PCI Compliance

Information regarding the ‘Payment Card Industry - Data Security Standard’ (PCI) established by the leading Credit Card companies

As reported in the media, the leading credit card companies VISA, MasterCard, American Express, Discover, Diners Club and JCB are putting considerable pressure on their member banks to ensure that all merchants accepting credit cards adhere strictly to the ‘Payment Card Industry - Data Security Standard’ (PCI-DSS).

We recommend making sure your software version is PCI-compliant. Furthermore, even if you are running a PCI-compliant software version, you should verify that your system is properly configured to ensure full compliance. Please refer to our Compatibility List to check if your version is compliant.

Our Support team will be happy to assist with the verification of proper software configuration.

To contact your local MICROS-Fidelio EAME Support Centre, please click here for local details.

In case you require a software update, we will be happy to schedule the upgrade process with you.

Neither MICROS-Fidelio nor your service provider is liable for any damages you incur in connection with using non-compliant products.

Please note:
As of 1 October 2008 the new PCI-DSS standard V1.2 is effective. The sunset date of the old standard V1.1 is 31 December 2008. Assessments started prior to 1 October will be according to V1.1 and can be completed with V1.1. For assessments started between 1 October and 31 December, either version can be used. For assessments started after 31 December, version 1.2 must be used.


General Information

General Information regarding PCI Compliance

Payment by credit card is increasingly popular. However, this also requires tightened security measures with regard to credit card and transaction data in order to bolster consumers’ confidence in this method of payment. Therefore, security experts of the credit card companies sat down together and developed a common solution. Any company that processes, transmits or stores credit card data must adhere to a number of safety guidelines for data security. The aim is to have all merchants who accept cards issued by these companies strictly comply with the ‘Payment Card Industry – Data Security Standard’ (PCI), formerly known as the ‘Cardholder Information Security Program’ (CISP).

The current version of the standard was developed over a period of only a few years. VISA launched the Cardholder Information Security Program (CISP) in 2001. It was the first program of its kind and required merchants and service providers to keep to a number of specific standards for data security. A few years later, VISA, MasterCard, American Express, Discover, Diners Club and JCB aligned their individual policies and introduced the ‘Payment Card Industry Data Security Standard’ (PCI-DSS), an updated and more comprehensive version of the standard, which became obligatory for all merchants and service providers in June 2005. Updated again in September 2006, the standard now includes around 160 requirements, which became binding by the end of June 2007. The agreement is no mere paper tiger: in 2006 alone, VISA filed claims totalling US $4.6 million against merchants who failed to comply with the standards, an increase of 35% compared to the previous year.

The current PCI standard includes strict norms for processing and storing of credit card data. Merchants have to follow these norms in order to maintain their status as partners of the credit card company and avoid large fines. Your bank may have contacted you during the past months with information regarding PCI and its importance for preventing credit card fraud.

What are the ‘Payment Card Industry (PCI) Data Security Standards’?

At the beginning of this year, the credit card organizations VISA and MasterCard agreed on common standards in order to achieve a consistent approach to applying security requirements. These ‘Payment Card Industry (PCI) Data Security Standards’ apply to the entire credit card payment industry.

The PCI regulations specify 12 requirements for compliance that have to be fulfilled by all merchants accepting VISA cards and by service providers:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data. Do not store unnecessary card or transaction data like full card number, magnetic stripe data, card verification code (CVV2) or PIN.
4. Encrypt transmission of cardholder data and sensitive information across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Detailed explanations of the 12 requirements may be found here.

One of the most important elements in the 12-point PCI data security program is the prohibition of storing full credit card and CVV data in any form after successful authorization. This is crucial because access to this highly sensitive data facilitates forging of credit cards.
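The check a defender would run to find out whether a POS or PMS export, log or backup still contains full card numbers, as an added example that is not part of this page or of any MICROS-Fidelio product. The export lines are constructed, the card numbers are the public brand test numbers, and findings are reported only in masked form.

```python
import re
from typing import List, Tuple

# Candidate primary account numbers: 13-19 digits, optionally split by
# single spaces or dashes, as they appear in free-text fields and logs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by all major card brands; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (raw_match, masked) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits

def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (line number, masked PAN) per finding; the full PAN never leaves this function."""
    return [(n, masked) for n, line in enumerate(lines, 1) for _, masked in find_pans(line)]

# Constructed sample export; 4111... and 5555... are public test card numbers.
SAMPLE_EXPORT = [
    "RES 20081015 GUEST=Smith CARD=4111 1111 1111 1111 EXP=1209",
    "FOLIO 8821 AMOUNT=240.00 REF=1234567890123456",   # Luhn-invalid: a reference, not a PAN
    "NOTE: card given by phone 5555555555554444 cvv 123",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_EXPORT):
        print(f"line {line_no}: stored PAN {masked}")
```

Run it against database dumps, interface logs and the "training" or backup copies mentioned in the FAQ below; any hit is data that must not be present after authorization.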

If an audit discovers that you as a merchant are storing credit card data at the POS (cash register), in the PMS (Front Office System) or in your company office, there is an increased likelihood that VISA may fine your bank and your bank will pass the fine to you for non-compliance. VISA is well aware that certain POS and PMS products store credit card data.

As a matter of course all IT providers for the entire industry are affected, as well as your transaction service provider. Please also have your transaction service provider confirm PCI compliance.

In what way are PCI data security standards relevant for VISA contractual companies?

Merchants and service providers are required to comply with the ‘PCI Data Security Standards’ when processing credit card and transaction data. This means undergoing a certification process conducted by an agent authorized by VISA and MasterCard.

MICROS-Fidelio and PCI

We at MICROS-Fidelio take this initiative very seriously. When the new card association guidelines prohibiting the widely practised storing of credit card data were announced, we implemented changes to all of our software applications to comply with the new regulations.

Since then we have added a number of further changes in order to be PCI-compliant as fully as possible. We are offering the PCI-compliant versions of our MICROS-Fidelio products as upgrades to our customers. Smaller upgrades or patches can be carried out by MICROS-Fidelio Support. Please check with your Support whether a patch is available for your product.

Since 2006 MICROS-Fidelio has been a certified software manufacturer of payment applications complying with the safety standards. A list of all certified software providers and their applications can be found on the official US website of VISA, or click here.

We recommend not only checking your product version for PCI compliance, but also making sure all setup options needed for compliance are properly configured. You can find a list of all PCI-certified systems here.

Our Support departments will be happy to assist you with the configuration options. You can reach us during our regular support business hours under the normal support contact options. In case you require a software upgrade, we will assist with planning and scheduling.

To contact your local MICROS-Fidelio EAME Support Centre, please click here for local details.

Neither MICROS-Fidelio nor your service provider is liable for any damages you incur in connection with using non-compliant products.

We regret that the market is putting such enormous pressure on banks and merchants accepting credit cards. However, we feel it is our duty to keep you informed on the matter.

We will be happy to assist you in any way we can.

FAQ

Is my business affected by PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) affects all merchants/businesses that accept credit card payments and store credit card data.

Is my system PCI-compliant?

In order to meet the PCI standard, a compliant software version is needed. Please refer to our Compatibility List for the current list of compliant versions.

If you are handling and storing credit card data, older software versions can be updated to meet the standard.

The scope of the upgrade you may need depends on the version of the software you have now. Our Support and Sales departments will be happy to assist you.

Please also pay attention to network security and make sure that there are no unprotected/unencrypted backup copies or training systems in your network.

Can I perform changes in the configuration myself?

You are kindly requested to perform such changes only when instructed by Support. We will assist you in finding out if any changes in setup or configuration are required.

What software version am I running?

The version number is usually displayed on-screen when you start or run the software. If you are having trouble finding your version number, please ask Support for assistance.

What will an update cost?

If you have an active support contract, updates are free of charge.

In many cases, depending on the product, an update can be performed remotely by the responsible Support department.

In case the version you are currently running is very old, it may be necessary to perform the update onsite, which will be chargeable. Depending on the scope of the upgrade, other charges, e.g. for new hardware, may apply.

What can I do to be PCI-compliant?

In order to meet the security requirements you should not store or enter any credit card data, and you should update your system to a software version that is PCI-compliant.

Chain businesses: Who should I contact with regards to software updates?

Please contact your central IT management to coordinate updates.

Could you issue an official certificate of compliance?

There is no issuing of individual certificates. All software providers whose products are certified are listed on the official VISA website (List of certified software providers) along with the relevant software versions. Companies that do not appear on the list are not officially certified and do not meet the strict requirements for PCI. The list is updated regularly by VISA.

Which product stores what card data, and how?

The answer depends on the software version. Our Support team can give you detailed information on the status of the version you are running. Furthermore, individual and business-specific fields may have been added to your database/user interface upon your request, and these may be filled manually.

Is my business compliant if I do not store any credit card data?

If you do not enter or store any credit card data anywhere in your system or network, you are PCI-compliant. In this case, no software upgrades or setup changes are required.

We have acquired our credit card terminal via MICROS-Fidelio – is it PCI-compliant?

MICROS-Fidelio does not sell credit card terminals. Please contact your transaction service provider (e.g. Concardis or Elavon) for further information.

We are using a credit card terminal, but there is no interface to our Front Office system. Are we PCI-compliant?

You are compliant as long as there is no manual input of credit card data in the Front Office system. Please also refer to the official PCI-DSS Documentation for further details.

Contact

Do you have questions about PCI?

Do not hesitate to contact us at

Petr Havel
P: +420261214142

sales-eu@micros.com