About PCI Compliance
What is PCI compliance and PCI DSS?
"PCI" stands for Payment Card Industry, which comprises the many organizations that issue electronic payment cards. Perhaps the best known are MasterCard, VISA, American Express, Diners Club and Carte Blanche, among others. These member companies have set and agreed to a common set of rules or guidelines, known as the Data Security Standard (DSS), which all users of credit and debit cards must adhere to. PCI Compliance is therefore the certification process that entities (such as Hudson clients) must go through to ensure that they are honoring and meeting the minimum requirements set forth by the PCI 'group'. Note: PCI compliance is not a legal requirement, but rather a contractual obligation between companies that store, manage and process credit card transactions and the credit card companies (MasterCard, VISA, et al.).
Wikipedia explains what PCI Compliance is: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually - by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
The current version of the standard is version 2.0, released on 26 October 2010. PCI DSS version 2.0 must be adopted by all organizations with payment card data by 1 January 2011, and from 1 January 2012 all assessments must be under version 2.0 of the standard. The table below summarizes and specifies the 12 requirements for compliance, organized into six logically-related groups, which are called “control objectives”.
| Control Objectives | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
The Hudson Group and PCI
While Hudson clients strive to achieve PCI Compliance, the program is a little different for software companies that process credit card transactions and store sensitive data, including credit card numbers. The program that software providers such as Hudson participate in is called the Payment Application Data Security Standard (PA-DSS). Like PCI-DSS, PA-DSS has very stringent rules and guidelines that must be met in order to be "Accepted" as an approved Payment Application. Hudson has been building PA-DSS compliant solutions for a number of years but never went through the formal certification process. The PA-DSS standards include end-to-end credit card security, encrypted storage, and access logging and control. Additionally, all of our web servers are hosted in a PCI compliant hosting facility (INetU, http://www.inetu.net/solutions/). We are committed to having the most advanced credit card security technologies available and have released the limousine industry's first fully tokenized solution in partnership with EPX (http://www.epx.com/).
To date Hudson has integrated with over 10 different credit card gateways, all of whom have reviewed and approved Hudson's security measures. This includes a number of international credit card partners.
For more specific and detailed information on the PCI Data Security Standards, and what is required of both Hudson and Hudson clients in order to achieve certification and compliance, please visit this site: https://www.pcisecuritystandards.org/merchants/index.php
Hudson Hosted Clients & PCI
If you are using Hudson's Cloud Computing offering, then your entire reservation system is hosted on state-of-the-art web servers that you access via the Internet from your office. To ensure the highest standards of security possible, Hudson neither owns nor has physical access to any of the web servers. Hudson employs the professional technical services of a hosting provider, INetU. This managed hosting provider has clients from the banking, finance, insurance and medical industries, all of which have rigorous data processing and storage security requirements. To meet those requirements, INetU has to exceed the PCI standards outlined above. The INetU servers and databases that Hudson clients are using and accessing are all PCI Certified. For more information on the PCI compliance of our managed hosting provider, please visit their site at http://www.inetu.net/Assurances.aspx
PCI and Your Company
While you have partnered with Hudson and INetU to provide you with PCI compliant applications and hosting environments, remember that ultimately you must ensure that your internal business practices are compliant with the PCI-DSS standards as well! You must make yourself familiar with the PCI-DSS standards referenced above and must then implement many internal processes and procedures to ensure that your operation is compliant. You may even be required to obtain PCI Certification depending on which corporate clients and accounts you serve! If you believe that all that is required is to use PCI-DSS and PA-DSS certified products and vendors, then you are missing more than half of the total picture! More and more companies are appointing an internal security officer to manage their information security efforts, or are turning to outside security management vendors who will assist in the evaluation and remediation of all matters pertaining to your company's security. For a more detailed explanation of PA-DSS and PCI Compliance, consider watching the following video:
Eliminate the Need for PCI Certification! (?)
