PCI Compliance and DDMS
What is PCI Compliance?
The Payment Card Industry (PCI) standard was created by Visa, MasterCard, American Express, Discover and others to protect cardholder information and reduce data theft. The PCI Data Security Standard (PCI DSS) is an evolving set of requirements intended to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
Separately, a Payment Application Data Security Standard (PA-DSS) provides guidance to software vendors on any software sold, distributed or licensed to third parties that stores, processes or transmits credit card data.
Version 2.0 of the PCI DSS and PA-DSS requirements is effective January 1, 2011. Both PCI DSS and PA-DSS are independently run by the PCI Security Standards Council (www.pcisecuritystandards.org) and are enforced by the payment brands and acquirers, not by the PCI SSC.
Information about the DDMS system regarding PCI Compliance
- ECi began the process of conducting a Self-Assessment Questionnaire as part of its commitment to validate DDMS software as PA-DSS compliant.
- VeriSign, Inc. has verified that HTTPS domains, sites and pages hosted by ECi Software Solutions encrypt user connections to prevent eavesdropping, and our SSL server certificates are upgraded to the highest level of encryption that VeriSign offers at each renewal period.
- Merchants who use DDMS Approval Link 4.0 and subscribe to Net1 Payment Solutions can rest assured that their Sage credit card authorization, clearing, settlement, and payment processing services have been validated as being PCI DSS compliant as of July 31, 2010 and will be reviewed annually.
- Merchants who use DDMS Approval Link 3.0 and subscribe to Payflow Pro should note that PayPal's IPSP e-commerce, payment processing and gateway services have been validated as being PCI DSS compliant as of December 31, 2009 and will be reviewed annually.
- After talks with multiple assessment agencies, ECi has engaged a Payment Application Qualified Security Assessor (PA-QSA) and a PCI QSA to conduct monitoring and testing of the elements of ECi software affected by PCI requirements, and to provide ongoing validation of PCI compliance.
- As we complete each ongoing phase of validation, we may identify elements that require development in order to comply with the evolving standards.
- As we release software updates that include any enhancements that may be required for compliance, we will notify customers in affected release announcements.
- Installing the latest DDMS software with enhancements related to PCI compliance will be important to any merchant concerned with maintaining PCI compliance.
Within the scope of ECi software, ECi’s PA-DSS compliance is only part of the effort required for a merchant to achieve PCI compliance.
Elements outside of ECi software will also require assessment for PCI-DSS compliance.
Each merchant is responsible for assessing and ensuring that its organizational processes, networks and hardware devices comply with the PCI DSS standards. All merchants should review the standards provided by the PCI Security Standards Council and evaluate their own PCI requirements.
PCI DSS Requirements (as of June 2009)
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data*
- Encrypt transmission of cardholder data across open, public networks*
- Use and regularly update anti-virus software programs
- Develop and maintain secure systems and applications*
- Restrict access to cardholder data by business need-to-know*
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes*
- Maintain a policy that addresses information security*
* The requirements marked with an asterisk are the subset of the merchant PCI DSS requirements for which the PA-DSS provides guidance to software vendors.
These standards are maintained by the PCI SSC. The complete list of requirements should be reviewed on the PCI SSC’s Website: https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml
Statements herein regarding compliance of the ECi DDMS software with the PCI standard are based on ECi DDMS’ internal software review against the PCI standard. PCI compliance has not been independently verified by a third party. Use of ECi DDMS software is no guarantee that a user’s business or operations are PCI compliant. Certification should be obtained from an approved Qualified Security Assessor.
