PCI de-scope

Hi,

There is a discussion taking place between some of the UK venues at the moment regarding PCI-DSS and the possibility of de-scoping all card transactions or effectively outsourcing the PCI compliance issues. We know that TNS now offer a Hosted Payment - Form model which requires both the TNSPay WebService API and the TNSPay Gateway's Hosted Payment, and we were wondering how far Next Gen had gone in considering the new services and developments from payment providers, which may make PCI compliance cheaper, safer and less hassle.

Thanks,

Rob

 

  • Thanks Keith – We are particularly interested in de-scoping PCI which I don't think the covers

  • I think Keith is somewhat correct in his reading of the Network update item on the new credit card server.  It is one of our goals to have a completely "hands off" method to deal with credit cards in order to remove the onus of PA-DSS certification for the software.  In fact our team had a meeting this week with our security auditors to discuss that very topic (among others).  The new credit card server is one step towards that because it gives us more options for ways to address payment processors.  I understand that what you are talking about specifically is a 3rd party hosted window so that the application never even touches (much less stores) that credit card data and we are looking at that as well.  That approach does add some simplicity to the process but also poses some integration challenges because of the "commit" problem.  What happens if you authorize a card through a totally separate window and then you never save the order?  And if you want to do recurring payments (automatic credit card billing) then we have to store some pointer to the credit card stored in a 3rd party system.  All solvable problems but ones that add to the complexity.

    Thanks for the comments and for keeping the conversation going.
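A sketch of the hosted-page flow described in the post above, added here as an example; it is not Tessitura's, TNS's or any gateway's code. The merchant side keeps only a token and a masked PAN, reconciles authorizations that were never matched by a saved order (the "commit" problem), and bills recurring payments through the token. The provider class, its method names, and the token and authorization identifier formats are invented stand-ins, and the card number is a constructed test value.

```python
import re
import secrets
from dataclasses import dataclass

PAN_RE = re.compile(r"\d{13,19}")  # candidate PAN: a 13-19 digit run


class HostedPaymentProvider:
    """Hypothetical gateway: hosted card-entry page plus token vault.
    Only this class ever holds a PAN; the method names are invented."""
    def __init__(self):
        self._vault = {}  # token -> PAN, provider side only
        self._auths = {}  # auth_id -> {"token", "amount", "status"}

    def _record(self, token, amount, status):
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = {"token": token, "amount": amount, "status": status}
        return auth_id

    def hosted_page_submit(self, pan, cvv, amount):
        # The cardholder types PAN/CV2 into the provider's page, not the merchant's.
        # CV2 is consumed by the authorization and never returned; the merchant
        # gets back a token plus a masked PAN.
        token = "tok_" + secrets.token_urlsafe(8)
        self._vault[token] = pan
        return {"auth_id": self._record(token, amount, "authorized"), "token": token,
                "amount": amount, "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}

    def charge_token(self, token, amount):
        # Recurring billing: the provider resolves the token to the stored card.
        if token not in self._vault:
            raise KeyError("unknown token")
        return self._record(token, amount, "captured")

    def open_authorizations(self):
        return [a for a, d in self._auths.items() if d["status"] == "authorized"]

    def set_status(self, auth_id, status):  # "captured" or "voided"
        self._auths[auth_id]["status"] = status

    def status(self, auth_id):
        return self._auths[auth_id]["status"]


@dataclass
class Order:
    order_id: str
    amount: int
    auth_id: str
    token: str       # pointer into the provider's vault, not card data
    masked_pan: str  # last four only, for receipts and dispute lookups


class MerchantOrders:
    """The ticketing application's side: stores orders and tokens, never PANs."""
    def __init__(self, provider):
        self.provider = provider
        self.orders = {}

    def commit(self, order_id, result):
        # "Commit" = the order is saved AND its authorization captured.
        self.orders[order_id] = Order(order_id, result["amount"], result["auth_id"],
                                      result["token"], result["masked_pan"])
        self.provider.set_status(result["auth_id"], "captured")

    def reconcile_orphans(self):
        # The commit problem: an authorization from the hosted page whose order was
        # never saved dangles at the provider. Void anything no order references.
        referenced = {o.auth_id for o in self.orders.values()}
        orphans = [a for a in self.provider.open_authorizations() if a not in referenced]
        for auth_id in orphans:
            self.provider.set_status(auth_id, "voided")
        return orphans

    def recurring_charge(self, order_id, amount):
        return self.provider.charge_token(self.orders[order_id].token, amount)

    def stores_pan(self):
        # De-scoping check: nothing persisted merchant-side looks like a PAN.
        return any(PAN_RE.search(repr(o)) for o in self.orders.values())


def run_demo():
    provider = HostedPaymentProvider()
    merchant = MerchantOrders(provider)
    test_pan = "4111111111111111"  # constructed test card number

    a = provider.hosted_page_submit(test_pan, "123", 4500)  # patron A checks out
    merchant.commit("ORD-1", a)                              # ...and the order is saved
    b = provider.hosted_page_submit(test_pan, "123", 2500)  # patron B abandons checkout

    voided = merchant.reconcile_orphans()
    recurring = merchant.recurring_charge("ORD-1", 1000)
    return {
        "committed_status": provider.status(a["auth_id"]),
        "orphan_auth": b["auth_id"],
        "voided": voided,
        "recurring_status": provider.status(recurring),
        "merchant_stores_pan": merchant.stores_pan(),
        "masked_pan": merchant.orders["ORD-1"].masked_pan,
    }
```

`run_demo()` returns a dict of the outcomes. The `reconcile_orphans` step is what a real integration would have to schedule against the provider's list of open authorizations, and the `stores_pan` scan is the sort of check to run over the merchant's own database when arguing that the application is out of scope.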

  • Let me also throw out a real world scenario.  When disputes happen the credit card company requires that we provide them with the full PAN.  In a third party system where the credit card number is never even seen, how can we deal with the credit card companies' requirement to provide that information?  They want the full PAN and authorization number.  We have this scenario come up often.

    Thanks,

    Dave Alton

    CIO

    Center Theatre Group

    o:213-972-7539 | c:213-973-2834

     

    From: Tessitura Next Generation Forum [mailto:forums-nextgeneration@tessituranetwork.com] On Behalf Of Chuck Reif
    Sent: Friday, April 08, 2011 8:52 AM
    To: Dave Alton
    Subject: Re: [Tessitura Next Generation Forum] PCI de-scope

  • Chuck,

    As you are looking at the Credit Card Server are you considering the issues around credit card company issued gift cards?  Right now we have not found a way to institute this kind of gift card setup for Tessitura. 

    This seems to be because the current credit card server and Tessitura Clients have no way to do the following:

    • query available balances and then
    • easily split payments between the Gift Card and apply the remaining expenses on another Credit Card or more gift cards.

    To be the most help, we would have to be able to do the above from both the Box Office and on the Web. 

    Is this sort of functionality on the "Radar Screen"?

    --Tom

  • Hi all,

    Just on the point of automatic credit card billing. If like us you always require the CV2 number, but then you can’t save this number in Tessitura, doesn’t this function become obsolete in the UK?


    www.southbankcentre.co.uk

    Ticket Office: 0844 847 9910

    Southbank Centre is a Registered Charity No. 298909

  • Tom,

    The Science Museum has a functional, but inelegant way of processing gift cards. I say inelegant because it does not seamlessly link Tessitura to our processor. We use a third party processor to enable our patrons to use their gift cards in our Explore Store, parking ramp and contracted food service. We use methods of payment to add value to and redeem gift cards. Processing and balance inquiries are done through separate software. Please let me know if I can provide more details, though I think we may have talked at a conference?

    Thanks.

    Ray



[edited by: Tom Brown at 12:17 PM (GMT -6) on 8 Apr 2011]
  • Will be very interesting to see how this develops...like the ROH we want to explore ways that we can de-scope as much of our infrastructure from PCI as possible.  The additional cost and complexity this has already introduced is a serious burden on the IT Department and I can’t see this getting any easier over the next few years. Just the sheer number of additional systems we now have to monitor (File Integrity Monitoring, IDP/IDS, Log Management, Wireless IPS, etc) together with the additional procedures we now have to follow make this an increasingly large part of the day to day work of the IT Department.  As a tier 3 merchant, at least we are able to avoid the added burden of an annual third party audit – however I’m not convinced the threshold for this won’t be reduced over the next few years.  Anything that we can do to de-risk as much of our payment infrastructure as possible and therefore remove the PCI overhead will be very welcome.

  • I am late joining this discussion, but want to add to the vote for getting credit card storage out of Tessitura. The self assessment questionnaire is much tougher this time than the last time I completed it. It is only going to get more burdensome in the future. I want an outside vendor to be PCI compliant and take as much of the burden as possible.