The Payment Card Industry Data Security Standard, or "PCI-DSS", is a set of
comprehensive requirements for enhancing payment account data security. PCI-DSS
includes requirements for security management, policies, procedures, network
architecture, software design and other critical protective measures. This
comprehensive standard is intended to help organizations proactively protect
customer account data.
The PCI-DSS was developed by the leading payment brands - American Express,
Discover Financial Services, JCB International, MasterCard Worldwide, and Visa
Inc. - which together founded the Payment Card Industry Security Standards Council (PCI SSC).
The PCI-DSS applies to any entity that processes, stores or transmits
cardholder data (in any form), including the Primary Account Number (PAN). Examples
of such entities are merchants, service providers and acquirers. Please note
that if a PAN is not stored, processed or transmitted, the PCI-DSS requirements do not apply.
No. The PCI-DSS is essentially a set of information security standards
imposed by payment brands onto entities that process, store or transmit
Traditional PCI Data Security Standard compliance does not apply directly to
software vendors and suppliers, since most vendors do not store, process or transmit cardholder data.
Payment applications that vendors sell, distribute or license to third parties are instead covered
by the separate Payment Application Data Security Standard (PA-DSS).
No, it is the sole responsibility of the merchant to ensure that it is
Merchants that store, process or transmit payment account data should contact
the acquiring financial institutions with whom they have merchant agreements to
determine whether they must validate compliance and the specific requirements
for compliance validation.
Without the interface, MICROS-Fidelio software is not a payment application.
Nevertheless, if the software is used to store credit card data, it is within
the scope of the merchant's PCI-DSS compliance assessment.
A payment application is software that stores, processes or transmits
cardholder data (including the Primary Account Number, PAN) as part of
authorization or settlement, where that software is sold,
distributed or licensed to third parties.
It is not sufficient. First of all, the PCI-DSS standard consists of 12
requirements, all of which have to be fulfilled for compliance. Using PA-DSS certified
software addresses only a small part of them; network security, access control, monitoring,
policies and the other requirements remain the merchant's own responsibility.
Second, in order to ensure proper security, the software must be installed,
configured and later maintained in a PCI-compliant way, following the implementation
guide that PA-DSS requires the vendor to supply with the application.
The list of certified versions of MICROS-Fidelio systems is available at
Visa Inc. has defined the following deadlines for using non-certified payment
1 July 2010 for new merchants
1 July 2012 for existing merchants
Alternatively, you can stop entering card numbers into the system and use POS
terminals supplied by your acquirer for authorization and payment. Please note that
the PCI-DSS requirements still apply to your company, because the terminals themselves
store, process or transmit cardholder data.
By 2010 HRS, together with several technology partners, will finish development of
interfaces based on a new architecture. With the new technology the payment account
number is confined to the POS terminal network and is never passed to the
interface modules or to the MICROS-Fidelio system. The interface therefore no longer
meets the definition of a payment application, so PA-DSS does not apply to it, and
because MICROS-Fidelio then neither stores, processes nor transmits the PAN, it falls
outside the scope of the merchant's PCI-DSS assessment. The merchant itself remains
subject to PCI-DSS for the terminal network, which still handles cardholder data.
Already installed versions of the interfaces can still be used until 1 July 2012.
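The property described above (no PAN ever crosses from the terminal network into the interface or the MICROS-Fidelio system) is something a merchant or integrator should verify rather than assume. The following is an added example, not code from HRS, MICROS-Fidelio or the page itself: it scans messages that cross the terminal-to-PMS interface for anything that looks like a full PAN, using the Luhn check to filter out other digit runs such as reservation numbers, and reports any hit already masked to the first six and last four digits, the most PCI-DSS allows to be displayed. The message layout and field names are constructed for the example and are not a real MICROS-Fidelio interface format.

```python
import re

# Candidate PAN: 13 to 19 digits (the PAN length range PCI-DSS covers),
# optionally split into groups by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) check. Every real PAN passes it, so it filters out
    digit runs such as reservation numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the full PANs found in text (digits only, separators removed)."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan):
    """PCI-DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_interface_message(message):
    """Verdict for one message crossing the terminal-to-PMS interface.

    A message is 'clean' when it carries no full PAN. Any PAN it does carry
    is reported already masked, so the checker's own output stays out of scope."""
    pans = find_pans(message)
    return {"clean": not pans, "masked_pans": [mask_pan(p) for p in pans]}


# Constructed sample messages; the field layout is invented for this example
# and is not a real MICROS-Fidelio interface format. 4111 1111 1111 1111 is
# the standard Visa test number, not a live card.
LEGACY_POSTING = (
    "POST|room=1204|resv=20100701123456|pan=4111 1111 1111 1111|amt=125.00"
)
TOKENIZED_POSTING = (
    "POST|room=1204|resv=20100701123456|token=TK7f3c2a9e"
    "|pan=411111******1111|amt=125.00"
)

if __name__ == "__main__":
    for name, msg in (("legacy", LEGACY_POSTING), ("tokenized", TOKENIZED_POSTING)):
        print(name, check_interface_message(msg))
```

Run over captured interface traffic (or a log of it), a single non-clean verdict is enough to show that the PMS and the interface are back inside the PCI-DSS scope; the 14-digit reservation number in the samples is deliberately there to show why the Luhn filter matters, since a plain digit-run regex would flag it as a false positive.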
Requirement 6 specifies: "All critical systems must have the most recently
released, appropriate software patches to protect against exploitation and
MICROS-Fidelio is a Participating Organization with the PCI Security Standards
Council (PCI SSC). As a Participating Organization, MICROS-Fidelio receives news
and updates from the PCI SSC and closely follows periodic changes to PA-DSS.
Each new release of MICROS-Fidelio software is certified for compliance with the
most recent version of PA-DSS. The up-to-date list of certified versions of
MICROS-Fidelio is always available at