In our desire to continually offer cutting-edge technology to the ground transportation industry, Hudson developers are already looking into alternatives to the standard credit card processing model. It is our hope to be able to offer clients an option that eliminates the storage of credit card data in their Hudson databases. If there is no credit card data to secure and protect, then PCI certification may be eliminated. This technology is referred to as "tokenization", and Hudson deployed it to its first clients in the fall of 2012. If a client opts to enable tokenization in their business, they will still need to go through the PCI Self-Assessment Questionnaire process, but because credit cards are not retained or stored, the process can be greatly simplified.
Hudson PCI Updates
Here is what we are doing now: Hudson has hired a Qualified Security Assessor (QSA), Trustwave. This QSA is approved by the PCI organization to evaluate and assess the level, degree and thoroughness of the security of Hudson's suite of products and applications. The QSA reviews all documentation, application code, websites, etc. to ensure they meet the PA-DSS compliance standards. When a shortcoming is noted, the QSA guides and counsels Hudson on how to correct the items and bring them within compliance standards. Once this is achieved, the QSA issues a certificate that identifies the standards as having been met. Hudson then formally applies to the PCI Security Standards Council for certification. Sound involved? It is! But this is a system of checks and balances that ensures all requirements are met for each and every aspect of Hudson's products. After obtaining PA-DSS Acceptance, Hudson and its product(s) have been listed on the PCI Security Standards website as an approved and accepted Payment Application provider. No other transportation industry software provider has yet obtained this certification for the current version 2.0 of the PCI standard. The Hudson Group is leading the way and intends to be the first in the industry. Why do we bother? Quite simply, any breach, even a single one, can have catastrophic results for our clients and their passengers, and we want to ensure that everybody is protected and secure. Come back to this page to see what current PCI Compliance activities are underway.
February 2014
Hudson is notified by the PCI Security Standards Council (PCI-SSC) that its HGTS v1.94 has been Accepted as a valid payment application when installed on the Microsoft Windows 7 and Microsoft Windows Server 2008 R2 operating systems. One significant aspect of this achievement is that, as of this date, all Hudson cloud hosted clients are running the HGTS system on Windows Server 2008 R2. This means that well over half of current clients now have the ability to configure their systems so that the applications and credit card processing are running on a PA-DSS compliant platform.
2013 / 2014 - Winter
Trustwave and The Hudson Group sign a PCI Attestation of Validation (AOV) and submit it to the PCI council in early January 2014. The AOV is the document that Trustwave prepared indicating that they have reviewed HGTS version 1.94k on the Windows 7 and Windows Server 2008 R2 operating systems and find that it passes their PA-DSS review process. Some additional updates were made to the Hudson Group PA-DSS Client Implementation Guide (which will be available online after we hear from the PCI Council). At this time, Hudson is waiting for the PCI Council to review and accept the AOV and grant us PA-DSS acceptance for HGTS 1.94 on these 2 new operating systems. The Council considers this a "Major Change of Scope".
2013 - Late Spring / Early Summer
The PCI Committee at Hudson prepared 2 virtual machines (VMs), one Windows 7 Professional and one Windows Server 2008 R2 Enterprise edition. Onto both VMs Hudson installed the latest version of HGTS 1.94 and configured both identically with test credit card processing accounts. The VMs were then sent to Trustwave in Chicago for testing and review. Trustwave is testing and reviewing the VMs for PA-DSS Acceptance. In this case, the software is essentially identical to that already evaluated, so this process focuses on potential security vulnerabilities of the HGTS v1.94 application running on these 2 operating systems. At this time, Hudson is waiting for Trustwave to complete their evaluation.
2013 - January
Hudson clients were formally notified by email on January 7 of the recent PA-DSS Acceptance. On January 8, the Hudson Marketing department released a fully syndicated press announcement on PRWeb.com: Press Release. The company Facebook page and websites are also updated to reflect the new status. Hudson begins dialog with Trustwave to review the next steps for getting the HGTS 1.94 application "Accepted" for additional operating systems: Windows 7, Windows 8, Windows Server 2008 R2.
2012 - December 19 - PA-DSS Acceptance Day
The PCI Security Standards Council notified The Hudson Group that version 1.94 of the HGTS application suite is PA-DSS Accepted as a payment application! Though there was no Champagne to open when the email was received, the word spread throughout the company like wildfire. Hudson and HGTS are now listed on the official PCI-SSC website as both a company and an approved payment application: Validated Payment Applications. Look under the company name "The Hudson Financial and Technology Group" or the application name Hudson Ground Transportation System "HGTS".
