|
Support Our Troops
Never Forget
09/11/2001
Visits Since
November 2003
| |
This page displays notices regarding product updates,
scheduled releases, or problems and solutions that may affect all customers.
Latest News
 |
 | Dear Domain Point of Sale Customer:
Domain Entertainment has ceased all credit card product software sales
and support operations.
The last sale of any Domain Point of Sale products occurred on July 12,
2010 and on January 1, 2011 Domain Entertainment officially closed its
doors to any new sales of the Domain Point of Sale software.
As a courtesy to existing resellers, I have been continuing to provide
some support. However, I no longer have the time or ability to
effectively provide ongoing support of the product.
Any continued use of the software is strictly for use at the customers’
own risk. There is no warranty of any kind and there is no implication
that it will comply with any existing or future card regulations or
requirements.
I appreciate your support of the Domain Point of Sale product throughout
these many years, but the reality is that recent sales of the software
have failed to keep pace with the expenses of Visa and Mastercard
certification requirements, and these continued and ever changing
requirements continue to raise expenses beyond what is reasonable or
acceptable for small and medium sized software developers like myself. |
|
|
| PABP/PA-DSS Security Latest News
| On December 20, 2010, after requests for more information from some
merchant account providers, I sent off another e-mail to the PCI
Security Standards Council and received a response that read in part as
follows:
"...The Council does not maintain a compliance
program. The individual payment brands enforce compliance through their
individual programs. They can answer compliance-related questions about
merchant levels, fines, compliance dates, etc. The response you received
a year ago has not changed. You can request an exemption directly from
the payment brands..."
However, payment brands have begun the process of
hassling Merchant Service Providers who provide their end users with
software that has not been "certified." Certification is an
unneccessary and expensive process that is intended to move some of the
liability of credit card companies to smaller merchants and card
processing software.
Although Domain Entertainment had previously
certified Domain Point of Sale, this is a process that must be done
again and again and it only becomes more and more costly. As such,
Domain Entertainment will no longer be certifying the Domain Point of
Sale software at this time.
|
| On December 11, 2009, after several e-mails attempting to gain
clarification of PABP/PA-DSS policies and procedures, I sent the
following e-mail to the PCI Security Standards Council
"Since this PABP compliance was begun by Visa I’ve
been concerned with the fact that there are no price controls in effect
for validation as well as the problems which I’ve spelled out in my
e-mail to you regarding the fact that my software is NOT an internet
gateway, all data is stored locally and none of that data is critical
data, the software is essentially a dial-up terminal with internet
connectivity integrated by libraries provided by the clearing houses
themselves which are already PA-DSS compliant. There has never been a
breach of cardholder data from anyone using the Domain Point of Sale
software either locally or remotely because there is no critical data
stored.
There is no reason that a software based
terminal such as mine would need certification equivalent to those of
PayPal, SecurePay, or others which provide an internet front end with
global data storage – that just is not the case here. My software is
nothing more than a terminal that can operate without an internet
connection being present at all and has no remote user or automated
capabilities, everything must be done manually on the local PC."
|
| On December 12, 2009, I received the following response:
"I’ve gotten some additional information regarding
your situation. Exemptions are not for PCI to grant as we are not
involved in any form of enforcement against the PA-DSS standard. In
other words, PCI doesn’t “make” any application go through the process
of validation. If an application is part of authorization or settlement
and handles cardholder data through that process, they can elect to have
that application go through testing and be listed as a Validated Payment
Application but PCI itself does not mandate anything.
If you would like an “exemption”, you will need
to address that with whatever client that wants to buy/use your product,
as merchants are not required to purchase validated applications either
but purchasing an application on the list may reduce a merchant’s cost
for PCI DSS compliance."
|
| So what does this mean? My interpretation of what this e-mail
says is as follows:
 | Payment applications are not required to comply with PA-DSS
security standards by the PCI-SSC and therefore the PCI-SSC cannot
"exempt" an application from compliance, |
| The PCI-SSC does not enforce the PA-DSS standard nor any
requirement that applications be validated, |
| The PA-DSS validation process is elective and purchasers of the
application can "exempt" the application if they so choose, |
| Merchants are not required to purchase PA-DSS validated
applications. |
That being said, Domain Entertainment strives to ensure that the
Domain Point of Sale software meets recommended security standards and
encourages customers to follow the security
procedures outlined on this page and any that may be posted on this
website in the future.
