Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Transcription

1 Introduction This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements. Please note that as a credit card merchant you must be compliant with these standards, they are not optional. This guide focuses on the things that you must do within our system, but there are also several things that fall outside the scope of our system. To get more detailed information please read the documents on Visa s website: Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program). Validation Basics Requirements The following are the requirements as stated on Visa s website. Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security Copyright 2007 Total Computing Solutions, LLC Page 1

2 Access to System Local Local access means within the local network at your business place. Each user should be assigned a separate User ID and password to get onto the system. Passwords should be complex and should meet the following requirements: Password Requirements 1. Be at least 7 characters in length. 2. A mixture of letters and numbers. 3. Passwords should not be reused. 4. Group passwords should not be used; each user should have their own. 5. They must be changed at least every 90 days. 6. After initially setting up the user s password, the user should change it to their own the next time they log into the system. Additionally regular employees or users of the system should not have access to cardholder information, administrative functions and data, or other sensitive information. Later in this document is explained how to set up a user and set the correct privelege levels on the system to allow them to do their job, but restrict them from the unauthorized areas of the system. Remote Periodically you may need someone to have remote access to your system for support over the Internet. You may also wish to work from home and access your machine over the Internet. Please follow these guidelines which are also required by the PCI compliance rules. 1. Two levels of security or authentication are required for access to your bookstore server over the Internet. At least one of these must involve encryption. Typical would be a connection to the network with an encrypted VPN and then remote desktop in. Another example would be the SSH protocol. In this case the two levels of security/authentication are the encryption and then the user/password to access the system. 2. Do not use insecure protocols like telnet to get into the system. The firewall on the server should be setup to deny entry by this method. Firewall As part of the PCI compliance a firewall must be setup and configured. There are several requirements that are to be met. 1. It is recommended that a network diagram be made showing all connections to the bookstore server which holds cardholder data. This includes wireless networks. 2. Changes to the firewall must be authorized and documented. 3. Limit the traffic to that which is required to conduct business. 4. To prevent spoofed IP addresses, egress (outgoing) and ingress (incoming) filters should be placed on border routers. 5. The cardholder database should not be on a direct internet connection. This is termed DMZ or demilitarized zone. It should be on the internal network. 6. Web servers that are publicly reachable on the Internet should be separated from the bookstore server and internal network by a firewall. Copyright 2007 Total Computing Solutions, LLC Page 2

3 Wireless Wireless networks have some special requirements that must be paid attention to. 1. Access must be limited to authorized devices on the wireless network. 2. A perimeter firewall must be setup between the wireless network and the bookstore server. 3. Vendor default settings should be changed (i.e. WEP keys, SSID, passwords, SNMP community strings, disabling SSID broadcasts). 4. Use Wi-Fi Protected Access (WPA) or an equivalent or greater standard for authentication on the network. 5. Use Wi-Fi Protected Access (WPA), VPN, SSL at 128-bit, or WEP for encryption. (WEP keys must be rotated quarterly.) 6. Be sure to restrict physical access to wireless access points, gateways and handheld devices. 7. You should periodically identify all wireless devices using a wireless analyzer. Testing and Analyzing Access 1. A vulnerability scan or penetration test should be performed quarterly by a qualified scan vendor. 2. Be sure to review access logs to firewalls, wireless gateways and your server for unauthorized traffic. Updating of Systems 1. Total Computing Solutions, LLC will be ing users information on recommended patches to install. These include patches to our software, Windows and OpenSSL and other auxiliary software. 2. Users should also keep their AutoUpdate for Windows turned on, or regularly monitor the Internet for security updates to their operating system. Copyright 2007 Total Computing Solutions, LLC Page 3

4 Setting Up Security Measures on TCS Retail This is a walkthrough on how to specifically set up the security measures in TCS Retail. User Accounts This section of the document does not explain every detail about adding a new user, it just covers establishing the user s privilege level in the system. For additional information about setting up a user, see the training documentation. Lets define three basic levels of privilege in the system and assign them the privilege number to put into the system: Privelege Title Roles 9 Administrator Maintaining user accounts, establishing system parameters. 6 Manager/Asst. Manager Running reports, information access, maintaining system data, advanced cashier functions. 1 Cashier Running basic cashier functions. Your may vary from this. You may decide to define more privilege levels, your numbers may be slightly different, but the purpose of this is to get you acquainted with how to set it up on the TCS system to meet the PCI requirements. You may need to adjust it to meet your own needs and policies. The way the privilege level works in TCS Retail is that any menu option in the system can be assigned a privilege. Users with a privilege of 9 would have use of anything that was assigned a privilege of 9 or lower, or anything that did not have a privilege assigned to it. So to keep users with privilege 6 out of something, give the menu a privilege of 7 or higher. Copyright 2007 Total Computing Solutions, LLC Page 4

5 Setup the privilege level for System Administrator Guidelines for PCI Security Requirements Go to User Maintenance (POS-UU-5-1) Lets start with your user profile so use your code where test is used below. Make sure your privilege level is 9 for each account shown. Setup the privilege for all users Go to User Maintenance (POS-UU-5-1) Copyright 2007 Total Computing Solutions, LLC Page 5

