Wireless Networking Best Practices
Version 2.0

About This Document

This document is meant to serve as a guide for implementing MICROS wireless Hardware following Payment Application Data Security Standards (PA-DSS). This document is to be used as an implementation guide supplement.

Copyright 2011 MICROS Systems, Inc. Columbia, MD USA. All Rights Reserved.

Wireless Best Practices Page 1 of 94
Declarations

Warranties

Although the best efforts are made to ensure that the information in this document is complete and correct, MICROS Systems, Inc. makes no warranty of any kind with regard to this material, including but not limited to the implied warranties of marketability and fitness for a particular purpose. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information recording and retrieval systems, for any purpose other than for personal use, without the express written permission of MICROS Systems, Inc. MICROS Systems, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this document.

Trademarks

Adobe FrameMaker is a registered trademark of Adobe Systems Incorporated.
The following are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries:
   Operating Systems - Windows 7, Microsoft Windows Server 2008 R2 (Release 2), Microsoft Windows Server 2008, Microsoft Windows Server 2003 and Windows XP.
   Database Platforms - Microsoft SQL Server 2008 R2 (Release 2), Microsoft SQL Server 2008 and Microsoft SQL Server 2005.
   Other products - Microsoft Excel, Win32 and Windows CE.
The following are registered trademarks of the Oracle Corporation:
   Database Platforms - Oracle 11g R2 (Release 2), Oracle 11g and Oracle 10g.
Visio is a registered trademark of Visio Corporation.
All other trademarks are the property of their respective owners.
Who Should Be Reading This Document

This document is intended for the following audiences:
   MICROS Installers/Programmers
   MICROS Dealers
   MICROS Customer Service
   MICROS Training Personnel
   MIS or IT Personnel

What the Reader Should Already Know

This document assumes the reader has the following knowledge or expertise:
   Operational understanding of PCs
   Understanding of basic network concepts
Important Security Warning:

The PCI DSS Wireless Guideline Informational Supplement version 2.0 references several security methods. This document will specify the highest possible security method for each device. However, it is sometimes not practical to use all the recommendations specified in the supplement. See below:

From Section 4.4.1 Summary of Recommendations:
A. WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption is recommended for WLAN networks.
B. It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase and AES encryption.
C. Pre-Shared Keys should be changed on a regular basis.
D. Centralized management systems that can control and configure distributed wireless networks are recommended.
E. The use of WEP in the CDE is prohibited for all deployment after June 30, 2010.

PCI Wireless requirements can be broken down into two primary categories.

1. Generally applicable wireless requirements: These are requirements that all organizations should have in place to protect their networks from attacks via rogue or unknown wireless access points (APs) and clients. They apply to organizations regardless of their use of wireless technology and regardless of whether the wireless technology is a part of the CDE or not. As a result, they are generally applicable to organizations that wish to comply with PCI DSS.
2. Requirements applicable for in-scope wireless networks: These are requirements that all organizations that transmit payment card information over wireless technology should have in place to protect those systems. They are specific to the usage of wireless technology that is in scope for PCI DSS compliance, namely the Cardholder Data Environment (CDE). These requirements apply in addition to the universally applicable set of requirements.

This document will assume that all Access Points will operate inside the CDE scope as explained in the PCI DSS Wireless Implementation Guide 2.0.
For wireless environments, change wireless vendor defaults, including but not limited to:
   Wired Equivalent Privacy (WEP) keys
   Default Service Set Identifiers (SSID)
   Default Passwords
   SNMP Community Strings
   Disable SSID Broadcasts
   Enable Wi-Fi protected access (WPA or WPA2) technology for encryption EAP authentication when WPA-capable
Default settings must be changed before the site goes live to maintain PCI compliancy.

All wireless encryption keys must be changed at least once a year to maintain PCI compliancy.

For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.

If WEP is used, do the following:
   Use with a minimum 104-bit encryption key and 24-bit initialization value
   Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
   Rotate shared WEP keys quarterly (or automatically if the technology permits)
   Rotate shared WEP keys whenever there are changes in personnel
   Restrict access based on media access control (MAC) address
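The recommendations quoted above (Section 4.4.1 items B, C and E, the default-SSID requirement and the once-a-year key change) can be checked mechanically before a site goes live. The following is an added example, not part of the MICROS guide: it generates a random WPA2-PSK passphrase and audits WLAN profiles against those rules. The profile field names, finding codes, sample profiles and the short default-SSID list are assumptions constructed for illustration.

```python
import secrets
import string
from datetime import date

MIN_PSK_LEN = 13          # Section 4.4.1 B as quoted in this document
MAX_KEY_AGE_DAYS = 365    # "changed at least once a year"
SPECIALS = "!#$%&*+-=?@^_"
# Illustrative factory SSIDs only; replace with the defaults of your own APs.
DEFAULT_SSIDS = {"default", "linksys", "wireless"}
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def missing_classes(passphrase):
    """Return the character classes the passphrase policy asks for but lacks."""
    return [name for name, chars in CLASSES.items()
            if not any(ch in chars for ch in passphrase)]


def generate_passphrase(length=20):
    """Random passphrase from the OS CSPRNG with all four classes present."""
    if not MIN_PSK_LEN <= length <= 63:   # 63 is the WPA2 passphrase maximum
        raise ValueError("length must be between 13 and 63")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def audit_profile(profile, today, org_names=()):
    """Return finding codes for one WLAN profile (hypothetical dict layout)."""
    findings = []
    ssid = profile["ssid"].lower()
    auth, enc = profile["auth"], profile["encryption"]
    if ssid in DEFAULT_SSIDS:                        # vendor default left in place
        findings.append("DEFAULT_SSID")
    if any(name.lower() in ssid for name in org_names):
        findings.append("SSID_NAMES_ORG")            # SSID identifies the organization
    if "WEP" in (auth, enc):                         # item E: prohibited in the CDE
        findings.append("WEP_PROHIBITED")
    elif enc != "AES":                               # items A and B both call for AES
        findings.append("NOT_AES")
    if auth == "WPA-PSK":                            # Personal mode must be WPA2
        findings.append("WPA_PSK_NOT_WPA2")
    if auth.endswith("-PSK"):
        psk = profile.get("passphrase", "")
        if len(psk) < MIN_PSK_LEN:
            findings.append("PSK_TOO_SHORT")
        if missing_classes(psk):
            findings.append("PSK_MISSING_CLASSES")
    changed = profile.get("key_changed")             # absent for 802.1X profiles
    if changed is not None and (today - changed).days > MAX_KEY_AGE_DAYS:
        findings.append("KEY_OLDER_THAN_1_YEAR")
    return findings


# Constructed sample profiles, not taken from any real site.
SAMPLE_PROFILES = [
    {"ssid": "linksys", "auth": "WEP", "encryption": "WEP",
     "key_changed": date(2010, 1, 5)},
    {"ssid": "AcmeCafe-POS", "auth": "WPA2-PSK", "encryption": "TKIP",
     "passphrase": "Summer2011", "key_changed": date(2011, 3, 1)},
    {"ssid": "fl2-west-7", "auth": "WPA2", "encryption": "AES", "eap": "PEAP"},
]

if __name__ == "__main__":
    audit_date = date(2011, 9, 1)                    # fixed date for repeatable output
    for p in SAMPLE_PROFILES:
        print(p["ssid"], audit_profile(p, audit_date, org_names=("acme",)) or "OK")
    print("new passphrase:", generate_passphrase())
```

The audit cannot tell whether an existing passphrase was randomly generated, only whether it meets the length and character-class rules, so passphrases should come from a generator like the one shown rather than be chosen by hand.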
Table of Contents

Configuring the Wireless Workstation 4
Configuring the Wireless Workstation 4 LX
Configuring the Wireless Keyboard Workstation 270
Configuring the Wireless Workstation 5
Configuring the Windows CE Wireless Workstation 5a
Configuring the POSReady 2009 Wireless Workstation 5a
Configuring the Dual-Core Windows 7 Wireless Workstation 5a
Configuring the POSReady 2009 Wireless PCWS 2015
Configuring the Windows 7 Wireless PCWS 2015
Configuring the Wireless PCWS 2010 with Windows XP Professional
Configuring the Wireless PCWS 2010 with Windows Server 2003
Configuring the PPT8846 to use PEAP Authentication
Configuring the Symbol MC50 to use PEAP Authentication
Configuring the Symbol MC70
Configuring the Motorola MC55
Configuring the Motorola MC55a
Configuring the Symbol AP5131 Access Point
Configuring the Symbol WS2000 Wireless Switch
Configuring the Symbol RFS4000 Wireless Switch
Configuring the Wireless Workstation 4

It is possible to have a Wireless Workstation 4 (WS4) with one of the following configurations.

1. Cisco PCMCIA WLAN Card Aironet 350. MICROS part # 400624-001
   Only capable of 128 Bit WEP encryption.
   This configuration is not PCI compliant.
   To become compliant, upgrade to 400633-110. See number 4 below.
2. Linksys PCMCIA WLAN Card. MICROS part # 400624-701
   Only capable of 128 Bit WEP encryption.
   This configuration is not PCI compliant.
   To become compliant, upgrade to 400633-110. See number 4 below.
3. Microsoft MN-520 PCMCIA WLAN Card. MICROS Part # 400624-101
   This card is capable of using WPA-PSK.
   This configuration is not PCI compliant because WPA2 is required.
4. KIT, MINI-PCI UPGRADE, WS4, KWS4. MICROS part # 400633-110
   This card is capable of using WPA-Enterprise.
   This configuration is PCI compliant when using WPA encryption with PEAP authentication and placed behind a Firewall.
   See Procedure 1 below.

Criteria:
1. The WS4 and the server must have CAL version 1.0.2.27 or higher installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. An Access Point capable of using WPA encryption
3. RADIUS Server, e.g. Internet Authentication Service
4. Must use a static IP address
5. Keyboard (PS/2 or USB)

Summary:
This document will explain the steps necessary to connect a Wireless WS4 for PCI compliance. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the MICROS Mini-PCI wireless network card

See Misc. Document MD0011-12 located on the Hardware Portal for instructions on installing the card.

1. With the card installed according to the instructions in step 1, power-on the Workstation. If the card has never been configured, the WS4 will display a Wireless Configuration dialog box on the desktop. See Figure 1.
   Figure 1
2. Double click the [Add New] selection to open the Wireless Network Properties dialog box (Figure 2).
   1. Enter the SSID for your AP.
   2. Select TKIP for the Encryption
   3. Select WPA for the Authentication
   4. Select PEAP as the 802.1X protocol
   5. Select Properties and unselect the Validate Server check box.
   6. Press [OK] to close and save
   7. Press [OK] to close and save
   8. Highlight your AP and press [Connect]
   Figure 2
3. Once you have association, you can leave the Wireless network card on DHCP (the default setting) or you can set a static address by going to START > SETTINGS > NETWORK AND DIAL-UP CONNECTIONS. Double click the ISLP21 icon and enter a static IP address, subnet mask, and gateway if using a router.
4. Run the MICROS CAL normally.
Configuring the Wireless Workstation 4 LX

It is possible to have a Wireless Workstation 4LX with one of the two configurations below.

1. Mini-PCI Card Eazix, MICROS part #400633-110 (Discontinued)
   This card is capable of using WPA2 encryption.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
   See Procedure 1 below.
2. Mini-PCI Card Abocom, MICROS part #400624-150
   This card is capable of using WPA2 encryption.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
   See Procedure 1 below.

Criteria:
1. The WS4 LX and the server must have a minimum CAL version 6.1.3.68 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. A WPA2 compatible Access Point
3. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless WS4 LX for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS4LX always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the WS4 LX for use with the MICROS wireless mini-pci card. Part # 400633-110 or 400624-150

1. See the Workstation 4LX Setup Guide (Part #100016-162) located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card has never been configured, the WS4 LX will display a Wireless Configuration dialog box on the desktop asking you to configure the wireless network. See Figure 3.
   Figure 3
3. Double click the [Add New] selection to open the Wireless Network dialog box. See Figure 4.
   1. Enter the SSID for your Access Point. Case Sensitive
   2. Select AES for the Encryption
   3. Select WPA2-PSK for the Authentication
   4. Enter a Network key. This is a passphrase and must match the WPA2-PSK passphrase of your AP. Please use a strong password policy that includes upper and lower case, numeric and special characters.
   5. Press [OK] to close and save.
   6. Highlight your AP and press [Connect]
   Figure 4
4. Once you have association, you can leave the Wireless network card on DHCP (the default setting) or you can set a static address by going to START > SETTINGS > NETWORK AND DIAL-UP CONNECTIONS. Double click the Wireless Card icon and enter a static IP address, subnet mask and gateway if using a router.
5. Run the MICROS CAL normally.
Configuring the Wireless Keyboard Workstation 270

It is possible to configure the KW270 with the Sagrad USB Wireless Card (MD0018-002).

Part used to make the KW270 Wireless:
   MICROS Part #: MD0018-002
   Description: Sagrad USB Wireless Card. Capable of WPA & WPA2 Personal and Enterprise
   This configuration is PCI compliant when using WPA encryption with PEAP authentication and placed behind a Firewall.

Criteria:
1. The KW270 and the server must have CAL version X.X.X.X or higher installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. An Access Point capable of using WPA2 encryption
3. RADIUS Server, e.g. Internet Authentication Service
4. Must use a static IP address
5. Keyboard (PS/2 or USB)

Summary:
This document will explain the steps necessary to connect a Wireless KW270 for PCI compliance. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the Sagrad USB Wireless Card (MD0018-002)

1. Consult the instructions for installing the card that are supplied with the Sagrad USB Wireless Card MD0018-002 kit.
2. With the card installed according to the instructions in Step 1, Power-On the KW270. If the card has never been configured, the KW270 will display a Wireless Configuration dialog box on the desktop. See Figure 5.
   Figure 5
3. If your Wireless network appears in the list, double click it, otherwise double click the Add New selection to open the Wireless Network dialog box. See Figure 6.
   1. Enter the SSID of your Access Point. Case sensitive
   2. Select AES for the Encryption
   3. Select WPA2 for the Enterprise Authentication
   Figure 6
4. In order to see the rest of the dialog box on the KW270 Screen, move the Wireless Network Properties window up as far as possible, so that it matches Figure 7.
   Figure 7
   1. Select the now visible PEAP as your IEEE 802.1X authentication. PEAP is a security method that requires a user name and password before being able to join the network.
   2. Select the Properties button. See Figure 8. If you are using a certificate to validate the RADIUS Server, enter the certificate now. If you are not using a certificate, uncheck the Validate Server box.
   3. Press OK to close and save
   4. Press OK on the top right of the Wireless Network Properties dialogue box to save.
   5. Highlight your AP and press Connect
   Figure 8
5. Once you have association, you can leave the Wireless network card on DHCP (the default setting) or you can set a static address by going to START > SETTINGS > NETWORK AND DIAL-UP CONNECTIONS. Double click the RT2501USB1 icon and enter a static IP address, subnet mask and gateway if using a router.
6. Run the MICROS CAL normally.
Configuring the Wireless Workstation 5

It is possible to have a Wireless Workstation 4LX with one of the two configurations below.

Mini-PCI Card Eazix, MICROS part # = 400633-110 (Discontinued)
   This card is capable of using WPA2 encryption.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
   See Procedure 1 below.
Mini-PCI Card Abocom, MICROS part # 400633-220
   This card is capable of using WPA2 encryption.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
   See Procedure 1 below.

Both cards are configured identically.

Criteria:
   The WS5 must have a minimum CAL version 7.1.3.68 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
   An 802.11i compatible Access Point
   USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless WS5 for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS5 always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-pci card. Part # 400633-110

1. See the Workstation 5 Setup Guide (Part #100016-165) located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card has never been configured, the WS5 will display a Wireless Configuration dialog box on the desktop asking you to configure the wireless network. See Figure 9.
   Figure 9
3. Double click the [Add New] selection to open the Wireless Network dialog box. See Figure 10.
   1. Enter the SSID for your Access Point. Case Sensitive
   2. Select AES for the Encryption
   3. Select WPA2-PSK for the Authentication
   4. Enter a Network key. This is a passphrase and must match the WPA2-PSK passphrase of your AP. Please use a strong password policy that includes upper and lower case, numeric and special characters.
   5. Press [OK] to close and save.
   6. Highlight your AP and press [Connect]
   Figure 10
4. Once you have association, you can leave the Wireless network card on DHCP (the default setting) or you can set a static address by going to START > SETTINGS > NETWORK AND DIAL-UP CONNECTIONS. Double click the Wireless Network Connection icon and enter a static IP address, subnet mask and gateway if using a router.
5. Run the MICROS CAL normally.
Configuring the Windows CE Wireless Workstation 5a

It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the PCWS 2010, WS5 and WS4 LX Workstations.

Part used to make the WS5a Wireless:
   MICROS part #: 400633-115 or 400633-220
   Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a.
   This card is capable of using WPA2 encryption with AES.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
   See Procedure 1 below.

Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 1.2.
2. The WS5a must have a minimum CAL version 13.1.3.68 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless WS5a must use MICROS part # 400633-115 or 400633-220
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device, e.g. IAS Server or the WS2000
6. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is for reference only.
Security Method 1: (WPA2-PSK) Wi-Fi Protected Access 2 with Pre-Shared Key

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE: PCI DSS Wireless Guideline Whitepaper Version 1.2 section 4.4.1 states:
   It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase and AES encryption.
   Pre-Shared Keys should be changed on a regular basis.

Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card has never been configured, the WS5a will display a Wireless Configuration dialog box on the desktop asking you to configure the wireless network. See Figure 11.
   Figure 11
3. Double click the [Add New] selection to open the Wireless Network dialog box. See Figure 12.
   1. Enter the SSID for your Access Point. Case Sensitive
   2. Select AES for the Encryption
   3. Select WPA2-PSK for the Authentication
   4. Enter a Network key. This is a passphrase and must match the WPA2-PSK passphrase of your AP. Please use a strong password policy that includes upper and lower case, numeric and special characters.
   5. Press [OK] to close and save.
   6. Highlight your AP and press [Connect]
   Figure 12
4. Once you have association, you can leave the Wireless network card on DHCP (the default setting) or you can set a static address by going to START > SETTINGS > NETWORK AND DIAL-UP CONNECTIONS. Double click the PCI-E1Y51CE61 icon and enter a static IP address, subnet mask and gateway if using a router.
5. Run the MICROS CAL normally.
Security Method 2: (WPA2) Wi-Fi Protected Access 2 and PEAP Authentication

Follow this procedure if you are using the PCI recommended 802.11i WPA2-Enterprise security method.

Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card has never been configured, the WS5a will display a Wireless Configuration dialog box on the Desktop asking you to configure the wireless network. See Figure 13.
   Figure 13
3. If your Wireless network appears in the list, double click it, otherwise double click the [Add New] selection to open the Wireless Network dialog box. See Figure 14.
   Figure 14
   1. Enter the SSID for your Access Point. Case Sensitive
   2. Select AES for the Encryption
   3. Select WPA2 for the Enterprise Authentication
   4. Select PEAP as your IEEE 802.1X authentication. PEAP is a security method that requires a user name and password before being able to join the network.
   5. Select the Properties button. See Figure 15. If you are using a certificate to validate the RADIUS Server, enter the certificate now. If you are not using a certificate, uncheck the Validate Server box.
   6. Press [OK] to close and save
   7. Press [OK] to close and save
   8. Highlight your AP and press [Connect]
   Figure 15
4. Once you have association, you can leave the Wireless network card on DHCP (the default setting) or you can set a static address by going to START > SETTINGS > NETWORK AND DIAL-UP CONNECTIONS. Double click the PCI-E1Y51CE61 icon and enter a static IP address, subnet mask and gateway if using a router.
5. Run the MICROS CAL normally.
Configuring the POSReady 2009 Wireless Workstation 5a

It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the PCWS 2010, WS5 and WS4 LX Workstations.

Part used to make the WS5a Wireless:
   MICROS part #: 400633-220
   Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a
   This card is capable of using WPA2 encryption with AES.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.

Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The WS5a must have a minimum CAL version 13.1.3.68 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless WS5a must use MICROS part #400633-220
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device, e.g. IAS Server or the WS2000
6. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is for reference only.
(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states:
   It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase, with AES encryption.
   Pre-Shared Keys should be changed on a regular basis.

Configuring the WS5a POSReady for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed go to Start > Settings > Network Connections
3. Right click on the Wireless Network Connection icon and select Properties. See Figure 16.
   Figure 16
4. Select the Wireless Networks tab. See Figure 17.
   Figure 17
5. Click the Add button. See Figure 18.
   1. Enter the SSID of your Access Point (Case Sensitive)
   2. Select WPA2-PSK and TKIP
   3. Enter the secure Passphrase that matches the one entered on your Access Point
   4. Click OK
   Figure 18
6. If you are using DHCP, you can click OK and let the WS5a make an association with the Access Point designated in Step 4. If you are using a static IP address, do not press OK, instead highlight Internet Protocol (TCP/IP) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP address radio button and manually enter proper IP, subnet and gateway addresses.
7. Press OK
8. Press OK
9. You should now have an association with your AP. The taskbar icon should look like Figure 19.
   Figure 19: Wireless network card is associated
10. Run the MICROS CAL normally.
Configuring the Dual-Core Windows 7 Wireless Workstation 5a

It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the PCWS 2010, WS5 and WS4 LX Workstations.

Part used to make the WS5a Wireless:
   MICROS part #: 400633-220
   Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a
   This card is capable of using WPA2 encryption with AES.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.

Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The WS5a must have a minimum CAL version 13.1.3.115 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless WS5a must use MICROS part #400633-220
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device, e.g. IAS Server or the WS2000
6. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is for reference only.
(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states:
   It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase, with AES encryption.
   Pre-Shared Keys should be changed on a regular basis.

Configuring the DC WS5a Win7 for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed go to Start > Control Panel and click Network and Internet
3. Click on Network and Sharing Center
4. Click Set up a new connection or network, highlight Manually connect to a wireless network and press Next. See Figure 20.
   1. Enter the SSID of your Access Point (Case Sensitive)
   2. Select WPA2-Personal and AES Encryption type
   3. Check Hide characters
   4. Enter the secure Passphrase that matches the one entered on your Access Point
   5. Check Connect even if the network is not broadcasting *
   Figure 20
   *NOTE: Windows recommends against connecting to APs that do not broadcast. However, the PCI Whitepaper v2.0 Section 4.2.1 states that while suppressing SSID is not required, broadcasting an SSID that advertises the organization's name or is easily identifiable with the organization is not recommended. Default SSID values should always be changed.
5. Click Next
6. If you are using DHCP, your wireless card will associate with the AP now. If you are using a static IP, click on the Wireless Network Connection (SSID) in the Network and Sharing Center window and click Properties. Highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP addresses radio button and manually enter proper IP, subnet and gateway addresses.
7. Press OK twice.
8. You will now be associated with your AP. The taskbar icon should look like Figure 21.
   Figure 21
9. If the taskbar icon looks like Figure 22 then you need to ensure that you are connected with your AP.
   Figure 22
10. Right click on the Wireless Connection Icon in the task bar and select Open Network and Sharing Center. Click on Wireless Network Connection (SSID) shown in Figure 23.
   Figure 23
11. Click Details
12. Look at the Value for IPv4 Address and verify that you have attained an IP address from the AP that fits within the proper IP Address Schema for your network. See Figure 24.
   Figure 24
13. Click Close twice and close the Network and Sharing Center window.
14. Run the MICROS CAL normally.
Configuring the POSReady 2009 Wireless PCWS 2015

Currently, only the SparkLAN WMIR-200N (P/N # 400633-225) is compatible with the PCWS 2015.

Part used to make the WS5a Wireless:
   MICROS part #: 400633-225
   Description: WIRELESS (802.11a/b/g/n) UPGRADE KIT WS5/WS5A/PCWS2015, INCLUDES MINI-PCI CARD, ANTENNAS AND INSTALLATION INSTRUCTIONS
   This card is capable of using WPA2 with AES encryption.
   This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.

Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The PCWS 2015 must have a minimum CAL version 3.1.3.115 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless PCWS2015 must use MICROS part #400633-225
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device, e.g. IAS Server or the WS2000
6. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless PCWS2015 for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the POSReady 2009 PCWS 2015 (WPA2-PSK) Wi-Fi Protected Access with Pre-Shared Key using the Windows Wireless Zero Configuration (WZC) Service

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states:
   It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase, with AES encryption.
   Pre-Shared Keys should be changed on a regular basis.

Configuring the WS5a POSReady for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed go to Start > Settings > Network Connections
3. Right click on the Wireless Network Connection icon and select Properties. See Figure 25.
   Figure 25
4. Select the Wireless Networks tab. See Figure 26.
   Figure 26
5. Click the Add button. See Figure 27.
   1. Enter the SSID of your Access Point (Case Sensitive)
   2. Select WPA2-PSK and TKIP
   3. Enter the secure Passphrase that matches the one entered on your Access Point
   4. Click OK
   Figure 27
6. If you are using DHCP, you can click OK and let the WS5a make an association with the Access Point designated in Step 4. If you are using a static IP address, do not press OK, instead highlight Internet Protocol (TCP/IP) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP address radio button and manually enter proper IP, subnet and gateway addresses.
7. Press OK
8. Press OK
9. You should now have an association with your AP. The taskbar icon should look like Figure 28.
   Figure 28
10. Run the MICROS CAL normally.
Procedure 2: Configuring the POSReady 2009 PCWS 2015 (WPA2-PSK) Wi-Fi Protected Access with Pre-Shared Key using the Ralink WLAN Utility and Ralink Configuration Tool

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states: It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase, with AES encryption. Pre-Shared Keys should be changed on a regular basis.

This Procedure applies when, during the Mini-PCI Wireless Card driver installation, the option to use the Ralink WLAN Utility was chosen.

Configuring the WS5a POSReady for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. When the installation of the driver and software is complete, the Ralink WLAN Utility will launch automatically.
3. Click on the Profile tab at the top of the screen, seen in Figure 29.
4. Click the Add button.

Figure 29
Figure 30

5. Enter the SSID of the Access Point you wish to connect to, seen in Figure 30.
6. Click the Auth. \ Encry. tab to set up the correct Authentication and Encryption types for your AP.
Figure 31

7. If your AP is using WPA2-PSK Personal Mode, select that for Authentication and choose AES for Encryption, as seen in Figure 31. Enter the Secure Passphrase that matches the one set up on the AP in the WPA Preshared Key field.
8. If your AP is set up with WPA2 Enterprise Mode, using AES Encryption and EAP Authentication, select WPA2 for Authentication and AES for Encryption, and click the 802.1x tab to continue the setup.
Figure 32

9. Click on the Client Certificate, seen in Figure 32, and check the Use Client certificate box.
10. Select your certificate from the drop down list and click OK.
Figure 33

11. Highlight the Profile you have created and click the Activate button, as seen in Figure 33.
12. If you are using DHCP, verify that you have an IP address, Sub Mask, and Default Gateway assigned. If so, you are associated with the AP and can close the Ralink Configuration Utility and run the MICROS CAL.
13. If you are using a static IP address, close the Ralink Configuration Utility, and go to Start, Settings, Network Connections. Right click on the Wireless Network Connection, and select Properties. Highlight Internet Protocol (TCP/IP) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP address radio button and manually enter proper IP, subnet and gateway addresses.
14. Press OK
15. Press OK
16. You should now have an association with your AP. The taskbar icon should look like Figure 34.
17. Run the MICROS CAL normally.

Figure 34
Configuring the Windows 7 Wireless PCWS 2015

Currently, only the SparkLAN WMIR-200N (P/N # 400633-225) is compatible with the PCWS 2015.

Part used to make the WS5a Wireless:
MICROS part #: 400633-225
Description: WIRELESS (802.11a/b/g/n) UPGRADE KIT WS5/WS5A/PCWS2015, INCLUDES MINI-PCI CARD, ANTENNAS AND INSTALLATION INSTRUCTIONS

This card is capable of using WPA2 with AES encryption. This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.

Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The PCWS 2015 must have a minimum CAL version 3.1.3.115 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless PCWS2015 must use MICROS part #400633-225
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device e.g. IAS Server or the WS2000
6. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless PCWS2015 for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is for reference only.
(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states: It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase, with AES encryption for WPA2. Pre-Shared Keys should be changed on a regular basis.

Configuring the PCWS 2015 Win7 for use with the MICROS wireless mini-pci card. Part # 400633-220

1. See the PCWS 2015 Setup Guide located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed go to Start, Control Panel and click Network and Internet.
3. Click on Network and Sharing Center.
4. Click Set up a new connection or network, highlight Manually connect to a wireless network and press Next. See Figure 35.

   1. Enter the SSID of your Access Point (Case Sensitive)
   2. Select WPA2-Personal and AES Encryption type
   3. Check Hide Characters
   4. Enter the secure Passphrase that matches the one entered on your Access Point
   5. Check Connect even if the network is not broadcasting *

Figure 35

*NOTE: Windows recommends against connecting to APs that do not broadcast; however, the PCI Whitepaper v2.0 Section 4.2.1 states that while suppressing SSID is not required, broadcasting an SSID that advertises the organization's name or is easily identifiable with the organization is not recommended. Default SSID values should always be changed.

5. Click Next
6. If you are using DHCP, your wireless card will associate with the AP now. If you are using a static IP, click on the Wireless Network Connection (SSID) in the Network and Sharing Center window and click Properties. Highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP addresses radio button and manually enter proper IP, subnet and gateway addresses.
7. Press OK twice.
8. You will now be associated with your AP. The taskbar icon should look like Figure 36.

Figure 36

9. If the taskbar icon looks like Figure 37 then you need to ensure that you are connected with your AP.

Figure 37

10. Right click on the Wireless Connection Icon in the task bar and select Open Network and Sharing Center. Click on Wireless Network Connection (SSID), shown in Figure 38.

Figure 38
11. Click Details
12. Look at the Value for IPv4 Address and verify that you have attained an IP address from the AP that fits within the proper IP Address Schema for your network. See Figure 39.

Figure 39

13. Click Close twice and close the Network and Sharing Center window.
14. Run the MICROS CAL normally.
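Once the Windows 7 profile exists, it can be exported and checked against the criteria this guide states (WPA2, AES, a passphrase of at least 13 characters, no default SSID). The script below is an added example, not part of the MICROS guide; it assumes profiles exported with `netsh wlan export profile folder=. key=clear`, and the sample profiles, function names and default-SSID list are constructed for illustration.

```python
"""Audit exported Windows WLAN profile XML against this guide's WPA2/AES criteria."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
MIN_PASSPHRASE_LEN = 13  # PCI DSS Wireless Guideline v2.0, Section 4.4.1, as quoted in the guide
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # illustrative list, an assumption

# Constructed template in the layout written by "netsh wlan export profile".
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig>
    <SSID><name>{ssid}</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>{key}</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


def sample_profile(ssid, auth, enc, key):
    """Build a constructed sample profile (test data only, not from a real site)."""
    return PROFILE_TEMPLATE.format(ssid=escape(ssid), auth=auth, enc=enc, key=escape(key))


def _text(root, path):
    """Return the text of the element at path, or '' when it is absent."""
    node = root.find(path, NS)
    return (node.text or "") if node is not None else ""


def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile meets the criteria."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    ssid = _text(root, "w:SSIDConfig/w:SSID/w:name")
    auth = _text(root, sec + "w:authEncryption/w:authentication")
    enc = _text(root, sec + "w:authEncryption/w:encryption")
    key_type = _text(root, sec + "w:sharedKey/w:keyType")
    protected = _text(root, sec + "w:sharedKey/w:protected")
    key = _text(root, sec + "w:sharedKey/w:keyMaterial")

    findings = []
    if auth not in ("WPA2PSK", "WPA2"):
        findings.append(f"AUTH: {auth or 'none'} is not WPA2")
    if enc != "AES":
        findings.append(f"CIPHER: {enc or 'none'} in use, the guide calls for AES")
    if key_type == "passPhrase":
        if protected.strip().lower() == "true":
            # Key was exported encrypted, so its length cannot be measured here.
            findings.append("KEY: stored encrypted, length not checked")
        elif len(key) < MIN_PASSPHRASE_LEN:
            findings.append(
                f"PASSPHRASE: {len(key)} characters, minimum is {MIN_PASSPHRASE_LEN}")
    if ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(f"SSID: '{ssid}' looks like a vendor default")
    return findings


if __name__ == "__main__":
    samples = {
        "compliant": sample_profile("store-7f3a", "WPA2PSK", "AES", "q7!Vd2#nLx9@Zr4u"),
        "weak": sample_profile("linksys", "WPAPSK", "TKIP", "pos12345"),
    }
    for label, xml_text in samples.items():
        print(label, audit_profile(xml_text) or "OK")
```

A file exported with `key=clear` contains the passphrase in plain text, so delete it as soon as the check has run.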
Configuring the Wireless PCWS 2010 with Windows XP Professional

It is possible to configure the PCWS2010 with the same Mini-PCI wireless card as that used in the WS4, WS4 LX and WS5.

Part used to make the PCWS 2010 Wireless:
MICROS part #: 400633-110
Description: KIT,MINI-PCI UPGRADE, 2010, WS4 LX, PCWS 2010.

This card is capable of using WPA2 encryption. This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall. See Procedure 1 below.

Criteria:
1. The PCWS 2010 must have a minimum CAL version 3.1.3.56 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. The Wireless PCWS 2010 must use MICROS part # 400633-110
3. A WPA2 compatible Access Point
4. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless PCWS 2010 for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the PCWS 2010 always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the PCWS 2010 for use with the MICROS wireless mini-pci card. Part # 400633-110

1. See the PCWS 2010 Setup Guide (Part #100016-144) located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card has never been configured, the PCWS 2010 displays a message indicating that it has found new Hardware. Browse to the C:\B\MINI PCI LAN Drivers folder and let the install utility set up the drivers. After the drivers are loaded, go to Start, Settings, Network Connections. When the dialog box opens, highlight the Wireless Network Connection icon and select Change settings of this connection. See Figure 40.

Figure 40

3. Select the Wireless Networks tab. See Figure 41.
4. Click [Add...]. See Figure 42.
   1. Enter the SSID of your Access Point (Case Sensitive)
   2. Select WPA2-PSK and AES
   3. Enter the secure Passphrase that matches the one entered on your AP
   4. Click [OK]

Figure 41
Figure 42

8. If you are using DHCP, you can click [OK] and let the PCWS 2010 make an association with the Access Point designated in step 4. If you are using a static IP address, do not press [OK]; instead, highlight Internet Protocol (TCP/IP) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP address radio button and manually enter proper IP, subnet and gateway addresses.
9. Press [OK]
10. Press [OK]
11. You should now have an association with your AP. The taskbar icon should look like Figure 43.
12. Run the MICROS CAL normally.

Figure 43: Wireless Network Card is associated
Configuring the Wireless PCWS 2010 with Windows Server 2003

It is possible to configure the PCWS2010 with the same Mini-PCI wireless card as that used in the WS4, WS4 LX and WS5.

Part used to make the PCWS 2010 Wireless:
MICROS part #: 400633-110
Description: KIT,MINI-PCI UPGRADE,PCWS 2010, WS4 LX, WS5.

This card is capable of using WPA2 encryption. This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall. See Procedure 1 below.

Criteria:
1. The PCWS 2010 must have a minimum CAL version 3.1.3.56 installed. CAL can be downloaded from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. The Wireless PCWS 2010 must use MICROS part # 400633-110
3. A WPA2 compatible Access Point
4. USB Keyboard

Summary:
This document will explain the steps necessary to connect a Wireless PCWS 2010 for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the PCWS 2010 always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the PCWS 2010 for use with the MICROS wireless mini-pci card. Part # 400633-110

1. See the PCWS 2010 Setup Guide (Part #100016-144) located on the Hardware Portal for instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card has never been configured, the PCWS 2010 displays a message indicating that it has found new Hardware. Browse to the C:\B\MINI PCI LAN Drivers folder and let the install utility set up the drivers. After the drivers are loaded, go to Start, Settings, Network Connections. When the dialog box opens, highlight the Wireless Network Connection icon and select File, Properties. See Figure 44.

Figure 44

3. Select the Wireless Networks tab. See Figure 45.
4. Click [Add...]. See Figure 46.

Figure 45
Figure 46

   1. Enter the SSID of your Access Point (Case Sensitive)
   2. Select WPA2-PSK and AES
   3. Enter the secure Passphrase that matches the one entered on your AP
   4. Click [OK]

5. If you are using DHCP, you can click [OK] and let the PCWS 2010 make an association with the Access Point designated in step 4. If you are using a static IP address, do not press [OK]; instead, choose the [General] Tab, highlight Internet Protocol (TCP/IP) and click Properties. The Internet Protocol Properties box will open. Highlight the Use the following IP address radio button and manually enter proper IP, subnet and gateway addresses.
6. Press [OK]
7. Press [OK]
8. You should now have an association with your AP. The taskbar icon will look like Figure 47.
9. Run the MICROS CAL normally.

Figure 47: Wireless Network Card is associated
Configuring the PPT8846 to use PEAP Authentication

The Symbol PPT8846 is certified to work with the following MICROS versions or higher:
RES 3.2, 4.0
9700 2.7
Simphony (Check the release notes)

The PPT8846 runs Pocket PC 2003 (Windows CE 4.21), which is capable of utilizing the WPA encryption security standard. The PCI-DSS Wireless recommendations (802.1x Authentication) can be met with the use of a third-party utility called Aegis. The Aegis utility is available for download from the Motorola website at http://support.symbol.com or the micros portal at: http://portal.micros.com/sites/hardware. The manuals for Aegis are also included in the same zip file as this document. For more information please reference those manuals.

Criteria:
The PPT8846 must have:
1. A minimum platform version of 33 or higher
2. A WPA and 802.1x compatible Access Point
3. Fully charged battery

Summary:
This document will explain the steps necessary to connect a Symbol PPT8846 for Wireless PCI compliant recommendations. In this document we use the highest encryption level available to the device. It is recommended that the PPT8846 always be used with 802.1X authentication. Certain assumptions are made as this document is for reference only.
Configuring the Symbol PPT8846 for PEAP

1. Read the product warranty information that came with your Symbol PPT8846.
2. Attach the battery to the PPT8846 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the PPT8846 and download the application.

Install the Aegis 802.1X Client
(Once the Aegis Utility is installed and running there is no need to configure the Built-in Mobile Companion)

1. Obtain a copy of the Aegis client (AEGIS 2.1.13-0 WM 2003 PPT8800.cab) from the micros hardware portal or packaged with this document. Copy the Aegis Utility to the \Application folder of the PPT8846. Also copy the following files to the \Application folder:
   a. AegisCopy.cpyAEGISPPT8846.reg
   b. SaveAegis.lnk
   c. AegisScript.spt
   d. AegisLicense.reg
   e. SimScriptWM.exe
2. On the PPT8846, browse the \Application folder and tap the AEGIS 2.1.13-0 WM 2003 PPT8800.cab file to install Aegis.
3. Perform a Cold Boot on the PPT8846. See the instructions at the end of this section.
4. Go through the startup wizard. A message will display indicating that This is the first time the Aegis Client has run. Press OK to this message.
5. The Aegis client opens. See Figure 48.
6. If you are going to use more than one network, you can create multiple profiles. Otherwise the profile name can be left at default. For the Authentication type, select PEAP. See Figure 48. Enter your PEAP user name and password into the Identity and password fields. This user name must correspond to the user on your RADIUS Server. See Figure 48.
   NOTE: A strong, alphanumeric password must be created with a minimum length of eight characters that includes upper and lower case letters, numbers, and special characters.

Figure 48
7. Choose EAP-MSCHAP v2 from the protocol list box.
8. Select the Server tab. See Figure 49.
9. Place a check mark at: Do not validate server certificate chain. This will prevent the Aegis utility from looking for a certificate. If you are using certificates, do not check this box. See Figure 49.
10. Press OK. You will receive a message indicating that you must restart the client. Press OK again. If the utility closes it can be re-opened by tapping the Icon in the lower right corner. A Four-Button press may be required to get around the POSLoader. See instructions for this process at the bottom of this section.
11. When the Start Icon appears, press START, Today to enter the Today screen.
12. Open the Aegis utility by tapping the Aegis utility in the lower right corner of the Today screen.
13. Tap the Spectrum24 LA41 label on the Aegis screen. Another window will open. See Figure 50.

Figure 49

14. Select Configure. See Figure 51.
15. In the Available Network list, highlight your access point and press move to configured, or click Add if your access point is not on the list.

Figure 50
Figure 51
16. Select Properties to edit the access point details. See Figure 52.
17. Select the Authentication Profile created in step 5 that corresponds to your PEAP network.
18. Select WPA Settings tab. See Figure 53.
19. In the WPA Mode list box, choose WPA 802.1X
20. In the Encryption list box, choose AES.
21. Click OK
22. Restart the client: choose Client, Restart to restart the utility. The utility should start Authenticated when connected. If you do not get an Authenticated message, go back and double check everything.

Figure 52
Figure 53
Once Connected to the Network

1. Close the Aegis client. Do not Exit. Exiting will disable the utility and remove the PPT8846 from the network.
2. Save your settings with Start, Save Aegis. Pressing this utility will make your device Cold Boot persistent. It is highly recommended that you run this utility after every change to the network.
3. Cold Boot the PPT8846
4. Run the POSLoader as normal except DO NOT configure the Wireless settings. Just skip that section.
5. At the Configure Network Adapters window, tap 802.11b Wireless LAN.
6. Configure the IP scheme appropriately to your network.
7. Continue the POSLoader wizard. Enter the Server IP address and the HHT name.
8. The loader will force a reboot and continue.

Performing a Four-Finger Press to Exit the MICROS Application

When the PPT8846 shipped from MICROS is booted, the POSLoader will take over. It is possible to exit from the POSLoader while on the very first splash screen. One at a time, press the following buttons: F1, F4, Function, and F1 (again). This will cause the Start Icon to display in the top left corner. You can navigate anywhere from the Start button.

Performing a Cold Boot

Remove the back cover and depress the small white reset button while simultaneously depressing the Function button. Replace the back cover and hit the red Power button (lower left-hand side).

Making Aegis Persistent

Once the network is configured and communicating, run the Save Aegis utility located on the start menu. Make a good practice of re-running this utility every time you reconfigure your network settings. You did this procedure in the first two steps of the Once Connected to the Network section.
Configuring the Symbol MC50 to use PEAP Authentication

The Symbol MC50 is certified to work with the following MICROS versions or higher:
RES 4.0
9700 3.0 SP10
Simphony 1.x

The MC50 runs Pocket PC 2003 (Windows CE 4.21), which is capable of utilizing the WPA encryption security standard. The PCI-DSS Wireless recommendations (802.1x Authentication) can be met with the use of a third-party utility called Aegis. The Aegis utility is available for download from the Motorola website at http://support.symbol.com or the micros portal at: http://portal.micros.com/sites/hardware. The manuals for Aegis are also included in the same zip file as this document. For more information please reference those manuals.

Criteria:
1. The MC50 must be on a minimum platform version of 19i or higher
2. A WPA and 802.1x compatible Access Point
3. Fully charged Battery

Summary:
This document will explain the steps necessary to connect a Symbol MC50 for Wireless PCI compliant recommendations. In this document we use the highest encryption level available to the device. It is recommended that the MC50 always be used with 802.1X authentication. Certain assumptions are made as this document is for reference only.
Configuring the Symbol MC50 for PEAP

1. Read the product warranty information that came with your Symbol MC50.
2. Attach the battery to the MC50 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the MC50 and download the application.

Install the Aegis 802.1X Client
(Once the Aegis Utility is installed and running there is no need to configure the Built-in Mobile Companion)

1. Obtain a copy of the Aegis client (AEGIS 2.1.13-0 WM 2003 PPT8800.cab) from the micros hardware portal or packaged with this document. Copy the Aegis Utility to the \Application folder of the MC50. Also copy the following files to the \Application folder:
   a. AegisCopy.cpy
   b. SaveAegis.lnk
   c. AegisScript.spt
   d. AegisLicense.reg
   e. SimScriptWM.exe
2. On the MC50, browse the \Application folder and tap the AEGIS 2.1.13-0 WM 2003 PPT8800.cab file to install Aegis.
3. Cold Boot the MC50 to force the Aegis utility to run. The Aegis client will pop open a message indicating that If this is the first time, Press OK
4. The Aegis Client will open. See Figure 54.

Figure 54

5. If you are going to use more than one network, you can create multiple profiles. Otherwise the profile name can be left at default. For the Authentication type, select PEAP. See Figure 54. Enter your PEAP user name and password into the Identity and password fields. This user name must correspond to the user on your RADIUS Server. See Figure 54.
   NOTE: A strong, alphanumeric password must be created with a minimum length of eight characters that includes upper and lower case letters, numbers, and special characters.
6. Choose EAP-MSCHAP v2 from the protocol list box.
7. Select the Server tab. See Figure 55.
8. Place a check mark at: Do not validate server certificate chain. This will prevent the Aegis utility from looking for a certificate. If you are using certificates, do not check this box. See Figure 55.
Figure 55

9. Press OK. You will receive a message indicating that you must restart the client. Press OK again. If the utility closes it can be re-opened by tapping the Icon in the lower right corner.
10. Tap the Pegasus WLAN CF label on the Aegis screen. Another window will open. See Figure 56.
11. Select Configure. See Figure 57.
12. In the Available Network list, highlight your access point and press move to configured, or click Add if your access point is not on the list.
13. Select Properties to edit the access point details. See Figure 58.
14. Select the Authentication Profile created in step 5 that corresponds to your PEAP network.
15. Select WPA Settings tab. See Figure 59.
16. In the WPA Mode list box, choose WPA 802.1X
17. In the Encryption list box, choose AES.
18. Click OK
19. Restart the client: choose Client, Restart to restart the utility. The utility should start Authenticated when connected. If you do not get an Authenticated message, go back and double check everything.

Once the network is configured, run the Save Aegis utility located on the start menu. Make a good practice of re-running this utility every time you reconfigure your network settings.

Figure 56
Figure 57
Figure 58
Figure 59
Performing a Cold Boot

Hold down the Power button and right Scan/Action button, then press and release the reset button located below the battery release on the back of the mobile computer. Release the Power button and right Scan/Action button. See Figure 60.

Figure 60

Performing a Warm Boot

Press the reset button located below the battery release on the back of the mobile computer.

Closing the CAL Client

The CAL client is forced to start every time a reboot occurs. You can by-pass the CAL screen by using the following method:
1. When the CAL is at the Version Window, press the green phone key
2. Press the calendar key
3. Press the red phone key

The CAL will disappear. You can restart it again with a Warm boot.
Configuring the Symbol MC70

The Symbol MC70 is certified to work with the following MICROS versions or higher:
RES 4.4
9700-3.1 SP4 and 3.2 SP1
Simphony - 1.0 (Check documentation for Service Pack level)

The Symbol MC70 uses Windows Mobile 5.0 (OS Version 05.01.0478), which is capable of utilizing the WPA and WPA2 encryption security standards. The MC70 is shipped from MICROS with the CAL pre-loaded.

Criteria:
1. The MC70 must be on a minimum OEM Version of 4.39.0000.
2. A WPA2 compatible Access Point
3. Fully charged battery

Summary:
This document will explain the steps necessary to connect a Symbol MC70 for PCI compliance. It is recommended that the MC70 always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is for reference only.
Configuring the Symbol MC70 for use on a MICROS system

1. Read the product warranty and enclosed documentation that shipped with your Symbol MC70.
2. Attach the battery to the MC70 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the MC70 and download the application.
4. Click the Fusion icon located in the lower right corner of the Today screen. (Instead of the Mobile Companion that was used in the past, Motorola\Symbol has changed to a similar utility called Fusion.) See Figure 61.
5. Tap the Fusion icon and select Manage Profiles. The Manage Profiles window will open.
6. Hold the stylus on the empty space in the Window and select Add. See Figure 62.
7. The Profile Entry window will open. Enter the name and ESSID of the Access Point. See Figure 63.
8. Click Next
9. Enter your Operating Mode and Country. The Operating Mode choices are Infrastructure or Ad-Hoc. Choose Infrastructure if you are connecting to an Access Point or Access Port. Select Ad-Hoc if you are only connecting mobile device to mobile device. See Figure 64.
10. Click Next
11. Select the Authentication type required. Some sites require a stronger security than WPA2_PSK. At these sites there will be an Authentication device that will require you to type a password or provide a certificate.
12. Click Next
13. The Encryption window will open. Select AES. See Figure 65.
14. Click Next
15. The Pass Phrase Window will open. Enter the WPA2 Pre-Shared Key Pass Phrase that matches your Infrastructure. See Figure 66.
    NOTE: A strong, alphanumeric password must be created with a minimum length of eight characters that includes upper and lower case letters, numbers and special characters.
16. Click Next

Figure 61
17. The IP Address Entry Window will open. Select Static or DHCP depending upon your needs and which product you will be using. In most cases a RES site will use a Static IP address and a 9700 or Simphony site will use a DHCP address.
18. Click Next. If you selected DHCP above, a Transmit Power window will open. If you selected Static above, an IP address Entry window will open; enter the appropriate IP address and Subnet Mask for your system.
19. Click Next to leave the Transmit Power set to Automatic.
20. The Battery Usage window will open. You can leave the default setting of Fast Power Save or choose an alternative.
21. Click Finish
22. Click [OK] to close the Fusion utility.
23. There will be a 60 second delay until you get a Network Connect response on the desktop. This will mean that you are successfully connected. See Figure 67.

Figure 62
Figure 63
Figure 64
Figure 65
Figure 66
Figure 67
Configuring the Motorola MC55

The Motorola MC55 is certified to work with the following MICROS versions or higher:
RES 4.6
9700-3.5
Simphony - 1.x (Check documentation for Service Pack level)

The Motorola MC55 uses Windows Mobile 6.1 (OS Version 05.02.20758), which is capable of utilizing the WPA and WPA2 encryption security standards. The MC55 is shipped from MICROS with the CAL pre-loaded.

Criteria:
1. The MC55 must be on a minimum OEM Version of 1.27.0006.
2. A WPA2 compatible Access Point
3. Fully charged battery

Summary:
This document will explain the steps necessary to connect a Motorola MC55 for PCI compliance. It is recommended that the MC55 always be used at a minimum of WPA2-PSK encryption. Certain assumptions are made as this document is for reference only.
Configuring the Motorola MC55 for use on a MICROS System

1. Read the product warranty and enclosed documentation that shipped with your Motorola MC55.
2. Attach the battery to the MC55 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the MC55 and download the application.
4. Click the Fusion icon located in the lower right corner of the Today screen. See Figure 68.
5. Tap the Fusion icon and select Manage Profiles. The Manage Profiles window will open.
6. Hold the Stylus on the Profile Motorola Wireless Out of Box Magic and select Delete to remove this Profile. If this profile does not exist, go to step 7.
7. Hold the stylus on the empty space in the Window and select Add. See Figure 69.
8. The Profile Entry window will open. Enter the name and ESSID of the Access Point. See Figure 70.
9. Click Next

Figure 68
Figure 69
Figure 70
10. Enter your Operating Mode and Country. The Operating Mode choices are Infrastructure or Ad-Hoc. Choose Infrastructure if you are connecting to an Access Point or Access Port. Select Ad-Hoc if you are only connecting mobile device to mobile device.
11. Click Next
12. Select the Security Mode used by your Infrastructure. At a minimum, WPA2-Personal must be used.
13. Select the Authentication type if required. Some sites require a stronger security than WPA2-PSK. At these sites there will be an Authentication device that will require you to type a password or provide a certificate. If you are using WPA2-Personal only, leave Authentication type at None.
14. Click Next
15. The Encryption window will open. Select AES. See Figure 71.
16. Choose Pass-phrase or Hexadecimal Keys as an entry method. Click Next.
17. The Pass-phrase Window will open. Enter the WPA Pre-Shared Key Pass-phrase or Hexadecimal key that matches your Infrastructure. See Figure 72.
18. Click Next. The IP Address Entry Window will open. Select Static or DHCP depending upon your needs and which product you will be using. In most cases a RES site will use a Static IP address and a 9700 or Simphony site will use a DHCP address.

Figure 71

19. Click Next. If you selected DHCP above, a Transmit Power window will open. If you selected Static above, an IP address Entry window will open; enter the appropriate IP address and Subnet Mask for your system.
20. Click Next to leave the Transmit Power set to Automatic.
21. The Battery Usage window will open. You can leave the default setting of Fast Power Save or choose an alternative.
22. Click Save
23. Click [OK] to close the Fusion utility.
24. Warm Boot the MC55 and allow the MICROS CAL to run as normal.

Figure 72
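Steps 16 and 17 offer a pass-phrase or a hexadecimal key as the entry method. The two are related by the standard WPA/WPA2-Personal derivation (PBKDF2-HMAC-SHA1 over the pass-phrase, salted with the ESSID, 4096 iterations, 256-bit output), which is also why the ESSID is case sensitive. The script below is an added example, not part of the MICROS guide; the function names are illustrative, and the generator applies the 13-character minimum and the character classes named in this guide's NOTEs.

```python
"""WPA2-Personal key handling: random pass-phrase generation and the hex key it maps to."""
import hashlib
import secrets
import string

# Character classes required by the guide's NOTE (upper, lower, numbers, special).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
MIN_LEN = 13   # PCI DSS Wireless Guideline v2.0, Section 4.4.1, as quoted in the guide
MAX_LEN = 63   # upper limit for a WPA2 pass-phrase (8..63 printable ASCII characters)


def generate_passphrase(length=20):
    """Return a random pass-phrase containing every required character class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        # secrets draws from the OS CSPRNG; retry until all four classes are present.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def key_entry_kind(value):
    """Classify what an operator typed: 'hex', 'passphrase' or 'invalid'."""
    if len(value) == 64 and all(ch in string.hexdigits for ch in value):
        return "hex"
    if 8 <= len(value) <= MAX_LEN and all(32 <= ord(ch) <= 126 for ch in value):
        return "passphrase"
    return "invalid"


def derive_psk(passphrase, essid):
    """Derive the 256-bit pre-shared key an AP and client compute from a pass-phrase."""
    if key_entry_kind(passphrase) != "passphrase":
        raise ValueError("pass-phrase must be 8 to 63 printable ASCII characters")
    salt = essid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    essid = "store-7f3a"  # constructed sample ESSID
    phrase = generate_passphrase()
    print("pass-phrase entry :", phrase)
    print("hexadecimal entry :", derive_psk(phrase, essid).hex())
    # Same pass-phrase, ESSID typed in a different case: a different key, no association.
    print("wrong-case ESSID  :", derive_psk(phrase, essid.upper()).hex())
```

Because the ESSID is the salt, the hexadecimal key is only valid for that exact ESSID; renaming the network means deriving and distributing a new hex key even if the pass-phrase is unchanged.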
Configuring the Motorola MC55a

The Motorola MC55 is certified to work with the following MICROS versions or higher:
RES 4.6
9700-3.5
Simphony - 1.x (Check documentation for Service Pack level)

The Motorola MC55a uses Windows Mobile 6.5 (OS Version 05.02.23121), which is capable of utilizing the WPA and WPA2 encryption security standards. The MC55a is shipped from MICROS with the CAL pre-loaded.

Criteria:
1. The MC55a must be on a minimum OEM Version of 1.34.0005.
2. The MC55a must have a minimum CAL version 15.1.3.115 installed. CAL can be downloaded from the Micros web site at
3. A WPA2 compatible Access Point
4. A Fully charged battery

Summary:
This document will explain the steps necessary to connect a Motorola MC55a for PCI compliance. It is recommended that the MC55a always be used at a minimum of WPA2-PSK encryption. Certain assumptions are made as this document is for reference only.
Configuring the Motorola MC55a for use on a MICROS system

1. Read the product warranty and enclosed documentation that shipped with your Motorola MC55a.
2. Attach the battery to the MC55a according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the MC55a and run CAL.
4. Highlight the Wi-Fi row on the Home screen, and click the Fusion Menu button at the bottom of the screen, seen in Figure 73.

Figure 73
Figure 74

5. Click the Manage Profiles button.
6. Hold the stylus on the profile Motorola Wireless Out of Box Magic and select Delete to remove this profile. If this profile does not exist go to step 7.
7. Hold the stylus on the empty space in the window and select Add, as seen in Figure 74.
8. The Wireless Lan Profile Entry window will open. Enter a Profile Name and the ESSID (case sensitive) of the Access Point you are connecting to, see Figure 75.
9. Click Next.
10. Select your Operating Mode and Country. The default is Infrastructure for connecting to an Access Point. Select Ad-Hoc if you are only connecting mobile device to mobile device.
11. Click Next.
12. Select the Security Mode used by your Infrastructure. At a minimum, WPA2-Personal must be used.
13. Select the Authentication type if required. Some sites require stronger security than WPA2-PSK. At these sites there will be an Authentication device that will require you to type a password or provide a certificate. If you are using WPA2-Personal only, leave Authentication type at None.
14. Click Next.
15. At the Encryption window, in Figure 76, select AES for Encryption type.
16. Click the Pass-phrase radio button and make sure the check box next to For added security Mask characters entered is selected.
17. Click Next.
18. Enter the WPA Pre-Shared Key pass-phrase that matches your infrastructure.
19. Click Next.
20. At the IP Address window, un-check Obtain Device IP Address Automatically if you are using a static IP. Click Next to enter your IP, Subnet and Gateway information. If you are using DHCP leave the box checked and click Next.
21. Click Next to leave the Transmit Power set to Automatic.
22. Click Save to leave the Battery Usage Mode set to Fast Power Save, or choose an alternative.
23. Click OK to close the Manage Profile Fusion Window.
24. Warm Boot the MC55a and allow the MICROS CAL to run as normal.

Figure 75
Figure 76
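How the Pass-phrase and Hexadecimal Keys entry methods in the MC55 and MC55a procedures relate, and why the ESSID is case sensitive, shown as an added example that is not MICROS or Motorola code. It uses the standard WPA/WPA2 pass-phrase mapping (PBKDF2-HMAC-SHA1 with the ESSID as salt and 4096 iterations); the function names and the sample ESSID and pass-phrase are constructed for illustration.

```python
import hashlib


def wpa2_psk(passphrase: str, essid: str) -> str:
    """Return the 256-bit WPA/WPA2 pre-shared key as 64 hexadecimal digits.

    Standard mapping: PBKDF2-HMAC-SHA1(pass-phrase, salt=ESSID, 4096 rounds, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("pass-phrase must be printable ASCII")
    salt = essid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def keys_match(passphrase: str, ap_essid: str, handheld_essid: str) -> bool:
    """True when the access point and the handheld end up with the same key."""
    return wpa2_psk(passphrase, ap_essid) == wpa2_psk(passphrase, handheld_essid)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    phrase = "Constructed-Sample-Phrase-42!"
    print("Hexadecimal key for ESSID 'MICROS-POS':", wpa2_psk(phrase, "MICROS-POS"))
    print("Same key if the ESSID is typed as 'micros-pos'?",
          keys_match(phrase, "MICROS-POS", "micros-pos"))
```

A handheld set up with the Hexadecimal Keys method needs the 64-digit value for the exact ESSID in use, and that value must be protected like the pass-phrase itself because it is the key.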
Configuring the Symbol AP5131 Access Point

Criteria:
1. This Access Point must be on a minimum firmware version of 1.1.1.0-020R.
2. A Firewall must separate the AP5131 from the MICROS Server. This can be accomplished by either:
   a. Use of an external firewall
   b. Use of the internal firewall as described in this section

Summary:
This document will explain the steps necessary to connect a Symbol AP5131 Access Point for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the AP5131 always be used at a minimum of WPA2-PSK encryption. Certain assumptions are made as this document is for reference only.
Configuring the Symbol AP5131 for use on a MICROS System

1. Read the product warranty information that came with your Symbol AP5131.
2. Gain access to the configuration utility on the AP5131 according to the manufacturer's instructions. This can be done over a Serial cable and HyperTerminal or via a Web Browser. If using a web browser, you must use a secure connection of either https or SSH.
3. Once you have gained access to the AP5131 and entered the administrator password, enter the name of this Access Point in the System Name field. See Figure 78.
4. Click [Apply].
5. Double Click [Network Configuration].
6. Click LAN. See Figure 79.

Figure 78
Figure 79
Figure 80
7. Configure the LAN to have 2 subnets. One named WIRED that uses the Ethernet Port, as shown in Figure 79.
8. The other named WIRELESS that is mapped to the WLAN. Click [WLAN Mapping] and configure it as shown in Figure 80.
9. Click OK on the Mapping Configuration screen.
10. Click [Apply] to save your LAN configuration.
11. Select the WIRED LAN, see Figure 81.

Figure 81

12. Enter the IP information for your WIRED network.
13. Click [Apply].
Figure 82

14. Select the WIRELESS LAN, see Figure 82.
15. Enter your IP information for your WIRELESS network.
16. Click [Apply].
Figure 83

17. Select the Firewall, see Figure 83.
18. Make sure that Disable Firewall is NOT checked.
19. Under Configurable Firewall Filters, check all settings EXCEPT MIME Flood Attack Check. This rule incorrectly drops packets associated with running Manager Procedures.
20. Click [Apply].
Figure 84

21. Select Firewall-Subnet Access, see Figure 84.
22. Select the intersection of From WIRELESS and To WIRED.
23. In the Rules section, select Deny all protocols, except.
24. Make sure that all the standard protocols along the left are unchecked.
25. Use the [Add] button to create the exceptions as shown above. The exceptions pertain directly to the MICROS application. Contact the MICROS helpdesk for application ports.
26. Continue using the [Add] button to create the exceptions list. In this case it is RES. See Figure 85.

Figure 85
Figure 86

27. Click [Apply].
28. Select Firewall-Subnet Access, see Figure 86.
29. Select the intersection of From WIRED and To WIRELESS.
30. In the Rules section, select Deny all protocols, except.
31. Make sure that all the standard protocols along the left are unchecked.
32. Use the [Add] button to create the exceptions as shown above.
33. Click [Apply].
Figure 87

34. Create or Edit an existing Wireless Configuration. See Figure 87.
35. Enter the ESSID and Device Name.
36. Click [Apply].
Figure 88

37. Click Security to enter the Wireless Security Configuration menu. See Figure 88.
38. Create or Edit an existing Policy.
Figure 89

39. Select the WPA2/CCMP radio button.
40. Select the ASCII PassPhrase radio button.
41. Enter your secret pass phrase using a strong password. See Figure 89.
    NOTE: use a strong password. A strong, alphanumeric password must be created with a minimum length of eight characters that includes upper and lower case letters, numbers, and special characters.
42. Click AP-5131 Access to enter the AP-5131 Access menu. See Figure 90.
43. Uncheck the following items from both the LAN and WAN columns, leaving only:
    a. Applet https (Port 443) and SSH (Port 22) secure access methods.
    b. Applet http (Port 80) uncheck
    c. CLI Telnet (Port 23) uncheck
    d. SNMP (Port 161) uncheck
    NOTE: Removing these items will limit the means by which the AP-5131 can be managed. You must use one of these (https or SSH) secure methods to manage the access point for all future management sessions.
Figure 90

44. Set the Applet Timeout for http/s access to 2 Minutes. See Figure 90.
45. Click [Apply]. All future management sessions must be done over a secure connection using https or SSH. For example, instead of typing http://10.0.0.0 to access the AP-5131, you must use https://10.0.0.0
46. Click [Apply] to save your settings.
47. Exit the configuration and proceed with normal network setup.
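One way to confirm the result of steps 43 to 45 from a workstation, as an added example that is not MICROS or Symbol code: it checks that https (443) and SSH (22) answer while http (80) and Telnet (23) do not. The function names and the placeholder address are assumptions, and SNMP (161) is left out because it runs over UDP and a TCP connection test cannot confirm it is disabled.

```python
import socket
import sys

# Expected state of the AP-5131 TCP management services after step 43.
# SNMP (port 161) is UDP and is not covered here; confirm it on the
# AP-5131 Access screen instead.
EXPECTED = {
    443: ("Applet https", True),
    22: ("SSH", True),
    80: ("Applet http", False),
    23: ("CLI Telnet", False),
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_management(host, probe=tcp_open):
    """Compare reachable management ports with the expected state.

    Returns a list of (port, service, problem) tuples; an empty list
    means the TCP management services match the guide.
    """
    findings = []
    for port, (service, should_be_open) in sorted(EXPECTED.items()):
        is_open = probe(host, port)
        if is_open and not should_be_open:
            findings.append((port, service, "insecure service still enabled"))
        elif not is_open and should_be_open:
            findings.append((port, service, "secure service unreachable"))
    return findings


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass the access point's address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = audit_management(target)
    for port, service, problem in results:
        print(f"{target}:{port} {service}: {problem}")
    if not results:
        print(f"{target}: TCP management services match the guide")
```

Because step 43 applies to both the LAN and WAN columns, run the check once from a host on each side of the access point.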
Configuring the Symbol WS2000 Wireless Switch

Criteria:
1. This Wireless Switch must be on a minimum firmware version of 2.2.0.0-021R.
2. The Firewall must be enabled and blocking no MICROS applications

Summary:
This document will explain the steps necessary to connect a Symbol Wireless Switch 2000 for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the WS2000 always be used at a minimum of WPA2-PSK encryption. Certain assumptions are made as this document is for reference only.
Configuring the Symbol WS2000 for use on a MICROS System

1. Read the product warranty information that came with your Symbol WS2000.
2. Gain access to the configuration utility on the WS2000 according to the manufacturer's instructions. This can be done over a Serial cable and HyperTerminal or via Internet Explorer.
3. Once you have gained access to the WS2000 and entered the administrator password, enter the name of this WS2000 in the System Name field. See Figure 91.
4. Click [Apply].
5. Double Click [Network Configuration].
6. Click Lan.
7. Select a Subnet. See Figure 92.

Figure 91
Figure 92

8. Enter the IP information for your network.
9. Click [Apply].
10. Double Click Wireless.
11. Double Click the first SSID. See Figure 93.
12. Enter the ESSID of this Wireless Switch.
13. Check the secure Beacon check box to disable the broadcast beacon.
14. Click Apply.
15. Click the security for this SSID. See Figure 94.
Figure 93
Figure 94
16. Select the wpa2-ccmp (802.11i) radio button.
17. Select the highlighted [WPA2-CCMP Se ] button. See Figure 94.

Figure 95

18. Enter the ASCII Passphrase. See Figure 95.
    NOTE: use a strong password. A strong, alphanumeric password must be created with a minimum length of eight characters that includes upper and lower case letters, numbers, and special characters.
19. Click [OK].
20. Click [Apply].
21. Click Firewall.
22. Make sure the Firewall is Enabled.
23. Create Firewall rules that meet your network requirements.
Configuring the Symbol RFS4000 Wireless Switch

Criteria:
1. This Switch must be on a minimum firmware version of 5.0.3.9-001R.
2. The Firewall must be enabled and blocking all non-MICROS applications.

Summary:
This document will explain the steps necessary to connect a Symbol RFS4000 Wireless Switch for PCI compliance. In this document we use the highest encryption level available to the device. It is recommended that the RFS4000 always be used at a minimum of WPA2-PSK encryption. Certain assumptions are made as this document is for reference only.
Configuring the Symbol RFS4000 for use on a MICROS system

1. Read the product warranty information that came with your Symbol RFS4000.
2. Gain access to the configuration utility on the AP5131 according to the manufacturer's instructions. This can be done over a Serial cable and HyperTerminal or via a Web Browser. If using a web browser, you must use a secure connection of either https or SSH.
3. Once you have gained access to the RFS4000 and entered the administrator password, navigate to the Configuration tab.
4. Select Wireless. On the right side of the screen, all of the Wireless LAN Access Points set up for the switch will be displayed. Click Add.
5. The WLAN setup screen will appear as seen in Figure 96.
   1. Enter a name for this WLAN
   2. Enter the SSID of your Access Point
   3. Uncheck Broadcast SSID
   4. Uncheck Answer Broadcast Probes
   5. Enter the name of the VLAN that this WLAN will be assigned to

Figure 96
6. Click the Security link as seen in Figure 97, and click the EAP radio button for Authentication Type.

Figure 97
7. Leave the default settings for the Captive Portal enforcement policy set to off.
8. Select WPA2-CCMP Encryption type for the highest possible encryption as recommended in PCI Whitepaper V2.0 section 4.4.1. Once the check-box is clicked you will see the Encryption settings below as in Figure 98.
   1. Enter the ASCII Passphrase.
      NOTE: Use a strong alphanumeric password, with a minimum length of eight characters that includes upper and lower case letters, numbers and special characters.

Figure 98
9. Click OK.
10. Click Firewall.
11. Select the Inbound and Outbound IP Firewall rules that apply for your network. You can create new rules or edit the selected ones from this screen by clicking the Create or Edit icons next to the dropdown boxes, as seen in Figure 99.

Figure 99
12. Make sure the Firewall is enabled for the whole device by clicking on Security under the Configuration tab at the top of the screen.
13. Expand the Wireless Firewall selection as seen in Figure 100.

Figure 100

14. Highlight Firewall Policy, select the default policy and click Edit.
15. Make sure the Firewall is set to Enabled.
16. You can add and edit IP Firewall Rules and MAC Firewall Rules as mentioned previously in step 11.
17. Once the Firewall rules have been configured for your network, click the Save button at the top right of the screen.
18. Exit the configuration and proceed with normal network setup.