Eighteen months ago, Visa notified credit card processors that the Panasonic System Manager Pro (SMP) software was vulnerable. Most major quick service restaurant brands are represented in the 200+ vulnerable sites still processing credit transactions with this software.
Instead of forcing the vulnerable sites off the software, many of the processors have instituted PCI non-compliance fees. Eighteen months later, credit card processors continue to process transactions from these vulnerable sites.
“VNPs and agents must decertify all vulnerable payment applications.” When Diana Greenhaw, Global Payment System Risk at Visa was asked about this mandate, she stated that it "requires acquirers to discontinue boarding new merchants using known vulnerable applications and develop plans for transitioning existing merchants to different applications." Eighteen months later, Visa continues to allow transactions from these vulnerable sites.
Merchant Link has sent many notifications to both the processors and sites. They have conducted multiple webinars and conference calls to educate the affected Panasonic SMP sites. Despite these efforts, their position is as follows: “Ultimately it is the banks’ responsibility to ensure that vulnerable applications are not supported on their systems” according to Dan Lane, Merchant Link’s President, “and we will work with them to support those efforts.” Eighteen months later, Merchant Link continues to process transactions from these vulnerable sites.
Elavon ended support for protobase with SMP several years ago, but there are still 100+ sites using this software albeit without support.
The PCI Council states that they only create the rules and do not enforce them.
Quick service restaurant brands are equally guilty of not forcing their franchisees to stop using the SMP software. One of the top five QSR brands represents over half of the vulnerable sites. Even though the parent company was notified, eighteen months later, they continue to allow transactions from these vulnerable sites.
Who will enforce the credit card rules? No One!
The ultimate responsibility for remaining PCI compliant lies with the Merchant.
So what happens if these sites continue to process with vulnerable applications? Nothing ... until they are breached.
1. They will pay large fines
2. Their restaurant brand reputation will suffer
3. They may lose their franchise
4. They may lose their ability to accept credit cards
Get PCI compliant now by installing SMPLink™.
SMPLink™ is credit card interface software developed specifically for Panasonic System Manager Pro (SMP) users that integrates seamlessly with Merchant Link's TransactionVault® - a system that stores sensitive cardholder data in a secure vault - not on your back office computer.
SMPLink™ has over 750 sites installed and processes over 3 Million PCI compliant credit transactions per month. SMPLink™ has processed over 65 million transactions to date.
SMPLink™ is the ONLY PA-DSS compliant credit interface for the Panasonic System Manager Pro (SMP) pos system.