This is page 2 of:
Questions To Ask Your System Vendor Or Reseller
Will the vendor install it according to the PA-DSS Implementation Guide? Obviously, the answer should be “yes.” By the way, you need to have a copy of the PA-DSS Implementation Guide, too. Once you have it, don’t just put it on a shelf. Read it, and understand what actions you or your vendor need to take to make sure the application is installed and maintained properly. For example, if the application stores cardholder data, what is the process to make sure you change the encryption key(s) at least annually?
If the application is installed and maintained by a reseller, you need to ask: Where is the firewall? Is that included, or do you buy it separately? Any discussion of firewalls has to address the fact that PCI does not require just a firewall; PCI requires a properly configured firewall. What role will the vendor or reseller play to help in configuring the firewall?
Does the application store cardholder data, even for an instant? Many payment applications store electronic cardholder data even though there is no longer a good reason for merchants to store that data. If you are uncertain, the vendor’s PA-DSS Implementation Guide should help. When you see a section on encryption and key management, you can be pretty certain the application stores electronic cardholder data. Ask if you can configure the application not to store data. At the very least, minimize the time the data is stored before it is purged. I have seen default settings that retained card data indefinitely, which increases the retailer’s risk of a data breach and is, therefore, a very bad idea.
A common misconception is that a PA-DSS validated application is either a guarantee of PCI compliance (it is not) or that it will not store cardholder data (it can). Retailers need to determine both whether their application stores cardholder data and the process to purge that data when it is no longer needed.
What vendor training does the application developer provide, for both its resellers and its customers? If the vendor only trains resellers, can you attend any of that training?
Who specifically will install the application? Who will perform maintenance and upgrades? Have they been through the training? You want to have the name of the individual who will show up on your doorstep to install or maintain your application. A client of mine recently suffered through a vendor’s tech rep wasting the better part of a day onsite trying to find the password for the SQL server. A client of mine recently suffered through a vendor’s tech rep wasting the better part of a day onsite trying to find the password for the SQL server, then stumbling around trying to execute the upgrade procedure. The tech rep finally left at day’s end with nothing accomplished except a promise to come back “soon” to try again to implement the upgrade. You want to avoid a similar experience with an inexperienced tech rep.
-Marc
January 10th, 2012 at 9:53 am
These are great pointers. Vendors will hawk retail solutions with buzzwords like mobile POS, loyalty and RFID inventory to grab attention, but can they deliver?
My experience early on was the majority of vendors could not follow up after the purchase order was generated. I ended up burnt dealing with firms I met at a conference who had nothing more than a nice brochure and a free memo pad with their logo on it.
I won’t be able to make it this year but if anybody is going to the NRF, can they please follow up?