Intro to PCI Compliance

Transcription

1 Intro to PCI Compliance And the role Stone Edge V7.1 plays in helping you achieve that goal Monsoon Commerce. All rights reserved.

2 What is PCI? PCI stands for Payment Card Industry In 2006, major financial companies American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International formed the Payment Card Industry Security Standards Council (PCI-SSC). The purpose of the council was to create Payment Card Industry Data Security Standards (PCI- DSS) to reduce fraud and other threats to cardholder data.

3 What is PA-DSS? PA-DSS stands for Payment Application Data Security Standards Every application that handles or stores credit card data must undergo a certification process to prove their software can be implemented in accordance with the PCI-DSS guidelines The Monsoon Commerce Payment Module is certified as PA-DSS compliant Stone Edge 7.1 uses the Monsoon Commerce Payment Module to process payments

4 What are the PCI-DSS Requirements? There are 12 general requirements to which you must adhere to be PCI compliant: Install and maintain a firewall to protect cardholder data Do not use vendor supplied system passwords or parameters Protect stored card holder data Encrypt transmission of cardholder data across open, public networks Use and regularly update antivirus software Develop and maintain secure systems and applications Restrict access to cardholder data by business need to know Assign unique ID to each person with computer access Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for all personnel

5 How can I become PCI Compliant? Simply installing Stone Edge Version 7.1 with the Payment Module does not make your business PCI compliant There are many other internal business application and practices to be reviewed and updated in order to meet PCI requirements You may want to hire a PCIP to help you assess your other business practices for PCI compliance Stone Edge 7.1 is an integral part of becoming PCI compliant because it does not require full credit card information to process payments through the Payment Module, which is included with SE 7.1 More information can be obtained by visiting There are many publications listed there but you may want to download and review the following: PCI-DSS Requirements and Security Assessment Procedures Version 2.0 PCI-DSS and PA-DSS Glossary Version 2.0

6 What role does Stone Edge Version 7.1 play in PCI Compliance? Every location in Stone Edge Version 7.1 processes credit card transactions using the Monsoon Commerce Payment Module, which is PA-DSS certified This means that Stone Edge no longer requires full cardholder data to process a credit card payment, eliminating the potential theft of credit card data stored in our application In fact, neither application stores full credit card data in any of their tables. The first six and the last four digits of the credit card number are viewable for customer service purposes. The Implementation Guide for Stone Edge V7.1 and the Payment Module not only provides information about installing our programs in a PCI Compliant manner, but it also provides instructions to implement the PCI directives for securing other aspects of your software environment (Windows, SQL, etc.) and your network configuration.

7 About the Payment Module The Payment Module is included free of charge with Stone Edge Version 7.1 The Payment Module requires its own SQL database An installer for the free SQL Express application is included for your convenience with the Payment Module. If you already have SQL Server you may use that instead of SQL Express You can install SQL Express on a workstation, rather than purchasing a costly server. Be sure to select a unit that has adequate system resources (processor speed, RAM, etc.), and is not already supporting a heavy workload The workstation acting as the server or host of the SQL instance must be accessible to all workstations running Stone Edge

8 How can Stone Edge process payments without the full credit card number? Stone Edge 7.1 uses tokenization to process credit card transactions Tokenization is the process by which a payment processor provides the merchant with a unique identifier or token which can be used in place of full cardholder data (Account #, Expiry, CVV, etc.) to process a payment Some payment processors actually give you a Token, while others allow you to use the Transaction ID of a previous payment as a Reference Transaction

9 Examples of gateways that support tokenization Gateways that provide customer data management services gateway stores the payment information in exchange for a Token (one or more data points) that can be used to run new transactions. Data in the customer management system is not limited in duration (except for card expiration date). AuthorizeNet CIM CyberSource USAePay Gateways that permit reference transactions gateway can accept a TransactionID (aka Token) from a previous auth/sale/credit transaction and will use the payment data from the previous transaction against the new transaction. Reference transactions are limited in use to the length of time the gateway maintains the previous transaction (typically months). PayPal Payflow Pro USAePay Yahoo

10 What are the requirements for upgrading to Stone Edge Version 7.1? You must already be running Stone Edge Version 7.0 You must install SQL Server or SQL Express for the Payment Module database If you have an existing SQL instance for your store data file, you may use it for the Payment Module database as well SQL Express, while free, is only for smaller businesses, as it has some limitations

11 What are the steps to upgrade to Stone Edge Version 7.1? Obviously, the new software must be installed and configured. Most payment related system parameters have been moved from Stone Edge to the Payment Module. Existing Stone Edge users can continue to use their current store data file, but the credit card data must be masked or cleansed. We provide a Data Migration Utility to cleanse the credit card data in the old store data file and transfer Transaction history to the new Payment Module database. We recommend transferring only data within your return period, as it directly impacts the time the migration takes to complete. We recommend keeping a single copy of the current store file and only until the migration process is completed successfully. Additionally, you must identify any backup copies of the store data file and any archive files that you have, either onsite or offsite. These must also be cleansed by the utility if you intend to keep them. Remember to use a secure deletion tool, such as Microsoft SysInternals, to delete any of these files.

