Quest E-Commerce Solutions PCI Compliance
12 Principles of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The result is a comprehensive standard intended to help organizations protect consumer cardholder data.
Below are the twelve principal requirements of PCI DSS.
Quest SuiteTM is a restricted eCommerce solution that allows Patrons to pay outstanding Fees and Fines to the Library and Institutions. To process a Credit/Debit card, the patron must be present and must swipe the card through a card reader attached to the eCommerce station. Because this is Card Present processing, the station never asks anyone to key in a card number, which reduces the opportunity for fraudulent use of Debit/Credit cards.
In addition, our eCommerce solution uses an encrypted transmission protocol to process the payment through your chosen Merchant Account. Although we do log payment transactions in a secure audit file, only the last 4 digits of the Credit/Debit card number are retained; the full card number is never written to it. The audit file is used only to cross-reference payments made to the Institution. The modules used to process the Credit/Debit card are PCI compliant.
The 12 steps below are addressed in respect to the Quest SuiteTM eCommerce solution.
Build and Maintain a Secure Network
1- Install and maintain a firewall configuration to protect cardholder data
Any device on which the eCommerce solution is installed is protected by an appropriately configured firewall. Because the solution operates inside the Institution's network boundary, the Institution's own firewall provides an additional layer of protection.
2- Do not use vendor-supplied defaults for system passwords and other security parameters
Vendor-supplied default passwords are disabled once the system is installed and tested, after which the Institution sets its own passwords.
Protect Cardholder Data
3- Protect stored cardholder data
No full card number is stored. The transaction records kept in the secured database retain only the last 4 digits of the card.
4- Encrypt transmission of cardholder data across open, public networks
All transmissions to the credit/debit card clearing house or merchant processing center are sent over an encrypted connection.
Maintain a Vulnerability Management Program
5- Use and regularly update anti-virus software
Anti-virus software is updated on a regular basis, both through the Institution's anti-virus procedure and through the device's own anti-virus software.
6- Develop and maintain secure systems and applications
The Institution should maintain internal policies and procedures for secure systems and applications.
Implement Strong Access Control Measures
7- Restrict access to cardholder data by business need-to-know
Full cardholder data is available only through the Merchant Account; the eCommerce station holds only the last 4 digits.
8- Assign a unique ID to each person with computer access
This is accomplished with unique user IDs and passwords on the computers the eCommerce solution operates on.
9- Restrict physical access to cardholder data
Because no full card data is stored on the eCommerce station, there is no stored cardholder data to physically access. The station and its attached card reader should still be kept in a supervised area.
Regularly Monitor and Test Networks
10- Track and monitor all access to network resources and cardholder data
Our audit file provides a log of the transactions processed; only the last 4 digits of the card are retained in it.
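The truncation described above (and in the overview of the audit file earlier on this page) is shown below as an added Python example. It is not Quest's code: the audit-file layout (one JSON line per transaction), the field names and the sample swipes are assumptions made for the illustration. The card numbers are the standard test PANs that pass the Luhn check, not real cards. Besides masking the PAN before it is logged, the example scans each finished audit line for anything that still looks like a full PAN, which is the check a reviewer would want in place before trusting the "last 4 digits only" claim.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample swipe reads (hypothetical field names). These are the
# well-known Visa/Mastercard test numbers, not real cardholder data.
SAMPLE_SWIPES = [
    {"pan": "4111111111111111", "amount_cents": 1250, "patron_id": "P-0042"},
    {"pan": "5555 5555 5555 4444", "amount_cents": 300, "patron_id": "P-0099"},
]

# Matches a run of 13-19 digits, optionally separated by single spaces or
# dashes, that is not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum.

    This is only a sanity check on the swipe read (a misread number will
    almost always fail it); it says nothing about whether the card is valid.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit except the last four replaced by '*'.

    Raises ValueError on anything that is not a plausible PAN so that a bad
    read is never written to the audit file unmasked.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every substring of text that looks like a full PAN.

    A candidate is a 13-19 digit run (spaces/dashes allowed) whose digits
    pass Luhn. Useful for scanning an audit file for leaked card numbers.
    """
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def audit_record(swipe: dict, auth_code: str, when: str = None) -> str:
    """Build one audit-file line for a processed swipe.

    The full PAN is consumed here and only its masked form is kept. The
    finished line is scanned with find_pans() as a last line of defence.
    `when` is an ISO-8601 timestamp; the current UTC time is used if omitted.
    """
    ts = when or datetime.now(timezone.utc).isoformat()
    record = {
        "ts": ts,
        "patron_id": swipe["patron_id"],
        "amount_cents": swipe["amount_cents"],
        "pan": mask_pan(swipe["pan"]),      # e.g. "************1111"
        "auth_code": auth_code,             # returned by the merchant processor
    }
    line = json.dumps(record, sort_keys=True)
    if find_pans(line):
        raise RuntimeError("full PAN would be written to the audit file")
    return line


if __name__ == "__main__":
    for swipe in SAMPLE_SWIPES:
        print(audit_record(swipe, auth_code="A1B2C3"))
```

Two design points worth noting: the masking happens before the record is assembled, so there is never a dict holding the full PAN that could be dumped by a later change, and the leak scan runs on the serialised line rather than on individual fields, so a PAN smuggled in through a new field (a free-text note, for example) is still caught.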
11- Regularly test security systems and processes
The Institution should conduct security testing in accordance with its internal Policies and Procedures.
Maintain an Information Security Policy
12- Maintain a policy that addresses information security
Institutions should maintain a Policy and Procedure manual that addresses information security.