New SPMs for MAS 90-200
ERP February 25th, 2010
Sage has published new Supported Platform Matrices for MAS 90 and MAS 200 as of February 16, 2010, showing supported hardware and operating system configurations for Version 4.4.
![[del.icio.us]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/delicious.png)
![[Digg]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/digg.png)
![[Facebook]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/facebook.png)
![[LinkedIn]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/linkedin.png)
![[Technorati]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/technorati.png)
![[Twitter]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/twitter.png)
![[Email]](http://blog.blytheco.com/wp-content/plugins/bookmarkify/email.png)
Payment Card Security
ERP, Professional Services February 24th, 2010
As published in The South Carolina CPA Report, by Blytheco consultant Don West, CPA, CISA, CISSP, PMP, CITP.
Albert Gonzalez and two others were charged in August with hacking into the computer systems of Heartland Payment Systems, 7-Eleven and Hannaford Brothers and stealing data on over 130 million credit and debit cards. Gonzalez was already in jail on charges that he had hacked TJX (T.J. Maxx, Marshals and more). That case involves 47.5 million cards. In each case the intrusions went on for months before being detected.
If an organization stores, processes or transmits payment card Primary Account Numbers (PAN) it must comply with the industry requirements for data security. Compliance doesn’t guarantee security but it helps. Not complying can result in fines, adverse publicity and loss of the ability to accept payment cards.
Compliance is difficult and expensive even for larger merchants. It can be prohibitive for smaller ones. You can greatly reduce the cost and effort by reducing your exposure, by not storing cardholder data electronically.
PCI (Payment Card Industry) Security Standards Council
The payment card industry has been working for years to increase the security of card data. At first the card associations established their own policies and standards. In 2006 Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB International formed the PCI Security Standards Council and agreed to incorporate the resulting standards and certifications into their compliance programs.
PCI Data Security Standard (DSS)
The foundation of the Councils work is the Data Security Standard. Version 1.2.1 was released in July, 2009. It is a very specific and detailed list of requirements for securing card holder data. It contains hundreds of requirements organized as follow:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
PCI Payment Application Data Security Standard (PA-DSS)
This standard started as the Visa Inc. program known as the Payment Application Best Practices. Its goal is to help software vendors and others develop secure payment applications that support compliance with the PCI DSS.
Qualified Security Assessors (QSAs), Payment Application QSAs (PA-QSAs) and Approved Scanning Vendors (ASVs)
QSAs, PA-QSAs and ASVs are companies and individuals certified by the Council to perform required services for the higher level merchants (See the table below).
Applicability
Applicability of the standards to a particular entity can be confusing. The main rule is:
“PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.”
Generally the deadlines for compliance with the DSS have passed and all merchants who meet this rule should be compliant now. Estimates of actual compliance vary.
The issuing associations direct the acquiring banks as to how they manage merchant compliance. An example is merchant levels based on card acceptance volume. The following table shows the Visa levels and validation requirements.
|
Level / Tier |
Merchant Criteria |
Validation Requirements |
|
1 |
Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region 2 |
Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) |
|
Quarterly network scan by Approved Scan Vendor (“ASV”) |
||
|
Attestation of Compliance Form |
||
|
2 |
Merchants processing 1 million to 6 million Visa transactions annually (all channels) |
Annual Self-Assessment Questionnaire (“SAQ”) |
|
Quarterly network scan by ASV |
||
|
Attestation of Compliance Form |
||
|
3 |
Merchants processing 20,000 to 1 million Visa e-commerce transactions annually |
Annual SAQ |
|
Quarterly network scan by ASV |
||
|
Attestation of Compliance Form |
||
|
4 |
Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually |
Annual SAQ recommended |
|
Quarterly network scan by ASV if applicable |
||
|
Compliance validation requirements set by acquirer |
Notice that Level 1 merchants, those with the highest volume, are required to employ QSAs and ASVs and submit reports. Level 4 merchant validation requirements on the other hand are either recommended or set by their acquiring bank.
Each card association sets its own levels and validation requirements. American Express for example only has three levels. The rule of thumb is that each merchant should consult their acquiring bank.
Requirements also vary greatly depending on how you handle cardholder data (CHD).
