PCI Standards & Compliance looking out for you

The Payment Card Industry (PCI) set up its standards organization to give everyone who uses the card payment system one official place to look up how to secure their systems and networks.

(Figure: payment card flow)

In the “real world” your POS contacts the credit card processor, such as First Data, which in turn contacts VISA, Mastercard, or AMEX, who then contact the bank that holds the credit card account.

All transactions are encrypted from the POS system to the processor, and the processor in turn uses encrypted channels to reach VISA, Mastercard, AMEX, and ultimately the banks.

(Image: firstdataPOS) This is the Point of Sale terminal.

(Image: first datasoftware) This is a software-based Point of Sale system (you supply the computer).

The software-based solution is the cheapest, as the computer you already have can run the software from First Data.

There are also USB-connected devices: you buy a card reader that attaches to a computer, and the card numbers are encrypted from the USB reader onward.

Product listing: http://barcodescannersdiscount.com/itpjpo10coin2.html (barcodescannersdiscount)

Magtek 21073075 Centurion PCI-DSS Compliant Secure Card Reader Authenticator (3-Track, USB, MSR MAGNESAFE 2.0 HID). USB powered, bi-directional.

Specifically designed to meet PCI DSS requirements to secure card data, the Centurion employs industry-standard Triple DES encryption and is USB powered. This bidirectional SCRA conveniently makes any existing electronic transaction more secure.

So how you initially set up the POS terminals is a big deal, since the weak point in this scheme is the POS terminal itself. If it has been compromised by malware or some other attack, the credit card number can be stolen before it is ever encrypted and sent to the bank.

All of these systems encrypt the transaction from the POS software or hardware to the processor.

(Figure: POS-to-processor)

So if the terminal makers are PCI compliant and the transaction is encrypted, why would you need to test your systems?

Because if the endpoints are infected with malware (as in Target’s breach), the malware steals the card numbers before the transaction is encrypted and processed.

Oversitesentry blog post about Target hack: http://oversitesentry.com/target-hacked-in-11-steps-4-shouldve-been-stopped/
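One practical check that follows from the point above: if a POS host has been compromised, the card number exists in cleartext on that host before encryption, so a defender wants a way to confirm that no cardholder data is sitting in logs, debug output or captured memory in the clear. The following Python scanner is an added example written for this post; it is not Oversitesentry's, First Data's or Magtek's code. It assumes the material to check is already available as text (a POS log file, a config dump, a memory capture run through `strings`), finds card-number-shaped strings, keeps only those that pass the Luhn check (which drops timestamps and order numbers that merely look like PANs), flags track-2-formatted data separately, and reports every hit masked to first six / last four digits so the scanner itself never writes a full PAN. The sample log lines are constructed for the example and use well-known test card numbers.

```python
"""Cleartext PAN scanner for POS hosts (added example, not the page's own code).

Reports Luhn-valid card numbers and track-2-style records found in text,
masking each finding to first-six/last-four so the report is safe to keep.
"""
import re
import sys
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so a 20-digit field is not split into a PAN).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 style record: ';' PAN '=' YYMM ... optional '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\??")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: keep first six and last four, star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str
    kind: str   # "pan" for a bare card number, "track2" for track data


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; return masked findings, one per PAN per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        # Track data is the more serious finding, so check it first.
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan) and pan not in seen:
                findings.append(Finding(line_no, mask(pan), "track2"))
                seen.add(pan)
        for m in CANDIDATE_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if pan in seen or not luhn_ok(pan):
                continue
            findings.append(Finding(line_no, mask(pan), "pan"))
            seen.add(pan)
    return findings


def scan_file(path: str) -> list[Finding]:
    """Convenience wrapper: scan a file as text, ignoring undecodable bytes."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())


# Constructed sample lines (not from any real POS): a properly masked PAN that
# must NOT be reported, a cleartext test PAN with dashes, an order number that
# is PAN-shaped but fails Luhn, a track-2 record, and a Luhn-invalid number.
SAMPLE_LOG = """\
2015-10-05 12:34:56 POS01 sale approved auth=A1B2C3 pan=411111******1111
2015-10-05 12:35:02 POS01 debug card=4111-1111-1111-1111 exp=12/25
2015-10-05 12:35:02 POS01 order 20151005123456789 amount=42.10
2015-10-05 12:36:10 POS02 swipe ;5500000000000004=25121010000000000000?
2015-10-05 12:37:00 POS02 lookup id=4111111111111112
"""


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind:6s} {f.masked_pan}")
    sys.exit(1 if results else 0)
```

Run it with a file path to scan that file, or with no arguments to scan the built-in sample; the non-zero exit code when anything is found makes it easy to call from a scheduled job on each POS host. On the sample it reports only line 2 (the cleartext PAN) and line 4 (track-2 data); the masked PAN on line 1 and the two Luhn-invalid numbers are correctly ignored.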

PCI compliance is more than testing and reviewing the POS systems and network. A security policy is a must as well, as the following excerpt from PCI DSS 3.1 (4/15/2015) shows:

Requirement 12: Maintain a policy that addresses information security for all personnel.

12.1 Establish, publish, maintain, and disseminate a security policy.

Testing procedures:
12.1 Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners).

Guidelines:

A company’s information security policy creates the roadmap for implementing security measures to protect its most valuable assets. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.

The bottom line is that the POS systems must be checked quarterly for some companies, and at least annually for others. It depends on the number of transactions per year (more than 20k transactions will require more scrutiny).

Contact Us – Oversitesentry: we can help you develop a PCI compliance strategy and security policy.

Our PCI compliance web page at http://oversitesentry.com/pci-compliance/

This blog post updated 10/05/2015