Southeast Computer Solutions
Sage MAS 500 ERP

Newsletter for Sage MAS 500 ERP

May 2010 • Volume 8 • Issue 2


Headline News

 

Sage Software offers free Web seminars designed to help you better manage your business. Current offerings include:
  • Critical Compliance: Ensure Your Ability to Accept Credit Card Payments After July 1, 2010. PCI, PA-DSS, PCI DSS — What does it all mean for your business?
For the current Sage MAS 500 Webcast schedule or to register click here.

Content
Payment Card Industry (PCI) Standards
Dos and Don'ts of Data Storage
12 PCI DSS Requirements
PCI DSS and Sage MAS 500


Payment Card Industry (PCI) Standards

All Businesses Processing Credit Cards Must Comply
Credit card fraud has been a serious issue for some time now, fueled in part by the high volume of Web-based credit card transactions. The frequency of fraudulent activity continues to grow. According to the Privacy Rights Clearinghouse (www.privacyrights.org), more than 100 million records containing sensitive information have been exposed to theft since 2005, and the targets are not only large organizations. In fact, smaller organizations with less stringent security measures in place are easy targets for thieves.

Theft typically does not occur during the Internet credit card processing transaction itself; these transactions are encrypted in transit. Instead, thieves concentrate on breaking into databases that store a large number of credit card records, such as a business's accounting system. Lawmakers and regulatory bodies are doing their best to control credit card theft by enacting laws to protect personal information and to regulate the circumstances in which organizations must publicly report a data breach.

How compliance must be validated (a self-assessment questionnaire versus an on-site assessment) varies according to the number of transactions processed per year. However, all organizations that store, process, or transmit credit card data, regardless of size, must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations suffering a data breach can be fined by their credit card processor or acquiring bank if they were not in compliance with the standard. Here we provide a brief overview of the PCI DSS requirements.

Dos and Don'ts of Data Storage

You can store the primary account number (PAN), the cardholder name, and the expiration date, but this information must be protected per PCI DSS requirements (more on that later), and the PAN in particular must be rendered unreadable wherever it is stored. You may not store the card verification code, the three-digit value printed on the back of most cards (or the four-digit value printed on the front of American Express cards), variously called CAV2, CVC2, CVV2, or CID, after the transaction has been authorized. You also may not store the full magnetic stripe (track) data or the PIN or encrypted PIN block for debit cards, even if that data is encrypted.
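The following is an added example, written for this newsletter page rather than taken from Sage MAS 500 or any Sage code, showing what these storage rules look like in practice: the record that goes to disk keeps only the permitted fields, the PAN is reduced to a masked display form plus a keyed hash (the masking, truncation, and hashing methods named under requirement 3 later on this page), and the verification code and track data are dropped before anything is written. The PAN used is the well-known Visa test number, not real card data, and the HMAC key is a constructed placeholder standing in for a key that would come from a key-management system.

```python
"""Added illustration of PCI DSS storage rules. Not Sage code."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed placeholder key for the example. A real deployment obtains
# this from a key manager or HSM and rotates it; it is never hard-coded.
DEMO_HMAC_KEY = b"constructed-example-key-do-not-use-in-production"

# Well-known Visa *test* PAN (not a real account), used here as sample input.
TEST_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid primary account number")
    return digits


def mask_pan(pan: str) -> str:
    """Display form. PCI DSS permits at most the first six and last four
    digits to be shown; everything in between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form for records that only need to identify a card: last four."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable as a lookup token.
    An unkeyed SHA-256 would be brute-forceable: with the 6-digit issuer
    prefix known and the Luhn digit fixed, a 16-digit PAN has only ~10^9
    candidates, so the key is what makes the hash one-way in practice."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass
class CardInput:
    """What arrives from the card-entry form. cvv2 and track2 are needed
    only for the authorization request and must never be persisted."""
    pan: str
    cardholder_name: str
    expiry_mmyy: str
    cvv2: str
    track2: str = ""


# Fields that may never appear in a stored record, even encrypted.
FORBIDDEN_AT_REST = ("cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin")


def prepare_for_storage(card: CardInput) -> dict:
    """Build the only record that is allowed to reach the database."""
    pan = normalize_pan(card.pan)
    record = {
        "pan_masked": mask_pan(pan),
        "pan_last4": truncate_pan(pan),
        "pan_hmac": hash_pan(pan),
        "cardholder_name": card.cardholder_name,
        "expiry_mmyy": card.expiry_mmyy,
    }
    # Defensive check: fail closed if a forbidden field ever leaks into the record.
    leaked = [k for k in record if k.lower() in FORBIDDEN_AT_REST]
    if leaked:
        raise RuntimeError(f"refusing to store sensitive authentication data: {leaked}")
    return record


if __name__ == "__main__":
    sample = CardInput(TEST_PAN, "A. Cardholder", "1211", "123", "4111111111111111=12111011000012345678")
    print(prepare_for_storage(sample))
```

The `pan_hmac` column lets the accounting system match a returning card (for example, to link a refund to the original sale) without holding the PAN in clear; the `pan_masked` column is what a clerk sees on screen. Anything that must be able to recover the full PAN, such as recurring billing, needs reversible encryption with managed keys, which is outside what this example shows.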

12 PCI DSS Requirements

There are 12 components of PCI DSS requirements that fall into the following six main categories. All businesses processing credit cards are required to:

Build And Maintain A Secure Network — The first two requirements relate to the security of a company’s network.

1) Install and maintain a firewall configuration to protect cardholder data. A firewall must be present to control the computer traffic between a company’s internal network and untrusted external networks. It must examine all network traffic and block transmissions that do not meet specified security criteria — whether entering the system by way of the Internet as e-commerce, employees’ access through desktop browsers, employees’ e-mail access, dedicated connection such as business-to-business connections, or wireless networks.

2) Do not use vendor-supplied defaults for system passwords and other security parameters. Strong, unique system passwords should be set before a system is connected to the network, because default passwords and settings are well known in the hacker community.

Protect Cardholder Data — These requirements protect data as it is stored or transmitted.

3) Protect stored cardholder data using methods such as encryption, truncation, masking, and hashing. If an intruder gains access to encrypted data without the proper cryptographic keys, the data is unreadable and unusable to that person. PCI DSS is specific about what counts as acceptable protection: strong, industry-tested encryption algorithms with adequate key lengths, together with documented key-management procedures so that the keys themselves are protected. Sage MAS 500 has had credit card encryption in place for some time. In Sage MAS 500 Version 7.3, the encryption algorithms have been updated to meet the current PCI DSS standards.

4) Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program — These requirements cover the overall protection of your computer software.

5) Use and regularly update anti-virus software.

6) Develop and maintain secure systems and applications. When a software vendor, such as Microsoft, issues a security patch, it must be installed promptly.

Strong Access Control Measures — The next three requirements relate to access to information on your computer systems.

7) Restrict access to cardholder data by business need-to-know. Give access to cardholder data only to those who need it to complete their job responsibilities.

8) Assign a unique ID to each person with access to your computer or network. This helps ensure that each individual is uniquely accountable for his or her actions.

9) Restrict physical access to cardholder data. You must secure hard copies of cardholder data in a restricted access location.

Regularly Monitor and Test Networks — Even with a well-designed firewall and good anti-virus software, new vulnerabilities are discovered and exploited all the time. To track and prevent damaging activity:

10) Track and monitor all access to network resources and cardholder data. You must log user activities so you can detect and track down the cause of a possible data compromise.

11) Regularly test your security systems and processes.

Maintain an Information Security Policy — A strong security policy sets the security tone for the whole company and informs employees and contractors what is expected from them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.

12) Maintain a policy that addresses information security.

PCI DSS and Sage MAS 500

Sage MAS 500 Credit Card Processing v7.3 has been tested and verified as PA-DSS compliant. If you store credit card information in Sage MAS 500, it is advisable to upgrade to Version 7.3 as soon as possible to support your compliance with PCI DSS. Version 7.3 provides a utility for the safe and secure deletion of historical cardholder data: the new Purge Credit Card Data task. It is your responsibility to remove card validation values or codes and any other credit card data stored in previous versions of Sage MAS 500. The utility should also be run periodically, balancing your business retention needs against the PCI DSS requirement to keep stored cardholder data to the minimum needed.

Note: There is no additional charge for the Sage MAS 500 Credit Card Processing module when you use Sage Payment Solutions as the processor.

For additional information on how to implement Sage MAS 500 Version 7.3 in a PCI DSS-compliant manner, see the PA-DSS Implementation Guide for Sage MAS 500 Version 7.3 posted on the Sage MAS Online Community.

If you are unsure of your compliance with any of the other standards, give us a call.

© Copyright 2004-2010 Tango Marketing, LLC. www.tango-marketing.com All Rights Reserved. This newsletter and its content have been registered with the United States Copyright Office. This content is licensed by Tango Marketing LLC and can be distributed by licensee until 07/31/2010 at which time the licensee must cease distribution and use of this content unless permission in writing is obtained from Tango Marketing LLC. Reproduction in whole or in part without permission is strictly prohibited. The capabilities, system requirements and/or compatibility with third-party products described herein are subject to change without notice. Sage, the Sage logos, and the Sage product and service names mentioned herein are registered trademarks or trademarks of Sage Software, Inc., or its affiliated entities. All other trademarks are the property of their respective owners.