Welcome To Positive Feedback Software LLC

"Finally there is an affordable touch screen driven POS system for restaurants... FreePOS!"

Summary

PCI compliance boils down to being careful with your sensitive cardholder data.

FreePOS only works with PCI-compliant payment software and gateways.

FreePOS V6.55 Is:

  • PABP Validated

  • PA-DSS Validated

To see FreePOS's Application Validation Record, click here.

PCI Compliance Explained

The Card Associations Come Together

Over the last few years there have been a variety of initiatives brought forth by each of the different card networks: Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP), American Express’ Data Security Operating Policies (DSOP) and Discover’s Information Security and Compliance (DISC) regulations. In December of 2004, the Card Associations came together to create a single security program that set a single standard for Merchants to comply with: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS focuses on six areas of operation:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

For most Merchants, in order to certify to the PCI DSS standards, you must complete a detailed self-assessment form and receive quarterly network scans from an independent auditor. For bigger Merchants (6 million transactions annually or above), the regulations require a detailed onsite assessment. Even Merchants who process fewer than 20,000 transactions annually are required to comply with the regulations, even though they are not currently required to be validated by the Card Associations. Certification and compliance guidelines for smaller Merchants are dictated by their Merchant Bank.

What Is CISP ?

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard.

What Was PABP And Why Is It PA-DSS Now?

FreePOS V6 has successfully completed its QPASC audit and is listed on Visa's website as being fully PABP compliant. FreePOS is validated to V1.4 of the PABP program's standards. It should be noted that the PABP program has since been transitioned into the all-inclusive PA-DSS program, which is run by the PCI Council. FreePOS is fully PA-DSS validated.

Are You Okay?

Every payment processing application should be certified.  If you are using a certified version of X-Charge, CreditLine or ICVerify you are in great shape from a software standpoint.   Please note that FreePOS has been tested and certified with X-Charge.   CreditLine and ICVerify are each validated separately by their respective manufacturers.

It should be noted, however, that validation may expire after one year.  So you must continually upgrade/update your software if you wish to maintain full compliance.

I Purchased A ____ POS System & Now The Company I Purchased The POS System From Is Telling Me That I Must Upgrade All Of My Hardware & Software Or I'll Be In Violation Of The Law.   Help!

To be in full compliance with the PCI guidelines is an expensive & time consuming process.  Regular audits, software upgrades & rule changes that are difficult to predict all contribute to a very perplexing landscape.   Needless to say: Be very careful to get a second opinion if a sales person (who has a vested financial interest in "your compliance") tells you an upgrade is required.

Another POS vendor told me updates to their product were $499/year and guaranteed never to increase.  How much do FreePOS updates cost per year?

Updates to FreePOS are available at no cost for life.  When you implement a computer system with FreePOS, you won't ever have to pay extra money if the security standards change.   At Positive Feedback Software LLC we take security very seriously.   In an effort to keep our customers compliant we NEVER charge for updates.

What Happens If You Don't Comply?

You could be fined or you could lose your ability to accept credit cards.

Should I Close My Business Until I Get Certified?

NO.  These penalties are reserved for credit card database security mistakes that result in multiple accounts being hijacked.  If a single person uses a stolen credit card in your establishment, the worst case is going to be a charge-back by the rightful owner of the card.

If I Change Processors Will That Help?

NO.   But some unethical card reps are telling merchants untrue things like this just to get more business.   Remember that PCI Compliance is a process... not a specific credit card processing company.

What Is The Difference Between PABP and PA-DSS?

PABP was a payment application security standard written and administered by Visa.   PA-DSS is the new security standard which is governed by all of the major card brands.   You can view the FreePOS PA-DSS validation here.

Tips About Security

Secure Your System

There are many things you can do to make your POS system more secure.  In most cases, computer security boils down to "common sense" rather than expensive software.

  1. Installing New Software

    Don't install new programs unless they come from a reputable source.  Common places to get viruses are: public download sites, school computer labs & a friend's computer.

  2. Locking Up Your PC

    Don't leave the door open to your back office PC.  If you do, it will be easy for someone to "slip your computer a mickey".  A locked door is your best security.

  3. Password Protect Files & Programs

    Put a password on critical functions like batching credit cards & issuing refunds.  Also, password protect your back office machine.  This keeps out the casual "walker by".

  4. Wireless Hot Spots

    If you have a wireless hot-spot, make sure it is running on a separate & secure router.  If your POS computers plug into the switch that's built into your wireless router, you have a security problem.

  5. Opening Files

    In the old days, viruses came in files that ended in .BAT, .COM or .EXE.  Today, we are not so lucky.  There are thousands of file associations that can launch a virus attack.  Therefore, SCAN EVERY FILE before you open it.

  6. Updating Antivirus Software

    New viruses are created & launched every day.  Keep your virus scanner updated on a daily basis.  AVG is free and it automatically updates itself daily.

  7. Garbage Disposal Procedures

    Shred documents with customer information on them before placing them in the trash can.

  8. Cable Closets

    If you have cables, hubs, switches and/or routers in a public place, you are asking for trouble.  Always secure cables in a non-public place (like a lockable closet).

  9. Surfing The Web

    If you let people surf the internet on your back office computer, you'll get a virus or system crash eventually.  DON'T!!!

    If you must surf at work, get a separate computer that isn't connected to your POS system for surfing the web.

  10. POS Stations Should NOT Have Internet Access

    If you delete the DNS and GATEWAY addresses from the POS workstations, they won't be able to get onto the internet.  This is a great way to increase security.
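The following PowerShell script is an added example for tip 10; it is not part of FreePOS or of Positive Feedback Software's own material. It audits a Windows POS workstation for the two settings the tip says to remove (default gateway and DNS servers, on both IPv4 and IPv6), confirms the result with a live outbound probe, and can apply the removal with a -WhatIf preview. It assumes Windows 8.1 / Server 2012 R2 or later (the NetTCPIP and DnsClient modules) and an elevated session; the probe host and port are an assumed choice, not anything the page specifies.

```powershell
# Added example (not FreePOS code): audit and enforce "no Internet access" on a POS workstation.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.

# Public TCP endpoint used only for the live reachability probe. This value is an
# assumption for the example; substitute any host your own policy allows.
$ProbeHost = '8.8.8.8'
$ProbePort = 53

function Get-PosInternetExposure {
    # Returns one object per configured setting that would let this workstation reach
    # the Internet. An empty result means no default route (IPv4 or IPv6) and no DNS server.
    [CmdletBinding()]
    param()

    $findings = @()

    # Default routes: 0.0.0.0/0 for IPv4 and ::/0 for IPv6. Deleting only the IPv4
    # gateway does nothing if the router still advertises an IPv6 default route.
    foreach ($prefix in '0.0.0.0/0', '::/0') {
        $routes = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
        foreach ($r in $routes) {
            $findings += [pscustomobject]@{
                Check     = 'DefaultGateway'
                Interface = $r.InterfaceAlias
                Value     = $r.NextHop
            }
        }
    }

    # DNS servers on any interface. A hard-coded public resolver is a common way an
    # "isolated" terminal quietly regains name resolution.
    $dns = Get-DnsClientServerAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($d in $dns) {
        $findings += [pscustomobject]@{
            Check     = 'DnsServer'
            Interface = $d.InterfaceAlias
            Value     = ($d.ServerAddresses -join ', ')
        }
    }

    return $findings
}

function Test-PosInternetReachable {
    # Live confirmation: a TCP connect to the probe endpoint. $true means the
    # workstation is NOT isolated, whatever the configuration looks like.
    return (Test-NetConnection -ComputerName $ProbeHost -Port $ProbePort `
        -InformationLevel Quiet -WarningAction SilentlyContinue)
}

function Remove-PosInternetAccess {
    # Applies the tip: strip default routes and DNS servers from every interface.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($prefix in '0.0.0.0/0', '::/0') {
        Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.InterfaceAlias, "Remove default route $prefix")) {
                    Remove-NetRoute -InputObject $_ -Confirm:$false
                }
            }
    }

    Get-DnsClientServerAddress |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.InterfaceAlias, 'Clear DNS servers')) {
                Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ResetServerAddresses
            }
        }
}

# Report what is configured, then confirm with the live probe.
$exposure = @(Get-PosInternetExposure)
if ($exposure.Count -eq 0) {
    Write-Host 'No default gateway or DNS server is configured on this workstation.'
} else {
    $exposure | Format-Table -AutoSize
}
Write-Host ('Live probe to {0}:{1} succeeded: {2}' -f $ProbeHost, $ProbePort, (Test-PosInternetReachable))

# Preview the removal; drop -WhatIf to apply it.
Remove-PosInternetAccess -WhatIf
```

Two caveats worth knowing before relying on this. First, the removal only sticks on adapters with a static IP address: on a DHCP adapter, `-ResetServerAddresses` simply reverts to the DHCP-supplied servers and the gateway comes back at the next lease renewal, so give POS workstations a static address (or reserve one and hand out no gateway/DNS from the DHCP server) and re-run the audit after any "network troubleshooting". Second, a missing gateway is not a firewall: the workstation is still reachable from every other host on the same LAN, which is exactly why tip 4 puts the wireless hot-spot on a separate router. Pair this with a separate network segment for the POS stations and a firewall rule that denies outbound traffic from that segment.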