PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90

Similar documents
PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201

PCI PA DSS. PBMUECR Implementation Guide

PCI PA DSS. MultiPOINT Implementation Guide

Verifone Finland PA-DSS

PA-DSS Implementation Guide For

PCI PA DSS Implementation Guide For Atos Worldline Banksys YOMANI XR terminals using the SAPC Y02.01.xxx Payment Core (Stand Alone)

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)

PCI PA DSS Implementation Guide

Ready Theatre Systems RTS POS

PCI PA-DSS Implementation Guide

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. April 2017

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PCI PA-DSS Implementation Guide

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

PA-DSS Implementation Guide

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

Epicor Eagle PA-DSS 2.0 Implementation Guide

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

University of Sunderland Business Assurance PCI Security Policy

Stripe Terminal Implementation Guide

Implementation Guide paypoint version 5.08.xx, 5.11.xx, 5.13.xx, 5.14.xx, 5.15.xx

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Implementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Implementation Guide paypoint v5.08.x, 5.11.x, 5.12.x, 5.13.x and 5.14.x

Sage Payment Solutions

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0.

PA DSS Implementation Guide For Verifone terminals e355 and Vx690 using the VEPP NB application version x

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Payment Card Industry (PCI) Data Security Standard

The Prioritized Approach to Pursue PCI DSS Compliance

QuickSale for QuickBooks Version 2.2.*.* Secure Payment Solutions Client Implementation Document PA-DSS 3.2 Last Revision: 03/14/2017

Voltage SecureData Mobile PCI DSS Technical Assessment

Activant Eagle PA-DSS Implementation Guide

Summary of Changes from PA-DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Information about this New Document

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Rural Computer Consultants

Installation & Configuration Guide

Daxko s PCI DSS Responsibilities

Understanding the Intent of the Requirements

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

Payment Card Industry (PCI) Data Security Standard

NETePay 5.0 CEPAS. Installation & Configuration Guide. (for the State of Michigan) Part Number:

Total Security Management PCI DSS Compliance Guide

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

FTD MERCURY X2 IMPLEMENTATION GUIDE FOR PA-DSS

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide

IDPMS 4.1. PA-DSS implementation guide. Document version D01_IDPMS.1.1. By Dennis van Hilten. Amadeus Breda The Netherlands

Oracle Hospitality Suite8 Property Version: x PA-DSS 3.2 Implementation Guide. Date: 07/11/2017

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Oracle Hospitality OPERA Cloud Services PA-DSS 3.1 Implementation Guide Release 1.20 Part Number: E February 2016

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

The Prioritized Approach to Pursue PCI DSS Compliance

Payment Card Industry (PCI) Data Security Standard

Oracle Hospitality OPERA 5 PA-DSS 3.1 Implementation Guide Release (5.5.X.X) Part Number: E

Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security

University of Colorado

Attestation of Compliance, SAQ D

Navigating the PCI DSS Challenge. 29 April 2011

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Payment Card Industry (PCI) Data Security Standard

Third-Party Service Provider/Auto Club Group (ACG) PCI DSS Responsibility Matrix

PCI Guidance for Restaurant Manager Versions

Applying Oracle Technologies in PCI DSS certification process

Payment Card Industry (PCI) Data Security Standard

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

Oracle Hospitality OPERA Property Management Versions: , , , , and PA-DSS 3.0 Implementation Guide

Old requirement New requirement Detail Effect Impact

Oracle Hospitality RES 3700 PA-DSS 3.1 Implementation Guide Release 5.5 E June 2016

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

NETePay 5. Monetary Host. Installation & Configuration Guide. Part Number: Version Includes PCI PA-DSS 3.2 Implementation Guide

Payment Card Industry (PCI) Data Security Standard

Oracle Hospitality e7 PA-DSS 3.2 Implementation Guide Release 4.4.X E May 2018

Requirements for University Related Activities that Accept Payment Cards

Assessor Company: Control Gap Inc. Contact Contact Phone: Report Date: Report Status: Final

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

NETePay 5. TSYS Host. Installation & Configuration Guide V5.07. Part Number: With Dial Backup. Includes PA-DSS V3.2 Implementation Guide

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers

NETePay 5. Installation & Configuration Guide. Vantiv Integrated Payments. With Non-EMV Dial Backup V Part Number:

PCI DSS Responsibility Matrix PCI DSS 3.2 Requirement

Payment Card Industry Self-Assessment Questionnaire

Section 1: Assessment Information

Payment Card Industry (PCI) Data Security Standard

Segmentation, Compensating Controls and P2PE Summary

Transcription:

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90

Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review and update of document Page 2 of 12

