OpenEdge PCI Compliance

Scott
Posts: 26
Joined: Wed Jun 20, 2007 6:31 pm
Location: Enola PA

OpenEdge PCI Compliance

Post by Scott » Fri Feb 01, 2019 1:48 pm

Hi,
OpenEdge is requiring us to fill out a questionnaire and to submit to quarterly scans. We've received emails stating that this is no longer optional. If we are using OpenEdge and their POS terminals with Open Dental, which SAQ (Self Assessment Questionnaire) level would that require? From reading about each, it seems SAQ C would hopefully be the one. From a bit of research it seems we don't store any actual credit card info in our systems, but instead on OpenEdge's systems?

SAQ D looks WAY over the top.

Regards,
Scott
Good Bye Softdent!!

Scott
Posts: 26
Joined: Wed Jun 20, 2007 6:31 pm
Location: Enola PA

Re: OpenEdge PCI Compliance

Post by Scott » Thu Feb 21, 2019 4:51 pm

Following up, might be helpful,

When using OpenEdge's PCI compliance portal (which seems like a 3rd party service branded for them), we chose at the start of the questionnaire that we DID store credit card info, because we are able to use recurring billing on those customers' cards. If you store credit card info, then you are automatically filling out the 300+ question SAQ-D questionnaire. No fun... thankfully, in fact, OD is not storing any retrievable user credit card data, ever...?
...
After further research it turns out that OpenEdge uses "encrypted tokens" in the Open Dental program that link to the real user card info, which is stored on OpenEdge's servers, and is therefore their problem...? So it would then seem we should qualify for the SAQ-C questionnaire, which has far fewer questions and requirements for various reasons. That is not the case, however. We would eventually fail the SAQ-C test because the POS terminals ARE connected to the Open Dental workstation PCs.

After restarting the OpenEdge PCI questionnaire from the start, we instead chose an option, which we didn't think applied originally in an obvious way, that listed our POS terminal models instead of options that were basically "yes we store cc info" or "no we don't store cc info". Surprisingly, after choosing your POS terminal model, you are STILL put into the SAQ-D category which we've been trying to avoid at all turns. "SAKDEE from the DEEP is a SMALL BUSINESS MONSTER".

However, if you click through a bit more you will notice that even though it is now a SAQ-D designation, which had 300+ questions earlier, it now has only 8 questions!! They all pertain to whether or not you have accessible office documentation and official office policies and training info that relate to those 8 questions. A two-page office document later and we could honestly click that we were compliant according to those 8 questions. This also had the effect of getting rid of the next step in the process, which involved a remote scan of our office network. Not sure if it was a bug on their side that it didn't show up, but it was the next step in the full SAQ-D process originally, and after several logins it was no longer showing as needed to complete.

Regards,
Scott
Good Bye Softdent!!

Arna
Posts: 444
Joined: Tue Jul 09, 2013 3:16 pm

Re: OpenEdge PCI Compliance

Post by Arna » Fri Feb 22, 2019 1:49 pm

I have a bunch of these to complete.
Unlike PaySimple, we have to complete one per practice for X-Charge. Honestly, it's so low on my priority list right now that I'll probably get to it in 2021.
Entropy isn't what it used to be...

Arna Meyer
