NCR Travel Software and PCI Compliance

Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) applies to any payment application that stores, processes or transmits cardholder data as part of authorization or settlement. The PCI Council has put together a document on how to determine if an application is not eligible for validation under PA-DSS.

NCR has reviewed the applicability of PA-DSS compliance for NCR Travel’s platform software, custom web applications and custom kiosk applications based on the published standards as of March 1, 2012. NCR designs software based on PA-DSS requirements, including the following measures:

  • No track data is stored in the database or logged to any file.
  • The credit card number is neither stored nor logged anywhere in the application.
  • The receipt is masked except for the last four digits of the card number and the cardholder name.
  • All transmissions between the kiosk and the server are via SSL (https).
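The masking and no-logging measures above can be checked rather than assumed. The following is an added example, not NCR's code: a receipt-style PAN mask and a scanner that flags log lines containing an unmasked, Luhn-valid PAN or ISO 7813 track framing. All card numbers and log lines are constructed test data.

```python
"""Added example (not NCR's code): PAN masking for receipts and a scan of
log lines for unmasked card data. Sample values are constructed test data."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 starts with %B<PAN>^ and track 2 with ;<PAN>= (ISO 7813 framing).
_TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt masking: keep only the last four digits of the PAN."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_data(line: str) -> list:
    """Findings for one log line: track data and Luhn-valid unmasked PANs."""
    findings = [("track", m.group(0)) for m in _TRACK_RE.finditer(line)]
    for m in _PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", digits))
    return findings


# Constructed sample log lines: one clean (masked PAN), one leaking a PAN,
# one leaking track 2 data; 4111111111111111 is a standard test number.
SAMPLE_LOG = [
    "2012-03-01 10:00:01 kiosk-7 auth ok pan=************1111 amount=42.00",
    "2012-03-01 10:00:02 kiosk-7 debug pan=4111 1111 1111 1111",
    "2012-03-01 10:00:03 kiosk-7 debug raw=;4111111111111111=2512101?",
]


def scan_lines(lines: list) -> dict:
    """Map line index -> findings for every line that leaks card data."""
    return {i: f for i, line in enumerate(lines) if (f := find_card_data(line))}
```

Running scan_lines over a real log export during acceptance testing gives a concrete pass/fail for the "neither stored nor logged" measure.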

Your custom application has not been through a PA-DSS validation process. NCR is not permitted to perform the PA-DSS validation process on a custom application by itself because (1) the software does not facilitate authorization or settlement, and (2) there are a number of components that NCR does not control, such as the operating system, network, and user/account management policies and practices. As with any payment solution, it is possible to configure and deploy a PCI-capable application in a non-compliant fashion, putting customer data at risk.

As the merchant, you still need to follow PCI-DSS guidelines for testing the solution as it is implemented in your environment and for protecting physical and network access to the units as you would any POS system. NCR recommends that you follow any guidelines for intrusion detection or other proactive protection measures, such as ethical hacking exercises and tainted data recovery attempts, as advised by your information security team. These proactive measures help ensure the system is performing in a PCI-compliant fashion as intended.

PA-DSS validation is an additional service we can provide at additional cost. We would have to engage our third-party PA-DSS validation partner and take a number of additional steps to fully comply at that level. In our experience, the costs associated with a full PA-DSS validation would exceed the software costs of your current environment. It would probably be more cost effective for you to have it evaluated as part of your overall PCI-DSS audit process.