Security & Compliance

Almost daily, the news carries word of some data breach or cyber attack, at home or abroad. In today's world, security is at the forefront of every conversation about Point of Sale. Not only do we provide a PA-DSS validated system, but we also provide security services and support according to PCI-DSS standards.

At Lucas Systems, we never want our customers’ names to appear in the news.  We designed our Information Security Management (ISM) program, above all else, to keep your business safe.

Many breaches occur because cyber-criminals regard service providers as the weak link into their customers. Knowing this, we built our own program from the ground up to account for our security, your security, and the interaction between them.

  • Quarterly scanning is a requirement of PCI-DSS, but we have elected to exceed that mandate. We scan monthly, on all of our systems (not just those in scope), using more thorough scanning than a typical ASV scan provides.

  • We use the Center for Internet Security’s (CIS) consensus-based benchmarks to configure our systems. These widely accepted standards provide guidelines for hardening operating systems and software.

  • Our workstations and servers use a Gartner Magic Quadrant industry leader for malware protection.

  • We have outsourced our own compliance assessment. An impartial third party verifies that our actions meet PCI-DSS standards and best practices, rather than our grading our own work.

  • We protect our perimeter with an industry leading unified threat management product. The vendor is a leader in network security and has been a member of the PCI Council since 2009.

  • We audit remote access activity daily. Remote access is one of the most frequently abused paths into merchant networks, and we refuse to let that happen on ours!

Certifications

PA-DSS 3.2 Re-validation - PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. Vendors must have their applications assessed and re-validate them every 2 years to remain listed.

Certified Level 1 Service Provider - As of August 2017, Lucas was re-certified as a Level 1 Service Provider and received its Attestation of Compliance (AoC) and Report on Compliance (RoC) from a Qualified Security Assessor (QSA). Service providers are organizations that store, process or transmit cardholder data on behalf of others, or whose services can affect the security of that data. Although Lucas does not process, store or transmit cardholder data, as a Level 1 Service Provider we are required to meet the same stringent security requirements as those that do. To maintain this certification, our business systems, processes and procedures are audited annually by a QSA, and each quarter an Approved Scanning Vendor (ASV) scans our Internet-facing servers and our internal networks.

QIR - In May 2016, Lucas Systems was certified and listed as a Qualified Integrator and Reseller (QIR) of PA-DSS systems. Organizations qualified by the PCI Security Standards Council as QIR Companies are authorized to implement, configure, and/or support validated PA-DSS payment applications on behalf of merchants or service providers, performing Qualified Installations under the QIR Program. The quality, reliability, and consistency of a QIR Company’s work gives confidence that the payment application has been implemented in a manner that supports the customer’s PCI DSS compliance. We completed this ahead of Visa’s January 31, 2017 deadline requiring small (Level 4) merchants to use QIR-qualified point of sale integrators and resellers.

Requirements

As the POS security landscape developed, our customers found few service providers who could help them tackle the complexities of the PCI-DSS. So we created our own security offering using the same leading technologies we use internally, and partnered with outside firms to supplement it. Today, our unified security solution simplifies your compliance and is designed to keep you secure!

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

We partnered with a managed firewall vendor that has extensive experience in the hospitality industry and brings its expertise, resources and enterprise-grade firewall solutions to SMBs.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

We stage every system with vendor defaults replaced and a unique password for every account, and we handle critical password changes under our security services agreement.

Requirement 3: Protect stored cardholder data

Our payment technologies keep cardholder data out of the POS system, which removes most of it from PCI scope (your acquirer or QSA makes the final scoping determination). You will see the benefit as you mark “not applicable” on much of your SAQ!

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Our supported payment technologies encrypt cardholder data end to end, so it never crosses the network in the clear, and a managed firewall from one of our partners secures the connection it travels over.

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs

We install and manage an industry leading endpoint protection product on all systems within our security services agreement. Our security team monitors every system daily for incidents and responds immediately to threats.

Requirement 6: Develop and maintain secure systems and applications

Our security team monitors the major vulnerability databases and promptly patches known vulnerabilities. We thoroughly test and document system changes before release.

Requirement 7: Restrict access to cardholder data by business need to know

Using our payment technologies means nobody, our staff included, has access to sensitive cardholder data. Period.

Requirement 8: Identify and authenticate access to system components

Our staging team configures the required user identity and password management on all new systems.  All remote access utilizes two-factor authentication to ensure security and compliance.

Requirement 9: Restrict physical access to cardholder data

Because our payment technologies keep cardholder data off the POS system, there is no stored cardholder data on site for anyone to physically access. Period.

Requirement 10: Track and monitor all access to network resources and cardholder data

Through our partners, we offer logging and monitoring services that cover the tracking required here.

Requirement 11: Regularly test security systems and processes

Our firewall partners are PCI Council Approved Scanning Vendors (ASVs), and we can provide you the tools to help with the required testing and scanning. Keep in mind that ASV scans satisfy only the quarterly external scan; this requirement also calls for internal vulnerability scans and penetration testing.

Requirement 12: Maintain a policy that addresses information security for all personnel

We can offer the tools and advice for this requirement, but every company has unique policy needs.

We offer one additional security service that does not fall under any single requirement, but that you will always need:

Experience! 

Our team has been navigating the PCI landscape from the beginning, and our expertise is only one call or email away.  Whether you need an ASV scan deciphered or help understanding parts of the SAQ, we are always available.  This is the most important service of all!