MICROS e7 Version 2.7 Patch 1 Upgrade Best Practices

General Information

About this Document

This document is intended to convey best practice information when upgrading the MICROS e7 application from a non-PCI compliant version to a PCI compliant version. The table below lists all of the PCI compliant and non-PCI compliant versions of MICROS e7.

Non-PCI Compliant Versions     PCI Compliant Versions
1.0                            2.1
1.5                            2.1 Patches 1, 2, 3 & 4
1.5 Patch 1                    2.5
2.0                            2.6
2.0 Patches 1 & 2              2.6 Patches 1, 2 & 3
2.7                            2.7 Patch 1

Visa established the Payment Card Industry (PCI) Data Security Standard to protect Visa cardholder data wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard.
Non-PCI compliant versions of MICROS e7 may allow sensitive information, such as credit card numbers, to exist in a non-encrypted format. Such historical data (magnetic stripe data, card validation codes, PINs, or PIN blocks) must be removed. Removal of such data is necessary to ensure the MICROS software upgrade is conducted in a manner that is PCI compliant.

The sensitive information cannot simply be deleted from the file system. When files are deleted from the file system, most operating systems do not delete the files themselves; only the reference to each file is deleted. So, as a security measure, sites must follow the upgrade best practices and use a wipe tool to securely remove any historical sensitive information. Such data must be removed not only from the database, but anywhere the historical sensitive information resides, including backup tapes and logs.

MICROS Systems, Inc. mandates the secure deletion of historical sensitive information wherever it resides using the secure wipe tool Eraser. For more information, refer to the MICROS Secure Wipe Tool document.
Declarations

Warranties

Although the best efforts are made to ensure that the information in this manual is complete and correct, MICROS Systems, Inc. makes no warranty of any kind with regard to this material, including but not limited to the implied warranties of marketability and fitness for a particular purpose. Information in this manual is subject to change without notice.

No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information recording and retrieval systems, for any purpose other than for personal use, without the express written permission of MICROS Systems, Inc.

MICROS Systems, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual.

Trademarks

Framemaker is a registered trademark of Adobe Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners.

Printing History

New editions of this manual incorporate additions and changes to the material since the previous release.

Edition    Month        Year
1st        September    2007
2nd        November     2007
3rd        March        2008
Upgrade Best Practices

Follow these steps to execute a secure upgrade to a PCI compliant version of the MICROS e7 software. These steps should be performed on the PC running MICROS e7.

Clear Virtual Memory on Shutdown

Virtual memory is used by the Windows operating system to optimize the use of RAM and disk memory. It is possible for MICROS e7 data to be written to virtual memory by the operating system in the normal course of swapping data between RAM and virtual memory. The only way to clear the virtual memory is during the boot process. It is important to clear virtual memory whenever a MICROS e7 PC is rebooted. A scheduled reboot of the PC is also recommended as a means of clearing the virtual memory.

Instructions for clearing virtual memory are provided below for the following operating systems:

- Windows 2000
- Windows Server 2003 and Windows XP
- Windows Vista Business Edition

Steps to set up clearing virtual memory on shutdown on a System Running Windows 2000

1. Click Start.
2. Click Microsoft Control Panel.
3. Click Administrative Tools.
4. Click Local Security Policy.
5. Expand the local policies by clicking the +.
6. Select the Security Options folder.
7. Double click on the Clear Virtual Memory Page File When System Shuts Down.
8. Select Enable.
9. Click [Ok].
Steps to set up clearing virtual memory on shutdown on a System Running Windows Server 2003 and Windows XP

1. Click Start.
2. Click Microsoft Control Panel.
3. Click Administrative Tools.
4. Click Local Security Policy.
5. Expand the local policies by clicking the +.
6. Select the Security Options folder.
7. Double click on the Shutdown: Clear Virtual Memory Pagefile.
8. Select Enabled.
9. Click [Ok].

Steps to set up clearing virtual memory on shutdown on a System Running Windows Vista Business Edition

1. Click Start.
2. Click Microsoft Control Panel.
3. Click Administrative Tools.
4. Click Local Security Policy.
5. Expand the local policies by clicking the +.
6. Select the Security Options folder.
7. Double click on the Clear Virtual Memory Page File When System Shuts Down.
8. Select Enabled.
9. Click [Ok].
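
The Local Security Policy setting in the steps above is stored in the registry value ClearPageFileAtShutdown under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. The following added example (not part of the MICROS document) audits that value from PowerShell and can enable it. It assumes Windows PowerShell 2.0 or later is installed and an administrator session; the function names are hypothetical.

```powershell
# Added example, not MICROS code. Function names are hypothetical.
# Registry key that holds the value behind the "clear virtual memory pagefile"
# setting in Local Security Policy.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PagefileClearState {
    $props = Get-ItemProperty -Path $MemMgmtKey
    $raw   = $props.ClearPageFileAtShutdown          # $null when the value was never set
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        PagingFiles = ($props.PagingFiles -join '; ') # pagefile(s) configured on this PC
        RawValue    = $raw
        Enabled     = ($raw -eq 1)                    # only 1 means "clear at shutdown"
    }
}

function Enable-PagefileClear {
    # Writes the DWORD value 1; requires an elevated session.
    Set-ItemProperty -Path $MemMgmtKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
    Get-PagefileClearState
}

$state = Get-PagefileClearState
if (-not $state.Enabled) {
    Write-Warning "Pagefile is NOT cleared at shutdown on $($state.Computer)."
    # Uncomment to remediate instead of only reporting:
    # $state = Enable-PagefileClear
}
$state | Format-List Computer, PagingFiles, RawValue, Enabled
```

A value of 1 takes effect at the next shutdown, and shutdown takes longer on a PC with a large pagefile.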
Wipe all Old Copies of the Database and Database Logs from System

The recommended way to wipe these files is to use the ERASER removal utility (http://www.tolvanen.com/eraser). Simply deleting the files is not sufficient. A hacker could use a variety of tools to recover data where a proper removal utility has not been used to wipe the old databases. Using the Windows delete function simply unlinks the filename from the data, leaving the data intact on the system. Wiping or removing the data will write over the data with garbage data, making the original file unrecoverable. For more information, refer to the MICROS Secure Wipe Tool document.

1. The current database files should not be wiped off the system. These files can be found at the following location: \MICROS\e7\db
2. For removal of files from the system, use the ERASER removal utility available at the following location: http://www.tolvanen.com/eraser. It is important to find all instances of the db and logs. Search for *gz* and any other naming conventions you may use to archive your databases and logs. This utility may be used to delete any type of file. Any files stored on the system that contain customer data should be wiped from the system. If you are unsure that you have located all possible files, then a reinstallation to a completely blank hard drive is recommended.

Make a Backup of the Current Database

1. Go to the MICROS e7 Configurator and select the Functionality drop-down arrow on the top right-hand corner of the screen.
2. Select Backup the Database. The database backup file (backup.001.gz or backup.002.gz) will be stored at the following location: \MICROS\e7\dbbackups
3. Make a copy of the backup database and place it in a secure location outside of the MICROS tree.
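
For the search step in the wipe section above ("find all instances of the db and logs"), this added PowerShell example (not part of the MICROS document) lists files matching *gz* outside the current database directory so the list can be reviewed and handed to Eraser. The function name, the C: drive letter and the search roots are assumptions; the script deletes nothing.

```powershell
# Added example, not MICROS code. Lists candidate files only; wiping is done with Eraser.
function Find-E7WipeCandidate {
    param(
        [string[]]$Root        = @('C:\'),            # assumption: locations to search
        [string]  $CurrentDb   = 'C:\MICROS\e7\db',   # path from the page; drive letter assumed
        [string[]]$NamePattern = @('*gz*')            # add your own archive naming conventions
    )
    # Normalise so that "C:\MICROS\e7\db" does not also exclude "C:\MICROS\e7\dbbackups".
    $keep = $CurrentDb.TrimEnd('\') + '\'

    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Where-Object {
                # Keep the file if its name matches any of the wildcard patterns.
                $name = $_.Name
                @($NamePattern | Where-Object { $name -like $_ }).Count -gt 0
            } |
            Where-Object {
                # The current database must not be wiped, so leave it off the list.
                -not $_.FullName.StartsWith($keep, [System.StringComparison]::OrdinalIgnoreCase)
            } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Oldest files first: these are the most likely leftovers from earlier versions.
Find-E7WipeCandidate |
    Sort-Object LastWriteTime |
    Format-Table -AutoSize FullName, Length, LastWriteTime
```

Review the list before wiping: it also includes files under \MICROS\e7\dbbackups, so make sure the backup you want to keep has been copied to its secure location first.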