MICROS e7 Credit Card Security Best Practices

(1)

Credit Card Security

Best Practices

General Information

About This

Document

This document is intended to be used as a checklist for purging sensitive credit card data and protecting MICROS e7 system from potential security breeches. Following this checklist, along with proper installation of MICROS e7 Version 2.6 Patch 2 with the Universal Credit Card Driver installed, will ensure your system is secure.

(2)

Declarations

Warranties

Although the best efforts are made to ensure that the information in this manual is complete and correct, MICROS Systems, Inc. makes no warranty of any kind with regard to this material, including but not limited to the implied warranties of marketability and fitness for a particular purpose. Information in this manual is subject to change without notice. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information recording and retrieval systems, for any purpose other than for personal use, without the express written permission of MICROS Systems, Inc.

MICROS Systems, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual.

Trademarks

Framemaker is a registered trademark of Adobe Corporation.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are the property of their respective owners. Printing History

New editions of this manual incorporate additions and changes to the material since the previous release.

Edition Month Year

(3)

Security Checklist

1. Clear Virtual Memory on Shutdown

Virtual memory is used by the Windows operating system to optimize the use of RAM and disk memory. It is possible for MICROS e7 data to get written to virtual memory by the operating system in the normal course of swapping data between RAM and virtual memory. The only way to clear the virtual memory is during the boot process. It is important to clear virtual memory whenever a MICROS e7 server is rebooted. A scheduled reboot of the server is also recommended as a means of clearing the virtual memory.

Steps to set up clearing virtual memory on shutdown

1.

Click Start.

2.

Click Microsoft Control Panel.

3.

Click Administrative Tools.

4.

Click Local Security Policy.

5.

Expand the local policies by clicking the “+.”

6.

Double click on the Clear Virtual Memory Page File When System Shuts Down.

7.

Select Enable.

2. Ensure the Site has a Firewall in Place

A firewall is a piece of hardware or software which acts as a barrier between the local network and the internet.

1.

A properly configured firewall is required for each site using a persistent connection to the Public Internet or any private internal network where there is a potential for unauthorized access to the MICROS Network.

2.

MICROS recommends a Hardware Firewall in addition to the Windows firewall.

3.

Firewalls can be configured to allow or limit the flow of data between the MICROS e7 network and the public internet.

(5)

4.

If the MICROS e7 system has access to the internet, do not install credit card processing if the site does not have a properly configured firewall in place.

5.

MICROS does not recommend a specific vendor’s firewall be installed. Work with the customers’ network administrator to setup something that works with their configuration. MICROS does sell a firewall that can be used for MICROS e7 sites. For information on the hardware firewall that MICROS offers refer to PMA05-828.

6.

Windows XP Pro, and 2003 have a built in software firewall that should be enabled when running a MICROS e7. The firewall should be enabled before installing the MICROS e7 software.

3. Upgrade to MICROS e7 Version 2.6 Patch 2 and

Configure the Universal Credit Card Driver

1.

Refer to the MICROS e7 Version 2.6 Patch 2 ReadMe First, MD0007-027 for steps on upgrading your system. This process will upgrade your database automatically.

2.

The Universal Credit Card Driver is part of the MICROS e7 installation. If the Universal Credit Card Driver is already configured go to the next section. If not follow steps 3-7 below.

3.

Select Add Record to add a record.

4.

Open System tab and configure the following fields:

Number – After the record is added, the next available number is automatically assigned. This number may be changed, if desired. Name – Enter a name for this driver (e.g. UCCD).

Driver Code – Select the type of driver from the drop down menu. For the Universal Credit Card Driver select UCCD. This selection will cause several more fields to appear.

Node – Enter the hosting node for this driver. This should match the node used to batch credit cards on the Configurator | Restaurant |

Credit Cards form. If the communication mechanism is dial-up (or you

are configured for fallback), then this should be the node that has the modem attached.

(6)

Device ID – Specify the modem to use for authorization requests. Each modem has a 1-digit number associated with it. Select 0 if no device is used.

To determine to number to be entered, perform the Show Devices diagnostic using the e7 credit card utilities. For example, the following sample message might display:

Device [1]: Boca 28.8 Kbps V.34 MV.34E Device [2]: Standard 1200 bps Modem Device [3]: Standard 2400 bps Modem Select the appropriate device number.

Suppress Modem Initialization – Instructs the driver not to alter the default modem initialization string in the Windows CE registry. Leave this field as zero unless instructed otherwise by MICROS support. Not Used – Leave this field as zero.

Communications Channel – Specifies the type of interface connection used between the merchant and the credit card processor. The options are:

– 0: Dial-up

– 1: TCP/IP (not supported) – 2: Internet

Note On a PC, the modem must be configured in the Control Panel before it an be assigned as an authorization device.

