PCI Compliance - Revision history

Russ horton: /* Not storing card holder data */

2018-03-15T22:55:35Z

Not storing card holder data

← Older revision		Revision as of 22:55, 15 March 2018
Line 133:		Line 133:
	* Stronger access control to ensure sensitive settings and data are only available to administrators and that the actions of those administrators are logged.		* Stronger access control to ensure sensitive settings and data are only available to administrators and that the actions of those administrators are logged.

	In [http://updates.newhavensoftware.com/v10release_notes.htm#link-1-3 CMS TEN] a new feature was introduced called [https://en.wikipedia.org/wiki/Tokenization_(data_security) tokenization] which is the best of both worlds. With this option card data is no longer stored in CMS (thus reducing your compliance requirements) but it is stored securely at the processor or gateway's servers. You will have the freedom to reference and use that card in the future (again, back orders, returns and even future purchases.) This would appear to be the wave of the future and the best way to minimize PCI compliance issues while still retaining the convenience of having customer's credit card on file.		In [http://updates.newhavensoftware.com/v10release_notes.htm#link-1-3 CMS TEN] a new feature was introduced called [https://en.wikipedia.org/wiki/Tokenization_(data_security) tokenization] which is the best of both worlds. With this option card data is no longer stored in CMS (thus reducing your compliance requirements) but it is stored securely at the processor or gateway's servers. You will have the freedom to reference and use that card in the future (again, back orders, returns and even future purchases.) This would appear to be the wave of the future and the best way to minimize PCI compliance issues while still retaining the convenience of having customer's credit card on file. The Tokenization option is presently only available with our Vantiv/Worldpay payment processor.

	While your software only affects a portion of your overall compliance, whether or not you store card data does have a big impact. If your assessor knows of the changes coming soon for you, we'd imagine they would have you focus on other areas of compliance first and give you time to implement the improved software solutions.		While your software only affects a portion of your overall compliance, whether or not you store card data does have a big impact. If your assessor knows of the changes coming soon for you, we'd imagine they would have you focus on other areas of compliance first and give you time to implement the improved software solutions.

Russ horton: /* Learning more */

2018-03-15T22:53:47Z

Learning more

← Older revision		Revision as of 22:53, 15 March 2018
Line 99:		Line 99:

	The following sites are good resources for FAQ's, information and related videos:		The following sites are good resources for FAQ's, information and related videos:

			The PCI Council has also produced a cute [http://www.youtube.com/watch?v=xpfCr4By71U YouTube animated video] which is a very high-level overview of the requirements. Don't watch this if you feel your intelligence is easily insulted (think Schoolhouse Rock).

			Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529

			Cybrary has a really good [https://www.cybrary.it/video/pci-dss-introduction/ set of videos] (you have to register but is free) on the topic of PCI-DSS and the requirements that are really worth a watch to get you up to speed.

			Others:

	*https://www.trustwave.com/webinars.php		*https://www.trustwave.com/webinars.php

Russ horton: /* PCI demystified */

2018-03-15T22:51:09Z

PCI demystified

← Older revision		Revision as of 22:51, 15 March 2018
Line 40:		Line 40:

	To be clear, PCI compliance is not limited to your deployment/use of CMS. It goes on to cover all aspects of your operation including your network, access to servers, company policies and/or anything else that could possibly impact the exposure of sensitive credit card data. In short, if a credit card number or the security code (CVV2) is ever visible/accessible beyond the moment it is needed to process (i.e. if it is printed, in an unencrypted file or unencrypted database, etc.) then you are not compliant. This is an over-simplification but is a good rule of thumb to help you get your head around the core issue that drives the PCI Compliance requirements. The PCI DSS link provided above in the Definitions list will outline all aspects of compliance.		To be clear, PCI compliance is not limited to your deployment/use of CMS. It goes on to cover all aspects of your operation including your network, access to servers, company policies and/or anything else that could possibly impact the exposure of sensitive credit card data. In short, if a credit card number or the security code (CVV2) is ever visible/accessible beyond the moment it is needed to process (i.e. if it is printed, in an unencrypted file or unencrypted database, etc.) then you are not compliant. This is an over-simplification but is a good rule of thumb to help you get your head around the core issue that drives the PCI Compliance requirements. The PCI DSS link provided above in the Definitions list will outline all aspects of compliance.

	The PCI Council has also produced a cute [http://www.youtube.com/watch?v=xpfCr4By71U YouTube animated video] which is a very high-level overview of the requirements. Don't watch this if you feel your intelligence is easily insulted (think Schoolhouse Rock).

	Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529

	Cybrary has a really good [https://www.cybrary.it/video/pci-dss-introduction/ set of videos] (you have to register but is free) on the topic of PCI-DSS and the requirements that are really worth a watch to get you up to speed.

	==Bah, humbug!==		==Bah, humbug!==

Russ horton: /* Learning more */

2018-03-15T22:50:36Z

Learning more

← Older revision		Revision as of 22:50, 15 March 2018
Line 105:		Line 105:

	The following sites are good resources for FAQ's, information and related videos:		The following sites are good resources for FAQ's, information and related videos:
	*http://www.pcicomplianceguide.org/
	*https://www.trustwave.com/webinars.php		*https://www.trustwave.com/webinars.php
	*http://searchsecurity.bitpipe.com/rlist/term/Payment-Card-Industry-Data-Security-Standard-Compliance.html		*http://searchsecurity.bitpipe.com/rlist/term/Payment-Card-Industry-Data-Security-Standard-Compliance.html

Russ horton: /* Learning more */

2018-03-15T22:49:46Z

Learning more

← Older revision		Revision as of 22:49, 15 March 2018
Line 108:		Line 108:
	*https://www.trustwave.com/webinars.php		*https://www.trustwave.com/webinars.php
	*http://searchsecurity.bitpipe.com/rlist/term/Payment-Card-Industry-Data-Security-Standard-Compliance.html		*http://searchsecurity.bitpipe.com/rlist/term/Payment-Card-Industry-Data-Security-Standard-Compliance.html
	*http://www.pcipolicyportal.com/

	==Ways to reduce your compliance costs and efforts==		==Ways to reduce your compliance costs and efforts==

Russ horton: /* PCI demystified */

2018-03-15T22:48:46Z

PCI demystified

← Older revision		Revision as of 22:48, 15 March 2018
Line 41:		Line 41:
	To be clear, PCI compliance is not limited to your deployment/use of CMS. It goes on to cover all aspects of your operation including your network, access to servers, company policies and/or anything else that could possibly impact the exposure of sensitive credit card data. In short, if a credit card number or the security code (CVV2) is ever visible/accessible beyond the moment it is needed to process (i.e. if it is printed, in an unencrypted file or unencrypted database, etc.) then you are not compliant. This is an over-simplification but is a good rule of thumb to help you get your head around the core issue that drives the PCI Compliance requirements. The PCI DSS link provided above in the Definitions list will outline all aspects of compliance.		To be clear, PCI compliance is not limited to your deployment/use of CMS. It goes on to cover all aspects of your operation including your network, access to servers, company policies and/or anything else that could possibly impact the exposure of sensitive credit card data. In short, if a credit card number or the security code (CVV2) is ever visible/accessible beyond the moment it is needed to process (i.e. if it is printed, in an unencrypted file or unencrypted database, etc.) then you are not compliant. This is an over-simplification but is a good rule of thumb to help you get your head around the core issue that drives the PCI Compliance requirements. The PCI DSS link provided above in the Definitions list will outline all aspects of compliance.

	The PCI Council has also produced a cute [http://www.youtube.com/watch?v=xpfCr4By71U YouTube animated video] which is a very high-level overview of the requirements. Don't watch this if you feel your intelligence is easily insulted (think Schoolhouse Rock)~~. The PCI Council's [https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf Quick Reference Guide] is perhaps a better start~~.		The PCI Council has also produced a cute [http://www.youtube.com/watch?v=xpfCr4By71U YouTube animated video] which is a very high-level overview of the requirements. Don't watch this if you feel your intelligence is easily insulted (think Schoolhouse Rock).

	Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529		Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529

Russ horton: /* PCI demystified */

2018-03-15T22:44:59Z

PCI demystified

← Older revision		Revision as of 22:44, 15 March 2018
Line 44:		Line 44:

	Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529		Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529

			Cybrary has a really good [https://www.cybrary.it/video/pci-dss-introduction/ set of videos] (you have to register but is free) on the topic of PCI-DSS and the requirements that are really worth a watch to get you up to speed.

