Are you PCI DSS Compliant?
What is PCI DSS Compliance anyway?
Payment Card Industry Data Security Standard, or PCI DSS to keep things short, is a set of security standards required of all businesses that accept credit cards as a form of payment.
Salon owners often call us to ask if TanTrack is PCI Compliant. The answer is no, but only because it is the wrong question. PCI Compliance can only be obtained by the business, not by a piece of software. Software, if required, would instead get a certification called PA-DSS. More on that later.
PCI compliance is also not new. It has been in the fine print of your credit card processing contract for many years. In the beginning it was more of a list of recommended practices that you agreed to adhere to; in later years it became a mandated set of security practices. Unfortunately, it was written by corporate security nerds and lawyers, so it has become pretty difficult to follow.
For most salons, it is really not that intensive. Typically, a tanning salon with monthly memberships will use the Self-Assessment Questionnaire (SAQ) version D; there are far fewer questions on this form. If you do not have monthly memberships, you will more likely use SAQ version C. In addition, all tanning salons are required to perform an external network scan each year.
If you would like to read the entire document (over 350 pages), you can download that directly from the PCI Security Council website library at:
We cannot assist with PCI DSS Compliance requirements. Some credit card processors do offer a team that will help at least to explain the requirements.
However, below we provide a very simple summary of the document in plain English that should be far easier to understand. Just note that the standards can change and contain more detail than our generalized summary. Therefore, the official PCI document is what should be referenced for the actual requirements.
Is TanTrack PCI DSS Compliant?
TanTrack is not required to obtain the PA DSS certification because it does not directly handle or store any credit card data. Therefore, it is considered “Out of Scope”. We made the decision in 2010 to convert to the new method (now standard) of using “tokens” in place of credit card data. We were, in fact, the very first tanning salon software to implement this new technology!
The way this works is that your credit card machine gets the card data, sends it to the processor, then the processor returns a “token”. We can then safely store and use this token as needed. This token ONLY works for YOUR salon and is also updated every time the token is used for a transaction. This means that if your data were to be stolen, the tokens would be absolutely useless to anyone else. This is a far safer way to handle credit card data!
Getting PCI DSS Compliant
Identify Your Self-Assessment Questionnaire (SAQ)
The first step in your PCI DSS compliance is to identify which SAQ is required. There is a flow chart available in the PCI SAQ Instructions & Guidance document that will help you to determine which SAQ form applies to your tanning salon.
Tanning salons using TanTrack that process credit cards and offer monthly memberships will use SAQ “D”.
Tanning salons using TanTrack that process credit cards and do NOT offer monthly memberships will use SAQ “C”.
If you choose to follow the flowchart provided by the PCI Council, there are a few terms you may need to understand:
P2PE – Point-to-Point Encryption (in the case of TanTrack, this is your WorldPay or Global credit card terminal)
MOTO – Mail Order / Telephone Order transactions
E-Commerce Transactions – Transactions via a website such as TanTrack’s Client Portal which does not touch credit card data.
PCI DSS Security Requirements
Requirement 1 - Install & Maintain Network Security Controls
A firewall is a hardware device that controls the internet traffic coming into your business. For most retail businesses, only a very limited amount of inbound traffic may be necessary, such as internet/web or e-mail. A firewall will restrict the types of traffic entering your business to only those considered crucial to your business.

The above diagram shows the internet (aka “Cloud”) delivering traffic to a router (cable modem with a built-in router), then to the firewall which blocks unwanted traffic, then finally to the internal network. In this diagram, a server is shown but is not necessary. The server can be replaced by another router, for example. Also, note that this is the MINIMAL network setup required for PCI Compliance.
An even more secure setup would actually separate PCs that need web/e-mail access from the PCs that actually process credit cards. This would be done by placing internet PCs on the unsafe side of the firewall, or using a 2nd firewall configured to allow such traffic, and keeping all credit card processing PCs on the safe side of the firewall.
Note: If you offer your clients access to free wi-fi, it MUST be segmented on to its own network or you will not be PCI DSS Compliant!
Requirement 2 - Apply Secure Configurations to All System Components
Don’t use default passwords for software, modems, windows, etc.
TanTrack installs itself using a default user account and password so that the installation utility can configure your database during the initial installation. After installation, you can reconfigure TanTrack to use any username and password combination you provide, so the default credentials do not need to remain in use.
Requirement 3 - Protect Stored Account Data
Secure, limit and log access to full credit card numbers if stored digitally or in printed form.
TanTrack only stores the last 4 digits of any credit card during a transaction per the PCI DSS requirements.
For those tanning salons requiring monthly membership (EFT) payments, TanTrack uses a “token” system meaning that it does NOT store the credit card numbers.
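The token flow described above, together with the last-four-digits rule of Requirement 3, as an added illustration written for this page (it is not TanTrack's or any processor's code): a constructed processor vault issues a token bound to one merchant and replaces it after every charge, so a token copied out of a salon's data is useless to another merchant and dead after its next use. The merchant ids, card number and amounts are constructed sample values.

```python
import secrets
from dataclasses import dataclass


class Processor:
    """Constructed stand-in for the card processor's token vault.
    Only the processor ever sees the full card number (PAN)."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # Random, unguessable handle bound to the salon that enrolled the card.
        token = secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int):
        """Return (approved, replacement_token). Rejects unknown tokens and
        tokens presented by a merchant other than the one they were issued to;
        on success the old token is retired and a fresh one is issued."""
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id or amount_cents <= 0:
            return False, None
        del self._vault[token]  # the old token is now useless to anyone
        return True, self.tokenize(merchant_id, entry[1])


@dataclass
class SalonRecord:
    """What the salon's software keeps: the token and the last four digits only."""
    token: str
    last4: str


def enroll(proc: Processor, merchant_id: str, pan: str) -> SalonRecord:
    # The terminal reads the card; the salon software only ever receives the token.
    return SalonRecord(token=proc.tokenize(merchant_id, pan), last4=pan[-4:])


def bill_membership(proc: Processor, merchant_id: str, rec: SalonRecord,
                    amount_cents: int) -> bool:
    approved, new_token = proc.charge(merchant_id, rec.token, amount_cents)
    if approved:
        rec.token = new_token  # the token is updated after every transaction
    return approved
```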
Requirement 4 - Encrypt Transmission of Cardholder Data Across Open, Public Networks.
For all users of TanTrack, all cardholder data transmitted is only transmitted using P2PE (Point-to-Point Encryption) via the Worldpay or Global terminal.
Communications between our software and our cloud database servers are encrypted in transit using TLS 1.2. All data at rest on our cloud servers is also encrypted.
Requirement 5 - Protect All Systems and Networks from Malicious Software
Use and regularly update anti-virus software on all of your computers within your tanning salon.
There are many options available both free and paid. Internally we use ONLY Microsoft’s Windows Defender anti-virus solution. It is completely free and automatically updated by Microsoft almost daily to protect against new threats. It is also the least intrusive of the anti-virus solutions on the market.
Requirement 6 - Develop & Maintain Secure Systems & Software
Make sure you always have the latest Windows updates, SQL Server Updates, and TanTrack updates.
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.
Note: When your data is hosted on our cloud platform, updates to the SQL Server Database are applied immediately upon release. In addition, our cloud servers are monitored 24/7 for unauthorized traffic!
Requirement 7 - Restrict Access to System Components & Cardholder Data by Business Need to Know
TanTrack follows this procedure by never showing the decrypted stored cardholder data and by never storing any cardholder data, except in the case of clients with active EFT packages, where only the “token” is stored, not the actual credit card account number.
Requirement 8 - Identify Users and Authenticate Access to System Components
Because most people in a salon share the same computer, it is not practical to have a separate Windows user name and password for each salon employee. Because of this, TanTrack has its own employee database. This allows each employee to have a unique user ID and password to access the secure areas of the application. All such access, and all attempts to access, are logged per the PCI DSS requirements.
Requirement 9 - Restrict Physical Access to Cardholder Data
Any physical access to data or computer systems that house cardholder data gives individuals the opportunity to access devices or data and to remove systems or hard copies, and should be appropriately restricted.
There are several related requirements, such as facility entry controls (locked server cabinets or rooms), video cameras, or other methods for monitoring access. A policy must be in place that helps personnel easily distinguish between employees and visitors.
Backups must be stored in a secure location, preferably an off-site facility that is also secure. You may review the actual details for Requirement 9 in the PCI DSS guide.
To assist your salon in meeting this requirement, we have made a large investment in database servers that are housed in a PCI certified facility. We can provide proof of the facility’s PCI certification upon request in the event your merchant processor requires such documentation.
These servers are monitored 24 hours a day, 7 days a week for any attempted intrusions via the internet. The facility is also highly secure, requiring many layers of security to even physically get to our servers. The servers are connected to multiple internet backbones. In addition, the entire facility has a massive battery and fuel-generated backup system to keep servers running even in the event of a power failure.
The bottom line: the data is highly guarded, the connection is rocket fast, and the likelihood of any downtime due to power failure or server failure is absolutely minimal. This is far safer and more reliable than anything you would have available at your salon location.
Requirement 10 - Log & Monitor All Access to System Components & Cardholder Data
Much of this requirement can be handled simply by hosting your databases on our secure servers.
TanTrack also logs many types of sensitive area access. Per processor requirements, these logs can only be deleted if older than 6 months and the deletion will add a new log entry showing the deletion was executed.
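Requirement 8’s per-employee credentials with logged attempts and Requirement 10’s six-month retention rule, as an added illustration written for this page rather than TanTrack’s own code: every login attempt, successful or not, is recorded; the purge routine can only drop entries older than the cutoff and writes a new entry recording that it ran. The user names, passwords, epoch-second timestamps and the 183-day approximation of six months are constructed assumptions.

```python
import hashlib
import hmac
import os

RETENTION_SECONDS = 183 * 86400  # assumption: "6 months" approximated as 183 days
PBKDF2_ROUNDS = 200_000


class SalonAccess:
    """Constructed model: unique per-employee logins plus an audit log
    whose purge honours a minimum retention period."""

    def __init__(self):
        self.users = {}  # user_id -> (salt, pbkdf2 hash); never a plaintext password
        self.log = []    # (epoch_seconds, event, user_id, detail)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user_id] = (salt, digest)

    def login(self, user_id: str, password: str, now: float) -> bool:
        rec = self.users.get(user_id)
        ok = False
        if rec is not None:
            salt, digest = rec
            attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            ok = hmac.compare_digest(attempt, digest)  # constant-time comparison
        # Every attempt is logged, including failures and unknown user ids.
        self.log.append((now, "login_ok" if ok else "login_failed", user_id, ""))
        return ok

    def purge(self, now: float) -> int:
        """Delete only entries older than the retention window, then record
        the deletion itself so the gap in the log is explained."""
        cutoff = now - RETENTION_SECONDS
        kept = [e for e in self.log if e[0] >= cutoff]
        removed = len(self.log) - len(kept)
        self.log = kept
        self.log.append((now, "log_purged", "system",
                         f"{removed} entries older than epoch {cutoff:.0f} removed"))
        return removed
```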
Requirement 11 - Test Security of Systems & Networks Regularly
Per the guidelines, you are responsible for running a test at least quarterly to make sure that your network is safe both internally (behind the firewall) and externally (in front of the firewall, via the internet). Such tests include checking for the presence of unauthorized wireless access points/routers, network vulnerability scans, penetration testing, and intrusion detection or prevention systems.
There are numerous companies and software products that can assist you with this task.
Internal Scanning (Inside your tanning salon)
GFI LanGuard offers a low-cost self-scanning tool that will allow you to scan your internal network for vulnerabilities. This is not the same as anti-virus software; it is a tool that will provide a list of open ports within your internal network at the salon for you to review as needed.
External Scanning (via the internet)
The quarterly external vulnerability scanning must be completed by an approved scanning vendor (ASV) to qualify as having met this compliance task. Most often, your processor will provide this service to you with their own contracted ASV.
If you prefer, you can hire your own from the following list of approved ASVs:
Requirement 12 - Support Information Security with Organizational Policies & Programs
The final requirement is that you have in place a documented policy that informs employees what is expected of them with regard to protecting cardholder data.
The term “employees” also includes contractors or consultants who are “resident” on the company’s site.