It is also recommended that customers that are not running the most
recent version of the Domain Point of Sale software purchase an upgrade
to the latest version from our online store to insure they are using the
most secure product and are able to receive the best discount rate when
processing payments. |
|
|
|
Domain Entertainment's Domain Point of Sale software is currently PABP
/ PA-DSS (Payment Application Best Practices / Payment Application Data
Security Standard) certified until 09/30/2009 (at which time DPOS must be
recertified or the PCI SSC will recommend that the existing software not
be distributed to NEW customers).
Applications, such as DPOS, are no longer required to be listed on the
PABP / PA-DSS website as certified and Domain Entertainment, in opposition
to the new PA-DSS requirement that payment of $1,250.00 be submitted
yearly just to be listed on a website, in addition to the serveral
thousands of dollars in certification fees, will instead inform users of
the PABP / PA-DSS status of the Domain Point of Sale software here on the
Domain Entertainment website.
PABP, originally enacted by Visa, is being taken over by an entity calling
itself the Payment Card Industry Security Standards Council (PCI SSC) and
will be called PA-DSS as of October 1, 2008 at which time the PABP list of
certified applications that used to appear for no charge on the Visa
website will be removed that website and will then appear on the PCI SSC
website for those companies willing to pay out $1,250.00 to be listed on
the website.
Prior to stating Domain Entertainment's opposition to this entire scheme,
be aware that the information below will not be describing much more than
what has already been stated on the internet in several places. You can
type in "PCI SSC", "PABP", or "PA-DSS" into your favorite search engine
and find plenty of others giving the same information and more. For even
more interesting reading, do a web search for "credit card hackers" and
determine for yourself who you think PABP / PA-DSS protects.
Domain Entertainment has been opposed the PABP / PA-DSS scheme from its
inception due to its lack of cost regulation by Visa and now by PCI SSC.
Certification under the scheme must be done either Annually (or
Bi-Annually if submitting a report of no change) at a fee ranging from
several thousand to tens of thousands of dollars. Certification providors
are unregulated and may charge whatever fee they see fit and application
providers who provide solutions to small and medium sized businesses such
a Domain Entertainment are charged the same fees as huge corporate web
based auction sites, what may be considered pocket change for these huge
corporations is a significant amount of revenue for smaller companies like
Domain Entertainment.
Let me first describe what it takes to get the software from a company to
the customer and then tell you how PABP / PA-DSS fits in.
1. First, the software company must request current operating
specifications from whatever processor they wish to support (such as FDMS,
Global, Paymentech, ECHO, etc.) - this is who actually takes the credit
card information you put into the software and tells you whether the
transaction is approved or not.
2. The software company then spends many man hours writing the software to
meet those specifications prior to application testing.
3. Once the software meets the specifications, the processor (FDMS, etc.
as above) requires that the software go through application testing to
insure that the data is being sent correctly and that everything works.
The processor will not certify the application on their network until it
is working correctly and passes their application testing procedures.
4. Any time a change in the software is made which affects the data
transmission, it must go back through this software application testing,
this must be done individually for every processor that the software
supports (Domain Point of Sale supports 8 credit card processors and 5
check guarantee processors).
5. There are also card industry rules that must be followed as far as what
card information can be stored on your computer and displayed on receipts.
At this point the software can normally be sold to the customer for use,
however, a couple of years ago Visa began requiring PABP certification
which requires that companies pay thousands of dollars to a 3rd party
company to basically come and retest what has already been tested.
What does PABP / PA-DSS do for you? In my opinion, under the guise of
protecting your data and your customers, what it really does is give
credit card companies additional insulation from liability. I believe PABP
/ PA-DSS was probably created in response to the ongoing news stories of
hackers stealing and downloading millions of credit card numbers.