Self-Assessment Questionnaire (SAQ)
The Self Assessment Questionnaire referred to in the table above is actually four different questionnaires depending on how CHD is handled. The following table shows the SAQ Validation Types.
|
SAQ Validation Type |
Description |
SAQ: V1.2 |
|
1 |
Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
|
|
2 |
Imprint-only merchants with no electronic cardholder data storage |
|
|
3 |
Stand-alone terminal merchants, no electronic cardholder data storage |
|
|
4 |
Merchants with POS systems connected to the Internet, no electronic cardholder data storage |
|
|
5 |
All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. |
Type 1 merchants outsource everything and never have CHD in their systems. SAQ A has 13 questions. Types 2 and 3 either use paper only or the small terminals that are not connected to the Internet or internal systems and do not store CHD electronically. SAQ B has 26 questions. Type 4 merchants use a Point of Sale (POS) system connected to the Internet but no internal systems. They do not store CHD electronically. SAQ C has 41 questions.
Validation Type 5 merchants store CHD electronically and must answer 225 questions. Obviously the key is to not store CHD electronically.
Note: Service providers are entities that process CHD for merchants. They are outside of the scope of this article.
Onerous requirements for small merchants
The requirements of the DSS for merchants that store CHD electronically are extremely complex and expensive. Here are a few examples:
1. DSS 1.3 requires segregating the CHD network from the Internet and passing all inbound and outbound traffic through a Demilitarized Zone (DMZ). This means additional hardware, configuration and management.
2. DSS 10.5.5 requires file integrity monitoring. This means adding systems that constantly monitor critical files within the CHD system, operating system files for instance, and notify you of any changes. More hardware, software and management.
3. DSS 10.6 requires that log files for all components in the CHD system are kept for months and reviewed daily. This can be thousands of entries per day. More hardware, software and management.
his is a small sample of the requirements. As I said earlier, meeting these requirements is very difficult and expensive.
Alternatives for small merchants
Large merchants can justify implementing and maintaining compliant systems. Many smaller, Level 4, merchants can’t. The answer is to not store CHD electronically. In other words, don’t be a SAQ D merchant.
If you accept cards on line there are two basic ways to do it. I’ll use PayPal as an example. PayPal offers “PayFlow Pro” and “PayFlow Link” as ways that a web site can accept payment cards.
With PayFlow Pro, buyers enter their card data on your web site. Your system sends the card data to PayPal for processing and PayPal sends the results of the transaction back to your system. Your system stores CHD electronically and you are a SAQ D merchant.
If you use PayFlow Link, when the buyer is ready to check out he or she is sent to a PayPal web page. All card data is entered in PayPal’s system, not yours. Your system still receives transaction results but it does not store CHD electronically. You are now a SAQ A merchant.
If you are a face-to-face merchant, a retail store or restaurant for example, it can be more complicated. If your Point of Sale (POS) system does not store CHD electronically you are a SAQ C merchant. As I said above, SAQ C only has 41 questions and answering them satisfactorily is much easier than those on SAQ D. If your system stores CHD electronically, as a great number of them do, you are a SAQ D merchant.
So the question is, do you need to store CHD electronically? There are several reasons to do so. One is as a service to the buyer to make it easier to make a purchase on your web site. Amazon’s “One Click Ordering” is an example. It is automatically enabled on your account the first time you place an order and enter your information. Some people love it. It can’t work without storing your CHD electronically. Even without the one click service a lot of sites store your data just to make it easier for you to make a purchase.
If you go into a sports bar and order a drink you may be asked for a card before you are served. Some just put them in a box and hold them. (The wisdom of that and you allowing it is outside the scope of this article) Some pre-approve some amount on the card. That POS system is storing your CHD. They do it to prevent you from walking out without paying.
A very popular reason to store CHD is to handle charge backs. Frequently people will make a purchase and then claim they didn’t do it. Many merchants think they have to have the card data to prove it was a valid purchase. This is not true and even if it was the merchant would have to compare the cost of charge backs to the cost of PCI compliance. After telling a small merchant that compliance would cost him tens of thousands of dollars he said he had to have the CHD to fight charge backs. I asked him how many he had, and he said a couple per month. His average charges are under $100.
