Epicor Eagle PA-DSS 2.0 Implementation Guide

Transcription

1 EPICOR EAGLE PA-DSS IMPLEMENTATION GUIDE PA-DSS IMPLEMENTATION GUIDE Epicor Eagle PA-DSS 2.0 Implementation Guide EL

2 This manual contains reference information about software products from Epicor Software Solutions Inc. The software described in this manual and the manual itself are furnished under the terms and conditions of a license agreement. The software consists of software options that are separately licensed. It is against the law to copy the software on any medium, or to enable any software options, except as specifically permitted under the license agreement. In addition, no part of this manual may be copied or transmitted in any form or by any means without the prior written permission of Epicor Software Solutions Inc. From time to time, Epicor makes changes to its software products. Therefore, information in this manual is subject to change, and the illustrations and screens that appear in the manual may differ somewhat from the version of the software provided to you. Created by: Epicor Software Corporation 4120 Dublin Boulevard Dublin, CA Copyright 2013 Epicor Software Corporation. All rights reserved. Epicor, the Epicor stylized logo design, and Purely Retail are registered trademarks of Epicor Software Corporation. All other trademarks are property of their respective owners. Publication No. EL Revision Date: August 2013 EL Epicor PA-DSS 2.0 Implementation Guide 2

3 Introduction Distribution and Updates This PA-DSS Implementation Guide must be disseminated to all relevant application users including merchants, resellers and integrators (if applicable). It is reviewed and updated annually, after changes to the software, and after changes to the PA-DSS requirements.. Additional Resources For your convenience, this document encapsulates the procedures in the PA-DSS Program Guide from the PCI Security Standards Council (PCI SSC). If desired, you can download the PA-DSS Program Guide from the PCI SSC, but this is optional. Click here to access the document. PA-DSS Setup Overview Use this document to guide you through the PCI implementation process. To proceed, the following must be true: You have installed Eagle for Windows Release 22. If you use Eagle Mobile, you must be on Eagle Mobile release or higher. You have worked with your Local Platform Specialist (LPS) to address any upgrades to peripherals or changes to your network setup. Overview of the Procedures in This Document The procedures described in this document include: Sensitive Authentication Data Install and Set Up SecureAccess Install and Set Up SSH for Legacy RF Guns Set Up Options Change Users Security Bits Microsoft Windows Setup Disable System Restore Points EL Epicor PA-DSS 2.0 Implementation Guide 3

4 Run OSPREY Utilities Review Additional Information Indicate Your System Is Now PCI Compliant Maintain Your Security Updates Wireless Security Configurations Location of Cardholder Data Sensitive Authentication Data (PADSS Requirement a) It is both the merchant s and reseller s responsibility to remove any sensitive authentication data (magnetic stripe data, card validation values or codes, PINs or PIN block data, cryptographic key material, or cryptograms (e.g., encrypted credit card numbers)) stored by previous versions of the Eagle for Windows software. It is the responsibility of Epicor Software Solutions Inc. to provide a means to do this. Removal of this prohibited historical data is absolutely necessary for PCI compliance. Collection of sensitive authentication data should only occur when you need to solve a specific problem. If you plan to collect sensitive authentication data, you must: Store such data in a specific, known location with limited access Collect only a limited amount of data needed to solve a specific problem Encrypt sensitive authentication data while stored Secure deletion of such data immediately after use Previous versions of Eagle for Windows retained sensitive card holder data in old off-line archive files. Level 20.1 and above no longer keeps these files on the POS workstation. If you are upgrading to level 22 from a version of software prior to 21.1, do the following to remove files left from a previous version(s) of Eagle for Windows: 1. Install Eagle level / Eagle for Windows (Level 22 general release) 2. Verify option 1061 is set to Yes. Please follow the steps in this guide before setting option 1061 to Yes. 3. On the Eagle for Windows POS workstation(s), initiate an off-line upload process. Even if no off line file exists to upload, initiating an upload causes the Eagle for Windows application to check for and securely remove any previously uploaded off-line files still remaining on the PC. EL Epicor PA-DSS 2.0 Implementation Guide 4

