FAS PCI Compliance

FAS is one of the very few systems in the floral industry to have ever been certified for PCI compliance. FAS was originally certified for PCI compliance in 2009. FAS’s PCI compliance was recertified in 2015 by the Payment Card Industry Security Standards Council (Council). The PCI Security Standard is a set of security policies, procedures, and protocols developed by the Council in order to protect sensitive cardholder data from fraudulent access and abuse. Computer data breaches have grown exponentially over the last year, affecting many of the largest retailers, banks, and other industries in the U.S. All payment applications which “store, process, or transmit” credit card data, including POS systems, credit card processing systems, e-commerce web sites, etc., in all industries must ultimately be validated as being PCI compliant in order to continue to process credit cards.

In order to have a software application validated as being Standard-compliant, a software vendor must submit its system to a Payment Application Qualified Security Assessor (Assessor) authorized by the Council to perform system security audits. The Assessor performs extensive tests on the systems to verify compliance with the Standard. These tests involve running actual transactions through the systems, generating reports, reviewing data-entry screens, etc., and they involve forensic analyses of the server hard disk and workstations to verify that prohibited data is not stored. These tests also verify that sensitive data is properly encrypted using very high levels of encryption. The Assessor submits his findings to the Council, which then makes the final decision concerning validation.

Many floral systems have never been certified for PCI compliance and almost certainly will never meet the demanding requirements for achieving compliance. One cannot simply claim to be compliant without completing the rigorous audit process described above.

More recently, FAS has raised its own security standards by incorporating the latest EMV chip card credit card security technology into its systems. Secure credit card devices facilitate end-to-end encryption which guarantees that credit card data is instantly encrypted and that the data remains encrypted. Tokenization is a process that involves substituting a token (a string of letters and numbers) that represents the actual credit card data. These technologies remove virtually any possibility of a data breach in your shop because plain-text credit card data never exists in the memory or on the hard disk drive of your server or workstation. The secure chip card reader allows you to process the chip on a credit card, swipe the magnetic stripe on an older legacy card, and accept contactless payments from customers’ smartphones using Apple Pay and Android Pay.