The Gro CRM Small Business Platform is PCI Compliant and Certified for Your Security
PCI Compliant CRM Platform
Gro Software Security Assessment and Compliance
Gro Software has obtained a signed Payment Card Industry Attestation of Compliance (“AoC”). This attestation demonstrates Level 1 compliance with the Payment Card Industry Data Security Standard ("PCI-DSS"), as formulated by the Payment Card Industry Security Standards Council. Our network and servers are scanned for compliance each quarter and we renew our compliance each and every year.
PCI-DSS Compliance Requirements
Maintain a Firewall
Establishes firewall and router configuration standards that mandate testing procedures and a review of configuration rule sets every six months.
Does not use vendor-supplied defaults for system passwords and other security parameters.
Addresses password hygiene for vendor-supplied default passwords, which are publicly known and, combined with freely available scanning tools, let an attacker enumerate your networked devices and gain unauthorized entry with little effort.
Protect Cardholder Data
Protect stored cardholder data.
Defines storage, encryption, and retention of cardholder data and authentication data for required business uses. Also covers the documentation and protection of the keys used to encrypt cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Refers to the implementation of strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open, public networks (Internet and mobile). Additionally, wireless networks transmitting cardholder data or connected to the cardholder data environment must use industry best practices to implement strong encryption for authentication and transmission.
Use and regularly update anti-virus software or programs
Any system potentially affected by malware must be protected by anti-virus software that is current, actively running, and generating audit logs.
Develop and maintain secure systems and applications.
Application code must adhere to secure coding guidelines including reviewing custom application and third-party code to identify vulnerabilities.
Limit access to system components and cardholder data to only those individuals whose job requires such access.
To protect critical data from access by unauthorized personnel inside and outside of the business, systems and documented processes must exist to restrict access to cardholder data using role-based access controls (RBAC) set to "deny all" unless access to cardholder data and systems is specifically granted.
Assign a unique ID
Any user granted access to cardholder data must have a unique identification so that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. This requirement also includes provisions around using two-factor authentication via token and storage of user passwords.
Restrict physical access to cardholder data
To safeguard against physical media containing cardholder data being removed or compromised, areas that hold devices, data, systems, or hard copies of cardholder data must be restricted from general access. This applies both to electronic systems for online merchants and to paper receipts and POS systems for brick and mortar establishments.
Monitor & Test Network
Track and monitor all access to network resources and cardholder data.
Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. Logs should record specific actions and create an audit trail including, at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource. These logs should be reviewed daily and audit trails retained for at least a year.
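The "deny all unless specifically granted" access rule, the unique-ID requirement and the minimum audit-trail fields listed above fit together naturally, so here is an added example (not Gro Software's code) that ties them into one gate: a default-deny role check whose every decision, success or failure, is written as an audit record carrying the fields PCI-DSS requires, plus a checker that flags records unusable for forensics. The role table, account names and field names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed role table (assumption, not any real policy): grants are explicit
# (resource, action) pairs; anything not listed is denied by default.
ROLE_GRANTS = {
    "billing_clerk": {("cardholder_data", "read")},
    "auditor": {("audit_log", "read")},
    "dba": {("cardholder_data", "read"), ("cardholder_data", "write")},
}

# Minimum audit-trail content from the requirement text: user identification,
# type of event, date and time, success/failure, origin, and affected resource.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "result", "origin", "target")

# Constructed list of generic/shared logins that defeat traceability to a person.
SHARED_ACCOUNTS = {"", "admin", "shared", "service"}


def authorize(user_id, roles, resource, action, origin, audit_log):
    """Default-deny RBAC decision; appends one audit record per request."""
    granted = any((resource, action) in ROLE_GRANTS.get(r, set()) for r in roles)
    audit_log.append({
        "user_id": user_id,
        "event_type": f"{action}:{resource}",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "result": "success" if granted else "failure",
        "origin": origin,
        "target": resource,
    })
    return granted


def missing_fields(record):
    """Return the required audit fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def audit_findings(records):
    """List (index, reason) for records that cannot support a forensic review:
    missing required fields, or an action not traceable to a unique user."""
    findings = []
    for i, rec in enumerate(records):
        missing = missing_fields(rec)
        if missing:
            findings.append((i, "missing " + ",".join(missing)))
        elif rec["user_id"] in SHARED_ACCOUNTS:
            findings.append((i, "shared account " + repr(rec["user_id"])))
    return findings
```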
Regularly test security systems and processes.
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network or infrastructure, application upgrade or modification. After passing the initial compliance scan, merchants must pass four more consecutive quarterly scans by an Approved Scanning Vendor (ASV) as a requirement for compliance. This provision also includes the use of up-to-date network intrusion detection systems (IDS) and file integrity monitoring tools to check for and alert to system compromise or unauthorized modification of critical files.
Maintain a policy that addresses information security for all personnel.
Establish, publish, update, and disseminate a security policy that addresses compliance requirements. This policy should include an annual review process for identifying vulnerabilities and formally assessing risks. Defined usage policies for employee screening, remote access, wireless, removable electronic media, laptops, tablets, handheld devices, email and internet are also required.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive requirements developed by the major card brands to facilitate the adoption of consistent data security measures. All payment gateways renew their compliance each and every year.
All datacenters are audited and certified by various internationally-recognized compliance standards.
ISO27001, SSAE 16 and ISAE 3402 (Previously SAS 70 Type II), SOC 2 Type II, SOC 3, and PCI-DSS certified. All datacenters renew their compliance each and every year.