If you process credit cards through your POS software, there is an uncomfortable truth you need to understand: software alone, even software that meets the requirements of PA-DSS (the Payment Application Data Security Standard), is not enough by itself to make you PCI compliant. Secure software is necessary for PCI compliance, but it is not sufficient.
The question this raises for the typical merchant is, "Why did I bother upgrading my software if it is not enough for PCI compliance?" The good news is that the money was not wasted. A business that processes credit cards with non-compliant software has almost no chance of ever becoming PCI compliant. A business running validated software, on the other hand, has taken an important first step toward securing its location, and if it shows the proper diligence, there is no reason full PCI compliance cannot be achieved.
PCI DSS has 12 main requirements (each with numerous sub-requirements), and POS software falls primarily under Requirement 6, Develop and Maintain Secure Systems and Applications. The other 11 requirements hardly mention software at all. The following items are just a few examples of what else PCI demands:
1. Deploy and maintain a firewall between the cardholder data environment and public networks (such as the Internet).
2. If you use wireless networking, do so in a secure fashion.
3. Restrict and manage the access your employees have to sensitive data.
4. Test your systems quarterly for vulnerabilities, both externally and internally.
5. Train your employees upon hire, and at least once a year thereafter, on how to handle credit cards safely.
There are almost 300 individual requirements in the PCI standard, so the list above is obviously not exhaustive. Software is clearly an important element of securing your business, but do not fool yourself into thinking it will solve all your problems. PCI has many parts, and while upgrading to a PA-DSS validated software package helps, it still leaves many other PCI obligations to be met.
Bradley K. Cyprus has more than 20 years' experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource Vendor Safe customers can rely upon to help interpret the PCI standard.