PCI-DSS Compliance

PCI-DSS refers to the credit card industry's security compliance process for credit card merchants and software providers. More information on PCI-DSS is available on the PCI-DSS official website.

SMS version 8.9 was the first version to meet the general conditions for PCI-DSS certification; however, official (external) certification was not sought until SMS 8.9pci.

Changes to Credit Card Processing

SMS 8.6 implemented secure credit card storage and restricted information (VCodes), but Cyrious chose to implement a more comprehensive security model with SMS 8.9pci.
  • Credit card processing now runs in a separate service outside of the SSLIP. The name of the service is C3SBR.
  • C3SBR functions as an independent security and credit card service.
  • Communication with C3SBR is implemented using Microsoft .NET 3.5 transactions to ensure integrity of processing.
  • The SSLIP must be running as a user in the CyrCCProcessor group in order to be allowed to communicate with C3SBR.
  • All credit card information is sent encrypted between the SSLIP and the C3SBR.
  • The C3SBR manages all encrypted credit card information in the database.
  • Control stores only masked versions of the credit card information (e.g. ---8948 as the card number). Control never accesses the database tables that hold secure information.

Changes to Credit Card Storage

  • New tables managed by C3SBR were created. These tables are independent of any existing Control tables and can be located in the same or a different database.
  • All non-masked credit card information was transferred to the new database tables managed by the C3SBR service.
  • All encrypted credit card information was deleted from the existing database tables (and rewritten with blank data).
  • Transactional logs are maintained by C3SBR separately from any journals in Control.

TDES Keys

TDES uses a three-key system. Each of these keys is necessary to encrypt and decrypt the information. The keys are supplied as follows:
  • Customer Supplied. Each customer supplies one key. This means that even Cyrious employees are not able to decrypt the customer's database.
  • Program Supplied. Each Cyrious program supplies the remaining two keys. Note that SMS-encrypted data will differ from Control-encrypted data even if the customer key is the same.

New Credit Card Options

Several new credit card options were required for PCI compliance.
  • Customer TDES Key. Enter a phrase used to generate the customer's TDES key (1 of the 3 keys) used to encrypt all credit card information. The Customer Key is itself encrypted using TDES (and private keys).
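The Go program below is an added example, not Cyrious code, that shows the two properties described above: the three-key split (one key half derived from the customer's phrase, two supplied by the program, and only the assembled 24-byte key decrypts), and the masking rule under which Control stores nothing but the last four digits. How the phrase becomes a key, the program key bytes, the CBC/PKCS#7 framing and the function names are all assumptions made here rather than details the page gives; the card number is constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Program-supplied key halves. The page says each Cyrious program supplies two
// of the three TDES keys; these bytes are constructed for the example only.
var (
	smsProgramKeys     = [][]byte{{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}, {0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01}}
	controlProgramKeys = [][]byte{{0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87, 0x98}, {0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f, 0x10}}
)

// customerKeyFromPhrase turns the phrase the administrator enters into the
// 8-byte customer key. The page does not say how the phrase is processed;
// SHA-256 truncated to 8 bytes is an assumption made here.
func customerKeyFromPhrase(phrase string) []byte {
	sum := sha256.Sum256([]byte(phrase))
	return sum[:8]
}

// tdesKey assembles the 24-byte three-key TDES key: the customer key first,
// then the two program keys. Without all three the data cannot be read.
func tdesKey(customer []byte, program [][]byte) []byte {
	return append(append(append([]byte{}, customer...), program[0]...), program[1]...)
}

// newIV returns a fresh random IV; CBC must never reuse one under the same key.
func newIV() []byte {
	iv := make([]byte, des.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err) // no entropy available: refuse to continue
	}
	return iv
}

// encryptPAN encrypts a card number with TDES-CBC and PKCS#7 padding under the
// given IV, returning IV||ciphertext. A caller-chosen IV is accepted only so
// that the effect of the key alone can be compared; use newIV() in practice.
func encryptPAN(key, iv []byte, pan string) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	n := des.BlockSize - len(pan)%des.BlockSize
	pt := append([]byte(pan), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...), nil
}

// decryptPAN reverses encryptPAN; a wrong key yields garbage that almost always
// fails the padding check and never yields the real card number.
func decryptPAN(key, data []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return "", errors.New("ciphertext length invalid")
	}
	pt := make([]byte, len(data)-des.BlockSize)
	cipher.NewCBCDecrypter(block, data[:des.BlockSize]).CryptBlocks(pt, data[des.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// maskPAN is the only form Control may store: all but the last four digits
// replaced, in the style of the page's "---8948" example.
func maskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("-", len(pan))
	}
	return strings.Repeat("-", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	pan := "4111111111118948" // constructed test number, not a real account
	key := tdesKey(customerKeyFromPhrase("example customer phrase"), smsProgramKeys)
	ct, _ := encryptPAN(key, newIV(), pan)
	pt, _ := decryptPAN(key, ct)
	fmt.Printf("C3SBR stores: %x\nControl stores: %s\nC3SBR recovers: %s\n", ct, maskPAN(pan), pt)
}
```

Running it shows that data encrypted under the SMS program keys cannot be read with the Control program keys even though the customer phrase is identical, which is the point the TDES section makes. TDES is the algorithm the page documents; NIST has since deprecated it, so a new deployment would use AES, but the key-split property demonstrated here does not depend on the cipher.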

Changes related to User Logins

Access to the credit card system is only as secure as the logins of anyone with legitimate access to the same information. Control required several changes to fully meet PCI recommendations and requirements for user login security.
  • Passwords must be changed every 90 days.
  • Passwords must meet minimum security standards: at least 6 characters, containing at least one number, one upper-case letter, and one lower-case letter.
  • A new password may not match any of the user's previous 4 passwords.
  • Passwords are now encrypted using TDES (private keys).
  • No default passwords are allowed. On first start-up, Control and the SSLIP automatically remove any default passwords left in the system. Blank passwords are also disabled. If the administrator password is not set or is set to the default, the user will be prompted for a password before continuing.
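As an added example (not Control's own code), the Go program below encodes the login rules just listed so each can be exercised: the complexity minimum, the 4-deep history, the 90-day expiry, and the refusal of blank or default passwords at start-up. The default-password list, the salt, and the digest storage are assumptions; the page names no defaults and stores passwords TDES-encrypted.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"slices"
	"time"
	"unicode"
)

// Policy values from the page: 90-day rotation, 6-character minimum, last 4 kept.
const (
	minLength      = 6
	historyDepth   = 4
	maxPasswordAge = 90 * 24 * time.Hour
)

// Vendor defaults the first start-up purge refuses. The page names none; these
// are constructed placeholders, not Cyrious's actual defaults.
var defaultPasswords = []string{"", "password", "admin"}

// Account keeps salted digests of the last historyDepth passwords, current
// first. The page stores passwords TDES-encrypted; a one-way digest is used
// here instead because the policy only needs equality checks.
type Account struct {
	Salt      string // per-account random salt (constructed in the example)
	History   []string
	ChangedAt time.Time
}

func digest(salt, pw string) string {
	sum := sha256.Sum256([]byte(salt + "\x00" + pw))
	return hex.EncodeToString(sum[:])
}

// CheckComplexity: at least 6 characters with a digit, an upper-case letter
// and a lower-case letter.
func CheckComplexity(pw string) error {
	var digit, upper, lower bool
	for _, r := range pw {
		digit = digit || unicode.IsDigit(r)
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
	}
	if len([]rune(pw)) < minLength || !digit || !upper || !lower {
		return fmt.Errorf("password needs at least %d characters, a digit, an upper- and a lower-case letter", minLength)
	}
	return nil
}

// NeedsResetAtStartup mirrors the first start-up check: no password set, or a
// blank or default one, means the user is prompted before continuing.
func (a *Account) NeedsResetAtStartup() bool {
	return len(a.History) == 0 || slices.ContainsFunc(defaultPasswords, func(d string) bool {
		return digest(a.Salt, d) == a.History[0]
	})
}

// Expired reports whether the 90-day change interval has elapsed.
func (a *Account) Expired(now time.Time) bool {
	return now.Sub(a.ChangedAt) >= maxPasswordAge
}

// ChangePassword applies every rule, then rotates the history so the last 4
// passwords (the new one included) stay blocked from reuse.
func (a *Account) ChangePassword(newPw string, now time.Time) error {
	if slices.Contains(defaultPasswords, newPw) {
		return errors.New("blank and default passwords are not allowed")
	}
	if err := CheckComplexity(newPw); err != nil {
		return err
	}
	d := digest(a.Salt, newPw)
	for _, old := range a.History {
		if subtle.ConstantTimeCompare([]byte(d), []byte(old)) == 1 {
			return fmt.Errorf("password matches one of the last %d passwords", historyDepth)
		}
	}
	a.History = append([]string{d}, a.History...)
	if len(a.History) > historyDepth {
		a.History = a.History[:historyDepth]
	}
	a.ChangedAt = now
	return nil
}

func main() {
	a := &Account{Salt: "constructed-salt"}
	fmt.Println("reset required at start-up:", a.NeedsResetAtStartup())
	fmt.Println("weak password rejected:", a.ChangePassword("abcdef", time.Now()))
	fmt.Println("strong password accepted:", a.ChangePassword("Passw0rd", time.Now()))
}
```

One design point: the history comparison works on salted one-way digests because the rules only ever need an equality test. PCI DSS requires stored passwords to be rendered unreadable, and a digest cannot be turned back into the password even if the table is copied, which is the usual reason to prefer it over reversible encryption for password verifiers.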

See Also

Because the credit card processing engine works through the SSLIP and is the same in SMS and Control, much of the reference material for PCI processing is found on the Control WIKI site.