Menu

Is Channergy PA-DSS Certified?

by [email protected], October 28, 2019

The short answer is no. This article will explain why and what you need to do to meet your PCI Compliance requirement in relation to Channergy.

The PCI Security Standards Council publishes a document describing the conditions an application must meet to be PA-DSS certified. You can find it at https://www.pcisecuritystandards.org/documents/which_applications_eligible_for_pa-dss_validation.pdf.

Channergy uses a 3rd party component to process credit card payments. In the past the council allowed for PA-DSS certification of the component. If you installed Channergy prior to the cutoff date you can use the component’s certification by following these steps:

  1. Go to  https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications
  2. Use the company name of /n software
  3. Select Acceptable only for pre-existing deployments.
  4. You can use the first item listed (Direct Payment Integrator)

If you are a newer Channergy customer (generally any time after 2016) the above will not apply to you. However, you do not need to show that Channery is PA-DSS certified. The reason for this are the following 2 requirements:

2. Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement?

5. Is the application a back-office system that stores cardholder data but does not facilitate authorization or settlement of credit card transactions?

Channergy must answer “Yes” to both of the above questions therefore causing it to be ineligible for PA-DSS Certification.

So, if you are a newer customer what is your response to a PCI Compliance questionnaire? The answer is in the same document as shown below:

 

What should a merchant or service provider do if they use, or wish to use, applications that store, process or transmit cardholder data that are not eligible for PA-DSS validation?

Applications that store, process or transmit cardholder data and that are not eligible for PADSS validation would be included as part of an entity’s annual PCI DSS assessment to ensure that the application is compliant with all applicable PCI DSS requirements.

That means that your responses to your PCI Compliance questionnaire include Channergy as part of your organization’s plan. That generally includes such items as your company’s data security strategy, storage of customer data etc. When asked about how you store customer data and if it is encrypted you can use the following when describing how Channergy manages this:

The data is encrypted in a table using this method:
 
DBISAM (the database used by Channergy) uses the MD5 message-digest algorithm to generate 128-bit MD5 hashes from plain-text passwords. These hashes are then used with the Blowfish 8-byte symmetric block cipher algorithm to encrypt the actual data.
 
And that’s it. PCI Compliance is not automatically granted by simply using a PA-DSS certified program. You must have strategies and policies in place to ensure the safety of customer data. Those policies include the data stored by Channergy.
If you have any questions about Channergy’s role in your PCI Compliance strategy please feel free to contact us.