I also believe that most of the rules enacted by credit card companies in
the last several years have only made it more difficult for merchants to
be able to defend against chargebacks and fraudulent charges than ever
before as well as made it more difficult for software companies to keep up
with their ever increasing demands and now ever increasing fees, but you
are encouraged to research this on your own and come to your own
conclusions.
The bottom line here is that Domain Entertainment provides an affordable
PC software solution to small and home based businesses. Unlike web based
processing solutions, there is no additional monthly fee to use the Domain
Point of Sale software which can help small businesses save hundreds of
dollars each year in unnecessary fees.
The Domain Point of Sale product has never been on the list of
applications that store sensitive cardholder data nor has it ever been
considered a high risk application. That's because it stores all
transaction information on your local PC, not at a source on the internet,
and that transaction information is stripped of all but minor, allowable
identifying information (such as the last few digits of a card number),
transactions are sent via phone line or via the internet using secure
software communication libraries written by the internet processor
themself, not by Domain Entertainment. |
|
|
| Ongoing changes in the credit card industry are requiring that
merchants themselves become more and more involved in securing the
cardholder data that they handle. In our continuing efforts to
make these ongoing transitions as painless as possible, Domain
Entertainment has released version v2.20 to assist with these changes.
Additionally, the following information is being provided to assist our
customers complying with current card industry PCI security requirements
- please implement these changes to your system as necessary, and keep
in mind that these are *minimum* requirements, so you may wish to expand
on them (note that these changes pertain to the Windows XP OS and may
vary slightly depending on your version of Windows):
| In the Control Panel->Security Center, the Windows Firewall Should
be ENABLED or a suitable alternative firewall should be used. |
| In the Control Panel->User Accounts, any Guest Accounts should be
turned OFF and any Administrator accounts should be protected
with secure passwords. |
| File Sharing (or Simple File Sharing) should be DISABLED. |
| In the Windows Control Panel->Performance and
Maintenance->Administrative Tools->Local Security Settings->Local
Policy->Audit Policy, auditing for all items shown here should be
ENABLED and turned on. |
| In the Windows Control Panel->Performance and
Maintenance->Administrative Tools->Local Security Settings->Account
Policy->Password Policy:
| Enforce password history should be set to 4
passwords remembered |
| Maximum password age should be set to 90 days |
| Minimum password length should be set to 7 characters |
| Password must meet complexity requirements should be set
to Enabled |
| Store password using reversible encryption should
be set to Enabled
|
|
| In the Windows Control Panel->Performance and
Maintenance->Administrative Tools->Local Security Settings-> Account
Policy->Account Lockout Policy:
| Account lockout duration should be set to 30 minutes |
| Account lockout threshold should be set to 6 invalid
logins |
| Reset account lockout counter after should be set
to 30 minutes
|
|
|
| Additionally, should this product be used in a wireless lan (WLAN)
environment, you must verify that:
| Appropriate encryption methodologies are in use for any wireless
transmissions, such as: VPN SSL/TLS at 128 bit, WEP (Wired Equivalency
Protocol) at 128 bits, and/or WPA.
|
| If WEP is used and the key rotation process is manual, verify
processes are in place to rotate shared WEP keys at least quarterly
and whenever key personnel leave.
|
| If WEP is used, verify that another methodology is in use, in
addition to WEP, to protect the data.
|
| For automated key rotation processes, verify that keys change
every 10-30 minutes.
|
|
|
Failure to
implement these requirements in their entirety may put your system and
your data at risk.
|
|
| Adding support for two new processing solutions (FDMS Nashville
[Terminal Based] and Global Payments East) both supporting dial-up and
TCP/IP (via Datawire) transaction processing capabilities, along with
various program enhancements, version 2.11 of Domain Point of Sale has
been released ahead of schedule.
Most existing owners of Domain Point of Sale v2.10 (those which
purchased their software on or after September 1, 2004) will be eligible
for a free upgrade to this new version which can be downloaded by
clicking here.
Owners of prior versions of the software will be able to purchase a
software upgrade through the online store.
