PCI and PAPB Compliance

Implementation of an eCommerce solution requires careful control to ensure proper compliance with merchant processing requirements.

PCI: Payment Card Industry Data Security Standard, or PCI DSS. PCI is the result of a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies have since adopted these standards.

CISP: Cardholder Information Security Program (Visa)

A helpful guide for US customers is available from Visa as a PDF.

PCI Compliance

Per the PCI PA-DSS Program Guide v. 1.1 dated April 2008, PA-DSS certification is required for payment applications that “store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.”
 
Because EnvisionWare does not itself process authorizations or settlements but instead uses a third-party module for this purpose, we are neither subject to nor eligible to receive PA-DSS certification. The application we use (termed the Payment Server) is PA-DSS certified and, as such, customers using EnvisionWare eCommerce Services™ meet the standards set forth by the PCI Security Standards Council under our collaborative partner's PA-DSS certification.

PCI applies to the organization that actually hosts EnvisionWare eCommerce Services, which includes our customers. PCI requirements state that a library is required to obtain PCI certification from a third-party assessor only when the total number of transactions per year equals or exceeds one (1) million. Thus, unless you plan to process 1 million or more payments per year, you are not required to obtain this formal PCI certification.

For more information, visit www.visa.com/cisp.

Even without formal certification, PCI still requires that your environment meet PCI requirements.

The basics of PCI DSS are as follows:

  1. Build and maintain a secure network: operate behind a firewall and do not use vendor default passwords.
  2. Protect cardholder data: encrypt data as it crosses the network (EnvisionWare eCommerce Services encrypts all data).
  3. Maintain a vulnerability management program, which includes keeping your anti-virus software and other applications up to date.
  4. Implement strong access control measures: control access to your server and do not share user IDs.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

Payment Servers

EnvisionWare eCommerce Services integrates a variety of Payment Servers which in turn connect to merchant processors.

For customers using Moneris, our implementation uses the eSELECTplus product through its API in a card-not-present manner rather than in an e-commerce manner. This designation makes clear to Moneris that EnvisionWare itself does not fall under PCI compliance guidelines.

For customers using the PCC payment server option, information about PAPB compliance is available from Professional Services and is provided as a standard part of the planning and implementation program. Your PCC Payment Server license and documentation provide all of the information you will need for your merchant processor.

EnvisionWare closely monitors PAPB, CISP, and PCI guidelines for all countries where EnvisionWare eCommerce Services is or will be deployed. Our goal is to deliver secure products that offer versatile solutions for our customers and remain at the forefront of secure eCommerce solutions.