Hi,
We are reviewing the "Payment Services for Microsoft Dynamics ERP" option and would like input on the PCI compliance aspect.
I have read the white papers and PCI documentation but the following info from their white paper/docs do not give me a warm fuzzy feeling about credit card data security..
Two tables for the credit card processing feature contain sensitive information. These tables use the table permissions framework (TPF) to limit access, however, we recommend additional security.
• The CreditCardProcessorsSecurity table stores access keys for payment processors. Note: PSMDE no longer requires this table in Microsoft Dynamics AX 2012.
• The CreditCardCustNumber table stores the credit card numbers that were entered through the credit card wizard.
Although the AOS and the SYSADMIN user are the only users that can access the Microsoft Dynamics AX database when it is installed, we recommend that you use the Microsoft SQL Server transparent database encryption feature to further restrict access to the two tables. Specifics about how to protect SQL Server are described in the Microsoft Dynamics AX Security Hardening Guide.
To reduce the possibility of obtaining credit card numbers on the network, all Microsoft Dynamics AX code that processes the full credit card number is run on the AOS
It seems as the onus for data security would strictly be the ours( the client). The other option for credit card payments was Red Maple where they clearly mention that no credit card details would be stored on the MS AX database.
Any feedback would be welcome