Hi,

There are two types of PCI certification (this information is very high level).

The software that collects credit card information has to be PCI PA-DSS certified (formerly, CISP PABP). You may store the track and CVV2 data, encrypted only, UNTIL you receive the authorization, at which point you must remove track and CVV2 information. You may keep the credit card number, encrypted, and the auth code. You also need to keep your encryption key secure, rotate the keys, and have asymmetric keys (UniVerse/UniData does not support asymmetric keys). We utilized GNU's GPG utility to add the asymmetric functionality.

As a merchant, you need to be PCI DSS certified. This involves network security, network monitoring, monitoring various audit files, etc. You can reduce your PCI DSS exposure if you utilize a gateway service. There are several that we have looked into for our customers:

VeriFone's VeriShield - the most secure, data is encrypted in their MSR, and their dll sends the data to their gateway.
VeriFone's Payware - data is not encrypted from their MSR to their dll, but a secure socket from the dll to their gateway.
Shift4 - data is not encrypted from an MSR to their dll, but a secure socket from their dll to their gateway.

All three will keep the data off your server, but not off your register.

For web applications, Shift4 and CyberSource provide options. With CyberSource, you can redirect to their site for payment information so credit cards never touch your hardware.

I agree with those that said that you need to learn about PCI, but you also should find a good auditor, who can help through the process. Our auditor helped us accomplish PCI PA-DSS certification with minimal pain. Oh, be prepared, PCI certification is expensive, and requires a lot of documentation!

To be clear, I am not a QA. We provide a POS solution to our customers and this was a summary of what we learned. Do not take this information as a source for making decisions on the direction you take, but I hope it helps you understand what questions to ask.

Good luck!
Tom
RATEX Business Solutions