Implementation Guide for PCI Compliance. Microsoft Dynamics AX 2012 R3




Implementation Guide for PCI Compliance
Microsoft Dynamics AX 2012 R3
April 2014

Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make business decisions with greater confidence. Microsoft Dynamics works like and with familiar Microsoft software, automating and streamlining financial, customer relationship and supply chain processes in a way that helps you drive business success.

U.S. and Canada Toll Free 1-888-477-7989
Worldwide +1-701-281-6500
www.microsoft.com/dynamics

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright 2014 Microsoft. All rights reserved. Microsoft, Microsoft Dynamics, SQL Server, Windows, Windows Server, Windows Vista, and the Microsoft Dynamics Logo are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Table of contents

Introduction
  Get the latest release of this guide
  For more information
Part 1: Setup
  Install the software
  All computers: Maintain security
  All computers: Prepare for monitoring of event logs
  All computers: Set up auditing of file access, object access, and audit policy changes
  Enable auditing of file access, object access, and audit-policy changes
  Audit access to system folders and files
  Required services and protocols
  Communication and database computers: Open the firewall
  Open Windows Firewall on Windows 7, Windows 8, Windows Server 2008, or Windows Server 2012
  Open Windows Firewall on Windows Embedded POSReady 2009
  At the head office: Set up the password policy
  At the head office: Set up database logging
  At the head office: Enable SQL Server trace logging
  Obtain a Payment Services for Microsoft Dynamics ERP subscription
  Partner: In Partner Portal, create a Payment Services account for the retailer
  Retailer: In Customer Portal, set up a merchant account with a payment provider
  Partner: In Partner Portal, activate the payment provider
  Retailer: In Customer Portal, test the payment service
  At the head office: Set up payment processing and hardware devices
  Setup payment processing
  Set up devices in the Retail module
  Configure Terminal ID for specific registers
  Set up payment methods for payment processing
  Enable tender types and card types for specific stores
  Send payment processing changes to the stores
  Test payment processing
  Store computers: Set up the password policy
  Store computers: Set up password-protected screen savers
  Store computers: Turn off System Restore
  Turn off System Restore on Windows 7
  Turn off System Restore on Windows Embedded POSReady 2009
  In Microsoft Dynamics AX, set up Accounts receivable for Payment Services
  In Microsoft Dynamics AX, set up online stores for Payment Services
Part 2: Features that facilitate PCI compliance
  Audit logging
  User names, passwords, and authentication
  Set up a new cashier in Microsoft Dynamics AX
  Data storage and deletion
  Data transmissions
  Flow of payment data in Retail POS
  Flow of payment data in Microsoft Dynamics AX Accounts receivable
  Flow of payment data in a Microsoft Dynamics AX online store
Part 3: Connection limitations
  Internet connections
  Wireless connections
  Remote access
  Non-console administrative access
Part 4: Audit logging
  Monitor Microsoft Dynamics AX activity
  View information about user logon and user logoff
  View the audit trail
  View the SQL Server trace log files
  Monitor Retail POS activity
  Monitor event logs
Part 5: Software updates and support
  Software updates
  Troubleshooting and support
  Support personnel access the customer's desktop
  Support personnel obtain a copy of the store database
  Support personnel travel to the customer's place of business
  Distribution of hotfixes
Appendix A: Version history

Introduction

The requirements in this guide must be followed if you want to implement Microsoft Dynamics AX 2012 and Payment Services for Microsoft Dynamics ERP (the integrated payment solution from Microsoft) in a way that is compliant with the Payment Card Industry (PCI) Data Security Standard version 2.0.

Note: Microsoft Dynamics AX 2012 includes Microsoft Dynamics AX for Retail.

The requirements in this guide represent best practices that should be implemented even if you are not required to comply with the PCI Data Security Standard. This guide is intended for and disseminated to customers, Microsoft Certified Partners, resellers, and integrators who are deploying Microsoft Dynamics AX 2012 in a retail organization where electronic credit card and debit card payments are accepted, and where Microsoft Dynamics AX 2012 is used as the payment application. As a payment application, Microsoft Dynamics AX 2012 is subject to the PCI Payment Application Data Security Standard (PA-DSS). The contents of this guide reflect that standard.

Important: Although this guide is made available to Microsoft customers, some of the steps in the guide are technical and should be completed only by a Microsoft Certified Partner. Implementation by anyone other than a Microsoft Certified Partner could be considered cause for concern by PCI Security Standards Council assessors, and could compromise the security of both cardholder and proprietary information.

Microsoft Dynamics AX 2012 has been validated for PCI compliance only with Payment Services for Microsoft Dynamics ERP, the integrated payment solution from Microsoft. If you intend to use Microsoft Dynamics AX 2012 with another payment solution, you must obtain separate compliance validation.

Get the latest release of this guide

This guide is reviewed annually, whenever a service pack or hotfix for Microsoft Dynamics AX 2012 is released, and whenever an update to one of the Data Security Standards is released. For information about what has changed, see Appendix A: Version history, later in this guide. To obtain the most up-to-date copy of this guide, go to http://go.microsoft.com/fwlink/?linkid=275035.

For more information

To read the full text of the PCI Data Security Standard or the PCI Payment Application Data Security Standard, go to http://www.pcisecuritystandards.org. Microsoft provides training materials to our partners, resellers, and integrators to help implement Microsoft Dynamics AX 2012. For more information, go to Microsoft Dynamics AX.

Part 1: Setup

For PCI compliance, you must complete all the procedures in this part of the guide.

Install the software

To deploy Microsoft Dynamics AX 2012 in a manner that is PCI-compliant, follow the instructions in the Microsoft Dynamics AX 2012 Upgrade Guide, which is available as a download at http://go.microsoft.com/fwlink/?linkid=221465.

Important: For maximum security, Microsoft Dynamics AX 2012 must be installed in the Program Files folder or a location with similar access control protections.

Requirement 8.5.8 of the PCI Data Security Standard specifies that group, shared, and generic accounts (for example, the sa account for access to the database) must be disabled or removed.

All computers: Maintain security

You must install security hotfixes and service packs as soon as they become available. For best results, turn on Automatic Updates.

All computers: Prepare for monitoring of event logs

The event logging capabilities built in to Microsoft Windows help you comply with Requirements 10.2 and 10.3 of the PCI Data Security Standard. Complete the following procedure on all computers to configure the retention period for event logs.

Important: The event logging should not be disabled and doing so will result in non-compliance with PCI DSS.

1. If you are running Windows Embedded POSReady 2009, click Start, click Control Panel, switch to Classic View, double-click Administrative Tools, and then double-click Event Viewer. If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2008, click Start, type Event Viewer in the search box, and then press ENTER.
2. If the Windows Logs folder is available, expand it, right-click Security, and then click Properties.
3. In the Maximum log size field, type 102400.
4. Select Overwrite events as needed, and then click OK.

All computers: Set up auditing of file access, object access, and audit policy changes

All access to PCs, servers, and databases with Microsoft Dynamics AX must be controlled via unique user ID and PCI DSS compliant secure authentication. To audit changes made to the computer's audit policy, and access to log files and system objects, complete both the following procedures on all computers.

Note: In an implementation of Microsoft Dynamics AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the flow or security of cardholder data. Nevertheless, you must complete the procedures in this section to comply with Requirements 10.2 and 10.3 of the PCI Data Security Standard, and to help make organizational data more secure.

For domain computers, work with the domain administrator to ensure that local audit policies are not overwritten by less stringent domain policies. For information about viewing and managing log files, see Part 4: Audit logging, later in this guide.

Enable auditing of file access, object access, and audit-policy changes

1. If you are running Windows Embedded POSReady 2009, click Start, click Control Panel, switch to Classic View, double-click Administrative Tools, and then double-click Local Security Policy. If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2008, click Start, type Local Security Policy in the search box, and then press ENTER.
2. Expand the Local Policies folder, and then click Audit Policy.
3. Double-click Audit account logon events, select both the Success and Failure check boxes, and then click OK.
4. Double-click Audit account management, select both the Success and Failure check boxes, and then click OK.
5. Double-click Audit object access, select both the Success and Failure check boxes, and then click OK.
6. Double-click Audit policy change, select both the Success and Failure check boxes, and then click OK.

Audit access to system folders and files

The following procedure provides steps for turning on folder and file auditing. The folders that you must audit vary by operating system.

For Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2008:
- C:\Windows\System32\winevt\Logs.
- The folder where Microsoft Dynamics AX 2012 is installed (by default, C:\Program Files\Microsoft Dynamics AX or, on a 64-bit computer, C:\Program Files (x86)\microsoft Dynamics AX). See the note in step 8 of the following procedure.
- The Microsoft SQL Server data directory (by default, C:\Program Files\Microsoft SQL Server\<instance name>\mssql\log).

For Windows Embedded POSReady 2009:
- C:\Windows\System32\config.
- The folder where Microsoft Dynamics AX 2012 is installed (by default, C:\Program Files\Microsoft Dynamics AX). See the note in step 8 of the following procedure.
- The SQL Server data directory (by default, C:\Program Files\Microsoft SQL Server\<instance>\MSSQL\Log).

Complete this procedure for each folder in the previous lists.

1. In Windows Explorer, right-click the folder name, and then click Properties.
2. On the Security tab, click Advanced.
   Note: If the Security tab is not available, click Folder Options on the Tools menu, click the View tab, and then clear the Use simple file sharing check box.
3. Click the Auditing tab. If you receive a security message, click Continue.
4. Click Add.
5. In the Enter the object name to select field, type Everyone, and then click Check Names.
6. If the name is valid, click OK.
7. In the Apply onto field, make sure that This folder, subfolders and files is selected.
8. In the Access list, select both the Successful and Failed check boxes for the following privileges, and then click OK:
   - Create files/write data
   - Create folders/append data
   - Delete subfolders and files
   - Delete
   - Read permissions
   - Change permissions
   Note: Do not enable Read permissions for the folder where Microsoft Dynamics AX for Retail POS is installed (by default, C:\Program Files\Microsoft Dynamics AX\60\Retail POS).
9. If the previous settings provide more auditing than is otherwise set up for the folder, select the Replace all existing inheritable auditing entries check box, and then click OK.
10. Click OK in the remaining dialog boxes.

Required services and protocols

The following table lists the services and protocols that are required by Microsoft Dynamics AX for Retail and its components.

Retail components Retail Headquarters Required services and protocols Microsoft Dynamics AX Commerce Data Exchange: Async Server Internet Information Services SQL Server (Default port: 1433) Commerce Data Exchange: Synch Service Windows Sockets Internet Protocol security (IPsec) (Default port: 16750) SQL Server (Default port: 1433) Microsoft Dynamics AX .NET Business Connector (BC.NET) Commerce Data Exchange: Real-time Service Internet Information Services Business Connector (BC.NET) Commerce Data Exchange: Real-time Service Microsoft .NET Remoting (Default port: 1239) Retail POS Internet Information Services .NET Business Connector (BC.NET) SQL Server (Default port: 1433) Retail POS Offline Sync Service Microsoft Sync Framework 2.1 Retail POS Database Utility SQL Server (Default port: 1433)

Communication and database computers: Open the firewall

To establish communications between computers in the organization, open the firewall on any communications server and on store database computers, as described in the following table.

Type of computer Open the firewall to these programs Head office communications server Commerce Data Exchange: Synch Service Commerce Data Exchange: Real-time Service Store communications server SQL Server, to enable connections to the message database Store database server Store register with its own local database Commerce Data Exchange: Synch Service SQL Server SQL Server, but only if Commerce Data Exchange: Synch Service is on a different computer

Note: Instead of opening the firewall to Commerce Data Exchange: Synch Service and Commerce Data Exchange: Real-time Service, you might prefer to open the firewall to the TCP ports used by these programs. In this case, you must know the port numbers that you specified when you deployed the services. By default, the port numbers are 1433 for SQL Server, 16750 for Commerce Data Exchange: Synch Service, and 1239 for Commerce Data Exchange: Real-time Service. If you are using multiple instances of Commerce Data Exchange: Synch Service on a single computer, we recommend that you open the firewall to specific port numbers instead.

Depending on the settings of your firewall, you might also need to open the firewall to outbound traffic on client and register computers. To determine whether this is necessary, consult your network administrator. The instructions in the rest of this section are for Windows Firewall. If you are using another firewall, see the firewall documentation for more information.

Open Windows Firewall on Windows 7, Windows 8, Windows 8.1, Windows Server 2008, or Windows Server 2012

To open Windows Firewall to a program on Windows 7, Windows 8, Windows 8.1, Windows Server 2008, or Windows Server 2012, use the New Rule Wizard to create a rule that manages the connections that the allowed program can receive. You can use the default settings for each rule, but you must provide the path of the program and a name for the rule.

Program | Typical program path | Suggested rule name
SQL Server | C:\Program Files\Microsoft SQL Server\<instance name>\mssql\binn\sqlservr.exe | SQL Server <instance name>
Commerce Data Exchange: Async Server (if installed) | C:\Program Files (x86)\microsoft Dynamics AX\60\CDX\Async Server | Commerce Data Exchange Async Server
Commerce Data Exchange: Real-time Service (if installed) | C:\Program Files (x86)\microsoft Dynamics AX\60\CDX\Real-time Services | Commerce Data Exchange Real-time Service

Note: On a 64-bit operating system, Commerce Data Exchange: Async Server and Commerce Data Exchange: Real-time Service are in the Program Files (x86) folder path instead.

1. Log on to the computer as a Windows Administrator.
2. Click Start, type wf.msc in the search box, and then press ENTER.
3. Click Inbound Rules.
4. To create a new rule, click New Rule, select Program, and then complete the New Inbound Rule Wizard.
5. Repeat step 4 for the other programs that should be allowed through the firewall.
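The settings made in the procedures up to this point on Windows 7, Windows Server 2008, or later (Security log size and retention, the four audit policy categories, the folder auditing entries for Everyone, and the inbound firewall rules) can be verified with a read-only script. This is an added example, not part of the Microsoft guide; it assumes an elevated Windows PowerShell prompt and English-language Windows, and the parameter names and default folder list are illustrative choices.

```powershell
# Added example (not from the guide): read-only check of the Part 1 host settings.
# Assumptions: Windows 7 / Windows Server 2008 or later, elevated Windows PowerShell,
# English-language Windows (auditpol prints localized category and setting names).
param(
    # Folders to check. Append the SQL Server log directory for your instance.
    [string[]]$AuditFolders = @(
        'C:\Windows\System32\winevt\Logs',
        'C:\Program Files\Microsoft Dynamics AX'
    ),
    # Folders exempt from auditing "Read permissions" (note in step 8 of the folder procedure).
    [string[]]$NoReadPermissionsAudit = @('C:\Program Files\Microsoft Dynamics AX\60\Retail POS'),
    # Full paths of the executables that should have an inbound allow rule.
    [string[]]$FirewallPrograms = @()
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Security log: maximum size 102400 KB, "Overwrite events as needed" (Circular mode).
#    A larger maximum size is accepted here; that tolerance is this example's assumption.
$log = Get-WinEvent -ListLog Security
if ($log.MaximumSizeInBytes -lt 102400KB) {
    $findings.Add("Security log maximum size is $($log.MaximumSizeInBytes / 1KB) KB, expected 102400 KB")
}
if ($log.LogMode -ne 'Circular') {
    $findings.Add("Security log mode is $($log.LogMode), expected Circular (overwrite as needed)")
}

# 2. Audit policy: every subcategory of the four categories should report Success and Failure.
foreach ($category in 'Account Logon', 'Account Management', 'Object Access', 'Policy Change') {
    # /r prints CSV; blank lines are dropped before parsing.
    $rows = auditpol.exe /get "/category:$category" /r | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        if ($setting -ne 'Success and Failure') {
            $findings.Add("Audit policy $category / $($row.Subcategory) is '$setting'")
        }
    }
}

# 3. Folder auditing: Everyone (SID S-1-1-0), applied to this folder, subfolders and files.
$required = [int][System.Security.AccessControl.FileSystemRights]('CreateFiles, CreateDirectories, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ReadPermissions, ChangePermissions')
$readPermissions = [int][System.Security.AccessControl.FileSystemRights]::ReadPermissions
foreach ($folder in $AuditFolders) {
    if (-not (Test-Path -Path $folder -PathType Container)) {
        $findings.Add("Folder not found, check the path: $folder")
        continue
    }
    $need = $required
    if ($NoReadPermissionsAudit -contains $folder) { $need = $need -band (-bnot $readPermissions) }
    $acl = Get-Acl -Path $folder -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($flag in 'Success', 'Failure') {
        $have = 0
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
                $rule.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
                $rule.PropagationFlags -eq 'None' -and
                ($rule.AuditFlags -band [System.Security.AccessControl.AuditFlags]$flag)) {
                $have = $have -bor [int]$rule.FileSystemRights
            }
        }
        $missing = $need -band (-bnot $have)
        if ($missing) {
            $names = [System.Security.AccessControl.FileSystemRights]$missing
            $findings.Add("$folder : $flag auditing for Everyone lacks $names")
        }
    }
}

# 4. Firewall: each listed program has an enabled inbound allow rule scoped to that program.
if ($FirewallPrograms) {
    # In the Windows Firewall COM API, Direction 1 is inbound and Action 1 is allow.
    $inboundAllow = @((New-Object -ComObject HNetCfg.FwPolicy2).Rules |
        Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 })
    foreach ($program in $FirewallPrograms) {
        $match = $inboundAllow | Where-Object {
            $_.ApplicationName -and
            [Environment]::ExpandEnvironmentVariables($_.ApplicationName) -eq $program
        }
        if (-not $match) { $findings.Add("No enabled inbound allow rule for program: $program") }
    }
}

if ($findings.Count -eq 0) { 'All checked settings match the guide.' } else { $findings }
```

The SQL Server log directory and the program paths are not defaulted because the guide gives them with an <instance name> placeholder; pass the real paths for your deployment through -AuditFolders and -FirewallPrograms.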

Open Windows Firewall on Windows Embedded POSReady 2009

1. Log on to the computer as a Windows Administrator.
2. Click Start, and then click Control Panel.
3. If necessary, switch to Classic View, and then double-click Windows Firewall.
4. On the Exceptions tab, click Add Program.
5. In the Programs list, select the program, and then click OK.
6. Repeat steps 4 and 5 for the other programs that should be allowed through the firewall, and then click OK.

At the head office: Set up the password policy

Requirement 8.5.8 of the PCI Data Security Standard specifies that group, shared, and generic accounts must not be used, and provides test procedures for verifying this. Requirements 8.5.9 through 8.5.14 specify password and account security regulations for people with administrative access to the payment application. To comply with these requirements, contact the domain administrator to establish group policies for the domain that meet the minimum requirements described in the following table.

Policy | Security setting
Enforce password history | 4 passwords remembered
Maximum password age | 90 days
Minimum password length | 7 characters
Password must meet complexity requirements | Enabled
Account lockout duration | 30 minutes
Account lockout threshold | 6 invalid logon attempts

Note: Users of Microsoft Dynamics AX 2012 are subject to Active Directory Domain Services security policies. Therefore, users of Microsoft Dynamics AX are subject to the same password policy as domain users. Installing Microsoft Dynamics AX 2012 on a computer that is not part of the domain is not supported.

These policies represent the minimum requirements of Requirements 8.5.9 through 8.5.14. More stringent settings can be used. For more information about managing password policy via group policies, see "Working with Group Policy objects" at http://technet.microsoft.com/en-us/library/cc731212.aspx.

At the head office: Set up database logging

By modifying the audit trail in Microsoft Dynamics AX 2012, you can enable logging of the following events in the head office database:

- Changes to the audit trail settings. These settings are stored in the DATABASELOG table for the head office and in the RetailFunctionalityProfile table for Retail POS.
- Changes to the payment processing configuration. These settings are stored in the RetailHardwareProfile table for both the head office and Retail POS.
- The creation, deletion, or modification of cashier user accounts and permissions. These settings are stored in the RetailStaffPermissionGroup table for the head office and in the RetailStaffTable table for Retail POS.

Note: Although the logging of activity in the head-office database is related to Requirements 10.2 and 10.3 of the PCI Data Security Standard, it is beyond the scope of the PCI requirements because, in an implementation of Microsoft Dynamics AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the security of cardholder data. Therefore, the following procedure is included in this guide as an optional best practice that helps make organizational data more secure.

1. To set up logging in the head office database, click System administration > Setup > Database > Database log setup.
2. Create the following new entries by following the wizard.

   Table name | Actual system name
   POS functionality profile | RetailFunctionalityProfile
   POS hardware profiles | RetailHardwareProfile
   Component Item ID | RetailStaffLoginLog
   Staff permission group | RetailStaffPermissionGroup
   Staff | RetailStaffTable
   Audit trail setup | SysDatabaseLogTableSetup

3. Click System administration > Setup > Licensing > Licensing configuration.
4. Under Administration, select the Electronic signature check box, and then click OK. If you are prompted to synchronize tables, click Yes.

Note: This procedure sets up logging on Insert, Delete, Update, and RenameKey actions. To view or modify this setup, click System administration > Setup > Database > Database log setup.

For each change to one of these tables, Microsoft Dynamics AX records the user who performed the action, the table that was modified, the action that was taken, the attribute that was changed, the time and date of the action, and the ID of the record that was modified or added. For each Update action, it also records both the previous and new settings.

By default, any user who has database access can query a database log by using .NET Business Connector, X++, or alerts, or by using direct database access. To protect data, restrict permissions on the SysDatabaseLog table. For more information, see "Manage table and field access" at http://technet.microsoft.com/en-us/library/aa834466.aspx and "Table Properties" at http://msdn.microsoft.com/en-us/library/aa871620.aspx. For information about viewing logged actions, see Monitor Microsoft Dynamics AX activity, later in this guide.

At the head office: Enable SQL Server trace logging

To monitor access to the audit log, enable SQL Server trace logging by using the AxRetailTrace.sql file.

Note: AxRetailTrace.sql is included in the Microsoft Dynamics AX 2012 download package and can be found in the RetailSecurityGroups subfolder of the folder where you extracted the installation files.

Although this procedure is related to Requirements 10.2 and 10.3 of the PCI Data Security Standard, it is beyond the scope of the PCI requirements because, in an implementation of Microsoft Dynamics AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the security of cardholder data. Therefore, the following procedure is included in this guide as an optional best practice that helps make organizational data more secure.

1. Copy AxRetailTrace.sql to the computer where the head office database is located.
2. Open SQL Server Management Studio, and connect to the instance of SQL Server that is used in the Microsoft Dynamics AX deployment.
3. On the File menu, point to Open, click File, browse to and select the .sql file, and then click OK.
4. Click Execute.

Note: The trace log files are located in the Log directory for the instance. SQL Server trace log files have a maximum size of 100 MB. When the size of a log file exceeds this limit, a new log file is created by using a date-based numbering scheme. For information about viewing and managing log files, see Part 4: Audit logging, later in this guide.

A commented section at the end of the AxRetailTrace.sql script file contains the code for performing several operations related to trace logging. These include manually starting and stopping the trace, viewing the contents of the Microsoft Dynamics AX log tables, viewing the trace detail, and disabling the automatic start of tracing. To complete one of these operations, copy the code for the operation into a new query file, modify the script as described in the comments, and then click Execute.

Obtain a Payment Services for Microsoft Dynamics ERP subscription

You can configure Microsoft Dynamics AX with Payment Services for Microsoft Dynamics ERP to process credit card and debit card transactions at retail point-of-sale (POS) registers, in online stores, and in the Accounts receivable module in Microsoft Dynamics AX. Payment Services accepts a variety of payment types, and you can choose from several payment providers.

The prcess fr setting up Payment Services includes the fllwing steps, sme perfrmed by the retailer and thers by the Micrsft Dynamics AX partner. The steps are perfrmed in this rder: 1. Partner: In Partner Prtal, create a Payment Services accunt fr the retailer. 2. Retailer: In Custmer Prtal, set up a merchant accunt with a payment prvider. 3. Partner: In Partner Prtal, activate the payment prvider. 4. Retailer: In Custmer Prtal, test the payment service. Nte When wrking with payments accunts fr custmers, partners must use the custmer's Micrsft accunt, rather their wn Micrsft accunt. Partner: In Partner Prtal, create a Payment Services accunt fr the retailer 1. Sign in t Partner Prtal by using yur Micrsft accunt email address and passwrd. 2. Click Custmer List, and then click New Custmer t add the retailer. 3. Select the retailer in the list, click Add Service, and then create a Payment Services accunt fr the retailer. 4. In the Add Service frm, in the Purpse f accunt field, select Prductin. 5. Click Service List, select the payment service that yu created in step 3, and then click Send Activatin t send an invitatin t the retailer. The retailer receives this invitatin by email. Retailer: In Custmer Prtal, set up a merchant accunt with a payment prvider 1. In the invitatin email message frm yur Micrsft Dynamics AX partner, click the invitatin link t Payment Services, and then sign in with yur Micrsft accunt email address and passwrd. 2. Under Payment settings, click Payment prviders. 3. Cmpare the payment prviders, read their terms, and then click Sign up nw fr the prvider that yu want. If yu select First Data (EMPS), yur cntact infrmatin is autmatically sent t First Data Merchant Services (FDMS). FDMS will cntact yu t prcess the applicatin. If yu select CyberSurce, yur cntact infrmatin is autmatically sent t CyberSurce. CyberSurce will cntact yu t prcess the applicatin. If yu select anther prvider, fllw the prvider s instructins t submit an applicatin. 4. 
Sign in t Custmer Prtal by using yur Micrsft accunt email address and passwrd. 5. Click Service list, select the check bx fr the payment service, and then click Change Partner. 6. In the Change supprt partner frm, select the partner in the list, select the Grant service access t the selected partner check bx, and then click Change Partner. Implementatin Guide fr PCI Cmpliance Part 1: Setup 10

Note: If you do not find your partner in the list, tell your partner to register as a partner for online services for Microsoft Dynamics ERP. For more information, see the Partner Portal Provisioning Guide.

7. Sign out of Customer Portal.

The payment provider will contact you to process your application and set up a merchant account for you. The process of setting up a merchant account typically includes performing a credit check, discussing terms of service, and signing a contract with the payment provider. This might take several days. This process does not involve any action in Microsoft Dynamics AX.

After your merchant account is set up with the payment provider, the payment provider provides the settings for the merchant account to you. Provide the settings for the merchant account to your Microsoft Dynamics AX partner.

Partner: In Partner Portal, activate the payment provider

1. Sign in to Partner Portal by using your Microsoft account email address and password.
2. In the Customer list, select the customer, and then click the link in the Services column.
3. Select the service, and then click Open Service.
4. Under Payment Settings, click Payment Methods.
5. Under Payment Provider Accounts, select an account, and then under Actions, click Activate. The Payment Services website displays the Payment Provider Account Activation form.
6. Depending on the payment provider, do one of the following:

First Data

Use the following guidelines to enter the merchant account information that you received from the retailer and the payment provider, and then click Activate.

- AcquirerBin: Enter the acquirer BIN (Bank Identification Number).
- AgentBankNumber: Enter the agent number.
- AgentChainNumber: Enter the chain number.
- City: Enter the city of the merchant.
- Country / Region Code: Enter the three-letter country code, such as USA or CAN.
- Email: Enter the email address that was provided to the payment provider.
- LanguageCode: Enter the two-letter language code, such as 00 for US English.
- LocationNumber: Enter the location number.
- MerchantAbaNumber: If a value is not provided by the payment provider, leave this field blank.
- MerchantCategoryCode: Enter the merchant category, also known as the SIC (Standard Industry Code). This is provided by the payment provider.
- MerchantId: Enter the merchant number.
- MerchantName: Enter the name of the merchant.
- Postal Code: Enter the postal code of the merchant.
- Reimbursement: If a value is not provided by the payment provider, leave the field blank.
- ServicePhoneNumber: Enter 8884777877.
- SettlementAgentNumber: If a value is not provided by the payment provider, leave the field blank.
- SharingGroup: If a value is not provided by the payment provider, leave the field blank.
- MerchantState: Enter the state or province of the merchant, such as WA for Washington.
- StoreNumber: Enter the store number.
- Street Address: Enter the street address of the merchant.
- TerminalId: Enter the terminal number of the merchant.
- VNumber: Enter the V number. The V number is seven digits and starts with 7.

First Data/Express Merchant Processing Solutions (EMPS)

Use the following guidelines to enter the merchant account information that you received from the retailer and the payment provider, and then click Activate.

- DOPSIdentifier: Enter DOPSIdentifier.
- DOPSPassword: Enter DOPSPassword.
- MerchantCategoryCode: Enter the merchant category code, which is also called the MCC code. This is provided by the payment provider.
- MerchantCity: Enter the city of the merchant.
- MerchantCountryCode: Enter the two-letter country code, such as US or CA.
- MerchantId: Enter the merchant ID. If there are two merchant IDs, do not enter Nashville MID.
- MerchantName: Enter the name of the merchant.
- MerchantPostalCode: Enter the postal code of the merchant.
- MerchantStateOrProvince: Enter the state or province of the merchant.
- MerchantStatus: Enter 1.
- MerchantStreetAddress: Enter the street address of the merchant.
- ServicePhoneNumber: Enter 8884777877.
- StoreNumber: If a value is not provided by the payment provider, leave this field blank.
- TerminalId: Enter the terminal ID of the merchant.

CyberSource

Use the following guidelines to enter the merchant account information that you received from the retailer and the payment provider, and then click Activate.

- MerchantId: If a value is not provided by the payment provider, enter MerchantId.
- RawProvisionData: Enter any value, such as 123abc.

Note: You must have two CyberSource accounts; one for transactions in which the card is present and one for transactions in which the card is not present. Both accounts need to be activated in the CyberSource live environment.

PayPal

No action is needed. A merchant account is activated automatically after it is created and activated by the payment provider.

7. Under Accepted Payment Methods, select the payment provider to use for each payment method.
8. Click Save and Close.

Retailer: In Customer Portal, test the payment service

1. Sign in to Customer Portal by using your Microsoft account email address and password.
2. Click Dashboard, and then click the Payment Services account.
3. Under Places, click Manage payments, and then click New Payment.
4. Under Card Information, enter the required information, including a minimum payment amount, such as $1.00.
5. Under Billing Address, enter the required information, and then click Process Payment.
6. Repeat steps 3 through 5 for each type of credit card that you accept in your stores.
7. Sign out of Customer Portal.
8. Contact the payment provider for each test transaction and make sure that the transactions are processed correctly. Also check that the correct transaction fees are assessed, as specified in your payment provider agreement.
9. Sign in to Customer Portal, click Dashboard, and then click the same Payment Services account as in step 2.
10. Under Places, click Manage payments, and then select and refund each of the test transactions.

At the head office: Set up payment processing and hardware devices for stores

In Microsoft Dynamics AX 2012, the only time that store employees have access to card numbers is at the time of sale, when the cashier swipes the card. Payment information is sent directly from Retail POS to the processor at that time, and transactions are settled immediately. Payment information in the Microsoft Dynamics AX 2012 database is limited to the customer's name, the payment amount, the card type, and the last four digits of the card number. The entire primary account number (PAN) is never stored.

Set up payment processing

After auditing and other security measures are in place, the store can begin accepting card payments. To do this, complete the following steps:

1. Obtain a Payment Services for Microsoft Dynamics ERP subscription, and associate it with the retail organization's merchant account. For more information about Payment Services for Microsoft Dynamics ERP, go to http://go.microsoft.com/fwlink/?linkid=188806.
2. Click Retail > Setup > POS > Profiles > Hardware profiles, and then in the left pane, select the hardware profile for the store.
3. On the EFT service FastTab, in the EFT service field, select Payment Connector.
4. In the Merchant account ID field, enter the merchant account ID that you received from the payment provider.
5. In the Service account ID field, enter the service account ID that you received from the payment provider.
6. In the Microsoft account field, enter the Microsoft account email address. This must be the same Microsoft account that was used to set up the merchant account on Customer Portal.
7. In the Microsoft account password field, enter the password for the Microsoft account.
8. In the Supported currencies field, enter currency codes for the currencies that are supported by the payment service. Separate the currency codes by semicolons without spaces. For example, enter USD;CAD.
9. In the Supported payment methods field, enter the payment methods that are accepted by the payment service. Separate the payment methods by semicolons without spaces. For example, enter Visa;AmericanExpress;Debit.
10. Copy the contents of the Public key field.
11. Sign in to Customer Portal by using your Microsoft account email address and password.
12. Under Organization settings, click User management, and then in the New group, click System User.
13. In the Public key field, enter the public key that you copied in step 10, and then click Save.
14. In the User management list, click the first name or the last name of the system user that you created in step 13, and then click Edit.
15. Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button to add the role to the Selected Roles list, and then click Save.
16. Sign out of Customer Portal.
17. Associate a hardware profile with each register to enable payment processing and to select devices. For more information, see Set up devices in the Retail module.
18. Set up payment methods to use payment processing. For more information, see Set up payment methods for payment processing.
19. Enable one or more payment processing tender types for each store. For more information, see Enable tender types and card types for specific stores.
20. Turn on payment processing at stores by running scheduled jobs. For more information, see Send payment processing changes to the stores.
21. Configure Accounts receivable for payment processing to support customer orders. For more information, see In Microsoft Dynamics AX, set up Accounts receivable for Payment Services.

Note: These steps are not specifically required for PCI compliance. However, if these steps are skipped, the store cannot use Microsoft Dynamics AX 2012 to process the payments that are subject to the PCI Data Security Standard. The steps are described in more detail later in this section.

By using Payment Services for Microsoft Dynamics ERP, you can easily and securely accept and process credit and debit card payments in your applications, online, from the head office, and in your stores. The PCI-certified service lets you choose from a number of payment providers, and seamlessly incorporates multiple payment options without the need for additional software or integration.

As Microsoft Dynamics AX 2012 is shipped in the United States and Canada, the only processor that it communicates with is Payment Services for Microsoft Dynamics ERP. This communication is configured in the Retail module, and then the settings are sent down to the stores. During authorization and settlement, these settings are used to identify the organization's subscription and its associated merchant account. No cardholder data is included.

Important: Microsoft Dynamics AX 2012 has been validated for PCI compliance only with Payment Services for Microsoft Dynamics ERP. If you intend to use Microsoft Dynamics AX 2012 with another payment solution, you must obtain separate compliance validation.

Set up devices in the Retail module

You must obtain the actual device names from the store to complete this procedure. Device names can be viewed on the register by viewing the appropriate device class (MSR, PINPad, or POSPrinter) in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\OLEforRetail\ServiceOPOS

1. Click Retail > Setup > POS > Profiles > Hardware profiles.
2. In the list, select the correct profile.
3. Configure hardware devices, such as receipt printers, MSRs (magnetic stripe readers), and PIN (personal identification number) pad devices. On the tab for each device, in the Device name field, type the appropriate device name. A description for the device is optional.

Note: You must use the same device names in the hardware profile that you use when you configure the actual devices on each terminal. If you have registers where payment processing will not take place, consider using a hardware profile that does not have payment processing configured. You must create a separate hardware profile for each combination of devices used at the stores. Similarly, if like devices are named differently on different registers or at different stores, you must create additional hardware profiles.

Configure Terminal ID for specific registers

To enable payment processing and select devices, associate the hardware profile with each register.

1. Click Retail > Setup > POS > POS Registers.
2. Double-click the register to modify.
3. On the General tab, in the Hardware profile field, select the appropriate profile. Then, in the EFT POS register number field, type one of the terminal IDs that you received from the payment provider.

Note: Some payment providers refer to EFT POS register numbers as terminal IDs. In Retail POS, terminal ID refers to the terminal number shown on the General tab. The terminal number and the EFT POS register number do not have to match, but both numbers must be unique for each terminal.

4. Repeat steps 2 and 3 for other registers. When you have finished associating hardware profiles with registers, close the form.

Set up payment methods for payment processing

Payment methods are the types of tender accepted by the store (in this case, credit cards and debit cards). Card types are the specific credit cards accepted for a card tender type. For more information about the steps in this procedure, see Microsoft Dynamics AX 2012 Help.

1. Click Retail > Setup > Payment methods > Payment methods.
2. On the toolbar, click New.
3. In the new row, type a unique number and description for the new payment method. Then, in the Default function column, click the arrow, and select Card.
4. Close the form.
5. Click Retail > Setup > Payment methods > Card types.
6. On the toolbar, click New.
7. In the new row, type a unique ID and name for the new card type. Then, in the Card types column, click the arrow, and select the appropriate option.
8. While the new row is still selected, click Card number.
9. Create a verification mask for the card type by entering the range of digits that all cards of this type begin with. For example, Visa card numbers begin with 4, so you could verify that cards accepted as the Visa card type are really Visa cards by creating a mask of 4.
10. Close the Card number form.
11. Close the Card type form.

Enable tender types and card types for specific stores

1. Click Retail > Common > Retail channels > Retail stores.
2. Select a store, and then, on the Setup tab, click Payment methods.
3. On the toolbar, click New, and then, on the General tab, in the Payment method field, select a payment method. The information for the selected payment method is filled in automatically.
4. While the new payment method row is still selected, click Card setup.
5. On the toolbar, click New, and then, in the Card ID field, select the card type for this payment method.
6. Select the new card setup, and then, on the General tab, select the Check expiration date check box.
7. Close the Card setup form.
8. Close the Payment method form.
9. Repeat steps 3 through 8 for any other payment methods for this store.

Send payment processing changes to the stores

Payment processing changes do not take effect until the associated scheduled jobs are run and the information included in the jobs is sent down to the stores. This procedure describes how to run the jobs manually.

1. Click Retail > Periodic > Data distribution > Create actions. The preactions that were generated when you changed the payment processing settings are converted into actions, or jobs.
2. Click Retail > Periodic > Data distribution > Distribution schedule.
3. To send down the payment processing and device settings in the hardware profile, select the 1090 Registers job, and then click Run directly.
4. To send down the payment methods, card types, and card numbers, select the 1070 Stores and tenders job, and then click Run scheduler job directly.

Test payment processing

You can test payment processing by processing card transactions in test mode.

1. In a register or store database, in the POSHARDWAREPROFILE table, change the value in the EFTTESTMODE column to 1.
2. Process a card transaction.
3. Verify that the transaction went through by visiting the Payment Services payment portal at https://payments.dynamicsonline.com/home/dashboard.aspx.

Note: You can test payment processing only if Retail POS is running in production mode.

Store computers: Set up the password policy

Requirements 8.5.9 through 8.5.14 of the PCI Data Security Standard specify password and account security regulations for people with access to the payment application. To comply with these requirements, the password policy on each store computer where Retail POS is installed must meet the minimum requirements described in the following table.

| Policy | Security setting |
| --- | --- |
| Enforce password history | 4 passwords remembered |
| Maximum password age | 90 days |
| Minimum password length | 7 characters |
| Password must meet complexity requirements | Enabled |
| Account lockout duration | 30 minutes |
| Account lockout threshold | 6 invalid logon attempts |
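One way to check a store computer against the minimums in the table above is to export its local policy with `secedit /export /cfg policy.inf /areas SECURITYPOLICY` and audit the `[System Access]` section. The following is an added example, not part of the guide or of Microsoft Dynamics AX; the function names and the two sample exports are constructed, and the meaning of the `-1` values is an assumption noted in the comments.

```python
# Added example: audit a secedit export against the guide's minimum
# password and lockout settings (Requirements 8.5.9 through 8.5.14).

# (policy name in the guide's table, [System Access] key, check, minimum)
# Assumed export conventions: MaximumPasswordAge = -1 means "never expires",
# LockoutDuration = -1 means "locked until an administrator unlocks", and
# LockoutDuration is absent from the file while LockoutBadCount is 0.
REQUIREMENTS = [
    ("Enforce password history", "PasswordHistorySize",
     lambda v: v >= 4, "4 passwords remembered"),
    ("Maximum password age", "MaximumPasswordAge",
     lambda v: 1 <= v <= 90, "90 days"),
    ("Minimum password length", "MinimumPasswordLength",
     lambda v: v >= 7, "7 characters"),
    ("Password must meet complexity requirements", "PasswordComplexity",
     lambda v: v == 1, "Enabled"),
    ("Account lockout duration", "LockoutDuration",
     lambda v: v >= 30 or v == -1, "30 minutes"),
    ("Account lockout threshold", "LockoutBadCount",
     lambda v: 1 <= v <= 6, "6 invalid logon attempts"),
]


def parse_system_access(inf_text):
    """Return the integer settings found in the [System Access] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            key, _, val = line.partition("=")
            try:
                values[key.strip()] = int(val.strip())
            except ValueError:
                pass  # quoted string settings are not part of this audit
    return values


def audit(inf_text):
    """Return (policy, minimum, actual, ok) for each row of the table."""
    values = parse_system_access(inf_text)
    results = []
    for policy, key, check, minimum in REQUIREMENTS:
        actual = values.get(key)  # None when the key is missing
        ok = actual is not None and check(actual)
        results.append((policy, minimum, actual, ok))
    return results


def failing(inf_text):
    """Names of the policies that do not meet the guide's minimums."""
    return [policy for policy, _, _, ok in audit(inf_text) if not ok]


def load_export(path):
    # Assumption: secedit writes the export as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample: settings as they might look on an unhardened register.
WEAK_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
"""

# Constructed sample: exactly the minimums from the table.
COMPLIANT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 6
ResetLockoutCount = 30
LockoutDuration = 30
"""

if __name__ == "__main__":
    for policy, minimum, actual, ok in audit(WEAK_EXPORT):
        print(f"{'PASS' if ok else 'FAIL'}  {policy}: {actual} (minimum: {minimum})")
```

A missing `LockoutDuration` is reported as a failure because the lockout threshold is disabled in that case, so both lockout rows fail together.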

Note: These policies represent the minimum requirements of Requirements 8.5.9 through 8.5.14. More stringent settings can be used.

For more information about setting up a Windows account for each store user, see the Microsoft Dynamics AX 2012 Upgrade Guide, which is available as a download at http://go.microsoft.com/fwlink/?linkid=221465.

1. If you are running Windows Embedded POSReady 2009, click Start, click Control Panel, switch to Classic View, double-click Administrative Tools, and then double-click Local Security Policy. If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server 2008, or Windows Server 2012, click Start, type Local Security Policy in the search box, and then press ENTER.
2. Expand Account Policies, and then click Password Policy.
3. To modify a policy, right-click the policy, and then click Properties.
4. Click Account Lockout Policy.
5. To modify a policy, right-click the policy, and then click Properties.

Store computers: Set up password-protected screen savers

At each register, set up a screen saver that appears when the register is idle, and that requires the password for the cashier's Windows user account to be entered before access to Retail POS is regained.

1. In the C:\Windows\System32 folder, locate the screen saver (.scr) file to use.
2. If you are running Windows Embedded POSReady 2009, click Start, click Run, type mmc, and then click OK. If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server 2008, or Windows Server 2012, click Start, type mmc in the search box, and then press ENTER.
3. On the File menu, click Add/Remove Snap-in, and then, if you are running Windows Embedded POSReady 2009, click Add.
4. Select Group Policy Object Editor, click Add, click Finish, and then click Close or OK.
5. Expand Local Computer Policy, expand User Configuration, expand Administrative Templates, expand Control Panel, and then click Personalization (on Windows 7) or Display (on other operating systems).
6. Double-click Force specific screen saver (on Windows 7) or Screen Saver executable name (on other operating systems), select Enabled, type the path and name of the screen saver (.scr) file that you selected in step 1, and then click OK.
7. Double-click Password protect the screen saver, select Enabled, and then click OK.
8. Double-click Screen Saver timeout, select Enabled, type 900 or a smaller value, and then click OK.

Note: Completing this procedure on each computer in the store helps satisfy Requirement 8.5.15 of the PCI Data Security Standard. According to this requirement, 900 seconds (15 minutes) is the maximum time that the register can be idle without locking. You can specify a shorter time if you prefer.

Store computers: Turn off System Restore

System Restore is a Windows feature that restores your computer's system files to the state they were in at an earlier time. The restore points saved by this feature are not considered secure by the PCI Security Standards Council.

Note: System Restore is not available on Windows Server 2008.

Turn off System Restore on Windows 7

1. On the Start menu, right-click Computer, and then click Properties.
2. Click System protection.
3. Select the C: drive, click Configure, select Turn off system protection, and then click OK.

Turn off System Restore on Windows Embedded POSReady 2009

1. On the Start menu, right-click My Computer, and then click Properties.
2. On the System Restore tab, select the Turn off System Restore check box, and then click OK.

In Microsoft Dynamics AX, set up Accounts receivable for Payment Services

1. Click Accounts receivable > Setup > Payment > Payment services.
2. In the Payment services form, click New, and then in the Payment service field, enter a name for the payment service.
3. In the Payment connector field, select Dynamics Payment Connector.
4. Under Payment service account, enter the following information:
   - In the Merchant account ID field, enter the merchant account ID that you received from the payment provider.
   - In the Service account ID field, enter the service account ID that you received from the payment provider.
   - In the Microsoft account field, enter the Microsoft account email address. This must be the same Microsoft account that was used to set up the merchant account on Customer Portal.
   - In the Microsoft account password field, enter the password for the Microsoft account.
   - In the Supported currencies field, enter currency codes for the currencies that are supported by the payment service. Separate the currency codes by semicolons, without using spaces. For example, enter USD;CAD.
   - In the Supported payment methods field, enter the payment methods that are accepted by the payment service. Separate the payment methods by semicolons without spaces. For example, enter Visa;AmericanExpress;Debit.

   Note: Information is entered automatically in the Assembly name, Environment, Portal URL, and Public key fields. The public key is automatically generated by Microsoft Dynamics AX to encrypt the data that is sent to the payment service.
5. Copy the contents of the Public key field.
6. Sign in to Customer Portal by using your Microsoft account email address and password.
7. Under Organization settings, click User management, and then in the New group, click System User.
8. In the Public key field, enter the public key that you copied in step 5, and then click Save.
9. In the User management list, click the first name or the last name of the system user that you created in step 8, and then click Edit.
10. Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button to add the role to the Selected Roles list, and then click Save.
11. Sign out of Customer Portal.
12. In Microsoft Dynamics AX, in the Payment services form, click Validate. Microsoft Dynamics AX confirms that the validation is successful.
13. Click Credit card types, and then add all the credit cards that you accept.

In Microsoft Dynamics AX, set up online stores for Payment Services

1. Click Retail > Retail channels > Online stores.
2. Select an online store, and then on the Action Pane, click Edit.
3. On the Payment accounts FastTab, in the Connectors field, select Dynamics Payment Connector.
4. Click Add, and then under Details, enter the following information:
   - In the Merchant account ID field, enter the merchant account ID that you received from the payment provider.
   - In the Service account ID field, enter the service account ID that you received from the payment provider.
   - In the Microsoft account field, enter the Microsoft account email address. This must be the same Microsoft account that was used to set up the merchant account on Customer Portal.
   - In the Microsoft account password field, enter the password for the Microsoft account.
   - In the Supported currencies field, enter currency codes for the currencies that are supported by the payment service. Separate the currency codes by semicolons. For example, enter USD;CAD.
   - In the Supported payment methods field, enter the payment methods that are accepted by the payment service. Separate the payment methods by semicolons.

   Note: Information is entered automatically in the Assembly name, Environment, Portal URL, and Public key fields. The public key is automatically generated by Microsoft Dynamics AX to encrypt the data that is sent to the payment service.
5. Copy the contents of the Public key field.
6. Sign in to Customer Portal with your Microsoft account email address and password.
7. Under Organization settings, click User management, and then in the New group, click System User.
8. In the Public key field, enter the public key that you copied in step 5, and then click Save.
9. In the User management list, click the first name or the last name of the system user that you created in step 8, and then click Edit.
10. Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button to add the role to the Selected Roles list, and then click Save.
11. Sign out of Customer Portal.

Part 2: Features that facilitate PCI compliance

This part of the guide discusses some of the features in Microsoft Dynamics AX 2012 that facilitate merchant compliance with the PCI Data Security Standard.

Audit logging

Logging of PCI-relevant activity at the register is automatic. For more information, see Monitor Retail POS activity, later in this guide.

User names, passwords, and authentication

Stores and cashiers have no administrative access, and no access to reports. They have access to card numbers only when a card is swiped.

Users of Microsoft Dynamics AX are subject to Active Directory Domain Services security policies. Therefore, users of Microsoft Dynamics AX are subject to the same password policy as domain users.

Employee user names and passwords are set up in the Retail module of Microsoft Dynamics AX 2012. Only approved Microsoft Dynamics AX users have access to these features. Microsoft Dynamics AX 2012 does not provide any default accounts or passwords. Instead, a unique user name and password are required for each user, including the user who sets up the software. These features help satisfy Requirements 2.1 and 8 of the PCI Data Security Standard.

Activities related to setting up new employees, deleting employees, and changing employee user names or passwords are logged. For more information, see Monitor Microsoft Dynamics AX activity, later in this guide.

When cashiers log on to Retail POS at the store, their employee user names and passwords are securely authenticated by either Commerce Data Exchange: Real-time Service or Commerce Data Exchange: Synch Service, depending on employee settings. Cashier passwords are always hashed (obscured).

Set up a new cashier in Microsoft Dynamics AX

1. Click Retail > Common > Workers.
2. Click Hire new worker, and then type the new cashier's name.
3. Enter information about the employee on the tabs as needed.
4. In the Worker form, click the Retail link, and then select a layout ID and a language for the employee.
5. In the Employment type field, select Cashier, and then type a name in the Name on receipt field.
6. In the Password field, type the employee's password.
7. Click POS permissions, and then select a position for the cashier.

Important: When setting up Windows user accounts for employees, and when setting up employee accounts in Microsoft Dynamics AX, you must use a "least privilege" approach, granting employees only those privileges that they require to perform their duties. For example, although trusted management personnel might require Administrator privileges on store computers, employee logon accounts must belong to a group that does not have these privileges. This helps you comply with Requirement 7 of the PCI Data Security Standard.

According to Requirement 8.1 of the PCI Data Security Standard, each employee must have his or her own logon account. Do not allow employees to share employee IDs or passwords. For more information about user accounts for employees, see the Microsoft Dynamics AX 2012 Upgrade Guide, which is available as a download at http://go.microsoft.com/fwlink/?linkid=221465.

Data storage and deletion

Several requirements in the PCI Data Security Standard relate to protecting sensitive cardholder data. These requirements call for the safe storage, encryption, and removal of cardholder information, such as magnetic stripe data, card validation codes and values, PINs, and PIN blocks. In particular, Requirements 1.3 and 1.3.4 prohibit storing cardholder data on servers that are connected to the Internet. The database server cannot also be a web server.

Microsoft Dynamics AX 2012 helps merchants comply with the PCI Data Security Standard regarding data storage and retention in the following ways:

- Primary account numbers (PANs) are not retained, so no periodic purging is necessary. This helps satisfy Requirement 3.1 of the PCI Data Security Standard.
- Sensitive authentication data is never retained, cannot be reproduced from within the program, and is not available in log files or debug files.
- Credit card numbers are tokenized and secured by the connector for Payment Services and are never sent to Microsoft Dynamics AX 2012 R2 as plain text. Tokens expire after 120 days from the last time used.
- Card numbers are truncated after authorization, so that only the last four digits remain.
- Card numbers on both printed and journaled receipts are always truncated.
- Like this release of Microsoft Dynamics AX 2012, the previous release (Microsoft Dynamics AX for Retail) did not retain any sensitive authentication data. Compliance with Requirement 3.2 of the PCI Data Security Standard does not require the removal of historical data.
- Because cardholder data is not retained, no encryption is required. Therefore, there is no need to periodically delete the encryption key. This helps satisfy Requirement 3.6 of the PCI Data Security Standard.

Data transmissions

All Microsoft Dynamics AX 2012 transmissions of cardholder data, whether over a private network or a public network, are secured by the use of Secure Sockets Layer (SSL). This helps satisfy Requirement 4.1 of the PCI Data Security Standard.

Microsoft Dynamics AX 2012 does not allow or facilitate the transmission of PANs via email or other end-user messaging technologies. Any such transmission that takes place must be encrypted to satisfy Requirement 4.2 of the PCI Data Security Standard.

Important: Strong cryptography and security protocols must be used for data transmission over public networks.

Flow of payment data in Retail POS

Figure 1 shows the flow of payment data in the Retail POS system.

Figure 1: Payment data flow in Retail POS
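The storage statements under Data storage and deletion (no full PAN retained, card numbers truncated to the last four digits, nothing in log or debug files) can be spot-checked on exported log or journal text. The following is an added example, not part of the guide or of Microsoft Dynamics AX: it flags runs of 13 to 19 digits that pass the Luhn check and reports them already truncated; the log lines, their format, and the function names are constructed.

```python
# Added example: find untruncated card numbers in log text.
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or hyphens. The lookarounds skip longer digit runs and values that are
# already masked with asterisks.
CANDIDATE = re.compile(r"(?<![\d*])\d(?:[ -]?\d){12,18}(?![\d*])")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(digits):
    """Keep only the last four digits, as the guide describes."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_untruncated_pans(lines):
    """Return (line number, truncated value) for each full PAN found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                # Never echo the full number into the audit report.
                findings.append((lineno, truncate(digits)))
    return findings


# Constructed log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2014-06-01 10:15:02 AUTH ok card=************1111 amount=1.00",
    "2014-06-01 10:15:09 DEBUG payload pan=4111111111111111 exp=hidden",
    "2014-06-01 10:16:40 receipt id=1234567890123456 store=0042",
    "2014-06-01 10:17:13 DEBUG manual entry 5500 0000 0000 0004",
]

if __name__ == "__main__":
    for lineno, masked in find_untruncated_pans(SAMPLE_LOG):
        print(f"line {lineno}: full card number present ({masked})")
```

The receipt ID on line 3 has 16 digits but fails the Luhn check, so it is not reported; the already truncated value on line 1 is skipped by the pattern itself.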

Flow of payment data in Microsoft Dynamics AX Accounts receivable

Figure 2 shows the flow of payment data in the Accounts receivable.

Figure 2: Payment data flow in Accounts receivable

Flow of payment data in a Microsoft Dynamics AX online store

Figure 3 shows the flow of payment data in a Microsoft Dynamics AX online store.

Figure 3: Payment data flow in an online store

Part 3: Connection limitations

Internet connections

Microsoft Dynamics AX 2012 does not require a web server. A perimeter network, which is also known as a DMZ (demilitarized zone) and a screened subnet, can be used to separate the Internet from systems that transmit cardholder data. Cardholder data is never stored, including on the internal network and the perimeter network. The database server should never be on a web server or in a DMZ that contains a web server, and Microsoft Dynamics AX 2012 does not require these configurations. This helps satisfy Requirement 1.3 of the PCI Data Security Standard.

Wireless connections

Microsoft Dynamics AX 2012 does not require or support wireless connections, and we do not recommend using wireless connections with Microsoft Dynamics AX 2012. Using wireless connections could cause the software to stop working and could prevent PCI compliance.

If wireless connections are part of the store's local area network (LAN), even if they are not used with Microsoft Dynamics AX 2012, you must install a firewall and use compliant wireless settings, as described in Requirements 1.2.3, 2.1.1, and 4.1.1 of the PCI Data Security Standard. Specific requirements include:

- Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control any traffic from the wireless environment into the cardholder data environment.
- Change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and Simple Network Management Protocol (SNMP) community strings.
- Ensure that wireless device security settings are enabled for strong encryption technology for authentication and transmission.
- Use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

Note: For new wireless implementations, implementing Wired Equivalent Privacy (WEP) has been prohibited since March 31, 2009. For current wireless implementations, WEP is prohibited after June 30, 2010.

Important:

- Encryption keys shall be changed from default at installation, and shall be changed anytime anyone with knowledge of the keys leaves the company or changes positions.
- Default SNMP community strings on wireless devices shall be changed.
- Default passwords/passphrases on access points shall be changed.
- Firmware on wireless devices shall be updated to support strong encryption for authentication and transmission over wireless networks.
- Other security-related wireless vendor defaults shall be changed, if applicable.

Remote access

Microsoft Dynamics AX 2012 does not provide features that allow or facilitate remote connections into the payment environment, and Microsoft does not provide support for such connections. If you choose to use a remote connection, you must use two-factor authentication (user name and password, plus an additional authentication item, such as a token), as required by Requirement 8.3 of the PCI Data Security Standard.

If remote access software is used by partners or resellers, security features must be implemented and used. Examples of remote access security features include:

- Change default settings in the remote access software (for example, change default passwords, and use unique passwords for each user).
- Allow connections only from specific (known) IP/MAC addresses.
- Use strong authentication, and establish user password policies, according to Requirement 8 of the PCI Data Security Standard.
- Enable encrypted data transmission, according to Requirement 4.1 of the PCI Data Security Standard.
- Enable account lockout after a certain number of failed logon attempts, according to Requirement 8.5.13 of the PCI Data Security Standard.
- Configure the system so that a remote user must establish a virtual private network (VPN) connection via a firewall before access is allowed.
- Enable logging.
- Restrict access to user passwords to authorized reseller/integrator personnel.

Non-console administrative access

Non-console administrative access to Microsoft Dynamics AX 2012 is not supported and could prevent PCI compliance. If you choose to use non-console administrative access, you must implement and use Secure Shell (SSH), VPN, or Secure Sockets Layer/Transport Layer Security (SSL/TLS) for encryption, as required by Requirement 2.3 of the PCI Data Security Standard.

Part 4: Audit logging

To comply with Requirement 10 of the PCI Data Security Standard, you must enable logging as described in the following sections in this guide:

- All computers: Prepare for monitoring the event logs
- All computers: Set up auditing of file access, object access, and audit-policy changes
- At the head office: Set up database logging

You must monitor and manage the log files that are produced.

Monitor Microsoft Dynamics AX activity

At the head office, audit logged information according to the schedule described in Requirement 10 of the PCI Data Security Standard.

Note: Although the procedures in this section are related to Requirement 10 of the PCI Data Security Standard, they are beyond the scope of the PCI requirement because, in an implementation of Microsoft Dynamics AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the security of cardholder data. Therefore, the following procedures are included in this guide as optional best practices that help make organizational data more secure.

View information about user logon and user logoff

View the user log in Microsoft Dynamics AX to see logon information for each authorized user.

1. Click System administration > Inquiries > Users > User log. The logon dates and times shown are also the dates and times that the log was initialized.
2. To view the date and time that a particular user logged off, select the logon event that you are interested in, and then click the General tab.

View the audit trail

Use the database log in Microsoft Dynamics AX to view changes to the tables that you selected for auditing as described in "At the head office: Set up database logging," earlier in this guide.

1. Click System administration > Inquiries > Database > Database log.
2. Select the record to view, and then click the History tab.

View the SQL Server trace log files

Monitor the SQL Server trace log files to see which users accessed the log files. Each entry in the trace log file includes the user who logged on to access data, the type of event, the specific database query that was used to access data (which indicates whether data was read or modified), the date and time of access, the success or failure of the operation, the origination of the event (client application), and the identity or name of the resource (database table) that was accessed.

1. In SQL Server Management Studio, on the File menu, point to New, and then click Query with Current Connection.

2. In the right pane, type the following text, replacing C:\<path> with the actual location of the trace file and <date> with the date string of the correct trace file.

   select * FROM ::fn_trace_gettable('c:\<path>\ps_trace_pmt_<date>.trc', default)

3. On the Query menu, click Execute. The results of the query provide the audit log.

Note: The SQL Server trace log files are saved in a secure location that only administrators can access. Typically, the path of the files is C:\Program Files\Microsoft SQL Server\<instance name>\mssql\log.

Monitor Retail POS activity

Activity in Retail POS is logged in the AX.RetailTransactionTable table in the store or register offline database. It provides logging of the events that must be monitored for PCI compliance. These events are as follows:

- Program startup (the initialization of the log file)
- Employee logon and logoff
- Failed logon attempts

Note: The logging can be modified only at the head office, via changes to the functionality profile for each terminal. Confirm that the Audit logging is still assigned to each functionality profile in the Functionality profile form (Retail > Setup > POS > Profiles > Functionality profiles).

Important: Logging should not be disabled and doing so will result in non-compliance with PCI DSS.

At the store, use a query in SQL Server Management Studio to view the AX.RetailTransactionTable table. For each event in the table, the following information is logged:

- The type of event
- The date and time that the event occurred
- The origination of the event (store and terminal)
- For logon events, the ID of the cashier who logged on. This cashier is associated with all events after the logon event, until a logoff event occurs.

Logged events in stores are transmitted to central back office and stored in RetailTransactionTable table. At the back office database, use a query in SQL Server Management Studio to view the RetailTransactionTable table.
For each event in the table, the following information is logged:

- The type of event
- The date and time that the event occurred
- The origination of the event (store and terminal)
- For logon events, the ID of the cashier who logged on. This cashier is associated with all events after the logon event, until a logoff event occurs.

Monitor event logs

You must monitor the event logs on every computer in the Microsoft Dynamics AX 2012 system. Windows user logon and logoff events, and other user management events, can be viewed from the Windows event log. When file and system object access is audited, you can also use the event log to monitor access to the auditing files themselves.

The event log also shows initialization of the log file in Microsoft Dynamics AX. This is indicated by the event for Application Object Server (AOS) startup, because when the AOS service is running, logging is turned on. The event is Event ID 149, "Object Server <server name>: Ready for operation."

1. If you are running Windows Embedded POSReady 2009, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer. If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server 2008, or Windows Server 2012, click Start, type Event Viewer in the search box, and then press ENTER.
2. If the Windows Logs folder is available, expand it, and then click Security.

Each event has a unique Event ID, and the Windows Event Viewer provides a filter tool to make it easier to view occurrences of specific events. The following table identifies the Event IDs that are logged, based on corresponding operations in Windows.
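
The Event Viewer filter described above can also be scripted for the routine review. The following PowerShell is an added example, not part of the original guide: it queries the Security log for the Event IDs that the guide's table gives for Windows 7, Windows Server 2008, and later. The 24-hour window, the report path, and the choice of operations listed individually are assumptions.

```powershell
# Added example, not from the guide. Requires Windows PowerShell 2.0 or later and an
# elevated session (reading the Security log needs administrator rights).
$since      = (Get-Date).AddDays(-1)                   # assumed review window: last 24 hours
$reportPath = 'C:\AuditReports\security-events.csv'    # hypothetical path; folder must exist

# Event IDs from the guide's table (column for Windows 7 / Windows Server 2008 and later).
$operations = @{
    4776 = 'Logon attempt'
    4624 = 'Logon success'
    4724 = 'User password reset'
    4720 = 'User account created'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4728 = 'User account added'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4732 = 'Member added to user group'
    4733 = 'Member removed from user group'
    4663 = 'File modified and saved'
    4739 = 'Domain policy changed'
    1102 = 'Event Viewer Security log cleared'
}

$filter = @{ LogName = 'Security'; Id = @($operations.Keys); StartTime = $since }

# Get-WinEvent reports an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Keep the fields the guide says are logged: time, origin, type, success or failure.
$rows = @($events | Select-Object TimeCreated, MachineName, Id,
    @{ Name = 'Operation'; Expression = { $operations[$_.Id] } },
    @{ Name = 'Result';    Expression = { $_.KeywordsDisplayNames -join ', ' } },
    @{ Name = 'Summary';   Expression = { ($_.Message -split "`r?`n")[0] } })

# Count of each operation in the review window.
$rows | Group-Object Operation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Assumed priority list: log cleared, policy change, lockout, account and group changes.
$reviewIds = 1102, 4739, 4740, 4720, 4726, 4732
$rows | Where-Object { $reviewIds -contains $_.Id } | Sort-Object TimeCreated |
    Format-Table TimeCreated, MachineName, Operation, Result, Summary -Wrap

if ($rows.Count -gt 0) { $rows | Export-Csv -Path $reportPath -NoTypeInformation }
```
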

For each event, the following information is logged and can be viewed in Event Viewer:

- The Windows user account that was involved in the operation
- The type of event
- The date and time that the event occurred
- The success or failure of the operation
- The origination of the event
- The identity or name of any affected data, component, or resource
- If appropriate, the user group for which a user was added or removed

| Operation | Event ID: Windows Embedded POSReady 7, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2008 | Event ID: Windows Embedded POSReady 2009 |
|---|---|---|
| Logon attempt | 4776 | 680 |
| Logon success | 4624 | 528 |
| Logon failure | 529, 535, 539 | 529, 535, 539 |
| Logoff | 538 | 538 |
| User password reset | 4724 | 628 |
| User account created | 4720 | 624 |
| User account disabled | 4725 | 629 |
| User account deleted | 4726 | 630 |
| User account added | 4728 | 632 |
| User account changed | 4738 | 642 |
| User account locked out | 4740 | 644 |
| Member added to user group | 4732 | 636 |
| Member removed from user group | 4733 | 637 |
| Object access (update or deletion of monitored files) | None | 560 |
| File modified and saved | 4663 | 567 |
| Audit policy changed | None | 612 |
| Domain policy changed | 4739 | 643 |
| Event Viewer Security log cleared | 1102 | 517 |

Part 5: Software updates and support

Software updates

Updates to Microsoft Dynamics AX 2012 are not delivered via remote connection. Instead, updates are either downloaded from a secure website, at the merchant's specific request, or installed from a CD. Software updates must not be downloaded via remote connection.

Troubleshooting and support

This section outlines the process that Microsoft and its Certified Partners are required to follow when a Microsoft Dynamics AX 2012 customer requires troubleshooting of a specific problem. This process is designed to ensure the security of sensitive information in the database, including employee passwords and payment-related data, and helps satisfy Requirement 3.2 of the PCI Data Security Standard. Support personnel are required to collect only the limited amount of data needed to solve the specific problem being reported.

The remaining paragraphs in this section describe the process followed by Microsoft support personnel and the Microsoft Dynamics AX 2012 product team. Microsoft Certified Partners are required to implement support processes and tools with equivalent security measures in place. These measures include but are not limited to the following:

- Collect sensitive authentication data only when it is needed to solve a specific problem.
- Store such data only in specific, known locations with limited access.
- Collect only the limited amount of data needed to solve a specific problem.
- Securely delete such data immediately after use.
- Encrypt sensitive authentication data while it is stored. (No sensitive data is stored by Microsoft Dynamics AX 2012. This refers to any data that might be stored via third-party add-ins or other sources.)

When a customer contacts Microsoft Technical Support, the support engineer creates a record of the issue and initiates an investigation. The product team then attempts to reproduce the issue on test databases and, if necessary, with test credit card accounts. If the issue cannot be reproduced on test databases, support personnel follow one of the following processes, depending on the situation:

- Support personnel access the customer's desktop.
- Support personnel obtain a copy of the store database (which contains no sensitive cardholder data).
- Support personnel travel to the customer's place of business.

In all scenarios, access to the database is restricted to these support personnel: Escalation Engineers, Support Escalation Engineers, Tech Leads, and Team or Service Delivery Managers.

Support personnel access the customer's desktop

With the customer's specific approval, a support engineer can use Microsoft Easy Assist to access the customer's desktop and investigate the issue directly. Easy Assist is a remote support solution based on the Microsoft Office Live Meeting 2007 service and subject to all Live Meeting security measures. These include a full suite of access, content storage, hosting infrastructure, and data transmission security features and measures. For details, see the Microsoft Office Live Meeting Service Security Guide, which is available for download at http://www.microsoft.com/en-us/download/details.aspx?id=10873.

The Easy Assist process is as follows:

1. The support engineer sets up the session, and then sends a session invitation to the customer. This invitation contains a link that connects the customer to a specific Easy Assist session. Alternatively, the engineer can provide the Session ID, which the customer can use to log on at http://support.microsoft.com/ea.
2. The customer accepts the Easy Assist Terms of Use and, if necessary, installs the Easy Assist software.
3. In the Easy Assist session, the customer specifically allows the support engineer to share the customer's desktop by pointing to Share My Desktop on the Tools menu, and then clicking Start. Alternatively, the support engineer can send the customer a request for sharing, which the customer can explicitly approve or deny.
4. At the conclusion of the session, or at any time that the customer chooses, the customer stops sharing the desktop by pointing to Share My Desktop on the Tools menu, and then clicking Stop. At this point, the support engineer can still exchange chat messages with the customer and accept files specifically transferred by the customer, but the engineer has no direct access to the customer's computer.
5. The customer terminates the Easy Assist session at any time by clicking Exit on the File menu. After the session is terminated, the support engineer cannot send or receive chat messages, cannot receive files, and has no access to the customer's computer. There is no way for the engineer to reestablish the session.

At no point in this process does the support engineer have access to the customer's card number or card data.

Support personnel obtain a copy of the store database

The database is transmitted to Microsoft either by means of the File Transfer utility in Easy Assist or by using the secure Microsoft HTTPS file transfer services. After the database reaches Microsoft, it is stored on a specific support file server that is secured according to Microsoft corporate and Support guidelines, and to which only support personnel have access. There is no sensitive authentication data in the database, and the database is attached to a SQL Server only during active troubleshooting. When troubleshooting is completed, the store database is immediately, securely deleted from the Microsoft server. Any associated .bak, .mdf, and .ldf files are also destroyed.

Support personnel travel to the customer's place of business

The support engineer investigates the issue on-site, and the customer's data never leaves the store.

Distribution of hotfixes

When a resolution becomes available for a reported issue, a hotfix is released. Hotfixes are distributed via secure download from the Microsoft website at the customer's specific request.

Appendix A: Version history

The following changes have been made to this guide since it was originally published in June 2010:

- Dates and version numbers have been updated.
- The note at the beginning of "All computers: Set up auditing of file access, object access, and audit-policy changes" has been modified to indicate that completing the procedures in that section is required, and the words "less stringent" have been added to the second bulleted item.
- An error in step 2 of "Audit access to system folders and files" has been corrected.
- A note has been added to "Store computers: Turn off System Restore" to point out that System Restore is not available on Windows Server 2008.
- The figure in "Flow of payment data" has been updated to include the flow of the response code from Payment Services to the Retail POS database.
- Minor editorial changes have been made.
- The information has been updated for the release of Microsoft Dynamics AX 2012.
- The information has been updated for the release of Microsoft Dynamics AX 2012 Feature Pack.
- The information has been updated for the release of Microsoft Dynamics AX 2012 R2.
- The information has been updated for the release of Microsoft Dynamics AX 2012 R3.