References #no Reference title Version [1] Payment Card Industry Payment Application Data Security Standard 2.0 [2] Payment Card Industry Data Security Standard 2.0 [3] Security Requirements for an EFTPOS Terminal 3.0 [4] PCI PIN Security Requirements 1.0 Page 3 of 12

Table of Contents REVISION HISTORY 2 REFERENCES 3 INTRODUCTION 6 BACKGROUND 6 PURPOSE 6 USAGE FEL! BOKMÄRKET ÄR INTE DEFINIERAT. ABBREVIATIONS 6 PA-DSS REQUIREMENTS 7 1.1.4 DELETE SENSITIVE AUTHENTICATION DATA STORED BY PREVIOUS PAYMENT APPLICATION VERSIONS 7 7 7 1.1.5 DELETE SENSITIVE AUTHENTICATION DATA STORED BY PREVIOUS PAYMENT APPLICATION VERSIONS 7 7 7 2.1 PURGE CARDHOLDER DATA AFTER CUSTOMER-DEFINED RETENTION PERIOD. 7 7 8 2.5 PROTECT KEYS USED TO SECURE CARDHOLDER DATA AGAINST DISCLOSURE AND MISUSE. 8 8 8 2.6 IMPLEMENT KEY MANAGEMENT PROCESSES AND PROCEDURES FOR CRYPTOGRAPHIC KEYS USED FOR ENCRYPTION OF CARDHOLDER DATA. 8 8 8 2.7 RENDER IRRETRIEVABLE CRYPTOGRAPHIC KEY MATERIAL OR CRYPTOGRAMS STORED BY PREVIOUS PAYMENT APPLICATION VERSIONS. 8 8 8 3.1 USE UNIQUE USER IDS AND SECURE AUTHENTICATION FOR ADMINISTRATIVE ACCESS AND ACCESS TO CARDHOLDER DATA. 8 9 9 3.2 USE UNIQUE USER IDS AND SECURE AUTHENTICATION FOR ACCESS TO PCS, SERVERS, AND DATABASES WITH PAYMENT APPLICATIONS. 9 9 9 4.1 IMPLEMENT AUTOMATED AUDIT TRAILS. 9 9 9 4.4 FACILITATE CENTRALIZED LOGGING. 9 9 9 5.4 USE ONLY NECESSARY AND SECURE SERVICES, PROTOCOLS, COMPONENTS, AND DEPENDENT SOFTWARE AND HARDWARE, INCLUDING THOSE PROVIDED BY THIRD PARTIES. 9 9 10 6.1 SECURELY IMPLEMENT WIRELESS TECHNOLOGY. 10 10 10 Page 4 of 12

6.2 SECURE TRANSMISSIONS OF CARDHOLDER DATA OVER WIRELESS NETWORKS. 10 10 10 9.1 STORE CARDHOLDER DATA ONLY ON SERVERS NOT CONNECTED TO THE INTERNET. 10 11 11 10.2 IMPLEMENT TWO-FACTOR AUTHENTICATION FOR REMOTE ACCESS TO PAYMENT APPLICATION. 11 11 11 10.3.1 SECURELY DELIVER REMOTE PAYMENT APPLICATION UPDATES. 11 11 11 10.3.2 SECURELY IMPLEMENT REMOTE ACCESS SOFTWARE. 11 11 11 11.1 SECURE TRANSMISSIONS OF CARDHOLDER DATA OVER PUBLIC NETWORKS. 11 11 12 11.2 ENCRYPT CARDHOLDER DATA SENT OVER ENDUSER MESSAGING TECHNOLOGIES. 12 12 12 12.1 ENCRYPT NON-CONSOLE ADMINISTRATIVE ACCESS. 12 12 12 Page 5 of 12

Introduction Background The Payment Card Industry Data Security Standard (PCI-DSS) defines specific requirements to make sure that the payment equipment are configured, used and maintained in the merchant s payment environment in a way that card transactions are stored, processed and transferred in a secure way. The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the PCI DSS Requirements and Security Assessment Procedures. The PA-DSS applies to terminal vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. In order to help merchants to fulfill those requirements the terminal vendor obtains a PA-DSS approval to demonstrate that the payment application follows the PCI DSS. The purpose of this guide The purpose of this PA DSS implementation guide is to provide merchants and integrators with information on how to use, install, maintain and secure a PCI DSS compliant environment for Onslip PAYAPP and the Onslip payment equipment in a way that does not compromise the PCI DSS compliance. The merchant is responsible for creating and maintaining a PCI compliant environment with the help of this guide and the PCI regulations. The merchant will also find installation guides, quick guides for how to install and use a card terminal and this implementation guide at Onslip support web site, http://support.onslip.com. Abbreviations Abbreviation Full name PCI-DSS PA DSS ECR PNC E2EE PPL SSL IPSEC Payment Industry Data Security Standard Payment Application Data Security Standard Electronic Cash Register Pan Nordic Card Association End To End Encryption Program and parameter loading Secure Sockets Layer Internet Protocol Security Page 6 of 12

