Fabricare Management Systems


End To End Encryption with Tokenization

Introduction to the PCI-DSS

Unless you're living under a rock, you already know about credit card security issues.  Today just about everyone uses credit cards for payment and that is not likely to change any time soon.  At the same time, technology is growing by leaps and bounds and credit card issuers and acquirers are vulnerable to criminals with the know-how to steal cardholder information.  That is why the PCI-DSS (Payment Card Industry Data Security Standard) was developed.  Every two years, the PCI security standards council issues new PCI-DSS requirements for merchants and payment application vendors.  The idea is that as information technology grows and becomes more robust, the need for better and newer cardholder security grows as well.  Because of this, merchants accepting credit cards never ever truly 'become' compliant.  Instead they participate in a compliance life cycle that changes year to year.

If you are a merchant that processes credit cards in any way, you need to comply with the latest PCI-DSS.  This is true even if your POS system does not do card approvals and settlements.  If you use a countertop terminal separate from your POS system, there are still PCI-DSS requirements that you must follow to be in compliance.  The reason for this is that card information can be compromised in a variety of ways.  The simplest way is by a rogue employee who could steal your customer's card information by writing it down or using a skimming device.  So if you are a merchant that processes credit cards, your business will never be fully 'out of scope' of all PCI-DSS requirements.

POS Computer Systems - Getting serious about PCI-DSS

As was previously said, PCI-DSS compliance is required if you process credit cards in any way.  But if your POS system is approving and settling credit cards too, your security compliance requirements increase dramatically.  Because a POS computer system can access and transmit data in a variety of ways (internet, wireless, etc.) there are many more ways for cardholder data to be compromised.  In fact, if you use a POS system to process credit cards, to remain compliant you must answer over 200 questions on the SAQ D (Security Assessment Questionnaire - Form D).

There are a variety of POS systems available to dry cleaners.  Some use older software that is not up-to-date or software that isn't certified to the latest PA-DSS standards.  Others are PA-DSS compliant today, but what about tomorrow, next month or next year?  Because the PCI-DSS is evolving all the time, a POS vendor must update its applications to stay current with new PA-DSS requirements.  Worst of all, even if a merchant's POS system is PA-DSS certified, the cardholder data can still be compromised by the latest cyber attacks and threats.  That's because cardholder data is entered into the POS system by a basic card reader or keyboard "in the clear".

End To End Encryption with Tokenization.  Together, the best security possible

Fabricare Management Systems has taken this dilemma head on.  By incorporating E2E Encryption with Tokenization technologies, our Fabricare Manager POS meets and exceeds all PA-DSS requirements.  In fact, when using these technologies, our POS system is out of scope of PA-DSS requirements altogether.  How is that possible?  Our system does not allow clear text cardholder data to be read, written, stored, swiped or keyed in.  Instead, it does most of these same operations but with encrypted data in place of clear text card data.  Because our POS sees only encrypted data from the start with no means to decrypt it, the data and POS system are deemed out of scope by the PCI Security Standards Council.  Since it's the payment processor's responsibility to decrypt the data, they carry the burden of securing it.  Merchants enjoy a significant savings in the cost of maintaining PCI-DSS compliance, with a reduction down to 40 questions on SAQ Form C instead of the 288 questions on SAQ Form D.
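
A merchant can check the "no clear text cardholder data" property on its own stored records.  The following is an added example, not Fabricare's code: it scans record fields for 13 to 19 digit runs that pass the Luhn check and reports them masked.  The record layout, field names and the "tok_" token format are assumptions made for illustration, and the card number is the widely used test value.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
# A production scanner would also test sub-windows of longer digit runs.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four digits so findings never repeat the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_clear_pans(text: str) -> list:
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def audit(records: dict) -> dict:
    """Return {record_id: [masked hits]} for records holding clear text card numbers."""
    findings = {}
    for rec_id, fields in records.items():
        hits = [h for v in fields.values() for h in find_clear_pans(str(v))]
        if hits:
            findings[rec_id] = hits
    return findings

# Constructed sample data (hypothetical layout): a token, a clear text
# card number, and a 16-digit invoice number that fails the Luhn check.
SAMPLE_RECORDS = {
    "ticket-1001": {"customer": "A. Smith", "card_ref": "tok_8f2c41d09b7e"},
    "ticket-1002": {"customer": "B. Jones", "card_ref": "4111 1111 1111 1111"},
    "ticket-1003": {"customer": "C. Lee", "note": "invoice 1234567890123456"},
}

if __name__ == "__main__":
    for rec_id, hits in audit(SAMPLE_RECORDS).items():
        print(rec_id, hits)
```

Only ticket-1002 is reported; the token and the invoice number are not flagged.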

What is the cost of End To End Encryption with Tokenization?

The Fabricare Manager POS has a history of having the lowest cost of ownership on a feature for feature basis compared to any other system available.  We're continuing that tradition by making End to End Encryption with Tokenization available to our customers for free.  It took us over a year to implement the technology and to receive the certifications necessary to use it, but those costs are dwarfed by the savings we receive by using a technology that lowers our cost of support.  Therefore, we believe those same cost savings should be passed on to our customers. 

In searching for a partner to help us provide this technology we selected Mercury Payments Systems.  MPS is a proven leader in card processing technology who works closely with software vendors and merchants alike.  Their service, support and on-line reporting are second to none with rates that are very competitive.  To read more about the benefits customers enjoy using Mercury Payments Systems, see this page here.