Accepting Credit Cards in your Community

As of July 1st 2010, all merchants accepting credit and debit cards must use payment application software that has been validated as Payment Application Data Security Standards (PA-DSS) compliant.  CARDWATCH has partnered with YESpay and Tgate Payments , both of which are hosted, pre-accredited and PCI / PA-DSS approved “payment gateway” services, to ensure compliance with these standards. With YesPay, CARDWATCH POS is responsible for collecting all of the non-sensitive data needed to perform a payment transaction. The YesPay software then handles all of the sensitive cardholder data-leaving the CARDWATCH application, and our customers, free of information susceptible to data thieves.

Although our new integrated solution takes care of compliance at the POS application level, the Merchant still has many other responsibilities surrounding compliance for network security, protecting cardholder data, access control measures & information security policies. As a merchant, if you aren’t well versed in it already, get familiar with the PCI DSS. The Payment Card Industry Data Security Standard, or PCI DSS for short, is a set of requirements that all businesses, regardless of size, must adhere to in order to accept payment cards.  Their purpose is to ensure the security of cardholder data and to help prevent credit card fraud, hacking, and other security issues.  The standard is enforced by the major credit card companies that make up the Payment Card Industry Security Council-American Express, Discover, JCB, MasterCard and Visa.  PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has their own requirements for PCI compliance.  You need to know the different PCI compliance deadlines and requirements for each payment card brand.

Merchants fall under four categories of PCI DSS compliance, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. The highest volume merchants with the largest risk are “Level 1” merchants. As retirement communities, the vast majority of our customers will be classed as “Level 4 Merchants” (lower volume transactions).  Level 4 merchants will in most circumstances qualify for performing their own Self Assessment Questionaire (SAQ) while others may have to undergo an independent 3rd party audit with a qualified assessor.  Some good news…Since YesPay is pre-certified under PCI PA-DSS, this part of your audit or SAQ process becomes a simple check box and reference to YesPay.

Find instructions and a copy of the SAQ for Level 4 Merchants HERE.

At the core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:


Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

 Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security


To learn more about PCI-DSS and the requirements for merchants, visit the PCI Security Standards Council website.