PCI Compliance Solved!

If you feel a little unsure about PCI compliance and all its details, don’t feel bad. You have plenty of company. In fact, PCI has spawned an entire industry of consultants, assessors, pundits and experts.

But start with this fact sheet as your guide regarding your ISS45 and ScanMaster POS systems.

What is the point of PCI?
PCI stands for “Payment Card Industry.” Its standards, published by the PCI Security Standards Council (founded by the major card brands), are designed to reduce the risk of fraud from stolen credit card data by setting minimum requirements for anyone who stores, processes or transmits that data.

What am I supposed to do?
Your acquiring bank, your processor and the card brands require you to keep your stores compliant with the PCI standards. Those standards comprise a list of management practices and technology controls that protect credit card data, and non-compliance can mean fines from your acquirer or, after a breach, liability for the fraud losses.

Where are these rules available?
The PCI Security Standards Council publishes the Data Security Standard, or “DSS,” which details 12 primary requirements, each broken down into specific safeguards and the testing procedures an assessor uses to verify them.

How will I know if I meet the standards?
Going through the PCI Self-Assessment Questionnaire (“SAQ”) will tell you much of what you need to know. Which SAQ applies depends on how you accept cards: the less your own systems touch card data, the shorter the questionnaire. Smaller merchants at this time are not required to file anything beyond the SAQ and its attestation. Larger merchants must be assessed on site by a Qualified Security Assessor (“QSA”), an assessor trained and certified by the Council to validate stores or enterprises as PCI-Compliant.

Doesn’t PCI compliance depend on my POS and payment systems too?
Yes, in many cases. Systems or applications that store, process or transmit cardholder data, including “track data” from the magnetic stripe, as part of authorization or settlement are designated as “payment applications,” and your assessor must consider them acceptable before your stores can be judged PCI-Compliant.

What is “track data”?
Track data is the contents of the magnetic stripe on a credit card: the full card number (the PAN), the expiration date, the service code and other account-specific “discretionary” data such as the card verification value encoded on the stripe. Because this is everything needed to counterfeit a card, PCI DSS treats full track data as sensitive authentication data: it must never be stored after the transaction is authorized, not even encrypted, and where a card number is displayed it must be masked to at most the first six and last four digits.

What must a “payment application” do to be judged acceptable so that my store can achieve PCI-Compliance?
Any payment application must be validated to operate in compliance with the Payment Application Data Security Standard – the “PA-DSS.” This rule book describes how track data and other cardholder data must be handled and protected within the payment application.

If my payment application was successfully validated does that mean that my stores automatically achieve PCI Compliance?
Unfortunately not. Running a PA-DSS validated payment application is a first step, but the application must also be installed and configured the way its implementation guide requires, and there are many other management practices and safeguards (network controls, access control, logging, policies) required before a merchant achieves PCI Compliance.

How do I know if my payment applications were validated?
Merchants can visit the PCI Security Standards Council or Visa Web sites to see a list of payment applications that have been validated under PA-DSS or previous standards such as Visa’s Payment Application Best Practices (“PABP”). Check the exact version number of the application you run, because listings apply to specific versions and carry expiry dates. Note also that the Council has since retired PA-DSS in favor of its Software Security Framework, so newer applications are listed under that program instead.

Are all POS systems listed on the Visa and PCI sites?
No. A growing number of POS systems, including ISS45 and ScanMaster, do not handle, transmit or store any credit card track data. Since these POS systems are not “payment applications,” they are not listed by Visa or the Council; there is nothing for them to be validated against.

How can it be possible for a POS system to NOT handle card data?
Newer interfaces between POS systems and electronic payment applications such as WinEPS “isolate” the POS from the card data. WinEPS handles the electronic payment transaction and all track data by itself; the POS only sends the amount and receives the authorization result, and never touches the card data. For the isolation to hold in practice, confirm with your assessor that the interface returns nothing more than the approval and, at most, a masked card number, and that the POS never logs or displays anything else.
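The following Python example illustrates both the “What is track data?” answer above and the isolation claim. It is added here and is not code from the original fact sheet or from the ISS45, ScanMaster or WinEPS products. The Track 2 layout it parses (start sentinel “;”, PAN, “=” separator, YYMM expiry, three-digit service code, discretionary data, end sentinel “?”) is the ISO/IEC 7813 format; the sample track and the log lines are constructed for the example around the well-known Visa test number 4111 1111 1111 1111, which is not a real card. The masking rule (first six and last four digits) is the PCI DSS display rule. The log scan is the kind of check a practitioner would run against POS log files to verify that a POS claimed to be “isolated” really never sees track data.

```python
"""Parse ISO/IEC 7813 Track 2 data, mask the PAN, and scan POS logs for leaked track data.

Added example, not from the original page. Sample data below is constructed.
"""
import re

# One full Track 2 record: ;PAN=YYMM SSS discretionary?
TRACK2_FULL = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)
# Same pattern, but anywhere inside a line (for log scanning).
TRACK2_ANY = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample: Visa test PAN, expiry 12/2029, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890?"

# Constructed POS log lines. Line 1 shows what an isolated POS should log at most
# (a masked PAN); line 2 is a debug leak of the raw track data that must never happen.
LOG_LINES = [
    "2024-05-01 10:02:11 lane03 auth_result=APPROVED masked_pan=411111******1111",
    "2024-05-01 10:02:12 lane03 DEBUG raw=;4111111111111111=29121011234567890?",
    "2024-05-01 10:03:40 lane04 item=4011 qty=2 total=3.98",
]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; every real PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; raise on malformed input."""
    m = TRACK2_FULL.match(track)
    if not m:
        raise ValueError("not an ISO 7813 Track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": m["pan"],
        "expiry": m["exp"],            # YYMM
        "service_code": m["svc"],
        "discretionary": m["disc"],    # includes stripe CVV; never store
    }


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pos_view(track: str) -> dict:
    """What an isolated POS may retain from a transaction: masked PAN and expiry
    only. Full PAN, service code and discretionary data are dropped."""
    fields = parse_track2(track)
    return {"masked_pan": mask_pan(fields["pan"]), "expiry": fields["expiry"]}


def find_track_data(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line index, masked PAN) for every log line carrying real track data.
    The Luhn check filters out random digit runs that merely look like a track."""
    hits = []
    for i, line in enumerate(lines):
        for m in TRACK2_ANY.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((i, mask_pan(m.group(1))))
    return hits


if __name__ == "__main__":
    print("parsed:", parse_track2(SAMPLE_TRACK2))
    print("POS may keep:", pos_view(SAMPLE_TRACK2))
    for idx, masked in find_track_data(LOG_LINES):
        print(f"track data leaked on log line {idx}: {masked}")
```

The scan reports only a masked PAN, so the checking tool itself does not become another place where full card numbers accumulate. Run it against the POS system’s own logs, receipts and database exports: a POS that is genuinely isolated should produce zero hits.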
