
Payment Card Industry (PCI) Compliance

There can be confusion between securing a device and being PCI compliant. People often assume that making a POS device as secure as possible will automatically make it compliant.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. More information on the PCI Data Security Standard can be found here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

Unfortunately, locking down the operating system is not enough to reach and retain PCI compliance, and sometimes these lockdown actions can even hinder compliance. PCI-DSS requirement 6.1 mandates that security updates be applied to systems in the field within 30 days of the security update's release. A system that does not receive updates leaves known vulnerabilities exposed to threats. Also, PCI-DSS requirement 5 requires that anti-virus software be deployed and updated regularly. You may be able to avoid these requirements if the systems do not process credit card data, but only a Qualified Security Assessor can make that call.

There are also requirements for user accounts, firewalls, handling of cardholder data, network topology, etc. that are part of a PCI assessment. There are hundreds of POS applications, and each has different requirements and handles payment data differently. We provide general guidance through whitepapers such as "Securing the Retail Store" and "Microsoft's Payment Card Industry Data Security Standard Compliance Planning Guide", but only the PCI Data Security Standard itself gives a detailed description of what is required to be compliant.

The PCI Security Standards Council has a Merchant & Service Providers Resource Center which contains references for Qualified Security Assessors (QSAs) as well as information on Self-Assessment to assist you as you implement your PCI compliance strategy.

-Terry