Table of Contents

- Notice
- About this Document
- Revision Information
- Executive Summary
- Application Summary
- Typical Network Implementation
- Dataflow Diagram
- Difference between PCI Compliance and PA-DSS Validation
- Considerations for the Implementation of Payment Application in a PCI-Compliant Environment
- Remove Historical Sensitive Authentication Data (PA-DSS a)
- Sensitive Authentication Data requires special handling (PA-DSS c)
- Purging of Cardholder Data (PA-DSS 2.1)
- Cardholder Data Encryption Key Management (PA-DSS 2.5.c and 2.6.a)
- Removal of Cryptographic material (PA-DSS 2.7.a)
- Set up Strong Access Controls (3.1.a and 3.2)
- Properly Train and Monitor Admin Personnel
- Log settings must be compliant (PA-DSS 4.1.b, 4.4.b)
- Services and Protocols (PA-DSS 5.4.c)
- PCI-Compliant Wireless settings (PA-DSS 6.1.f and 6.2.b)
- Never store cardholder data on internet-accessible systems (PA-DSS 9.1.b)
- PCI-Compliant Remote Access (10.2)
- PCI-Compliant Delivery of Updates (PA-DSS )
- PCI-Compliant Remote Access ( b)
- Data Transport Encryption (PA-DSS 11.1.b)
- PCI-Compliant Use of End User Messaging Technologies (PA-DSS 11.2.b)
- Non-console administration (PA-DSS 12.1)
- Network Segmentation
- Maintain an Information Security Program
- Application System Configuration
- Payment Application Initial Setup & Configuration
- Appendix A: Addressing Inadvertent Capture of PAN
- Addressing Inadvertent Capture of PAN on WINDOWS 7

Notice

THE INFORMATION IN THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. pcamerica MAKES NO REPRESENTATION OR WARRANTY AS TO THE ACCURACY OR THE COMPLETENESS OF THE INFORMATION CONTAINED HEREIN. YOU ACKNOWLEDGE AND AGREE THAT THIS INFORMATION IS PROVIDED TO YOU ON THE CONDITION THAT NEITHER pcamerica NOR ANY OF ITS AFFILIATES OR REPRESENTATIVES WILL HAVE ANY LIABILITY IN RESPECT OF, OR AS A RESULT OF, THE USE OF THIS INFORMATION. IN ADDITION, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE SOLELY RESPONSIBLE FOR MAKING YOUR OWN DECISIONS BASED ON THE INFORMATION HEREIN.

Nothing herein shall be construed as limiting or reducing your obligations to comply with any applicable laws, regulations or industry standards relating to security or otherwise, including, but not limited to, PA-DSS and DSS. The retailer may undertake activities that may affect compliance. For this reason, pcamerica is required to be specific to only the standard software provided by it.

About this Document

This document describes the steps that must be followed in order for your pcamerica POS Suite installations to comply with the Payment Application Data Security Standard (PA-DSS). The information in this document is based on the PCI Security Standards Council Payment Application Data Security Standard program (version 2.0, dated October 2010).

pcamerica instructs and advises its customers to deploy pcamerica applications in a manner that adheres to the PCI Data Security Standard (v2.0). Subsequent to this, best practices and hardening methods, such as those referenced by the Center for Internet Security (CIS) and their various Benchmarks, should be followed in order to enhance system logging, reduce the chance of intrusion and increase the ability to detect intrusion, as well as other general recommendations to secure networking environments. Such methods include, but are not limited to, enabling operating system auditing subsystems, system logging of individual servers to a centralized logging server, the disabling of infrequently-used or frequently vulnerable networking protocols, and the implementation of certificate-based protocols for access to servers by users and vendors.

You must follow the steps outlined in this Implementation Guide in order for your pcamerica POS Suite installation to support your PCI DSS compliance efforts.

Revision Information

Name | Title | Date of Update | Summary of Changes
Robert Horvath | Director of Software Development | January 10, 2009 | Initial Publication. Document version 1.0
Robert Horvath | Director of Software Development | September 26, 2012 | Updated product version to ... Document version 1.1
Robert Horvath | Director of Software Development | October 8, 2013 | Updated product version to ... to support PA-DSS 2.0. Document version 1.2
Skyler Fox | Software Development Manager | February 5, 2015 | Updated product version to ... Document version 1.3

Note: This PA-DSS Implementation Guide must be reviewed on a yearly basis, whenever the underlying application changes or whenever the PA-DSS requirements change. Updates should be tracked and reasonable accommodations should be made to distribute or make the updated guide available to users. pcamerica will distribute the IG to new customers via its FAQ site located at: and also distributes it with the application.

Executive Summary

Payment Application version has been PA-DSS (Payment Application Data Security Standard) certified, with PA-DSS Version 2.0. For the PA-DSS assessment, we worked with the following PCI SSC approved Payment Application Qualified Security Assessor (PAQSA):

Coalfire Systems, Inc.
361 Centennial Parkway, Suite 150
Louisville, CO

Coalfire Systems, Inc.
150 Nickerson Street, Suite 106
Seattle, WA

This document also explains the Payment Card Industry (PCI) initiative and the Payment Application Data Security Standard (PA-DSS) guidelines. The document then provides specific installation, configuration, and ongoing management best practices for using Payment Application as a PA-DSS validated application operating in a PCI compliant environment.

PCI Security Standards Council Reference Documents

The following documents provide additional detail surrounding the PCI SSC and related security programs (PA-DSS, PCI DSS, etc.):
- Payment Applications Data Security Standard (PA-DSS)
- Payment Card Industry Data Security Standard (PCI DSS)
- Open Web Application Security Project (OWASP)

Application Summary

Payment Application Name: pcamerica POS Suite

Payment Application Version: ...

Application Description: Payment engine for Cash Register Express, retail point of sale software, and Restaurant Pro Express, a point of sale solution for quick service and table service restaurants, utilized in both independent businesses and chains of stores and restaurants. The pcamerica POS Suite is sold via the Internet, distribution partners, and reseller/dealer channels. The application can accept both card present and card not present scenarios, supporting mail and telephone orders. Cardholder data is stored in a PA-DSS compliant manner using industry standard strong encryption, and the application does not store sensitive authentication data after authorization. When card data is transmitted to a payment processor in the course of a transaction or settlement, it is sent over a secure, encrypted connection utilizing industry standard SSL for communication.

Typical Role of Application: The pcamerica POS Suite has several direct integrations with various payment processors. Typically the merchant will only need to enter the information for their particular processor to enable payment processing. However, there are two exceptions: integration with PC Charge requires the Verifone PC Charge payment application, and integration with Mercury Payment Systems requires the installation of the Datacap Systems DSIClientX middleware to transmit transaction authorizations.

Target Market for Payment Application (check all that apply):
- [X] Retail
- [ ] Processors
- [ ] Gas/Oil
- [ ] e-Commerce
- [ ] Small/medium merchants
- [ ] Others (please specify):

Stored Cardholder Data: The following is a brief description of files and tables that store cardholder data.

File or Table Name | Description of stored Cardholder Data
Database table: CC_Trans | Column: Number - stores the encrypted card number. Column: Expiration - stores the encrypted card expiration. Column: First_Name - stores the encrypted cardholder's first name. Column: Last_Name - stores the encrypted cardholder's last name.
Database table: CC_Customer | Column: CC_Num - stores the encrypted card number on file for a customer record. Column: CC_Exp - stores the encrypted expiration date of a customer's card on file.

Components of the Payment Application: The following are the application-vendor-developed components which comprise the payment application within scope of this assessment. All files are deployed to each POS terminal.
- CRE2004.exe: Primary POS application
- pcamerica.paymentengine.cocardengine.dll: provides payment processing via CoCard
- pcamerica.paymentengine.debitinterface.dll: code that communicates with pinpads
- pcamerica.paymentengine.expressmanualprocessorengine.dll: provides simple, local payment processing that does not use card data. It simply records a payment amount, with no extra information.
- pcamerica.paymentengine.fdcsengine.dll: provides payment processing via First Data Cardnet
- pcamerica.paymentengine.fdmsbuypass.dll: provides payment processing via First Data Buypass
- pcamerica.paymentengine.fdmsnashville.dll: provides payment processing via First Data Nashville
- pcamerica.paymentengine.fifththirdbanktandem.dll: provides payment processing via 5th 3rd Tandem/Vantiv
- pcamerica.paymentengine.freedompay.dll: provides payment processing via RFID chips using FreedomPay (not a credit card)

- pcamerica.paymentengine.globalpayments.dll: provides payment processing via the Global Payments Transport gateway
- pcamerica.paymentengine.heartlandposgateway.dll: provides payment processing via Heartland Payment Systems
- pcamerica.paymentengine.manualprocessorengine.dll: provides simple, local payment processing that tracks minimal information about a card; this data is not transmitted
- pcamerica.paymentengine.merchantwareengine.dll: provides payment processing via the Merchant Warehouse Gateway
- pcamerica.paymentengine.mercuryengine.dll: provides payment processing via Mercury Payment Systems
- pcamerica.paymentengine.models.dll: defines data models used in payment processing
- pcamerica.paymentengine.moneris.dll: provides payment processing via Moneris (Canada only)
- pcamerica.paymentengine.monerisengine.dll: provides payment processing via Moneris (Canada only)
- pcamerica.paymentengine.netconnectengine.dll: provides payment processing via Chase Paymentech / NetConnect
- pcamerica.paymentengine.paymentprocessor.dll: provides shared logic for payment processing
- pcamerica.paymentengine.pcchargeengine.dll: provides payment processing via PC Charge using the file method
- pcamerica.paymentengine.pcchargetcpipengine.dll: provides payment processing via PC Charge using TCP/IP
- pcamerica.paymentengine.ppipaymover.dll: provides payment processing via the PayPros gateway
- pcamerica.paymentengine.securenetengine.dll: provides payment processing via Securenet
- pcamerica.paymentengine.tsysengine.dll: provides payment processing via TSYS

Required Third Party Payment Application Software: The following are additional third party payment application components required by the payment application within scope of this assessment. No 3rd party payment applications are required by the payment application, with the exception of PC Charge or Mercury Payment Systems processing:
- Verifone PC Charge version or higher
- Datacap Systems DSIClientX version or higher

Database Software Supported/Tested: The following are database management systems supported by the payment application within scope of this assessment: SQL Server 2005 SP4 / 2008 R2 SP2 / 2012 SP1, Express editions or higher.

Other Required Third Party Software: The following are other required third party software components required by the payment application within scope of this assessment: No other 3rd party software required.

Operating System(s) Supported/Tested: Windows 7 SP1; Windows 8.

Application Authentication: The pcamerica POS Suite has a built-in authentication mechanism that provides for both unique users and an administrator password for access to the program. Administrative access is defined as a user that has permission to change application configuration settings, or modify other users' permissions. To gain administrative access, the user must either type their own password, and have sufficient privileges, or provide the administrative password for the store. Employee access cards cannot be used to gain administrative access. Passwords are stored in a SHA256 hashed format combined with a randomly generated, cryptographically strong salt value that is unique per user account. The user passwords are secured in the program's database inside of SQL Server.

Application Encryption: Cardholder data is secured in the program database inside of SQL Server, using a 256-bit Rijndael strong encryption algorithm. The encryption key is derived from a password phrase provided by the application administrator, and is stored in an encrypted format in a file on disk. To enable compliant encryption key management, the application must be configured by using the Setup Screen > System Access > Password Policy page with at least the following minimum requirements:
- Encryption key valid for: 365 days
- Don't allow the same encryption key: 5 times in a row

The application will request the administrator to create the encryption key upon startup, or upon configuring payment processing within the program. When the encryption key reaches its end of life, the administrator will once again be requested to generate an encryption key, at which time the program will re-encrypt all sensitive data using the new key. The encryption key may be changed at any time by the administrator, by using the Login Screen > File Menu > Security > Change Encryption Key function. All sensitive data can be deleted from the application by using the Login Screen > Database Maintenance > Clear Database > Clear Encrypted Data function, which will remove all cardholder data from the database.

Application Functionality

Supported Payment Application Functionality (check only one):
- [ ] Automated Fuel Dispenser
- [ ] POS Kiosk
- [ ] Payment Gateway/Switch
- [ ] Card Not Present
- [ ] POS Specialized
- [ ] Payment Middleware
- [ ] POS Admin
- [ ] POS Suite/General
- [ ] Payment Module
- [X] POS Face to Face/POI
- [ ] Payment Back Office
- [ ] Shopping Cart & Store Front

Payment Processing Connections: The pcamerica POS Suite allows the acceptance of card payments in the course of conducting a point of sale transaction. In typical usage, the cashier will scan or use touchscreen ordering to assemble a customer receipt, press the Pay button, and choose the payment method. When choosing credit/debit, the cashier will then swipe the card using the card reader attached to the terminal, or the customer will swipe the card themselves through the customer facing PIN pad device. Once the card data is obtained, the transaction is transmitted to the payment processor via a secure TCP/IP Internet connection. The processor will transmit the transaction to the card acquirer, and return the response to the POS application. The POS application records the successful payment in the database, optionally requests a digitally captured handwritten signature from the customer, and prints the receipt. A user must then settle the transaction batches at the close of business to finalize them.

Description of Listing Versioning Methodology: pcamerica uses a versioning mechanism that follows the pattern "Major.Minor.0.Build". Major changes constitute either a complete rewrite of a central piece of functionality or changes that impact PA-DSS requirements. Minor changes constitute small feature additions or changes that may or may not impact the way the program stores, retrieves, or manipulates data. Build changes represent bug fixes and have no impact on PA-DSS requirements.

List of Resellers/Integrators (If Applicable): N/A

Typical Network Implementation

Dataflow Diagram

Difference between PCI Compliance and PA-DSS Validation

As a software vendor, our responsibility is to be PA-DSS Validated. We have performed an assessment and certification compliance review with our independent assessment firm, to ensure that our platform does conform to industry best practices when handling, managing and storing payment related information. PA-DSS is the standard against which Payment Application has been tested, assessed, and validated.

PCI Compliance is then later obtained by the merchant, and is an assessment of your actual server (or hosting) environment. Obtaining PCI Compliance is the responsibility of the merchant and your hosting provider, working together, using PCI compliant server architecture with proper hardware and software configurations and access control procedures. The PA-DSS Validation is intended to ensure that the Payment Application will help you achieve and maintain PCI Compliance with respect to how Payment Application handles user accounts, passwords, encryption, and other payment data related information.

The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data. The PCI DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.

The 12 Requirements of the PCI DSS:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect Stored Data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Considerations for the Implementation of Payment Application in a PCI-Compliant Environment

The following areas must be considered for proper implementation in a PCI-Compliant environment:
- Sensitive Authentication Data requires special handling

- Remove Historical Cardholder Data
- Set up Good Access Controls
- Properly Train and Monitor Admin Personnel
- Key Management Roles & Responsibilities
- PCI-Compliant Remote Access
- Use SSH, VPN, or SSLV3/TLS 1.0 or higher for encryption of administrative access
- Log settings must be compliant
- PCI-Compliant Wireless settings
- Data Transport Encryption
- PCI-Compliant Use of Network Segmentation
- Never store cardholder data on internet-accessible systems
- Use SSLV3 for Secure Data Transmission
- Delivery of Updates in a PCI Compliant Fashion

Remove Historical Sensitive Authentication Data (PA-DSS a)

Previous versions of pcamerica POS Suite did not store sensitive authentication data. Therefore, there is no need for secure removal of this historical data by the application as required by PA-DSS v2.0.

Sensitive Authentication Data requires special handling (PA-DSS c)

pcamerica does not store Sensitive Authentication Data for any reason, and we strongly recommend that you do not do this either. However, if for any reason you should do so, the following guidelines must be followed when dealing with sensitive authentication data (swipe data, validation values or codes, PIN or PIN block data):
- Collect sensitive authentication data only when needed to solve a specific problem
- Store such data only in specific, known locations with limited access
- Collect only the limited amount of data needed to solve a specific problem
- Encrypt sensitive authentication data while stored
- Securely delete such data immediately after use

Purging of Cardholder Data (PA-DSS 2.1)

The following guidelines must be followed when dealing with cardholder data (PAN alone or with any of the following: expiry date, cardholder name or service code):
- A customer-defined retention period must be defined with a business justification.
- Cardholder data exceeding the customer-defined retention period must be purged.

Here are the locations of the cardholder data you must purge:
- CC_Trans database table, fields: Number, First_Name, Last_Name, Expiration
- Customer database table, fields: CC_Num, CC_Exp

To purge the cardholder data you must do the following three things:
1. In the application, use the Clear Database screen and press the Clear Encrypted Data button.
2. In the operating system, configure Windows to do the following (see Appendix A for more detailed info):
   - Disable System Restore
   - Encrypt PageFile.sys
   - Clear the System Pagefile.sys on shutdown
   - Disable System Management of PageFile.sys
   - Disable Windows Error Reporting
3. After removing cardholder data from the database, run the following command in SQL Server to remove data that the application has deleted but which may be left in residual on-disk free space inside the underlying SQL Server files:

    EXEC sp_clean_db_free_space @dbname = 'cresql'

   where 'cresql' is the actual name of your POS database.

Any cardholder data you store outside of the application must be documented, and you must define a retention period at which time you will purge (render irretrievable) the stored cardholder data.

Cardholder Data Encryption Key Management (PA-DSS 2.5.c and 2.6.a)

pcamerica does not provide merchants with information or details related to data encryption algorithms or key generation. pcamerica POS Suite encryption uses 256-bit Rijndael dynamically generated keys for encryption. Encryption is always required when processing cards through the application. No additional configuration is necessary by the merchant.

Removal of Cryptographic material (PA-DSS 2.7.a)

When installing version (or later versions) of pcamerica POS Suite, all PAN data is automatically purged from the database. In addition, to render the data irretrievable you must run the sp_clean_db_free_space command in SQL Server to clean the database page files of deleted data, as described above. This removal is absolutely necessary for PCI DSS Compliance.

Set up Strong Access Controls (3.1.a and 3.2)

The PCI DSS requires that access to all systems in the payment processing environment be protected through use of unique users and complex passwords. Unique user accounts indicate that every account used is associated with an individual user and/or process, with no use of generic group accounts used by more than one user or process.

3.1.a: You must assign strong passwords to any default accounts (even if they won't be used), and then disable or do not use the accounts. All authentication credentials are provided by the application.

For both the completion of the initial installation and for any subsequent changes (for example, any changes that result in user accounts reverting to default settings, any changes to existing account settings, or changes that generate new accounts or recreate existing accounts), the following 10 points must be followed per PCI DSS 8.1, 8.2 and the sub-requirements cited below:
1. The application must assign unique IDs for user accounts. (8.1)
2. The application must provide at least one of the following three methods to authenticate users: (8.2)
   a. Something you know, such as a password or passphrase
   b. Something you have, such as a token device or smart card
   c. Something you are, such as a biometric
3. The application must NOT require or use any group, shared, or generic accounts or passwords.
4. The application requires passwords to be changed at least every 90 days. (8.5.9)
5. The application requires passwords to be at least 7 characters. (8.5.10)
6. The application requires passwords to include both numeric and alphabetic characters. (8.5.11)
7. The application keeps password history and requires that a new password is different than any of the last four passwords used. (8.5.12)
8. The application limits repeated access attempts by locking out the user account after not more than six logon attempts. (8.5.13)
9. The application sets the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. (8.5.14)
10. The application requires the user to re-authenticate to re-activate the session if the application session has been idle for more than 15 minutes.

To fulfill password requirements, the application must be configured by using the Setup Screen > System Access > Password Policy page with at least the following minimum requirements:
- Passwords valid for: 90 days
- Don't allow the same password: 4 times in a row
- Lock accounts after X failed login attempts: 6
- Lock accounts for X minutes after exceeding failed logins: 30 minutes
- Minimum password length: 7

These same account and password criteria from the above 10 requirements must also be applied to any applications or databases included in payment processing to be PCI compliant. pcamerica POS Suite, as tested in our PA-DSS audit, meets or exceeds these requirements for the following additional required applications or databases: SQL Server 2008 R2 Express.

[Note: These password controls are not intended to apply to employees who only have access to one card number at a time to facilitate a single transaction. These controls are applicable for access by employees with administrative capabilities, for access to servers with cardholder data, and for access controlled by the application.]

3.2: Control access, via unique username and PCI DSS-compliant complex passwords, to any PCs or servers with payment applications and to databases storing cardholder data.
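The account and password controls listed above, worked through as an added example that is not pcamerica's code: per-user salted SHA-256 storage as the guide describes, the 90-day / four-password / six-attempt / 30-minute / 7-character settings, and an audit record carrying the six fields PA-DSS 4.1.b asks for. The user name, the injected clock and the scenario in demo() are constructed for illustration.

```python
from __future__ import annotations
import hashlib, os, re
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Minimum settings the guide requires on the Setup Screen > System Access > Password Policy page.
PASSWORD_VALID_DAYS, PASSWORD_HISTORY, MAX_FAILED_LOGINS, LOCKOUT_MINUTES, MIN_LENGTH = 90, 4, 6, 30, 7

# The six entries PA-DSS 4.1.b requires for every audited event.
AuditEvent = namedtuple("AuditEvent", "user event_type timestamp success origin resource")

def hash_password(password: str, salt: bytes) -> bytes:
    """SHA-256 over a per-user random salt plus the password (the storage scheme the guide describes)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def check_complexity(password: str) -> list[str]:
    """Rules of PCI DSS 8.5.10/8.5.11 that a candidate password breaks (empty list = acceptable)."""
    problems = ["too short"] if len(password) < MIN_LENGTH else []
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    return problems

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: list = field(default_factory=list)   # (salt, digest) pairs of earlier passwords
    failed_attempts: int = 0
    locked_until: datetime | None = None

class AuthService:
    def __init__(self, now):
        self.now = now   # callable returning the current UTC time; injected so demo() can move the clock
        self.accounts = {}
        self.audit = []  # append-only trail of AuditEvent records

    def _result(self, user, event_type, outcome, origin):
        """Record the event with all six 4.1.b fields, then hand the outcome back to the caller."""
        success = outcome == "ok" or outcome == []
        self.audit.append(AuditEvent(user, event_type, self.now(), success, origin, "user_account"))
        return outcome

    def set_password(self, username, password, origin="console"):
        """Return the list of violated rules, empty when the password was accepted and stored."""
        problems, acct = check_complexity(password), self.accounts.get(username)
        # 8.5.12: compare against the current and the previous passwords, each under its own salt.
        if acct and any(hash_password(password, s) == d for s, d in [(acct.salt, acct.digest)] + acct.history):
            problems.append("reused password")
        if problems:
            return self._result(username, "password_change", problems, origin)
        salt, now = os.urandom(16), self.now()
        if acct:
            acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY - 1]
            acct.salt, acct.digest, acct.changed_at = salt, hash_password(password, salt), now
            acct.failed_attempts, acct.locked_until = 0, None
        else:
            self.accounts[username] = Account(salt, hash_password(password, salt), now)
        return self._result(username, "password_change", [], origin)

    def login(self, username, password, origin="console"):
        """Return 'ok', 'expired', 'locked' or 'denied'; every outcome is audited (PCI DSS 10.2.4/10.2.5)."""
        acct, now = self.accounts.get(username), self.now()
        if acct is None or (acct.locked_until and now < acct.locked_until):
            return self._result(username, "login", "denied" if acct is None else "locked", origin)
        if hash_password(password, acct.salt) != acct.digest:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_LOGINS:   # 8.5.13: sixth failure opens the 8.5.14 window
                acct.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            return self._result(username, "login", "locked" if acct.locked_until else "denied", origin)
        acct.failed_attempts, acct.locked_until = 0, None
        if now - acct.changed_at > timedelta(days=PASSWORD_VALID_DAYS):   # 8.5.9
            return self._result(username, "login", "expired", origin)
        return self._result(username, "login", "ok", origin)

def demo():
    """Constructed scenario: six bad attempts lock 'cashier1', the lock lifts after 30 minutes,
    a 91-day-old password is reported expired, and the last four passwords cannot be reused."""
    clock = [datetime(2015, 2, 5, 9, 0, tzinfo=timezone.utc)]   # constructed start time
    svc = AuthService(lambda: clock[0])
    svc.set_password("cashier1", "Reg1ster")
    results = {"bad_pw_rejected": svc.set_password("cashier1", "short")}
    for _ in range(MAX_FAILED_LOGINS):
        results["after_six_failures"] = svc.login("cashier1", "wrongpass1", origin="POS-02")
    results["correct_pw_while_locked"] = svc.login("cashier1", "Reg1ster")
    clock[0] += timedelta(minutes=LOCKOUT_MINUTES, seconds=1)
    results["after_lockout"] = svc.login("cashier1", "Reg1ster")
    clock[0] += timedelta(days=PASSWORD_VALID_DAYS + 1)
    results["stale_password"] = svc.login("cashier1", "Reg1ster")
    for pw in ("Reg1ster2", "Reg1ster3", "Reg1ster4"):
        svc.set_password("cashier1", pw)
    results["reuse_within_four"] = svc.set_password("cashier1", "Reg1ster")
    svc.set_password("cashier1", "Reg1ster5")
    results["reuse_fifth_back"] = svc.set_password("cashier1", "Reg1ster")
    results["login_failures_logged"] = sum(1 for e in svc.audit if e.event_type == "login" and not e.success)
    return results
```

Every rejected attempt, including a correct password entered during the lockout window, leaves an audit record, which is what lets the 4.1.b trail reconstruct invalid access attempts after the fact.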

Properly Train and Monitor Admin Personnel

It is your responsibility to institute proper personnel management techniques for allowing admin user access to cardholder data, site data, etc. You can control whether each individual admin user can see the credit card PAN (or only the last 4 digits). In most systems, a security breach is the result of unethical personnel, so pay special attention to whom you trust with your admin site and whom you allow to view full decrypted and unmasked payment information.

Log settings must be compliant (PA-DSS 4.1.b, 4.4.b)

4.1.b: pcamerica POS Suite has PA-DSS compliant logging enabled by default. This logging is not configurable and may not be disabled. Disabling or subverting the logging function of pcamerica POS Suite in any way will result in non-compliance with PCI DSS.

Implement automated audit trails for all system components to reconstruct the following events:
- All individual user accesses to cardholder data
- All actions taken by any individual with root or administrative privileges
- Access to application audit trails managed by or within the application
- Invalid logical access attempts
- Use of the application's identification and authentication mechanisms
- Initialization of the application audit logs
- Creation and deletion of system-level objects within or by the application

Record at least the following audit trail entries for all system components for each event from 10.2.x above:
- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource

4.4.b: pcamerica POS Suite facilitates centralized logging. The application logs user and program activity to the Windows application and security logs. To access and correctly configure the Windows log settings, log in as an Administrator on the Windows system where the pcamerica POS Suite is installed. Once logged in, go to Start > Control Panel > Administrative Tools and open Event Viewer. Expand Applications and Services Logs, right-click on CRE, and then go to Properties. Make the following settings:
- Set Maximum Log Size to 4096
- Select "Archive the log when full, do not overwrite events"

Apply those changes. The Windows Event Log that captures program events may be exported for use in a centralized logging system. You may export them to either XML, text, or CSV format by right-clicking the event log and clicking "Save All Events As".

Services and Protocols (PA-DSS 5.4.c)

pcamerica POS Suite does not require the use of any insecure services or protocols. Here are the services and protocols that pcamerica POS Suite does require:
- SSLV3

- HTTPS

The merchant must ensure that outbound TCP/IP port 443 is open to be able to securely transmit authorization requests.

PCI-Compliant Wireless settings (PA-DSS 6.1.f and 6.2.b)

pcamerica POS Suite does not require, and is not bundled with, wireless technologies. If you choose to implement wireless technology in your environment, the following guidelines for secure wireless settings must be followed per PCI Data Security Standard 1.2.3, 2.1.1 and 4.1.1.

2.1.1: Change wireless vendor defaults per the following 5 points:
1. Encryption keys must be changed from default at installation, and must be changed anytime anyone with knowledge of the keys leaves the company or changes positions. Refer to the user manual for the merchant's router to make the appropriate changes.
2. Default SNMP community strings on wireless devices must be changed. Refer to the user manual for the merchant's router to make the appropriate changes.
3. Default passwords/passphrases on access points must be changed. Refer to the user manual for the merchant's router to make the appropriate changes.
4. Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks. Refer to the user manual for the merchant's router to make the appropriate changes.
5. Other security-related wireless vendor defaults, if applicable, must be changed. Refer to the user manual for the merchant's router to make the appropriate changes.

1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data, and these firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

4.1.1: Industry best practices (for example, IEEE i) must be used to implement strong encryption for authentication and transmission of cardholder data. Note: The use of WEP as a security control was prohibited as of June 30,

Never store cardholder data on internet-accessible systems (PA-DSS 9.1.b)

Never store cardholder data on Internet-accessible systems (e.g., the web server and the database server must not be on the same server).

PCI-Compliant Remote Access (10.2)

The PCI standard requires that if employees, administrators, or vendors are granted remote access to the payment processing environment, access must be authenticated using a two-factor authentication mechanism. This means two of the following three authentication methods must be used:
1. Something you know, such as a password or passphrase
2. Something you have, such as a token device or smart card
3. Something you are, such as a biometric

PCI-Compliant Delivery of Updates (PA-DSS )

pcamerica POS Suite delivers patches and updates in a secure manner:

20 As a development company, we keep abreast of the relevant security concerns and vulnerabilities in our area of development and expertise. We do this by subscribing to industry news, security digests, and payment processor subscription lists. Once we identify a relevant vulnerability, we work to develop and test a patch that helps protect pcamerica POS Suite against the specific, new vulnerability. We attempt to publish a patch within 10 days of the identification of the vulnerability. We will then contact vendors and dealers to encourage them to install the patch. Typically, merchants are expected to respond quickly to and install available patches within 30 days. We do not deliver software and/or updates via remote access to customer networks. Instead, software and updates are available for download by customers, resellers, or integrators from our secure file server delivered via HTTPS. It is the responsibility of the customer, reseller, or integrator to download patches and updates and manually install them on their own systems running the pcamerica POS Suite application. Once downloaded, the user may verify the software authenticity by examining the digital signature to see that it is valid and signed by Automation Inc. dba pcamerica either by viewing the properties of the file, or in the user security warning presented by Windows when running the software update. PCI-Compliant Remote Access ( b) The PCI standard requires that if employees, administrators, or vendors are granted remote access to the payment processing environment; access should be authenticated using a two-factor authentication mechanism (username/ password and an additional authentication item such as a token or certificate). In the case of vendor remote access accounts, in addition to the standard access controls, vendor accounts should only be active while access is required to provide service. 
Access rights should include only the access rights required for the service rendered, and should be robustly audited.

If users and hosts within the payment application environment need to use third-party remote access software such as Remote Desktop to access other hosts within the payment processing environment, special care must be taken. In order to be compliant, every such session must be encrypted with at least 128-bit encryption (in addition to satisfying the two-factor authentication requirement for users connecting from outside the payment processing environment). For RDP this means using the High encryption setting on the server; requiring Network Level Authentication and the TLS security layer as well closes the remaining weaknesses of legacy RDP security. Additionally, the PCI user account and password requirements apply to these access methods as well.

When requesting support from a vendor, reseller, or integrator, customers are advised to take the following precautions:
- Change default settings (such as usernames and passwords) on remote access software (e.g. VNC)
- Allow connections only from specific IP and/or MAC addresses
- Use strong authentication and complex passwords for logins according to PA-DSS and PCI DSS 8.1, 8.3, and
- Enable encrypted data transmission according to PA-DSS 12.1 and PCI DSS 4.1
- Enable account lockouts after a certain number of failed login attempts according to PA-DSS and PCI DSS
- Require that remote access take place over a VPN via a firewall as opposed to allowing connections directly from the Internet
- Enable logging for auditing purposes
- Restrict access to customer passwords to authorized reseller/integrator personnel
- Establish customer passwords according to PA-DSS and PCI DSS Requirements 8.1, 8.2, 8.4, and 8.5
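The RDP settings the paragraph above calls for, as an audit-and-enforce script. This is an added example and not pcamerica's code; the registry values are the documented Terminal Services settings, the firewall rule name is the one Windows 7 ships with, and the source addresses in the usage line are constructed documentation addresses.

```powershell
# Added example, not pcamerica's code. Audits (and can enforce) the RDP server
# settings behind the "High encryption" advice, and narrows the built-in Remote
# Desktop firewall rule to named source addresses. Run elevated on the RDP host.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Required values (documented Terminal Services settings):
#   MinEncryptionLevel 3 = High (128-bit), 4 = FIPS
#   SecurityLayer      2 = TLS; 1 = negotiate; 0 = legacy RDP security
#   UserAuthentication 1 = Network Level Authentication required
$required = @{
    MinEncryptionLevel = 3
    SecurityLayer      = 2
    UserAuthentication = 1
}

function Get-RdpHardeningState {
    $current = Get-ItemProperty -Path $rdpKey
    foreach ($name in $required.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting   = $name
            Actual    = $actual
            Required  = $required[$name]
            # higher is stricter for all three values, so -ge is the right comparison
            Compliant = ($null -ne $actual) -and ([int]$actual -ge $required[$name])
        }
    }
}

function Set-RdpHardening {
    foreach ($name in $required.Keys) {
        Set-ItemProperty -Path $rdpKey -Name $name -Value $required[$name] -Type DWord
    }
}

function Limit-RdpSources {
    # Narrow the existing allow rule rather than adding a second one: an extra
    # allow rule would leave the original any-source rule in place. netsh is used
    # because Windows 7 has no NetSecurity PowerShell module. On Windows 8 and
    # later the rule is named "Remote Desktop - User Mode (TCP-In)".
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)
    $list = $RemoteAddress -join ','
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$list
}

Get-RdpHardeningState | Format-Table -AutoSize
# To enforce, then re-check:
# Set-RdpHardening
# Limit-RdpSources -RemoteAddress '203.0.113.10', '203.0.113.0/24'   # constructed example addresses
# Get-RdpHardeningState | Format-Table -AutoSize
```

The registry values take effect for new sessions; existing sessions keep the settings they were established with, so disconnect and reconnect after enforcing.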

The pcamerica POS Suite does not have any built-in remote access capabilities. The support staff at pcamerica currently uses an application known as showmypc.com in order to access customer systems remotely. All connectivity in this manner uses two-factor authentication: a username and PIN are used as the first factor, and the customer is required to physically click on a dialog box allowing pcamerica support staff to enter the customer's system, which pcamerica treats as the second factor. All remote access is initiated by the customer. At no time is it possible for pcamerica to remotely access any system running the application unless the customer has contacted pcamerica support and requested such assistance. Note that the customer's approval click authorizes the session rather than authenticating the technician; confirm with your assessor that the remote-support tool in use satisfies the two-factor requirement for your environment.

In all cases, pcamerica will:
- Whenever possible, not gather data locally. Instead, pcamerica will use remote troubleshooting applications that require express permission to access the computer, and which encrypt all traffic over HTTPS/SSL.
- Never request magnetic stripe data, card validation codes, PINs, or PIN block numbers.
- Gather data only with express permission, and only when required to resolve the specific problem. pcamerica will never gather data that is not needed to solve the specific problem.
- Encrypt gathered data and store it in locations that have limited access.
- Delete gathered data immediately after use.

Data Transport Encryption (PA-DSS 11.1.b)

The PCI DSS requires the use of strong cryptography and encryption techniques with at least 128-bit encryption strength (either at the transport layer with SSLv3 or IPsec, or at the data layer with algorithms such as RSA or Triple-DES) to safeguard cardholder data during transmission over public networks (this includes the Internet and Internet-accessible DMZ network segments).
PCI DSS requirement 4.1: Use strong cryptography and security protocols such as secure sockets layer (SSLv3) / transport layer security (TLS 1.0 or higher) and Internet protocol security (IPsec) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are:
- The Internet
- Wireless technologies
- Global System for Mobile Communications (GSM)
- General Packet Radio Service (GPRS)

The wording above is from PCI DSS 2.0. PCI DSS 3.1 and later no longer accept SSL of any version or early TLS (1.0) as strong cryptography, so TLS 1.2 or higher should be used, and the protocol actually negotiated with the payment gateway should be verified rather than assumed.

The pcamerica POS Suite uses HTTPS/SSL for transmission of cardholder data over public networks, per PCI DSS 4.1. Refer to the Dataflow diagram for an understanding of the flow of encrypted data associated with pcamerica POS Suite.

PCI-Compliant Use of End User Messaging Technologies (PA-DSS 11.2.b)

pcamerica POS Suite does not allow or facilitate the sending of PANs via any end user messaging technology (for example, e-mail, instant messaging, and chat).

Non-console administration (PA-DSS 12.1)

Although pcamerica POS Suite does not support non-console administration and we do not recommend using non-console administration, should you ever choose to do this, you must use SSH, VPN, or SSLv3/TLS 1.0 or higher for encryption of this non-console administrative access (subject to the same note on SSL and early TLS above).

Network Segmentation

The PCI DSS requires that firewall services be used (with NAT or PAT) to partition the network into logical security domains based on the environmental needs for Internet access. Traditionally, this corresponds to the creation of at least a DMZ and a trusted network segment, where only authorized, business-justified traffic from the DMZ is allowed to connect to the trusted segment. No direct incoming Internet traffic to the trusted application environment can be allowed. Additionally, outbound Internet access from the trusted segment must be limited to required and justified ports and services. Refer to the standardized Network diagram for an understanding of the flow of encrypted data associated with pcamerica POS Suite.

Maintain an Information Security Program

In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data. The following is a very basic plan every merchant/service provider should adopt in developing and implementing a security policy and program:
- Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements.
- Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data.
- Create an action plan for on-going compliance and assessment.
- Implement, monitor and maintain the plan. Compliance is not a one-time event. Regardless of merchant or service provider level, all entities should complete annual self-assessments using the PCI Self-Assessment Questionnaire.
- Call in outside experts as needed.
Application System Configuration

Below are the operating systems and dependent application patch levels and configurations supported and tested for continued PCI DSS compliance.
- Windows XP SP3, POS Ready 2009, Windows 7 SP1, POS Ready 7, Windows 8. All latest updates and hot-fixes should be tested and applied.
- 1 GB of RAM minimum, 2 GB or higher recommended
- 15 GB of available hard-disk space
- TCP/IP network connectivity
- SQL Server 2005, 2008 R2, or . All latest updates and hot-fixes should be tested and applied.

Note that several of these platforms (Windows XP, Windows 7, Windows 8, SQL Server 2005 and SQL Server 2008 R2) have since reached end of support from Microsoft and no longer receive security updates; a system running them cannot meet the patching requirement above.

Payment Application Initial Setup & Configuration

Installing the Payment Application

Refer to the installation guide and other helpful information located at:

Defining the Payment Gateway

Depending on the payment processor, follow the instructions for configuring the merchant's processor by referring to this page:

Conducting Test Transactions

When initially configuring the system, the merchant will be asked to use one of their own payment cards to conduct a test transaction. No PANs will be sent to the merchant or given over the phone to them for testing.

Updating your Encryption Key on a Periodic Basis

At any time, you may change your encryption key by navigating to File > Security > Change Data Encryption Key on the program Login Screen. You must then provide the administrator password to proceed. Similarly, the encryption key that is used to protect your data encryption key should be periodically rotated. You can change this at any time by navigating to File > Security > Change Key Encryption Key. No passphrase is necessary; the system will automatically create a new key for you, and your registers will start using the new one.

Mandatory Windows System Settings

Overview of Windows security and settings

One of the important elements in maintaining a secure system that is fully compliant with PCI DSS 2.0 and PA-DSS 2.0 is to use the built-in security features of Microsoft Windows. These features include:
- Password policies
- Account lockout policies
- Idle time and screensaver lockout
- Audit trail
- Windows XP Restore Point settings

We also recommend following some best practices in terms of Windows security:
- Turn on Windows automatic updates and make sure that your computer is always up to date with the latest security patches and updates.
- Do not share Windows accounts between users. All users should have their own unique user accounts.
- Communicate your security and password policies to any employees that have access to your systems or to sensitive cardholder data.
- If you allow vendors or contractors to access your systems remotely, provide them with accounts that are only available temporarily, or change the passwords on any existing accounts that you give them access to.
Note: If you contact pcamerica support for assistance, our support team typically does not need account access to Windows, and can only access your system with express permission from you, and only for the time period that you allow. In this case, there is no need to change your passwords or provide temporary account access.
- Inactive Windows user accounts must be removed at least every 90 days.
- Whenever possible, do not allow public access to computers. If you do allow public access, you should set up idle lockout policies on these computers.

For more information about using Windows in a secure fashion and ensuring compliance with PCI DSS 2.0 and PA-DSS 2.0, it is mandatory that the user, merchant, reseller, or integrator installing and/or using this product reads the topics below and configures the system housing the pcamerica POS Suite accordingly.

Password policies

Windows provides the ability to configure password policies. To access this configuration, go to Start > Control Panel > Administrative Tools, and open Local Security Policy. Expand Account Policies from the tree menu on the left, and click Password Policy. The following settings are mandated by the PCI DSS standard:
- Enforce password history: 4 passwords remembered
- Maximum password age: 90 days
- Minimum password age: 0 days
- Minimum password length: 7 characters
- Password must meet complexity requirements: Enabled
- Store passwords using reversible encryption: Disabled

Note that "Password must meet complexity requirements" will enforce the following requirements for all Windows passwords:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least seven characters in length (the complexity rule on its own only requires six; the separate minimum length setting above is what enforces seven)
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

Mandatory MS-SQL Settings

Overview of MS-SQL Settings

It is mandatory that the Windows system housing the pcamerica POS Suite is not using a default SQL username such as sa and/or a generic or default password.
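A scripted check of the password and lockout settings listed above, so the Local Security Policy can be verified on every register rather than inspected by hand. This is an added example and not pcamerica's code; it assumes PowerShell 3.0 or later and an elevated prompt, and uses the value names that secedit writes in the [System Access] section of its export.

```powershell
# Added example, not pcamerica's code. Exports the effective Local Security
# Policy with secedit and compares the account-policy values against the PCI
# DSS settings listed above plus the lockout settings the overview mentions.
# Run from an elevated prompt; secedit needs administrator rights.

$required = [ordered]@{
    PasswordHistorySize   = @{ Label = 'Enforce password history: at least 4';    Test = { param($v) $v -ge 4 } }
    MaximumPasswordAge    = @{ Label = 'Maximum password age: 1 to 90 days';      Test = { param($v) $v -ge 1 -and $v -le 90 } }  # -1 = never expires
    MinimumPasswordLength = @{ Label = 'Minimum password length: at least 7';     Test = { param($v) $v -ge 7 } }
    PasswordComplexity    = @{ Label = 'Complexity requirements: enabled';        Test = { param($v) $v -eq 1 } }
    ClearTextPassword     = @{ Label = 'Reversible encryption: disabled';         Test = { param($v) $v -eq 0 } }
    LockoutBadCount       = @{ Label = 'Lockout threshold: 1 to 6 attempts';      Test = { param($v) $v -ge 1 -and $v -le 6 } }  # 0 = no lockout
    LockoutDuration       = @{ Label = 'Lockout duration: 30+ minutes or manual'; Test = { param($v) $v -eq -1 -or $v -ge 30 } }
}

function Get-LocalAccountPolicy {
    # secedit writes an INI-style file; [System Access] holds the account policy
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-PciAccountPolicy {
    param([hashtable] $Policy = (Get-LocalAccountPolicy))
    foreach ($name in $required.Keys) {
        $rule   = $required[$name]
        $actual = $Policy[$name]
        # A missing value (LockoutDuration is omitted when lockout is off) is a
        # failure, not a pass: the comparison operators would treat $null as 0.
        $ok = ($null -ne $actual) -and (& ($rule.Test) $actual)
        [pscustomobject]@{
            Setting   = $name
            Actual    = $actual
            Rule      = $rule.Label
            Compliant = $ok
        }
    }
}

$report = Test-PciAccountPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Local account policy does not meet the PCI DSS settings above.'
}
```

On a domain-joined register the domain policy overrides the local one; the export still reflects the effective values, so the check remains valid, but the fix has to be made in Group Policy rather than in Local Security Policy.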

For more information about using MS-SQL in a secure fashion and ensuring compliance with PCI DSS 2.0 and PA-DSS 2.0, it is mandatory that the user, merchant, reseller, or integrator installing and/or using this product reads the information below and configures the system housing the pcamerica POS Suite accordingly.

How to Create the MS-SQL Server Account

1. While logged into Windows using an administrator account, open the command prompt: Start -> Run -> type 'cmd' (without the quotes) -> Click OK.

2. Type the following command to connect to the local SQL Server instance using Windows authentication (-E) and press Enter:

   sqlcmd -S .\PCAMERICA -E

3. You will then see a prompt that starts with '1>'. Enter the following, pressing Enter after each line. Substitute 'xxxxx' with your new password. It is mandatory that you use a strong password: at least one number or special character, as well as a mix of upper and lower case letters. (CHECK_EXPIRATION is turned off so that the application login does not silently expire and stop the registers; CHECK_POLICY is left at its default of ON, so the Windows complexity and lockout policy still applies to this login.)

   create login posapp with password = 'xxxxx', check_expiration = OFF
   GO
   use cresql
   create user posapp for login posapp
   GO
   use cresql
   execute sp_addrolemember db_owner, posapp
   GO

4. When you are done, type EXIT and press Enter, and then you may close the command window. (See illustration below.)

5. Now you will need to reconfigure the pcamerica POS Suite to use the new database login you have just created. At the application's login screen, go to File > Database Maintenance > View Database Settings. Enter the information for your database server, using the user name and password that you just created, and click Done. Repeat step 5 on all of your POS computers.
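After the five steps above, the following check confirms that the instance is not still relying on the default sa login or a blank password, and that the new login is covered by the Windows password policy. This is an added example and not pcamerica's code; it uses the instance name and login name from this guide, and assumes sqlcmd is on the path and that the Windows account running it is a sysadmin on the instance (PWDCOMPARE requires CONTROL SERVER).

```powershell
# Added example, not pcamerica's code. Verifies that the built-in sysadmin
# login is disabled and renamed, that no SQL login has a blank password, and
# that the application login was created with CHECK_POLICY on. Instance and
# login names are the ones used in this guide.

$instance = '.\PCAMERICA'
$appLogin = 'posapp'

$query = @"
SET NOCOUNT ON;
SELECT principal_id, name, is_disabled, is_policy_checked,
       PWDCOMPARE('', password_hash) AS blank_pw
FROM sys.sql_logins;
"@

function Get-SqlLoginState {
    # -E Windows auth, -h -1 no header row, -s ',' column separator, -W strip padding
    $rows = sqlcmd -S $instance -E -h -1 -s ',' -W -Q $query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed against $instance" }
    foreach ($row in $rows) {
        if ($row -notmatch '^\d+,') { continue }   # skip blank and message lines
        $f = $row -split ','
        [pscustomobject]@{
            PrincipalId   = [int]$f[0]
            Name          = $f[1]
            Disabled      = ($f[2] -eq '1')
            PolicyChecked = ($f[3] -eq '1')
            BlankPassword = ($f[4] -eq '1')
        }
    }
}

function Test-SqlLoginHardening {
    $logins   = @(Get-SqlLoginState)
    $findings = @()

    # principal_id 1 is the built-in sysadmin login even after it has been renamed
    $builtin = $logins | Where-Object { $_.PrincipalId -eq 1 }
    if ($builtin.Name -eq 'sa') { $findings += 'built-in sysadmin login still uses the default name sa' }
    if (-not $builtin.Disabled) { $findings += "built-in login $($builtin.Name) is enabled; disable it and administer with Windows authentication" }

    foreach ($l in ($logins | Where-Object { $_.BlankPassword })) {
        $findings += "login $($l.Name) has a blank password"
    }

    $app = $logins | Where-Object { $_.Name -eq $appLogin }
    if (-not $app) { $findings += "application login $appLogin does not exist" }
    elseif (-not $app.PolicyChecked) { $findings += "application login $appLogin was created with CHECK_POLICY = OFF" }

    return $findings
}

$findings = Test-SqlLoginHardening
if ($findings.Count -eq 0) { 'SQL logins: OK' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

The db_owner role granted in step 3 is what the vendor's application requires; it does not need sysadmin, and nothing in the guide asks for the application login to be used for administration, so administer the instance with a separate Windows account.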

Appendix A: Addressing Inadvertent Capture of PAN

Addressing Inadvertent Capture of PAN on WINDOWS 7

Disabling System Restore Windows 7
- Right-click on Computer > Select Properties
- Select System Protection on the top-left list; the System Properties window appears
- Select Configure; the System Protection configuration window appears
- Select Turn off system protection
- Click Apply, and OK to close the System Protection window
- Click OK again to close the System Properties window
- Reboot the computer

Encrypting PageFile.sys Windows 7
* Please note that in order to perform this operation the hard disk must be formatted using NTFS.
- Click on the Windows Orb and in the search box type cmd
- Right-click on cmd.exe and select Run as Administrator

To encrypt the pagefile, type the following command:

   fsutil behavior set EncryptPagingFile 1

The change takes effect after a reboot. To verify the configuration, type the following command:

   fsutil behavior query EncryptPagingFile

If encryption is enabled, "EncryptPagingFile = 1" should appear.

In the event you need to disable pagefile encryption, type the following command:

   fsutil behavior set EncryptPagingFile 0

To verify the configuration, type the following command:

   fsutil behavior query EncryptPagingFile

If encryption is disabled, "EncryptPagingFile = 0" should appear.

Clear the System Pagefile.sys on shutdown

Windows has the ability to clear Pagefile.sys upon system shutdown. This will purge all temporary data from pagefile.sys (temporary data may include system and application passwords, cardholder data (PAN/Track), etc.).

NOTE: Enabling this feature may increase Windows shutdown time.
- Click on the Windows Orb and in the search box type regedit
- Right-click on regedit.exe and select Run as Administrator
- Navigate to HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
- Change the ClearPageFileAtShutdown value from 0 to 1
- Click OK and close Regedit

If the value does not exist, add the following:
- Value Name: ClearPageFileAtShutdown
- Value Type: REG_DWORD
- Value: 1

Disabling System Management of PageFile.sys Windows 7
- Right-click on Computer > Select Properties
- Select Advanced System Settings on the top-left list; the System Properties window appears
- Under Performance select Settings and go to the Advanced tab
- Select Change under Virtual Memory; the Virtual Memory window appears

- Uncheck Automatically manage paging file size for all drives
- Select Custom size
- Enter the following for the size selections:
  - Initial size: as a good rule of thumb, the size should be equivalent to the amount of memory in the system.
  - Maximum size: as a good rule of thumb, the size should be equivalent to 2x the amount of memory in the system.
- Click Set so the new sizes are recorded, then OK, OK, and OK
- You will be prompted to reboot your computer.

Disabling Windows Error Reporting Windows 7
- Open the Control Panel
- Open the Action Center
- Select Change Action Center settings
- Select Problem reporting settings
- Select Never check for solutions
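The Appendix A settings as one script that reports the current state of each and can apply them all, which is easier to repeat across registers than the GUI steps above. This is an added example and not pcamerica's code; it assumes PowerShell 3.0 or later and an elevated prompt, uses Get-WmiObject because it is available on Windows 7, and assumes that the machine-wide Disabled value under the Windows Error Reporting key is what the Action Center "Never check for solutions" switch controls.

```powershell
# Added example, not pcamerica's code. Reports and applies the Appendix A
# settings: pagefile encryption, clear-pagefile-at-shutdown, manual pagefile
# sizing, Windows Error Reporting, and System Restore on the system drive.
# Run elevated. Registry paths are the documented locations; the WER 'Disabled'
# value is assumed to be the machine-wide equivalent of the Action Center switch.

$memKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'

function Get-PanLeakProtectionState {
    # fsutil prints "EncryptPagingFile = 1" when enabled
    $encrypted = [bool]((fsutil behavior query EncryptPagingFile) -match '=\s*1')

    $clear = (Get-ItemProperty -Path $memKey -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $wer   = (Get-ItemProperty -Path $werKey -Name Disabled -ErrorAction SilentlyContinue).Disabled

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Win32_PageFileSetting only has rows once automatic management is off
    $pf = Get-WmiObject -Class Win32_PageFileSetting | Select-Object -First 1
    $ramMB = [int][math]::Round($cs.TotalPhysicalMemory / 1MB)

    [pscustomobject]@{
        PagefileEncrypted       = $encrypted
        ClearPagefileAtShutdown = ($clear -eq 1)
        ErrorReportingDisabled  = ($wer -eq 1)
        PagefileManuallySized   = (-not $cs.AutomaticManagedPagefile) -and ($null -ne $pf)
        PhysicalMemoryMB        = $ramMB
        PagefileInitialMB       = $(if ($pf) { $pf.InitialSize } else { $null })
        PagefileMaximumMB       = $(if ($pf) { $pf.MaximumSize } else { $null })
        # the guide's rule of thumb: initial = RAM, maximum = 2 x RAM
        SizeMatchesGuidance     = [bool]($pf -and $pf.InitialSize -ge $ramMB -and $pf.MaximumSize -ge 2 * $ramMB)
    }
}

function Set-PanLeakProtection {
    fsutil behavior set EncryptPagingFile 1 | Out-Null   # takes effect after a reboot
    Set-ItemProperty -Path $memKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
    if (-not (Test-Path -Path $werKey)) { New-Item -Path $werKey -Force | Out-Null }
    Set-ItemProperty -Path $werKey -Name Disabled -Value 1 -Type DWord
    # scripted equivalent of "Turn off system protection" for the system drive
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
}

Get-PanLeakProtectionState | Format-List
# To apply everything and re-check:
# Set-PanLeakProtection; Get-PanLeakProtectionState | Format-List
```

Pagefile sizing is deliberately left to the GUI steps above (or to Win32_PageFileSetting, which is also writable) because the right numbers depend on the register's installed memory; the report shows whether the current values follow the guide's rule of thumb.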



More information

PCI PA DSS. PBMUECR Implementation Guide

PCI PA DSS. PBMUECR Implementation Guide Point Transaction Systems SIA PCI PA DSS PBMUECR 02.21.002 Implementation Guide Author: Filename: D01_PBMUECR_Implementation_Guide_v1_3.docx Version: 1.3 Date: 2014-07-17 Circulation: Edited : 2014-07-17

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

NETePay 5.0 CEPAS. Installation & Configuration Guide. (for the State of Michigan) Part Number:

NETePay 5.0 CEPAS. Installation & Configuration Guide. (for the State of Michigan) Part Number: NETePay 5.0 Installation & Configuration Guide CEPAS (for the State of Michigan) Part Number: 8660.58 NETePay Installation & Configuration Guide Copyright 2012 Datacap Systems Inc. All rights reserved.

More information

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

Implementation Guide for PCI Compliance Microsoft Dynamics Retail Management System (RMS)

Implementation Guide for PCI Compliance Microsoft Dynamics Retail Management System (RMS) Implementation Guide for PCI Compliance Microsoft Dynamics Retail Management System (RMS) January 2011 (last modified July 2012) Microsoft Dynamics is a line of integrated, adaptable business management

More information

Oracle Hospitality OPERA Cloud Services PA-DSS 3.1 Implementation Guide Release 1.20 Part Number: E February 2016

Oracle Hospitality OPERA Cloud Services PA-DSS 3.1 Implementation Guide Release 1.20 Part Number: E February 2016 Oracle Hospitality OPERA Cloud Services PA-DSS 3.1 Implementation Guide Release 1.20 Part Number: E69080-01 February 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software

More information

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0 Implementation Guide Payment Card Industry Data Security Standard 2.0 Guide version 4.0 Copyright 2012 Payment Processing Partners Inc. All rights reserved. ChargeItPro and ChargeItPro EasyIntegrator are

More information

Oracle Hospitality OPERA 5 PA-DSS 3.1 Implementation Guide Release (5.5.X.X) Part Number: E

Oracle Hospitality OPERA 5 PA-DSS 3.1 Implementation Guide Release (5.5.X.X) Part Number: E Oracle Hospitality OPERA 5 PA-DSS 3.1 Implementation Guide Release 5.5.1.0 (5.5.X.X) Part Number: E72248-01 September 2017 Copyright 1987, 2017, Oracle and/or its affiliates. All rights reserved. This

More information

NETePay XML. Sterling Terminal. Installation & Configuration Guide. Version Via NetConnect. NETePay XML for Sterling Terminal 1

NETePay XML. Sterling Terminal. Installation & Configuration Guide. Version Via NetConnect. NETePay XML for Sterling Terminal 1 NETePay XML Installation & Configuration Guide Sterling Terminal Via NetConnect Version 4.00 NETePay XML for Sterling Terminal 1 NETePay XML Installation & Configuration Guide Copyright 2006 Datacap Systems

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C All university merchant departments accepting credit cards

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Oracle Hospitality Cruise Shipboard Property Management System PA-DSS 3.2 Implementation Guide Release 8.0 E

Oracle Hospitality Cruise Shipboard Property Management System PA-DSS 3.2 Implementation Guide Release 8.0 E Oracle Hospitality Cruise Shipboard Property Management System PA-DSS 3.2 Implementation Guide Release 8.0 E85715-03 June 2018 Copyright 1995, 2018, Oracle and/or its affiliates. All rights reserved. This

More information

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016 Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E69079-01 June 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security

More information

Verifone Finland PA-DSS

Verifone Finland PA-DSS Verifone Finland PA-DSS Implementation Guide Atos Worldline Yomani & Yomani ML 3.00.xxxx.xxxx Verifone Vx520, Vx520C, Vx680, Vx690, Vx820 & Ux300 VPFIPA0401.xx.xx Implementation Guide Contents 1 Revision

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer v1.0 December 2017 pci-dss@cryptosense.com 1 Contents 1. Introduction 3 2. Technical and Procedural Requirements 3 3. Requirements

More information

PCI COMPLIANCE IS NO LONGER OPTIONAL

PCI COMPLIANCE IS NO LONGER OPTIONAL PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry

More information

Daxko s PCI DSS Responsibilities

Daxko s PCI DSS Responsibilities ! Daxko s PCI DSS Responsibilities According to PCI DSS requirement 12.9, Daxko will maintain all applicable PCI DSS requirements to the extent the service prov ider handles, has access to, or otherwise

More information

PCI PA-DSS Implementation Guide

PCI PA-DSS Implementation Guide PCI PA-DSS Implementation Guide For Verifone VX 820 and Verifone VX 825 terminals using the Verifone ipos payment core I02.01 Software Page number 2 (21) Revision History Version Name Date Comments 1.00

More information

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance GlobalSCAPE EFT Server HS Module High Security Facilitating Enterprise PCI DSS Compliance Detail Review Table of Contents Understanding the PCI DSS 3 The Case for Compliance 3 The Origin of the Standard

More information

NETePay XML 4.0. Installation & Configuration Guide. For Concord EFSNet Supporting U.S. Debit. Part Number: (ML) (SL) Version 4.

NETePay XML 4.0. Installation & Configuration Guide. For Concord EFSNet Supporting U.S. Debit. Part Number: (ML) (SL) Version 4. NETePay XML 4.0 Installation & Configuration Guide Version 4.01 For Concord EFSNet Supporting U.S. Debit Part Number: 8660.50 (ML) 8660.51 (SL) NETePay XML Installation & Configuration Guide Copyright

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard Systems Security Standard ( v3.2) Page 1 of 11 Version and Ownership Version Date Author(s) Comments 0.01 26/9/2016

More information

PCI PA DSS. MultiPOINT Implementation Guide

PCI PA DSS. MultiPOINT Implementation Guide PCI PA DSS MultiPOINT 02.20.071 Implementation Guide Author: Sergejs Melnikovs Filename: D01_MultiPOINT_Implementation_Guide_v1_9_1.docx Version: 1.9.1 (ORIGINAL) Date: 2015-02-20 Circulation: Restricted

More information

NETePay 5.0. Heartland (Terminal) Installation & Configuration Guide. Part Number: With Dial Backup. NETePay Heartland (Terminal) 1

NETePay 5.0. Heartland (Terminal) Installation & Configuration Guide. Part Number: With Dial Backup. NETePay Heartland (Terminal) 1 NETePay 5.0 Installation & Configuration Guide Heartland (Terminal) With Dial Backup Part Number: 8660.65 NETePay 5.0 - Heartland (Terminal) 1 NETePay Installation & Configuration Guide Copyright 2010

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

The Prioritized Approach to Pursue PCI DSS Compliance

The Prioritized Approach to Pursue PCI DSS Compliance PCI DSS PrIorItIzeD APProACh The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, requirements structure for securing cardholder

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage

More information

NETePay 5.0. Mercury Payment Systems Canadian EMV. Installation & Configuration Guide. Part Number: With Dial Backup

NETePay 5.0. Mercury Payment Systems Canadian EMV. Installation & Configuration Guide. Part Number: With Dial Backup NETePay 5.0 Installation & Configuration Guide Mercury Payment Systems Canadian EMV With Dial Backup Part Number: 8705.27 NETePay 5.0 - Mercury - Canadian EMV 1 NETePay Installation & Configuration Guide

More information

DCRS has posted this. on the DCRS website (in Services and PCI sections) (or contact DCRS for a copy).

DCRS has posted this. on the DCRS website (in Services and PCI sections) (or contact DCRS for a copy). UnifyPOS v10 PA-DSS Implementation Guide The Payment Card Industry s (PCI) Payment Application Data Security Standards (PA-DSS) require Osprey Retail Systems (ORS) to produce a document for customers,

More information

Oracle Hospitality OPERA Property Management Versions: , , , , and PA-DSS 3.0 Implementation Guide

Oracle Hospitality OPERA Property Management Versions: , , , , and PA-DSS 3.0 Implementation Guide v Oracle Hospitality OPERA Property Management Versions: 5.0.04.00, 5.0.04.01, 5.0.04.02, 5.0.04.03, and 5.0.05.00 PA-DSS 3.0 Implementation Guide Document Version: 1.0 Part Number: E68000-01 Date: 8/16/2017

More information

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide PCI DSS Version: V3.1, Rev 1.1 Prepared for: The University of Tennessee Merchants The University of Tennessee Foundation

More information

PCI Guidance for Restaurant Manager Versions

PCI Guidance for Restaurant Manager Versions PCI Guidance for Restaurant Manager Versions 15.1-18.0 Software, Installation, Server Network, Wireless, & Operations Last Update: 12/13/2011 Contents Notice... 3 About this Document... 3 Introduction...

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

NETePay XML. Installation & Configuration Guide. For Sterling Payment Technologies Using Paymentech Terminal. Via NetConnect Supporting Dial Backup

NETePay XML. Installation & Configuration Guide. For Sterling Payment Technologies Using Paymentech Terminal. Via NetConnect Supporting Dial Backup NETePay XML Installation & Configuration Guide For Sterling Payment Technologies Using Paymentech Terminal Via NetConnect Supporting Dial Backup Version 4.14 Part Number: 8703.92 (ML) NETePay XML Installation

More information

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

A Perfect Fit: Understanding the Interrelationship of the PCI Standards A Perfect Fit: Understanding the Interrelationship of the PCI Standards 9/5/2008 Agenda Who is the Council? Goals and target for today s Webinar Overview of the Standards and who s who PCI DSS PA-DSS PED

More information

Data Security Standard

Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved.

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.0 February 2014 Document Changes

More information

Self-Assessment Questionnaire A

Self-Assessment Questionnaire A Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance All cardholder data functions outsourced. No Electronic Storage, Processing, or Transmission

More information

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions. If your business processes Visa and MasterCard debit or credit card transactions, you need to have Payment Card Industry Data Security Standard (PCI DSS) compliance. We understand that PCI DSS requirements

More information

NETePay XML. Installation & Configuration Guide. For Concord EFSnet. Version 3.11

NETePay XML. Installation & Configuration Guide. For Concord EFSnet. Version 3.11 NETePay XML Installation & Configuration Guide Version 3.11 For Concord EFSnet NETePay XML Installation & Configuration Guide Copyright 2007 Datacap Systems Inc. All rights reserved. This manual and the

More information

Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.

Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2. Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.1 Assessor Company: Control Gap Inc. Contact Email: info@controlgap.com

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire A-EP For use with PCI DSS Version 3.2.1 July 2018 Section 1: Assessment Information Instructions

More information

PCI DSS and VNC Connect

PCI DSS and VNC Connect VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a

More information

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives AuthAnvil for Retail IT Exploring how AuthAnvil helps to reach compliance objectives As companies extend their online

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage

More information

Oracle Hospitality OPERA Property Management Security Guide Versions: Part Number: E

Oracle Hospitality OPERA Property Management Security Guide Versions: Part Number: E Oracle Hospitality OPERA Property Management Security Guide Versions: 5.0.05.00 Part Number: E67891-01 May 2016 Copyright 2015, Oracle and/or its affiliates. All rights reserved. This software and related

More information

NETePay XML. Installation & Configuration Guide. For Moneris (Public) Version 3.00

NETePay XML. Installation & Configuration Guide. For Moneris (Public) Version 3.00 NETePay XML Installation & Configuration Guide Version 3.00 For Moneris (Public) NETePay XML Installation & Configuration Guide Copyright 2005 Datacap Systems Inc. All rights reserved. This manual and

More information