
FAS's new Version 2010 software was recently recognized as being compliant
with the Payment Card Industry Security Standards Council (Council) Payment
Application Data Security Standard (Standard). The Standard is a set of
security policies, procedures, and protocols developed by the Council in
order to protect sensitive cardholder data from fraudulent access and abuse.
All payment applications, including POS systems, credit card processing
systems, etc., in all industries must ultimately be validated as being
Standard-compliant in order to continue to process credit cards. Simply
stated, if a system allows the user to input and process a credit card,
then that system must be certified as being compliant with the Standard,
regardless of whether the system uses third-party software for credit
card processing or not. As of September 17, 2009, there were only two
floral applications (FAS and Teleflora's Dove POS system) listed on the
Council's List of Validated Applications.
The Standard contains an extremely rigorous set of requirements dictating
how software must process and store credit card information, how the
physical computer network must protect against intrusion from unauthorized
agents, how the system users must implement the Standard within their
respective businesses, and much more. Receiving this certification
is a major accomplishment for any company that is validated. It is
mandatory that computer users have Standard-compliant systems.
Users of non-compliant systems who find that their customers'
credit card data has been compromised can be subjected to fines and
penalties that could jeopardize the survival of even the largest of
corporations. Processors and banks can terminate the ability of a
non-compliant merchant to accept and process credit cards, virtually
putting even the largest of retailers out of business until compliance
is achieved.
In order to have a software application validated as being Standard-compliant,
a software vendor must submit its system to a Payment Application Qualified
Security Assessor (Assessor) authorized by the Council to perform system
security audits. The Assessor performs extensive tests on the systems to
verify compliance with the Standard. These tests involve running actual
transactions through the systems, generating reports, reviewing data-entry
screens, etc., and they involve forensic analyses of the system hard disk
to verify that prohibited data is not stored. These tests also verify
that sensitive data is properly protected using strong encryption.
The Assessor submits his findings to the Council, which then makes the final decision
concerning validation.
If your software vendor does not appear on the Council's List of Validated
Applications at the web site provided above, you should take the steps
necessary for becoming Standard-compliant as soon as possible.
For more information about these issues visit PCI Security Standards Council.