Atrex PCI Compliance

While the Atrex program has NOT been PA-DSS (Payment Application Data Security Standard) certified, Millennium Software has implemented a large portion of the PA-DSS / PCI compliance requirements.  
 
 
Atrex 14, 15, 16, 17, 18, 19, 20

These versions of Atrex provide two distinct levels of PCI Compliance, depending on the payment processor being used. 

PCI Compliance security features for ALL card processing options:
 
  • CVV and magnetic stripe information is not stored to the database at any time.
  • Credit Card numbers are stored encrypted with 256-bit DES3 encryption using internally maintained encryption keys.
  • Card number database storage does not provide for decryption when viewing the database tables outside of Atrex.
  • Security is disabled by default for all installations but must be enabled to store credit card information or to use any processing module.
  • If security is enabled and then disabled, all existing credit card information is removed from the database and new card information cannot be entered.
  • If security is disabled, card information specific fields are inaccessible, and credit card verification/authorization is not available.
  • User passwords must be complex (minimum 7 characters, 1 alpha, and 1 numeric).
  • User Passwords expire after 90 days.
  • Users are locked from the system for 30 minutes after 5 failed login attempts.
  • User passwords cannot be the same as any of the previous 5 passwords.
  • Login is required after 30 minutes of application inactivity. 
  • Authority to view full card numbers is restricted by individual user access rights. 
  • Viewing of full card numbers is logged in audit trail.
  • Administrative activity (locked users, password resets, etc.) is logged in the audit trail.
  • Connection to client/server engine can be encrypted for use on wireless networks.
  • Information for expired card numbers is purged from the system as part of normal maintenance.
  • Atrex application is protected against modification by malicious software.  
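The account rules listed above (7-character complexity, last-5 password history, lockout for 30 minutes after 5 failures, 90-day expiry, 30-minute inactivity timeout) modelled in a small Python class. This is an added example, not Atrex or Millennium Software code; the salted PBKDF2 storage scheme is an assumption, since the page does not say how Atrex stores user passwords.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# Policy parameters as stated on the page (times in seconds)
MIN_LEN, HISTORY, MAX_FAILS = 7, 5, 5
PASSWORD_MAX_AGE, LOCKOUT, INACTIVITY = 90 * 86400, 30 * 60, 30 * 60

def is_complex(pw: str) -> bool:
    # At least 7 characters with one letter and one digit
    return (len(pw) >= MIN_LEN and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

def _hash(pw: str, salt: bytes) -> bytes:
    # Assumed storage scheme (salted PBKDF2); the page does not specify one
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def needs_relogin(last_activity: float, now: float) -> bool:
    # Re-authentication required after 30 minutes of inactivity
    return now - last_activity >= INACTIVITY

@dataclass
class Account:
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0

    def set_password(self, pw: str, now: float) -> str:
        if not is_complex(pw):
            return "too simple"
        # Reject a match against any of the last HISTORY passwords (current included)
        for salt, digest in self.history[:HISTORY]:
            if hmac.compare_digest(_hash(pw, salt), digest):
                return "reused"
        salt = os.urandom(16)
        self.history = [(salt, _hash(pw, salt))] + self.history[:HISTORY - 1]
        self.changed_at = now
        return "ok"

    def login(self, pw: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[0]
        if not hmac.compare_digest(_hash(pw, salt), digest):
            self.failures += 1
            if self.failures >= MAX_FAILS:  # 5th failure locks for 30 minutes
                self.locked_until, self.failures = now + LOCKOUT, 0
            return "bad password"
        self.failures = 0
        return "expired" if now - self.changed_at > PASSWORD_MAX_AGE else "ok"
```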

PCI Compliance security features for Worldpay Integrated Payments, formerly known as Vantiv or Mercury Payment Systems 

The Worldpay processing module is an Out of Scope solution where the Atrex program never handles the actual card data, which removes the need for Atrex to be PA-DSS certified.  In this scenario, card information is entered via either a web portal directly to the payment processing server or through an end-to-end encrypted device.  The end result is that a "Token" is returned to Atrex and all subsequent use of that card is performed using the token rather than the actual card number.

In addition to the security options listed above, Atrex using the Worldpay payment option provides the following additional PCI compliance features:
  • Atrex never handles the actual credit card number, resulting in an out of scope solution.
  • Tokens are specific to the merchant account and cannot be used by any account other than the one for which they were created.
  • Information for cards with expired tokens is purged from the system as part of normal maintenance.
  • Tokens for cards used on rapid sale transactions are purged from the system after 30 days as part of normal maintenance.
Atrex using a Worldpay solution is fully PCI compliant as an Out of Scope processing solution.  
 
 
Atrex 13

Atrex 13 provides the following PCI Compliance features for ALL card processing options:
  • CVV and magnetic stripe information is not stored to the database at any time.
  • Credit Card numbers are stored encrypted with 256-bit DES3 encryption using internally maintained encryption keys.
  • Card number database storage does not provide for decryption when viewing the database tables outside of Atrex.
  • Full card numbers are not viewable by end user at any time.
  • Connection to client/server engine can be encrypted for use on wireless networks.
  • Atrex application is protected against modification by malicious software.
 
Atrex 12 and Older

Version 12 and older of Atrex are not compliant with PCI standards due to plain-text storage of credit card numbers.  Use of Atrex 12 in any environment that stores or processes credit cards from within Atrex is in direct violation of the PCI standards.