Tag Archive for 'security'

Credit Card Security and PCI Compliance

If you are accepting credit cards as a form of payment, July 1, 2010 will be a big day. This is the day by which all credit card merchants (businesses accepting credit cards) must be using a PA-DSS compliant payment application. If you are using MAS 90 or MAS 200 to process credit cards and running versions 4.30.0.18 or 4.40.0.1, you are in the clear for this requirement. If you are accepting credit cards through some other process, such as a stand-alone point of sale or other software application, you will need to verify that it is also PA-DSS compliant.

Beyond the PA-DSS requirement (the software portion of compliance), which was set up by the Payment Card Industry, there is also the PCI-DSS (Data Security Standard), which covers the technological and physical controls of cardholder data and the processes used to manage those controls. These physical controls include addressing details like where records are stored, who has access to these areas, how the records are retained, and when they are destroyed. There are varying levels of controls for the varying types of merchants, but if you are maintaining cardholder data in MAS 90 or MAS 200, you are considered Level 4.

To meet the standards, you must complete a Self Assessment Questionnaire (SAQ). To give you an idea of how seriously these standards are taken, the Level 4 SAQ includes 222 questions. The good news is that you don’t have to handle this on your own. Sage has partnered with a Qualified Assessor (QA) in Trustwave. For $85 annually, Trustwave provides an SAQ assistance tool, security awareness training for your staff, and will complete monthly security scans (better than the quarterly scans required by PCI-DSS).

Make no mistake, there is a great deal of work to do and detail to monitor, but consider the risk if your customer data is compromised:

  • Damage to your brand
  • Costs of investigation
  • Cost of remediation
  • Fines and fees
  • Ongoing compliance audits
  • Victim notification costs
  • Financial loss
  • Data loss
  • Charge backs
  • Operational disruptions

By working with a QA like Trustwave, you will ease the burden of becoming compliant and reduce your risk of exposure. If you have done everything you can to maintain your compliance, your business should receive some sympathy from the card brand if data is compromised.

I have mentioned it before and will mention it again. Sage has created a PCI Compliance website. The information is thorough and updated often.

Credit Card Security Compliance for Sage MAS 90 and 200

We recently wrote about the Payment Card Industry Data Security Standard (PCI-DSS) and the new requirements being enforced as of July 1, 2010.

Only the features in MAS 90 and 200 version 4.30.0.18 and 4.40.0.1 or greater are designed to address these requirements. Installations of earlier releases will not be compliant with the new standards if credit card data is stored inside the system.

There are twelve requirements, organized into six objectives:

  1. Build and Maintain a Secure Network: Install and maintain a firewall and use unique, high-security passwords, taking special care to replace default passwords.
  2. Protect Cardholder Data: Whenever possible, cardholder data must not be stored. You must also encrypt any data passed across public networks, including your shopping cart and web-hosting providers.
  3. Maintain a Vulnerability Management Program: Use anti-virus software and keep it up to date. Develop and maintain secure operating systems and payment applications. Ensure the applications you use are compliant (see www.visa.com/pabp).
  4. Implement Strong Access Control Measures: Access to cardholder data – both electronic and physical – should be on a “need-to-know” basis. Ensure those people with access have a unique ID and password. Do not share logon information.
  5. Regularly Monitor and Test Networks: Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes including firewalls, patches and anti-virus.
  6. Maintain an Information Security Policy: It’s critical that your organization has a resource for governing your company’s data security. Ensure you have a policy and that it’s disseminated and updated regularly.
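Objective 2 above says cardholder data must not be stored wherever possible, and objective 5 says access to that data must be tracked. One practical check behind both is to scan logs, exports and database dumps for full card numbers that should not be there, and to mask any that are found. The following is an added example written for this page, not code from Sage or from the original posts: it finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), filters them with the Luhn check so that order numbers and timestamps are not flagged, and masks hits to the first six and last four digits. The sample log lines and the `4111 1111 1111 1111` test number are constructed for the example.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes.
# Lookarounds stop the pattern from matching inside longer digit runs.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check. Filters out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_if_pan(match_text):
    """Return the digits-only PAN for a regex match, or None if it is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text):
    """Return every digits-only PAN found in one line of text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        pan = _digits_if_pan(m.group(0))
        if pan is not None:
            found.append(pan)
    return found


def mask_pan(pan):
    """Keep at most the first six and last four digits; everything else becomes X."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def redact(text):
    """Replace every full PAN in the line with its masked form, leaving other digits alone."""
    def _sub(m):
        pan = _digits_if_pan(m.group(0))
        return mask_pan(pan) if pan is not None else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan_lines(lines):
    """Return (line_number, masked_pan) for every line that still holds a full PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample log lines; the card number is a well-known test value, not a real account.
SAMPLE_LOG = [
    "2010-06-30 order=1234567890123456 customer=42 status=approved",
    "2010-06-30 DEBUG card=4111 1111 1111 1111 exp=12/12 amount=19.99",
    "2010-06-30 phone=5551234567 shipped",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: full card number present, masked as {masked}")
    print(redact(SAMPLE_LOG[1]))
```

Only line 2 is reported: the 16-digit order number on line 1 fails the Luhn check and the phone number on line 3 is too short. Run the scan over application logs, debug output and backups during the self-assessment, and treat any hit as cardholder data that must be removed or encrypted, not merely masked in the log.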

More information is available at Sage’s PCI-DSS Compliance page.