5 Install and Set Up SecureAccess (PADSS Requirement 12.1) You must install the SecureAccess application on PCs from which you access any of Network Access ( legacy ) applications. To download SecureAccess, visit our PCI Readiness website at: At the customer PCI site, select the Security Updates section, and then select the SecureAccess link to download the Secure Access application. Install and Set Up SSH for Legacy RF Guns (PADSS Requirement 12.1) You must install and set up an SSH version of the Wavelink emulation software for the following Legacy RF guns: Motorola (Symbol) MC3090, Motorola (Symbol) MC9090, and Data logic Falcon For the procedure, see document number EL2209 Installing the TelnetCE SSH Plug-In Component. This document is available on Epicor s website. Click the link below to access the document. Documentation/DocSearch.cfm?category=PCI Set Up Options (PADSS Requirement a, 2.1 and ) Cardholder data exceeding the customer-defined retention period must be purged. Purge criteria is controlled by Eagle for Windows options 311, 8965, and In Options Configuration, click ID, type the option ID number from the table below, and click OK. 2. Click in the Current Value column, and select the setting indicated in the table. 3. Repeat this process for each option listed in the table. Option Description ID# 311 Days to store credit card numbers in Quick Recall Set Option to this: 180 days or less. Additional Information Card numbers older than the value in this option are truncated with x s (e.g., 1234xxxxxxxx5678) when you run QRCCC in the next section. PA-DSS Requirement (PA-DSS Requirements a, 2.1) It is both the merchant s and reseller s responsibility to remove any sensitive authentication data (magnetic stripe data, card validation values or EL Epicor PA-DSS 2.0 Implementation Guide 5

6 8965 Eagle for Windows startup action when trace logging is enabled 561 Terminal Inactivity Timeout period (seconds) D-Deny This ensures that trace logs are never written to the local PC if trace logging is enabled on the system. 900 Current PADSS requirement is a 15- minute terminal timeout. Verify the value of this option is no more than 900 seconds codes, PINs or PIN block data, cryptographic key material, or cryptograms (e.g., encrypted credit card numbers)) stored by previous versions of the Eagle for Windows software. It is the responsibility of Epicor Software Corporation to provide a means to do this. Removal of this prohibited historical data is absolutely necessary for PCI compliance Confirm that the payment sets a session idle time-out to 15 minutes or less. Change Users Security Bits Guidelines for User and Password Controls (PADSS Requirement 3.1.c, 3.2 ) The following are the PA-DSS guidelines for password controls. You are advised against using administrative accounts for application logins (e.g., don t use the sa account for application access to the database). (PA- DSS 3.1c) You are advised that the Terminal s Default User must not be set to an ADMIN account, because the application will start already logged in with no password required. A LIMITED user with no capabilities must be added to the terminal and used as the default. This must be done every time a terminal is added." You are advised to assign strong passwords to these default accounts (even if they won t be used), and then disable or do not use the accounts. (PA-DSS 3.2) You are advised to assign strong application and system passwords whenever possible. (PA-DSS 3.2) EL Epicor PA-DSS 2.0 Implementation Guide 6

7 You are advised how to create PCI DSS-compliant complex passwords to access the payment application, per PCI Data Security Standard through (PA-DSS 3.2) You are advised to control access, via unique username and PCI DSS-compliant complex passwords, to any PCs, servers, and databases with payment applications and cardholder data. (PA-DSS 3.2) You are advised that changing out of the box installation settings for unique user IDs and secure authentication will result in noncompliance with PCI DSS. Passwords should meet the requirements set in PCI DSS section through , as listed here. Do not use group, shared, or generic accounts and passwords. Change user passwords at least every 90 days. Require a minimum password length of at least seven characters. Use passwords containing both numeric and alphabetic characters. Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. Limit repeated access attempts by locking out the user ID after not more than six attempts. Set the lockout duration to thirty minutes or until administrator enables the user ID. If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. Changing Security on the Eagle System (PA-DSS Requirements 3.1 and 3.2) For users with any of the following security bits set to Yes, you must change them to a High Security Password user, or change the following security bits to No. Security Bit Description 14 Add/Change/Delete security settings, bit lists 91 Allow system admin utilities (such as CDT, OSPREY, SHOWTASK) 506 Allow access to OSPREY's USRLOGIN function 689 View full customer credit card number 691 View full customer credit card number (decrypted mode) 757 Ability to view bankcard number in QuickRecall Users with any of these security bits set to Yes who are not set up as High Security Password users are not allowed to log into the Eagle Browser or Eagle for Windows POS. EL Epicor PA-DSS 2.0 Implementation Guide 7

