IMS Point of View: Retail Pro and PCI-DSS Compliance
Phone: 1.484.482.1600 Contact Us For More Information WWW.IMS-POS.COM
Topic: Retail Pro® and PCI Compliance – What You Need To Know
There has been much communication and confusion recently about Retail Pro® and PCI Compliance. IMS
customers have been receiving information from Retail Pro®, Merchant Warehouse (MW, Retail Pro's
exclusive EFT provider) and Shift 4®.
IMS has prepared this Point of View (POV) to help our customers understand what is happening and to
help you make the most informed choice for meeting PCI-DSS compliance standards not just for today,
but for moving forward.
PCI SECURITY STANDARDS
It is YOUR responsibility as a merchant to understand what YOU need to do to be fully PCI Data Security
Standard (PCI-DSS) compliant. Your Payment Application Data Security Standard (PA-DSS) validated POS
software is only one of many PCI-DSS compliance requirements. PCI Security Standards are available at
WWW.PCISECURITYSTANDARDS.ORG. According to the PCI Security Council:
“Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself
does not make an entity PCI DSS compliant, since that application must be implemented into a
PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by
the payment application vendor.”
There are 12 primary requirements listed below:
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
There are numerous sub-requirements under each main area. To find out about these requirements,
there is a full complement of resources, including a Self Assessment Questionnaire (SAQ), on the
WWW.PCISECURITYSTANDARDS.ORG website.
RETAIL PRO®’S COMPLIANCE APPROACH
As part of its PA-DSS compliance responsibilities, Retail Pro® must complete a yearly validation process
with an approved Payment Application Qualified Security Assessor (PA-QSA). This year's validation date
is June 21, 2014.
This means that any software versions and associated EFT link-system partners that Retail Pro® wishes
to be PA-DSS compliant and acceptable for new deployments must be included in this validation
renewal. Versions and systems included in the re-validation are:
1. Retail Pro® V9.2
2. Retail Pro® Prism
3. Merchant Warehouse gateway services
This means that Retail Pro® V8.6 is only acceptable for pre-existing deployments (validated according to
PA-DSS V1.2). That also means that your legacy Monetra-based EFT Links to Mercury, First Data, and
WorldPay, as well as the Shift 4® EFT Link, will continue to function as they currently do (validated
according to PA-DSS V2.0) until they are moved to sunset status at some point in the future.
The Shift4® 4Go® product has not been tested nor certified by Retail Pro International (RPI) for
operation with Retail Pro® products, and RPI has not developed, tested or certified any interface
between Retail Pro® and 4Go®.
WHAT THIS MEANS FOR YOU
For those customers who currently use the legacy EFT links listed above, your pre-existing deployments
will continue to work and you will continue to be PA-DSS validated as stated above. Any legacy EFT links
will not be PA-DSS compliant for new deployments after the re-validation date. If you are planning on
new deployments of any kind, these must use the Merchant Warehouse EFT solution.
WHY MERCHANT WAREHOUSE?
In making this strategic decision, Retail Pro® considered not only its current PA-DSS validation
requirements, but how it could best support its customers in the rapidly advancing world of EMV and
mobile-digital payments. As stated in previous Retail Pro® communications, as well as IMS’s own blog
post communication, “EMV. Chip and Pin. What You Need To Know”, Retail Pro® has selected Merchant
Warehouse as its sole EFT partner after a thorough due-diligence review. Some of the reasons for
selecting Merchant Warehouse include:
• MW can act as both a gateway and processor, using either MW processing or your processor
• Gateway services include fully PA-DSS compliant advanced data encryption technologies: tokenization
and point-to-point encryption
• The Genius Customer Engagement Platform enabling:
  o EMV ready payment acceptance
  o Secure credit card payments
  o Acceptance of yet-to-be-determined mobile payments and various promotional
  payments such as gift cards, coupons, loyalty payments, etc.
ARE YOU PCI-DSS COMPLIANT?
Again, using a PA-DSS compliant POS system does not by itself make you fully PCI-DSS compliant: PCI-DSS
compliance covers much more than your POS software. And perhaps more
importantly, are you taking all the steps necessary to protect yourself against a large scale data breach?
IMS’s RECOMMENDATION
IMS wants its customers not only PCI-DSS compliant, but to be as protected as possible against a data
breach. To that end, we recommend an implementation roadmap that includes the following:
• Do a PCI Security Council SAQ and utilize a Qualified Security Assessor (QSA) if needed
  o IMS can recommend a QSA if needed
• Take appropriate steps to be fully PCI-DSS compliant
• Upgrade to the newly validated Retail Pro®-EFT system, including Retail Pro® V9.2 or Retail Pro®
Prism, and Merchant Warehouse for gateway services
YOUR NEXT STEPS
IMS understands this is a business-critical and emotional issue. Call us at 1-484-482-1600 to discuss your
options and how you should proceed.