(7)

Custom Mode – Determines when and how the credit card driver will translate the data in order to communicate, or set required specifications for a specific processor. The options are:

– 0: No changes (default)

– 1: UK Mode (not yet supported)

– 2: Kincaid Mode (only applicable with a TCP/IP connection – not supported)

– 3: Fifth Third bank (only application with a TCP/IP connection – not supported)

Enabled 12-Digit Amount – Determines whether the credit card processor can accept an amount up to 12-digits long (excluding the separator). The options are:

– 0: Off (not allowed) – 1: On (allowed)

Disable Auth Code Limit – Determines whether or not the credit card driver will accept a manually entered authorization code that is longer than 6 digits. The options are:

– 0: Aborts a batch settlement if the batch file contains a detail record with an authorization code longer than 6 digits.

– 1: Accepts files for batch settlement that contain oversized

authorization codes in detail records. When an oversized auth code is found, the number is truncated to the first six digits before continuing.

Enable Card-Level Results – Card-level results are enabled by turning on this option. The card level results field is a 2 character field sent by the issuer as part of the authorization response and returned as part of the settlement detail record. Enter one of the following options.

– 0. Option is disabled. This value is selected by default. – 1. Option is enabled.

(8)

Enable POS Data Code – Use this field to enable the POS Data Code. This field defaults to 0. The POS Data Code is a fixed 12 character string of data in the authorization message which indicates the condition of the POS Device and transaction at the time of the

authorization. Examples of these characteristics are: Swipe or Manual entry; card present or not; print and display capabilities; etc. The POS Data Code string will also be sent as part of the Settlement Detail. Enter one of the following values:

– 0. Option is disabled. This value is selected by default. – 1. Option is enabled.

Phone Number – Enter the telephone number used for authorizations and settlement. This information is provided by the credit card processor. Consider the following when entering this field: – Do not include hyphens

– Include any necessary long distance access code and area code (e.g. 14105551212).

– Include any dialing prefix necessary to get an outside line (e.g. 94105551212).

Backup Phone Number – Enter the backup telephone number used for authorizations and settlement (this field is optional). If the system attempts to perform an authorization but cannot gain a connection (e.g. the line is busy) the backup number will be used.

This information is provided by the credit card processor. Consider the following when entering this field:

– Do not include hyphens

– Include any necessary long distance access code and area code (e.g. 14105551212).

– Include any dialing prefix necessary to get an outside line (e.g. 94105551212).

Host IP Address:Port – The IP address and port of the primary host connection. This field is only available if TCP/IP is enabled.

(9)

Backup IP Address:Port – The IP address and port of the backup host connection. Backup connections are used when the system cannot establish communication via the primary host address. This field is only available if TCP/IP is enabled.

Internet Host Header – Enter the HTTP host header to be included in every outgoing authorization request. Up to 25 characters is allowed. Internet Target Name – Enter the HTTP target name to be included in every outgoing authorization request. Up to 25 characters is allowed. City (Zip) Code – Enter the number assigned by the credit card processor to further identify the merchant location within a country. In the USA, insert the 5 or 9 digit Zip code for the merchant location. Outside of the USA, a number will be assigned by the credit card processor.

Time Zone – A 3-digit number assigned by the credit card processor used to calculate the local time within the VisaNet Authorization System (e.g. Eastern Standard Time).

Merchant State – The 2-character state/province code assigned by the credit card processor to identify the merchant. The characters entered here must correspond to the state/province that prints on the voucher. Merchant City – Enter the name of the city where the merchant is located.

5.

Select the Merchant – Authorization tab and complete the following fields: MLI Header Enabled – Enter 0 if no MLI header will be used. Enter 1 to enable a Merchant Link Inc. (MLI) header for authorization.

After enabling the MLI header, enter the 3 character code for authorization in MLI Header Data field.

Industry Code – Used to identify the type of industry for this

merchant. Enter 0 if the merchant business is a restaurant. Enter 1 if the merchant business is a retail establishment.

(10)

Language Code – Identifies the language in which authorization messages will be returned for display and/or printing. Select the language code from the following list:

– 0: English – 1: Spanish – 2: Portuguese – 3: Irish – 4: French – 5: German – 6: Italian

Currency Code – The 3-digit number assigned by the credit card processor to identify the type of currency used. The code for the US dollar is 840.

Country Code – The 3-digit number assigned by the credit card processor to identify the country in which the merchant is located. The code for the USA is 840.

Acquirer BIN Number – The 6-digit Bank Identification Number assigned by the credit card processor.

Merchant ID Number – The 12-digit number used to identify the merchant. This number is assigned by the credit card processor.

Store Number – Enter the 4-digit number used to identify the merchant store. This number is assigned by the credit card processor.

Terminal Number – Enter the 4-digit number used to identify a specific terminal within an establishment. This number is assigned by the credit card processor. Each terminal within the establishment must have a unique number.

Merchant Category – The 4-digit number used to identify the merchant type. This number is assigned by the credit card processor. Merchant Name – Enter the name of the merchant (up to 25

characters). This name must correspond to the name that prints on the credit card voucher.

(11)

MLI Header Data – This field is only active if the entry in the MLI Header Enabled field is 1. Enter the 3-character code assigned by ML as a header for authorizations.

6.

Select the Merchant – Settlement tab and complete the following fields: Append Optional Data Group – Determines whether the expiration date and stripe data will be appended to the batch record detail. This option should be disabled when using the Fifth Third Bank Custom Mode. Any settlement records with the optional data appended will be rejected when using the Fifth Third Bank. The options are:

– 0: Disable the options – 1: To append the data

Agent Number – Enter the 6-digit number that identifies the merchant. This number is assigned by the credit card processor.

