How are you all handling the “Elephant in the Room” of PCI compliance?
We have certs etc and still fail our test from our vendor.
Any words of wisdom that will assist us all in handling this once and for all?
We accept credit cards through our bookstore manager and through ShopKeep in our cafe, and sometimes use Square. Plus we will be on ROCK and doing online giving, but as far as I know that is handled by TransNational.
We had to put our CoffeeShop CCR Machine on its own network so that it would pass the PCI compliance test for the vendor we use for that. It took us a while to figure out that this is what that vendor wanted us to do.
However, our PCI compliance for our ChMS is a bit easier since we do not take information; the giver/registrant must go online to process this information.
Hope this helps.
We use Microsoft RMS for our bookstore and Square for our two cafes.
Our payment processor, on their last invoice to us, notified us where we were not compliant in a couple of areas.
We needed to upgrade our certs to SHA-2 certs, as currently our certs are SHA-1.
They also mentioned we needed to make sure that we could take the Mastercard “2 series” BIN numbers.
RMS doesn’t look at or save any CC information, it simply passes the numbers to the processor.
Does your CC processor provide documentation on their requirements?
I would just encourage you to reach out to your payment processor and ask for their requirements documentation, and ask for a scan to see where you are on at least a bi-annual basis.
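The "2 series" BIN point above is easy to test for: a POS or validation routine that only knows the old 51-55 Mastercard range will reject the newer 2221-2720 range. The check below is an added example, not code from any poster or from RMS or Square; the BIN ranges are Mastercard's published assignments and the sample card numbers are well-known published test numbers, not real accounts.

```python
"""Compare a legacy brand check (51-55 only) with one that knows Mastercard's 2-series range."""
import re

# Mastercard's legacy six-digit BIN range and the 2-series range introduced in 2017.
MASTERCARD_LEGACY = (510000, 559999)
MASTERCARD_2SERIES = (222100, 272099)

# Published test PANs (constructed for this example's input; not real accounts).
TEST_PANS = [
    "5555555555554444",  # Mastercard, legacy 55 BIN
    "2223000048400011",  # Mastercard, 2-series BIN
    "4111111111111111",  # Visa
    "2223000048400012",  # 2-series BIN with a corrupted check digit
]


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def legacy_card_brand(pan: str) -> str:
    """How a pre-2017 routine classifies a PAN: Mastercard is only 51-55."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return "invalid"
    bin6 = int(pan[:6])
    if MASTERCARD_LEGACY[0] <= bin6 <= MASTERCARD_LEGACY[1]:
        return "mastercard"
    return "visa" if pan[0] == "4" else "unknown"


def card_brand(pan: str) -> str:
    """Updated classifier that also accepts the 2-series range."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return "invalid"
    bin6 = int(pan[:6])
    if MASTERCARD_2SERIES[0] <= bin6 <= MASTERCARD_2SERIES[1]:
        return "mastercard"
    return legacy_card_brand(pan)


def acceptance_report(pans):
    """Masked PAN, legacy brand, updated brand and Luhn result for each test number."""
    return [(p[:6] + "*" * (len(p) - 10) + p[-4:], legacy_card_brand(p), card_brand(p), luhn_valid(p))
            for p in pans]
```

Running `acceptance_report(TEST_PANS)` shows the 2-series test number coming back as "unknown" from the legacy check and "mastercard" from the updated one, which is exactly the gap a processor's scan is flagging.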
We had a ChMS we developed in-house. I was never able to meet all of the PCI requirements to the satisfaction of our QSA. Annual compliance auditing was always a large undertaking, and mostly pointless because in the end we were never fully compliant. We decided that switching to 3rd party software was the easiest way to solve that problem. We’ve since switched to CCB for our ChMS, and Square for our cafe and bookstore.
Our QSA always detailed exactly what was failing, our problem was that we couldn’t implement all the changes they wanted to resolve those issues. Did they give you any guidance as to what exactly is not compliant?
What do you use for a firewall (we use SonicWall), and are you VLAN'd? How did you accomplish it?
Bill, we have it directly connected to one of our external IP addresses, since the PCI compliance test wanted it to be on its own network and needed the IP address for the test.