Please be aware that all software and software upgrade purchases are
FINAL and there will be no refunds. Also be aware that once a new
version has been released, older versions are no longer available for
download or purchase due to the ever changing requirements of the credit
card industry, so DO NOT try to install an upgrade which you are not
eligible for or have not purchased! |
|
|
|
| Domain Entertainment™ is proud to
announce that Version 2.10 of Domain Point of Sale™ is the first PC
based software to allow processing through the internet for FDMS Omaha
via Datawire. In addition, this new version also allows processing
via the internet for the Paymentech and Nova host systems. |
|
This means that if you currently use one of these systems for
processing, that you can upgrade to v2.10 of Domain Point of Sale™ and
process transactions through the internet using your DSL, Cable, ISDN,
or other internet connection*. Previously only available to those customers processing through Nova, it
is now be available to those processing on the Paymentech and First
Data Omaha systems. Future support for IPN processing is also planned for
the Global Payments East and ECHO systems.
This also means that if you are currently processing through a
virtual terminal and pay a monthly gateway fee that you can switch to
the Domain Point of Sale™ software and stop paying monthly gateway
fees!**
This release is the first release of Domain Point of Sale™
shipped exclusively on CD and upgrades are available through the online store.
Like all upgrades of Domain Point of Sale™ the
upgrade price includes download access to any upgrades released within
approximately one year of activation.
*Note: For processing through your internet
connection, you must also contact your merchant services to have them
setup your username/password for Paymentech, or to setup your Datawire
ID for FDMS Omaha. No additional setup is currently required for
Nova. **Note: Domain Point of Sale™
can take the place of a virtual terminal for keyed and swiped processing; if
you currently use a gateway for automated processing of your web based store
you will need to continue using it for that purpose. If you are not
currently using Domain Point of Sale™
you may contact your merchant services to purchase a copy. |
|
| Effective immediately First Data is phasing out their 950 dial up
numbers and will shut them down completely by the end of December 2004.
You can get to the dialup numbers in the Domain Point of Sale™
by going to Configuration->Modem in the program. Change any
950 numbers as follows (all other numbers should be left as they are):
Any phone number of 9501324 should be changed to 18663048515.
Any phone number of 9501809 should be changed to 18008747680.
Future versions of Domain Point of Sale™ will
have the new numbers installed by default.
|
|
|
|
|
|
| This new demonstration version allows potential
customers to perform a live system check to get their modems functional
and/or test for compatibility prior to purchase; it also displays the
most recent features of Domain Point of Sale™. |
|
|
|
| Paymentech has announced their self-owned dial-up
network for transaction processing which will result in new phone
numbers for processing. Those customers processing through the
Paymentech network should change their primary phone number (phone
number 1) to 18775295686 and their secondary phone number (phone
number 2) to 18002269864. This change only applies to
versions of Domain Point of Sale™ released prior to January
2003; subsequent versions have the new phone
numbers stored as the default in the software. |
|
|
|
| As of the May 10, 2002 version of Domain Point of
Sale™ the software now supports processing over the internet, including
cable and dsl modems, through the NOVA host system. This release
supports processing on the FDMS Nashville (Envoy, EHC Host Based) system as
well as adds CVV2 and VOID functionality to several previously supported systems. |
|
|
|
| Domain Entertainment™ no
longer produces the privately labeled Merchant Master version of it's
Domain Point of Sale™ software product. The final batch of
Merchant Master labeled software shipped by Domain Entertainment™
was sent out on July 26, 2001 and consisted of the April, 10 2001
(1.00B041001) release of the software, no future Merchant Master labeled
software will be made available. Current owners of the Domain
Entertainment™ Merchant Master labeled software may upgrade
directly to our functionally equivalent Domain Point of Sale™
product. Owners of Merchant Master can purchase an upgrade to the
current release of Domain Point of Sale™ by visiting the
online store (a
current valid serial number and merchant number is required for the
purchase).
Note: Current owners of the Merchant Master software
should purchase an upgrade to the Domain Point of Sale™
product in order to insure that they meet all current Visa, MasterCard,
and other processing rules as well as to insure that they are capable of
getting the best processing rates by being able to submit all necessary
data for each transaction. |
|
|
|
