2010 User Conference, April 23rd – 25th, Philadelphia, PA. PCI Compliance & Security. Presented By: Kevin Smith & Mark Setzer, Stone Edge Technologies, Inc. April 24, 2010, 10:30 AM – 12:00 PM

2010 User Conference, April 23rd – 25th, Philadelphia, PA

PCI Compliance & Security

Presented By:

Kevin Smith & Mark Setzer

Stone Edge Technologies, Inc.

April 24, 2010 10:30 AM – 12:00 PM


PCI PA-DSS Compliance

The Stone Edge Order Manager Payment System

Presented By:

Kevin Smith

Senior Developer, Stone Edge Technologies, Inc.

April 24, 2010 10:30 AM – 12:00 PM


PA-DSS?

• Payment Application Data Security Standard
• Created and Maintained by the PCI Security Standards Council; Enforced by the Card Brands Through Their Acquirers
• Liability Concerns as a Merchant
• Impacts Applications That Store, Process or Transmit Cardholder Data
• Certification Needed for Gateway Access
• Deadlines!


Dilemma!

• Is the Order Manager Certifiable?
  – Security Concerns
  – Time & Cost of Certification
  – Versioning Considerations
• Questions
  – To Store or Not To Store
  – Long Term Issues and Liabilities
  – Third Party Integration Concerns


Management Decision

• New Payment System
  – Simplicity (KISS – OOPS!)
  – Limited Versioning
  – Data Isolation
  – Encryption Concerns
  – Code Centralization
  – Formalized Process Flow
  – Streamline Processor Integrations
  – Achieve Certification


[Diagram: the original payment flow. Each Order Manager entry point (Import, MOP, View Orders, Manual Orders, POS, Order Approval, Pack & Ship) called its own copy of CCProc, with the data action rules, the email of the payment result and the gateway code duplicated for every entry point in the user interface and/or code.]


[Diagram: the new payment flow. The same entry points (Import, MOP, View Orders, Manual Orders, POS, Order Approval, Pack & Ship) all call a single CCProc, which handles data collection, action, rules, result analysis, recording the payment and email, then invokes the processor code and returns the RESULT.]


Impact On Your Operations

• No Permanent Card Data Storage
• Less Liability
• Repeat Customers
  – Card Data Tokenization
  – Gateway Customer Management Systems
  – Payment Data From Website
• Partial Shipments & Subscriptions
• A Few Extra Clicks
• New Interface
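What "no permanent card data storage" plus tokenization looks like at the database layer, as an added T-SQL example that is not Stone Edge code and not the Order Manager's schema: the table can only hold the gateway's token and the display data a repeat customer needs (brand, last four digits, expiry), there is no column for the PAN, CVV or track data, and the one procedure that writes the table refuses any value that still looks like a full card number. All table, column, view and procedure names, the gateway name, the customer ID and the token string are hypothetical; the rejected input uses a well-known test card number, not a real one.

```sql
-- Added example, not Stone Edge code. Schema, names and sample data are hypothetical.
-- Written for SQL Server 2008 (RAISERROR rather than THROW).

CREATE TABLE dbo.CustomerPaymentToken (
    PaymentTokenID  INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    CustomerID      INT           NOT NULL,
    GatewayName     NVARCHAR(50)  NOT NULL,  -- which processor issued the token
    GatewayToken    NVARCHAR(128) NOT NULL,  -- opaque reference, meaningful only to that gateway
    CardBrand       NVARCHAR(20)  NOT NULL,
    CardLast4       CHAR(4)       NOT NULL,  -- display only, never the full PAN
    ExpMonth        TINYINT       NOT NULL,
    ExpYear         SMALLINT      NOT NULL,
    CreatedUtc      DATETIME2     NOT NULL
        CONSTRAINT DF_CustomerPaymentToken_CreatedUtc DEFAULT (SYSUTCDATETIME()),
    -- Exactly four digits; CHAR(4) pads shorter input with spaces, which this rejects too.
    CONSTRAINT CK_CustomerPaymentToken_Last4
        CHECK (CardLast4 NOT LIKE '%[^0-9]%'),
    -- A bare run of 13 to 19 digits is the shape of a PAN, not of a token.
    CONSTRAINT CK_CustomerPaymentToken_NotPAN
        CHECK (NOT (GatewayToken NOT LIKE '%[^0-9]%' AND LEN(GatewayToken) BETWEEN 13 AND 19)),
    CONSTRAINT CK_CustomerPaymentToken_Expiry
        CHECK (ExpMonth BETWEEN 1 AND 12 AND ExpYear BETWEEN 2000 AND 2100)
);
GO

-- The only write path. Callers hand over the gateway's token; the procedure
-- strips separators and refuses anything that still looks like a card number.
CREATE PROCEDURE dbo.SaveCustomerPaymentToken
    @CustomerID   INT,
    @GatewayName  NVARCHAR(50),
    @GatewayToken NVARCHAR(128),
    @CardBrand    NVARCHAR(20),
    @CardLast4    CHAR(4),
    @ExpMonth     TINYINT,
    @ExpYear      SMALLINT
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @digitsOnly NVARCHAR(128) = REPLACE(REPLACE(@GatewayToken, ' ', ''), '-', '');
    IF @digitsOnly NOT LIKE '%[^0-9]%' AND LEN(@digitsOnly) BETWEEN 13 AND 19
    BEGIN
        RAISERROR('Refusing to store a value that looks like a primary account number; pass the gateway token instead.', 16, 1);
        RETURN;
    END;

    INSERT INTO dbo.CustomerPaymentToken
        (CustomerID, GatewayName, GatewayToken, CardBrand, CardLast4, ExpMonth, ExpYear)
    VALUES
        (@CustomerID, @GatewayName, @GatewayToken, @CardBrand, @CardLast4, @ExpMonth, @ExpYear);

    SELECT SCOPE_IDENTITY() AS PaymentTokenID;
END;
GO

-- What staff and reports see: a masked card, never the token and never a PAN.
CREATE VIEW dbo.vCardsOnFile
AS
SELECT CustomerID, CardBrand,
       '**** **** **** ' + CardLast4 AS MaskedCard,
       ExpMonth, ExpYear, GatewayName
FROM dbo.CustomerPaymentToken;
GO

-- Usage with constructed sample data.
-- Accepted: an opaque token returned by the gateway's customer-management call.
EXEC dbo.SaveCustomerPaymentToken 1001, N'ExampleGateway', N'gw-cust-8841-pm-2',
     N'Visa', '4242', 12, 2012;

-- Rejected: a caller tried to "tokenize" by storing the card number itself
-- (this is the public Visa test number, not a real card).
EXEC dbo.SaveCustomerPaymentToken 1001, N'ExampleGateway', N'4111 1111 1111 1111',
     N'Visa', '1111', 12, 2012;
```

The pattern check in the procedure is a guard against mistakes, not a substitute for keeping the PAN out of the application in the first place: the scope reduction only holds if the card number goes straight to the gateway and is never written to tables, logs or backups. The token is still sensitive, since anyone who can read it and call the gateway can charge the customer, so grant access to the view rather than to the base table.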


Added Features

• Multiple Capture & Voice Auth Capture

• Blind Credit Support

• Additional Gateways

• Gift Card Support*

• PIN Pad Support

• Check Reader Support

• Encrypted Card Swipe Support

• Improved USB System


Credit Card Interface


eCheck Interface


Other Payments


Existing Transactions


Questions?


Security

Presented By:

Mark Setzer

Senior Developer, Stone Edge Technologies, Inc.

April 24, 2010 10:30 AM – 12:00 PM


Types of Security

• Physical
  – Physical access means game over from a security standpoint
• Network
  – Assume attacks are inevitable
  – Who needs access? To what?
• Application
  – Microsoft Access, Order Manager, Microsoft SQL Server


Order Manager Security

• Intended for basic reporting, logging, task assignment
• Not “hard” security


Network Security

• Hardware location
  – Firewall rules
• Server administration
  – Shared folders
  – Active Directory
  – Needed services
  – Windows Updates


Application Security

• Microsoft Access
• SQL Server
  – Careful about “role” access
  – Difficult to provide “basic” access without allowing destructive behavior as well
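The "role" access problem on this slide, as an added T-SQL example that is not Stone Edge code and makes no claim about how the Order Manager actually configures SQL Server: the weak setting drops an order-entry user into db_owner or db_datawriter because that is the quickest way to make the application work, and in doing so hands out DELETE and UPDATE on every table; the corrected setting gives a custom role SELECT on a reporting schema plus EXECUTE on the one procedure that changes data, and then checks the effective permissions with HAS_PERMS_BY_NAME. The database, schema, login, role, table and procedure names and the sample password are hypothetical.

```sql
-- Added example, not Stone Edge code. All names are hypothetical.
-- Run as a sysadmin against a throwaway database (SQL Server 2008 syntax).

CREATE DATABASE OrderManagerExample;
GO
USE OrderManagerExample;
GO

CREATE TABLE dbo.Orders (
    OrderID     INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    CustomerID  INT NOT NULL,
    Status      NVARCHAR(20) NOT NULL
);
GO
CREATE SCHEMA rpt;
GO
-- Reporting view: the only way readers get at order data.
CREATE VIEW rpt.OpenOrders AS
    SELECT OrderID, CustomerID FROM dbo.Orders WHERE Status = N'Open';
GO
-- The one sanctioned write path; it validates before it touches the table.
CREATE PROCEDURE dbo.ApproveOrder @OrderID INT
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.Orders SET Status = N'Approved'
    WHERE OrderID = @OrderID AND Status = N'Open';
    IF @@ROWCOUNT = 0
        RAISERROR('Order %d is not open.', 16, 1, @OrderID);
END;
GO

CREATE LOGIN om_clerk WITH PASSWORD = 'ChangeMe-Example-2010!';
CREATE USER om_clerk FOR LOGIN om_clerk;

-- Weak setting (left commented out): "basic" access by way of a built-in role.
-- Either line lets the clerk DELETE or UPDATE every row in every table.
-- EXEC sp_addrolemember 'db_owner',      'om_clerk';
-- EXEC sp_addrolemember 'db_datawriter', 'om_clerk';

-- Corrected setting: a custom role holding exactly what the job needs.
CREATE ROLE om_order_clerk;
GRANT SELECT  ON SCHEMA::rpt      TO om_order_clerk;  -- read the views, not the tables
GRANT EXECUTE ON dbo.ApproveOrder TO om_order_clerk;  -- change data only through the procedure
-- No grant on dbo.Orders at all. The procedure still works because dbo owns
-- both the procedure and the table, so SQL Server's ownership chaining does
-- not re-check the caller's own rights on the table.
EXEC sp_addrolemember 'om_order_clerk', 'om_clerk';
GO

-- Check the effective permissions as the clerk would see them.
EXECUTE AS USER = 'om_clerk';
SELECT HAS_PERMS_BY_NAME('rpt.OpenOrders',   'OBJECT', 'SELECT')  AS CanReadView,
       HAS_PERMS_BY_NAME('dbo.Orders',       'OBJECT', 'SELECT')  AS CanReadTable,
       HAS_PERMS_BY_NAME('dbo.Orders',       'OBJECT', 'DELETE')  AS CanDelete,
       HAS_PERMS_BY_NAME('dbo.ApproveOrder', 'OBJECT', 'EXECUTE') AS CanApprove;
REVERT;
GO
```

With the grants above, the check returns 1 for the view and the procedure and 0 for reading or deleting from the base table. Two caveats a practitioner should keep in mind: ownership chaining only skips the table check while the procedure and the table share an owner and the procedure uses static SQL, so a procedure built with dynamic SQL, or a table created under a differently owned schema, falls back to the clerk's own permissions; and db_datareader is not a safe "read only" shortcut either, because it grants SELECT on every table in the database, including any table that holds payment tokens, which is why the grant here is scoped to the rpt schema.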


Questions?