8 For more information about changing a user s security bits, or about setting up High Security Passwords, see online help: From the Contents tab, click System Management Security. If a user has one or more of these security bits set to Yes, set option 3 Check Password at POS to Yes as follows: 1. In the Options Configuration window, click ID, type 3, and press Enter. 2. In the User field, select the appropriate user. 3. Change the Current Value column of Check Password at POS to Yes, and click OK. 4. Click Change on the toolbar to save the setting. 5. Repeat this process for any other users who require option 3 Check Password at POS set to Yes. Set special security to S on all terminals. 1. In the Options Configuration window, click ID, type 520, and press Enter. 2. In the Terminal field, select the terminal number. 3. Change the Current Value column of Terminal s Special Security to Yes, and click OK. 4. Click Change on the toolbar to save the setting. 5. Repeat this process for all other terminals. Microsoft Windows Setup (PADSS Requirement 2.1) This section describes the changes you must make in Microsoft Windows to meet PCI Compliance standards. Enabling Strong Passwords/Password Expiry/Screen Saver Passwords For a password to be strong, it should: EL Epicor PA-DSS 2.0 Implementation Guide 8

9 Be at least seven characters long. Because of the way passwords are encrypted, the most secure passwords are seven or 14 characters long. Contain characters from each of the following three groups: Group Letters (uppercase and lowercase) Examples A, B, C... (and a, b, c...) Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 Symbols (all characters not defined as letters or numerals) ` # $ % ^ & * ( ) _ + - = { } [ ] \ : " ; ' < >?,. / Have at least one symbol character in the second through sixth position Be significantly different from prior passwords Not contain your name or user name. In addition to setting up strong passwords, you will also need to set up Lockout Policies, which can be used to temporarily or permanently (until reset) lock out a user after a certain number of failed login attempts. This is useful for systems that may be accessible by the general public, and prevents someone from trying to guess a login password. There are many other policies that you can enable/disable using Lockout Policies, but be careful as you can restrict yourself so much that you can no longer access the system. Carefully read and understand the various policies if you decide to pursue further policy changes. Disable System Restore Points (PADSS Requirement 2.1) If you use Microsoft Windows XP, Windows Vista, or another operating system that supports System Restore Points, they must be disabled. System Restore creates and uses restore points to track changes in Windows, and recover to a previous configuration. It is possible these restore points may retain cardholder data. When you turn off System Restore, the operating system automatically removes existing restore points and stops the creation of new restore points. Instructions on how to do this are available from Microsoft: Run Osprey Utilities Configure the SysLog Server in SETIP (PADSS Requirement 4.1.b, 4.2, 4.3 and 4.4) IMPORTANT! Epicor strongly recommends that you consult with your Local Platform Specialist (LPS) before attempting to set up the SysLog Server. EL Epicor PA-DSS 2.0 Implementation Guide 9

10 You must configure the Eagle to pass logs to a SysLog Server in order to be compliant with PCI DSS. If you are executing this procedure during business hours, you must use Offline POS until because this process puts the system into Quiet mode. All logging conforms to PADSS version 2.0 requirements and The Syslog Server itself provides a prompt backup audit trail to a centralized log server that is difficult to alter, as per PCI DSS From the console terminal (the one attached to the CPU), at the login prompt, type OSPREY and press Enter. At Password, type AVATAR and press Enter. 2. At Selection, type SetIP and press Enter. This quiets the system (you cannot run any Eagle applications except Offline POS). 3. Type an E to Execute, and press Enter. Then type Yes, and press Enter to put the system in maintenance mode. 4. At the prompt, Do you want to change the current setting (y/n) [default y]? Press Enter to accept the default of Yes. 5. At this point, a series of prompts will display, one by one, on the screen. Simply press Enter for every prompt, until you get to the prompt to set up the logging server. At this point, select y to add syslog servers. 6. Type a lowercase a to add syslog server for compliancy regulations. Note: You will also be required to know the port number and protocol in use; the default for most syslog servers is 514 and UDP. 7. Enter the log server address, and then press Enter. 8. Enter the log server port number, and then press Enter. 9. Enter the log server protocol, and then press Enter. EL Epicor PA-DSS 2.0 Implementation Guide 10