	==Bah, humbug!==		==Bah, humbug!==

Russ horton: /* PCI demystified */

2018-03-15T22:43:13Z

PCI demystified

← Older revision		Revision as of 22:43, 15 March 2018
Line 41:		Line 41:
	To be clear, PCI compliance is not limited to your deployment/use of CMS. It goes on to cover all aspects of your operation including your network, access to servers, company policies and/or anything else that could possibly impact the exposure of sensitive credit card data. In short, if a credit card number or the security code (CVV2) is ever visible/accessible beyond the moment it is needed to process (i.e. if it is printed, in an unencrypted file or unencrypted database, etc.) then you are not compliant. This is an over-simplification but is a good rule of thumb to help you get your head around the core issue that drives the PCI Compliance requirements. The PCI DSS link provided above in the Definitions list will outline all aspects of compliance.		To be clear, PCI compliance is not limited to your deployment/use of CMS. It goes on to cover all aspects of your operation including your network, access to servers, company policies and/or anything else that could possibly impact the exposure of sensitive credit card data. In short, if a credit card number or the security code (CVV2) is ever visible/accessible beyond the moment it is needed to process (i.e. if it is printed, in an unencrypted file or unencrypted database, etc.) then you are not compliant. This is an over-simplification but is a good rule of thumb to help you get your head around the core issue that drives the PCI Compliance requirements. The PCI DSS link provided above in the Definitions list will outline all aspects of compliance.

	~~A great series of videos~~ is ~~available from one~~ of ~~our payment processing partners, Mercury Payment Systems, on~~ the ~~topic of PCI~~. ~~It starts with an overview, much as~~ this ~~article does, and subsequent videos cover the various aspects of compliance in more detail~~. ~~Highly recommended viewing. http~~://go.~~mercurypay~~.~~com~~/~~pcipartner~~/~~resources~~.~~htm~~		The PCI Council has also produced a cute [http://www.youtube.com/watch?v=xpfCr4By71U YouTube animated video] which is a very high-level overview of the requirements. Don't watch this if you feel your intelligence is easily insulted (think Schoolhouse Rock). The PCI Council's [https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf Quick Reference Guide] is perhaps a better start.

	The PCI Council has also produced a cute YouTube animated video which is a very high level overview of the requirements. Don't watch this is you feel your intelligence is easily insulted (think Schoolhouse Rock). <g> http://www.youtube.com/watch?v=xpfCr4By71U		Trustwave, a company certified by the PCI Council to perform PCI and PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529

	Trustwave, a company certified by the PCI Council to perform PCI ad PA DSS security validations, has also produced a video explaining the PCI requirements in more detail and how to address the requirements - http://www.brighttalk.com/webcast/5884/44529

	==Bah, humbug!==		==Bah, humbug!==

Russ horton: /* Definitions */

2018-03-15T22:33:39Z

Definitions

← Older revision		Revision as of 22:33, 15 March 2018
Line 31:		Line 31:
	*IT GRC = Information Technology Governance, Risk and Compliance		*IT GRC = Information Technology Governance, Risk and Compliance
	*SMB = Small and Medium sized Business		*SMB = Small and Medium sized Business
			*EMV - Stands for Europay, MasterCard, Visa and refers to the chip now embedded in most phsical cards, used in lieue of the magstripe as a more secure solution.
			*P2PE - Point to point encryption, a technique used by some POS devices to encrypt the card as it is swiped and only sends the encrypted card to the processor.

	==PCI demystified==		==PCI demystified==

Russ horton: /* CMS configuration */

2018-03-15T22:23:36Z

CMS configuration

← Older revision		Revision as of 22:23, 15 March 2018
Line 158:		Line 158:
	The majority of CMS merchants will be required to fill out a self-assessment questionnaire (SAQ) that covers not only their use of CMS but in fact all aspects of their business processes and network. Larger merchants may have to pay to have a licensed auditor come in and complete the assessment for them. If you will be filling out the SAQ form you should know there are multiple versions available based on how you process and store charge card data. Currently, CMS users would be considered ''validation type 5'', since CMS is storing card holder data, and thus will need to complete '''SAQ form D''' which can be downloaded from https://www.pcisecuritystandards.org/document_library?category=saqs#results.		The majority of CMS merchants will be required to fill out a self-assessment questionnaire (SAQ) that covers not only their use of CMS but in fact all aspects of their business processes and network. Larger merchants may have to pay to have a licensed auditor come in and complete the assessment for them. If you will be filling out the SAQ form you should know there are multiple versions available based on how you process and store charge card data. Currently, CMS users would be considered ''validation type 5'', since CMS is storing card holder data, and thus will need to complete '''SAQ form D''' which can be downloaded from https://www.pcisecuritystandards.org/document_library?category=saqs#results.

