Ruby VASC Instructor Guide

Transcription

1 Ruby VASC Instructor Guide Client Services, Training 300 S. Park Place Blvd. Suite Main Reception Training Administration Fax [email protected]

2 Published: March 11, 2011 VeriFone, Inc. Integrated Systems 300 South Park Place Blvd., Suite 100 Clearwater, FL Office: (727) Fax: (727) Printed in the United States of America 2010 VeriFone, Inc. All rights reserved. No part of this publication may be copied, distributed, stored in a retrieval system, translated into any human or computer language, or transmitted in any form or by any means, without the prior written consent of VeriFone, Inc. The content of this document is subject to change without notice. The information contained herein does not represent a commitment on the part of VeriFone, Inc. VeriFone, Inc. is a registered trademark of VeriFone, Inc. All other brand names and trademarks appearing in this documentation are the property of their respective owners. Published: 02/12/10 Page: 2

3 Document Revision History Revision Date Author Description /12/10 John_B1 Original Documentation /11/11 John_B11 Changed Module number to 8 Published: 02/12/10 Page: 3

4 Subject: PCI /PA-DSS Overview Skill Level: 2 - Intermediate Time Involved: 1 Hour 30 Minutes Objective(s) Students will be able to: Demonstrate a knowledge of PCI-DSS, PA-DSS Explain how PCI-DSS impacts Merchant s and VASC s Demonstrate the steps for a compliant installation Understanding the Software Download Agreement Documentation Needed Ruby VASC Instructor Guide: Module VASC Service Manual: Card Security, PCI Handouts Equipment Needed Pencils, pens, highlighters, and post-its for students 1 Ruby SuperSystem for each student (this includes power brick, Y-Cable, AC Power and a Printer) installed with the software application you are choosing to teach. Class Preparation Tables and chairs should be set up either classroom or U-shaped style. You will need 3 of table space for each student. Determine the application you will be using. This application will need to be installed on each student s Ruby terminal. Rubies should be powered up with all cables, connectors, connected. The physical keys on the Rubies should be arranged based on the keyboard set up diagram found in the Instructor Preparation materials. Published: 02/12/10 Page: 4

5 Instructor Notes Instruct and show students how to navigate to the Card Security section in the VASC Service Manual. Points to Stress: To counter the growing identity theft and credit card problem, the major credit card providers have joined together to introduce a compliance standard called PCI-DSS or the Payment Card Industry Data Security Standard. PCI-DSS applies to any company that accepts card based payments. PCI DSS was developed to protect cardholder data. The PCI-DSS requirements cover security management, policies, procedures, network architecture and other critical protective measures. The PCI-DSS standard mandates that all merchants, service providers, and software developers follow 12 critical points to ensure cardholder information, such as account numbers, PINs, etc. is protected. Being ignorant of knowing how to be PCI compliant is not a defense. Some merchants believe once you setup compliancy, it s DONE!... not the case. Merchants are responsible for being PCI compliant. Also, maintaining security should be a common goal. Pass-out the following handout to students: VASC Handout 12 Points for PCI-DSS PA-DSS PA-DSS stands for Payment Application Data Security Standards. PA-DSS Applies to Payment Applications such as Ruby, Sapphire, and Topaz. The goal of PA- DSS is to protect account numbers and support a merchant's ability to comply with PCI DSS. Points to Stress: Where PCI-DSS is directed at merchant implementation, PA-DSS is directed at software vendors and provides standards for building, testing, distributing and supporting software that is meant for card payment processing. PA-DSS is also meant to provide software vendors a guideline so they may facilitate a merchants ability to be PCI-DSS compliant. For each software application, VeriFone has a PA-DSS Implementation Guide that provides a breakdown by topic of what is necessary to install a site to ensure PCI-DSS compliancy. The PA-DSS Implementation Guide is available at all times on VeriFone s Premier Portal and a new copy should be downloaded each time you visit a location for installation and a copy should be left at the site for the merchant as part of the training. Published: 02/12/10 Page: 5

6 The PA-DSS Implementation Guide is a living document that may be updated at any time, because of this you should not retain old copies. You should ALWAYS download a fresh copy from the Premier Portal before providing it to a site or referencing it. How Does PA-DSS Affect VASCs? As a VASC when performing software installations you must ensure the following: 1. Become familiar with the PA-DSS Implementation Guide and adhere to the procedures within this document when installing and upgrading card payment processing equipment. 2. The merchant's POS system is installed with the most current software application. 3. When configuring the site's card network, ensure the communication devices (routers, hubs, datawire, etc.) are protected and configured properly. If the site will be using TCP/IP configurations please work with the site's IT personnel to ensure the appropriate firewalls, port forwarding, and IP addressing is configured properly. 4. Work with the Site Manager to ensure the default UserIDs and Passwords for the POS system and computer systems have been changed prior to leaving the site. 5. For sites with a Sapphire Mini-Server ensure the Site Manager is familiar with the LogIn switch. This switch should ALWAYS be in the UP POSITION. This will prevent users from receiving and transmitting data into the Sapphire. Should the site need help with a card transaction situation, it may be necessary for the VeriFone HelpDesk Agent to obtain card transaction information. The VeriFone HelpDesk Agent will instruct the site personnel to put the LogIn switch in the DOWN POSITION. After gathering the necessary information the VeriFone HelpDesk Agent will instruct the site personnel to put the Log-In switch to the UP POSITION. 6. Ensure the Merchant is given the following documents: 1. Do s and Don ts Handout 2. What Should I do About PCI Compliance? 3. PA-DSS Implementation Document (most current copy from Premier Portal) Published: 02/12/10 Page: 6

7 PA-DSS 14 Requirements for Vendors Review the following 14 requirements for Vendors with the students. 1 Do not retain full magnetic stripe data or CVV2/PIN data 2 Protect stored data (including account numbers) 3 Provide secure password features 4 Log application activity 5 Develop secure applications 6 Protect wireless transmissions 7 Test applications to address vulnerabilities 8 Facilitate secure network implementations 9 Never store cardholder data on a server connected to the Internet 10 Facilitate secure remote software update 11 Facilitate secure remote access to application 12 Encrypt sensitive traffic over public networks 13 Encrypt all non-console admin access Maintain instructional documents for customers, resellers, and 14 integrators Download Disclaimer on VeriFone s Premier Portal When downloading any application on VeriFone s Premier Portal you will have to agree to the following disclaimer: Download Acknowledgment of BUYPAK Ruby Production Software It is required that you print or download a copy of the PA-DSS Implementation Guide. Also, you MUST review the guide with the merchant and leave a copy with the merchant. Make sure students are aware of this disclaimer when downloading software from VeriFone s Premier Portal. PCI-DSS Training Module Play for the students the PCI-DSS Training Module video. Published: 02/12/10 Page: 7