Since your objective as a merchant is to obtain PCI Compliance, we further define the PCI requirements here to facilitate your compliance process. Remember, Amadeus PMPRO has already been PABP (Payment Application Best Practices) certified, which alleviates the concern that our application could pose security risks that might prevent you from obtaining PCI Compliance. That is why we have obtained the PABP certification.
Systems which process payment transactions necessarily handle sensitive cardholder account information, such as credit card numbers and user passwords. The Payment Card Industry (PCI) Data Security Standard is a worldwide standard for payment card and consumer financial data protection. It incorporates the requirements of the Visa U.S.A. Cardholder Information Security Program (CISP) and the Visa International Account Information Security (AIS) program, the MasterCard International Site Data Protection (SDP) program, as well as the security requirements of American Express DSS, Discover Card DISC and the Japan Credit Bureau (JCB).
The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data.
To be in compliance with this standard, all of your company's Internet connections, assigned IP addresses, and all Internet-connected servers (Web, email, DNS, etc.) must have no level 3, 4 or 5 severity vulnerabilities in their most recent security audit. Audits must be conducted at least every 90 days. Various firms can assist with your scans, including Coalfire Systems and ControlScan.
The PCI DSS requirements apply to all system components within the payment application environment which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.
Install and maintain a firewall configuration to protect data.
Any PMPRO implementation should include the setting of strong passwords in both MS SQL Server and PMPRO. Do not use vendor defaults for system passwords and other security parameters.
To protect stored cardholder data, data encryption is used in the PMPRO database. Also, cardholder data can be purged by PMPRO users when there is no further business need for the information.
Clients are responsible for the encrypted transmission of cardholder data and sensitive information across public networks.
Use and regularly update anti-virus software
Develop and maintain secure applications
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security
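The requirement above to set strong, non-default passwords in MS SQL Server can be checked and enforced with T-SQL. The script below is an added example, not part of the PMPRO documentation; the login name pmpro_app and the database name PMPRO are assumed placeholders.

```sql
-- Added example (not from the PMPRO documentation): audit and harden
-- SQL Server logins on the instance that hosts the PMPRO database.
-- pmpro_app and the PMPRO database name are hypothetical placeholders.

-- 1. Audit: list SQL-authenticated logins and show whether the Windows
--    password policy and expiration are enforced, and whether sa is disabled.
--    Any row with is_policy_checked = 0 or is_expiration_checked = 0, or an
--    enabled sa login, is a finding against the "no default passwords" rule.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration
FROM sys.sql_logins
ORDER BY name;

-- 2. Harden: disable the built-in sa login so the well-known default
--    account cannot be used for authentication.
ALTER LOGIN sa DISABLE;

-- 3. Create a dedicated application login for PMPRO with the OS password
--    policy and expiration enforced (replace the placeholder password with
--    a generated strong passphrase before running).
CREATE LOGIN pmpro_app
    WITH PASSWORD = 'Replace-With-Generated-Strong-Passphrase-1!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 4. Grant the application login only the database access it needs
--    (least privilege): read/write on the PMPRO database, not db_owner
--    or the sysadmin server role.
USE PMPRO;
CREATE USER pmpro_app FOR LOGIN pmpro_app;
ALTER ROLE db_datareader ADD MEMBER pmpro_app;
ALTER ROLE db_datawriter ADD MEMBER pmpro_app;
```

Re-run the audit query after the changes to confirm that sa shows is_disabled = 1 and that every application login shows is_policy_checked = 1 and is_expiration_checked = 1.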