EDJ Applications and PCI Compliance

April 9, 2008
Memo to Users of EDJ’s Applications
EDJ recognizes the concerns and dilemmas faced by retailers attempting to comply with the PCI Data Security Standard Version 1.1.  EDJ has endeavored to help retailers meet their compliance needs on the IBM 4690 platform by creating an encryption module and a method to protect encryption keys (KeyManager with EDJCrypt).  Retailers can use this module to strongly encrypt primary account numbers (PANs) in their terminal sales application.  Retailers choose the encryption method and supply the key used for the encryption process; the key is therefore never built into the module or known to EDJ.  This module helps retailers meet Requirement 3 (protect stored cardholder data) of PCI DSS V1.1.
EDJ also has applications for 4690 systems management, operator password management, loss prevention filtering and drilling, and store data reporting.  We have examined these applications carefully in the spirit of PCI DSS V1.1 and find that they neither require nor cause the collection of primary account numbers:

    StoreGazer     4690 systems management
    COPS           4690 id and password management
    StoreTotals    Store accounting totals storage and access
    EXCEPTion      Cashier performance filtering
    ESCAPE         Transaction retrieval and drill-down
    TimeGuard      4690 time management and synchronization
EDJ's applications are accessed through EDJ's EDJCommon application, which controls access to the EDJ application set.  EDJCommon has been designed and coded according to our interpretation of the PCI DSS V1.1 requirements on access control and unique personal ids for computer access, and we believe it meets all of the requirements in Requirement 7.2 and Requirement 8.  Each application user must have a unique id.  The user's password is not stored in the clear; it is stored in protected (encrypted) form and must be changed periodically.  A user's id grants access to one or more of the EDJ applications.  Within each application the user is assigned a role that is specific to that application, and the role consists of a set of functional permissions.  A user is also granted access to a specific list of stores whose information may be accessed or reviewed; a request is permitted only when the user's role carries the needed permission and the requested store is on the user's list.  Our understanding of PCI DSS V1.1 is that, of EDJ's application set, only EDJCommon needs to meet the PCI standards.  Based on our reading of the standards and a self assessment, EDJCommon does meet or exceed the PCI standards.
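The access-control model just described (unique ids, protected stored passwords, periodic password change, a per-application role made of functional permissions, and a per-user list of permitted stores) is shown below as a worked example.  This is an added illustration written for this page, not EDJCommon's code or any EDJ source; the application, role, permission and store names are hypothetical.  One deliberate choice: where the memo says the password is stored "in an encrypted mode", the example stores a salted one-way hash (PBKDF2), since a reversible encryption of passwords is weaker than a hash and is not needed for verification.

```python
"""Model of an EDJCommon-style access-control layer (added example, not EDJ code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

PBKDF2_ITERATIONS = 200_000
MAX_PASSWORD_AGE = timedelta(days=90)   # periodic change; PCI DSS 8.5.9 says at least every 90 days

# Hypothetical role table: application -> role name -> functional permissions.
ROLES = {
    "ESCAPE": {"auditor": {"view_transaction", "drill_down"},
               "viewer": {"view_transaction"}},
    "COPS": {"admin": {"reset_password", "list_operators"}},
}


def make_verifier(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 hash).  Only the verifier is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    user_id: str
    salt: bytes
    verifier: bytes
    password_set_on: date
    roles: dict[str, str]        # application -> role assigned in that application
    stores: frozenset[str]       # store ids this user may access


class AccessControl:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_user(self, user_id: str, password: str, roles: dict[str, str],
                 stores, set_on: date | None = None) -> None:
        """Create a user; ids are unique (PCI DSS 8.1), so a duplicate is rejected."""
        if user_id in self.users:
            raise ValueError(f"user id {user_id!r} already exists")
        salt, verifier = make_verifier(password)
        self.users[user_id] = User(user_id, salt, verifier, set_on or date.today(),
                                   dict(roles), frozenset(stores))

    def authenticate(self, user_id: str, password: str, today: date | None = None) -> str:
        """Return 'ok', 'expired' (password older than MAX_PASSWORD_AGE) or 'denied'."""
        user = self.users.get(user_id)
        if user is None:
            make_verifier(password, b"\x00" * 16)   # do the same work for unknown ids
            return "denied"
        _, digest = make_verifier(password, user.salt)
        if not hmac.compare_digest(digest, user.verifier):
            return "denied"
        if (today or date.today()) - user.password_set_on > MAX_PASSWORD_AGE:
            return "expired"
        return "ok"

    def authorize(self, user_id: str, application: str, permission: str, store: str) -> bool:
        """Deny-by-default check: role in this application must carry the permission,
        and the requested store must be on the user's store list."""
        user = self.users.get(user_id)
        if user is None:
            return False
        role = user.roles.get(application)
        if role is None:
            return False
        permissions = ROLES.get(application, {}).get(role, set())
        return permission in permissions and store in user.stores


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("jdoe", "Correct-Horse-7", {"ESCAPE": "viewer"}, {"0101", "0102"},
                set_on=date(2024, 1, 1))
    print(ac.authenticate("jdoe", "Correct-Horse-7", today=date(2024, 2, 1)))   # ok
    print(ac.authenticate("jdoe", "Correct-Horse-7", today=date(2024, 6, 1)))   # expired
    print(ac.authorize("jdoe", "ESCAPE", "view_transaction", "0101"))           # True
    print(ac.authorize("jdoe", "ESCAPE", "view_transaction", "0999"))           # False
```

The two checks are kept separate on purpose: authentication answers "is this the user and is the credential still valid", while authorization answers "may this user do this function against this store", and both default to deny when any lookup fails.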
If you have questions, please feel free to contact Dave Courtney of EDJ Enterprises at (919) 790-7711 or via email at dcourtney@edj.com.