
Encryption of Credit Card Data: Now and 1999-1990

Status
Not open for further replies.

Nightbug

MIS
May 26, 2005
1
US
Does anyone have information regarding encryption when storing credit card information and when, and if, various POS companies have begun encrypting their credit card data? I am specifically interested in this info as it relates to 1999 to 1993. Encryption and various other compliance measures like truncation of numbers on receipts are scheduled to go into effect in the near future. But what about storage of this information? Was it just stored without doing anything extra to it, like in the Micros 2700 guest check detail file, or do various companies actually secure this data using their own methods? And if so, how does one know what the standard is for securing this information, i.e. what methodology to use? 3DES, for example, although it is widely pushed by Visa and MC, has been broken. So what's the standard? And who sets it? Do POS manufacturers have the onus of securing data, or do the standards come down the pike from the merchant, since there are no direct relationships nor legal contracts between credit card companies and manufacturers?
 
The best advice is that the POS not store the full credit card information and instead, only store the card type and last four digits. To accomplish this, you will need a reliable gateway provider that specializes in securing this data.

The next best option (and minimum requirement) is to encrypt any card information stored and only store what is absolutely necessary. The latest security regulations (Payment Card Industry Data Security Standards or PCI DSS) require 128-bit 3DES or better encryption. With many POS environments, this is a difficult feat to accomplish, so option 1 would be the only alternative.

PCI DSS, which is a conglomeration of VISA's, MasterCard's, AMEX's and possibly others' security requirements, is already a requirement -- it's just that the fines and penalties have not fully made it to the merchants.

All three of the majors (VISA, MasterCard & AMEX) have information on their sites about the requirements. I usually prefer to reference VISA's version because it is the most complete.

I know that Micros 2700 is not compliant and based on my experience with Micros (we wrote 8700, 9700 and 3700 native drivers ourselves for our gateway), I seriously doubt Micros will help you to get the 2700 compliant.

Sorry if this was not the answer you wanted to hear. Good luck!
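As an added illustration of option 1 above (example code written for this page, not code from the thread, from Micros or from any gateway), a Python sketch that keeps only the card type and last four digits of a card number and produces the truncated receipt line the question mentions. The issuer prefix patterns are a simplified assumption for the example, not a real BIN table, and the test numbers used are the well-known public test PANs.

```python
import re
from dataclasses import dataclass

# Simplified issuer prefixes (assumption for this example; real BIN tables are far larger).
CARD_PREFIXES = (
    ("AMEX", re.compile(r"^3[47]\d{13}$")),
    ("VISA", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("MASTERCARD", re.compile(r"^5[1-5]\d{14}$")),
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects mistyped numbers before anything is sent or stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_type(pan: str) -> str:
    for name, pattern in CARD_PREFIXES:
        if pattern.match(pan):
            return name
    return "UNKNOWN"


@dataclass(frozen=True)
class StoredCard:
    """The only card data the POS keeps: brand and last four digits, never the full PAN."""
    card_type: str
    last4: str


def minimise(pan: str) -> StoredCard:
    digits = re.sub(r"\D", "", pan)          # strip spaces/dashes from swiped or keyed input
    if not digits.isdigit() or not luhn_ok(digits):
        raise ValueError("invalid card number")
    return StoredCard(card_type(digits), digits[-4:])


def receipt_mask(pan: str) -> str:
    """Receipt truncation: all but the last four digits replaced."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]
```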
