Will PCI standards kick 3000s out of service?
June 11, 2009
The answer to the question is being researched by HP 3000 customers today. Those who accept credit cards for payments, and process more than 20,000 Visa sales a year, are preparing for new standards from merchant banks to meet the Payment Card Industry (PCI) Data Security Standard (DSS).
All major credit card brands collectively adopted PCI DSS in 2006 as the requirement for organizations that process, store or transmit payment cardholder data. Ecometry's HP 3000 customers know their e-commerce software vendor will not be certifying HP 3000s for the 2010 standard. But it appears that Ecometry's owner Escalate isn't qualified to certify PCI compliance anyway.
The standard is broader than just software design, covering practices and processes as fundamental as whether and how to store cardholder data. (Don't, unless you must; encrypt thoroughly if you do.) Escalate wants to convert every Ecometry site to the Unix/Windows versions of the app, which Escalate will be glad to assure as PCI DSS compliant.
But security vendor Paul Taffel, who has just rolled out new features in IDent/3000, says Ecometry is far from the only route to implementing compliant standards. A Qualified Security Assessor (QSA) can perform an audit to verify compliance, so 3000 sites can continue to process credit card transactions. Or so it appears. Merchant banks will decide.
The PCI Web site and associated white papers include a vast, 28-page listing of QSA providers. A PCI council certifies these providers. QSA status is conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements and have taken the appropriate training from the PCI Security Standards Council. They must also be employed by an Approved PCI Security and Auditing Firm. These assessors will be performing PCI compliance audits relating to the protection of cardholder data.
Third-party solutions are available to give 3000 sites better credit card security. "The combination of Fluent Edge’s credit card encryption with IDent’s other features, and Vesoft’s Logon security, together provide a robust set of features that certainly fulfill the spirit of the PCI requirements," Taffel says.
The simple answer, for the Ecometry sites that rely completely on Escalate services, would be yes: HP 3000s won't pass the PCI DSS. But any Ecometry site that plans to remain on the HP 3000 after 2010 will be using a third-party solution anyway, since the Ecometry app loses support in that year. These Ecometry customers are leaving their vendor behind to continue using an application that does the job without many problems. That no-fuss model is what made the 3000 an elegant and efficient business choice to begin with.