PCI Compliance Debate
#1
Posted 01 August 2006 - 07:41 AM
I have been heavily involved with one of our clients with regards to PCI compliance. Together we are working towards PCI compliance, which as everyone will know is a requirement (not an option) laid out by Mastercard and Visa if you want to process credit cards. The penalties for non-compliance are huge (in the region of $10,000 a day) so this needs to be looked at.
If you are storing card numbers within MOM then you are certainly not PCI compliant. I hope this thread can be used to discuss where we think MOM is lacking to allow us all to become compliant in the future. The fines for non-compliance are huge so we all need to get up to speed.
The VISA site is the best resource for information. This PDF gives a breakdown of all the sections and requirements.
There are two main areas I can see where MOM is lacking.
Requirement 10: Track and Monitor all Access to Network Resources and Card Holder Data.
In summary this means MOM should create log files of any access to card holder information. The PDF describes the minimum data that needs to be stored. MOM currently does not do this.
Requirement 3: Protect Stored Data
If you import orders into your system there is a period of time between creation and importing that card numbers are stored unencrypted. Really this is unacceptable. I believe MOM should have the option to accept encrypted orders.
I'd love to hear everyone else's thoughts on this.
Regards,
Dan.
#2
Posted 08 August 2006 - 06:29 AM
I was hoping for at least some reassurance from Dydacomp. Maybe this is a topic which people are hoping will go away? Is nobody else concerned about this at all?
#3
Posted 10 November 2006 - 12:52 PM
I noticed this older post and thought I would introduce myself and offer some guidance.
I work in support at Dydacomp and have responded to a few postings including one specifically about this post in our forum for supported MOM customers. forum.dydacomp.com
If you were to login and register on our site, you would be able to see the full string of information but in summary, PCI compliance is the responsibility of you as a merchant. If you're on the most current version of the MOM software then you're given some of the tools necessary to become compliant.
We have added pieces like Visa certified encryption and user security profiles to enable Customer service reps to only see the last 4 digits of the credit card number.
If you're interested in hearing more, please try looking in our user forum for more information. Thank you.
Michael Nardini
Dydacomp
#4
Posted 19 February 2008 - 09:55 AM
Hello,
I noticed this older post and thought I would introduce myself and offer some guidance.
I work in support at Dydacomp and have responded to a few postings including one specifically about this post in our forum for supported MOM customers. forum.dydacomp.com
If you were to login and register on our site, you would be able to see the full string of information but in summary, PCI compliance is the responsibility of you as a merchant. If you're on the most current version of the MOM software then you're given some of the tools necessary to become compliant.
We have added pieces like Visa certified encryption and user security profiles to enable Customer service reps to only see the last 4 digits of the credit card number.
If you're interested in hearing more, please try looking in our user forum for more information. Thank you.
Michael Nardini
Dydacomp
Mike, although this is the standard Dydacomp answer to this issue, it is pure crap. MOM software stores CC data in an encrypted format but shows it to all users in the payment screen. If you try to turn that feature off the cards are not available for use at all. A Dydacomp exec's response to us on this issue was "oops, we're working on it. If more customers have this same issue, it'll attain a higher priority." THIS IS A DYDACOMP SOFTWARE ISSUE AND THUS THE RESPONSIBILITY OF THE VENDOR, NOT THE MERCHANT! Furthermore, there is the export feature, which is advertised as a function that allows you to "export orders previously entered in MOM to an external fulfillment house." While this is a valuable feature, what Dydacomp fails to mention is that the export file contains unencrypted credit card information and thus makes any company using it (even internally, not to mention when sending it to a third party fulfillment house) PCI UN-COMPLIANT! If MasterCard and Visa knew about this, no doubt they would automatically investigate any and all merchants using MOM. This is on Dydacomp, not the unwitting customers that bought your product thinking that it was a solid piece of business software.
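The two gaps raised in the first post (Requirement 10, logging every access to cardholder data; Requirement 3, protecting stored data) and the two complaints in the reply above (full card numbers shown to every user in the payment screen, and unmasked numbers in the export file) all come down to the same small set of controls. The following is an added example, not code from MOM or Dydacomp: a minimal cardholder-data vault that masks the PAN down to the last four digits for customer-service views, only returns a full PAN to one designated role, exports nothing but the masked form, and records an audit entry for every access attempt, successful or refused, with the six fields PCI DSS 10.3 asks for (user, event type, date/time, success/failure, origin, affected resource). The role names, order ids, origins and the sample card number are constructed for the example; the vault keeps plaintext only in memory, and encrypting anything that reaches disk with a vetted library is assumed to be a separate layer.

```python
# Added example, not MOM/Dydacomp code. Role names, order ids, origins and
# the sample PAN used in the usage below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

ROLE_FULL_PAN = "payment_processor"   # the only role allowed to read a full PAN
ROLE_MASKED = "customer_service"      # may see the last four digits only


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit but the last four replaced by '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class AuditEvent:
    # The six data points PCI DSS requirement 10.3 wants in each audit entry.
    user_id: str
    event_type: str      # "store", "read_pan", "read_masked" or "export"
    timestamp: str       # ISO 8601 in UTC
    success: bool
    origin: str          # workstation, host or job that raised the event
    resource: str        # which record was touched; never the PAN itself


class CardVault:
    """Holds PANs keyed by order id and logs every attempt to touch them.

    Plaintext lives only in memory here. Persisting it would require
    encryption with a vetted library (assumed to be outside this example).
    """

    def __init__(self) -> None:
        self._pans: Dict[str, str] = {}
        self.audit_log: List[AuditEvent] = []

    def _record(self, user_id: str, event_type: str, success: bool,
                origin: str, order_id: str) -> None:
        self.audit_log.append(AuditEvent(
            user_id=user_id,
            event_type=event_type,
            timestamp=datetime.now(timezone.utc).isoformat(),
            success=success,
            origin=origin,
            resource=f"order:{order_id}",
        ))

    def store(self, order_id: str, pan: str, user_id: str, origin: str) -> None:
        """Accept a PAN from the order import and log that it arrived."""
        mask_pan(pan)  # validates the length before anything is kept
        self._pans[order_id] = pan
        self._record(user_id, "store", True, origin, order_id)

    def read(self, order_id: str, user_id: str, role: str, origin: str) -> str:
        """Return the full PAN only to ROLE_FULL_PAN, the masked form to
        ROLE_MASKED, and refuse everyone else; the attempt is logged either way."""
        allowed = role in (ROLE_FULL_PAN, ROLE_MASKED) and order_id in self._pans
        event = "read_pan" if role == ROLE_FULL_PAN else "read_masked"
        self._record(user_id, event, allowed, origin, order_id)
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not read {order_id}")
        pan = self._pans[order_id]
        return pan if role == ROLE_FULL_PAN else mask_pan(pan)

    def export_order(self, order_id: str, user_id: str, origin: str) -> dict:
        """Build the row sent to a fulfilment house: only the masked PAN leaves."""
        self._record(user_id, "export", order_id in self._pans, origin, order_id)
        return {"order_id": order_id, "card": mask_pan(self._pans[order_id])}

    def events_for(self, order_id: str) -> List[AuditEvent]:
        """All audit entries that touched one order, for review or alerting."""
        return [e for e in self.audit_log if e.resource == f"order:{order_id}"]


if __name__ == "__main__":
    vault = CardVault()
    vault.store("A100", "4111 1111 1111 1111", "import-job", "host:import01")
    print(vault.read("A100", "alice", ROLE_MASKED, "ws-07"))       # ************1111
    print(vault.export_order("A100", "alice", "ws-07"))
    for ev in vault.events_for("A100"):
        print(ev.event_type, ev.user_id, ev.success, ev.origin, ev.resource)
```

The point of logging the refused read as well as the successful ones is that a failed attempt by a role that should never see a PAN is exactly the event a reviewer wants to find later; the resource field names the order, not the card number, so the audit log itself never becomes another store of cardholder data.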
#5
Posted 25 November 2008 - 09:15 AM