MICROS e7 Version 2.7 Patch 1 Upgrade Best Practices
General Information
About this Document
This document is intended to convey best practice information when upgrading the MICROS e7 application from a non-PCI compliant version to a PCI compliant version. The table below lists all of the PCI compliant and non-PCI compliant versions of MICROS e7.
Visa established the Payment Card Industry (PCI) Data Security Standard to protect Visa cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.
Non-PCI Compliant Version | PCI Compliant Versions
1.0 1.5 1.5 Patch 1 2.0 2.0 Patches 1 & 2 2.7 2.1 2.1 Patches 1, 2, 3 & 4 2.5 2.6 2.6 Patches 1, 2 & 3 2.7 Patch 1
Non-PCI compliant versions of MICROS e7 may allow sensitive information, such as credit card numbers, to exist in a non-encrypted format. Such historical data (magnetic stripe data, card validation codes, PINs, or PIN blocks) must be removed. Removal of such data is necessary to ensure the MICROS software upgrade is conducted in a manner that is PCI compliant.
The sensitive information cannot simply be deleted from the file system. When files are deleted from the file system, most operating systems do not delete the files themselves; only the reference to each file is deleted. So, as a security measure, sites must follow the upgrade best practices and use a wipe tool to securely remove any historical sensitive information. Such data must be removed not only from the database, but anywhere the historical sensitive information resides, including backup tapes and logs.
MICROS Systems, Inc. mandates the secure deletion of historical sensitive information wherever it resides using the secure wipe tool Eraser. For more information, refer to the MICROS Secure Wipe Tool document.
Declarations
Warranties
Although the best efforts are made to ensure that the information in this manual is complete and correct, MICROS Systems, Inc. makes no warranty of any kind with regard to this material, including but not limited to the implied warranties of marketability and fitness for a particular purpose. Information in this manual is subject to change without notice. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information recording and retrieval systems, for any purpose other than for personal use, without the express written permission of MICROS Systems, Inc.
MICROS Systems, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual.
Trademarks
Framemaker is a registered trademark of Adobe Corporation.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are the property of their respective owners.
Printing History
New editions of this manual incorporate additions and changes to the material since the previous release.
Edition  Month      Year
1st      September  2007
2nd      November   2007
Upgrade Best Practices
Follow these steps to execute a secure upgrade to a PCI compliant version of the MICROS e7 software. These steps should be performed on the PC running MICROS e7.
Clear Virtual Memory on Shutdown
Virtual memory is used by the Windows operating system to optimize the use of RAM and disk memory. It is possible for MICROS e7 data to be written to virtual memory by the operating system in the normal course of swapping data between RAM and virtual memory. The only way to clear the virtual memory is during the boot process. It is important to clear virtual memory whenever a MICROS e7 PC is rebooted. A scheduled reboot of the PC is also recommended as a means of clearing the virtual memory.
Instructions for clearing virtual memory are provided below for the following operating systems:
Windows 2000
Windows Server 2003 and Windows XP
Windows Vista Business Edition
Steps to set up clearing virtual memory on shutdown on a System Running Windows 2000
1. Click Start.
2. Click Microsoft Control Panel.
3. Click Administrative Tools.
4. Click Local Security Policy.
Steps to set up clearing virtual memory on shutdown on a System Running Windows Server 2003 and Windows XP
1. Click Start.
2. Click Microsoft Control Panel.
3. Click Administrative Tools.
4. Click Local Security Policy.
5. Expand the local policies by clicking the “+.”
6. Select the Security Options folder.
7. Double click on the Shutdown: Clear Virtual Memory Pagefile.
8. Select Enabled.
9. Click [Ok].
Steps to set up clearing virtual memory on shutdown on a System Running Windows Vista Business Edition
1. Click Start.
2. Click Microsoft Control Panel.
3. Click Administrative Tools.
4. Click Local Security Policy.
5. Expand the local policies by clicking the “+.”
6. Select the Security Options folder.
7. Double click on the Clear Virtual Memory Page File When System Shuts Down.
8. Select Enabled.
9. Click [Ok].
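The same setting can be checked from a script. The following PowerShell is an added example, not part of the MICROS document: it reads the ClearPageFileAtShutdown registry value that backs this security option and, with -Enable, turns it on. It assumes Windows PowerShell is installed on the PC and, for -Enable, an elevated prompt.

```powershell
# Added example (not from the MICROS document): audit the pagefile-clearing
# setting that the Local Security Policy steps above configure.
# Assumptions: Windows PowerShell is installed; -Enable needs an elevated prompt.
param([switch]$Enable)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$name = 'ClearPageFileAtShutdown'

function Get-ClearPageFileState {
    # Returns 1 (enabled), 0 (disabled), or $null when the value does not exist.
    $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$name
}

$state = Get-ClearPageFileState
if ($state -ne 1 -and $Enable) {
    # -Force overwrites an existing value; DWord 1 turns the option on.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $state = Get-ClearPageFileState
}

# Page files currently in use on this PC.
$pageFiles = @(Get-WmiObject -Class Win32_PageFileUsage | ForEach-Object { $_.Name })
$fileList  = $pageFiles -join ', '

if ($state -eq 1) {
    Write-Output "OK: $name = 1. Page file(s): $fileList"
} else {
    $shown = if ($null -eq $state) { 'absent' } else { $state }
    Write-Output "NOT SET: $name is $shown. Page file(s): $fileList"
    Write-Output "Re-run with -Enable, or enable the option in Local Security Policy."
    exit 1
}
```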
Wipe all Old Copies of the Database and Database Logs from System
The recommended way to wipe these files is to use the ERASER removal utility (http://www.tolvanen.com/eraser). Simply deleting the files is not sufficient. A hacker could use a variety of tools to recover data where a proper removal utility has not been used to wipe the old databases. Using the Windows delete function simply unlinks the filename from the data, leaving the data intact on the system. Wiping or removing the data will write over the data with garbage data, making the original file unrecoverable. For more information, refer to the MICROS Secure Wipe Tool document.
1. The current database files should not be wiped off the system. These files can be found at the following location: \MICROS\e7\db2.
For removal of files from the system, use the ERASER removal utility available at the following location: http://www.tolvanen.com/eraser.
It is important to find all instances of the db and logs.
Search for *gz* and any other naming conventions you may use to archive your databases and logs.
This utility may be used to delete any type of file.
Any files stored on the system that contain customer data should be wiped from the system.
If you are unsure that you have located all possible files, then a reinstallation to a completely blank hard drive is recommended.
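One way to carry out the search described above, as an added example that is not part of the MICROS document: a PowerShell inventory of files whose names match *gz* (add your own archive naming patterns), excluding the current database folder. The C: drive letter, the report file name and the parameter names are assumptions; the script only lists files, so the results can be reviewed and then wiped with Eraser.

```powershell
# Added example (not from the MICROS document): list archived database and log
# copies that are candidates for secure wiping, leaving the live database alone.
param(
    [string[]]$Roots    = @('C:\'),            # assumption: drives/folders to search
    [string[]]$Patterns = @('*gz*'),           # '*gz*' is from the document; add site-specific archive names
    [string]  $LiveDb   = 'C:\MICROS\e7\db2',  # current database folder; drive letter is assumed
    [string]  $Report   = '.\wipe-candidates.csv'
)

# Trailing backslash so that a sibling such as "db2-old" is not treated as the live folder.
$livePrefix = $LiveDb.TrimEnd('\') + '\'

$found = @(
    foreach ($root in $Roots) {
        # -Force includes hidden and system files; unreadable folders are skipped.
        Get-ChildItem -Path $root -Recurse -Force -Include $Patterns -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object { -not $_.FullName.StartsWith($livePrefix, [System.StringComparison]::OrdinalIgnoreCase) } |
            Select-Object FullName, Length, LastWriteTime
    }
)

$candidates = @($found | Sort-Object FullName)
if ($candidates.Count -eq 0) {
    Write-Output "No files matching $($Patterns -join ', ') found outside $LiveDb."
    return
}

# Write the list for review; nothing is deleted or modified by this script.
$candidates | Export-Csv -Path $Report -NoTypeInformation
$totalMB = [math]::Round(($candidates | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
Write-Output "$($candidates.Count) candidate file(s), $totalMB MB in total. Review $Report before wiping."
$candidates | Format-Table -AutoSize
```

A pattern as broad as *gz* also matches unrelated files, so each entry in the report needs review before it is handed to the wipe tool.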