Sage ERP Software PCI DSS Compliance

Blog by Doug Deane

Sage ERP Software PCI DSS Compliance

Definition of Terms

Before we can even begin to start talking about the PCI DSS standards, it’s necessary to define some important and often-used terms:

Acquirer – Also referred to as the “acquiring bank” or the “acquiring financial institution.” This is the entity that initiates and maintains relationships with merchants for the acceptance of payment cards.

Hosting Provider – Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of “shopping cart” options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.

Merchant – For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

Service Provider – Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.

All of the definitions above are taken from the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms which can be downloaded at:

https://www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml

Overview

PCI-DSS Compliance is the current challenge for the ERP software industry. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. These standards were created to help credit card processing organizations prevent fraud by increasing data security. The standard applies to all organizations that store, process, or exchange credit cardholder information from any credit card company who has signed on to these standards.  That includes all the major credit card brands.

Contrary to popular belief, these standards are not being maintained, enforced or applied by any branch of government.  Enforcement is done by the organizations who maintain card processing relationships with merchants. For merchants processing Visa or MasterCard transactions, compliance is enforced by the organization’s acquirer, while organizations handling American Express transactions will deal directly with American Express for compliance issues.

Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through a processor, risk losing their ability to process credit card payments and being audited and/or fined.  The compliance date for all merchants who process credit card transactions is July 1, 2010.

What It Is

The PCI-DSS standards incorporate these 12 basic requirements, some of which affect ERP publishers and providers, and some that do not:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

ERP publishers and providers are affected by requirements 2, 3, 4, 6 and 10.  Merchants (ERP system end-users) must comply with all the standards, if they are storing credit cardholder information on their ERP system.  So, the most diligent ERP providers must only sell ERP software that complies with requirements 2, 3, 4, 6, and 10, and they should also make their end-users aware of all the remaining requirements.  Card processors and/or acquirers have a responsibility to do this, as well.

How This Affects Merchants and ERP Software Publishers and Providers

There are five validation categories for ERP end-users (merchants).  In order to determine which category you fall into, access this PCI Security Standards Council webpage, find the description that most closely applies to you, and download the associated SAQ (Self-Assessment Questionnaire) by pressing one of the links A-D next to the description that applies to you in the table:

https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

Most merchants using Sage MAS90, MAS500 or Accpac ERP will fall into Category D.  Each merchant must fill out the appropriate SAQ and provide it to their acquirer or card brand, along with any supporting documentation.

The new standards only affect ERP software packages that store credit card information in their customer database, or as part of their order processing features.  To see how those ERP packages are affected by the new standards, you can download version 1.2 of the PCI DSS standards by clicking on this link:

https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Requirements 3 and 4 on pages 21 and 27 of the standards defines the bulk of the changes that the publishers made to be in compliance, but requirements 2, 6 and 10 also apply.  Most existing ERP packages probably already met the standards defined in requirements 2, 6 and 10.

Sage Software Compliance

MAS90 versions 4.30.0.18 and 4.40.0.1 and the associated EES versions are both PA-DSS and PCI DSS compliant.  You should access this Sage Implementation Guide in order to understand the complete scope of what it takes to install MAS90/200 in a PA-DSS compliant manner:

http://cdn.bestsoftware.com/sagemail/MAS/PCI/Implementation%20Guide_MAS90v43018__44001.pdf

Sage MAS500 version 7.3 is PA-DSS compliant.  You should access this Sage Implementation Guide in order to understand the complete scope of what it takes to install MAS500 in a PA-DSS compliant manner:

http://community.sagemas.com/sagemas/attachments/sagemas/500TECH/447/3/PA-DSS_Implementation_Guide_MAS500v730%20-%2001-04-2010.pdf

Sage Accpac ERP does not need to meet the PA-DSS standards, because there’s no native credit card processing or cardholder data storage capability that’s necessary for Accpac functionality.  There are superfluous cardholder data fields in the native software, and they will be scrubbed out by a utility that Sage will provide some time in the middle of June, 2010.

Advanced credit card processing functionality for Accpac ERP is provided by third-party providers of Accpac ERP enhancements.  One of the most widely used, Iciniti, publishes their Accpac ERP Credit Card module.  Iciniti has stated that their module will be PA-DSS and PCI DSS compliant by July 1, 2010.

There are other publishers of Accpac ERP credit card processing modules, and we will update this blog with their compliance information, when it becomes available.

———————————–

Doug Deane is President of DSD Business Systems, a national provider of on-demand (cloud) and on-premises ERP and CRM software, specializing in wholesale distribution, manufacturing, warehouse management, inventory, business intelligence and eCommerce software.  DSD offers Sage 100 (formerly MAS 90), Sage 300 (formerly Accpac), Sage 500 (formerly MAS 500), NetSuite, Sage FAS, Sage HRMS (formerly Abra), Sage CRM, Sage SalesLogix, Extended Solutions, and Custom Programming.

Categories:
Sage 100 Sage 300 Sage 500
Tags:
Cloud ERPFinancial ManagementGeneral Business

Congratulations! You’re registered to join us.

Acumatica Lunch and Learn Irvine, CA
We’re so excited to show you the power of Acumatica!

Should you have any immediate questions or needs, please feel free to reach out to your event host: ktucker@dsdinc.com