Sage MAS 500 Newsletter – Volume 8 – Issue 2

Sage MAS 500 ERP

Newsletter for Sage MAS 500 ERP

May 2010 • Volume 8 • Issue 2

Headline News

Sage Software offers free Web seminars designed to help you better manage your business. Current offerings include:

• Critical Compliance: Ensure Your Ability to Accept Credit Card Payments After July 1, 2010. PCI, PA-DSS, PCI DSS — What does it all mean for your business?

For the current Sage MAS 500 Webcast schedule or to register click here.

Payment Card Industry (PCI) Standards

All Business Processing Credit Cards Must Comply

Credit card fraud has been a serious issue for some time now, fueled in part by the high volume of Webbased credit card transactions. The frequency of fraudulent activity continues to grow. According to the Privacy Rights Clearinghouse (www.privacyrights.org), more than 100 million records containing sensitive information have been exposed to theft since 2005, and the targets are not only large organizations. In fact, smaller organizations with less stringent security measures in place are easy targets for thieves.

Theft typically does not occur during the Internet credit card processing transaction itself — these transactions are well encrypted. Instead, thieves concentrate on breaking into databases that store a large number of credit card transactions, such as a businesses’ accounting system. Regulatory bodies are doing their best to control credit card theft by enacting laws to protect personal information and to regulate the circumstances in which organizations must publicly report a data breach.

Compliance requirements vary according to the number of transactions processed per year. However, all organizations processing credit card data, regardless of size, must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations suffering a data breach could be fined by their credit card processor if they fail to comply with the standard. Here we provide a brief overview of the PCI DSS requirements.

Dos and Don’ts of Data Storage

You can store the primary account number, the cardholder name, and expiration date, but this information must be protected per PCI DSS requirements — more on that later. You may not store the three-digit code on the back of the card, variously called CAV2, CVC2, CVV2, or CID. You also may not store the full magnetic stripe data or PIN information for debit cards.

12 PCI DSS Requirements

There are 12 components of PCI DSS requirements that fall into the following six main categories. All businesses processing credit cards are required to:

Build And Maintain A Secure Network — The first two requirements relate to the security of a company’s network.

1. Install and maintain a firewall configuration to protect cardholder data. A firewall must be present to control the computer traffic between a company’s internal network and untrusted external networks. It must examine all network traffic and block transmissions that do not meet specified security criteria — whether entering the system by way of the Internet as e-commerce, employees’ access through desktop browsers, employees’ e-mail access, dedicated connection such as business-to-business connections, or wireless networks.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Strong system passwords should be used, the default passwords and settings are well known by the hacker community.
   Protect Cardholder Data — These requirements protect data as it is stored or transmitted.
3. Protect stored cardholder data using programming methods such as encryption, truncation, masking, and hashing. If an intruder gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. The particular encryption algorithms that must be used are very specific. Sage MAS 500 has had credit card encryption in place for some time.
   In Sage MAS 500 Version 7.3, the encryption algorithms have been updated to meet the new PCI DSS standards.
4. Encrypt transmission of cardholder data across open, public networks. Vulnerability Management Program — These requirements cover the overall protection of your computer software.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications. When a software vendor, such as Microsoft, issues a security patch, it must be installed promptly.
   Strong Access Control Measures — The next three requirements relate to access to information on your computer systems.
7. Restrict access to cardholder data by business need-to-know. Give access to cardholder data only to those who need it to complete their job responsibilities.
8. Assign a unique ID to each person with access to your computer or network. This helps ensure that each individual is uniquely accountable for his or her actions.
9. Restrict physical access to cardholder data. You must secure hard copies of cardholder data in a restricted access location.
   Monitor and Test Networks — Even with a well-designed firewall and good anti-virus software, new vulnerabilities are being created all the time by malicious individuals. To track and prevent damaging activity:
10. Track and monitor all access to network resources and cardholder data. You must log user activities so you can detect and track down the cause of a possible data compromise.
11. Regularly test your security systems and processes.
    Maintain an Information Security Policy — A strong security policy sets the security tone for the whole company and informs employees and contractors what is expected from them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
12. Maintain a policy that addresses information security.

PCI DSS and Sage MAS 500

Sage MAS 500 Credit Card Processing v7.3 has been tested and verified as being PA DSS compliant. If you store credit card information in Sage MAS 500, it is advisable to upgrade to Version 7.3 as soon as possible to ensure your compliance with PCI DSS. Version 7.3 provides a utility for the safe and secure deletion of historical cardholder data — the new Purge Credit Card Data task. It is your responsibility to remove card validation values or codes and any other credit card data stored in previous versions of Sage MAS 500. The utility also should be used periodically to remove data, based on maintaining a balance between business needs and PCI compliance.

Note: There is no additional charge for the Sage MAS 500 Credit Card Processing module when you use Sage Payment Solutions as the processor.

For additional information on how to implement Sage MAS 500 Version 7.3 in a PCI DSS-compliant manner, see the PA-DSS Implementation Guide for Sage MAS 500 Version 7.3 posted on the Sage MAS Online Community.

If you are unsure of your compliance with any of the other standards, give us a call.