Sage ERP Software PCI DSS Compliance
Blog by Doug Deane
Definition of Terms
Before we can begin talking about the PCI DSS standards, it’s necessary to define some important and often-used terms:
Acquirer – Also referred to as the “acquiring bank” or the “acquiring financial institution.” This is the entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Hosting Provider – Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of “shopping cart” options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.
Merchant – For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Service Provider – Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
All of the definitions above are taken from the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms which can be downloaded at:
https://www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Overview
PCI DSS compliance is the current challenge for the ERP software industry. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that handle credit card payments prevent fraud by improving data security. It applies to all organizations that store, process, or transmit cardholder data for any card brand that has adopted the standard, which includes all the major credit card brands.
Contrary to popular belief, these standards are not being maintained, enforced or applied by any branch of government. Enforcement is done by the organizations who maintain card processing relationships with merchants. For merchants processing Visa or MasterCard transactions, compliance is enforced by the organization’s acquirer, while organizations handling American Express transactions will deal directly with American Express for compliance issues.
Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through a processor, risk losing their ability to process credit card payments and being audited and/or fined. The compliance date for all merchants who process credit card transactions is July 1, 2010.
What It Is
The PCI DSS standard consists of these 12 basic requirements, some of which affect ERP publishers and providers and some of which do not:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
ERP publishers and providers are affected by requirements 2, 3, 4, 6 and 10. Merchants (ERP system end-users) must comply with all twelve requirements if they store cardholder data on their ERP system. So, a diligent ERP provider should sell only ERP software that complies with requirements 2, 3, 4, 6, and 10, and should also make its end-users aware of the remaining requirements. Card processors and/or acquirers have a responsibility to do this as well.
How This Affects Merchants and ERP Software Publishers and Providers
There are five validation categories for ERP end-users (merchants). To determine which category you fall into, access this PCI Security Standards Council webpage, find the description that most closely applies to you, and download the associated SAQ (Self-Assessment Questionnaire) by clicking the link (A through D) next to that description in the table:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml
Most merchants using Sage MAS90, MAS500 or Accpac ERP will fall into Category D. Each merchant must fill out the appropriate SAQ and provide it to their acquirer or card brand, along with any supporting documentation.
The new standards only affect ERP software packages that store, process, or transmit credit card information, whether in their customer database or as part of their order processing features. To see how those ERP packages are affected by the new standards, you can download version 1.2 of the PCI DSS standard by clicking on this link:
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
Requirements 3 and 4, on pages 21 and 27 of the standard, define the bulk of the changes that the publishers made to be in compliance, but requirements 2, 6 and 10 also apply. Most existing ERP packages probably already met the standards defined in requirements 2, 6 and 10.
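Two of the questions raised above, whether an ERP actually stores cardholder data (and so is in scope at all) and what Requirement 3 demands of the data it does store, can be checked concretely. The script below is an added example, not code from Sage, Iciniti or the PCI SSC. It scans a constructed table export for PAN-like values (13 to 19 digit sequences that pass the Luhn check, so order numbers and phone numbers are not reported), renders a PAN in the masked form Requirement 3.3 allows for display (at most the first six and last four digits), and strips sensitive authentication data such as CVV2 and track data, which Requirement 3.2 forbids storing after authorization. The table layout, column names and sample rows are constructed for the example and are not taken from any Sage product.

```python
"""Added example (not Sage's or the PCI SSC's code): cardholder-data
discovery and Requirement 3 handling for an ERP table export.

Column names, SAD field list and sample rows are assumptions constructed
for this example; adjust them to the schema of the ERP under review.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Columns holding sensitive authentication data; PCI DSS 3.2 says these
# must never be stored after authorization. (Assumed column names.)
SAD_FIELDS = ("cvv", "cvv2", "cid", "track1", "track2", "pin_block")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid 13-19 digit sequences found in free text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display form: first six and last four digits only."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_export(rows: Iterable[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Scan exported rows; report (row index, column, masked PAN) hits.
    Free-text columns (notes, comments) are scanned too, since that is
    where card numbers typed in by staff usually end up."""
    hits = []
    for idx, row in enumerate(rows):
        for col, value in row.items():
            for pan in find_pans(str(value)):
                hits.append((idx, col, mask_pan(pan)))
    return hits


def prepare_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Drop SAD fields outright and truncate the PAN before it is written.
    Truncation is one of the Requirement 3.4 options; keeping the full PAN
    would instead require strong encryption with managed keys (not shown)."""
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "card_number" in clean:
        pan = re.sub(r"[ -]", "", clean["card_number"])
        clean["card_number"] = mask_pan(pan)
    return clean


# Constructed sample export: the first row hides a card number (and a CVV)
# in a notes field, the second has only an order number that happens to be
# 13 digits long, the third stores a PAN and a CVV2 in dedicated columns.
SAMPLE_EXPORT = [
    {"customer": "Acme Co",
     "notes": "paid with card 4111 1111 1111 1111, cvv 123",
     "order_no": "1234567890123"},
    {"customer": "Globex", "notes": "net 30 terms", "order_no": "9876543210988"},
    {"customer": "Initech", "card_number": "5500-0000-0000-0004", "cvv2": "456"},
]

if __name__ == "__main__":
    for row, col, masked in scan_export(SAMPLE_EXPORT):
        print(f"row {row} column {col!r}: {masked}")
    print(prepare_for_storage(SAMPLE_EXPORT[2]))
```

Running the script reports the PAN buried in the notes column of the first row and the one in the card_number column of the third; the 13-digit order numbers fail the Luhn check and are ignored. A clean scan over every table and every free-text column of the ERP database is the evidence that the package does not store cardholder data; any hit means the merchant is completing SAQ D and the ERP publisher is subject to requirements 3 and 4 in full.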
Sage Software Compliance
MAS90 versions 4.30.0.18 and 4.40.0.1 and the associated EES versions are both PA-DSS and PCI DSS compliant. You should access this Sage Implementation Guide in order to understand the complete scope of what it takes to install MAS90/200 in a PA-DSS compliant manner:
http://cdn.bestsoftware.com/sagemail/MAS/PCI/Implementation%20Guide_MAS90v43018__44001.pdf
Sage MAS500 version 7.3 is PA-DSS compliant. You should access this Sage Implementation Guide in order to understand the complete scope of what it takes to install MAS500 in a PA-DSS compliant manner:
Sage Accpac ERP does not need to meet the PA-DSS standards, because there’s no native credit card processing or cardholder data storage capability that’s necessary for Accpac functionality. There are superfluous cardholder data fields in the native software, and they will be scrubbed out by a utility that Sage will provide some time in the middle of June, 2010.
Advanced credit card processing functionality for Accpac ERP is provided by third-party providers of Accpac ERP enhancements. One of the most widely used, Iciniti, publishes their Accpac ERP Credit Card module. Iciniti has stated that their module will be PA-DSS and PCI DSS compliant by July 1, 2010.
There are other publishers of Accpac ERP credit card processing modules, and we will update this blog with their compliance information, when it becomes available.
———————————–
Doug Deane is President of DSD Business Systems, a national provider of on-demand (cloud) and on-premises ERP and CRM software, specializing in wholesale distribution, manufacturing, warehouse management, inventory, business intelligence and eCommerce software. DSD offers Sage 100 (formerly MAS 90), Sage 300 (formerly Accpac), Sage 500 (formerly MAS 500), NetSuite, Sage FAS, Sage HRMS (formerly Abra), Sage CRM, Sage SalesLogix, Extended Solutions, and Custom Programming.