April 2006
FREQUENTLY ASKED QUESTIONS ABOUT PCI/CISP COMPLIANCE By Chris Odediran

Point of sale operators are suddenly being bombarded with information about PCI/CISP compliance, to the extent that the volume of available information may be overwhelming. In a nutshell, the following are the most frequently asked questions, to help you quickly understand what it is all about.

What is SDP / CISP / PCI?
It is a standard that many businesses must adhere to in order to help protect consumer data. CISP (Cardholder Information Security Program) is a Visa security standard that is designed to help protect all levels of business from fraud and loss of data. MasterCard has a similar program called SDP (Site Data Protection). CISP / PCI is a standard that is designed to help secure and protect sensitive data specifically relating to the payment card industry. CISP compliance extends beyond online businesses and applies to Retail (brick-and-mortar) and MOTO (keyed entry) businesses in addition to ecommerce. CISP compliance is emphasized more than the SDP program because it is more restrictive and better organized.

Who must be PCI/CISP compliant?
PCI / CISP is designed to be implemented by any business that accepts or facilitates credit card transactions or handles sensitive credit card and user information. If you use your Positouch system to accept credit cards, then you are required to be compliant.

How are the requirements enforced?
Under their contractual obligations, Visa can fine the members and processors up to $500,000 for any incident where one of their merchants isn't CISP-compliant and doesn't rectify security issues or has a security breach. Not only can Visa fine the acquiring member institution, but they can reach down and put restrictions on merchants or ban merchants from participating in Visa programs.

If I’m CISP-compliant, am I protected from these penalties?
Yes, according to the published rules, if a merchant is CISP-compliant, then the member/processor is protected from fines. The restaurant's contract with the processor would reflect the same protections under the CISP rules, and the processor wouldn't be able to fine the POS operator when CISP-compliant.

But if I’m not compliant?
You would be subject to heavy fines and penalties depending upon your contract with your processor.

What are the fines and penalties?
CISP compliance is a very serious matter. Non-compliance can cost you money, time, and reputation. If your systems are not CISP-compliant, your business is at extreme financial risk. Visa and MasterCard can shut down or fine non-complying merchants. Because it is impossible to monitor every business and organization, only larger companies were monitored at the beginning. Now, enforcement has been extended to small businesses like yours. It is the responsibility of a business to ensure that it takes the steps to become CISP compliant. If a business is not CISP compliant and a loss of data occurs, there is a $500,000 fine from Visa alone for losing data and an additional $100,000 fine just for not being CISP compliant. You can be fined as much as $600,000 for not becoming CISP compliant and losing data because of it. This applies to any business that accepts credit or debit cards. A single credit card number that is lost and is traced back to a business is considered a loss of data. Apart from the monetary penalties, it never looks good when a business loses data. News agencies jump on these stories and instantly make a business look like a criminal organization.

Where can I get more information about PCI-CISP Compliance?
Visa: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html?ep=v_sym_cisp
PCI Security Standards Council: https://pcisecuritystandards.org/

What are the specific requirements of compliance?

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of card-holder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to card-holder data.
  10. Track and monitor all access to network resources and card-holder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

What do you need CC Productions to do to comply?

•  Upgrade your Positouch system to version 531 if you are not already running this version.

•  Upgrade your credit card software to Transaction + Server version 7 or Midnight Express version 3.

•  Install a firewall and anti-virus/anti-spyware software if you have a broadband/high-speed Internet connection.

•  Implement a new password and authentication scheme on all of your system's components.

How long does it take to be compliant?
It depends on a number of factors, such as your hardware level, operating systems and payment. From the time that you sign a contract, expect two to three weeks.

Who must you call to discuss compliance?
Call Charles Reise or Ed Wood at our office, 1-800-507-5554.

telephone: 1-800-507-5554 | fax: 201-418-0022
email: posi-newsletter@c-c-p.com | web: http://c-c-p.com/

To view this email as a web page, go to http://c-c-p.com/. This email was sent by CC Productions, Inc (Positouch New York), 300 Observer Highway, Hoboken, NJ 07030

© CC Productions Inc. Information subject to change without notice. CC Productions not responsible for views expressed by external sources.