Is it possible to process credit cards through GP without using a third party product? I'm told that GP 2013 R2 is not PCI compliant for that feature to work.
You would be best creating this as a new question on the Dynamics 365 forum:
https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum
where more people with that particular product specialism are to be found.
[quote user="fjackson26"]Is it possible to process credit cards through GP without using a third party product? I'm told that GP 2013 R2 is not PCI compliant for that feature to work.[/quote]
Tim.
Hi there, and what about in Dynamics 365? What would be the best way to process credit card payments? 3rd party as well? Thanks!
No, you need a third party product like Credit Card Advantage by Nodus Technologies. 909-482-4701 ext 227
Tim is, of course, correct. (Tim - thank you for your most thorough answer!)
I should have phrased my answer a little differently: To help with PCI compliance you really want to use a 3rd party app for credit card processing. Something that allows tokenization is optimal.
PCI {shudders}
PCI DSS compliance is very misunderstood. GP does not natively store and transmit the "card holder data" in a protected, encrypted way. However, you cannot buy PCI DSS compliance out of a box (it only helps with some of it).
Getting compliant is about the all-encompassing environment, from the person taking the card details to the card processor. This means checking things like whether your internal phone system is actively prevented from recording calls containing card numbers (or portions of them), through to securing things with locks, and making certain everyone is documented as trained never to write down any card numbers etc. (as that would be classed as storing them...).
The network must be secure, certified as penetration tested, and isolated; it is very tough, even if, like us, you don't store the card holder details and merely transmit them. We use a card processing provider that tokenises the card details so we don't store them, but we still must comply to a certain level as we enter them from Telesales.
If we brought the whole building and network into PCI scope it would be prohibitively expensive; instead we reduce the scope by running a separate, compliant, high-security network on a different LAN.
Web orders are easier, as the user enters the card details into the card processor's website, so we take advantage of their compliance; we then get a token back that represents that card whenever we want to use it.
Below, each of these single high-level requirements breaks down into pages of detail, some of which makes you squirm thinking how you will comply. I am convinced that a large percentage of companies that are signing themselves off as compliant are choosing to look the other way and cannot be, or are paying PCI consultants that are mis-advising. So if you are serious about being PCI compliant, you have a bit of work ahead, and it, much like a quality system, has to be managed and continuously run with audit checks and training for new starters and continuous refreshers for everyone else.
Go read the standards at https://www.pcisecuritystandards.org/document_library (PCI DSS v3.2 is current).
Quoted from http://www.theukcardsassociation.org.uk/security/what_is_PCI%20DSS.asp
There are 12 high level requirements, and they fall into the six categories below:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored data (use encryption)
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses Information Security
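The post above describes keeping the PAN out of the merchant's own systems: the processor tokenises the card, the merchant stores only the token, and staff are trained never to write card numbers down. Added example (not code from the thread or from any product mentioned in it): a merchant-side guard that persists only a processor token plus the last four digits, and scrubs Luhn-valid card-number runs out of free-text fields such as telesales notes before they are stored. The token format, record fields and sample note are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens; no trailing separator.
PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")

def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out order numbers and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card-number run in free text; return (clean_text, hits)."""
    hits = 0
    def mask(m: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)               # not a card number, leave it alone
        hits += 1
        return f"[PAN REDACTED ****{digits[-4:]}]"
    return PAN_CANDIDATE.sub(mask, text), hits

@dataclass(frozen=True)
class StoredPayment:
    token: str      # processor-issued token, the only card reference we keep
    last4: str      # displayable fragment permitted by PCI DSS
    notes: str      # free text, already scrubbed

def store_payment(token: str, last4: str, notes: str) -> StoredPayment:
    """Accept a processor token plus notes; refuse anything that is really a PAN."""
    stripped = re.sub(r"[ -]", "", token)
    if stripped.isdigit() and 13 <= len(stripped) <= 19 and luhn_valid(stripped):
        raise ValueError("token field holds a card number, not a token; refusing to store")
    if not (len(last4) == 4 and last4.isdigit()):
        raise ValueError("last4 must be exactly four digits")
    clean, _ = redact_pans(notes)
    return StoredPayment(token, last4, clean)

# Constructed sample: a telesales note where the agent typed the card number in.
SAMPLE_NOTE = ("Customer read card 4111 1111 1111 1111 over the phone, exp 12/27; "
               "ref PO 1234567890123456")

if __name__ == "__main__":
    print(redact_pans(SAMPLE_NOTE))
    print(store_payment("tok_constructed_8f3a", "1111", SAMPLE_NOTE))
```

The 16-digit PO number survives because it fails the Luhn check, while the Visa-style test number is masked; a run of this scrubber over existing note and memo fields is also a quick way to find card data that has already leaked into scope.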
My understanding is that for PCI compliance you must use a 3rd party product. I would recommend Credit Card Payments by Blue Moon.
Please follow the link below; I hope this will help you out:
victoriayudin.com/.../using-credit-cards-to-pay-vendors-in-dynamics-gp