Catapult PCI Compliance




Table of Contents

- Overview Catapult (PCI)
- Support and Contact Information
  - Dealer Support
  - End User Support
- Catapult Payment Clients
- Installation and Upgrades
- Supported Operating Systems
- Catapult topology
- Firewall protection
- Secure wireless network
- Anti-virus software or programs
- Secure network resources
- Remote Access
  - Standard guidelines for remote access
- Non Console Administration
- Update secure systems and applications
- Remove Default system passwords and security parameters
- Protect Cardholder Data
- PC/Network Access control
- Catapult Access control
- Catapult Logging
- Logging Critical Data
- Catapult Data Encryption and Key Management
- Catapult Secure Deletion of Card Holder Data

Overview Catapult (PCI)

This document defines key requirements and recommendations for Catapult users for Catapult Version 5.3. For supporting application information please see CatapultOverview_5.3_PCI.doc and the Catapult on-line help documentation shipped with Catapult. This document describes the Payment Card Industry (PCI) Data Security Standard (DSS) requirements and recommendations for Catapult users. Please see the official Payment Card Industry (PCI) Data Security Standard (DSS) document for more general information.

Support and Contact Information

Dealer Support

If you purchased Catapult through an Authorized Dealer, your dealer provides technical support. Contact your dealer according to the terms of your purchase.

End User Support

Support is provided according to the terms of your Catapult purchase agreement and purchased extensions. The preferred method of contacting ECRS for product support is to use the following web site: https://support.ecrsoft.com. Alternatively, ECRS may be contacted for product support by telephone at (828) 265-2907. Support services provided outside of contracted hours are only available in certain emergency situations and for additional fees. Refer to your Catapult support agreement for details.

Catapult Payment Clients

The following payment clients are PA-DSS certified and should be used for Catapult to be PCI compliant. Newer versions of these tools that are PA-DSS certified may be used upon approval.

- DataCap Systems NetEPay 4.0 DSI ClientX
- T-Gate PayLink web service
- Element Payments Element Express web service

NOTE: The legacy payment clients Net-CMS, PCCharge and SmartPayments Client are not PA-DSS compliant applications and should not be used with Catapult. Net-CMS has not been officially supported as of version 3.3. DataCap Systems provides processing for Canadian accounts. PCCharge has not been officially supported as of 7/17/2004. SmartPayments Client has not been officially supported as of 1/1/2012.

Installation and Upgrades

Refer to the on-line manual shipped with Catapult for instructions and guidance for secure installation and version upgrades of Catapult. Patch upgrades can be downloaded from the ECRS Customer web pages. To download and upgrade to a Catapult patch:

1. Go to https://support.ecrsoft.com/customerweb
2. Enter your id, user, and password. If you do not know this information, please call ECRS support or open a support ticket requesting it.
3. Select the Catapult Version Status Matrix link. This page displays the available Catapult versions with information regarding each version.
4. Select the View Patch Info / Download Patch option on the page. This page displays patch information and upgrade instructions, and provides a download link. Print the page for download instructions.
5. Select the Download Patch xx for yyy option, where xx is the patch number and yyy is the Catapult version.
6. Download the appropriate patch from the download page and use the printed instructions to upgrade the patch.

Supported Operating Systems

Catapult should be installed on Windows WEPOS, Windows POS Ready 7, Windows 7 Pro, Windows 8.1 Pro, Windows Embedded 8.1 Pro, Windows Server 2003, Windows Server 2008, or Windows Server 2012. Automatic restore points should be disabled. To disable restore points:

1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box, or click to select the Turn off System Restore on all drives check box.
4. Click OK. You will receive a confirmation message.
5. Click Yes to confirm that you want to turn off System Restore. After a moment, the System Properties dialog box will close.

Catapult topology

Catapult should be hosted on a machine within the network behind a firewall. The PC should not have a public IP address. The Catapult database should be hosted on a machine within the network behind a firewall. The PC should not have a public IP address. It is preferable that the Catapult database and the Catapult application be installed on different PCs.

Firewall protection

Firewalls are computer devices that control computer traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within a company's internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. Catapult machines should be protected with a personal firewall to avoid unauthorized access from the Internet. Refer to section 1 of the official PCI compliance document.

Secure wireless network

The guidelines below apply to wireless access setup and configuration.

- A firewall must be installed between any wireless network and the network hosting Catapult, and the firewall must deny or control (if traffic is necessary for business purposes) any traffic from the wireless environment to Catapult.
- Change wireless vendor defaults, including but not limited to the default service set identifier (SSID), passwords, and SNMP community strings.
- Disable SSID broadcasts.
- Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication. NOTE: WEP encryption is not sufficient and WPA must be used.
- Change any encryption keys anytime anyone with knowledge of the keys leaves the company or changes positions.
- Request setup instructions for approved wireless devices from ECRS.
- Make sure firmware is updated to support strong encryption for authentication and transmission, i.e. WPA/WPA2 support.
- Install non-employee-configurable personal firewall software on any mobile and employee-owned computers with direct connectivity to the wireless network (for example, laptops used by employees).
- Wireless networks should use WPA or WPA2 technology, IPSEC VPN, or SSL/TLS. Never rely on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.

Refer to the PCI-DSS 2.0 guide sections 1.2.3, 2.1.1, and 4.1.1.

Anti-virus software or programs

Many vulnerabilities and malicious viruses enter the network via employees' e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

- Deploy anti-virus software on all systems running Catapult components or communicating with Catapult in any way.
- Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
- Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Secure network resources

Refer to the Payment Card Industry (PCI) Data Security Standard (DSS) regarding how to secure and test the network: VPN, users and roles, firewall requirements, etc.

- Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens, or VPN (based on SSL/TLS or IPSEC) with individual certificates.
- Modem use is discouraged. If modem use is required for remote support, etc., then the modem should only be turned on when needed for downloads from ECRS and turned off immediately after completion.
- Install personal firewall software on any mobile and employee-owned computers with direct connectivity to the network (for example, laptops used by employees).
- Catapult machines should never connect to a VPN.
- Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
- Disable FTP, Telnet, and other insecure transport protocols.

Remote Access

Standard support methodology for remote access

ECRS support uses GoToAssist for remote access to a customer's computers. The customer is instructed to go to www.ecrshelp.com, which redirects to https://support.ecrsoft.com/assist/index-ff12.php, where they enter a PIN number supplied by the support technician. This then downloads a small virus-free plug-in for GoToAssist. Once the session starts, the customer has to acknowledge through a dialog that they want to allow access.

Standard guidelines for remote access

The guidelines below apply to standard remote access tool setup and configuration.

- Two-factor authentication is required while using remote access.
- Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
- Allow connections only from specific (known) IP/MAC addresses.
- Enable encrypted data transmission.
- Configure the system so a remote user must establish a Virtual Private Network (VPN) connection via a firewall before access is allowed.
- Enable the logging function.
- Restrict access to customer passwords to authorized reseller/integrator personnel.
- Establish and control customer IDs and passwords according to PCI DSS requirements.
- All remote access users should be identified with a unique user name and must be authenticated via password, token device (e.g., SecureID, certificates, or public key), biometrics, etc. before being allowed to access the network.
- Encrypt all passwords during transmission and storage.
- Control addition, deletion, and modification of user IDs, credentials, and other identifier objects, and control account passwords.
- Immediately remove inactive accounts when no longer needed.
- Limit remote access to the time period needed, preferably by enforcing a very short password expiration date.
- Set an expiration date of no more than 90 days for user passwords even when limiting access by other means.
- Use strong authentication or complex passwords for logins: a minimum length of at least seven characters containing both numeric and alphabetic characters.
- Enable account lockout after no more than six failed login attempts.

Non Console Administration

Non-console administration should use SSH, VPN, or SSL/TLS for encryption. FTP, Telnet, and other insecure non-console tools should never be used.

Update secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. Ensure that Catapult security patches are applied as available within one month of release. Ensure that Windows security patches are applied as available within one month of release.

Remove Default system passwords and security parameters

Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information. Catapult is installed with default users and passwords. Modify or remove the users and passwords for all Catapult default users (1, 2, 3, 9), especially user 9, since this is the default administrator.

Protect Cardholder Data

Catapult does not store or transmit cardholder data other than the last 4 digits of the PAN. Subsequent to transaction authorization, Catapult does not retain a) full magnetic stripe data, b) CVC2, CVV2, or CID data, or c) PIN or PIN block data. Catapult does not log cardholder data. The PAN number may be known by the attendant (if entered manually due to a bad swipe). Never send the PAN by e-mail unless 128-bit encryption is used.

PC/Network Access control

This requirement ensures critical data can only be accessed by authorized personnel. Any PC that Catapult is installed on or communicates with should be accessible by authorized personnel only. Each user should have a unique identification (ID). Employ at least one of the following methods to authenticate all users: password, token devices (e.g., SecureID, certificates, or public key), or biometrics. VPN, DNS, Domain, etc. should be used to secure the network via role-based authentication. Do not use default administrative accounts. This applies to Catapult as well as 3rd-party tools like anti-virus and firewalls, and also applies to the operating system. Assign secure authentication to any default account, even one that is not being used. Assign secure authentication to other (non-administrator) accounts where possible.

Catapult Access control

This requirement ensures critical data can only be accessed by authorized personnel. Note: Changing Catapult's out-of-the-box access control settings may result in non-compliance with PCI DSS. Catapult provides user authentication. Users and roles should be managed so users have access on a need-to-know basis. At least one Super user should be created and maintained by the authorized Catapult administrator. Terminated users should be immediately revoked (made inactive). Group, shared, or generic accounts should never be used.

- All groups: Password Failures should be 6, meaning that for users of this group, after 6 failed login attempts the user account will be locked until unlocked by an administrator.
- Administrator groups: Password Strength should be set to strong, meaning that users of this group must have strong passwords of 7 or more characters containing alpha and numeric.
- Administrator groups: Password expire should be set to 90, meaning that users of this group need to change their passwords every 90 days.
- Administrator groups: Password force expire should be set to 3, meaning that users of this group will be forced to change their passwords on the 4th warning.
- All groups: Password Retention should be set to 4, meaning that users of this group cannot set a password to a value that has been used in the last 4 passwords for the user.
- All groups: PWD Change should be set to Required, meaning that users of this group are required to enter a new password upon first login when the account is created or when an administrator has reset the password.
- Administrator groups: The idle time out should be set to 15 minutes, so that if a session has been idle for 15 minutes, the user is required to re-enter the password.
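The Catapult access-control settings above (6 failures to lockout, 7+ alphanumeric characters, 90-day expiry, 4-password retention, 15-minute idle timeout), modelled as an added Python example that is not ECRS's or Catapult's code: the setting values are the guide's, the enforcement logic, the Account class, the SHA-256 stand-in for password storage and the constructed scenario for default user 9 are assumptions (the force-expire warning count and the forced first-login change are not modelled).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

PASSWORD_FAILURES = 6        # lock the account after 6 failed logins
PASSWORD_MIN_LENGTH = 7      # "strong": 7 or more characters, alpha and numeric
PASSWORD_EXPIRE_DAYS = 90    # password must be changed every 90 days
PASSWORD_RETENTION = 4       # none of the last 4 passwords may be reused
IDLE_TIMEOUT = timedelta(minutes=15)
T0 = datetime(2014, 2, 14, 9, 0)   # constructed reference time for the scenario


def is_strong(p: str) -> bool:
    return len(p) >= PASSWORD_MIN_LENGTH and any(c.isalpha() for c in p) and any(c.isdigit() for c in p)


def _digest(p: str) -> str:
    return hashlib.sha256(p.encode()).hexdigest()   # illustrative only; store salted hashes


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)   # most recent digest first
    changed_at: datetime = None
    failures: int = 0
    locked: bool = False
    last_activity: datetime = None

    def set_password(self, new: str, now: datetime) -> str:
        if not is_strong(new):
            return "weak"
        if _digest(new) in self.history[:PASSWORD_RETENTION]:
            return "reused"
        self.history.insert(0, _digest(new))
        self.changed_at = now
        return "ok"

    def login(self, password: str, now: datetime) -> str:
        if self.locked:
            return "locked"                      # only an administrator unlocks
        if not self.history or _digest(password) != self.history[0]:
            self.failures += 1
            if self.failures >= PASSWORD_FAILURES:
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0
        if now - self.changed_at > timedelta(days=PASSWORD_EXPIRE_DAYS):
            return "expired"
        self.last_activity = now
        return "ok"

    def touch(self, now: datetime) -> str:
        # Idle rule: after 15 idle minutes the password must be re-entered.
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            return "reauth"
        self.last_activity = now
        return "ok"


def walkthrough() -> list:
    """Constructed scenario for default user 9; returns each rule's outcome in order."""
    acct = Account("9")
    out = [acct.set_password("short1", T0), acct.set_password("Catapult53", T0),
           acct.set_password("Catapult53", T0)]
    out += [acct.login("wrong", T0) for _ in range(PASSWORD_FAILURES)]   # 5 denied, then locked
    out.append(acct.login("Catapult53", T0))     # right password, but the account is locked
    acct.locked, acct.failures = False, 0        # administrator unlock
    out += [acct.login("Catapult53", T0),
            acct.touch(T0 + IDLE_TIMEOUT + timedelta(seconds=1)),
            acct.login("Catapult53", T0 + timedelta(days=91))]
    return out
```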

Catapult Logging

When additional logging is required to resolve an issue, ECRS may enable the logging per configuration or with a patch. Standard logging should be collected only when necessary to resolve a problem and deleted after use. It is the responsibility of the party that enabled the logging to disable the logging and delete any log data generated. Auditing for all PA-DSS required elements is done by each terminal recording data to the central Sybase database located at each customer site. The data is recorded in the ActionLog and ActivityLog tables. The data that is recorded in these tables is also sent to the Windows event log or the Unix Syslog on the database server machine under the name SQLANY 12.0 Admin. This centralized logging at the store can then be configured through the operating system to be shared for further centralizing of the log data.

Logging Critical Data

In the event that sensitive data is needed, Catapult can log sensitive data with the following rules applied:

- A 3DES 128-bit encrypted key file must be supplied by ECRS.
- The key file must be placed on the Catapult terminal.
- When the key file is in place, Catapult logs via 3DES 128-bit encryption.
- The key file expires in 30 days and logging stops occurring.
- The key file is out of date in 40 days and the log file and key file are automatically securely wiped from disk.
- When the key file is removed, the log file is automatically securely wiped from disk.
- The log file generated can be decrypted by ECRS and only by ECRS, based on the key file content and other confidential information.

NOTE: ECRS maintains internal confidential documentation regarding specifics of encryption and decryption and key management of sensitive data in compliance with PCI-DSS specifications.

Catapult Data Encryption and Key Management

Catapult encrypts user passwords using 128-bit 3DES encryption. Catapult does not store cardholder data. A special case where Catapult securely logs sensitive data is listed in the Logging Critical Data section. ECRS maintains internal confidential documentation regarding specifics of encryption and decryption and key management of sensitive data in compliance with PCI-DSS specifications.

Catapult Secure Deletion of Card Holder Data

Please see the Catapult Logging / Logging Critical Data section above regarding secure collection and deletion of cardholder data. Catapult 5.3 does not store sensitive cardholder data. Catapult versions prior to 5.3 did not store critical cardholder data.

Document Legend

Version   Date         Description                                                                                        Change agent
1.0       07/24/2012   Initial Creation per PA-DSS guidelines.                                                            Steve Smith
          08/31/2012   Added notes about central logging to the logging section.                                          Steve Smith
          09/06/2012   Changed all references from PABP to PA-DSS. Added more specifics on remote logging using GoToAssist.   Steve Smith
          02/14/14     Changed for version 5.3. Added new operating systems.                                              Steve Smith
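The key-file lifecycle from the Logging Critical Data section (logging only while the key file is present, stop at 30 days, wipe log and key at 40 days, wipe the log when the key is removed), as an added Python model that is not ECRS's or Catapult's code: the key-file layout (issue date on the first line), the file names, the overwrite-then-unlink wipe and the pass-through `encrypt` stand-in are assumptions, and the 3DES encryption itself is not implemented.

```python
import os
import secrets
import tempfile
from datetime import datetime, timedelta

KEY_EXPIRES_DAYS = 30   # after 30 days the key has expired and logging stops
KEY_WIPE_DAYS = 40      # after 40 days the log file and the key file are wiped
DATE_FMT = "%Y-%m-%d"


def secure_wipe(path: str) -> None:
    """Overwrite with random bytes, flush to disk, then unlink (approximates a secure wipe)."""
    if os.path.exists(path):
        with open(path, "r+b") as f:
            f.write(secrets.token_bytes(os.path.getsize(path)))
            f.flush()
            os.fsync(f.fileno())
        os.remove(path)


def key_issue_date(key_path: str) -> datetime:
    # Assumed key-file layout: first line is the issue date, the rest is opaque key material.
    with open(key_path, "rb") as f:
        return datetime.strptime(f.readline().decode().strip(), DATE_FMT)


def log_sensitive(record: bytes, key_path: str, log_path: str, now: datetime, encrypt) -> str:
    """Apply the key-file lifecycle rules and return the state that was reached."""
    if not os.path.exists(key_path):                 # key removed: the log is wiped
        secure_wipe(log_path)
        return "no_key"
    age = now - key_issue_date(key_path)
    if age > timedelta(days=KEY_WIPE_DAYS):          # out of date: wipe log and key
        secure_wipe(log_path)
        secure_wipe(key_path)
        return "wiped"
    if age > timedelta(days=KEY_EXPIRES_DAYS):       # expired: keep the log, stop logging
        return "expired"
    with open(log_path, "ab") as f:                  # key in place: encrypt and log
        f.write(encrypt(record) + b"\n")
    return "logged"


def walkthrough() -> list:
    """Constructed scenario in a temp dir; returns (state, log exists, key exists) per step."""
    issued = datetime(2014, 2, 14)
    enc = lambda b: b   # stand-in for the 3DES step the guide describes; not implemented here
    out = []
    with tempfile.TemporaryDirectory() as d:
        key, log = os.path.join(d, "catapult.key"), os.path.join(d, "sensitive.log")
        with open(key, "wb") as f:
            f.write(issued.strftime(DATE_FMT).encode() + b"\n" + secrets.token_bytes(16))
        for days in (1, 29, 31, 41, 42):
            state = log_sensitive(b"constructed record", key, log, issued + timedelta(days=days), enc)
            out.append((state, os.path.exists(log), os.path.exists(key)))
    return out
```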