How QuickBooks Can Be Used to Support the Implementation of a PCI DSS Compliance Program
Mar 30, 2010
In late 2008 the Payment Card Industry released the Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). This security requirement now applies to all businesses, regardless of size, that take payment from customers by credit card. Generally speaking, the PCI DSS requires businesses to take reasonable and appropriate measures to safeguard customer credit card information.
Most, if not all, B2B CFO Partners work with clients who are required to implement a compliance program. And many of these clients use QuickBooks as their accounting solution. Because QuickBooks is the most commonly used business accounting application, and Intuit is a company committed to customers, there are features within the QuickBooks application which allow a business to cover most of the PCI DSS requirements.
The high level requirements of the PCI DSS are:
· Build and Maintain a Secure Network
o Requirement 1: Install and maintain a firewall configuration to protect cardholder data
o Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
· Protect Cardholder Data
o Requirement 3: Protect stored cardholder data
o Requirement 4: Encrypt transmission of cardholder data across open, public networks
· Maintain a Vulnerability Management Program
o Requirement 5: Use and regularly update anti-virus software
o Requirement 6: Develop and maintain secure systems and applications
· Implement Strong Access Control Measures
o Requirement 7: Restrict access to cardholder data by business need-to-know
o Requirement 8: Assign a unique ID to each person with computer access
o Requirement 9: Restrict physical access to cardholder data
· Regularly Monitor and Test Networks
o Requirement 10: Track and monitor all access to network resources and cardholder data
o Requirement 11: Regularly test security systems and processes
· Maintain an Information Security Policy
o Requirement 12: Maintain a policy that addresses information security
I’ll now explain how the security features within QuickBooks help with implementing a compliance program.
· Enabling Customer Credit Card Protection supports satisfying Requirements 2, 3, 4, & 8.
o Requirement 2 is supported when Credit Card Protection is enabled because the admin user and any user with access to credit card data must create a complex password which is required to be changed every 90 days.
o Requirement 3 is supported when Credit Card Protection is enabled because credit card numbers are not visible to users who have not been given access, and QuickBooks does not store card validation or PIN codes.
o Requirement 4 is supported when Credit Card Protection is enabled and the client uses Intuit Merchant Services to process the credit card payment, because the transmission of that transaction is encrypted.
o Requirement 8 is supported when Credit Card Protection is enabled because, again, any user with access to credit card data must create a complex password which is required to be changed every 90 days.
· Other Requirements are satisfied in these ways:
o Requirement 6 is supported when Automatic Update is enabled because the QuickBooks application will be updated with any critical updates required to maintain security over credit card data.
o Requirements 7 & 8 are supported when security is properly implemented. QuickBooks allows each user to be given a unique username/password, to be granted or denied access to specific functional areas and/or sensitive data, and to be allowed or not allowed to see credit card data.
o Requirement 9 is supported because QuickBooks provides only one place to store credit card information and that data is encrypted for users who have not been granted access.
To turn on Customer Credit Card Protection, as the Admin user, select this option from the Company drop-down menu, then click the Enable Protection button. You will then be required to create a complex password which must be changed every 90 days. You will then be instructed to change the security setting for all users to allow or disallow access to credit card data.
The setting to allow access to customer credit card data is on the Sales and Accounts Receivable area screen. At the bottom of the screen is a check box for "View complete customer credit card numbers". Uncheck the box if the user is not to have access.
Finally, when Customer Credit Card Protection is enabled you will have access to the new "Customer Credit Card Audit Trail" report. This report details every access to or use of a customer credit card. This report is accessed via the Accountant & Taxes report.
To discuss how to implement a complete PCI DSS Compliance program contact Rick Daigle, firstname.lastname@example.org, or 404-787-5835