See: https://newaccount1608055419986.freshdesk.com/a/solutions/articles/66000503375
| | PA-DSS | PCI-DSS |
|---|---|---|
| What is it? | PA-DSS is the standard against which System Five has been tested, assessed, and validated. | PCI-DSS compliance is obtained by the merchant, and is an assessment of your actual server (or hosting) environment. |
| What is it for? | PA-DSS validation is intended to ensure that System Five will help you achieve and maintain PCI compliance with respect to how System Five handles user accounts, passwords, encryption, and other payment data related information. | PCI DSS compliance is the responsibility of the merchant and their hosting provider, working together, using PCI compliant server architecture with proper hardware and software configurations and access control procedures. |
The Payment Card Industry (PCI) has developed security standards for handling cardholder information, published as the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data.
The PCI DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.
Outlined below are the 12 requirements of the PCI DSS. For more details, refer to this link.
| Category | Requirement |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored data |
| | 4. Encrypt transmission of cardholder data and sensitive information across public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
System Five uses AES-256 encryption.
Note: The chip contains track-equivalent data as well as other sensitive data, including the Integrated Circuit (IC) Chip Card Verification Value (also referred to as Chip CVC, iCVV, CAV3 or iCSC).
Source: page 8
The PCI DSS requires that access to all systems in the payment processing environment be protected through the use of unique users and complex passwords. Unique user accounts means that every account used is associated with an individual user and/or process, with no generic group accounts shared by more than one user or process. Additionally, any default accounts provided with operating systems, databases and/or devices should be removed, disabled or renamed where possible, or at least should have PCI DSS compliant complex passwords and should not be used. Examples of default administrator accounts include “administrator” (Windows systems), “sa” (SQL/MSDE), and “root” (UNIX/Linux).
The PCI standard requires the following password complexity for compliance (often referred to as using “strong passwords”):
PCI user account requirements beyond uniqueness and password complexity are listed below:
- If an incorrect administrator password is entered 6 times, the account should be locked out.
- The account lockout duration should be at least 30 minutes (or until an administrator resets it).
- Administrator sessions idle for more than 15 minutes should require re-entry of username and password to reactivate the session. Note: System Five can automatically log out all users after 5 minutes of inactivity.
- Do not use group, shared or generic user accounts.
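The lockout and idle-timeout thresholds listed above, as an added Go example that is not System Five's code: the Account type, the injected clock and the caller-supplied password result are assumptions made so the policy can be shown and tested on its own.

```go
package main
import (
	"errors"
	"time"
)

// Thresholds from the page: lock after 6 failures, lock for 30 minutes, re-authenticate after 15 idle minutes.
const (
	MaxFailures = 6
	LockoutFor  = 30 * time.Minute
	IdleLimit   = 15 * time.Minute
)
var (
	ErrLocked      = errors.New("account locked; wait for the lockout to expire or ask an administrator")
	ErrBadPassword = errors.New("bad password")
	ErrReauth      = errors.New("session idle too long; re-enter username and password")
)
// Account tracks one user's consecutive failures, lockout and session; time is injected for testability.
type Account struct {
	failures    int
	lockedUntil time.Time
	lastActive  time.Time
	sessionOpen bool
}
// Login enforces the lockout before looking at the password result, so a locked
// account rejects even correct credentials; passwordOK is the caller's verifier result.
func (a *Account) Login(now time.Time, passwordOK bool) error {
	if now.Before(a.lockedUntil) {
		return ErrLocked
	}
	if !passwordOK {
		a.failures++
		if a.failures >= MaxFailures {
			a.lockedUntil, a.failures = now.Add(LockoutFor), 0
		}
		return ErrBadPassword
	}
	a.failures, a.sessionOpen, a.lastActive = 0, true, now
	return nil
}
// Touch is called on every request; an idle session past the limit is closed and must log in again.
func (a *Account) Touch(now time.Time) error {
	if !a.sessionOpen || now.Sub(a.lastActive) > IdleLimit {
		a.sessionOpen = false
		return ErrReauth
	}
	a.lastActive = now
	return nil
}
// Unlock models the administrator reset that ends a lockout early.
func (a *Account) Unlock() { a.lockedUntil, a.failures = time.Time{}, 0 }
```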
The Windward Support policy regarding the collection of data for testing purposes requires the owner of the data to use the System Five Zip and Transfer utility, which excludes all sensitive credit card data, to prepare and transfer their non-sensitive data to a designated Windward site. For more information please consult the Windward Support Policy.
System Five, in accordance with PCI rules, tracks certain events. System Five also tracks other events that may indicate fraudulent activity. The event logging has two purposes.
All sensitive data in System Five is encrypted with Data Encryption Keys (DEK), which are created automatically and dynamically as required. The Data Encryption Keys are themselves stored encrypted in the database, wrapped with Key Encrypting Keys (KEK). When System Five is first installed, a standard set of KEKs is used. Before integrated payment processing is enabled, the standard KEKs must be replaced with a dynamically generated, company-specific set of encryption keys in order for the payment application to be PCI compliant.
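Envelope encryption of the kind this paragraph describes, as an added Go example that is not System Five's code: a per-record DEK encrypts the field, the KEK wraps only the DEK, and rotating the KEK (the step that replaces the installation-default keys) re-wraps the DEK without touching the stored field ciphertext. AES-256-GCM, the 12-byte nonce prefix and the function names are assumptions; the page states only that AES-256 is used.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must collapses error checks on calls that cannot fail for well-formed input (32-byte keys).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal encrypts plaintext with AES-256-GCM under key; a fresh 12-byte random nonce is prefixed.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size, never reused with the same key
	must(rand.Read(nonce))
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key, truncation or tampering yields an error, never garbage.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, sealed[:12], sealed[12:], nil)
}
// Encrypt makes a fresh 256-bit DEK per record, encrypts the field with it and wraps the DEK with the KEK.
func Encrypt(kek, field []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(kek, dek), seal(dek, field)
}
// Decrypt unwraps the DEK with the KEK, then decrypts the field with the DEK.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
// RotateKEK re-wraps a DEK under newKEK; the field ciphertext is not even an input, so no data is re-encrypted.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```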