Momentus is committed to ensuring the security of our customers’ payment data. We know the amount of knowledge and expertise that is needed to fully secure a payment collection environment to be in compliance with the Payment Card Industry Data Security Standards (PCI DSS). To that end, we’ve taken numerous steps to provide our customers with an industry-standard, PA-DSS compliant payment application. For those taking advantage of our Cloud environment, we offer a complete, peace-of-mind, PCI DSS compliant solution.
We understand, however, that there may still be many questions around the PCI Compliance topic. See below for some commonly asked questions and answers.
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standards (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. These requirements are designed to cover all aspects of payment data collection from the software application being used to the people collecting the data to the physical environment where the data and application reside.
What is PA-DSS Compliance?
PA-DSS (Payment Application Data Security Standards) is a set of requirements developed by the Payment Card Industry (PCI) Council as a way of ensuring that payment applications which collect payment data are properly secured. The Software has been independently verified to be in compliance with PA-DSS. To be PCI Compliant, a site must be using a PA-DSS certified payment application.
Can you store credit card numbers, expiration date, etc. and still be PCI Compliant?
Yes. An organization can store credit card numbers, expiration dates, cardholder names, etc. in a database and still be PCI Compliant as long as you are following the PCI guidelines. The payment application you use to collect payment data typically includes a PA-DSS Implementation Guide which instructs you on how to configure the application in a compliant manner. As long as you implement the payment application according to the guide, you can collect this information in a secure and compliant manner. Attached to this article is the latest PA-DSS Implementation Guide.
What about the number on the back of credit cards? Is that stored in the application?
The number typically found on the back of credit cards is referred to as the CSC number (Card Security Code), CVV number (Card Verification Value) or the CVC number (Card Verification Code). This number is usually 3 or 4 digits in length. The main purpose of the number is to prove that the individual using the card has the card in their possession when the transaction is not being made in person. It is simply an added layer of security when it comes to verifying the card: to process a transaction you need not only the card number but also the CSC number.
PA-DSS and PCI DSS requirements state that this number cannot be stored in any manner. Because of this, the software can request the number to process a transaction but never stores this value.
What is the encryption process used to secure cardholder data?
Momentus software fully complies with all PA-DSS requirements regarding encrypting cardholder data. In general, the application uses the Advanced Encryption Standard (AES) algorithm which has also been adopted by the U.S. government to protect classified data. The application uses a key length of 256 bits.
How are the encryption keys managed?
In order to properly encrypt the cardholder data, a key must be provided. This key is then used by the application to encrypt and decrypt the cardholder information. Each customer establishes their own encryption key, which is then stored in their database in accordance with the PA-DSS requirements regarding key storage. The complete workflow for establishing and maintaining encryption keys is outlined in the Implementation Guide. Again, this process fully complies with PA-DSS requirements.
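The two rules in the answers above, that the CSC/CVV is accepted for a transaction but never stored in any manner, and that stored cardholder data is encrypted with a 256-bit AES key established by the customer, can be shown in code. The Go program below is an added illustration written for this article; it is not Momentus code and does not describe how the application is built internally. It assumes the customer's key has already been loaded from the key storage the Implementation Guide describes, and it uses AES-256-GCM (an authenticated AES mode) as one reasonable choice, since the FAQ only names AES with a 256-bit key. The card number used is the well-known Visa test PAN, a constructed value, not real cardholder data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CardInput is what a transaction request carries in memory. The CVV is
// present only so the authorisation request can include it.
type CardInput struct {
	PAN    string // primary account number
	Expiry string // MM/YY
	Name   string
	CVV    string // used for the transaction, never copied into StoredCard
}

// StoredCard is the only shape ever written to the database. It has no CVV
// field at all, so the "cannot be stored in any manner" rule cannot be
// violated by a careless assignment.
type StoredCard struct {
	PANCiphertext []byte // AES-256-GCM output, nonce prepended
	Last4         string // for receipts and display
	Expiry        string
	Name          string
}

const keyLen = 32 // 256-bit key, the length the FAQ states the application uses

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN encrypts a PAN under key and returns nonce||ciphertext||tag.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the blob is self-contained.
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN; a wrong key or a tampered blob fails authentication.
func DecryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Last4 returns the final four digits of a PAN (or the whole value if shorter).
func Last4(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return pan[len(pan)-4:]
}

// ToStored converts a transaction's input into the persistable form: the PAN
// is kept only as ciphertext plus its last four digits, and the CVV is dropped.
func ToStored(key []byte, in CardInput) (StoredCard, error) {
	ct, err := EncryptPAN(key, in.PAN)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{PANCiphertext: ct, Last4: Last4(in.PAN), Expiry: in.Expiry, Name: in.Name}, nil
}

func main() {
	// Constructed key for the demo; the real key comes from the customer's key workflow.
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	in := CardInput{PAN: "4111111111111111", Expiry: "12/30", Name: "A Cardholder", CVV: "123"}
	sc, err := ToStored(key, in)
	if err != nil {
		panic(err)
	}
	pan, err := DecryptPAN(key, sc.PANCiphertext)
	fmt.Printf("stored last4=%s, ciphertext=%d bytes, no CVV field; round trip ok=%v\n",
		sc.Last4, len(sc.PANCiphertext), err == nil && pan == in.PAN)
}
```

The design point is that the non-storage of the CVV is enforced by the shape of the stored record rather than by a reminder in documentation, and that anything that does reach the database is ciphertext whose decryption depends on the customer-held key.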
Is the software PCI DSS certified?
PCI DSS certification does not apply to payment applications. However, using a PA-DSS certified payment application is one requirement within the many PCI DSS requirements that exist. The software is PA-DSS certified and thus can be used by a customer to fulfill the certified payment application requirement of PCI DSS.
Can the application be configured to not store any credit card information? If it is configured that way, does my organization still need to be PCI DSS compliant?
The application can be configured to never store credit card data. You can still process credit card transactions through the application but no sensitive cardholder data is stored.
As far as still needing to be PCI DSS certified, that depends on several factors. If you still collect cardholder data for processing purposes, then, yes, you need to consider the certification. If your organization never takes credit card payments except through online self-service websites, then you may not need to consider PCI DSS compliance. It is recommended that you contact a Qualified Security Assessor to review your specific situation. A list of available QSAs can be found on the PCI Council website:
https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
What kind of certification documentation is available from Momentus regarding PCI DSS and PA-DSS certifications?
The Cloud environment is PCI DSS compliant. An Attestation of Compliance (AOC) is available upon request. Please contact your Account Manager for more information.
The application is PA-DSS compliant. The application is listed on the Payment Card Industry (PCI) Council website under validated payment applications. The list can be viewed at the following web address. Search for the company name of Momentus.
https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true
I looked at the PCI Council website but didn’t see my version of the Software listed as compliant. Is my organization not compliant?
The PA-DSS Compliance level actually applies to the areas of the application that process cardholder data only – not the application as a whole. To that end, these areas have been grouped under a specific module called Credit Card Processing. To see which version of this module your application is using, view the PCI Compliance tab on the Help -> About screen. This tab shows the version of the module and a link to the PCI Council website showing this certification. As new versions of this module are developed, additional certifications will be attained and listed on the website.
Who can I contact with PCI DSS or PA-DSS compliance questions?
Email Ken Bell, Chief Information Security Officer (CISO), at security@gomomentus.com with any additional PCI DSS or PA-DSS compliance questions.