Allied’s line of forecourt controllers stood up to the strict security standards put forth by the Payment Card Industry (PCI) as they recently passed the Visa-required audit. Allied employed the services of the PABP auditing firm Coalfire Systems, Inc. to assess the compliance of the popular NeXGen and ANDI/SSC systems.
Allied Software Engineer Lou Seitchik developed the PABP compliant software and worked closely with the Coalfire auditors to ensure that the NeXGen and ANDI/SSC systems met the strict Visa requirements as put forth in the Payment Card Industry (PCI) Data Security Standard (PCI DSS).
“The most significant software changes involve the deletion of track data after transaction completion, the removal of cardholder data from log messages, and the addition of access controls to protect against unauthorized viewing of data or changing of critical parameters,” said Lou. “Further, Allied’s documentation and software development processes are now consistent with industry-accepted best practices.”
Jack Dickinson, Manager of Engineering and Development at Allied, mentioned the importance of the forecourt piece of the PCI compliance puzzle. “PCI has been an important initiative for Allied Electronics, Inc,” said Jack. “Companies have been concerned with their POS and internal operations and we feel the forecourt in some cases has been overlooked.”
The unprecedented security measures are being implemented industry wide by software vendors who develop payment applications that store, process, or transmit cardholder data as part of an authorization or settlement. Vendors who fall into this category are required to undergo a rigorous audit which often requires software changes.
Failure to make the required changes can result in major fines on the part of the retailers. There are penalties as high as $25,000 per month for missing pre-determined deadlines. Should Visa cardholder data become compromised, the company is prepared to hand out fines as much as $500,000 per incident.
As Visa has already begun levying fines and interrupting card processing for non-compliance violations, the urgency to implement the PCI’s standards is definitely being felt.
“We realize the pressure that our integrators and end-users are under and we feel this will help alleviate the concerns with regards to our line of forecourt controllers,” said Dickinson.
Allied’s audit began in December of 2007 and was completed in January of 2008. Coalfire performed the audit in Allied’s San Diego lab. Lura Lee, Coalfire’s Director of PABP Compliance Services, spoke of Allied’s audit. “Visa’s Payment Application Best Practice standards are complex to implement for many organizations. To efficiently and competently achieve compliance, it requires the focus of staff and the guidance of an experienced auditor,” said Lee. “Allied found the perfect balance.”
Lee is referring to the combined efforts of Coalfire PABP auditor Mahfouz Ali and Allied’s engineering group.
“Coalfire joined with Lou Seitchik and his team to test the required technical and governance controls, and validate Allied’s PABP compliance.” Lee continued, “Lou understood the need to be forthright and attentive while working with us to validate and improve Allied’s application security.”
Technical documentation detailing all of the changes was distributed and two informational Webinars have already been conducted to specifically outline the changes made to the ANDI interface and the impact to Allied’s vendors and integrators. Changes include:
- Deletion of track data after authorization
- Removal or masking of sensitive data in logs
- Protection of data in store/forward
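The first two items above, dropping track data once it is no longer needed and keeping cardholder data out of logs, are the kind of change a log-scrubbing filter in front of the logger enforces. The following is an added illustration written for this page, not Allied’s NeXGen/ANDI code: it strips full magnetic-stripe track 1 and track 2 strings from log lines, masks any Luhn-valid 13–19 digit number down to first-six/last-four, and offers a post-scrub check a QA lab could run over a log file. The log lines, card numbers (standard test PANs), and field names are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 1: %B<PAN>^<name>^<expiry/service/discretionary>?
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]*\^[^?]*\?")
# Track 2: ;<PAN>=<expiry/service/discretionary>?
TRACK2_RE = re.compile(r";\d{12,19}=[^?]*\?")

# Constructed sample log (hypothetical field names; 4111... and 5555... are test PANs).
SAMPLE_LOG = [
    "2008-01-15 10:02:11 AUTH pump=3 pan=4111111111111111 amt=45.10 result=APPROVED",
    "2008-01-15 10:02:11 DEBUG raw=;4111111111111111=25121011000012345678?",
    "2008-01-15 10:03:40 DEBUG raw=%B5555555555554444^DOE/JOHN^2512101123456789?",
    "2008-01-15 10:04:02 INFO txn_id=1234567890123 status=SETTLED",
]


def luhn_ok(digits):
    """Mod-10 check; used to avoid masking ordinary numeric ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most first six and last four digits, the common PCI DSS display rule."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line):
    """Remove whole track strings first, then mask any remaining Luhn-valid PAN."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)

    def mask_if_pan(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(match.group(0)) if luhn_ok(digits) else match.group(0)

    return PAN_RE.sub(mask_if_pan, line)


def scrub_log(lines):
    return [scrub_log_line(line) for line in lines]


def contains_cardholder_data(line):
    """Post-scrub check: True if a track string or a Luhn-valid PAN is still present."""
    if TRACK1_RE.search(line) or TRACK2_RE.search(line):
        return True
    return any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RE.finditer(line))


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, scrub_log(SAMPLE_LOG)):
        print(after, "| clean" if not contains_cardholder_data(after) else "| STILL SENSITIVE")
```

Track data is removed outright rather than masked because the expiry, service code and discretionary data in it are not permitted in storage at all after authorization; the PAN is masked instead of dropped so that the log still supports transaction lookup by last four digits. The Luhn check is what keeps the 13-digit transaction id in the last sample line readable.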
PCI compliant software versions for several of Allied’s customers are under test in the QA lab, and customers and vendors continue to request it for their own PCI compliance. Allied will continue to maintain both compliant and non-compliant versions of software. Per the PCI DSS, Allied will conduct annual reviews of all PABP software and related documentation as well as hold training sessions to keep vendors and integrators apprised of any changes.
Coalfire submitted Allied’s Report on Validation to Visa and expects the NeXGen and ANDI/SSC controllers to be PABP-certified and published to Visa’s Website as a confirming application by the end of March.
Of course, PCI compliance does not end with the audit completion letter, at least according to Jack Dickinson. “The natural next target for everyone is migrating compliance to the outdoor payment terminals,” he said. “We feel our compliance puts us ahead of the curve as we work to address the next series of PCI/PABP requirements.”
Contact Allied Electronics for more information regarding PCI compliance and its PABP-certified software.