PA-DSS Requirements 1.1.4 Delete sensitive authentication data stored by previous payment application versions Historical data must be removed (magnetic stripe data, card verification codes, PINs, or PIN blocks stored by previous versions of the payment application) How to remove historical data Such removal is absolutely necessary for PCI DSS compliance The payment application does not store any historical cardholder data in the payment application from any processed and transmitted card transaction. Therefor there is no need to delete historical cardholder data and such functionality is not provided. The merchant is responsible to make sure that any historical cardholder data (magnetic stripe data, card verification codes, Pins or Pin blocks) is removed from all surrounding storage devices used in the merchant s computers, ECRs, data storage or electronic cash registers. If the merchants absolutely need to enter PAN, expiration date and CVV2 manually the merchant shall never ever write down or otherwise store such sensitive cardholder data. 1.1.5 Delete sensitive authentication data stored by previous payment application versions Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem Such data must be stored only in specific, known locations with limited access Only collect a limited amount of such data as needed to solve a specific problem Sensitive authentication data must be encrypted while stored Such data must be securely deleted immediately after use The payment application does not store any historical cardholder data in the payment application from any processed and transmitted card transaction. The payment application will check if there exist any store-andforward (S&F) transactions that have not been transferred to the host using previous application version of payment application. The new payment application will make sure that all transaction data in S&F will be sent and thereafter be completely erased from payment application. 2.1 Purge cardholder data after customer-defined retention period. Cardholder data must be purged after it exceeds the customer-defined retention period All locations where payment application stores cardholder data Cardholder data is sent encrypted in the authorization message making the transaction end-to-end encrypted required by PNC, the E2EE requirement and the requirements described in the specification Security Requirements for an EFTPOS Terminal. If the host is unavailable sensitive cardholder data of the transaction will be stored fully encrypted in a store-and-forward (S&F) queue. All transaction data in S&F will be sent immediately when host is available and will thereafter be completely erased from S&F queue when host have accepted the transaction. Page 7 of 12

2.5 Protect keys used to secure cardholder data against disclosure and misuse. Restrict access to keys to the fewest number of custodians necessary. Store keys securely in the fewest possible locations and forms All keys used to secure encryption are stored in a secure memory of the terminal, which is never allowed to be accessed by the payment application. The key loading is handled in a secure environment where a limited amount of key custodians have access to the key loading facility following PCI PIN Security Requirements. 2.6 Implement key management processes and procedures for cryptographic keys used for encryption of cardholder data. How to securely generate, distribute, protect, change, store, and retire/replace encryption keys, where customers or resellers/integrators are involved in these key management activities. A sample Key Custodian form for key custodians to acknowledge that they understand and accept their key-custodian responsibilities. How to perform key management functions defined in PA-DSS requirements 2.6.1 through 2.6.7. The key management process where the most secure keys are loaded in a secure environment follows procedures defined by the PCI PIN Security Requirements and the specifications defined by acquiring banks. 2.7 Render irretrievable cryptographic key material or cryptograms stored by previous payment application versions. Cryptographic material must be rendered irretrievable How to render cryptographic material irretrievable Such irretrievability is absolutely necessary for PCI compliance How to re-encrypt historic data with new keys The payment application does not store any cryptographic key material or cryptograms. 3.1 Use unique user IDs and secure authentication for administrative access and access to cardholder data. That the payment application enforces secure authentication for any authentication credentials (e.g. users, passwords) that the application generates by: - Enforcing secure changes to authentication credentials by the completion of installation and for any subsequent changes (after installation) per PA-DSS requirements 3.1.1 through 3.1. Assign secure authentication to default accounts (even if not used), and disable or do not use the accounts. Page 8 of 12

How to change and create authentication credentials when such credentials are not generated or managed by the payment application, per PCI DSS Requirements 8.5.8 through 8.5.15, by the completion of installation and for subsequent changes after installation, for all application level accounts with administrative access or access to cardholder data. The payment application has no administrative access to any sensitive cardholder data. Any existing administrative access is used for common configuration of the terminal. 3.2 Use unique user IDs and secure authentication for access to PCs, servers, and databases with payment applications. Use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data, PA-DSS requirements 3.1.1 through 3.1.10. The payment application has no administrative access to any sensitive cardholder data. Any existing administrative access is used for common configuration of the terminal. 4.1 Implement automated audit trails. Set PCI DSS-compliant log settings, per PA-DSS Requirements 4.2, 4.3 and 4.4 Logs must be enabled, and disabling the logs will result in non-compliance with PCI DSS. The payment application has no administrative access to any sensitive cardholder data. 4.4 Facilitate centralized logging. Provide instructions and procedures for incorporating the payment application logs into a centralized logging server. The payment application has no administrative access to any sensitive cardholder data. 5.4 Use only necessary and secure services, protocols, components, and dependent software and hardware, including those provided by third parties. Document all required protocols, services, components, and dependent software and hardware that are necessary for any functionality of the payment application. Any data sent over public networks are either SSL/TLS- or IPSec-encrypted. Page 9 of 12

