PaymentCardXpress – PCI DSS Validated

Reasons to Swap Out Your Current Credit Card Solution and replace it with PaymentCardXpress® (PCX) – #7 PCI DSS Validated

PCX has been confirmed by CoalFire, a PA-DSS QSA, to be Out-Of-Scope.

Because CFXWorks is a software vendor, we are limited in what we can do relative to PCI-DSS. In fact, a software vendor exercises no control over 8 of the 12 PCI-DSS requirements. Of the 4 requirements that can be impacted by a software vendor, no single vendor exercises full control over all the requirements. The four that a software vendor can impact and the CFXWorks focuses on include:

• Requirement 3 – Protect Stored cardholder data.
  • We store a masked version of the account number, as allowed by PCI-DSS.
  • We store the token returned from Elavon’s gateway.
  • We mask the card account number (PAN) in our database, logs, displays, and reports.
  • All our configuration and setup data is stored using 256-bit AES encryption.
  • PCX provides merchants access to an internal cryptography engine that implements several encryption and message digest algorithms. Use of this engine is the responsibility of the merchant.
• Requirement 4 – Encrypt transmission of cardholder data across open public networks.
  • As a merchant option, we force all connections to our software to use HTTPS.
  • All connections to Elavon use HTTPS (TLSv1.2). The encryption algorithms and keys are controlled by the processors’ server.
• Requirement 6 – Develop and maintain secure systems and applications.
  • Our software is implemented using an Identity Access Management System (IAM) that performs access control and authentication at the transaction, task, and user level.
  • Our software implements application level security filters intended to control the syntax and content of all input values. This is intended to prevent for example, SQL Injection compromise attempts.
  • We recommend that our merchants change all default passwords and other security parameters.
• Requirement 10 – Track and monitor all access to network resources and cardholder data.
  • We maintain audit logs that record detailed transaction request and response information. Sensitive card data is masked in these logs. User activity is tracked at the task level.

The following list summarizes what PCX does not do relative to PCI-DSS:

1. PCX has NO VISIBILITY to the Primary Card Number (PAN).
2. PCX does not store the PAN.
3. PCX does not transport sensitive card data.
4. PCX does not process card transactions. Elavon is the processor.
5. Requirements 1 – We do nothing related to installing and maintaining firewalls
6. Requirements 2 – We do not force our merchants to change default passwords and other security parameters however we do strongly encourage them to do so.
7. Requirements 3 – Merchants often add their own code to our PCX solution to integrate it with their front and back-office systems. Our PCI-DSS activities are limited to the software we author and provide.
8. Requirements 5 – We do not provide or update virus protection software.
9. Requirements 6 – We do nothing relative to securing the merchants H/W systems, middleware, or operating systems. Our PCI-DSS activities are limited to the software we author and provide.
10. Requirements 8 – Our IAMS access control and authentication capability will restrict access to cardholder data by business need-to-know if correctly configured by the merchant. The merchant is responsible for providing the correct configuration data and performing the required configuration tasks.
11. Requirements 9 – CFXWorks must rely on the merchant to assign a unique user name and password to each person with computer access.
12. Requirements 11 – CFXWorks must rely on the merchant to regularly test security systems and processes
13. Requirements 12 – CFXWorks must rely on the merchant to maintain policies that addresses information security.