Cardholder Information Security Program in Counterpoint
Cardholder Information Security Program
In June 2001, Visa initiated the Cardholder Information Security Program (CISP) to
define and promote credit card security standards that reduce the risks and costs
associated with credit card fraud. In December 2004, Visa—in collaboration with
MasterCard and with the endorsement of Discover and American Express—published
version 1.0 of the Payment Card Industry (PCI) Data Security Standard, which outlines
a set of guidelines that merchants must follow in order to be considered PCI-DSS compliant. These guidelines stipulate, among other requirements, that credit card
numbers must be masked on printed receipts and that full card numbers may not be
retained on non-secured computer systems.
PCI-DSS compliance is essential to ensure that sensitive credit card information is
secure and that you are protected from any liability that could arise from the fraudulent
use of cardholder data obtained from your computer systems.
In April 2006, Visa certified CounterPoint SQL to be compliant with CISP and Payment
Application Best Practices (PABP) standards. CounterPoint SQL is listed on Visa’s
website (www.visa.com/cisp) as a Validated Payment Application.
The CounterPoint SQL online help includes topics to guide merchants in setting up
fully PCI-DSS compliant systems, including advice for adhering to requirements that
are not related to CounterPoint.
CPGateway also meets all PCI-DSS compliance standards. Radiant is named on
Visa’s website (www.visa.com/cisp) as a PCI DSS-Compliant Service Provider for
Configuring CounterPoint SQL properly is only part of an overall PCI-DSS compliance
strategy. Attaining PCI-DSS compliance requires you to evaluate your business
practices to make certain that you have the appropriate policies in place and that your
staff is vigilant to the risks of credit card fraud.
To ensure that you are following all published guidelines regarding PCI-DSS
compliance, download and review the PCI Data Security Standard from
www.visa.com/cisp. If you are not taking the necessary steps to adhere to the
requirements outlined in the PCI Data Security Standard, your business is open to
dangerous and potentially expensive liability.
While Radiant can assist you and your CounterPoint Business Partner in configuring
CounterPoint SQL to be PCI-DSS compliant, we cannot function as an independent
auditor or advisor regarding your general CISP compliance.
Refer to www.counterpointpos.com/cisp for additional information about PCI-DSS
CounterPoint PA-DSS Compliance
When your customer pays you with a credit card (in-store, online, or by phone), you
collect cardholder information. You need to protect that information. The card brands,
including Visa, MasterCard, American Express and others, enforce strict guidelines
based on the Payment Card Industry Data Security Standards (PCI-DSS) for any
system that processes, stores or transmits credit card data. This is just one component
of the 12 requirements that PCI administers to ensure that cardholder information is
secure and protected against theft.
As a merchant who accepts credit cards, you are responsible for adequately securing
your customers' cardholder information wherever it resides: on your computers, in a
drawer, or in a filing cabinet. If you fail to do so, Visa, the other card brands and your
bank, under the terms of your Merchant Processing Agreement, can hold you
accountable for fines, and for any losses they suffer from the fraudulent use of
cardholder data obtained from your business.
Although it is just one part of the overall PCI requirements, if your system is not PA-DSS validated, your business is at extreme financial risk. Get, and keep, your
CounterPoint system PA-DSS compliant with the CounterPoint Subscription Service.
PCI-Compliant Software and Services
In today's world of heightened security concerns, NCR is committed to providing you
with solutions that protect your customers' information. All of our latest software
versions go through an extensive audit process to ensure that they are validated with
the Payment Application Data Security Standards (PA-DSS).
NCR Counterpoint V7 and NCR Counterpoint are approved by Visa as PA-DSS
Validated Payment Applications. In addition, NCR Counterpoint Gateway and NCR
Counterpoint Online are approved by the PCI Security Standards Council (PCI-SSC)
as PCI-Compliant Service Providers. As PA-DSS-Validated Payment Applications,
NCR Counterpoint V7 and NCR Counterpoint adhere to all PA-DSS requirements
through the security features below:
Password security settings support PCI-compliant password policies.
All passwords and credit card numbers are encrypted.
Full credit card numbers are not displayed or printed; all card numbers are masked to
display only the first 6 and the last 4 digits.
Magnetic stripe track data is not retained in the CounterPoint database.
CVV2/CVC2/CID data (i.e., verification numbers printed on each card) is not retained.
Retention of full credit card numbers in history is optional; full card numbers retained
in history are encrypted.
Keeping Your Software Compliant
PA-DSS requirements will continue to change. To meet the PCI-SSC’s current and
future PA-DSS requirements, you must keep your CounterPoint software up to date.
CounterPoint Subscription Service (CSS) will keep your CounterPoint system
compliant with the PCI-SSC’s ever-changing requirements. With CSS, you
automatically receive new CounterPoint features and enhancements as they are added
to the software.
If your CSS is expired, you can renew online today.
Additional information can be found on the following websites:
Payment Application Data Security Standard
PCI Security Standards
Visa (Risk Management)