Hi All,
This is a request we got from a client about PCI compliance with DataSelf, which connects to Sage 100, which connects with Century Business Solutions credit card processing.
Have any of you encountered PCI DSS compliance questions to this level? I'm not sure how to respond. I've used the logic that we only connect to the ERP and the ERP doesn't contain any credit card information, end of story. But it looks like this is "the rest of the story"...
----------Client Request ----------
Our Sage 100 uses Century Business Solutions to process credit cards (not Paya), and they are PCI compliant. Although I am required by the PCI Standards to make sure all access to the Sage server and all its connections follow Policy and PCI-DSS compliant standards, below is a list of information I will need to verify compliance with this access we are granting to you.
Note: You are under PCI-DSS compliance when you have access to a Computer or System that has Credit Card processing ability.
- What transfer encryption is used to communicate with the Sage-Server integration?
- Has your system been through a penetration test (PEN Test)? When? Result?
- What monitoring do you have to identify breaches within your system that could affect access to ours? What is your policy on informing us of a breach?
- Have you ever had a PCI-DSS validation Scan done on the system that accesses our credit card computer?
- What updates do you do to the DataSelf integration, and are they automated or manually done by employees of DataSelf? What reporting policy do you have to notify us of any discovered vulnerabilities in the integration or one of its updates?
The PCI-DSS Vendor Question documentation outlines that even integrators that are NOT directly "Plugged-in" to the credit card processing process are considered potential breach points because they have:
- Access to the same network as the Credit Card processor computer
- Data transfer to or from the same network as the Credit Card processor computer
- Have Integrations on the Credit Card processor computer.
Note: Most Integrators are not presented with this line of questioning because most "Customers" don't have a clue as to what it takes to be PCI-DSS compliant. With that said, I am sorry this is a long conversation; I would love to not be having to jump through so many hoops myself. I greatly appreciate your help and patience on this matter, as it is a daunting requirement in the small business world.
------------------------------
Clark Walliser
Senior Consultant
Dataself Corporation
San Jose CA
------------------------------