Cardholder Data Security
Southern DataComm, Inc. has provided software products and services to the electronic payments industry since 1985. The commitment to safeguard cardholder data and maintain compliance with the latest industry standards is ingrained in our company's culture and is incorporated into everything we do. From products and services, down to our support practices and secure facilities management, every aspect of our business is designed to meet or exceed the industry standards for data security.
The Current Industry Standards for Cardholder Data Security
PCI (DSS) – Payment Card Industry Data Security Standard. A set of twelve requirements that must be met to provide a safe environment for handling cardholder data.
PCI (PASS) – Payment Card Industry Application Security Standard. A set of thirteen requirements based on the PCI-DSS that apply specifically to the development, installation and support of payment applications. This program is the PCI equivalent of Visa's CISP Payment Application Best Practices (PABP).
At present, each U.S. card company maintains its own data security programs and criteria for compliance. While they all recognize the common standard known as “PCI” to meet or exceed their own requirements, they reserve the right to require merchants and their vendors to meet additional security measures as needed to manage risk.
Refer to these card company websites for their specific requirements:
SDC Software Applications
As a software provider, SDC voluntarily exceeded the industry requirements in 2001 by performing a full review of all applications using the CISP (pre-PCI) requirements that had just been published by Visa for Service Providers. We ensured that no product stored full track data or CVV2/CVC2/CID, applied strong encryption to transaction databases and began masking cardholder data in user interfaces and reports. In 2004, SDC participated in the Visa Vendor CISP Education Day, where a draft of the “CISP Payment Applications Best Practices” was presented and response was accepted from the vendor community. Shortly thereafter, the first security guideline to specifically address payment applications was released. While Visa has published the PABP guideline as a voluntary program, their agents (Acquiring banks) have taken a firmer stance and require applications accessing their systems to meet the PABP requirements. As the Visa CISP PABP gives way to its PCI equivalent, PCI–PASS (Payment Application Security Standard), we continue to exceed the industry requirements by strengthening password management/requirements on user interfaces, enhancing audit trails and using strong AES256 encryption for all and databases. In addition, all applications that store or display cardholder data are audited by an independent, Visa-qualified payment application security company and validated to meet compliance of the Visa PABP (a.k.a. PASS). The SDC commitment to data security extends to our staff as well, with ongoing training in secure coding practices, testing procedures and support processes.
For more information on application security and secure coding practices, please visit the following websites:
http://www.owasp.org/
http://www.cert.org/books/secure-coding
SDC Payment Delivery Services
For more information on network scanning, please visit the following websites:
http://www.mastercard.com/us/sdp/index.html
SDC Product/Service Compliance Cross Reference
| Product/Service | Version | Compliance |
| --- | --- | --- |
| ProtoBase | 6.00 | PABP |
| PbAdmin | 6.00 | PABP |
| RealVu | 6.00 | PABP |
| WebVu | 6.00 | PABP |
| ProtoBase eXpress | N/A | PCI, CISP, SDP, DSOP |
| ProtoBase eXpress EZ | N/A | PCI, CISP, SDP, DSOP |
| Network Gateway Service | N/A | PCI, CISP, SDP, DSOP |
| Managed Payment Service | N/A | PCI, CISP, SDP, DSOP |