2012 - December
The PCI Security Standards Council sends the listing fee invoice to The Hudson Group. Receipt of this invoice indicates that the ROV and other supporting documents have been received and are ready for final review. After payment of the invoice, Hudson is told by the PCI SSC that there were 2 very minor administrative items that needed to be addressed by Trustwave. Hudson signs a revised AOV form and returns it to Trustwave, addressing the first of the 2 items. Trustwave is revising a diagram contained in the ROV to address the 2nd item. Both items were then returned to the PCI SSC. Final review and acceptance is on track to occur before the end of the calendar year.
2012 - November
Hudson is provided with the final Trustwave Report on Validation (ROV) document. The document is reviewed by the Hudson PCI committee for completeness and accuracy. Hudson submits back to Trustwave: ROV Product Description Form, PA-DSS Vendor Release Agreement, PA-DSS Attestation of Validation. These documents are submitted by Trustwave to the PCI SSC on November 27 for review and acceptance. This final acceptance can typically take 2-4 weeks. Hudson waits...
2012 - October
The Trustwave QSA asked some clarifying questions on encryption methodology and provided this back to the QA team. Superstorm Sandy hits the east coast and disrupts the review process by a week or more. Hudson continues to wait for results.
2012 - September
All final required documentation was submitted to Trustwave on September 4. The Trustwave QSA will be reviewing documents and conducting interviews of Hudson developers regarding development practices. The final QSA report is expected to be complete on September 14. The HGTS application and report are then submitted to the Trustwave internal QA Team for final analysis and review. Hudson waits for results...
2012 - August
The documentation process continues. Documents submitted to Trustwave for review: 1) The Hudson Group: Change Control Procedures, 2) The Hudson Group: Secure Troubleshooting Procedures. Other documents currently in process: 1) Vulnerability Management, 2) Hudson Software Development Procedures, 3) Hudson Encryption Key Management.
2012 - July
Trustwave reports that the HGTS application passed the internal forensic analysis. Internal company focus is redirected to completion of the required documentation. Once the documentation is submitted to the QSA, the QSA will write a report outlining the degree of compliance with the PA-DSS standards. The report will then be sent on for final Trustwave review and PA-DSS compliance consideration. Hudson documents submitted for review: 1) Executive Summary Questionnaire, 2) PA-DSS Client Implementation Guide for HGTS by The Hudson Group.
2012 - May & June
Working with the Trustwave QSA, several user ID, password and logging items are added, modified and remediated by Hudson developers. Updated versions of HGTS (1.94) are delivered to Trustwave and reviewed to ensure the items have been addressed to the satisfaction of the QSA. Additionally, Trustwave examines the detailed data connection to the card processor and determines that no unencrypted or insecure data is being transmitted. Final remediation items are addressed and Trustwave sends the HGTS application on for forensic analysis.
2012 - April
All Hudson web servers which host client marketing and web reservation sites pass the PCI Compliance Status scan. Hudson developers review login security and credit card processing security of the Hudson local system with the Trustwave QSA.
2012 - March
Additional data and documentation provided to Trustwave regarding process, procedures and data flow within Hudson applications.
2012 - February
Hudson installation of the local system suite of applications begins. Basic setup and configuration rules are created for a typical ground transportation operation. Fares, services, schedules, default profiles, etc. are added and customized. Training of Trustwave personnel on application use, structure and setup is begun. Client Implementation Guide content continues to evolve.
2011 - December
Remote server(s) in Trustwave labs are added and configured according to Hudson requirements.
2011 - November
Kick-off call is held with the Trustwave Account Advisor. Trustkeeper login accounts are created for key management and developers at Hudson. Initial documentation regarding the Hudson application is reviewed and completed. Client Implementation Guide is begun. Internal PCI Committee is formed:
- Bob Binney - Chief of Operations
- Rich Sorrentino - VP Client Services
- Derek Skawinski - VP Software Development
- Scott Wanner - Director of Technical Support
- Jared Spence - Network Manager
- Lyndy Burnham - Special Projects & Documentation