Introduction

Scope and Target Audience

This guide covers AbleCommerce 7.0, and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the Payment Card Industry (PCI).

PCI Data Security Standard (PCI DSS)

In 2006 American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International formed the Payment Card Industry Security Standards Council. The main purpose of the council is to produce and maintain the Data Security Standard (DSS). This is a set of rules and requirements that when followed will help prevent fraud, hacking, and other threats to private cardholder data. The main objectives of the PCI DSS are as follows:

  • Build and Maintain a Secure Network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Use and regularly update anti-virus software
    • Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Maintain a policy that addresses information security

You can find and review the complete specification by visiting the URL below.
https://www.pcisecuritystandards.org/

This guide is intended to help merchants implement the AbleCommerce application in a way that is compliant with version 1.2 of the PCI DSS.

Payment Application DSS (PA-DSS)

The Payment Application Data Security Standard was originally created by Visa (as Payment Application Best Practices – PABP) as an aid to software providers to help build secure payment applications. PA-DSS validation proves that an application can be implemented in a way that is compliant with the PCI DSS.

AbleCommerce has been designed and certified to meet all of the requirements of the PA-DSS version 1.2. This does not automatically make you, the merchant, PCI DSS compliant. It is necessary that the recommendations and instructions in this guide are followed.

For additional information about PA-DSS, or to view AbleCommerce in the official list of validated applications, please visit the URL below.
https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

PCI Compliance and Validation

The PCI Security Standards Council is not a compliance organization. They do not require compliance, but individual payment networks may. Visa is one such example. They require you to comply with the PCI DSS, and you must complete some degree of validation based on the annual transaction volume processed. All merchants who handle Visa payments are required to perform at least some level of validation. The URL below directs you to Visa’s Cardholder Information Security Program (CISP) and has complete details and validation procedures.
http://www.visa.com/cisp

A qualified security assessor is the only one who can validate your PCI compliance. A current list of assessors is maintained by the PCI and can be found at this URL:
https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Chief Security Officers performed the PA-DSS certification for AbleCommerce 7.0. They can be contacted via any one of the following:

Chief Security Officers
http://chiefsecurityofficers.com/
9821 N. 95th Street, Suite 105
Scottsdale, AZ 85258
Phone: 888-237-3899
FAX: 480-275-4818
Email: info@chiefsecurityofficers.com