Credit Card Security

Over the past few weeks I have been getting a lot of questions on Credit Card Information stored in the CPS applications from both auditors and course customers.  Increased fraud and customer awareness of credit card information protection have prompted me to address this topic over and over.  Without getting too technical (which is not easy because there is an unbelievable amount of technology and regulation involved), here is the Reader's Digest version on what happens when you are dealing with Credit Card data in PSK so that you can share this if and when you are asked about it.

Note: Get some coffee... This is boring!  And there are no pictures...

Cast of Characters:  Wikipedia has some good articles on the specifics and is the source of most of the definitions below.  Links provided for you geeks out there.

SSL - The SSL protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery.  SSL provides endpoint authentication and communications privacy over the Internet using cryptography.

HTTPS - https is a URI scheme used to indicate a secure HTTP connection.  Using an https: URL indicates that HTTP is to be used, but with a different default TCP port (443) and an additional encryption/authentication layer between HTTP and TCP.

SOAP - a protocol for exchanging XML-based messages over computer networks, normally using HTTP/HTTPS.  There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server) and the server immediately sends a response message to the client.

WSE 2.0 SP3 - "a software system designed to support interoperable Machine to Machine interaction over a network."  Web services are frequently just Web APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services.

Rijndael 128 bit - In cryptography, the Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government.  It has been analyzed extensively and is now used widely worldwide.  F.Y.I. This is my personal credit card number in encrypted format: "184,205,109,132,66,67,47,203,20,151,177,183,0,17,31,214,102,66,4,82,190,182,36,41,153,241,189,35,163,54,253,217".  Good luck deciphering that!

DLL - Dynamic-link library (also written without the hyphen), or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems.

IPC - IP Commerce is a company that provides an open commerce network.  In short, it is the platform that allows PSK to directly connect to Chase/Paymentech today and several additional credit card processors in the near future.

ETS - Electronic Transaction Systems Corporation is a company that provides integrated credit card processing with PSK.

Shift4 - Shift4 is a credit card gateway company that provides integrated credit card processing with PSK.

Host Capture - Credit card transactions authorized on the local POS terminal are stored on the processor's computers for Batch Settlement.

Terminal Capture - Credit card transactions authorized on the local POS terminal are stored on the local POS or local Server for Batch Settlement.

PCI - the standard Merchants must comply with: the Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS focuses on six areas of operation:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

PABP - Payment Application Best Practices is a set of Visa recommendations derived from PCI DSS and the PCI Security Audit Procedures that are intended to protect cardholder data and ensure that members, merchants and service providers maintain the highest level of information security.

Now that I have lulled you to sleep, there are 3 scenarios to cover.  You will need to refer back to everything you just skipped over to decrypt the acronyms.

1) POS Credit Card transaction. When the credit card is swiped or entered on the POS Sale screen, the transaction data (Swipe, card number, amount, name, etc.) is encrypted by the Processor's (ETS, IPC or Shift4) DLL and transmitted via the Internet over an HTTPS connection using SOAP protocol + SSL by WSE2.0 SP3. A return code is sent back by the processor to let the PSK POS know if the Authorization was approved or denied.
   a. For Host Capture (ETS, Shift4), the transaction data is stored on the Processor's computers for Batch Settlement at the end of the day. The only data stored in the PSK database is for reporting purposes. This includes only the last 4 digits of the card number, amount, Name, Sale Number and Authorization code.
   b. For Terminal Capture (IPC/Chase), the transaction data is stored in the PSK database. The Credit Card Number is encrypted using Rijndael 128 bit encryption. Once Batch Settlement is run at the end of the day, the credit card number is permanently deleted from the PSK database and only the data for reporting is stored, as in Host Capture above.

2) Card-On-File. Typically used for private clubs to process recurring charges like member dues, you can store a Credit Card number with a Member's account. When you enter the credit card number it is processed by the DataProtect.dll and is stored in encrypted format using Rijndael 128 bit encryption. Based on your connection type (Local LAN vs. via Internet) this may also include SOAP protocol + SSL by WSE2.0 SP3. The card on file data is kept with the Customer record and is kept in encrypted format until that Customer record is deleted.

3) On-Line (Tee Sheet or Web Store) transaction. Similar to card on file for encryption; however, this always comes over an HTTPS connection using SOAP protocol + SSL by WSE2.0 SP3. Credit card information is stored with the on-line user's profile and is kept in encrypted format until that customer profile is deleted.
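To make the Terminal Capture flow in scenario 1b (and the encrypt-and-store pattern of scenarios 2 and 3) concrete, here is an added Go model of it; this is illustrative code written for this page, not the PSK DataProtect.dll or any processor's DLL. The card number is encrypted with AES-128 (Rijndael with a 128-bit key) while it waits for Batch Settlement, and settlement drops it so only the reporting fields survive. The record layout, the GCM mode, the 13-digit minimum and the sample values are assumptions; the page names only the cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardRecord is a constructed Terminal Capture row; field names are assumptions, not the PSK schema.
type CardRecord struct {
	SaleNumber, Name, AuthCode, Last4 string
	AmountCents                       int
	EncryptedPAN                      []byte // nonce || AES-GCM ciphertext; nil once settled
}

// newGCM: AES-128 (Rijndael, 16-byte key) in GCM mode; the page names only the cipher, GCM adds authentication.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Authorize keeps what the page lists for Terminal Capture: reporting fields plus the sealed card number.
func Authorize(key []byte, sale, name string, cents int, auth, pan string) (*CardRecord, error) {
	aead, err := newGCM(key)
	if err != nil || len(pan) < 13 { // card numbers are 13-19 digits
		return nil, errors.New("bad key or card number")
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce, prepended to the ciphertext
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	enc := aead.Seal(nonce, nonce, []byte(pan), nil)
	return &CardRecord{sale, name, auth, pan[len(pan)-4:], cents, enc}, nil
}

// DecryptPAN is needed only between authorization and settlement; GCM rejects tampered data.
func DecryptPAN(key, data []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil || len(data) < aead.NonceSize() {
		return "", errors.New("bad key or ciphertext")
	}
	plain, err := aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
	return string(plain), err
}
// Settle models end-of-day Batch Settlement: the PAN is dropped; only reporting data remains.
func Settle(r *CardRecord) { r.EncryptedPAN = nil }
```

The part this model leaves out, as does the newsletter, is key management: the key has to live outside the database, or encrypting the card number protects nothing.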

If the time comes that you need the actual PCI DSS and PABP certification documentation for your site, you will need to contact your service provider (ETS, Chase, Shift4) for the paperwork, since they are ultimately the ones that are certified.  The service providers audit Club Prophet Systems to ensure that the POS subset of the overall process meets PCI DSS and PABP compliance.

Side Note: We get several calls per week from credit card processors asking CPS to interface with their platform, and from customers asking us to deal with their local bank or processor.  As you can see, there is a significant amount of work involved in interfacing with a credit card processor, which is why we cannot and do not cater to every processor out there.

Enjoy :)

P.S.  It was more painful for me to write this newsletter than it was for you to read it!