POSitive products and PCI compliance

If you accept credit card payments in your business, you are required to comply with the Payment Card Industry (PCI) Data Security Standard. This standard has been adopted by most major card brands, including Visa, MasterCard, American Express, Diners Club, Discover Network, and JCB. It sets out twelve requirements that merchants must meet in order to protect cardholder information.

This document is not intended to replace or stand in place of the PCI Data Security Standard and should not be exclusively relied upon to comply with the standard or with other requirements set out by your bank. POSitive strongly recommends reviewing the full text of the PCI Data Security Standard, available at https://www.pcisecuritystandards.org/.

We also strongly recommend installing POSitive products into a secure environment, according to current security best practices. Keep in mind that the use of POSitive products alone is not enough to comply with the PCI Data Security Standard. Consult with your dealer or IT professional if you need assistance.

How POSitive Software Products help with compliance

In order to help our users comply with the PCI Data Security Standard, and in order to pass the PCI audit, we have implemented the following features and security measures in our software:

Full magnetic stripe (track) data and CVV2 data are not retained. POSitive products do not store sensitive authentication data after authorization, and PINs are never stored. Account numbers are masked, encrypted or tokenized, or both masked and protected at rest. Beyond the time they have the customer's physical card in hand, store employees do not have access to full customer card numbers unless a security setting specifically authorizes them to view card data.

Cardholder information that was stored by previous releases of POSitive products is securely deleted when the database is upgraded to the latest release. If you are storing credit cards for recurring or "Card On File" purposes, the latest release ensures that all credit card data is securely encrypted.

Encryption keys can be replaced regularly, and old keys are not retained. Because old keys are discarded, any stored card data is re-encrypted under the new key when the key is changed; do not interrupt a key change while it is in progress.

POSitive software allows you to create a unique user account (employee ID and password) for each employee of the store. An employee cannot use the program without a user account, and these user accounts require passwords to log-in.

POSitive software maintains event logs that record each time an employee logs on to the program, when an invoice is created, when a credit card transaction is recorded, when a credit card is viewed, when a batch is settled, and when the credit card manager is accessed.

POSitive products can be implemented with confidence into a secure network environment. The program will not interfere with network address translation (NAT), port address translation (PAT), traffic filtering network devices, antivirus protection, patch or update installation, or the use of encryption.

POSitive POS products do not provide Internet access to stored cardholder data, and they do not require placement of the store database either on a Web server or in the "demilitarized zone" (DMZ) with the Web server.

POSitive POS products do not enable remote access.

Transmissions of cardholder data over public networks and the Internet are encrypted using Secure Sockets Layer (SSL) 128-bit safeguards. Note that the PCI Data Security Standard no longer accepts SSL or early TLS as strong cryptography; confirm with your dealer or processor that the version you run negotiates TLS 1.2 or later with your payment gateway.

POSitive POS products do not allow unauthorized users to view card numbers or to send cardholder information via e-mail messages.

Web-based or remote administration, including non-console administration, is not supported by POSitive POS products.

General recommendations

In this section, we'll provide some general recommendations for complying with the PCI Data Security Standard.

To ensure that you are fully compliant, read and implement the entire list of requirements in the PCI Data Security Standard. The standard includes very detailed and specific rules for merchants. It is available at https://www.pcisecuritystandards.org.

You should:

Disable or prohibit the use of the Microsoft SQL Server "sa" account when accessing the database. If you leave the account enabled, be sure to assign a complex password. If you make any changes to your database login, you will need to update your connection settings in POSitive. Contact Technical Support for instructions on how to do this.
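The following T-SQL is an added example written for this page; it is not POSitive's own script, and the database name [POSitiveStore], the login name [positive_app], and the password placeholder are assumptions. It disables "sa", creates a dedicated login for the POS application with only data access in the store database, and then queries the server catalog so you can verify the result. Whether POSitive needs more than read/write on the tables (for example, EXECUTE on stored procedures) is not stated on this page; check with Technical Support before changing the connection settings.

```sql
-- Added example (not POSitive's own script): harden the SQL Server "sa" login and
-- give the POS application its own least-privilege login.
-- Assumed names: database [POSitiveStore], login [positive_app]. Replace the
-- password placeholder with a long, randomly generated secret.
-- Requires SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER.

USE [master];
GO

-- 1. Disable "sa". If your environment cannot disable it, at least set a complex
--    password with Windows password policy enforced:
--    ALTER LOGIN [sa] WITH PASSWORD = '<long random secret>', CHECK_POLICY = ON;
ALTER LOGIN [sa] DISABLE;
GO

-- 2. Create a dedicated login for the POS application. Policy checking keeps the
--    password complex; expiration is off because the application cannot rotate its
--    own credential interactively (rotate it manually on your own schedule).
CREATE LOGIN [positive_app]
    WITH PASSWORD = 'Replace-With-A-Long-Random-Secret-1!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = [POSitiveStore];
GO

-- 3. Map the login into the store database with data access only: no schema
--    changes, no server-level rights. (Assumption: POSitive needs only table
--    read/write; grant EXECUTE on specific procedures if Technical Support says so.)
USE [POSitiveStore];
GO
CREATE USER [positive_app] FOR LOGIN [positive_app];
ALTER ROLE [db_datareader] ADD MEMBER [positive_app];
ALTER ROLE [db_datawriter] ADD MEMBER [positive_app];
GO

-- 4. Verify: list whether each login is disabled and whether it holds sysadmin.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin
FROM sys.sql_logins AS l
WHERE l.name IN ('sa', 'positive_app');
GO
```

Run the script as a member of sysadmin, then point POSitive's connection settings at [positive_app]. The verification query should show "sa" disabled and the application login outside the sysadmin role; if the application login ever needs sysadmin to function, treat that as a finding to raise with your dealer rather than a configuration to accept.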

Direct cashiers to log on to Windows using an account that does not have administrator access. For more information, search for "user accounts" in Windows Help.

Control access to all versions of POSitive and your store data by assigning a unique employee ID and password to each employee. Do not allow employees to share IDs or passwords.

Perform regular audits and spot-checks of employee activities and program access.

Periodically reset the encryption key for the store database. You can re-set the key by accessing the Credit Card Manager. The ability to change the encryption key is restricted by a security setting.

If you choose to use wireless connections, make sure you are doing so in accordance with PCI requirements. For example, change the defaults on your wireless modem or router. These defaults might include (but are not limited to) the default service set identifier (SSID), administrator passwords, SNMP community strings, or other settings. Use WiFi Protected Access (WPA2 or later) with a strong passphrase for encryption and authentication; Wired Equivalent Privacy (WEP) is broken and is prohibited by the PCI Data Security Standard, so do not treat changing a WEP key as a fix. Disabling SSID broadcasts is optional and provides little protection on its own.

Refrain from storing cardholder data in plain text on servers or computers that are connected to the Internet.

The PCI Data Security Standard requires that each server implement only one primary function, so the store database should run on a dedicated database computer rather than sharing a machine with, for example, a web server or a cashier workstation.