11 10. Once you have added your required syslog servers, press Enter through the rest of the prompts that display. 11. When the SETIP main screen redisplays, when asked if you want to continue editing the configuration, type n and press Enter. Press Enter at the following prompt: Do you want to update the network settings (y/n) [default y]? 12. Press Enter at the following prompt: Please press <ENTER> to continue. 13. At the main menu, press <Esc>, and then press the spacebar. 14. Press Enter at the following prompt: Type 'QUIET' if you do NOT want the system back in normal mode now. Changes take effect after the reboot. Data Removal / Re-encryption (PADSS Requirement 2.7.a.) When upgrading to a new version of Eagle for Windows software, you must either remove existing credit card data (truncate) or re-encrypt existing encrypted card numbers with new keys. Removal or re-encryption is absolutely necessary for PCI DSS compliance. Note: The process of re-encrypting data may be a multi-day process, depending upon the number of encrypted of cards your system is retaining. Truncate or Encrypt Credit Card Data with QRCCC (PADSS Requirement 2.7.b) To truncate or encrypt credit card data, use Osprey function QRCCC (QuickRecall Credit Card Clean-Up) to either truncate existing credit card data (based on option 311), or encrypt it into the card number encryption file (MSF). 1. From the console terminal (the one attached to the CPU) at the function menu, type OSPREY and press Enter. At Password, type AVATAR and press Enter. 2. At Selection, type QRCCC and press Enter. 3. Type T to truncate, or E to encrypt. 4. At Action, type E to execute, and press Enter. 5. To re-encrypt credit card data, use Osprey function REEXPKEY as indicated below. Re-encrypting Data with New Keys (PADSS Requirement 2.7.b) 1. From the console terminal (the one attached to the CPU) at the function menu, type OSPREY and press Enter. At Password, type AVATAR and press Enter. 2. From the selection prompt (within Osprey), type REEXPKEY and press enter. 3. At the Action prompt, select E to execute, and press Enter. This process causes all existing Keys to be marked as expired, rendering them unusable. It then re-encrypts all existing encrypted card data using new keys. EL Epicor PA-DSS 2.0 Implementation Guide 11

12 Key Encryption Key (KEK) Rotation (PADSS Requirement a and 2.6.5b) At least once a year, or if your data has been compromised, PCI rules require that you rotate the master key (known as the Key Encryption Key or KEK). This is the key that encrypts the keys that encrypt credit card data. To rotate your KEK, do the following: 1. From the console terminal (the one attached to the CPU) at the function menu, type OSPREY and press Enter. At Password, type AVATAR and press Enter. 2. From the selection prompt (within Osprey), type ROTATKEK and press Enter. 3. At the Action prompt, select E to execute, and press Enter. Review Additional Information Review the additional information in this section to verify that you are complying with the relevant PA-DSS requirements discussed. Remote Access Two-factor Authentication (PA-DSS Requirement 10.2) If Eagle for Windows can be accessed remotely, all network connectivity must use twofactor authentication per PCI DSS requirement 8.3. This requirement states that you must implement two-factor authentication for remote access to the network by employees, administrators, and third parties. You must also use technologies such as a remote authentication and dial-in service (RADIUS) or a terminal access controller access control system (TACACS) with tokens; or a VPN (based on SSL/TLS or IPSEC) with individual certificates. Both a password and an additional authentication item (for example, smart card, token, PIN) must be required. Remote Access Software Security Configuration (PA-DSS Requirement , a and b) Implement the following applicable security features for all remote access software used by the merchant, reseller or integrator. Change the default settings in the remote access software (for example, change default Passwords and use unique Passwords for each customer) Allow connections only from specific (known) IP/MAC addresses. Use strong authentication or complex passwords for logins. Enable encrypted data transmission. Enable account lockout after a certain number of failed login attempts. Configure the system so a remote user must establish a Virtual Private Network ( VPN ) connection via a firewall before access is allowed. Enable the logging function. Restrict access to customer passwords to only authorized reseller/integrator personnel. EL Epicor PA-DSS 2.0 Implementation Guide 12

