RockSolid POS® PCI Compliance

Last Updated: October 2014

What is PCI Compliance?

The Payment Card Industry (PCI) standard was created by Visa, MasterCard, American Express, Discover and others to protect cardholder information and reduce data theft. The PCI Data Security Standard (PCI DSS) is an evolving set of requirements intended to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

Separately, the Payment Application Data Security Standard (PA-DSS) provides guidance to software vendors on any software sold, distributed or licensed to third parties that stores, processes or transmits credit card data.

Version 2.0 of the PCI DSS and PA-DSS requirements became effective January 1, 2011. Both PCI DSS and PA-DSS are independently run by the PCI Security Standards Council (www.pcisecuritystandards.org) and are enforced by the payment brands, not by the PCI SSC.

Information about the RockSolid POS system and PCI Compliance

  • To ensure our software is PA-DSS (Payment Application Data Security Standard) compliant, version 5.7.13 of RockSolid POS was verified by an independent PA-QSA (Payment Application Qualified Security Assessor) in conjunction with PC Charge to encrypt all credit card information being passed for authorization.
  • PC Charge version 5.8i and later are qualified as compliant. Please visit www.verifone.com for PC Charge compliance details.
  • RockSolid POS does not capture and store any credit card information in the database.
  • Wireless devices should be PCI compliant as well. RockSolid POS’s supported wireless device “MC55” supports WPA2, which is a valid encryption algorithm under the current PCI Security Standard. Credit card information is not stored or transferred to or from the device. Please visit www.motorola.com for more information regarding PCI compliance for this device.

Within the scope of RockSolid software, RockSolid’s PA-DSS compliance is only part of the effort required for a merchant to achieve PCI compliance. Elements outside of RockSolid software will also require assessment for PCI DSS compliance. Using RockSolid POS version 5.7.13 or later is one step towards achieving PCI compliance. However, each merchant is responsible for assessing and ensuring that its organizational processes, networks and hardware devices comply with the applicable PCI DSS standards. All merchants should review the standards provided by the PCI Security Standards Council and evaluate their own PCI requirements.

General PCI DSS Requirements

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data*
  4. Encrypt transmission of cardholder data across open, public networks*
  5. Use and regularly update anti-virus software programs
  6. Develop and maintain secure systems and applications*
  7. Restrict access to cardholder data by business need-to-know*
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes*
  12. Maintain a policy that addresses information security*

* For the subset of PCI DSS requirements marked with an asterisk above, the PA-DSS provides guidance to software vendors. These standards are maintained by the PCI SSC. The complete list of requirements should be reviewed on the PCI SSC’s website: https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Statements regarding RockSolid POS software’s compliance with the PCI standard are based on our internal software review as of the updated date noted above and have been independently verified by a third party. However, use of RockSolid POS software does not guarantee that a user’s business or operations are PCI compliant and should not be relied upon for such purpose. Certification should be obtained from an approved Qualified Security Assessor.