The Payment Card Industry (PCI) set up its standards organization to give every user of the payment system an official place to look up how to secure their systems and networks.
In the “real world” you call the credit card processor, such as First Data, which then has a method of contacting VISA, Mastercard, or AMEX, who then contact the bank that holds the credit card account.
All transactions are encrypted from the POS system to the processor, and the processor has encrypted methods of contacting VISA, Mastercard, AMEX, and ultimately the banks.
The software-based solution is the cheapest, as the computer you already have can run software from First Data.
There are also USB-connected devices: you buy a device that processes credit cards on a computer, with the card numbers being encrypted from the USB reader onward.
Magtek 21073075 Centurion PCI-DSS Compliant Secure Card Reader Authenticator (3-Track, USB, MSR MAGNESAFE 2.0 HID) USB Powered. Bi-directional.
Specifically designed to meet PCI DSS requirements to secure card data, the Centurion employs the industry standard, Triple DES encryption and is USB powered. This bidirectional SCRA conveniently makes any existing electronic transaction more secure.
So how you initially set up the POS terminals is a big deal, since the weak point in this scheme is the POS terminal itself. If for some reason it has become unsafe due to malware or some other hacker attack, then the credit card number can be stolen before it is encrypted and sent to the bank.
So all of these systems encrypt the card data from the software or hardware to the processor.
So if the terminal makers are PCI compliant and the transaction is encrypted, why would you need to test your systems?
Because if the endpoints have malware (as in Target’s hack), the credit card numbers are stolen by the malware before the encrypted transaction gets processed.
Oversitesentry blog post about Target hack: http://oversitesentry.com/target-hacked-in-11-steps-4-shouldve-been-stopped/
PCI compliance is more than testing and reviewing the POS systems and network. A security policy is a must as well, as in the following from PCI DSS 3.1 (4/15/2015):
Requirement 12: Maintain a policy that addresses information security for all personnel.
12.1 Establish, publish, maintain, and disseminate a security policy.
12.1 Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners).
The bottom line is that the POS systems must be checked quarterly for some companies and at least annually for others; it depends on the number of transactions one has per year (higher than 20k will require more scrutiny).
Contact Us – Oversitesentry, as we can help you develop a PCI compliance strategy and security policy.
Our PCI compliance web page at http://oversitesentry.com/pci-compliance/
This blog post updated 10/05/2015