Chain Number – Enter the 6-digit number that identifies the merchant chain. This number is assigned by the credit card processor.

Merchant Location No – The 5-digit number that provides additional information on the location of the merchant. This number is assigned by the credit card processor. Unless specified otherwise by the merchant’s bank or processor, the default for this field should be 00001.

From the Configurator | Restaurant | Credit Cards form, choose either a PC or workstation from the Batch credit cards on field to specify the node to batch credit cards.

7.

Save the record.

Note This node should be the same as the node hosting UCCD.

(12)

4. Wipe all Old Copies of the Database and

Database Logs from System

This includes all clients on the network. The recommended way to wipe these files is to use an industry standard removal utility such as ERASER (http:// www.tolvanen.com/eraser). Simply deleting the files is not sufficient. A hacker could

use a variety of tools to recover data where a proper removal utility has not been used to wipe the old databases. Using the Windows delete function simply unlinks the filename from the data, leaving the data intact on the system. Wiping or removing the data will write over the data with garbage data, making the original file unrecoverable.

1.

The current database files should not be wiped off the system. These files can be found at the following location:

\MICROS\e7\db

2.

For removal of files from the system MICROS recommends using a removal utility such as ERASURE (http://www.tolvanen.com/eraser).

It is important to find all instances of the db and logs.

Search for *gz* and any other naming conventions you may use to archive your databases and logs.

This utility may be used to delete any type of file.

Any files stored on the system that contain customer data should be wiped from the system.

If you are unsure that you have located all possible files, than a re-installation to a completely blank hard drive is recommended.

(13)

5. Make a Backup of the Current Database

1.

Go to the MICROS e7 Configurator and select the Functionality drop-down arrow on the top right-hand corner of the screen.

2.

Select Backup the Database. The database backup file (backup.001.gz or backup.002.gz) will be stored at the following location:

\Micors\e7\dbbackups

3.

Make a copy of the backup database and place it in a secure location outside of the MICROS tree.

6. Secure your Remote Access Software (i.e.

PCAnyhwere)

Remote access software needs to be secured to prevent unauthorized access to the MICROS e7 system. Remote access to the MICROS e7 system should be limited to a select few who are trusted. Every trusted user should use a unique username and password which is maintained and managed by the site. Remote access sessions should be logged and audited. Please see your vendor’s documentation for specifics. PCAnywhere documentation can be found at:

ftp://ftp.symantec.com/public/english_us_canada/products/pcanywhere/ pcanywhere32/ver10.5/manuals/pca_105_admin.pdf

1.

Please be sure that at a minimum the following areas are covered: Configure and limit access to users who have a unique name and password.

Change the default ports for communications. Enable logging and auditing in the software.

(14)

7. Change PC Logins and Passwords for all Users

to Something Complex

PC users should have unique usernames and complex passwords which are rotated on a regular basis. The importance of using and maintaining a secure password scheme is twofold. First it greatly reduces the risk of un-authorized access to the MICROS e7 server. Second it facilitates proper auditing trails required for PCI.

1.

Every user who has access to the system should have their own username and password

2.

The passwords should be rotated on a regular basis.

3.

The passwords should be complex.

Use Caps, numbers, and special characters in the password for the most secure passwords

The user account should have limited access to the system, only what is necessary to do their job

8. Read and Follow all PCI Guidelines Provided in

MICROS e7 Payment Application Best Practices

Implementation Guide

The MICROS e7 Payment Application Best Practices Implementation Guide

can Documentation can be found on the MICROS Customer Services Web site

(15)

9. Ensure wireless network is configured securely

Unlike a wired network where a hacker would need physical access to the network to “sniff” packages, wireless networks broadcast packages over radio waves. If the wireless network is unsecured, anyone within range of the Access Point could intercept a package.

Three areas of security need to be addressed in wireless network. First, the Access Point needs to be secured so only a trusted user can administer the Access Point. Second, only known machines should be allowed on the network. Third, all data on the network should be encrypted.

1.

Change the Access Point password to be a complex password.

The administrator of the Access Point should have a unique name and complex password.

2.

Only known machines should be allowed on the network. Limit by MAC address and IP address whenever possible. Do not broadcast the SSID of the access point.

3.

Use the strongest encryption available.

At a minimum use 128 bit WEP for data encryption. This should be used wherever WPA is not available.

WPA should be used on all sites where WPA is available. Some older hardware does not support WPA.

4.

Consult your hardware vendor’s documentation on how to configure your hardware.

(16)

10. Antivirus Software Should be Installed and

Kept Up To Date

Current Antivirus software will protect your system from Malware. Malware is software written and deployed with the intent of causing harm to your system. Malware can take several forms. Some Malware is intended to corrupt or destroy data on your system. A second form is used to allow unauthorized use of your system. A third form is to steal information. Antivirus software, when properly deployed, will protect and rid your system of Malware.

1.

All MICROS e7 systems should have antivirus software installed, such as Norton Antivirus.