12 Processing payments through Stone Edge Version 7.1 The only change to your normal workflow process is that for electronic payments, you must open the Payment Module interface rather than executing the transaction directly at the Payment tabs of Manual Orders, View Orders or POS interface. The interface is opened by a new button, Payment Module, on the Payment tabs of Manual Orders, Point of Sale, and View Orders screens. Once the Payment Terminal is opened, you can make changes or selections prior to submitting the transaction to the payment gateway for processing. When finished, the Payment Terminal closes and you return to the Stone Edge screen to continue your order processing. Multi-order Processor, Fill Backorders, and Pack & Ship all use the Payment Module in the background (no user interface) as in previous versions of Stone Edge.

13 Let s take a closer look For those of you that are not yet running Stone Edge 7.0, the next few slides show the process of creating a Manual Order and how to open the Payment Module to process a credit card transaction. We ll also show how to invoke the Payment Module from Process Orders and the POS system.

14 Add customer information to an order

15 Add a line item to the order

16 Add or review billing information

17 Add or review shipping information

18 Add messages or notes to the order

19 Add custom field information to the order

20 Add payment information to the order

21 Process the sale transaction

22 View the summary and save the order

23 Process Orders (View Orders) Payment tab

24 Point-of-Sale Keypad tab

25 Point-of-Sale Payment tab

26 Payment Module Main Menu

27 Getting Ready The Implementation Guide will help you get ready for migration to 7.1 A must-read for going to pages of helpful information. Defines security requirements. States how to configure your networks and machines so that they comply with the requirements for the Stone Edge PA- DSS certification. Discusses how migration to 7.1 works.

28 Roll Out Approach Because of the complexity of the installation, the wiping of data, and the need to coordinate updates to the cart scripts to communicate with the PCI compliant version, we are doing a controlled rollout. We will be proceeding on a cart by cart basis, with the first cart being Miva. We will proceed through the supported cart list John Seaner discussed in his mailing on PCI. Our Product Manager, Carter Jones will also provide details in the future about this roll-out process.

29 Roll Out Execution Upgrades will be scheduled to ensure that there are sufficient resources to address any issues that arise. Because an incorrect conversion can knock a business completely offline, the PCI release will not be on the Download Gateway. We are offering a service to do the migration for customers to minimize risks.

30 Upgrade Options Enterprise Customers 5.9 and 7.0 PCI conversion easier since SQL is already in use on Enterprise systems. Lowest cost for migration service Lowest year over year support costs Standard Customers 5.9 and 7.0 PCI conversion is more difficult since SQL must be installed. Going forward, two database systems (Access and SQL) must be supported and synchronized. Highest PCI migration costs and year over year support costs Strongly recommend upgrade to Enterprise Enterprise Customers who cannot migrate from 5.9 If business reasons (e.g. customizations) prevent migration, 5.9 Enterprise users can purchase the payment module and integrate on their own. Requires you to implement in a manner that meets PA-DSS/PCI requirements Requires you to work with a QSA/PCI consultant to determine your final compliance state.

31 DIY Migration DIY migration is strongly discouraged Significant risk of business interruption Significant risk of data loss Problems during, or caused by, DIY migration are not covered by technical support contracts. All assistance is provided at rate of $175/hr. DIY migration is by request only and the user accepts all responsibility.

32 Custom Cart Integrations The Stone Edge Developers guide has been updated for 7.1 If you have written your own integration to Stone Edge, you can request the Developers Guide and update your code.

33 FAQs Do I have to install the Payment Module on each workstation? Yes Can I still use an Access store data file? Yes Does the Payment Module have to be open in order for Stone Edge to process a payment? No, but you will be prompted to sign in with Payment Module credentials before a payment can be processed

34 Summary Don t panic take action to protect your business! Consult an expert if you are unsure or unable to make the changes necessary to attain PCI Compliance. Remember - installing Stone Edge Version 7.1 with the Payment Module is only one small piece of the PCI Compliance puzzle.

35 Resources PCI-DSS Website Stone Edge 7.1 Knowledge Base Stone Edge PCI Implementation Guide Found in the Additional Information section of Stone Edge System Requirements