Magensa, LLC, 1710 Apollo Court, Seal Beach, CA 90740 | p 562-546-6400 | f 562-546-6301 | www.magensa.net
Copyright © 2006 - 2020 Magensa, LLC | REGISTERED TO ISO 9001:2015 | PN D998200370 v.10 1/20
Designing a POS system for cost-effective compliance with PCI-DSS: Using MagTek readers and Magensa processing services
White paper
1 Executive Summary
The potential for an unauthorized release of cardholder data is a critical concern for any of the
players involved in the business of acquiring and processing card-based payments. This includes
merchants, service providers, gateways and processors. It also includes, by proxy, entities that
provide software and solutions to merchants, even though they themselves may not be involved in
processing transactions. This includes ISOs, ISVs, VARs and software developers. Data breaches
expose all these parties to the risk of financial loss in the form of litigation, as well as penalties
levied by card brands and regulatory agencies.
Therefore, the mitigation of this risk is an essential element in any POS system design. The question,
however, is how this is best accomplished. Given the sophisticated nature of many of the methods
available to protect cardholder data, choosing the correct path can be daunting. The decision is
made even more difficult by the imposition of requirements for cardholder data protection by the PCI
Security Standards Council, often referred to simply as “PCI”. This organization promulgates the PCI
Data Security Standard, PCI-DSS, a standard to which virtually all members of the card acquiring
chain must adhere (either directly, or on behalf of their customers).
So, a difficult task becomes two: Protect cardholder data, and thus the organization, from a data
breach and show that the requirements of PCI-DSS have been met. Since investments in risk
mitigation do not generally contribute to revenue, most organizations scramble to limit the scope of
cardholder data protection to as simple and cost-effective a solution as possible. This is only rational.
It is important to remember that payment card crime is a cost/benefit game: The amount spent on
securing cardholder data should be less than the expected losses over time. This is also reflected in
a criminal’s analysis of the profitability of stealing card data: If it costs more to steal it than it’s worth,
it’s avoided.
2 Security Methodology
Given these guard rails, how should one navigate the road? We recommend choosing a security
methodology for your design that accomplishes all these needs at once. Only one such methodology
has proven itself time and again, across billions of transactions, to be the best choice and is
accepted by PCI:

Completely remove all unencrypted cardholder data from your environment by ensuring that it is
strongly encrypted by a responsible third party, with a key only they know, before it reaches your
environment, and that it stays that way until it leaves.

With MagTek encrypting readers and Magensa gateway processing, you can achieve this goal.
We suggest this methodology as it is at the heart of effective PCI-DSS compliance. At its core,
PCI-DSS is about protecting cardholder data, specifically the card number or Primary Account Number
(PAN). From the PCI-DSS standard [1]:
The primary account number is the defining factor for cardholder data. If cardholder name,
service code, and/or expiration date are stored, processed or transmitted with the PAN, or
are otherwise present in the cardholder data environment (CDE), they must be protected in
accordance with applicable PCI DSS requirements.
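Because the PAN defines what is in scope, the methodology above can be verified rather than assumed. The following is an added example, not code from the white paper or from MagTek or Magensa: a defender-side scope check that scans records a POS host logs or forwards for what an unencrypted PAN looks like (a Luhn-valid run of 13 to 19 digits) and reports any hit masked. The two sample records and the test PAN are constructed.

```python
import re
from typing import List

# Constructed sample records (not taken from the white paper): what a POS host
# might log or forward from an unencrypting reader, and from a reader that
# encrypts for the gateway before the data ever reaches the POS.
PLAINTEXT_SWIPE = ";4111111111111111=2512101123?"  # track-2 style, well-known test PAN in the clear
ENCRYPTED_SWIPE = '{"payload": "A7c9Qx2LmZ0pRt5vKJb8W1nYq3sEd6Hu4gFo0iPlNc", "ts": "20200115123045"}'

_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # PAN lengths used by the card brands


def luhn_ok(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled (minus 9 if the result exceeds 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report findings masked (first six, last four) so the check itself never re-exposes a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(record: str) -> List[str]:
    """Return masked PAN candidates in a record: 13-19 digit runs that also pass Luhn.

    The Luhn filter drops long digit runs that are not PANs, such as timestamps.
    """
    return [mask_pan(m.group()) for m in _DIGIT_RUN.finditer(record) if luhn_ok(m.group())]


def in_cde_scope(record: str) -> bool:
    """True if the record carries cardholder data in the clear, i.e. the system handling it is in scope."""
    return bool(find_plaintext_pans(record))


if __name__ == "__main__":
    for name, rec in (("plaintext reader", PLAINTEXT_SWIPE), ("encrypting reader", ENCRYPTED_SWIPE)):
        print(f"{name}: in scope = {in_cde_scope(rec)}, findings = {find_plaintext_pans(rec)}")
```

Running this over POS logs, crash dumps and outbound messages is a cheap, repeatable way to confirm that the encrypting-reader design actually kept plaintext PANs out of the environment.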
[1] PCI Security Standards Council, “Data Security Standard, Requirements and Security Assessment Procedures”,
www.pcisecuritystandards.org, Version 3.2, April 2016, p. 7.