Conclusion
Payment card data security is a huge concern and will get worse before it gets better. All organizations that store, process or transmit Cardholder Data must comply with the PCI DSS. Compliance is either relatively painless or an expensive, demanding, ongoing process depending on how you accept and process cards.
Breaking News!
I mentioned earlier that Level 4 validation requirements were set by the acquiring banks. Until recently this has remained mostly a voluntary process of self assessment with no requirement to submit the forms to anyone. On August 1 BB&T notified all of its merchant account holders that they had to complete and submit the self assessment forms, including an Attestation of Compliance by the Executive Officer. First National Merchant Services and First American Payment Systems have done the same thing.
Voluntary self assessment for the smallest merchants is quickly becoming a thing of the past.
Save Time with Precise, Integrated Budgeting
ERP February 23rd, 2010
Potential car buyers may be attracted by the buffed exterior and vacuumed interior of your vehicle, but the savvy ones will kick the tires and look under the hood. Likewise, when potential investors or buyers come knocking, consider your Income (P&L) Statement the appearance of the car. Clearly important but not the whole picture.
Looking at the Cash Flow Statement is like kicking the tires. Will the tires hold up? Is your cash flow strong enough to support ongoing operations and future growth?
Even more important is looking under the hood, or at the Balance Sheet. Like a car engine to the car buyer, no other financial report gives as immediate and accurate a picture of your company’s overall health. Hence the Balance Sheet’s other name, the “Statement of Financial Position”.
The typical financial planning cycle
Despite the importance of all three financial reports, the Income Statement – the shiny exterior – gets 90% of the attention during budgeting time, due to busy schedules and inadequate tools. The Income Statement doesn’t show Accounts Receivable or Accounts Payable, so it can’t possibly tell the whole story.
In the typical scenario, after much number-crunching, the Income Statement is ready for prime-time. With only a day or so left in your budgeting cycle, the Balance Sheet is built at a 50,000-foot level – just the basics with little to no granularity of data. Precision suffers. That lack of precision flows over to the Cash Flow Statement, built of course from the Balance Sheet. The two subpar statements are manually synchronized with the more vetted Income Statement and your financial plan achieves sign-off.
Technology hurdles
Lack of time is not the only obstacle impeding accurate and thorough Balance Sheets and Cash Flow Statements. Most financial reports today are created in spreadsheets, with no easy way to capture the ebb and flow of cash, especially if using the accrual method. As a result, many companies use averages or estimates for Accounts Receivable and Payable, or ignore the Balance Sheet altogether.
Where Balance Sheets stand alone
Capital expenditures are one of many business variables that must be taken into account when conducting strategic planning. Usually, the cost of new equipment, for example, won’t appear on your Income Statement until it begins to depreciate. Until that time, the Balance Sheet is the only place you can see precisely how much capital you need when.
Many companies use the Income Statement alone for this type of analysis, adding up the amount of money they’ll lose until break even and assuming that is the amount of necessary capital. They couldn’t be more wrong. Without the Balance Sheet, they are merely guessing.
Out-of-the-box solution
Detailed, plausible and defensible financial reports are not a pipedream. The creators of Budget Maestro & Planning Maestro have been in your shoes and knew there had to be a better way, so they designed software that:
- Works right out of the box, implementing in hours and requiring little to no IT involvement
- Generates precise, integrated, synchronized, real-time Cash Flow Statements and Balance Sheets, as well as Income Statements and other financial reports.
- Builds the Balance Sheet and Cash Flow Statement off the P&L transactions so you don’t have to add data a second or third time.
- Is an affordable investment in improving your financial management and ability to make strategic business decisions.
To learn more about Budget Maestro, join us for a free webinar on Thursday, March 18, 2010, 2:00pm Eastern Time. Register here.
February eNews Preview: Useful Resources to Improve HR Management
Human Resources February 22nd, 2010
This year’s Sage Summit customer conference included presentations from top industry experts in compliance, benefits management, payroll, and HR. For those of you who couldn’t attend, here’s a recap of the highlights presented during the Sage Abra Spotlight on HR track.