6.1 Securely implement wireless technology. If wireless is used within payment environment: Change wireless vendor defaults, including default wireless encryption keys, passwords, and SNMP community strings Install a firewall: - Between any wireless networks and systems that store cardholder data, and - Configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment Any wireless network shall be setup and maintained as a secure wireless network at all times. If the merchant uses a wireless network within the office network the merchant must make sure to: 1. Always change all wireless vendor default settings of wireless encryption keys, passwords or SNMP community strings and other related security settings for any wireless product used in the network. 2. Always use a minimum of WPA2 for encryption for wireless traffic and never use any wireless network without encryption or any less secure encryption such as WEP. 3. Always update firmware for any wireless products used in the network to support strongest possible encryption using IEEE 802.11i (WPA2) for authentication and data transmission over the wireless network. 4. Always change encryption keys, router/firewall settings or any other security issues each time an merchant employee leaves the company, have no need of knowing such security details or changing position where access to such security details are not needed anymore. 5. Always configure to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. 6.2 Secure transmissions of cardholder data over wireless networks. If payment application is implemented into a wireless environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission of cardholder data. Any wireless network shall be setup and maintained as a secure wireless network at all times. If the merchant uses a wireless network within the office network the merchant must make sure to: 1. Always change all wireless vendor default settings of wireless encryption keys, passwords or SNMP community strings and other related security settings for any wireless product used in the network. 2. Always use a minimum of WPA2 for encryption for wireless traffic and never use any wireless network without encryption or any less secure encryption such as WEP. 3. Always update firmware for any wireless products used in the network to support strongest possible encryption using IEEE 802.11i (WPA2) for authentication and data transmission over the wireless network. 4. Always change encryption keys, router/firewall settings or any other security issues each time an merchant employee leaves the company, have no need of knowing such security details or changing position where access to such security details are not needed anymore. 5. Always configure to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. 9.1 Store cardholder data only on servers not connected to the Internet. Do not store cardholder data on Internet-accessible systems (for example, web server and database server must not be on same server). Page 10 of 12

No sensitive cardholder data are stored on any servers. 10.2 Implement two-factor authentication for remote access to payment application. Use two-factor authentication (user ID and password and an additional authentication item such as a token) if the payment application may be accessed remotely. There is no remote access allowed to the payment application. 10.3.1 Securely deliver remote payment application updates. Activate remote-access technologies for payment application updates only when needed for downloads, and turn off immediately after download completes, per PCI DSS Requirement 12.3.9. If computer is connected via VPN or other high-speed connection, receive remote payment application updates via a securely configured firewall or personal firewall per PCI DSS Requirement 1. The payment application will initiate an update when needed by fetching software and parameters over secure Internet connection using secure FTP connection to PPL terminal management system following the PPL specification. The merchant need to make sure that a merchant managed PPL terminal management system or other third party PPL terminal management system have been implemented in a PCI DSS certified environment. 10.3.2 Securely implement remote access software. Implement and use remote access software security features if remote access software is used to remotely access the payment application or payment environment. There is no remote access allowed to the payment application. 11.1 Secure transmissions of cardholder data over public networks. Implement and use strong cryptography and security protocols for secure cardholder data transmission over public networks. Cardholder data is sent encrypted in the authorization message making the transaction end-to-end encrypted required by PNC, the E2EE requirement and the requirements described in the specification Security Requirements for an EFTPOS Terminal. The encrypted transaction is transferred to the bank hosts using SSL and IPSEC protocols to make it secure and not transferred on open public networks. Page 11 of 12

11.2 Encrypt cardholder data sent over enduser messaging technologies. Implement and use a solution that renders the PAN unreadable or implements strong cryptography if PANs can be sent with end-user messaging technologies. There are no such messaging technologies. 12.1 Encrypt non-console administrative access. Implement and use strong cryptography (such as SSH, VPN, or SSL/TLS) for encryption of any non-console administrative access to payment application or servers in cardholder data environment. There is no remote access allowed to the payment application. Page 12 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback