2. PSG Retailer PA-DSS Implementation Guide
Page 3 of 20
The Payment Application Data Security Standard Implementation Guide (PA-DSS Implementation Guide) is a software-vendor-provided guide on the responsibilities for implementing the PCI Security Standards as they apply to the specific software.[4][5]
1.4 Being PCI DSS and PA-DSS Compliant
PSG Retailer[6] uses PCCharge[7] software to process credit cards. PCCharge is a PA-DSS validated payment application[8] which has been integrated with PSG Retailer.
PCCharge is a PA-DSS validated solution that features many security safeguards and anti-fraud
controls. Through its use, stores are one step closer to achieving PCI (Payment Card Industry)
compliance and protecting their business interests.
PSG Retailer has been upgraded to be more secure and to help a store achieve PCI
compliance.
However, many aspects of PA-DSS include store, site, and user specific responsibilities outside
the scope and control of PSG Retailer software, PCCharge software, and PSG. The software
provider is responsible for providing a software specific PA-DSS Implementation Guide to help a
store be PCI compliant. The store is responsible for achieving all PCI DSS requirements.[9] This guide will assist a store in meeting those requirements to be PA-DSS compliant.
1.5 About the PSG PA-DSS Implementation Guide
There are 12 basic requirements for PCI compliance. The requirements have been grouped
into sections for the purpose of this guide.
The following pages contain a brief review of these requirements with PSG Retailer specific
guidelines. The store is responsible for knowing and meeting the PCI standards. PA-DSS
requirements and subsections not listed are not the responsibility of the software vendor.[10]
For more information, and to download detailed PCI requirements documentation, visit http://www.pcisecuritystandards.org
[4] ibid.
[5] Payment Card Industry (PCI). (2008). PA-DSS Program Guide. Retrieved from PCI Security Standards website: https://www.pcisecuritystandards.org/documents/pci_pa_dss_program_guide.pdf
[6] PSG Retailer is owned and authored by PSG, Inc. (2012), Toledo, OH.
[7] PCCharge is a product of VeriFone.
[8] PCCharge. (2012). PCCharge. Retrieved from http://www.pccharge.com. Last accessed December 27, 2011.
[9] Payment Card Industry (PCI), PA-DSS Program Guide, loc. cit.
[10] Payment Card Industry (PCI), PA-DSS Program Guide, loc. cit.
PA-DSS 11: Supplemental
Building a Strong Network
In order to maintain data security, a strong firewall configuration and policy should be in place:[16]
- Ensure the firewall policy includes both wired and wireless connections.
- Review firewall and router rule sets quarterly.
- Include a testing and approval policy for firewall standards.
- Document services and ports necessary for business.
- Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.
- Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks.
- Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
- Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
Guidelines can be found at the PCI Security Standards website:
https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf
https://www.pcisecuritystandards.org/security_standards/documents.php?category=supplements
PA-DSS 12.1
Topic
Encrypt non-console administrative access.
Background
When a person connects to a computer remotely over a local area network (LAN), wide area
network (WAN), VPN, intranet, extranet, internet, or any other network, this is non-console
administrative access.
Examples include Remote Desktop, GoToMyPC, VNC, pcAnywhere, and SSH. Any other
method where the user is not physically at the computer is more than likely also considered
non-console administrative access.
Unencrypted non-console administrative access (for example, telnet or VNC) is prohibited.
While non-console administrative access is neither supported by nor applicable to PSG Retailer, its use will not interfere with PSG Retailer.
Action
All non-console administrative access must be encrypted with technologies such as SSL/TLS, IPsec, SSH, or a secure VPN.
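The audit below is an added example and not part of the PSG guide: it scans `netstat -an` output (Windows or Linux format) for listening sockets that would offer the unencrypted non-console administrative access this section prohibits (telnet, VNC, rsh/rlogin), and separately lists the encrypted-capable services (SSH, HTTPS, RDP) whose configuration still needs to be verified. The port-to-protocol tables and the sample netstat output are constructed assumptions.

```python
import re
import subprocess
# Protocols that carry credentials and sessions in cleartext: prohibited.
CLEARTEXT_ADMIN_PORTS = {23: "telnet", 513: "rlogin", 514: "rsh"}
CLEARTEXT_ADMIN_PORTS.update({p: "VNC" for p in range(5900, 5910)})
# Encrypted-capable admin services: reported for review, not flagged
# (RDP still has to be configured to enforce TLS/NLA).
ENCRYPTED_ADMIN_PORTS = {22: "SSH", 443: "HTTPS", 3389: "RDP"}

# Windows: "  TCP    0.0.0.0:23   0.0.0.0:0   LISTENING"
# Linux:   "tcp   0  0 0.0.0.0:23   0.0.0.0:*   LISTEN"  (queue columns optional)
_LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<local>\S+)\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE)

def audit_listeners(netstat_text):
    """Return (prohibited, acceptable): lists of (port, protocol, local address)."""
    prohibited, acceptable = [], []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        local = m.group("local")  # e.g. 0.0.0.0:23, :::22, [::]:3389
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port in CLEARTEXT_ADMIN_PORTS:
            prohibited.append((port, CLEARTEXT_ADMIN_PORTS[port], local))
        elif port in ENCRYPTED_ADMIN_PORTS:
            acceptable.append((port, ENCRYPTED_ADMIN_PORTS[port], local))
    return prohibited, acceptable

# Constructed sample output (Windows lines plus one Linux line), not a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5900      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     203.0.113.7:443        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    try:  # audit the live host when netstat is available, else the sample
        text = subprocess.check_output(["netstat", "-an"], text=True)
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NETSTAT
    bad, ok = audit_listeners(text)
    print("prohibited:", bad, "\nverify encryption enforced:", ok)
```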
[16] Payment Card Industry (PCI). (n.d.). Information Supplements. Available at: https://www.pcisecuritystandards.org/security_standards/documents.php?category=supplements