RetailEdge Goes Out of Scope for PA-DSS
  • User avatar
    RetailEdge Moderator
    Site Admin
    Site Admin
    Posts: 1298
    Joined: Mon Jan 23, 2006 4:02 pm
    Location: Rutland, VT
    Contact:

    RetailEdge Goes Out of Scope for PA-DSS

    by RetailEdge Moderator » Wed Dec 04, 2013 12:59 pm

    RetailEdge's PA-DSS validation expired on October 28, 2013. To address this issue, we had a couple of choices:

    1. Have RetailEdge (RetailEdge CC Module) re-validated as payment application, or
    2. Remove RetailEdge from PA-DSS scope by no longer transmitting or storing credit card data (RetailEdge is no longer a payment application).

    We determined the best solution for RetailEdge and our customers would be to remove RetailEdge from the PA-DSS scope.

    Out of Scope Solutions

    RetailEdge currently has two out of scope processing options. The processing is integrated with the program, however, RetailEdge is no longer handling any credit card data. The transmission and storage of the credit card data is handled by the credit card processor's application or device (Merchant Warehouse or Mercury Payment Systems). RetailEdge only passes the transaction amount to the processor's application/device. The processor's applications are PA-DSS validated or the devices are PCI-PED.

    Why Go Out of Scope

    We chose to remove RetailEdge from the scope of PA-DSS for a number of reasons.

    1. The PA-DSS validation process is time consuming and expensive. The validation process takes away from our ability to quickly make changes to important RetailEdge functionality. Increased costs need to be passed on to our customers and this reduces our ability to provide a cost effective affordable POS software.

    2. Adds security by removing sensitive data from the computer that could be by malware or keylogger software or hardware (**).

    3. Gives our customers the latest processing technologies as soon as they are available. Processors are in the business of processing credit cards and since the processors are now handling the transaction information they are going to have to handle new technologies as they become available. New payment methods (i.e., mobile wallets, EMV), new acceptance methods (i.e., signature capture devices, mobile device scanners) and new payments types will be available quickly and when they are needed.

    Out of Scope Solution Card Entry Methods

    Since RetailEdge handles a number of types of businesses, we designed RetailEdge's out of scope solutions to be as flexible as possible. RetailEdge's out of scope solutions use a variety of card entry methods to accept the credit card data. Each has their advantages.

    Card Entry Devices

    Using separate card entry devices allow the user to swipe their own card and so the card never leaves their hand. These devices also have keypads on them that will allow them to use enter their PIN for Debit Card transactions which in some cases can save you money. And the devices are also signature capture devices and so you no longer need to store paper receipts. RetailEdge stores signature information in the program. These devices are more expensive than simple encrypted swipes described below.

    Encrypted Magnetic Strip Readers

    Using an encrypted magnetic stripe reader is less expensive than the card entry devices described above. They are simple devices that allow the clerk to swipe the customer's card and attach to your computer using a USB connection. The card information is encrypted at the head of the reader and so no card track information is sent through the computer in "clear text". This help protects you from keylogger/malware attacks.

    Hand Keyed

    The out of scope integrations also allow for hand keying transactions. This does not require any equipment at all and so there is no added expense and it allows you to process phone orders or cards with bad magnetic strips. However, hand keyed processing rates are more expensive. And even though the processors application that is handling this card data has been validated to handle this information in a secure manner (PA-DSS), there is still the potential that if your computer is not properly protected from malware and keyloggers that this information could be obtained through your computer's keyboard buffer (since you are just typing the information into the computer). You should always ensure your systems are well protected (PCI Compliant).

    Legacy Integration Phase Out

    Old integrations are still available for legacy customers to use. For instance, if you are using RetailEdge with an old integration and add a new workstation.

    However all customers who have purchased a new license of RetailEdge after the October 28, 2013 should be using the Out of Scope Solutions. Even if you are an existing RetailEdge user, we encourage you to switch to the out of scope solution for the existing partner as they become available.

    PCI Compliance

    Also please note, even though RetailEdge is out of PA-DSS scope and using one of the out of scope solutions can significantly reduce your PCI reporting requirements, your business still needs to be in PCI compliance and subject to the requirements of PCI if you are accepting credit cards.

Who is online

Users browsing this forum: No registered users and 1 guest