ICVerify Payment Software Integrators FAQs

Get answers to frequently asked questions about Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).

    What is PCI DSS?
    The Payment Card Industry Data Security Standard (PCI DSS) was created by the five major credit card companies as a guideline to help business owners implement the hardware, software and procedures needed to guard sensitive credit card and personal information. PCI DSS is a set of requirements for enhancing payment account data security. The five major credit card companies that founded the PCI Security Standards Council are American Express®, Discover® Financial Services, JCB International, MasterCard® and Visa®.

    What does PCI compliance mean?
    PCI compliance means that your business is following best practices to prevent breaches of cardholder information. While PCI compliance is not a guarantee of security, it is an important step in prevention. Please check with your Payment Compliance representative or your processor to ensure you are meeting the PCI compliance guidelines set by the card associations (Visa, MasterCard, AMEX, and Discover).

    Will I need to upgrade my equipment or software to become PCI compliant?
    As part of becoming PCI compliant, you may be required to upgrade your equipment and/or software to a PCI Data Security Standard certified version. You will need to contact your equipment and/or software vendor to discuss what options may be available and the costs associated with those options.

    What is PA-DSS and how does it relate to PCI DSS?
    The Payment Application Data Security Standard (PA-DSS) is a program formerly known as Payment Application Best Practices (PABP). It is managed by the same council that manages PCI DSS and was created to help software developers build secure payment applications that meet the requirements of PCI DSS. The PA-DSS requirements are derived from the PCI DSS standard. All POS applications must be PA-DSS certified by July 1, 2010.

    I’m already using a PCI-compliant terminal/gateway. Why does my business need to be certified for PCI compliance?
    The PCI Security Standards Council has various requirement programs. The Payment Application Data Security Standard (PA-DSS) is a set of requirements to help software vendors and others develop secure payment applications. Such applications do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and are built so that they support the merchant's compliance with the PCI Data Security Standard.

    Use of a terminal/gateway that runs PA-DSS certified software is one of many components that are evaluated in the assessment of an account’s PCI DSS compliance.

    Is ICVerify PA-DSS compliant?
    Yes. Since the release of version 4.0.4, ICVerify has fully met the requirements for PA-DSS. Version 4.1, the latest release, continues that certification and is fully certified by the Payment Card Industry Security Standards Council (PCI-SSC). Versions 4.0 through 4.0.3 were certified as PABP compliant. Merchants using versions of ICVerify prior to version 4.0.4 should contact their merchant provider, bank or original place of purchase about upgrading to the latest version to ensure they are meeting the latest industry standards. Download the PCI Security Standards Council letter.

    To go to the PCI Security Standards Council website and see our listing, please click here. Click on “Validated Payment Applications” on the left-hand side. Once you read and agree to their disclaimer, you will be able to search by either company name (First Data) or application name (ICVerify).

    What changes were made to ICVerify in order to become PA-DSS compliant?
    The specific change requirements can be found in Appendix A to the PA-DSS Implementation Guide that is included with every copy of ICVerify. You may also find the PA-DSS Implementation Guide here on our website. Appendix A of the Implementation Guide may be found here.

    Below are just some of the key changes made in this release for PA-DSS:

    In accordance with the guidelines of the Payment Application Data Security Standard (PA-DSS), the following changes and enhancements have been added to the software. Points 1 through 8 have been in the software since version 4.0.4. Points 9 through 12 are new to version 4.1:

    1. In the User Manager application, "View Full Data in GUI" privilege will not be assigned to any profile by default. It must be manually added to any user profile if business needs warrant.
    2. If you do not have the "View Full Data in GUI" privilege, the account number will be masked in the ICVERIFY GUI when you select the customer name from the customer name field.
    3. All merchants who use the Import and Export functionality of ICVERIFY are recommended to use only the encrypted file format when importing or exporting transactions. This is the default setting. If you have a legitimate business need to use the unencrypted format, please uncheck the encrypted flag on the import and export screen.
    4. In ICVERIFY and the User Manager applications, passwords must meet the following criteria: (1) passwords must be a minimum of 8 and a maximum of 16 characters in length; (2) must contain at least one alphanumeric character; (3) must contain at least one digit; (4) must contain at least one special character. The following are examples of complex passwords:
      • red4bal!oon5
      • rome0&julie8
      • @uth3nt1cate
    5. At the time of SQL Server 2005 installation, you will need to provide a complex password for the database. This is a change from earlier versions of ICVERIFY where there was one default password.
    6. When upgrading an existing ICVERIFY installation to ICV 4.0.4, please confirm that all history data and customer data are intact after the upgrade. Once confirmed, the PCVXSecureDelete.exe that comes with the ICVERIFY installation must be run to securely delete the old data directories. After this step, you will be able to process transactions.
    7. "View Full Data in Report" privilege will no longer be available in ICVERIFY.
    8. INTEGRATORS: ICVERIFY will accept only encrypted request files in REQ-ANS mode. Request files sent in plain text will be discarded.
    9. INTEGRATORS: Previously, third-party POS integrators used the Encryption Manager Interface to encrypt/decrypt their transaction data. As of version 4.1, the Encryption Manager is no longer available for integration. Instead, a new Windows service, ICVTnsServer, has been introduced with the ICVERIFY software package, offering 256-bit AES encryption/decryption for transaction processing. Third-party software integrators must integrate their client systems with the ICVTnsServer service to encrypt/decrypt transaction files. Clients communicate with the server over the SSL protocol. Details about integration with the ICVTnsServer Windows service are available in the SDK guide.
    10. Option "Never" for Password Lockout and Password Expiration has been removed from User Manager Application.
    11. Sensitive data in DBG files and LOG files will be masked.
    12. The JCard application now uses only SSL v3.0 and TLS v1.0 for SSL encryption when sending transaction messages to the host. Also, only cipher suites of 3DES, 128-bit or 256-bit strength are used for SSL encryption during host communication for all supported processors.
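    Two of the controls above, the password criteria in point 4 and the masking of sensitive data in log files in point 11, are easy to get subtly wrong, so here is an added illustration of both. This is example code written for this FAQ, not ICVerify code and not taken from the PA-DSS Implementation Guide. It assumes that "alphanumeric character" in rule (2) means at least one letter (digits are already covered by rule (3)), that "special character" means ASCII punctuation, and that a masked card number keeps only its last four digits, since the page does not say which digits remain visible. The sample log line and the card number in it are constructed test values.

```python
import re
import string

# Password criteria transcribed from point 4 above (assumed reading, see lead-in).
MIN_LEN = 8
MAX_LEN = 16


def password_violations(password: str) -> list:
    """Return the list of rules a password fails; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one letter")          # rule (2), read as a letter
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")           # rule (3)
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one special character")  # rule (4)
    return problems


def is_complex_password(password: str) -> bool:
    return not password_violations(password)


# A card number is 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; used to avoid masking order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible_last: int = 4) -> str:
    """Mask every digit except the last `visible_last`, preserving separators."""
    digit_count = sum(c.isdigit() for c in pan)
    hide = digit_count - visible_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= hide else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid card-number-looking run in a log line with its masked form."""
    def repl(match):
        raw = match.group(0)
        digits = "".join(c for c in raw if c.isdigit())
        return mask_pan(raw) if luhn_valid(digits) else raw
    return PAN_RE.sub(repl, line)


# Constructed sample log line; 4111111111111111 is a constructed test card number.
SAMPLE_LOG = ("2010-07-01 12:30:45 SALE ref=000123 amt=19.99 "
              "card=4111111111111111 exp=1212 result=APPROVED")

if __name__ == "__main__":
    for pw in ("red4bal!oon5", "rome0&julie8", "@uth3nt1cate", "password", "P@ss1"):
        print(pw, "->", password_violations(pw) or "ok")
    print(redact_log_line(SAMPLE_LOG))
```

    The three example passwords from point 4 pass the validator; `password` fails the digit and special-character rules and `P@ss1` fails the length rule. The log filter only masks digit runs that pass the Luhn check, so the timestamp, the reference number and the amount in the sample line are left untouched while the card number becomes `************1111`.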


    What is the PA-DSS Implementation Guide?
    The PA-DSS Implementation Guide was created to help merchants understand the importance of the latest security regulations and what those changes mean for them and their customers. Specifically, the guide goes through the various components of ICVerify and describes how each meets the latest security standards as outlined by PA-DSS. It also contains the requirements that ICVerify, and any application that integrates with ICVerify, must adhere to, and it provides guidelines for vendors/integrators as to which requirements are their responsibility.

    I have never heard of PCI compliance before. Is this new?
    No. Business owners began taking the PCI Self-Assessment Questionnaire (SAQ) to identify potential security risks to achieve PCI compliance starting in 2005. You may be more familiar with the payment brands’ programs that promote the implementation of the PCI DSS:

    • MasterCard: Site Data Protection (SDP) Program
    • Visa: Cardholder Information Security Program (CISP)
    • Discover Network: Discover Information Security & Compliance (DISC)
    • American Express: Data Security Operating Policy


    What am I required to do to become PCI compliant?
    The minimum requirement is to complete a Payment Card Industry Data Security Standard Self-Assessment Questionnaire (SAQ) on an annual basis and achieve a passing score. If you electronically store cardholder information or if your processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is also required. Please check with your Payment Compliance representative or your processor to ensure you are meeting the PCI compliance guidelines set by the card associations (Visa, MasterCard, AMEX, and Discover).

    If you have additional questions about how payment software helps you in securing your payment transactions, please contact us at paymentsoftware.support@firstdata.com.