabled when not in use, and monitored while it is active. The CDE is not one machine; it is every system that stores, processes or transmits cardholder data, and any system that can connect to one of those is in scope as well.
EMV & PCI Compliance Requirements Are Not The Same
EMV (chip cards, whether chip-and-signature or chip-and-PIN) is a completely separate initiative from PCI and should not be confused with PCI compliance or its mandates. Since the October 2015 liability shift, card brands and banks have been charging back counterfeit-fraud transactions in which an EMV chip card was used on a terminal that is not EMV capable; the merchant that did not adopt EMV absorbs the loss. Being EMV capable does not make you PCI compliant, and being PCI compliant does not move that fraud liability.
Company Security Awareness & Education
The greatest single risk to your company is a lack of security awareness training, which can usually be traced to non-existent, weak or unenforced company security policies. The most common security issue we see is allowing web browsing and/or email access from a machine in the CDE; these are two of the largest risks to an organization’s overall security posture, because one malicious link or attachment opened on a POS terminal lands the attacker directly on a system that handles card data. Weak password policies, unpatched systems and outdated anti-virus and anti-malware software add to the risk. Point-of-Sale environments should be on a segmented network and never part of the wider corporate network.
No Escaping PCI Compliance
You cannot escape PCI compliance or responsibility even if your point-of-sale software is disconnected from the device that accepts payment cards, and even if that device is EMV enabled. PCI compliance is not restricted to electronic card data: cardholder data on paper (receipts, order forms, notes taken for phone orders) is in scope as well.
PCI Compliant Hosting Environments
Hosting your Point-of-Sale environment in a PCI certified hosting facility does not make you PCI compliant. The company that supports your point-of-sale environment must maintain its own PCI validation as a service provider, and it is your responsibility to obtain its Attestation of Compliance, know which requirements it covers and which remain yours (a written responsibility matrix is what a QSA will ask for), and decide what access to allow or disallow on that basis. Even though a service provider undergoes quarterly internal and external vulnerability scans and annual penetration testing on the hardware it hosts, you still need quarterly internal and external vulnerability scans and annual penetration testing on all remaining systems connected to your CDE.
Data Breach Insurance
Insurance companies are requiring retailers to show proof of compliance, have written security policies and undergo external and internal vulnerability scans and penetration tests before they will underwrite even a basic data breach insurance policy. Comprehensive data breach insurance policies may require a PCI-QSA to perform an annual audit of compliance.
The Current State of Point of Sale Provider PCI Awareness
During a recent visit to a retail industry event, we were astonished at how little point-of-sale vendors actually knew about current PCI regulations, their own liability, the requirement that they be certified as PCI-QIRs and their obligation to provide security awareness training to their customers, and at how much misinformation they passed on in place of it.
The Real Cost of Security Complacency
A data breach can cause irreparable harm to your brand’s reputation. Penalties for non-compliance can be insurmountable for a small business and can cost you the business itself. PCI compliance reduces both the likelihood of a breach and the penalties and consequences that follow one.
Our team of skilled, certified security experts uses the latest security tools to detect existing vulnerabilities and provides continuous monitoring services that detect malicious activity within your environment. These and other safeguards work around the clock as ongoing defenses that protect your environment against a growing list of potential attacks and vulnerabilities.
Payment Application – Data Security Standard (PA-DSS) Guidelines as of May 2015
The primary purpose of PA-DSS is two-fold:
- protect sensitive payment data as the payment application stores, processes and transmits it between the payment device and the payment processor;
- provide installation security guidelines (the PA-DSS Implementation Guide) and training so that PCI-QIRs and customers deploy the application in a PCI DSS-compliant manner.
The primary account number (PAN) is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all applicable PCI-DSS requirements.
The scope of PA-DSS as it applies to Payment Applications:
- End-to-end payment functions (authorization and settlement);
- Input and output;
- Error conditions;
- Interfaces and connections to other files, systems, and/or payment applications or application components;
- All cardholder data flows;
- Encryption and Authentication mechanisms;
- Guidance that the payment application vendor is expected to provide to customers and PCI-QIRs to ensure:
- Customer knows how to implement the payment application in a PCI DSS-compliant manner, and
- Customer is clearly told that certain payment application and environment settings may prevent PCI DSS compliance.
Cardholder data must never be stored on a server connected to the Internet
PA-DSS Requirements and Security Assessment Procedures (the fourteen requirements a payment application vendor must meet, which PCI-QIRs and security assessment personnel verify):
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data;
- Protect stored cardholder data;
- Provide secure authentication features;
- Log payment application activity;
- Develop secure payment applications;
- Protect wireless transmissions;
- Test payment applications to address vulnerabilities and maintain payment application updates;
- Facilitate secure network implementation;
- Cardholder data must never be stored on a server connected to the Internet;
- Facilitate secure remote access to payment application;
- Encrypt sensitive traffic over public networks;
- Encrypt all non-console administrative access;
- Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators;
- Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, PCI-QIRs.
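The first two requirements above (no retained track data or card verification values; stored cardholder data protected) and the PAN rule stated earlier are the ones a QIR or assessor checks by actually searching the merchant's logs, databases and crash dumps for card data. The scanner below is an added example written for this page, not a tool from the original page or from any vendor it mentions: it finds PANs by pattern plus Luhn check, finds magnetic-stripe track 1 and track 2 data by their layout (`%B<PAN>^<name>^<YYMM><service code>` and `<PAN>=<YYMM><service code>...`), and reports only masked PANs so the report itself does not become another store of cardholder data. The log lines it scans are constructed for the example and use the standard test card numbers.

```python
"""Scan text (logs, database dumps, crash dumps) for stored cardholder data.

Added example, not part of the original page. Reports magnetic-stripe track
data (forbidden by PA-DSS requirement 1) and PANs (protected under requirement 2),
masked to first six / last four so the report does not itself store card data.
"""
import re
from typing import List

# Loose PAN pattern: 13-19 digits, optionally separated by single spaces or dashes.
# The Luhn check below removes most false positives (order numbers, timestamps).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: PAN '=' YYMM service-code discretionary-data (assumed ISO 7813 form).
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*")
# Track 1 layout: '%B' PAN '^' name '^' YYMM service-code ... (assumed ISO 7813 form).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[dict]:
    """Findings for one line: track data first, then PANs not already inside track data."""
    findings = []
    covered = []  # spans already reported as track data; PANs inside them are not double-counted
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append({"kind": kind, "pan": mask_pan(pan), "service_code": m.group(3)})
                covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        pan = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask_pan(pan), "service_code": ""})
    return findings


def scan_text(text: str) -> List[dict]:
    """Scan every line; each finding records the line number, kind and masked PAN."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            results.append({"line": lineno, **f})
    return results


# Constructed sample POS log lines (not real data; 4111... and 5555... are test PANs).
# Line 2 is a raw swipe with full track 2 data, line 5 a track 1 record, line 3 a
# 15-digit order id that must not be reported (it fails the Luhn check).
SAMPLE_LOG = """\
2024-03-01 10:15:02 sale txn=1001 pan=4111111111111111 amount=12.50
2024-03-01 10:15:09 swipe raw=;4111111111111111=25121011234567890?
2024-03-01 10:16:44 order id=123456789012345 customer=smith
2024-03-01 10:17:10 sale txn=1002 pan=5555 5555 5555 4444 amount=3.00
2024-03-01 10:18:00 track1=%B5555555555554444^DOE/JOHN^2512101?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']} service_code={f['service_code'] or '-'}")
```

Any track1 or track2 finding in a production log or database is a PA-DSS requirement 1 failure regardless of encryption; a pan finding is a requirement 2 question (is it encrypted, truncated or tokenized, and does it need to be there at all). The 13-19 digit range and the Luhn check are assumptions that suit payment cards but will still match some non-card numbers, so treat hits as leads to verify, not proof.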