Introduction

Purpose of this document

The purpose of the PA-DSS implementation guide is to provide guidance and instructions for customers, resellers and integrators to implement a payment solution into a merchant environment in a PCI DSS compliant manner.

PCI DSS

PCI DSS is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. The scope of PCI DSS applies to all major payment card brands and is managed by one single centralized organization

PCI DSS and PA-DSS Version 3.2 were released in April 2016 and May 2016 respectively and the standard is available on the PCI council website1

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

PA-DSS

Shortly after the development of the PCI DSS standard, the Payment Application Data Security Standard (PA-DSS) was developed to meet the requirements of the PCI DSS. Like PCI DSS, the PA-DSS standard has a broader scope than its Visa counterpart in the fact that it applies to all major payment card brands and is managed by one single centralized organization

Relationship between PA-DSS and PCI DSS

The use of a PA-DSS compliant application like Maitre’D 7.08 does not automatically make an entity PCI DSS compliant. PCI DSS is a comprehensive set of rules and conditions that must be met in order to create a PCI DSS environment. Using PA-DSS compliant applications is just one of these conditions.

Acronyms and terms

PA-DSS: Payment Application Data Security Standard. PCI DSS: Payment Card Industry Data Security Standard. Merchant: The owner/operator of the restaurant in which Maitre’D is installed. User: A name that has been added to the Maitre’D database by the merchant to allow system logon access. We: Throughout the sections of this document, the term “we” is used. This term always refers to the Maitre’D development team that created and designed the software application. PAN: Personal Account Number or Primary Account Number. This is the number that is embossed on payment cards. PIN: Personal Identification Number. This is the number used by the customer to identify him/herself and which replaces the signature in EMV environments or anywhere PIN Pads are in use. CAV2/CVC2/CVV2/CID: These acronyms are all used to refer to the 3 or 4-digit code that is either printed or engraved (as opposed to embossed) on credit cards and used to increase security. POS: Point of Sale. LAN: Local Area Network DMZ: De-Militarized Zone. This is the area of a LAN that is not protected by a corporate firewall and open to public access from the Internet.