March 9, 2009
-
Steps to Visa PCI Compliance, Pt.3
POS systems must store only what's needed.

More guidelines for credit card-accepting merchants:
- Authorized Service: Only allow authorized service professionals to open or service POS terminals. Keep a close watch on who has access to credit card PIN encryption devices, and secure them so they cannot be removed, modified, or replaced unnoticed. This applies to all locations.
- Report Immediately: Any time a credit card PIN device or encryption device is found to have been tampered with, don't take the risk: stop using it and report the incident to Visa, local law enforcement, or both.
- Payment applications: Ensure your credit card payment applications are up to snuff. Merchants can verify this at http://www.visa.com/cisp to confirm that the application they run has been validated against the PABP (Payment Application Best Practices) standard.
- Starting new or changing: For merchants in the market for a new credit card system, the same CISP site provides a list of all the vendors and applications that have already been validated. Validation must be performed by a Visa-approved Security Assessor.
- Stripe Data: When a card is swiped, everything on the magnetic stripe is read in, and the individual fields are then parsed out: PAN, cardholder name, expiration date, service code and discretionary data (the discretionary data is where the card verification value lives). Most POS software not only handles all of that information but, in its default configuration, keeps and stores all of it. A new POS system left at its defaults will almost certainly not be in compliance with the CISP standard; the extra step of configuring it to discard what it is not allowed to keep has to be taken.
After a transaction has been approved, most of that sensitive card data is no longer needed. In fact, the CISP standard requires that, of the track data, only the PAN (the card number), the card expiration date and the cardholder name may remain stored after approval; full track contents, card verification values and PIN blocks must be discarded. The PAN that is kept must itself be protected: rendered unreadable where it is stored and masked wherever it is displayed. Each merchant is responsible for ensuring compliance to avoid penalties, which can be substantial.
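To make the retention rule concrete, here is an added example (not code from the original post or from any POS vendor) that parses raw Track 1 / Track 2 magnetic-stripe data, shows every field the swipe actually delivers, and then builds a storage record whose type can only hold the PAN, expiry and cardholder name. The track layouts follow the ISO/IEC 7813 conventions; the swipe strings are constructed test data using the public Visa test number 4111 1111 1111 1111, and the function and class names are the example's own. Protecting the retained PAN at rest (encryption or tokenization) is a separate control and is not shown.

```python
"""Parse magnetic-stripe track data and keep only what may be stored after approval.

Constructed example: the track layouts follow ISO/IEC 7813; the test PAN
4111111111111111 is a public Visa test number, not a real account.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service_code>\d{3})(?P<discretionary>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})"
    r"(?P<discretionary>[^?]*)\?$"
)


def parse_track(raw: str) -> Optional[dict]:
    """Return every field the stripe carries (what a POS reads), or None if it
    does not parse. The discretionary data is where the card verification value
    and PIN verification data live, which is why full track data must never be
    written to disk."""
    m = TRACK1_RE.match(raw) or TRACK2_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields.setdefault("name", None)  # Track 2 carries no cardholder name
    return fields


def luhn_valid(pan: str) -> bool:
    """Luhn check so a corrupt or mis-read swipe is rejected before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """The only track-derived fields that may persist after authorization.
    There is deliberately no slot for service code or discretionary data."""
    pan: str
    expiry_yymm: str
    cardholder_name: Optional[str]


def retain_after_authorization(raw_track: str) -> StoredCard:
    """Parse a swipe and return the post-approval record, dropping everything
    the merchant is not permitted to keep."""
    fields = parse_track(raw_track)
    if fields is None:
        raise ValueError("unrecognised track data")
    if not luhn_valid(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    name = fields["name"].strip() if fields["name"] else None
    return StoredCard(pan=fields["pan"], expiry_yymm=fields["expiry"],
                      cardholder_name=name)


def mask_pan(pan: str) -> str:
    """Display form for receipts and logs: first six and last four digits only."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    swipe = "%B4111111111111111^DOE/JOHN^25121011000000000000?"  # constructed
    print("read from stripe:", parse_track(swipe))
    card = retain_after_authorization(swipe)
    print("kept after approval:", card)
    print("for display:", mask_pan(card.pan))
```

The point of the frozen dataclass is that the retention decision is made by the data model rather than by whoever writes the persistence code later: a `StoredCard` simply has nowhere to put the service code or the discretionary data, so a future "just log the whole swipe for debugging" change has to go out of its way to violate the rule.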
