Activant Eagle PA-DSS Implementation Guide


This manual contains reference information about software products from Activant Solutions Inc. The software described in this manual and the manual itself are furnished under the terms and conditions of a license agreement. The software consists of software options that are separately licensed. It is against the law to copy the software on any medium, or to enable any software options, except as specifically permitted under the license agreement. In addition, no part of this manual may be copied or transmitted in any form or by any means without the prior written permission of Activant Solutions Inc.

From time to time, Activant makes changes to its software products. Therefore, information in this manual is subject to change, and the illustrations and screens that appear in the manual may differ somewhat from the version of the software provided to you.

Created by Learning Products and Education
Copyright: 2010 Activant Solutions Inc. All rights reserved.
Activant, the Activant stylized logo design, and Eagle are registered trademarks, and Activant Eagle is a trademark, of Activant Solutions Inc. All other trademarks are property of their respective owners.

Activant Solutions Inc.
7683 Southfront Road
Livermore, CA 94551

Document No. EL2211
Publication Date: May 2010

EL2211 Activant PA-DSS Implementation Guide 2

Introduction

Additional Resources

For your convenience, this document encapsulates the procedures from the PA-DSS Technical Manual. If desired, you can download the technical manual from the Activant website, but this is optional. Click the following link to access the document:
http://www.activant.com/eaglecustomers/dms/docsearch.cfm?category=misc

PA-DSS Setup Overview

Use this document to guide you through the PCI implementation process. To proceed, the following must be true:

- You have installed Eagle for Windows Release 19.1. If you use Eagle Mobile, you must be on Eagle Mobile release 1.5.0.57 or higher.
- You have worked with your Local Platform Specialist (LPS) to address any upgrades to peripherals or changes to your network setup.

The procedures described in this document include:

- Install and Set Up SecureAccess
- Install and Set Up SSH for Legacy RF Guns
- Set Up Options
- Change Users' Security Bits
- Microsoft Windows Setup
- Run OSPREY Utilities
- Review Additional Information
- Indicate Your System Is Now PCI Compliant
- Maintain Your Security Updates

Install and Set Up SecureAccess

You must install the SecureAccess application on every PC from which you access any of the Network Access ("legacy") applications. To download SecureAccess, visit the PCI Readiness website at:
https://www.activant.com/eaglecustomers/pci/

Install and Set Up SSH for Legacy RF Guns

You must install and set up an SSH version of the Wavelink emulation software for legacy RF guns, including the Motorola (Symbol) MC3090, Motorola (Symbol) MC9090, and Datalogic Falcon 4423. For the procedure, see document number EL2209, Installing the TelnetCE SSH Plug-In Component, which is available on the Activant website:
http://www.activant.com/eaglecustomers/dms/files/el2209_installing_the_telnetCE_SSH_plug-in_component_final.pdf

Set Up Options

In Options Configuration, click ID, type the option ID number from the table below, and click OK. Click in the Current Value column, and select the setting indicated in the table. Repeat this process for each option listed in the table.

ID#    Option Description                                                Set Option to this
311    Days to store credit card numbers in Quick Recall                 180 days or less
1098   NetAccess.net on system                                           Yes
1099   CHILKAT on System                                                 Yes
8965   Eagle for Windows startup action when trace logging is enabled    D-Deny

Additional information:

Option 311: Card numbers older than the value in this option are truncated with x's (e.g., 1234xxxxxxxx5678) when you run QRCCC (see Run OSPREY Utilities). PA-DSS Requirements 1.1.4 and 2.1: it is both the merchant's and the reseller's responsibility to remove any sensitive authentication data (magnetic stripe data, card validation values or codes, PINs or PIN block data, cryptographic key material, or cryptograms (e.g., encrypted credit card numbers)) stored by previous versions of the Eagle for Windows software. It is the responsibility of Activant Solutions Inc. to provide a means to do this. Removal of this prohibited historical data is absolutely necessary for PCI compliance.

Option 1098: NetAccess.net tells Eagle for Windows to launch SecureAccess in place of Network Access, and disables Telnet upon the next reboot, so that only SSH (through SecureAccess) is allowed. Options 1098 and 1099 together fulfill PA-DSS Requirements 2.3, 1.1.5, 1.1.5.b, and 2.2.2.

Option 1099: CHILKAT is the name of the program used for Secure FTP (SFTP) over SSH. This option tells Eagle for Windows to use SFTP in place of all FTP functions, and it disables normal FTP on the next reboot.

Option 8965: D-Deny ensures that trace logs are never written to the local PC if trace logging is enabled on the system.

Change Users' Security Bits

Guidelines for Password Controls

The following are the PA-DSS guidelines for password controls.

- You are advised against using administrative accounts for application logins (e.g., do not use the sa account for application access to the database). (PA-DSS 3.1c)
- You are advised to assign strong passwords to these default accounts (even if they will not be used), and then disable or do not use the accounts. (PA-DSS 3.1c)
- You are advised to assign strong application and system passwords whenever possible. (PA-DSS 3.1c)
- You are advised how to create PCI DSS-compliant complex passwords to access the payment application, per PCI DSS requirements 8.5.8 through 8.5.15. (PA-DSS 3.1c)

- You are advised to control access, via unique user names and PCI DSS-compliant complex passwords, to any PCs, servers, and databases with payment applications and cardholder data. (PA-DSS 3.2)
- You are advised that changing the out-of-the-box installation settings for unique user IDs and secure authentication will result in noncompliance with PCI DSS.

Passwords should meet the requirements set in PCI DSS sections 8.5.8 through 8.5.15, as listed here:

- Do not use group, shared, or generic accounts and passwords.
- Change user passwords at least every 90 days.
- Require a minimum password length of at least seven characters.
- Use passwords containing both numeric and alphabetic characters.
- Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
- Limit repeated access attempts by locking out the user ID after not more than six attempts.
- Set the lockout duration to thirty minutes or until an administrator enables the user ID.
- If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

Changing Security on the Eagle System

1. For users with any of the following security bits set to Yes, you must either set them up as High Security Password users or change these security bits to No. (PA-DSS Requirements 3.1 and 3.2)

   Security Bit   Description
   14             Add/Change/Delete security settings, bit lists
   91             Allow system admin utilities (such as CDT, OSPREY, SHOWTASK)
   506            Allow access to OSPREY's USRLOGIN function
   689            View full customer credit card number
   691            View full customer credit card number (decrypted mode)
   757            Ability to view bankcard number in QuickRecall

   Users with any of these security bits set to Yes who are not set up as High Security Password users will not be allowed to log into the Eagle Browser or Eagle for Windows POS. For more information about changing a user's security bits, or about setting up High Security Passwords, see online help: from the Contents tab, click System Management, then Security.

2. Make sure the user SYSTEM has the security bits in the list above set to No.
3. If a user has one or more of these security bits set to Yes, set option 3 Check Password at POS to Yes for that user, as follows:
   a. In the Options Configuration window, click ID, type 3, and press Enter.
   b. In the User field, select the appropriate user.
   c. Change the Current Value column of Check Password at POS to Yes, and click OK.
   d. Click Change on the toolbar to save the setting.
   e. Repeat this process for any other users who require option 3 Check Password at POS set to Yes.
4. Set special security to S on all terminals, as follows:
   a. In the Options Configuration window, click ID, type 520, and press Enter.
   b. In the Terminal field, select the terminal number.
   c. Change the Current Value column of Terminal's Special Security to Yes, and click OK.
   d. Click Change on the toolbar to save the setting.
   e. Repeat this process for all other terminals.

Microsoft Windows Setup

This section describes the changes you must make in Microsoft Windows to meet PCI compliance standards.

Enabling Strong Passwords/Password Expiry/Screen Saver Passwords

For a password to be strong, it should:

- Be at least seven characters long. Because of the way older versions of Windows store passwords (the LAN Manager hash splits a password into two 7-character halves), the most secure passwords are seven or 14 characters long; Windows Vista and 7 do not store LM hashes by default, so on those systems a longer password is simply a stronger one.
- Contain characters from each of the following three groups:

   Group                                                          Examples
   Letters (uppercase and lowercase)                              A, B, C ... (and a, b, c ...)
   Numerals                                                       0, 1, 2, 3, 4, 5, 6, 7, 8, 9
   Symbols (all characters not defined as letters or numerals)    ` ~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] \ : " ; ' < > ? , . /

- Have at least one symbol character in the second through sixth positions.
- Be significantly different from prior passwords.
- Not contain your name or user name.

In addition to setting up strong passwords, you should also set up Account Lockout Policies, which temporarily or permanently (until reset) lock out a user after a certain number of failed login attempts. This is useful for systems that may be accessible by the general public, and it prevents someone from trying to guess a login password; PCI DSS 8.5.13 and 8.5.14, listed above, require lockout after not more than six attempts for at least thirty minutes. There are many other policies that you can enable or disable in Local Security Policy, but be careful, as you can restrict yourself so much that you can no longer access the system. Carefully read and understand the various policies if you decide to pursue further policy changes.

Enabling Strong Passwords/Password Expiry/Screen Saver Passwords - Windows 7 and Vista Only

If you use Windows XP, skip to the next section. To set up password enforcement in Windows 7 or Vista, you must be an Administrator. Set up the global password requirements as follows:

1. Click Start, Run, then type secpol.msc into the text box, and click OK. The Local Security Policy editor opens.

2. To set password policies, double-click the Account Policies item in the left pane. Password Policy appears in the right pane; double-click it.
3. Double-click each item in the right pane to set its value. The recommended settings are the values from Guidelines for Password Controls above: Enforce password history 4 passwords remembered; Maximum password age 90 days; Minimum password length 7 characters; Password must meet complexity requirements Enabled. Then open Account Lockout Policy (also under Account Policies) and set Account lockout threshold to 6 invalid logon attempts, Account lockout duration to 30 minutes, and Reset account lockout counter after to 30 minutes (Windows requires the duration to be at least as long as the reset interval).
4. When you are finished, close the Local Security Policy window.
5. Enable the requirement to enter a password when resuming from sleep mode, or when the screen saver has been activated: click Start, then Control Panel, then Personalization.
6. Select Screen Saver. Enter 10 in the Wait field (10 minutes is within the 15-minute idle limit of PCI DSS 8.5.15), select the On resume, display logon screen check box, and click OK.

Enabling Strong Passwords/Password Expiry/Screen Saver Passwords - Windows XP Only

This procedure is for Windows XP users only. Go to the previous section if you use Windows 7 or Vista. To set up password enforcement in Windows XP, you must be an Administrator. Set up the global password requirements as follows:

1. Click Start, Run, then type secpol.msc into the text box, and click OK. The Local Security Settings editor opens.
2. To set password policies, double-click the Account Policies folder in the left pane. The Password Policy folder appears in the right pane; double-click it.

3. Double-click each item in the right pane to set its value. The recommended settings are the values from Guidelines for Password Controls above: Enforce password history 4 passwords remembered; Maximum password age 90 days; Minimum password length 7 characters; Password must meet complexity requirements Enabled. Then open Account Lockout Policy (also under Account Policies) and set Account lockout threshold to 6 invalid logon attempts, Account lockout duration to 30 minutes, and Reset account lockout counter after to 30 minutes.
4. When you are finished, close the Local Security Settings window.
5. Enable the requirement to enter a password when resuming from sleep mode, or when the screen saver has been activated.
6. Click Start, click Control Panel, then click the Display icon.
7. Click the Screen Saver tab.
8. Enter 10 in the Wait field, select the On resume, display logon screen check box, and click OK.
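The secpol.msc and Control Panel steps above, for Windows 7/Vista and for Windows XP alike, can be applied and then verified from an elevated PowerShell prompt. The script below is an added example and is not part of the Activant guide or the Eagle software. It assumes a stand-alone (non-domain) PC, since on a domain member the domain policy overrides local settings, and it uses the PCI DSS 8.5.8 through 8.5.15 values quoted in Guidelines for Password Controls (90-day maximum age, 7-character minimum, 4-password history, lockout after 6 attempts for 30 minutes) together with the 10-minute screen-saver wait from the procedure. The function and file names are the author's own choices.

```powershell
# Added example, not Activant code: apply the Local Security Policy and
# screen-saver settings from the procedure above, then verify them.
# Assumptions: elevated Windows PowerShell (2.0 or later) on a stand-alone PC;
# net.exe, secedit.exe and rundll32.exe are the stock Windows tools.
$ErrorActionPreference = 'Stop'

function Set-PciAccountPolicy {
    # Account Policies as shown in secpol.msc: age, length, history, lockout.
    # Lockout duration must be >= the observation window, so both are 30.
    net accounts /maxpwage:90 /minpwlen:7 /uniquepw:4 `
                 /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # "Password must meet complexity requirements" has no net accounts switch:
    # export the current policy, set PasswordComplexity = 1, import it back.
    $inf = Join-Path $env:TEMP 'pci-secpol.inf'
    $db  = Join-Path $env:TEMP 'pci-secpol.sdb'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $lines = Get-Content $inf
    if ($lines -match '^PasswordComplexity\s*=') {
        $lines = $lines -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1'
    } else {
        $lines = $lines -replace '^\[System Access\]$', "[System Access]`r`nPasswordComplexity = 1"
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

function Set-PciScreenSaver {
    param([int]$WaitMinutes = 10)
    # Per-user registry equivalent of "Wait: 10" plus "On resume, display logon screen".
    $desk = 'HKCU:\Control Panel\Desktop'
    if (-not (Get-ItemProperty -Path $desk).'SCRNSAVE.EXE') {
        # A screen saver must be selected for the timeout to take effect; the stock blank one always exists.
        Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"
    }
    Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut'   -Value ([string]($WaitMinutes * 60))
    # Make the running session re-read the desktop settings instead of waiting for the next logon.
    rundll32.exe user32.dll,UpdatePerUserSystemParameters
}

function Test-PciAccountPolicy {
    # Read the effective values back and compare them with the PCI DSS 8.5.8-8.5.15 minimums.
    $out = net accounts
    $value = {
        param([string]$Label)
        $line = $out | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        $v = $null
        if ($line) { $v = $line.Substring($line.IndexOf(':') + 1).Trim() -as [int] }
        if ($v -eq $null) { -1 } else { $v }       # "Never" / "Unlimited" become -1 and fail the checks
    }
    $desk   = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $maxAge = & $value 'Maximum password age'
    $minLen = & $value 'Minimum password length'
    $hist   = & $value 'Length of password history'
    $thresh = & $value 'Lockout threshold'
    $dur    = & $value 'Lockout duration'
    $wait   = [int]$desk.ScreenSaveTimeOut
    $checks = @(
        @{ Name = 'Maximum password age 1-90 days';        Pass = ($maxAge -ge 1 -and $maxAge -le 90) },
        @{ Name = 'Minimum password length >= 7';          Pass = ($minLen -ge 7) },
        @{ Name = 'Password history >= 4';                 Pass = ($hist -ge 4) },
        @{ Name = 'Lockout after 1-6 failed attempts';     Pass = ($thresh -ge 1 -and $thresh -le 6) },
        @{ Name = 'Lockout duration >= 30 minutes';        Pass = ($dur -ge 30) },
        @{ Name = 'Screen saver active within 15 minutes'; Pass = ($desk.ScreenSaveActive -eq '1' -and $wait -gt 0 -and $wait -le 900) },
        @{ Name = 'Password required on resume';           Pass = ($desk.ScreenSaverIsSecure -eq '1') }
    )
    $allPass = $true
    foreach ($c in $checks) {
        if (-not $c.Pass) { $allPass = $false }
        Write-Host ('{0,-4} {1}' -f $(if ($c.Pass) { 'PASS' } else { 'FAIL' }), $c.Name)
    }
    return $allPass
}

Set-PciAccountPolicy
Set-PciScreenSaver -WaitMinutes 10
if (Test-PciAccountPolicy) { Write-Host 'Local policy meets the PCI DSS 8.5.8-8.5.15 values.' }
else { Write-Host 'One or more checks failed; review the settings in secpol.msc.' }
```

The verification parses the English output of net accounts, so on a localized Windows the labels must be adjusted. The screen-saver values live under HKCU, so they apply only to the account the script runs as; repeat Set-PciScreenSaver for each Windows account used at a POS PC, or enforce the same values with a policy if the PCs are domain members.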

Run OSPREY Utilities

Configure the SysLog Server in SETIP

IMPORTANT! Activant strongly recommends that you consult with your Local Platform Specialist (LPS) before attempting to set up the SysLog Server.

You must configure the Eagle to pass logs to a SysLog Server in order to be compliant with PCI DSS. If you are executing this procedure during business hours, you must use Offline POS until the procedure is complete, because this process puts the system into Quiet mode.

All logging conforms to PCI DSS version 1.2 requirements 10.2.1-10.2.7 and 10.3.1-10.3.6. The Syslog Server provides a prompt backup of the audit trail to a centralized log server that is difficult to alter, as per PCI DSS 10.5.3. Note that syslog over UDP is neither acknowledged nor encrypted, so a dropped datagram is lost silently; if your syslog server accepts TCP, prefer it.

1. From the console terminal (the one attached to the CPU), at the login prompt, type OSPREY and press Enter. At Password, type AVATAR and press Enter. (Because this OSPREY password is printed in this guide, treat it as public: physical access to the console terminal must be restricted.)
2. At Selection, type SETIP and press Enter. This quiets the system (you cannot run any Eagle applications except Offline POS).
3. Type e, and press Enter. Then type yes, and press Enter to put the system in maintenance mode.
4. At the prompt "Do you want to change the current setting (y/n) [default y]?", press Enter to accept the default of yes. A series of prompts then displays, one by one. Press Enter at every prompt until you reach the prompt to set up the logging server; there, type y to add syslog servers.
5. Type a lowercase a to add a syslog server for compliance regulations. Note: you will need to know the port number and protocol your syslog server uses; the default for most syslog servers is 514 and UDP.
6. Enter the log server address, and press Enter.
7. Enter the log server port number, and press Enter.
8. Enter the log server protocol, and press Enter.
9. Once you have added your required syslog servers, press Enter through the rest of the prompts that display.
10. When the SETIP main screen redisplays and asks if you want to continue editing the configuration, type n and press Enter. Then press Enter at the following prompt: "Do you want to update the network settings (y/n) [default y]?"
11. Press Enter at the following prompt: "Please press <ENTER> to continue."
12. At the main menu, press Esc, and then press the spacebar.
13. Press Enter at the following prompt: "Type 'QUIET' if you do NOT want the system back in normal mode now."

Changes take effect after the reboot.

Truncate or Encrypt Credit Card Data with QRCCC

Use the OSPREY function QRCCC (QuickRecall Credit Card Clean-Up) either to truncate existing credit card data (based on option 311) or to encrypt it into the card number encryption file (MSF).

1. From the console terminal (the one attached to the CPU), at the login prompt, type OSPREY and press Enter. At Password, type AVATAR and press Enter.
2. At Selection, type QRCCC and press Enter.

3. Type T to truncate, or E to encrypt.
4. At Action, type E to execute, and press Enter.

Review Additional Information

Review the information in this section to verify that you are complying with the relevant PA-DSS requirements discussed.

Remote Access Two-Factor Authentication (PA-DSS Requirement 11.2)

If Eagle for Windows can be accessed remotely, all network connectivity must use two-factor authentication per PCI DSS requirement 8.3. Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) with tokens, or a VPN (based on SSL/TLS or IPsec) with individual certificates. Both a password and an additional authentication item (for example, a smart card, token, or PIN) must be required. Note that a PIN is, like a password, something the user knows; the second factor should be something the user has, such as the token, smart card, or individual certificate.

Remote Access Software Security Configuration (PA-DSS Requirement 11.3)

Implement the following applicable security features for all remote access software used by the merchant, reseller, or integrator:

- Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
- Allow connections only from specific (known) IP/MAC addresses.
- Use strong authentication or complex passwords for logins.
- Enable encrypted data transmission.
- Enable account lockout after a certain number of failed login attempts.
- Configure the system so that a remote user must establish a Virtual Private Network (VPN) connection via a firewall before access is allowed.
- Enable the logging function.
- Restrict access to customer passwords to authorized reseller/integrator personnel.
- Establish customer passwords as described in the section Guidelines for Password Controls of this document (according to PCI DSS requirements 8.1, 8.2, 8.4, and 8.5).

Disable Remote Access via Modem

The Eagle system allows remote access via modem. Any method of remote access by vendors must be activated only when needed by vendors, with immediate deactivation after use. To disable remote access via modem, go to Function SETRSP (available from the Eagle for Windows Launch Bar or from Network Access) and choose Disable.

Encrypt Network Traffic Transmission of Cardholder Data (PA-DSS Requirement 12.1)

Eagle uses strong SSL/TLS encryption when transmitting cardholder data over networks between the Eagle client and server. Outgoing connections over public networks are protected by the included ProtoBase software.

End-User Messaging and Cardholder Data (PA-DSS Requirement 12.2)

Eagle for Windows does not include or support any end-user messaging technologies (e.g., e-mail, instant messaging, and chat). Unencrypted cardholder data must never be sent using these technologies.

Non-Console Administrative Access (PA-DSS Requirement 13.1)

Eagle uses SSH to encrypt all non-console administrative access to the payment application or to servers in the cardholder data environment. Telnet or other unencrypted access methods must not be used.

Indicate Your System Is Now PA-DSS Compliant

To indicate that your system is now PA-DSS compliant, you must set option 1061 PA-DSS Compliant System to Yes in the Options Configuration window. This option is password-controlled; therefore, the process to change it is different from setting other options. Setting this option records that the preceding steps have been completed; it does not enforce any of them, so set it only after every earlier section of this guide has been carried out. To set it to Yes:

1. In Options Configuration, click ID, type 1061, and press Enter.
2. Click Misc. on the toolbar.
3. Choose option F to restore the option to its factory default (which is Yes).
4. Click Change (F5).

Maintain Your Security Updates

Now that you have completed all the steps to implement PCI compliance, be sure to maintain your system's security updates by visiting Activant's PCI Readiness site on a regular basis. The site is located at:
https://www.activant.com/eaglecustomers/pci/
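Before you set option 1061, and after the reboot that follows setting options 1098 and 1099 in Set Up Options, it is worth confirming from a workstation that the Eagle server really answers SSH and no longer answers Telnet or FTP, as Non-Console Administrative Access (PA-DSS Requirement 13.1) requires. The following script is an added example, not Activant code and not part of this guide. It assumes the standard ports (22 for SSH/SFTP, 23 for Telnet, 21 for FTP), uses a placeholder host name, and needs only Windows PowerShell 2.0 or later, so it runs on the Windows XP, Vista, and 7 clients this guide covers.

```powershell
# Added example, not Activant code: after the reboot that follows setting
# options 1098 and 1099, confirm from a workstation that the Eagle server
# answers SSH and no longer answers Telnet or FTP (PA-DSS Requirement 13.1).
# Assumptions: standard ports (22 SSH/SFTP, 23 Telnet, 21 FTP) and a
# placeholder host name; Windows PowerShell 2.0 or later.

function Test-TcpService {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Connect with a timeout and read the first bytes the service sends, so an
    # open port 22 can be checked for a real SSH banner, not just for "open".
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return New-Object PSObject -Property @{ Open = $false; Banner = '' }   # filtered or unreachable
        }
        $client.EndConnect($pending)                 # throws SocketException if refused
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 256
        $banner = ''
        try {
            $n = $stream.Read($buffer, 0, $buffer.Length)
            if ($n -gt 0) { $banner = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $n).Trim() }
        } catch { }                                  # open but silent: no banner
        return New-Object PSObject -Property @{ Open = $true; Banner = $banner }
    } catch {
        return New-Object PSObject -Property @{ Open = $false; Banner = '' }     # refused or name lookup failed
    } finally {
        $client.Close()
    }
}

function Test-EagleClearTextServices {
    param([string]$EagleHost)
    $expected = @(
        @{ Port = 22; Service = 'SSH (SecureAccess, SFTP)'; ShouldBeOpen = $true  },
        @{ Port = 23; Service = 'Telnet (Network Access)';  ShouldBeOpen = $false },
        @{ Port = 21; Service = 'FTP';                      ShouldBeOpen = $false }
    )
    $allGood = $true
    foreach ($e in $expected) {
        $r  = Test-TcpService -ComputerName $EagleHost -Port $e.Port
        $ok = ($r.Open -eq $e.ShouldBeOpen)
        # Port 22 must not merely be open; it must identify itself as SSH ("SSH-2.0-...").
        if ($e.ShouldBeOpen -and $r.Open -and ($r.Banner -notlike 'SSH-*')) { $ok = $false }
        if (-not $ok) { $allGood = $false }
        $verdict = if ($ok) { 'OK' } else { 'FAIL' }
        $state   = if ($r.Open) { 'open' } else { 'closed' }
        Write-Host ('{0,-4} {1,-3} {2,-26} {3,-6} {4}' -f $verdict, $e.Port, $e.Service, $state, $r.Banner)
    }
    return $allGood
}

# Placeholder host name: substitute your Eagle server's address.
if (Test-EagleClearTextServices -EagleHost 'eagle-server.example.local') {
    Write-Host 'Only SSH answers. Safe to continue to option 1061.'
} else {
    Write-Host 'A clear-text service still answers or SSH is missing. Do not set option 1061 yet.'
}
```

A port that appears closed from the workstation may be blocked by a firewall in between rather than disabled on the server, so treat a clean result as necessary but not sufficient and confirm on the Eagle itself as well; a port that answers is conclusive the other way. Run the check from a PC on the same network segment as the POS terminals, since that is the path the legacy Network Access and FTP functions used.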