PCI and PABP Compliance

Implementation of an eCommerce solution requires careful control to ensure proper compliance with merchant processing requirements.

PCI DSS: Payment Card Industry Data Security Standard. PCI DSS is the result of a collaboration between Visa and MasterCard to create common industry security requirements; the other card companies have since adopted these standards.

CISP: Cardholder Information Security Program (Visa)

PABP: Payment Application Best Practices - guidelines that a vendor like EnvisionWare must follow in the creation and delivery of eCommerce applications.

A helpful guide for US customers is available from Visa as a PDF.

PCI Compliance

EnvisionWare is a payment application vendor. At no point does EnvisionWare store, process, or transmit cardholder data in our environment. As such, PCI DSS does not apply to EnvisionWare itself.

PCI applies to the organization that actually hosts EnvisionWare eCommerce Services, which includes our customers. PCI requirements state that a library is required to obtain PCI certification from a third-party assessor only when the total number of transactions per year equals or exceeds one (1) million. Thus, unless you plan to process more than 1 million payments per year, you are not required to obtain this formal PCI certification.

For more information, visit www.visa.com/cisp.

Your environment must still meet the PCI DSS requirements, even without formal certification.

The basics of PCI DSS are as follows:

  1. Build and maintain a secure network - operate behind a firewall and never use vendor-supplied default passwords.
  2. Protect cardholder data - encrypt data across the network (EnvisionWare eCommerce Services encrypts all data).
  3. Maintain a vulnerability management program - keep your anti-virus software and other applications up to date.
  4. Implement strong access control measures - control access to your server; do not share user IDs.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

PABP Compliance

At the present time, PABP is a best practice. EnvisionWare completed an internal audit to ensure our compliance with PABP standards. PABP will become a mandatory requirement in July 2008. Prior to that date, EnvisionWare will have completed the certification process and will provide all EnvisionWare eCommerce Services customers with a link to the compliance record.

Payment Servers

EnvisionWare eCommerce Services integrates with a variety of payment servers, which in turn connect to merchant processors.

For customers using Moneris, please state to Moneris that you will be using the eSELECTplus product via the API in a card-not-present manner, not in an eCommerce manner. This clarifies to Moneris that EnvisionWare does not fall under the PCI compliance guidelines.

For customers using the PCC payment server option, information about PABP compliance is available from Professional Services and is provided as a standard part of the planning and implementation program.

EnvisionWare closely monitors PABP, CISP, and PCI guidelines for all countries where EnvisionWare eCommerce Services is or will be deployed. Our goal is the delivery of secure products that offer versatile solutions for our customers.