Guest Post by Bradley Cyprus, VendorSafe
There is an ugly truth in the world if you process your credit cards through your POS software. Businesses that fall under this model must understand that software alone, even if it meets the PCI requirements as dictated by PA-DSS (Payment Application Data Security Standard), is not enough by itself to make you PCI compliant. Having secure software is important but insufficient when it comes to PCI compliance.
The question this raises on the mind of the typical merchant is, “Why did I bother to upgrade my software if it is not enough for PCI compliance?” Well, the good news is that the money did not go to waste. A business running non-compliant software that processes credit cards has almost no chance of ever becoming PCI compliant. On the other hand, a business that is running validated software has taken an important first step on the path to securing their location, and if that same business shows the proper diligence, there is no reason that full PCI compliance cannot be achieved.
PCI has 12 main requirements (each of which has numerous sub-requirements), and POS software falls primarily under requirement 6 - Develop and Maintain Secure Systems and Applications. The other 11 requirements hardly mention software. The following items are just some specific examples of what else PCI demands:
1. Deploy and maintain a firewall between the credit card environment and public networks (such as the Internet).
2. If you use wireless, do so in a secure fashion.
3. Manage the access your employees have to sensitive data
4. Test your systems quarterly for vulnerabilities both externally and internally.
5. Train your employees upon hire and once a year thereafter about how to handle credit cards safely.
There are almost 300 total requirements in the PCI standard, so obviously the previous list is not exhaustive. However, it is clear that software is an important element when you are planning to secure your business, but do not fool yourself into thinking that it will solve all your problems. PCI has many parts, and while upgrading to a PA-DSS validated software package helps, you still have other needs when it comes to PCI. If you are not sure how to get started with this process, VendorSafe offers a few helpful tips on their blog “The Self Assessment Questionnaires are Huge – Here’s How to Get Started.”
About VendorSafe:
GRS has partnered with VendorSafe to provide a clients a comprehensive solution for PCI Compliance. For more than 20 years, Vendor Safe Technologies has developed, deployed, and supported innovative security technologies. The company’s patent-pending Self Configuring Firewall Architecture™ and Global Security Mesh™ / VPN enables PCI Levels2 and 4 merchants to become PCI compliant within 30 days at the lowest total cost of deployment and lowest total cost of ownership. Vendor Safe solutions are secured by the superior defenses of firewalls from Juniper Networks. Learn more by visiting the Vendor Safe website at www.vendorsafe.com.
