Payment Card Industry Compliance

PCI Compliance Check Overview

The Payment Card Industry (PCI) security program has instituted a set of rules regarding the storage of Credit Card numbers. System Five has included a comprehensive PCI Compliance Check that ensures your business meets the required parameters for the storage of this information.

The PCI Compliance Check can be accessed through the Credit Card Verification Options page in the Setup Wizard and will automatically run every time the Point of Sale Transaction report is generated. It is very important to configure the PCI Compliance Check properly in order for the routine to function correctly for the specific needs of your business.

In order to meet the PCI security standards, the following rules now apply to the entry and storage of CVV and CVV2 numbers.

In addition to the rules on the storage of CVV and CVV2 numbers, a regular check of the stored Credit Card Numbers must be performed and submitted to the Processor. Without this compliance check, the Credit Card Processor could suspend your transaction processing.

Additional Information

What is PCI Compliance and why is it required?

PCI is an acronym for Payment Card Industry, which is a consortium of MasterCard, VISA and others. It was previously known as CISP (Card Information Security Program), which was VISA's term for a similar set of standards. PCI is a set of security standards that is enforced on all Merchants, Service Providers and Credit Card Processors.

Failure to comply with the PCI standards:

Failure to comply may result in any or all of the following:

Denial of Credit Card processing services

Fines levied by the card processors on the Merchant for up to $50 per card for all card information that is stolen.

Ways System Five protects you from credit card fraud:

All credit card information is encrypted securely using strong encryption.

Credit card numbers are truncated after a number of days, reducing your liability should your system be compromised by hackers.

CVV and CVV2 numbers are not stored in the database. This means you cannot get card-present rates for mail/telephone orders unless you process the card immediately.

Track 2 information is not stored in the database.

PIN numbers are not stored in the database.

Access to non-blanked Credit Card information is controlled through internal Security Permissions, except for the Credit Card transaction the user is currently processing.

Access to non-blanked Credit Card information is logged for each user.

Non-blanked Credit Card Numbers are not visible on the Point of Sale Transaction Report for users running remote access programs such as terminal server, VNC and pcAnywhere.

PIN-based Debit Card Numbers are not stored at all, since you cannot void or reverse a Debit Card transaction without the card present.
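The storage and display rules in the list above, as an added illustration (constructed example, not System Five's own code); the record layout, the 30-day retention period and the in-memory audit log are assumptions:

```python
import re
from datetime import date

# Constructed record layout; System Five's real storage format is not shown on the page.
NEVER_STORE = ("cvv", "cvv2", "track2", "pin")   # sensitive authentication data
RETENTION_DAYS = 30                              # assumed setting ("a number of days")
AUDIT_LOG = []                                   # in-memory stand-in for the per-user access log

def mask_pan(pan: str) -> str:
    """Blank all but the last four digits; already-truncated values are returned unchanged."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return pan
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Drop CVV/CVV2, track 2 and PIN data before the transaction record is written."""
    return {key: value for key, value in record.items() if key not in NEVER_STORE}

def apply_retention(record: dict, today_iso: str, retention_days: int = RETENTION_DAYS) -> dict:
    """Truncate the stored card number once the record is older than retention_days."""
    stored = date.fromisoformat(record["stored_on"])
    today = date.fromisoformat(today_iso)
    if (today - stored).days > retention_days:
        return dict(record, pan=mask_pan(record["pan"]))
    return record

def display_pan(record: dict, user: str, can_view_full: bool, remote_session: bool) -> str:
    """Show the full number only to a permitted user on a local (non-remote) session, and log it."""
    if can_view_full and not remote_session:
        AUDIT_LOG.append((user, record["pan"][-4:]))  # log who looked, never the full number
        return record["pan"]
    return mask_pan(record["pan"])

if __name__ == "__main__":
    # Constructed sample: the well-known Visa test number, not a real card.
    txn = {"pan": "4111111111111111", "cvv2": "123", "track2": "...", "stored_on": "2024-01-01"}
    stored = sanitize_for_storage(txn)            # CVV2 and track 2 never reach the database
    aged = apply_retention(stored, "2024-03-01")  # 60 days old: PAN truncated to last four digits
    print(aged, display_pan(stored, "alice", True, True))
```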

Steps the Merchant must take to ensure PCI Compliance

Users must have a unique name and password to the computer, file server, System Five and remote access programs. Do not use names such as Staff and Sales. Passwords should be changed every 90 days.

Secure operating systems such as Windows NT/2000/XP should be employed and the file structure must be NTFS to protect the data. Operating systems must be kept up to date with all patches.

Note: Windows 95/98/ME operating systems are not secure and are no longer supported by Microsoft for patches.

Up-to-date virus checkers must be installed on all computers and file servers. Virus checkers should be set up to download new virus signatures daily.

A firewall must be in place between your internal network and the internet. A personal firewall on each computer is also a good idea. Most routers have a built-in firewall, but it must be configured and password protected.

Wireless networks must be heavily encrypted. System Five does not support the use of wireless networks for data traffic, but they can be used for remote access programs.

Merchant copies of credit card receipts must be secured. Printing of the non-blanked card number or expiry date on Merchant copies should be avoided.

Printing of non-blanked Credit Card numbers on Customer copies is illegal in most countries and states and may violate your merchant agreement.

Backup tapes and disks must be secured in a safe, locked place. This should also be off site.

DataCap System Inc payment server software, NETePay, will connect to many of the major Credit Card processors, such as FDMS, GPS, NOVA, Paymentech and Vital/Visanet. It will also give you the added functionality of PIN based Debit Cards, Pre-authorizations and fast TCP/IP processing.

We recommend Mercury Payment Systems for fully integrated payment processing. There is no charge for the Mercury Payment Systems software and you have options including: PIN Debit, EBT (food stamps), Gift Cards, Check verification/ guarantee processing; fast (2-3 seconds) TCP/IP processing (dialup is available); no payment server / software to install, configure; and on-line web reporting.