Memo to Users of EDJ’s Applications
EDJ recognizes the concerns and dilemmas faced by retailers attempting to comply with the PCI Data Security Standard Version 1.2. EDJ has endeavored to help retailers meet their compliance needs on the IBM 4690 platform by creating an encryption module and a method to protect encryption keys (KeyManager with EDJCrypt). Retailers can use this module to strongly encrypt personal account numbers in their terminal sales application. Retailers choose the encryption method and supply the key to be used for the encryption process. This module helps retailers meet the requirements of Section 3 of PCI DSS V1.2.
EDJ also has applications for 4690 systems management, operator password management, loss prevention filtering and drilling, and store data reporting. We have examined these applications carefully in the spirit of PCI DSS V1.2 and find that they do not require or cause the collection of personal account numbers.
StoreGazer: 4690 systems management
COPS: 4690 ID and password management
StoreTotals: Store accounting totals storage and access
EXCEPTion: Cashier performance filtering
ESCAPE: Transaction retrieval and drill-down
TimeGuard: 4690 time management and synchronization
EDJ’s applications are accessed through EDJ’s EDJCommon application, the tool used to control access to them. It has been designed and coded according to our interpretation of the PCI DSS V1.2 sections on access control and unique personal IDs for computer access. We meet all of the requirements in Section 7.2 and Section 8. Application users must have a unique ID. Their password is stored in encrypted form and must be changed periodically. The user’s ID gives access to one or more of the EDJ applications. A user is assigned a role that is specific to the application, and the role consists of functional permissions. A user is also granted access to a specific list of stores that can be accessed or whose store information can be reviewed. Our understanding of PCI DSS V1.2 is that, of EDJ’s application set, only EDJCommon needs to meet the PCI standards. Based on our reading of the standards and a self-assessment, EDJCommon does meet or exceed the PCI standards.