Why HR is Critical in Today’s Downturn
In this session, Dorothy Knapp Hill of SHRM talked about how the economy has affected the role of HR professionals by forcing them to focus all of their attention on cutting costs. She further counseled the room about how to avoid layoffs and presented case studies of companies that were getting creative about cutting costs, avoiding layoffs, and engaging and retaining employees. Key takeaways included:
- Employees who are not laid off can suffer “layoff survivor sickness,” a term coined to reflect the negative emotions that can impact organizational performance and/or cause an exodus of workers that results in greater losses than the cuts achieved by layoffs.
- Workers are increasingly dissatisfied. 53% of employees are only staying with their present employer until the economy recovers.
- Average cost to replace an employee is 150% of the employee’s base salary, according to the Bliss-Gately “Cost to Replace Tool.”
- When we do pull out of recessions, the business environment will not be the same as before. We will emerge into full scale global competition that requires HR professionals to talk the language of business.
For additional SHRM support resources: www.shrm.com.
Windows 7 Compatiblity
ERP, Sage Software February 18th, 2010
Curious about Windows 7 compatibility with Sage products? See Sage’s Windows 7 Compatibility Announcement below.
In a nutshell:
- MAS 500 supports Windows 7 as of Version 7.2 Product Update 1.
- Compatibility with Windows 7 is being tested for MAS 90/200 Versions 4.3 and 4.4 - look for more info in March.
For more information on back versions and more, read the Windows 7 Compatibility Announcement.
Another satisfied customer…
ERP, Professional Services February 17th, 2010
Pat Porter from The Sparenburg Building in Big Spring, Texas called the Blytheco support line with a problem: how to move data from an old version of BusinessWorks from her desktop computer to a laptop with a new version of BW. She had different sets of data in both installations, and wanted all of the data on the laptop. Blytheco expert John Stoffa was able to connect to both machines remotely, copy the data to the laptop, and convert it to the current version of BusinessWorks, all in about 3.5 hours.
“John was very patient and helpful and got me moved over and running,” said Pat. “I have nearly caught up from the last quarter of 2009, so I am quite pleased.”
More Roadmaps
ERP, Sage Software February 12th, 2010
A View to the Future…MAS 90-200 Road Map
ERP February 12th, 2010
For the first time ever, Sage has published to the public its “road map” for three product lines: MAS 90-200, MAS 500, and Accpac. The road map has traditionally been Sage’s schedule for new releases and updates projected out a couple of years, and has been available only to Sage business partners.
This “Public Roadmap” for MAS 90-200 is a 17-page document with not only the release timeline, but also some juicy tidbits like product strategy info, feature highlights for each release, a sneak peek at Business Insights Intelligence (a new reporting alternative to FRx scheduled for release Q2 2010) and some details about Sage’s position in the business software market.
Watch this space for the MAS 500 and Accpac roadmaps, coming soon (I hope)!
Blytheco represents on Sage PACs
Channel News, Sage Software February 11th, 2010
We’re pleased to announce that members of our Executive Team have been invited to serve on various Sage Advisory Councils.
From Sage: “The Product Advisory Council (PAC) consists of Sage partners and is focused on product related issues, complementing the BPAC which focuses more on general business issues. The PAC’s primary role is to serve as a dedicated group of partners that support the long term success of our products through validation of product plans and designs. PAC members are a resource to product management, designers/business analysts, UCD, developers, and other groups that require product related feedback.”
Blytheco Vice President of Consulting Tim Baker will serve on the MAS 500 PAC; Executive Vice President Nicholas Hoad will serve on the MAS 90-200 PAC. Donna Baeza, Director of HR and HRMS Sales Support, serves on the Abra PAC; Phil Sim, Vice President of CRM, serves on the CRM Solutions PAC.
Read the press release here.
New guys, new roles at Sage
Channel News, Sage Software February 4th, 2010
Sage made the following announcements last night:
- Mike Wingrove appointed Senior Director of Sales in Canada
- Brent Pieterick appointed Senior Director of Channel Distribution Optimization for SBS NA
- Joe Carroll appointed Senior Director of Channel Marketing for SBS NA
- Rob Johnson promoted to Senior Director of Partner Programs and Readiness
Brent and Joe come to Sage from the Microsoft world, continuing a recent trend. Good luck to these guys!