New MasterCard POS standards

[LosAngelesZCUser]

I wasn't sure where to post this. This doesn't concern any particular payment module, just ones that use a Point of Sale (POS) system, like Authorize.net. The website of one of my company's clients uses Zen Cart, and they recently received this message from MasterCard:

Your Point of Sale (POS) system must be upgraded

Your business has been identified as using a POS system that utilizes an integrated POS software application such as Aloha, Counterpoint, or Squirrel or an E-payment/Gateway application such as
Authorize.Net, Cybersource, and First Data Global Gateway. To be compliant with this new MasterCard
mandate, your POS system will need to be updated with new transaction specifications.

If your system is not compliant by May 1, 2010, you may be subject to a per transaction compliance fee
by MasterCard. To avoid MasterCard compliance fees associated with these new procedures, these new
specifications must be implemented on your POS system. You will want to contact your application
software vendor directly to find out what updates are available. Your vendor is responsible for updating
your application software.

Ensure you are PA-DSS compliant

When you contact your vendor we recommend you also confirm that your software is Payment Application
Data Security Standard (PA-DSS) compliant. Visa has mandated that merchants using POS software
applications will need to be compliant with the PA-DSS by July 1, 2010. To view an updated list of
compliant payment applications, please visit http://www.pcisecuritystundords.org/...tandczrds/vpa/

I know nothing about this stuff. I couldn't find Authorize.net in the list of compliant applications that they link to. Should I be concerned? This particular website uses the iTransact (RediCharge) module, but several other clients have websites that use Authorize.net. Can anyone who's an expert on this stuff tell me if these modules are compliant with these new standards? What about PayPal/PayFlow modules?

I apologize upfront for my ignorance about payment gateways. My expertise is with the aspects of Zen Cart that take place entirely on the website; I don't know much about the parts that involve communication with outside gateways.

[Kim]

Does this customer also have a physical store? Are they using their Zen Cart as a Point of Sale system in the brick and mortar?

[LosAngelesZCUser]

Does this customer also have a physical store? Are they using their Zen Cart as a Point of Sale system in the brick and mortar?

I don't think so. Can you explain how that would work, and why it makes a difference?

[kobra]

Can you explain how that would work, and why it makes a difference?

I see where MC is using the acronym POS as the same as a gateway

POS is normally associated with "Point of Sale" or just like when you pay at a department store with a CC...
You and the card are physically present

Using a gateway you or your card are not present

Look at the site they linked to for the "Self Evaluation" thing
If one answers these questions correctly they should fall into level/class 4 - and personally be compliant

I have not re-read it recently but there may be items your host must comply with as in possibly subscribing to a PCI Scanning service.
The gateway provider will have some responsibilitirs also

[LosAngelesZCUser]

By the way, the URL in the message should be https://www.pcisecuritystandards.org...standards/vpa/. The message came in a PDF and for some reason I couldn't copy the text as text, only as an image. I had to use OCR software to convert it to text.

[LosAngelesZCUser]

The only self-assessment questionnaire I see on pcisecuritystandards.org is for PCI-DSS, not PA-DSS. Are these the same thing, or what's the difference?

[deeman001]

I hope someone else in the ZC community has been notified about this and has more information about it, because it seems like a real pain to try to code for this new MC requirement.

I received a notice from my Merchant account processor (WellsFargo Merchant Services) telling me that MasterCard has announced changes to the way an "E-payment/Gateway application" ( I am assuming ZenCart is this type of application) handles customers that pay with a MasterCard debit card or a Pre-paid MasterCard. I don't know if this will affect my zencart store or not and wanted to see if anyone else has additional information about this new requirement. I am currently using PayPal PayFlow Pro to handle credit card transactions, but when I called them they said that it would be the Merchant account processor who would require this. I very confused about this new requirement.

Here is an excerpt from the Letter, there are more details in the letter I received about why MC wants this done, but i'm only putting a few paragraphs here :

"MasterCard has announced mandatory changes to its debit and prepaid card authorization procedures that require an update to your Point of Sale (pos) system. Beginning May 1, 2011 MasterCard will require merchants to perform partial authorizations and real-time authorization reversals for debit and prepaid card transactions, in addition, merchants will be required to support available balance responses for prepaid card transactions. New data elements will need to be passed between MasterCard and your pos system which will require you to make programming enhancements.

Your Point of Sale (POS) system must be upgraded
Your business has been identified as using a POS system that utilizes an integrated POS software application such as Aloha, Counterpoint, or Squirrel or an E-payment/Gateway application such as Authorize.Net, Cybersource, and First Data Global Gateway. To be compliant with this new MasterCard mandate, your POS system will need to be updated with new transaction specifications. If your system is not compliant by May 1. 2011, you may be subject to a per transaction compliance fee by MasterCard. To avoid MasterCard compliance fees associated with these new procedures, these new specifications must be implemented on your POS system. You will want to contact your application software vendor directly to find out what updates are available. Your vendor is responsible for updating your application software."

Any information about whether our ZenCart stores need to be upgraded to handle this mandate would be appreciated.

[Kim]

Would you please get your provider to clarify exactly what they are considering as a POS?

[kobra]

Would you please get your provider to clarify exactly what they are considering as a POS?

Having read this at least twice I would think that it is apparent that it is not the "provider" as you are using this and only a poorly written message from the MC group copied and forwarded to users...

Your business has been identified as using a POS system that utilizes an integrated POS software application such as Aloha, Counterpoint, or Squirrel or an E-payment/Gateway application such as Authorize.Net, Cybersource, and First Data Global Gateway

Point of sale system that uses an E-payment system...
The real question is is ZenCart already a secure platform from which to conduct secure transmission to/through a compliant gateway or not.

I believe that what ever the requirements are should be reviewed by the Dev Team

I suspect that it is, but am only a volunteer poster here...

[pdxdoug]

Interesting news ...

I run Counterpoint POS system in our bricks and mortar store and haven't heard a word about this from either Radiant Systems (the owners of Counterpoint) nor Mastercard.

What I'm reading into this is that stores that are running old versions of Counterpoint and the other mentioned POS systems must upgrade their POS software (NOT Zencart) to be compliant.

I don't think that this has anything to do with Zencart or the associated payment gateways that ZenCart uses. Those payment gateways already know what the PCI/MC requirements are and should be meeting or working on meeting those requirements.

On the other hand, one must have a maintenance agreement ($$$) with Counterpoint to receive half-yearly updates to the POS software and any bug fixes. Merchants who have let those agreements lapse find it costly to renew just to be current.

Along with running Counterpoint and using their payment gateway (First Data) comes the pleasure of having Security Metrics insure PCI compliance, and they've not indicated anything either.

The OP can always log onto the Counterpoint Users Forum (cpuser.org) and see if there is any relevant information posted there.