	Your SAQ will cover many topics ~~and~~ of ~~those, you'll find requirements 3 and 4~~ pertain to CMS. ~~For version 6 or earlier, please use of~~ the ~~following options to help ensure compliance to requirements 3 and 4 (pages 11-13). Version 7.0 of~~ CMS ~~will come with a~~ PA-DSS Implementation Guide which ~~will guide~~ you ~~through~~ how to ~~setup and use CMS in a PCI DSS compliant manner~~:		Your SAQ will cover many topics, only some of which pertain to CMS. NewHaven Software publishes a document called the CMS PA-DSS Implementation Guide which covers in more detail how CMS helps you meet PCI requirements and how CMS must be configured to accomplish this. You may download the latest copy of this document from [https://updates.newhavensoftware.com/ Support Downloads]. A sample of the information there includes:

	*Enable credit card encryption - Admin>Database Maint>Encryption		*Enable credit card encryption - Admin>Database Maint>Encryption (CMS v9 and earlier only)
	*Enable credit card masking - Setup>Order Entry>Order Entry Options>"Use Credit Card Masking" should be checked		*Enable credit card masking - Setup>Order Entry>Order Entry Options>"Use Credit Card Masking" should be checked (CMS v9 and earlier only)
	*Disable debug log - Setup>Payment>EDC>Options>"Create Debug log" should be unchecked		*Disable debug log - Setup>Payment>EDC>Options>"Create Debug log" should be unchecked
	*If you are using a CMS invoice (as opposed to a Crystal invoice) make sure you are not using the print task "Payment - Charge Card Number". All of our Crystal invoices and other CMS print tasks will only print the last 4 digits of a credit card number.		*If you are using a CMS invoice (as opposed to a Crystal invoice) make sure you are not using the print task "Payment - Charge Card Number". All of our Crystal invoices and other CMS print tasks will only print the last 4 digits of a credit card number.
	This print task ~~will be~~ masked in ~~a future version~~. All other tasks in CMS that print credit card numbers, like the 'charge message' task have had their card numbers masked for years and still do today.		This print task is masked in CMS TEN+. All other tasks in CMS that print credit card numbers, like the 'charge message' task have had their card numbers masked for years and still do today.
	*~~If you are using ePay or Authorize.net (not PCCharge) the~~ credit card data is transmitted via ~~SSL so it is~~ secure ~~and~~ satisfies section 4.1 for secure transmission.		*The credit card data is transmitted via a secure connection (established by Windows, e.g. TLS 1.2) which satisfies section 4.1 for secure transmission.
	PCCharge has been certified compliant on the old v1.1 PA-DSS standard but the method of integration they use requires CMS to drop a file into their directory with unencrypted credit card data. As such, it appears to us that this integration method is not and cannot be made compliant. '''PCCharge users will need to switch onto a different payment gateway to facilitate compliance.''' Please contact NewHaven Software to discuss your options.		*As a merchant, you'll need to create a data retention policy per item 3.1 in PCI DSS to outline how long you plan to store the card data. Once the data retention policy is set in CMS, it will delete card data nightly based on your selected policy.
	*As a merchant, you'll need to create a data retention policy per item 3.1 in PCI DSS to outline how long you plan to store the card data. ~~We can assist with helping you purge old card~~ data ~~per whatever~~ policy ~~you decide on. We would do this by providing SQL to replace old~~ card data ~~with generic equivalents (e.g. 4444 4444 4444 4448.) Please contact NewHaven Software Tech Support for assistance with this. (This is automated in our version 7 release~~.)		*Use strong passwords for anyone with administrative access. Strong passwords are 7+ characters and must be a combination of letters and numbers. These must be used for anyone with access to the PCI Administrator user.
	*Use strong passwords for anyone with administrative access. Strong passwords are 7+ characters and must be a combination of letters and numbers. These must be used for anyone with access to ~~CMS Setup or Admin. (In version 7, all~~ PCI ~~admin controls are grouped together in one screen~~.)

	Also, questions you'll be asked on PCI should only apply to your location and CMS~~, not eCMS. Since CV3 hosts eCMS sites, the PCI liability for your stores falls upon them~~. You ~~should confirm this with your security assessor but~~ that ~~has been our understanding. If~~ you ~~were hosting~~ your ~~own site, however, you would then also be accountable for storage of card~~ data ~~on your web servers~~.		Also, questions you'll be asked on PCI should only apply to your location and CMS. You have an additional responsibility in ensuring that vendors you work with handle your data in a compliant fashion.

	===User Habits===		===User Habits===