The Payment Card Industry has developed a set of Data Security Standards (PCI DSS) which must be met by any company that processes, transmits, or stores cardholder data. Though there are more than 50 types of POS software available on the market in New Zealand today, only two POS software suites are PCI DSS-certified for use in a retail environment.
Most resellers and merchants are not aware of this fact, or of the full scope of PCI DSS compliance. So while the types of compliant software that may be sold are highly constrained, designing a PCI DSS-compliant POS system and network has enormous sales potential. Businesses are starting to make smart buying decisions by purchasing from resellers that understand PCI DSS, protect cardholder data and assist merchants in gaining and maintaining compliance.
What is PCI DSS?
The PCI DSS standards were created in 2004 by a council of five major payment card companies – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa – to reduce the risk of credit card fraud and ensure baseline security is in place at their partner businesses. These standards include twelve criteria, covering everything from physical security to the development of policies and documentation. All criteria must be met by the merchant and their computer network in order to be compliant; this is verified either through a third-party audit or by self-assessment with a questionnaire. In all, there are up to 212 technical line items that must be checked.
These original PCI DSS protocols were recently revised to version 2.0, offering an opportune time for resellers to open a dialogue with their customers about payment card security.
Examining the POS system
First, a short review of how most modern POS systems work. There are three main components: a terminal or cash till to calculate price and keep track of stock, an accompanying handset where EFTPOS and credit cards are swiped for payment – also known as PIN Entry Devices (PEDs) – and a back office computer that monitors the entire system and reports on sales and transactions. All can be areas of focus for PCI DSS.
Since it is the PEDs that process and transmit card data, these are always subject to PCI DSS audit. Though they arrive from the manufacturers certified under the Payment Application Data Security Standards (PA DSS), this does not necessarily mean that they will be installed in a PCI DSS-compliant environment. As soon as the PED devices are physically connected to the POS terminal or cash till, that connection brings the terminal into the scope of compliance.
It’s a situation that can quickly snowball to bring an organisation’s entire computer network into review for PCI DSS compliance and auditing. While it’s not impossible to set up and maintain a PCI DSS-compliant network, it requires ongoing vigilance that escapes all but the most wary IT administrators.
The average POS system stays in place at a business for seven years. That’s an eternity in IT terms; the typical desktop system gets replaced every three. But looking at it in broader security terms, think of the threats and vulnerabilities that have emerged in that time; how well could a seven-year-old system be protecting a business?
New Zealand is one of the few countries with no disclosure laws for card data breaches, hiding the true scope of the problem. Resellers not fully versed in PCI DSS compliance are sometimes managing networks for retailers and mistakenly believe that they don’t need to work toward PCI DSS because their PEDs meet PA DSS.
So what’s the answer?
There are several things resellers can do to better serve their customers and ensure POS systems and software are PCI DSS compliant.
Use a certified POS software suite. Information on approved software packages is available on the PCI Council’s website: www.pcisecuritystandards.org.
Segment the network. There are solutions and hardware available on the market today that can keep the payment systems and open computer networks segregated and out of the scope of PCI DSS compliance. The smaller the network, the easier it is to maintain and certify.
Monitor for swapped units. A favourite tactic of card fraud thieves is to swap out a PED for a compromised one that skims card data. Build retail systems with safeguards in place that monitor and block unauthorised devices on the network.
Keep patches up to date. It’s not just good practice from a security perspective, it’s imperative under PCI DSS that all software security patches are continually applied and anti-virus remains up to date.
Test, document and certify. Test all changes to the network and software rigorously, document everything and certify that the changes still meet PCI DSS criteria. The audits are as much about process as they are about technology.
Partner with PCI DSS-compliant companies. Work with companies that understand PCI DSS and can give you the right information about your needs when it comes to security and compliance.
When in doubt, cut it out. If you’re ever unsure of the network security in place at the POS, consider removing its external access capabilities and contacting a consultant for an evaluation.
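As an added example of the swapped-unit monitoring recommended above (this is not code from the original article or from any vendor), the following Python check compares PED heartbeat log lines against an authorised inventory and raises an alert when an unknown MAC address appears or a known device reports a serial number other than the one registered to its till. The log format, inventory and sample lines are all constructed assumptions.

```python
"""Detect unexpected or swapped PIN entry devices (PEDs) on a payment LAN
by comparing observed devices with an authorised inventory.
Assumption: each PED reports its MAC address and serial number (for example
via a DHCP lease or a terminal heartbeat); the log lines and inventory
below are constructed for this example, not taken from a real system."""
from dataclasses import dataclass

# Constructed authorised inventory: MAC -> (serial, till name).
AUTHORISED_PEDS = {
    "00:11:22:33:44:01": ("PED-SN-1001", "till-1"),
    "00:11:22:33:44:02": ("PED-SN-1002", "till-2"),
}

# Constructed heartbeat log: "<timestamp> ped mac=<mac> serial=<serial>".
SAMPLE_LOG = """\
2024-01-10T09:00:01 ped mac=00:11:22:33:44:01 serial=PED-SN-1001
2024-01-10T09:00:02 ped mac=00:11:22:33:44:02 serial=PED-SN-9999
2024-01-10T09:00:03 ped mac=00:11:22:33:44:03 serial=PED-SN-1003
"""

@dataclass(frozen=True)
class Alert:
    kind: str      # "unknown_device" or "serial_mismatch"
    mac: str
    serial: str
    detail: str

def parse_line(line: str):
    """Return (mac, serial) from one heartbeat line, or None if malformed."""
    fields = dict(f.split("=", 1) for f in line.split()[2:] if "=" in f)
    if "mac" not in fields or "serial" not in fields:
        return None
    return fields["mac"].lower(), fields["serial"]

def check_devices(log_text: str, inventory=AUTHORISED_PEDS):
    """Compare every observed PED with the inventory; return a list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        mac, serial = parsed
        if mac not in inventory:
            # A device that was never registered: block its switch port and investigate.
            alerts.append(Alert("unknown_device", mac, serial, "MAC not in inventory"))
            continue
        expected_serial, till = inventory[mac]
        if serial != expected_serial:
            # Same network identity, different hardware: possible swapped/skimming unit.
            alerts.append(Alert("serial_mismatch", mac, serial, f"{till}: expected {expected_serial}"))
    return alerts

if __name__ == "__main__":
    for alert in check_devices(SAMPLE_LOG):
        print(alert)
```

In a deployment the inventory would be fed from the asset register used for the PCI DSS device-inventory evidence, and each alert would go to the retailer's monitoring system rather than to stdout.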
The retail sector needs to have a serious look at PCI DSS and the new security requirements in place. Some merchants must be compliant with PCI DSS now and all merchants will be required to be PCI DSS compliant in the next few years. There are companies in the market today offering affordable PCI compliance solutions, so if you’re making a change to your payment environment you should be looking at implementing PCI compliant solutions now. It’s a smarter business decision than suffering a security breach or having to redesign and reconfigure a network later.