Please note that in VISA’s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Academic year: 2021


Introduction

This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements. Please note that as a credit card merchant you must be compliant with these standards; they are not optional.

This guide focuses on the things that you must do within our system, but there are also several things that fall outside the scope of our system. To get more detailed information please read the documents on Visa’s website:

http://usa.visa.com/merchants/risk_management/cisp.html

Please note that in VISA’s vernacular this security program for merchants is sometimes called “CISP” (cardholder information security program).

Validation Basics

Requirements

The following are the requirements as stated on Visa’s website.

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

Local

Local access means within the local network at your business place. Each user should be assigned a separate User ID and password to get onto the system. Passwords should be complex and should meet the following requirements:

Password Requirements

1. Be at least 7 characters in length.

2. Contain a mixture of letters and numbers.

3. Passwords should not be reused.

4. Group passwords should not be used; each user should have their own.

5. They must be changed at least every 90 days.

6. After initially setting up the user’s password, the user should change it to their own the next time they log into the system.
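The six rules above map directly onto a small set of checks that a login system can enforce. The following is an added example (not TCS Retail code, and not how TCS Retail stores passwords) showing one way to implement them: length and letter/number mix (rules 1 and 2), a per-user hash history so a password can never be reused (rule 3), a 90-day age check (rule 5), and a "must change" flag for passwords assigned by an administrator (rule 6). The salted PBKDF2 storage, the user record layout and the sample user are assumptions of this example.

```python
"""Password-policy checker for the six rules listed above (constructed example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7           # rule 1
MAX_AGE_DAYS = 90        # rule 5
PBKDF2_ROUNDS = 100_000  # work factor for stored hashes (assumption of this example)


@dataclass
class UserRecord:
    """One user's password state. 'history' keeps (salt, digest) of every
    password the user has ever had, so rule 3 (no reuse) can be enforced."""
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_on: Optional[date] = None
    must_change: bool = True   # rule 6: an admin-assigned password must be replaced


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> List[str]:
    """Rules 1 and 2: minimum length and a mixture of letters and numbers."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no numbers")
    return problems


def was_used_before(user: UserRecord, password: str) -> bool:
    """Rule 3: re-hash the candidate under each historical salt and compare."""
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in user.history)


def login_state(user: UserRecord, today: date) -> str:
    """What the login screen should do with this user today."""
    if user.must_change or user.changed_on is None:
        return "must_change"                      # rule 6
    if today - user.changed_on > timedelta(days=MAX_AGE_DAYS):
        return "expired"                          # rule 5
    return "ok"


def set_password(user: UserRecord, new_password: str, today: date,
                 assigned_by_admin: bool = False) -> List[str]:
    """Apply all rules; returns the list of violations (empty on success)."""
    problems = complexity_problems(new_password)
    if was_used_before(user, new_password):
        problems.append("password was used before")
    if problems:
        return problems
    salt = os.urandom(16)
    user.history.append((salt, _hash(new_password, salt)))
    user.changed_on = today
    user.must_change = assigned_by_admin      # rule 6: user must replace an assigned one
    return []


def verify(user: UserRecord, password: str) -> bool:
    """Check a login attempt against the current (most recent) hash."""
    if not user.history:
        return False
    salt, digest = user.history[-1]
    return hmac.compare_digest(_hash(password, salt), digest)


if __name__ == "__main__":
    # Constructed walkthrough: an administrator assigns a temporary password,
    # the user is forced to replace it, and a reuse attempt is rejected.
    u = UserRecord("cashier1")
    set_password(u, "temp1234", date(2024, 1, 1), assigned_by_admin=True)
    print(login_state(u, date(2024, 1, 2)))                  # must_change
    print(set_password(u, "temp1234", date(2024, 1, 2)))     # reuse rejected
    print(set_password(u, "spring24x", date(2024, 1, 2)))    # [] = accepted
```

Rule 4 (no group passwords) is a staffing control rather than something a validator can check on its own; the unique-user model above supports it by giving every user their own record and history.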

Additionally, regular employees or users of the system should not have access to cardholder information, administrative functions and data, or other sensitive information.

Later in this document it is explained how to set up a user and set the correct privilege levels on the system, so that they can do their job but are restricted from the unauthorized areas of the system.

Remote

Periodically you may need someone to have remote access to your system for support over the Internet. You may also wish to work from home and access your machine over the Internet. Please follow these guidelines, which are also required by the PCI compliance rules.

1. Two levels of security or authentication are required for access to your bookstore server over the Internet. At least one of these must involve encryption. A typical setup would be a connection to the network with an encrypted VPN and then remote desktop in. Another example would be the SSH protocol; in this case the two levels of security/authentication are the encryption and then the user/password to access the system.

2. Do not use insecure protocols like telnet to get into the system. The firewall on the server should be set up to deny entry by this method.

Firewall

As part of PCI compliance a firewall must be set up and configured. Several requirements must be met.

1. It is recommended that a network diagram be made showing all connections to the bookstore server which holds cardholder data. This includes wireless networks.

2. Changes to the firewall must be authorized and documented.

3. Limit the traffic to that which is required to conduct business.

4. To prevent spoofed IP addresses, egress (outgoing) and ingress (incoming) filters should be placed on border routers.

5. The cardholder database should not be on a direct internet connection. The network segment that is directly exposed to the internet is termed the DMZ or “demilitarized zone.” The database should instead be on the internal network.
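Items 3 and 4 above describe two filters that a border router applies: anti-spoofing ingress/egress checks and a default-deny policy that admits only the traffic the business needs. The following is an added example, not part of the original guide and not TCS code, that evaluates packets against such a rule set so the logic can be seen in one place. The addresses (192.168.10.0/24 as the store network, 192.168.10.5 as the bookstore server), the allowed inbound service (HTTPS only) and the sample packets are all constructed.

```python
"""Anti-spoofing ingress/egress filter for a border router (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing: the store's internal network and the bookstore server.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")
SERVER = ipaddress.ip_address("192.168.10.5")

# Source ranges that can never legitimately arrive from the Internet side.
NEVER_FROM_OUTSIDE = [INTERNAL] + [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private address space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",       # loopback, unspecified, link-local
)]

# Item 3: only the traffic required to conduct business. Constructed: HTTPS to the server.
ALLOWED_INBOUND = {("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside" (Internet) or "inside"
    src: str
    dst: str
    proto: str
    dport: int


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet crossing the border router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "outside":
        # Ingress filter (item 4): a packet from the Internet that claims an
        # internal or reserved source address is spoofed; drop it before any
        # allow rule gets a chance to match on the forged source.
        if any(src in net for net in NEVER_FROM_OUTSIDE):
            return "drop", "ingress: spoofed source address"
        # Default deny (item 3): only the listed service to the server is admitted.
        if dst == SERVER and (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
            return "accept", "inbound service required for business"
        return "drop", "inbound traffic not required for business"

    # Egress filter (item 4): anything leaving must carry one of our own
    # addresses; otherwise an internal host is spoofing someone else.
    if src not in INTERNAL:
        return "drop", "egress: source address is not ours"
    return "accept", "outbound from internal host"


def apply_ruleset(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run every packet through the filter; the result doubles as the log an
    operator would review for unauthorized traffic."""
    return [(p, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic, including a spoofed and a telnet attempt.
    sample = [
        Packet("outside", "192.168.10.7", "192.168.10.5", "tcp", 443),
        Packet("outside", "203.0.113.9", "192.168.10.5", "tcp", 443),
        Packet("outside", "203.0.113.9", "192.168.10.5", "tcp", 23),
        Packet("inside", "192.168.10.7", "198.51.100.1", "tcp", 443),
        Packet("inside", "203.0.113.9", "198.51.100.1", "tcp", 443),
    ]
    for pkt, verdict, reason in apply_ruleset(sample):
        print(f"{verdict:6} {pkt.iface:7} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({reason})")
```

The ordering matters: the spoof check runs before the service allow-list, so a forged internal source cannot satisfy an allow rule written in terms of trusted addresses.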

Wireless

Wireless networks have some special requirements that must be paid attention to.

1. Access must be limited to authorized devices on the wireless network.

2. A perimeter firewall must be set up between the wireless network and the bookstore server.

3. Vendor default settings should be changed (e.g. WEP keys, SSID, passwords, SNMP community strings) and SSID broadcasts disabled.

4. Use Wi-Fi Protected Access (WPA) or an equivalent or greater standard for authentication on the network.

5. Use Wi-Fi Protected Access (WPA), VPN, SSL at 128-bit, or WEP for encryption. (WEP keys must be rotated quarterly.)

6. Be sure to restrict physical access to wireless access points, gateways and handheld devices.

7. You should periodically identify all wireless devices using a wireless analyzer.

Testing and Analyzing Access

1. A vulnerability scan or penetration test should be performed quarterly by a qualified scan vendor.

2. Be sure to review access logs to firewalls, wireless gateways and your server for unauthorized traffic.

Updating of Systems

1. Total Computing Solutions, LLC will email users information on recommended patches to install. These include patches to our software, Windows, OpenSSL and other auxiliary software.

Setting Up Security Measures on TCS Retail

This is a walkthrough on how to specifically set up the security measures in TCS Retail.

User Accounts

This section of the document does not explain every detail about adding a new user, it just covers establishing the user’s privilege level in the system. For additional information about setting up a user, see the training documentation.

Let’s define three basic levels of privilege in the system and assign each the privilege number to put into the system:

Privilege   Title                    Roles
9           Administrator            Maintaining user accounts, establishing system parameters.
6           Manager/Asst. Manager    Running reports, information access, maintaining system data, advanced cashier functions.
1           Cashier                  Running basic cashier functions.

Yours may vary from this. You may decide to define more privilege levels, and your numbers may be slightly different, but the purpose of this is to get you acquainted with how to set it up on the TCS system to meet the PCI requirements. You may need to adjust it to meet your own needs and policies.

The way the privilege level works in TCS Retail is that any menu option in the system can be assigned a privilege. Users with a privilege of 9 would have use of anything that was

Set up the privilege level for System Administrator

Go to User Maintenance (POS-UU-5-1)

Let’s start with your user profile, so use your code where “test” is used below.

Make sure your privilege level is “9” for each account shown.

Set up the privilege for all users

We recommend that you keep the privilege levels the same on every account. The reason is that if a user has a privilege level of 3 on POS but a privilege level of 9 on TEXT, then on TEXT they will have the ability to change security, change users, etc.

Establish the privileges in the System

Here is an example of setting up a privilege level for a menu. This example will be for the System Administrator menu. First you must find the “process name” of the menu. To do that you must go to a place on the system that contains the System Administration menu. Log into POS. Go to User Utilities (POS-UU) and look at the menu:

Notice that the System Administrator menu is option #5.


The process name is just to the left of the menu option. For our example the process name of the System Administrator menu is “SA”.

Now we need to set the System Administrator menu to privilege level 9. Go to Process Control (POS-UU-5-2)


Set the Privilege to “9”. This will keep unauthorized users, anyone with a privilege lower than 9, out of the System Administration menu.


POS-5-1-5-27. Now both paths are restricted.)

Be sure that the correct privilege level is set on all your users. Non-administrators should not have a privilege level of 9 on any account.
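The privilege model described in this section has two parts: a number set on each menu option’s process name in Process Control, and a number held by each user on each account, with access allowed when the user’s level is at least the process’s level. The recommendation that levels match across POS and TEXT, and the rule that no non-administrator holds a 9, are both things that can be audited mechanically. The following added example (not TCS Retail code; the process names other than “SA”, the user codes and the fail-closed default for an unassigned process are assumptions of the example) shows the access decision and that audit.

```python
"""Privilege-level access check and account audit (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

ADMIN_LEVEL = 9
ACCOUNTS = ("POS", "TEXT")   # the two accounts named on the page

# Privilege assigned to each process name in Process Control. "SA" is the
# System Administrator menu from the walkthrough; "RPT" and "CASH" are made up.
PROCESS_PRIVILEGE: Dict[str, int] = {"SA": 9, "RPT": 6, "CASH": 1}


@dataclass
class User:
    code: str                                  # the user code, e.g. “test”
    is_admin: bool                             # from the staffing list, not the system
    privilege: Dict[str, int] = field(default_factory=dict)   # account -> level


def required_level(process: str) -> int:
    """Level a process demands; an unassigned process is treated as admin-only
    (fail closed), which is an assumption of this example."""
    return PROCESS_PRIVILEGE.get(process, ADMIN_LEVEL)


def can_access(user: User, account: str, process: str) -> bool:
    """A user may open a menu option when their level on that account is at
    least the privilege set on the option's process name."""
    return user.privilege.get(account, 0) >= required_level(process)


def audit_users(users: List[User]) -> List[str]:
    """Findings for the two checks the guide asks for: mismatched levels across
    accounts, and a level-9 held by someone who is not an administrator."""
    findings = []
    for u in users:
        levels = {acct: u.privilege.get(acct, 0) for acct in ACCOUNTS}
        if len(set(levels.values())) > 1:
            findings.append(f"{u.code}: privilege differs across accounts {levels}")
        if not u.is_admin and ADMIN_LEVEL in levels.values():
            findings.append(f"{u.code}: non-administrator holds level {ADMIN_LEVEL}")
    return findings


if __name__ == "__main__":
    # Constructed users: a correct admin, a correct manager, and the mismatch
    # case from the text (3 on POS, 9 on TEXT).
    users = [
        User("test", True, {"POS": 9, "TEXT": 9}),
        User("mgr1", False, {"POS": 6, "TEXT": 6}),
        User("clerk2", False, {"POS": 3, "TEXT": 9}),
    ]
    for u in users:
        print(u.code, "SA on POS:", can_access(u, "POS", "SA"),
              "SA on TEXT:", can_access(u, "TEXT", "SA"))
    for finding in audit_users(users):
        print("AUDIT:", finding)
```

The audit reproduces the concern in the text exactly: the clerk cannot reach the System Administrator menu from POS but can from TEXT, and both of the audit checks fire for that user.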

Credit Card Encryption

Credit card encryption involves several steps, which should be done by someone with administrative privileges. You must first install or have installed OpenSSL onto your bookstore server (we will help you with this). You must set up your user on the system to have full privileges and then install OpenSSL.

Take the file “Win32OpenSSL-v0.9.7d.exe” from TCS and put it on the bookstore server.

Open the file. It will automatically extract OpenSSL


contact support.

Set Privilege Levels

Make sure that you have appropriately defined the privilege level for you and your employees. This is explained in the User Accounts section of the document.

Next, turn on the security settings. Go to Security Settings (POS-UU-5-25-5).

Set Activate Credit Card Encryption to “Y”. (You can also set Activate Password Security to “Y” which is explained later.)

Since this is the first time doing it, as soon as you update this record you will be prompted to set up the encryption key and a secure password.

Do not lose the encryption key you enter! You cannot retrieve it and must call technical support. You will be charged a fee for us to get on your system and retrieve it.

Once you enter the new key you will be prompted to encrypt all of the card data with the new key.


Password Security

This explains how to turn on the password security settings. Note that this will encrypt your password and enforce the secure password guidelines required by the PCI guide.

If you chose “Y” to Activate Password Security while turning on the Credit Card Encryption (coming from the last section), you’ll be prompted to reset your password and can skip to that section of the document (next page). If you have not done so, you must first do the following:

1. Install OpenSSL

2. Set the OpenSSL path in the Encryption Settings (POS-UU-5-25-25).

Both of those steps are explained in the Credit Card Encryption section. Then you must set Activate Password Security in the Security Settings.

Go to Security Settings (POS-UU-5-25-5).


You must enter your current POS password and then enter and reenter a new password. The new password must be at least 7 characters in length and must be a mixture of numbers and letters. You are also not allowed to reuse passwords, and each user must reset their password every 90 days.
