The goal of the Payment Card Industry Data Security Standard (PCI DSS) 3.2 update is to strengthen security. After all, the last thing a merchant wants is to inform customers of a data breach that may have compromised their payment card or personal information — or to face the hefty fines or penalties associated with a breach.
While the requirements of this update are currently considered “best practices,” businesses will need to prepare for the changes in order to be in compliance by the enforcement date of February 1, 2018. Merchants must also comply with the change from SSL (Secure Sockets Layer) to TLS (Transport Layer Security), which will be enforced beginning June 30, 2018. In addition to working with Evergreen Point of Sale to comply with PCI DSS 3.2, you should also get assistance from an industry expert; a PCI audit company will go through all aspects of PCI compliance, not just what relates to your point of sale.
In Scope vs. Out of Scope
Understanding whether your IT systems are in scope or out of scope is key to determining your overall risk exposure with PCI DSS 3.2. Whether a point of sale (POS) system is in scope or out of scope will affect PCI compliance with regard to your Dinerware system.
In Scope Systems
Merchants that process credit cards by physically swiping the magnetic stripe on their Dinerware computers are considered “in scope” because consumer payment card data is passed through, and stored in, the POS system. In regard to PCI DSS 3.2, this means you may have more requirements to implement to comply with regulations:
- Latest Windows operating system (WIN7 or WIN10) running on all Dinerware computers
  - Note: Microsoft Windows XP and variations such as POS Ready 2009 are not compliant with PCI DSS 3.2
- Dinerware POS version 3.7.3 and higher (current recommended version is Dinerware v3.7.5)
- A physical network firewall segregating the POS network from all other networks
  - This provides the added security that is necessary to protect against external threats from hackers and other data breaches.
Other Ramifications of In Scope Systems
- You will need to implement multi-factor authentication if your POS system or network is being accessed remotely.
  - This pertains to anyone using a remote access tool such as LogMeIn or GoToMyPC.
- You will also need to make sure your service provider follows the new regulations for segmentation checks and penetration testing, and that they repeat this process every six months or after a change is made to your network.
Out of Scope Systems
“Out of scope” simply refers to systems where consumer card data is neither processed by nor stored in the point of sale system. Therefore, no consumer card data can be compromised in the event of a network hack or data breach. Evergreen POS customers often ask about chip card readers, also known as EMV (Europay, Mastercard, Visa) readers. While there are costs associated with implementing this new technology, there is a huge benefit: out of scope!
To make complying with PCI DSS 3.2 easier, you can implement external EMV chip card readers and take your POS system out of PCI scope. In addition to EMV providing additional security for your customers’ accounts, it also keeps card data out of your POS system.
EMV technology works together with point-to-point encryption (P2PE) and tokenization for a total security solution that minimizes risk:
- EMV chip: The chip embedded in credit cards has the latest security built into it. Unlike the magnetic stripe, the chip is much more difficult for thieves to counterfeit.
- P2PE: EMV card readers encrypt the information on the chip and send it directly to the processor, where the information is decrypted. Dinerware never sees the consumer data on the card.
- Tokenization: The processor authorizes or declines the card and then passes a token to Dinerware.
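The three-party flow above (reader encrypts, processor decrypts and tokenizes, POS stores only the token), as an added Python model that is not Dinerware or Evergreen POS code. The shared key, the HMAC-based toy cipher standing in for the reader's hardware encryption, and the sample card number are all constructed for the demonstration; the point it shows is that the POS code path holds no key material and its stored record never contains the PAN.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by reader and processor; the POS never holds it
# (a real reader uses hardware AES with per-transaction DUKPT keys).
_READER_PROCESSOR_KEY = b"constructed-demo-key-not-for-production"

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); symmetric, so it also decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[block_no * 32:(block_no + 1) * 32], ks))
    return bytes(out)

def luhn_ok(pan: str) -> bool:
    """Luhn check the processor runs before authorizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def reader_encrypt(pan: str) -> dict:
    """EMV/P2PE reader: the PAN is encrypted before it leaves the device."""
    nonce = secrets.token_bytes(12)
    return {"nonce": nonce, "ciphertext": _keystream_xor(_READER_PROCESSOR_KEY, nonce, pan.encode())}

class Processor:
    """The only party that decrypts; the token-to-PAN vault lives here, not in the POS."""
    def __init__(self) -> None:
        self.vault = {}  # token -> PAN

    def authorize(self, blob: dict, amount_cents: int) -> dict:
        pan = _keystream_xor(_READER_PROCESSOR_KEY, blob["nonce"], blob["ciphertext"]).decode()
        if amount_cents <= 0 or not luhn_ok(pan):
            return {"approved": False, "token": None}
        token = secrets.token_hex(16)  # random surrogate; nothing about the PAN is derivable from it
        self.vault[token] = pan
        return {"approved": True, "token": token}

def pos_sale(processor: Processor, blob: dict, amount_cents: int) -> dict:
    """The POS (Dinerware's role): forwards the opaque blob and stores only the token."""
    resp = processor.authorize(blob, amount_cents)
    return {"amount_cents": amount_cents, "approved": resp["approved"], "token": resp["token"]}

def pan_exposed(pos_record: dict, pan: str) -> bool:
    """Scope check: would a dump of what the POS stored reveal the PAN?"""
    return any(pan in str(v) for v in pos_record.values())
```

Running `pos_sale` with a reader blob and then `pan_exposed` on the returned record shows the POS-side data contains only the token, which is the property that takes the POS out of scope.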
The Solution for You
Determining PCI scope and implementing the technologies that will align with PCI DSS 3.2 compliance can be complex and time consuming.
Evergreen POS will help you evaluate your current technology, provide the software and hardware upgrades you need, and help you implement external EMV chip card readers to take your system out of PCI scope. Contact us today for a free assessment so that you can feel confident in your compliance as well as in the security of your customers’ data and your business.