SunGard Public Sector

Click2Gov PCI-DSS / PA-DSS Information


Last Updated: 07-01-2010


SunGard Public Sector views security and security issues very seriously and goes to great lengths to ensure that the SunGard Public Sector products are safe and secure. If you need information on PCI-DSS please scroll down to that section or click on this link: PCI-DSS Information. If you need information on PA-DSS please scroll down to that section or click on this link: PA-DSS Information.

FAQ sections have been added. To view the FAQ sections just scroll down the page or click on the appropriate links provided: PCI-DSS FAQ section and PA-DSS FAQ section.

PCI-DSS Information

The SunGard Public Sector Remote Solutions Delivery Group has successfully obtained a Payment Card Industry – Data Security Standard (PCI-DSS) certification for that hosting facility and organization. This certification is a significant component of the SunGard Public Sector security and reliability program for our hosting operations. A copy of the current PCI-DSS certificate is available to hosted customers upon request. SunGard Public Sector is listed on both the Visa and MasterCard PCI-DSS sites.

Please be aware that this certification only impacts SunGard Public Sector hosted customers and does not materially affect your possible requirement or ability to obtain a PCI-DSS certificate for your organization.

SunGard Public Sector has many hosted and non-hosted eGovernment customers that have received their own PCI-DSS certificates. Hosted customers may still need their own PCI-DSS certificate. Whether or not your organization needs a PCI-DSS certificate, what PCI-DSS level applies to you, and what steps you might need to take to satisfy any applicable PCI-DSS certificate requirements are matters that should be discussed with your merchant provider/acquirer or bank.

If it is determined that your organization does need to complete the PCI-DSS certification process and you are not a hosted customer, SunGard Public Sector can provide you with answers to the software portions of section 3.4 and section 6 (for those questions that specifically relate to SunGard Public Sector software) of the PCI-DSS questionnaire. For hosted customers, this information is addressed in the SunGard Public Sector hosting operations PCI-DSS certificate.

If you are not currently a SunGard Public Sector hosting customer and need sections 3.4 and 6, please contact Todd Baum and request the PCI-DSS questionnaire answers.

If you are currently a SunGard Public Sector hosting customer, please feel free to contact Peggy Serena for a copy of the SunGard Public Sector Remote Solutions Delivery Group PCI-DSS certificate.

NOTE: If your organization has not yet received its PCI-DSS certification but currently processes card payments, your acquirer may impose a transaction surcharge to offset their liability in allowing you to continue to process payments while not in compliance.

We hope this answers your questions in regard to PCI-DSS but feel free to contact Todd Baum if you have any other questions related to this matter. Thank you.

PCI-DSS FAQ section

Q: We are already PCI-DSS certified, do we need to do anything?

A: Yes, though you are PCI-DSS certified, Visa has stated that they want all payment applications to be PA-DSS compliant by July 1, 2010. Please read the PA-DSS sections below. MasterCard has a PA-DSS deadline too but theirs is not until July 1, 2012.

PA-DSS Information

SunGard Public Sector is working to meet all card association security guidelines. To this end SunGard Public Sector is addressing the Payment Application – Data Security Standard (PA-DSS) application standard. SunGard Public Sector has completed an internal compliance review of all payment related applications. This review was performed with consulting assistance from SecurityMetrics, Inc. (an approved QSA). A small number of minor items (not related to payment processing) have been identified and software updates are being prepared to address these items. As soon as each patch is available it will be posted to MyNaviLine and this status page will be updated. With the application of these patches and acceptance by your acquirer the Click2Gov products will be PA-DSS compliant.

SunGard Public Sector has an external PA-DSS validation schedule for our eGovernment and payment software in October, 2010 with SecurityMetrics, Inc. as the QSA. This is the soonest timeframe that could be scheduled based on our readiness, the size of the effort and SecurityMetrics, Inc. availability.

The information related to our internal review and the supporting documentation supplied by SecurityMetrics, Inc. has been sent to a number of acquirers used by SunGard Public Sector customers for their review.

Visa has stated that all merchants that accept Visa cards need to utilize only PA-DSS compliant payment applications by July 1, 2010. This is a Visa guideline and does not affect acceptance of MasterCard payments. MasterCard has stated that all merchants that accept MasterCard cards need to utilize only PA-DSS compliant payment applications by July 1, 2012.

We have already sent the information from our internal review and the supporting documentation supplied by SecurityMetrics, Inc. to a number of acquirers used by our customers, and the following acquirers have accepted this documentation as an assurance of PA-DSS compliance:


Automated Merchant Systems, Inc.

Bank of America

Mercury Payment Systems


Customers who use these acquirers and who have applied the relevant software patches should not experience any disruption in card processing services. Because these acquirers have accepted SunGard Public Sector applications as compliant, customers using these acquirers should NOT be subject to any additional PA-DSS compliance surcharges on their transactions.

The following acquirers have not yet completed their reviews:


Electronic Merchant Services

Sage Payments


We are currently working to contact the following acquirers:


CapitalONE

Wells Fargo


If you utilize an acquirer that is not listed here, please send their contact information to Todd Baum and they will be contacted. Updates will be posted as to the status of the various acquirers as each project is completed.

If you have any other questions related to PA-DSS certification, please send them to Todd Baum.

PA-DSS FAQ section

Q: What does it mean for an application to be PA-DSS compliant?

A: A PA-DSS compliant application has been reviewed to verify that it properly manages and secures credit card data. Visa supports two ways in which an application can become PA-DSS compliant. The first way is to undergo an independent third-party review by a qualified QSA (like SecurityMetrics, Inc.); after the verification reports are submitted to the appropriate agency, the software is listed on the PA-DSS site. Applications that are listed as being PA-DSS compliant are accepted as such by all acquirers. The second way is to prove to each acquirer that the software is compliant. It is up to each acquirer what steps need to be taken to prove to their satisfaction that the software is compliant, and this needs to be done for each acquirer. No acquirer is required to accept the findings of any other acquirer.

Q: I do not accept credit cards for payments; do I need to do anything?

A: If you do not accept credit cards for payments, you do not have to do anything for PCI-DSS or PA-DSS.

Q: I accept credit cards but only MasterCard; do I need to do anything?

A: If you accept only MasterCard (or any card but Visa) you do not have to do anything at this time related to PA-DSS compliance as the July 1, 2010 deadline is only for Visa. You should still check the patches site and apply any patches when they are made available.

Q: I accept credit cards for point of sale processing only; am I OK?

A: Though the patches that are being posted are only for Click2Gov and are not needed for the OnePoint payment software (to include point of sale), you still need to review the acquirer list to determine if your acquirer has accepted the Click2Gov and OnePoint applications as PA-DSS compliant.

Q: I use AMS (or Bank of America or Mercury Payment Systems) for my credit card processing; do I have to do anything?

A: Yes, though these acquirers have accepted the Click2Gov applications as PA-DSS compliant, you must still load the appropriate Click2Gov software patches before July 1, 2010.

Q: I use AMS for my eCheck processing but I use someone else for credit card processing, do I have to do anything?

A: Using someone other than AMS for credit card processing means that you need to refer to the support status of that acquirer (above) to determine if they have accepted the Click2Gov applications as PA-DSS compliant. Regardless, you should still load the software patches as soon as they are available.

Q: I just installed the patches for my Click2Gov payment applications but I will be loading a new PTF next week. Do I need to do anything else related to PA-DSS?

A: The Click2Gov patch(es) that you loaded are only for your current version of the Click2Gov payment applications. If you load any PTFs, you should check back here afterwards and load the PA-DSS patches that are appropriate to your new core and Click2Gov version.