13 Establish customer Passwords as described in section Password Controls of this document (according to PCI DSS requirements 8.1, 8.2, 8.4, and 8.5). Disable Remote Access via Modem (PA-DSS Requirement ) The Eagle system allows remote access via modem. Any method of remote access by vendors must be activated only when needed by vendors, with immediate deactivation after use. To disable remote access via modem, go to Function SETRSP (available from the Eagle for Windows Launch Bar or from Network Access) and choose Disable. Firewalls (PA-DSS Requirement ) Perimeter firewalls must be installed between the cardholder data environment (any network or device that stores, transmits, or processes cardholder data) and any public network--for example, the Internet. Connections to private networks can also pose a risk (for example, a VPN connection to a software vendor). These always-on connections must be protected using a firewall or personal firewall product. A firewall must be installed between any wireless networks and the cardholder data environment. The firewall must be configured to deny traffic from the wireless network into the cardholder data environment. If traffic is necessary for business purposes, it must be controlled by the firewall. Encrypt Network Traffic Transmission of Cardholder Data (PA-DSS Requirement 12.1) Eagle uses strong SSL/TLS encryption technology when transmitting cardholder data over networks between the Eagle client and server. Outgoing connections over public networks are protected by the included ProtoBase software. End-user Messaging and Cardholder Data (PA-DSS Requirement 12.2) Eagle for Windows does not include or support any end-user messaging technologies (e.g., , instant messaging, and chat). Unencrypted cardholder data must never be sent using these technologies. Non-Console Administrative Access (PA-DSS Requirement 13.1) Eagle uses SSH for encryption of for all non-console administrative access to payment application or servers in cardholder data environment. Telnet or other non-encrypted access methods must not be used. EL Epicor PA-DSS 2.0 Implementation Guide 13

14 Indicate Your System Is Now PA-DSS Compliant To indicate that your system is now PA-DSS compliant, you must set option 1061 PA- DSS Compliant System to Yes in the Options Configuration window. This option is password-controlled; therefore, the process to change it is different from setting other options. To set to Yes: 1. In Options Configuration, click ID, type 1061, and press Enter. 2. Click Misc. on the toolbar. 3. Choose option F to restore option to factory default (which is Yes) 4. Click Change (F5). Maintain Your Security Updates (PA-DSS Requirement 7.1 and 7.2) Now that you have completed all the steps to implement PCI compliance, be sure to maintain your system s security updates by visiting Epicor s PCI Readiness site on a regular basis. The site is located at: At the customer PCI site select Security updates to download the update to your PC and to obtain the secure hash value. Wireless Security Configurations (PADSS Requirement 6.1.f) If your Eagle is implemented in an environment with wireless networking (WLAN), steps must be taken to secure the environment. The default security settings of wireless devices are usually set for usability, not security. They often include default settings and passwords that help an attacker. Therefore, default settings must be changed. Below is a list of example settings that must be changed. Action Required: Change the following settings in wireless devices: Change wireless encryption keys Change default service set identifier (SSID) Disable SSID broadcasts Change default passwords Change SNMP community strings Enable WiFi protected access (WPA and WPA2, aka i) technology for encryption and authentication (update firmware if necessary to support this) Enable strong encryption (e.g., AES) For new wireless implementations, it has been prohibited since March 31, 2009 to implement WEP. EL Epicor PA-DSS 2.0 Implementation Guide 14

15 Note: The Eagle Mobile is an optional package and was not reviewed in the Eagle PADSS certification process. Location of Cardholder Data (PADSS Requirement 9.1.b) Systems that store cardholder data must not be accessible from the Internet. They must be on an internal network, and never in a DMZ. For instance, cardholder data must not be stored on a web server. Database servers must be on an internal network. Note: inet is an optional package and was not reviewed in the Eagle PADSS certification process. EL Epicor PA-DSS 2.0 Implementation Guide 15