

bowett's Content

There have been 2 items by bowett (Search limited from 10-May 23)



#1464 PCI Compliance Debate

Posted by bowett on 08 August 2006 - 06:29 AM in Credit Card Processing & Accounting

I see around 70 people have viewed this thread but still no replies.

I was hoping for at least some reassurance from Dydacomp. Maybe this is a topic which people are hoping will go away? Is nobody else concerned about this at all?



#1451 PCI Compliance Debate

Posted by bowett on 01 August 2006 - 07:41 AM in Credit Card Processing & Accounting

Hi Everyone,

I have been heavily involved with one of our clients with regards to PCI compliance. Together we are working towards PCI compliance, which, as everyone will know, is a requirement (not an option) laid out by Mastercard and Visa if you want to process credit cards. The penalties for non-compliance are huge (in the region of $10,000 a day), so this needs to be looked at.

If you are storing card numbers within MOM then you are certainly not PCI compliant. I hope this thread can be used to discuss where we think MOM is lacking, to allow us all to become compliant in the future. The fines for non-compliance are huge, so we all need to get up to speed.

The VISA site is the best resource for information. This PDF gives a breakdown of all the sections and requirements.

There are two main areas I can see where MOM is lacking.

Requirement 10: Track and Monitor all Access to Network Resources and Card Holder Data.

In summary this means MOM should create log files of any access to card holder information. The PDF describes the minimum data that needs to be stored. MOM currently does not do this.

Requirement 3: Protect Stored Data

If you import orders into your system there is a period of time between creation and importing that card numbers are stored unencrypted. Really this is unacceptable. I believe MOM should have the option to accept encrypted orders.

I'd love to hear everyone else's thoughts on this.

Regards,

Dan.
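The two gaps Dan describes (Requirement 3: the card number sitting in clear text in an order file before import; Requirement 10: no record of who looked at cardholder data) can be illustrated in code. The following Go program is an added example written for this page; it is not code from the post, from Dydacomp, or from MOM, and it does not claim to show how MOM stores anything. It assumes an order record is exchanged as JSON, that the exporting side and the importing side share a 32-byte AES-256-GCM data-encrypting key held outside the order store, and it uses the constructed order `A1001` with the well-known Visa test number `4111111111111111`. The order record carries only the ciphertext and the last four digits, the ciphertext is bound to the order ID so it cannot be copied onto another order, and every attempt to read a PAN, successful or not, produces an audit event that records the user, time, origin and order but never the full number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Order is a constructed stand-in for an exported order record. The PAN is
// never stored in clear text: only the ciphertext and the last four digits.
type Order struct {
	OrderID   string `json:"order_id"`
	Customer  string `json:"customer"`
	PANCipher string `json:"pan_cipher"` // base64(nonce || AES-256-GCM ciphertext)
	PANLast4  string `json:"pan_last4"`
}

// AccessEvent is one audit-log line in the spirit of PCI DSS Requirement 10:
// who, what, when, which record, success or failure, and origin.
// The full PAN is deliberately absent from the event.
type AccessEvent struct {
	Time     time.Time `json:"time"`
	User     string    `json:"user"`
	Action   string    `json:"action"`
	OrderID  string    `json:"order_id"`
	PANLast4 string    `json:"pan_last4"`
	Success  bool      `json:"success"`
	Origin   string    `json:"origin"`
}

// Vault holds the data-encrypting key (as an AEAD) and the audit trail.
// In a real deployment the key lives in a key store, not in the order data.
type Vault struct {
	aead cipher.AEAD
	Log  []AccessEvent
}

// NewVault builds an AES-256-GCM vault from a 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts the PAN with a fresh random nonce and uses the order ID as
// additional authenticated data, so the ciphertext cannot be transplanted
// onto a different order without failing authentication.
func (v *Vault) Seal(orderID, customer, pan string) (Order, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Order{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Order{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan), []byte(orderID)) // nonce prefixed
	return Order{
		OrderID:   orderID,
		Customer:  customer,
		PANCipher: base64.StdEncoding.EncodeToString(ct),
		PANLast4:  pan[len(pan)-4:],
	}, nil
}

// Open decrypts the PAN for the named user and appends an audit event whether
// the attempt succeeds or fails (a failed decrypt is itself worth logging).
func (v *Vault) Open(user, origin string, o Order) (string, error) {
	ev := AccessEvent{Time: time.Now().UTC(), User: user, Action: "read_pan",
		OrderID: o.OrderID, PANLast4: o.PANLast4, Origin: origin}
	defer func() { v.Log = append(v.Log, ev) }() // closure sees later changes to ev
	raw, err := base64.StdEncoding.DecodeString(o.PANCipher)
	ns := v.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ciphertext")
	}
	pan, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(o.OrderID))
	if err != nil {
		return "", errors.New("decryption or authentication failed")
	}
	ev.Success = true
	return string(pan), nil
}

func main() {
	key := make([]byte, 32) // stand-in: a real key comes from a key store, not the order file
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	o, _ := v.Seal("A1001", "J. Smith", "4111111111111111") // constructed order and test PAN
	rec, _ := json.Marshal(o)
	fmt.Println(string(rec)) // what the exported order file would carry: no clear-text PAN

	if _, err := v.Open("clerk1", "10.0.0.5", o); err != nil {
		fmt.Println(err)
	}
	tampered := o
	tampered.OrderID = "A1002" // replay the ciphertext against another order: must fail
	if _, err := v.Open("clerk1", "10.0.0.5", tampered); err != nil {
		fmt.Println("tampered record:", err)
	}
	for _, e := range v.Log {
		line, _ := json.Marshal(e)
		fmt.Println(string(line)) // Requirement 10 style audit trail
	}
}
```

The point of the audit events is that they are written by the code path that decrypts, not by a separate reporting feature, so there is no way to read a PAN without leaving a record; a reviewer checking Requirement 10 should look for exactly that coupling. The point of the AAD binding is that an attacker who can edit the order file still cannot move a card number from one order to another.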