PA‐DSS Implementation Guide

Profitek ‐ RMW Restaurant Management System Version 10.

Version  Date               Description     Approved By
1.0      December 17, 2009  Initial Policy  01

PADSS Implementation Guide Ver. 1.0 12/17/09 FSB Page 2

Table of Contents

1 Scope and Applicability
    Compliance
    Intent of the PA-DSS
    1.2 Scope of this Guide
2 Network and Software Components
    2.1 A Word about PCI DSS Scope
    2.2 Network Security
    2.3 Wireless Networks
    2.4 Remote Access
    2.5 Non-Console Administrative Access
3 PREVIOUS SOFTWARE VERSIONS AND HISTORICAL DATA
    3.1 Historical Data Removal
    3.2 Profitek Cryptographic Key Generation
4 DATA PROTECTION AND ENCRYPTION
    4.1 Data Retention Settings
    4.2 Data Encryption in Storage
    4.3 Profitek Cryptographic Key Generation
    4.4 Data Encryption in Transmission
    4.5 Windows Restore Points
5 USER MANAGEMENT
    5.1 Unique User Accounts
    5.2 Strong Passwords
    5.3 Cashier Users
    5.4 Access Control
6 EVENT LOGS AND AUDITING
    6.1 Logging Configuration
7 SOFTWARE UPDATES
    7.1 Application Updates
8 ANTI-VIRUS SOFTWARE
9 TROUBLESHOOTING AND SERVICE

1 Scope and Applicability

Compliance

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That is why the PCI Data Security Standard was instituted. The program is intended to protect cardholder data, wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard. The Payment Application Data Security Standard (PA-DSS) is applicable to payment applications. This guide is an essential element of InfoSpec Systems' PA-DSS compliance efforts.

Intent of the PA-DSS

The PA-DSS applies to payment applications such as Profitek Version 10, as used by the merchant. The PA-DSS does not confer compliance with the PCI DSS upon the merchant. Rather, it facilitates, and does not preclude, compliance with the PCI DSS. Thus a merchant who uses a PA-DSS compliant application, and does so in accordance with the instructions and guidance provided in this document, has an assurance that the application will aid in meeting the merchant's PCI DSS compliance obligations and will not prevent the merchant from complying with the PCI DSS. The merchant will, however, have additional obligations beyond the scope of this document and outside the responsibility of InfoSpec Systems.

1.2 Scope of this Guide

This document is intended for the following audiences:
• Profitek Installers/Programmers
• Profitek Dealers
• Profitek Customer Service
• Profitek Training Personnel
• MIS Personnel
• Profitek Users

This document assumes that the user has the following knowledge or expertise:
• Operational understanding of PCs
• Understanding of basic network concepts
• Familiarity with Profitek software
• Familiarity with operating Profitek peripheral devices

2 Network and Software Components

While InfoSpec Systems strives to provide its customers and partners with software that protects against security weaknesses, the security of the platforms and networks on which Profitek resides is essential to the overall security of the organization and its information. As such, consider the security and layout of the systems and networks before installing Profitek.

2.1 A Word about PCI DSS Scope

The rule for determining the scope of a merchant's PCI DSS compliance is this: scope includes any system that stores, processes, or transmits cardholder data AND any system logically connected to those systems that is not separated from them by a firewall. Thus, if a merchant's network contains a payment application and a back-office PC on the same local network, both systems are in scope. Only if the payment application resides on its own network segment, separated by firewall rules that preclude access in either direction to the back-office PC, is that second PC removed from scope.

2.2 Network Security

First and foremost, placing the components of Profitek into an appropriately protected network will both reduce the risk of exposure or misuse and meet several essential compliance requirements. A typical proper network implementation will have the Profitek system reside behind a firewall in an internal network segment that allows only the necessary network traffic both in and out. Network configurations may vary depending on need and circumstance; the original guide illustrates this architecture with an example network diagram at this point (the diagram is not reproduced in this text).

Only ports being used to accept incoming connections are opened on the router, and in most cases such port-forwarding settings only allow incoming connections to a single workstation that is not the data server. Commonly used ports are 5631 and 5632 for PC Anywhere, 2688 for the Profitek Gift Card Server (when applicable), and the SQL Server port (see the table below). For customers with multiple stores, real-time connections over the Internet are required for inventory enquiry and POS transactions. There are two main connection configurations, namely Remote Desktop Connection (RDP), based on Microsoft's Terminal Services technology, and SQL database access over TCP/IP. Connection security is implemented using VPN connections with two-factor authentication. The traffic necessary for the normal function of Profitek is listed in the table below:

Description                 Destination IP/URL                                                                      Ports
Moneris                     ipgate.moneris.com                                                                      443
Paymentech                  netconnectvar1.Paymentech.net/NetConnect/controller                                     443
Global Payments Canada      mcc.globalpaycan.com                                                                    443
Heartland Payments System   https://posgateway.secureexchange.net/Hps.Exchange.PosGateway/PosGatewayService.asmx    N/A
PC Charge                   various                                                                                 N/A
PC Anywhere                 216.13.248.185                                                                          5631/5632
Profitek Gift Card Server   Site specific                                                                           2688
SQL Server                  Site specific                                                                           5560
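The table above is only useful if the router and firewall actually enforce it, and the quickest way to find out is to run connection records through it. The Python script below is an added example written for this edition; it is not code from the Profitek guide or from InfoSpec Systems. It encodes the table as a policy and reports outbound connections to destinations not on the list, PC Anywhere sessions from anything other than the listed support address or forwarded to a host other than the designated support workstation, SQL Server connections that did not arrive over the VPN the guide requires for multi-store access, and any other inbound port. The record format, the internal addresses (192.168.1.x), the VPN range (10.8.0.0/24) and the sample records are constructed for the example; Heartland's port is assumed to be 443 because its gateway URL is https.

```python
"""Check firewall connection records against the Profitek traffic allow-list.
Added example, not code from the Profitek guide or InfoSpec Systems.  The
destinations and ports come from the table in section 2.2; the record format,
internal addresses, VPN range and sample records are constructed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Outbound destinations from the section 2.2 table (host -> allowed ports).
# Heartland's port is "N/A" in the guide; 443 is assumed because the URL is
# https.  PC Charge ("various") cannot be a fixed rule, so it is left out
# and its traffic will be reported for manual review.
OUTBOUND_ALLOW = {
    "ipgate.moneris.com": {443},
    "netconnectvar1.paymentech.net": {443},
    "mcc.globalpaycan.com": {443},
    "posgateway.secureexchange.net": {443},
}

# Inbound services the router may forward, also from the table.
PCANYWHERE_PORTS = {5631, 5632}
PCANYWHERE_SOURCE = "216.13.248.185"   # support address listed in the table
GIFT_CARD_PORT = 2688
SQL_SERVER_PORT = 5560

# Site-specific values, hypothetical for this example.  The guide requires
# PC Anywhere to land on a workstation that is not the data server, and
# cross-store SQL access to travel over VPN with two-factor authentication.
SUPPORT_WORKSTATION = "192.168.1.20"
VPN_PEERS = ipaddress.ip_network("10.8.0.0/24")

# One record per line: "<date> <time> IN|OUT <src>:<sport> -> <dst>:<dport>"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<src>\S+):(?P<sport>\d+)"
    r" -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def _in_vpn(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in VPN_PEERS
    except ValueError:                 # a host name rather than an address
        return False


def check_record(line: str) -> Optional[str]:
    """Return the reason a record violates the policy, or None if it is allowed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return "unparseable record"
    direction, src, dst, dport = m["dir"], m["src"], m["dst"], int(m["dport"])

    if direction == "OUT":
        allowed = OUTBOUND_ALLOW.get(dst.lower())
        if allowed is None:
            return f"outbound to unlisted destination {dst}"
        if dport not in allowed:
            return f"outbound to {dst} on unexpected port {dport}"
        return None

    # Inbound: only the forwarded services, each with its own constraint.
    if dport in PCANYWHERE_PORTS:
        if src != PCANYWHERE_SOURCE:
            return f"PC Anywhere connection from unknown source {src}"
        if dst != SUPPORT_WORKSTATION:
            return f"PC Anywhere forwarded to {dst} rather than the support workstation"
        return None
    if dport == SQL_SERVER_PORT:
        return None if _in_vpn(src) else f"SQL Server reached from outside the VPN by {src}"
    if dport == GIFT_CARD_PORT:
        return None
    return f"inbound to port {dport} is not in the allow-list"


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """(record, reason) for every record that breaks the policy."""
    findings = []
    for line in lines:
        reason = check_record(line)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample records; not real traffic.
SAMPLE_LOG = [
    "2009-12-17 10:01:22 OUT 192.168.1.20:49152 -> ipgate.moneris.com:443",
    "2009-12-17 10:02:03 OUT 192.168.1.20:49153 -> mcc.globalpaycan.com:8080",
    "2009-12-17 10:03:11 OUT 192.168.1.10:49154 -> updates.example.net:80",
    "2009-12-17 10:04:45 IN 216.13.248.185:1045 -> 192.168.1.20:5631",
    "2009-12-17 10:05:09 IN 203.0.113.7:40000 -> 192.168.1.20:5631",
    "2009-12-17 10:05:30 IN 216.13.248.185:1046 -> 192.168.1.10:5632",
    "2009-12-17 10:06:00 IN 10.8.0.5:51000 -> 192.168.1.10:5560",
    "2009-12-17 10:06:40 IN 198.51.100.9:51001 -> 192.168.1.10:5560",
    "2009-12-17 10:07:12 IN 198.51.100.9:51002 -> 192.168.1.10:3389",
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION: {reason}\n    {record}")
```

Run against the sample, six of the nine records are reported; the three that pass are the Moneris call on 443, the PC Anywhere session from the listed support address to the support workstation, and the SQL connection from a VPN peer. The policy is deliberately deny-by-default on the inbound side: a port the table does not mention is a finding even if the router happens to forward it, which is the check a QSA will make against the same table.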

2.3 Wireless Networks

Wireless networks present significant security and compliance challenges, and organizations looking to implement wireless networks in conjunction with payment applications should consider the security ramifications carefully. A wireless network extends an organization's perimeter, potentially beyond its physical boundaries, and is more difficult to audit for improper use. When implementing wireless networks, make sure to implement the following security controls:

• Separate any wireless access points from systems that store cardholder data by a firewall that permits only the minimum necessary traffic to and from the wireless network.

• Enable network protection using WPA or WPA2 (Note: WEP is not considered sufficient encryption for compliance or security purposes).

• Change default settings on wireless access points, including:
  o Passwords
  o Encryption keys
  o SNMP community strings
  o Other default values as appropriate

• Change wireless encryption keys whenever anyone with knowledge of the keys leaves the business.

2.4 Remote Access

Remote access to systems and networks allows for remote support, updates, and troubleshooting. It also presents significant security risks to the systems and data located on the network in question. Thus, the security of remote access mechanisms is a paramount consideration. To limit the use of remote access mechanisms to only authorized users, the Profitek application may be configured in a number of ways. In order to ensure the application is installed in a PCI compliant manner, ensure that:

• System firewalls are set up to restrict remote access to the application to known source IP/MAC addresses and protocols.

• The authorized end user launches PC Anywhere "call remote" on one of their computers, with that computer's IP address forwarded to the PC Anywhere ports in the router. Except for a customer with a single computer, the PC Anywhere connection is implemented on a computer that does not act as the data server.

  o PC Anywhere 12.1 or later, with symmetric or public key encryption in use; logging enabled for Host Started, Host End, Host Abnormal, Restricted IP, Host Port Scan, and Encryption Failure; and account lockout enabled.

• Each user of the application is provided unique credentials.

• Default settings in any remote access application are modified (such as default usernames/passwords).

• Strong authentication or complex passwords are enforced for login credentials (according to Section 5.2 of this guide).

• Profitek support staff disable the PC Anywhere connection after the support session is over.

Logging functions must be enabled for security purposes. Disabling logs should not be done and will result in non-compliance with PCI DSS. Access to customer passwords must always be restricted to authorized Profitek/reseller/integrator personnel.

2.5 Non-Console Administrative Access

For any administrative access to the application or its components, including the operating system, database, etc., that does not occur at the system console, Profitek requires the use of strong encryption. All non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS, and two-factor authentication must be applied to the log-in. Telnet or rlogin must never be used for administration. A strong password log-in to the application is factor 1 and a certificate is factor 2.

Example - Enable encryption for a specific client

For the client to request SSL encryption, the client computer must trust the server certificate, and the certificate must already exist on the server. Use the MMC Certificates snap-in to export the Trusted Root Certification Authority used by the server certificate:

1. To export the server certificate's Trusted Root Certification Authority (CA), follow these steps:
   a. Open MMC, and then locate your certificate in the Personal folder.
   b. Right-click the certificate name, and then click Open.
   c. Review the Certification Path tab. Note the topmost item.
   d. Navigate to the Trusted Root Certification Authorities folder, and then locate the Certificate Authority noted in step c.
   e. Right-click the CA, point to All Tasks, and then click Export.
   f. Select all the defaults, and then save the exported file to a location on disk where the client computer can access the file.

2. Follow these steps to import the certificate on the client computer:
   a. On the client computer, open the MMC Certificates snap-in and browse to the Trusted Root Certification Authorities folder.
   b. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
   c. Browse to and select the certificate (.cer file) that you exported in step 1. Select the defaults to complete the remaining part of the wizard.
   d. Open the SQL Server Client Network Utility.
   e. Click to select the Force Protocol encryption option. Your client is now ready to use SSL encryption.

With Force Protocol encryption set on the client, the client refuses to connect to a server that cannot encrypt the session rather than silently falling back to cleartext, which is the behaviour you want for administrative connections.

3 PREVIOUS SOFTWARE VERSIONS AND HISTORICAL DATA

3.1 Historical Data Removal

Historical data (magnetic stripe data, card validation codes, PINs, or PIN blocks) stored by previous versions of Profitek software must be securely removed as a necessary component of PCI compliance.

1. Back up the Profitek data to the folder D:\PCI Profitek.
2. Install the updated Profitek 10 software in a folder named D:\Profitek 10.
3. Restore the database files to the new Profitek 10 folder.
4. Any data transferred from the old database to the new database is now encrypted.
5. Delete all historical sensitive information residing on the server in the old folder and the backup folder, and wherever else it resides, including old backup tapes, logs, copies of the database, journals, saved credit card batches, etc., by using an industry standard removal utility such as Eraser.

Profitek cardholder data (CHD) is located in the SQL database file RM0000History, table RMCCACreditRequest. A CCA log is saved in an encrypted text file under a subfolder in D:\Profitek\Bin.

Any cryptographic material, such as cryptographic keys used for computation or verification of cardholder data or sensitive authentication data stored by previous versions of the software, must also be securely removed as a necessary component of PCI compliance.

3.2 Profitek Cryptographic Key Generation When a key generation is completed, re-encryption of the data will automatically take place on restart of the POS workstations. No further action is required. It is strongly advised that a daily close be performed before this action is taken because any unsettled transactions will not be available after the re-encryption takes place.

4 DATA PROTECTION AND ENCRYPTION

4.1 Data Retention Settings

Cardholder data exceeding the merchant-defined retention period must be purged. Credit card batch purging is available. To configure credit card batch purging, navigate to the CCA tab of the System Integration section in Housekeeping and enter the number of days to save credit card batch files. 90 days is the recommended default.

4.2 Data Encryption in Storage

Profitek uses credit card masking and 128-bit Rijndael (AES) encryption to ensure credit card data is stored in a manner compliant with the PCI Data Security Standard. As a PCI compliant measure to protect stored data, production Profitek systems should never reside directly on the Internet, and a firewall should always be placed between the Profitek system and Internet/corporate network gateways. Profitek does not allow unmasked credit card information to be printed on guest checks, displayed on the workstation, or written to customer receipts and journals, in order to comply with Requirement 3 of the PCI Data Security Standard. Only the last four digits of the Primary Account Number (PAN) are displayed. In addition, the following should be noted:

End users should not store any cardholder data (custom reports, spreadsheets, etc.) outside of Profitek on Internet-accessible systems.
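The masking rule in 4.2 (only the last four PAN digits may ever appear) and the clean-up in 3.1 (old logs, journals and batch files must be found and removed) both come down to one practical question: is there an unmasked PAN anywhere in this text? The script below is an added example for this edition, not Profitek's own code. It implements the last-four mask and a scanner that finds unmasked PANs in receipt, journal or log text by taking 13-19 digit runs (with the spaces or dashes receipt printers insert) and keeping only those that pass the Luhn check, which every real PAN does and most order and reference numbers do not. The journal lines are constructed and use the published industry test numbers (4111..., 5500..., 3782...), not real accounts.

```python
"""Find and mask unmasked primary account numbers (PANs) in printed or logged text.
Added example, not code from the Profitek guide or InfoSpec Systems.  It
implements the section 4.2 rule (show only the last four digits) and a scanner
for section 3.1 clean-up that checks receipts, journals and legacy logs for
PANs that escaped masking.  Sample lines are constructed with test card numbers.
"""
import re
from typing import List, Tuple

# A run of 13 to 19 digits, optionally separated by single spaces or dashes
# as receipt printers emit them, and not embedded in a longer digit run.
_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every PAN passes it, about nine in ten other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with '*', as section 4.2 requires."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def _is_pan(candidate: str) -> bool:
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in text, exactly as it appears there."""
    return [m.group() for m in _CANDIDATE_RE.finditer(text) if _is_pan(m.group())]


def redact(text: str) -> str:
    """Return text with every PAN masked; non-PAN digit runs are left untouched."""
    return _CANDIDATE_RE.sub(
        lambda m: mask_pan(m.group()) if _is_pan(m.group()) else m.group(), text)


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line index, PANs) for every line that exposes an unmasked PAN."""
    hits = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            hits.append((i, pans))
    return hits


# Constructed journal lines.  Line 0 is correctly masked; line 3 carries a
# 16-digit reference number that fails the Luhn check and must not be flagged.
SAMPLE_LINES = [
    "2009-12-17 12:01:05 SALE  VISA ************1111  AUTH 031245  $42.10",
    "2009-12-17 12:03:44 SALE  VISA 4111111111111111  AUTH 031246  $18.75",
    "2009-12-17 12:04:10 VOID  MC   5500000000000004  AUTH 031246  $18.75",
    "2009-12-17 12:05:00 REF 1234567890123456 BATCH CLOSED",
    "2009-12-17 12:06:31 SALE  AMEX 3782 822463 10005  AUTH 031247  $99.00",
]

if __name__ == "__main__":
    for index, pans in scan(SAMPLE_LINES):
        print(f"line {index}: unmasked PAN(s) {pans}")
        print("  redacted:", redact(SAMPLE_LINES[index]))
```

Because the Luhn check lets roughly one random digit run in ten through, treat hits as candidates for review rather than proof; the value of the scanner is that a clean result over old journals, CCA logs and saved batches is strong evidence that the 3.1 removal was complete, and that a hit on a live receipt means the masking in 4.2 is not being applied somewhere.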

4.3 Profitek Cryptographic Key Generation

This ability is only allowed at the Administrator user level. If the user feels that their system could have been compromised, a button to generate a new system-wide encryption key is provided. When the new keys are generated the old keys are permanently removed; therefore, it is strongly advised that a daily close be performed before this action is taken, because any unsettled transactions will not be available after the re-encryption takes place. The system will ask you to close all POS workstations. When generation is complete, re-encryption of the data will automatically take place on restart of the POS workstations.

4.4 Data Encryption in Transmission

Profitek uses 128-bit encryption to ensure credit card data is transmitted across public networks in a manner compliant with the PCI Data Security Standard. When transmitting cardholder data over the Internet, always use SSL/TLS, and when transmitting wirelessly, always use the highest level of encryption available. Modems should not reside in application servers unless absolutely necessary. If a modem is installed, it should be kept powered off or disabled except when needed. For added security, the modem should be configured to use automatic call-back and data encryption. Firewalls will not protect against attacks via the modem.

All non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS (Transport Layer Security) for web-based management and other non-console administrative access. Telnet or rlogin must never be used for administration. Because of the PCI Data Security Standard, InfoSpec Systems requires each site to use secure encrypted transmission technology (for example, IPSEC, VPN, or SSL/TLS) when sending cardholder information over public networks, including when using wireless connections or e-mail, and when using services such as Telnet, FTP, etc. When sending credit card numbers via e-mail, end users and resellers must use an e-mail encryption solution.

4.5 Windows Restore Points

Windows provides the ability to create system restore points. Unfortunately, this can cause remnants of memory to be permanently written to the hard drive. Credit card transactions will sometimes write items to the volatile memory of the system, and the system will in turn write these items to disk in the file(s) containing the restore point information. Therefore, for any Windows XP system on which the Profitek application will run to be compliant with PA-DSS 1.2, it is mandatory that restore points be disabled.

5 USER MANAGEMENT

5.1 Unique User Accounts

All parties must establish unique IDs for each person with computer access. No two Profitek users should have the same ID, so that each person's activities can be traced, provided the client site maintains proper configuration and adheres to privilege-level restrictions based on a need-to-know basis. While InfoSpec Systems Inc. makes every possible effort to conform to Requirement 8 of the PCI Data Security Standard, certain parameters, including proper user authentication, remote network access, and password management for non-end users and administrators for all system components, depend on site-specific protocols and practices. To ensure strict access control of the Profitek application, always assign unique usernames and complex passwords to each account. Do not use default administrative accounts for application logins. Assign secure authentication per Section 5.2 to default accounts (even if not used), and do not use these accounts after system set-up. InfoSpec Systems Inc. mandates applying these guidelines not only to Profitek passwords but to Windows® passwords as well. Furthermore, InfoSpec Systems, Inc. advises users to control access, via unique usernames and PCI-compliant complex passwords, to any PCs, servers, and databases with payment applications and cardholder data.

5.2 Strong Passwords

For PCI compliance, the following password management for System and Administration users is required (per PCI Data Security Standard requirements 8.5.9 through 8.5.15):

• Change user passwords at least every 90 days.
• Require a minimum password length of at least seven characters.
• Use passwords containing both numeric and alphabetic characters.
• Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
• Limit repeated access attempts by locking out the user ID after not more than six attempts.
• Set the lockout duration to thirty minutes or until an administrator enables the user ID.
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

In addition, the following should be noted: it is recommended that the reseller/end user take care to ensure strong passwords are assigned to other applications and systems whenever possible.

5.3 Cashier Users

Cashier users have no access to systems or administrative functions and as such may be exempt from the Strong Password management criteria in Section 5.2.

5.4 Access Control

Local access for Profitek Back Office and Administrative users should follow password management as follows:

• Change user passwords at least every 90 days.
• Require a minimum password length of at least seven characters.
• Use passwords containing both numeric and alphabetic characters.
• Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

Logging functions must be enabled for security purposes. Disabling logs should not be done and will result in non-compliance with PCI DSS. Access to end user passwords must always be restricted to authorized Profitek/reseller/integrator personnel.

6 EVENT LOGS AND AUDITING

6.1 Logging Configuration

Record at least the following audit trail entries for all system components for each event:

• User identification.
• Type of event.
• Date and time.
• Success or failure indication.
• Origination of event.
• Identity or name of affected data, system component, or resource.

Profitek provides an audit trail utility that allows privileged users to track Profitek-specific activities. Logging is set up under Housekeeping/Security Setting.

An automated audit trail must be implemented for all system components to reconstruct the following events:

• All actions taken by any individual with root or administrative privileges.
• Access to all audit trails.
• Invalid logical access attempts.
• Use of identification and authentication mechanisms.
• Initialization of the audit logs.
• Creation and deletion of system-level objects.
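Sections 5.2 and 5.4 state the password rules and this section states what every audit record must carry; the module below, an added example for this edition and not code from the Profitek guide or InfoSpec Systems, shows the two fitting together in an application's login path. It enforces complexity and 90-day ageing, a four-password history, lockout after six failures for thirty minutes or until an administrator unlocks the ID, and the 15-minute idle timeout, and it writes a record with all six required fields (user, event type, date and time, success or failure, origin, affected resource) for every one of those events, including the administrative ones. Salted PBKDF2 password hashing, the injected clock, and the user names and origins used in the demonstration are the example's own assumptions.

```python
"""Password management, lockout and audit records for back-office logins.
Added example, not code from the Profitek guide or InfoSpec Systems.  It
enforces sections 5.2/5.4 (PCI DSS 8.5.9 to 8.5.15) and records each event
with the six audit-trail fields of section 6.1.  The clock is passed in so
the time rules are testable; names, origins and PBKDF2 are example choices.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_PASSWORD_AGE = timedelta(days=90)   # 8.5.9
MIN_LENGTH = 7                          # 8.5.10
HISTORY_DEPTH = 4                       # 8.5.12: current plus three previous
MAX_FAILURES = 6                        # 8.5.13
LOCKOUT_PERIOD = timedelta(minutes=30)  # 8.5.14
IDLE_TIMEOUT = timedelta(minutes=15)    # 8.5.15


def complexity_ok(pw: str) -> bool:
    """8.5.10 and 8.5.11: at least seven characters, with letters and digits."""
    return len(pw) >= MIN_LENGTH and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    history: list                        # (salt, hash) of recent passwords, newest last
    changed: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.audit: list = []

    def _log(self, user, event, when, success, origin, resource) -> None:
        """Section 6.1: who, what, when, outcome, origin and the affected resource."""
        self.audit.append({"user": user, "event": event, "when": when, "success": success,
                           "origin": origin, "resource": resource})

    def create_user(self, actor, user, password, now, origin) -> bool:
        self.accounts[user] = Account([], now)
        self._log(actor, "create_user", now, True, origin, user)   # admin action, 6.1
        return self.change_password(user, password, now, origin)

    def change_password(self, user, new_password, now, origin) -> bool:
        acct = self.accounts[user]
        reused = any(secrets.compare_digest(_derive(new_password, s), h) for s, h in acct.history)
        ok = complexity_ok(new_password) and not reused
        if ok:
            salt = secrets.token_bytes(16)
            acct.history = (acct.history + [(salt, _derive(new_password, salt))])[-HISTORY_DEPTH:]
            acct.changed = now
        self._log(user, "change_password", now, ok, origin, user)
        return ok

    def login(self, user, password, now, origin) -> str:
        """Returns 'ok', 'bad_credentials', 'locked' or 'password_expired'."""
        acct = self.accounts.get(user)
        if acct is None or not acct.history:
            self._log(user, "login", now, False, origin, "unknown user")
            return "bad_credentials"
        if acct.locked_until and now < acct.locked_until:
            self._log(user, "login", now, False, origin, "account locked")
            return "locked"
        acct.locked_until = None                  # lockout period has elapsed
        salt, digest = acct.history[-1]
        if not secrets.compare_digest(_derive(password, salt), digest):
            acct.failures += 1
            self._log(user, "login", now, False, origin, "bad password")
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_PERIOD
                self._log(user, "account_lockout", now, True, origin, user)
                return "locked"
            return "bad_credentials"
        acct.failures, acct.last_activity = 0, now
        expired = now - acct.changed > MAX_PASSWORD_AGE
        self._log(user, "login", now, True, origin, "password expired" if expired else "back office")
        return "password_expired" if expired else "ok"

    def unlock(self, admin, user, now, origin) -> None:
        """8.5.14: an administrator may re-enable the ID before 30 minutes elapse."""
        self.accounts[user].locked_until, self.accounts[user].failures = None, 0
        self._log(admin, "unlock_account", now, True, origin, user)

    def session_active(self, user, now) -> bool:
        """8.5.15: after 15 idle minutes the password must be re-entered."""
        acct = self.accounts[user]
        active = acct.last_activity is not None and now - acct.last_activity <= IDLE_TIMEOUT
        if not active and acct.last_activity is not None:
            self._log(user, "session_timeout", now, True, "terminal", user)
        acct.last_activity = now if active else None
        return active
```

Two design points are worth noting against the requirements above. Every failed attempt is logged before the lockout decision, so the six invalid attempts and the lockout itself all appear in the trail (the "invalid logical access attempts" and "use of identification and authentication mechanisms" events), and administrative actions are logged against the administrator who performed them with the affected user as the resource, which is what makes "all actions taken by any individual with administrative privileges" reconstructible later. An expired password still authenticates the user but returns a distinct status, so the application can force a change without treating the event as a failure.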

The open database structure means that anyone with system-level access to the database server (MS SQL) has access to system components covered under this requirement, and thus requires logging of user access and activity as detailed in Requirement 10 of the PCI Data Security Standard. For MS SQL, enable C2 audit tracing within Microsoft® SQL Server Management Studio (the server's Properties dialog, Security page):

• Within the Server authentication section, select the "SQL Server and Windows Authentication mode" option.
• Within the Login auditing section, select the "Both failed and successful logins" option.
• Within the Options section, select the "Enable C2 audit tracing" option.

Note that with C2 audit tracing enabled, SQL Server stops if it cannot write to the audit trace file (for example, because the drive holding the trace files is full), so the free space on that drive must be monitored.

7 SOFTWARE UPDATES

7.1 Application Updates

InfoSpec Systems Inc. may occasionally provide Profitek software updates remotely. As such, each site must develop usage policies for critical employee-facing hardware and software devices (for example, remote-access software, wireless technologies, removable electronic media, laptops, e-mail, and Internet) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:

• Require explicit management approval to use the devices.
• Require that all device use is authenticated with a strong username and password.
• Require a list of all devices and personnel authorized to use the devices.
• Require labeling of devices with owner, contact information, and purpose.
• Require acceptable uses for the devices.
• Require acceptable network locations for the devices.
• Require a list of company-approved products.
• Require automatic disconnect of modem sessions after a specific period of inactivity.
• Require activation of modems used by vendors only when needed by vendors, with immediate deactivation after use.
• Prohibit the storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing such data remotely via modem.
• Prohibit cut-and-paste and print functions during remote access.
• Patches and updates are to be installed on-line or on-site by authorized service personnel only, to ensure the integrity of the update.
• Patches/updates must be moved onto the target system in a "zipped" format and unzipped to access the executables.

InfoSpec Systems, Inc. recommends that all customers and resellers/integrators use a personal firewall product if the computer is connected via VPN or another high-speed connection, to secure these "always-on" connections. PA-DSS requires that all updates be capable of being rolled back to the previous version.

When applying an update:
1. Back up the data file.
2. Apply the update by running the setup disk.

To roll back:
1. Restore the data file.
2. Run the setup disk of the prior version.

8 ANTI-VIRUS SOFTWARE

In accordance with the PCI Data Security Standard, InfoSpec Systems Inc. mandates regular use and regular updates of anti-virus software. Anti-virus software must be deployed on all systems commonly affected by viruses, particularly personal computers and servers.

9 TROUBLESHOOTING AND SERVICE

To ensure customer data is protected, InfoSpec Systems, Inc. mandates that Profitek resellers/integrators and customer support only collect the sensitive authentication data needed to solve a specific problem. The policy regarding customer data is as follows:

• Whenever possible, do not gather data locally. Instead, use a remote troubleshooting application that requires the end user's express permission to access the system, and which encrypts all traffic over SSL. See Section 2.4.
• Never request magnetic stripe data, card validation codes, PINs, or PIN blocks.
• Only gather data with the express permission of authenticated and authorized end user personnel, and only when required to resolve the specific problem.
• Never gather data that is not needed to solve the specific problem.
• Encrypt and store data in specific, known locations that have limited access.
• Delete data securely immediately after use.