6 If you type?? in User ID you will get a list of all the users. You will want to make sure that only the appropriate users have a privilege level of 9 on any account. Copyright 2007 Total Computing Solutions, LLC Page 6

7 We recommend that you keep the privilege levels the same on every account. The reason is that if they have privilege level of 3 on POS, but a privilege level of 9 on TEXT, then on TEXT they will have the ability to change security, change users, etc. Establish the privileges in the System Here is an example of setting up a privilege level for a menu. This example will be for the System Administrator menu. First you must find the process name of the menu. To do that you must go to a place on the system that contains the System Administration menu. Log into POS. Go to User Utilities (POS-UU) and look at the menu: Notice that the System Administrator menu is option #5. Now type.v and hit enter. You ll see something like the following: Copyright 2007 Total Computing Solutions, LLC Page 7

8 The process name is just to the left of the menu option. For our example the process name of the System Administrator menu is SA. Now we need to set the System Administrator menu to privilege level 9. Go to Process Control (POS-UU-5-2) For the process name type SA and choose Add. Copyright 2007 Total Computing Solutions, LLC Page 8

9 Set the Privilege to 9. This will keep unauthorized users, anyone with a privilege lower than 9, out of the System Administration menu. Also add another Process Name, TL.ENCRYPTION. Copyright 2007 Total Computing Solutions, LLC Page 9

10 Set this Privilege to 9. This will keep unauthorized users out of the encryption settings in TotaLink. (You can access the encryption settings either through POS-UU or POS Now both paths are restricted.) Be sure that the correct privilege level is set on all your users. Non-administrators should not have a privilege level of 9 on any account. Credit Card Encryption Credit card encryption involves several steps, which should be done by someone with administrative privileges. You must first install or have installed OpenSSL onto your bookstore server (we will help you with this). You must setup your user on the system to have full privileges and then install OpenSSL. Take the file Win32OpenSSL-v0.9.7d.exe from TCS and put it on the bookstore server. Open the file. It will automatically extract OpenSSL Choose the path in which you wish to install it. The default is C:\OpenSSL. On the TCS System go to Encryption Settings (POS-UU ) Copyright 2007 Total Computing Solutions, LLC Page 10

11 Put the path plus \bin in the OpenSSL Path field in Enryption Settings. Now test the settings by choosing T. Copyright 2007 Total Computing Solutions, LLC Page 11

12 If you see the message If_you_can_read_this_then_test_passed! then the installing of OpenSSL worked. If you see anything else, then there is a problem and you should contact support. Set Privilege Levels Make sure that you have appropriately defined the privilege level for you and your employees. This is explained in the User Accounts section of the document. Next, turn on the security settings. Go to Security Settings (POS-UU ). Set Activate Credit Card Encryption to Y. (You can also set Activate Password Security to Y which is explained later.) Since this is the first time doing it, as soon as you update this record you will be prompted to setup the encryption key and to setup a secure password. If you do not have the TotaLink account, you will not be allowed to enter an encryption key nor to activate the card encryption. Copyright 2007 Total Computing Solutions, LLC Page 12

13 (If you are not prepared to enter an encryption key at this time, hit the up arrow and you will be forced to change the Activation Card Encryption to N.) Copyright 2007 Total Computing Solutions, LLC Page 13

14 Because your system at this point does not yet have an encryption key you should leave the Old Key field blank. Do not lose the encryption key you enter! You cannot retrieve it and must call technical support.. You will be charged a fee for us to get on your system and retrieve it. Once you enter the new key you will be prompted to encrypt all of the card data with the new key. If you choose to Re-encrypt data then it could take several hours to finish. If you choose to cancel, it will not encrypt the data now, but will prompt you with the same options when you log on again. You may choose Reencrypt or wait until later to finish this. If you chose to turn on Password Security, you will be prompted to reset your password. The reason for this is that it must be encrypted and meet security requirements. The password security is explained in the next section. Copyright 2007 Total Computing Solutions, LLC Page 14

15 Password Security This explains how to turn on the password security settings. Note that this will encrypt your password and enforce the secure password guidelines required by the PCI guide. If you chose Y to Activate Password Security while turning on the Credit Card Encryption (coming from the last section), you ll be prompted to reset your password and can skip to that section of the document (next page). If you have not done so, you must first do the following: 1. Install OpenSSL 2. Set the OpenSSL path in the Encryption Settings (POS-UU ). Both of those steps are explained in the Credit Card Encryption section. Then you must set Activate Password Security in the Security Settings. Go to Security Settings (POS-UU ). Set Activate Password to Y. Copyright 2007 Total Computing Solutions, LLC Page 15

16 Notice that you are now being told to reset your password. This is so that it make sure that the password encryption works, and to force you to enter a password that meets the new requirements. Copyright 2007 Total Computing Solutions, LLC Page 16

17 You must enter your current POS password and then enter and reenter a new password. The new password must be at least 7 characters in length and must be a mixture of numbers and letters. You also are not allowed to reuse passwords and each user must reset their password every 90 days. Once you do this you will be told that password security is enabled. You will also be prompted with the following: Copyright 2007 Total Computing Solutions, LLC Page 17

18 Here you should answer Yes to allow the users to reset their own password for the following 2 days. If you answer No you will be required to reset all users passwords individually. Copyright 2007 Total Computing Solutions, LLC Page 18