
Implementation Guide



b. How your Point Vx helps you meet this requirement
c. What this means to you
Requirement 11: Regularly test security systems and processes
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
2.6 Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
3 How to set up your Point Vx to ensure PCI DSS compliance
3.1 Do not retain full magnetic stripe or card validation code
3.2 Protect stored cardholder data
3.3 Protect wireless transmissions
CVC2: a three- or four-digit value printed on the back of the card but not encoded on the magnetic stripe or the chip.
SNMP: Simple Network Management Protocol, a network protocol used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
WPA and WPA2: Wi-Fi Protected Access is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks.
WEP: Wired Equivalent Privacy, a wireless network security standard. Sometimes erroneously called Wireless Encryption Protocol.
Magnetic Stripe Data: track data read from the magnetic stripe, from the magnetic stripe image on the chip, or from elsewhere.
Sensitive Authentication Data: Magnetic Stripe Data, CVV2 and PIN.
TMS: Terminal Management System.
SSH: Secure Shell, a network protocol that allows data to be exchanged over a secure channel between two networked devices.
HTTPS: Hypertext Transfer Protocol Secure, the combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of the server.

Copyright 2011 POINT AB. All rights reserved. Copying and/or redistribution of this information, in whole or in part, without the express permission of Point Transaction Systems AB is prohibited.
c. What this means to you
2.3 Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
Requirement 6: Develop and maintain secure systems and applications
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
2.4 Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
2.3 Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

a. What the requirement says
Malicious software, commonly referred to as malware (including viruses, worms and Trojans), enters the network during many business-approved activities, including employee e-mail and use of the Internet, mobile computers and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats (reference 2).

b. How your Point Vx helps you meet this requirement
The Point Vx cannot be used for e-mail or Internet activities. All software downloaded to the terminal is controlled by Point, protected by a digital signature/MAC, and sent over an SSL connection if the processor supports SSL. These measures are designed to prevent malicious or unauthorised software from being installed on your Point Vx terminal.

c. What this means to you
You should install and maintain anti-virus software on the systems in your environment that are commonly affected by malware, and make sure that it is kept up to date as security threats change. For the Point Vx itself you do not need to take any action regarding anti-virus software.
Requirement 8: Assign a unique ID to each person with computer access

a. What the requirement says
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users (reference 2).

b. How your Point Vx helps you meet this requirement
The Point Vx does not allow access to critical data.
Requirement 8.3: The Point Vx does not allow direct remote access to the system. For remote updates via a Terminal Management System, however, the authentication used as part of the authenticated remote software distribution framework for the PED should be evaluated by a QSA as part of any PCI DSS assessment.

c. What this means to you
Since the Point Vx does not allow access to critical data, you do not need to take any action.
Requirement 8.3: Ask your QSA to include the remote update process in the PCI DSS assessment.

Requirement 9: Restrict physical access to cardholder data

a. What the requirement says
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, onsite personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who a
Point PCI PA-DSS Point Vx Implementation Guide
For VeriFone Vx520, Vx680 and Vx820 terminals using the Point Vx Payment Core (Point VxPC)
Version 2.02, Date 2012-02-22
POINT TRANSACTION SYSTEMS AB, Box 92031, 120 06 Stockholm. Tel +46 8 566 287 00. www.point.se

Revision History

Version | Name | Date | Comments
1.00 | Mats Oscarsson | 2011-03-25 | Initial version
1.01 | Mats Oscarsson | 2011-05-03 | see below
2.01 | Mats Oscarsson | 2011-12-09 | see below
2.02 | Mats Oscarsson | 2012-02-22 | see below

Comments for versions 1.01 to 2.02, in the order given:
- Chapter 3.3 Protect wireless transmissions is updated. A new chapter, Back out or product de-installation procedures, is added.
- Changed for version 2.0 of the PA-DSS requirements.
- Chapter 3.4: added information that the TMS used for PED software distribution should be checked by a QSA.
- Chapters 2.1 and 3.4: added instruction not to place the terminal in an Internet-accessible network zone (DMZ).
- Chapter 3.3 Protect Wireless Transmissions is updated.
- Chapter 2.5 Regularly Monitor and Test Networks, Requirement 10 c What this means to you: updated to contain information about how to change the address of the centralized log server.
- Chapter 3.1: updated to clarify that only non-PCI PA-DSS compliant terminals must be returned to Point if a physical terminal replacement takes place.
- Chapter 2.1 Build and Maintain a Secure Network, Requirement 1 c What this means to you: updated to describe the ports that need to be opened.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

a. What the requirement says
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and are easily determined via public information (reference 2).

b. How your Point Vx helps you meet this requirement
The Point Vx does not allow users to access any cardholder data or sensitive authentication data. Access to the IP addresses for processors, terminal management systems and software download servers is protected by unique passwords per terminal, and these passwords are changed on a daily basis.

c. What this means to you
Since the password protection for the Point Vx is handled entirely within the unit, there is no need for you to take any action for the terminal itself. Requirement 2 still applies to the other devices in your environment, for example the wireless access points and firewalls covered in chapter 3.3, whose vendor defaults you must change.

2.2 Protect Cardholder Data

Requirement 3: Protect stored cardholder data

a. What the requirement says
Protection methods such as encryption, truncation, masking and hashing are critical components of cardholder data protection.
Requirement 4: Encrypt transmission of cardholder data across open, public networks

a. What the requirement says
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments (reference 2).

b. How your Point Vx helps you meet this requirement
The Point Vx encrypts cardholder data using triple DES with a unique key per transaction. On top of that, the entire messages sent to and from the Point Vx are protected using SSL if the processor supports SSL.

c. What this means to you
If you are using a wireless network (WLAN), you must set up your wireless network to use WPA/WPA2 encryption for new installations. N.B. WEP must not be used after June 30, 2010. The WLAN encryption is applied on top of the triple DES encryption and SSL (if SSL is supported by the processor) implemented in the terminal. If you connect to an external network without using WLAN, you do not need to take any action. Check with your processor whether SSL is supported: if it is not, only the triple-DES-protected fields are encrypted on the link, and the rest of the message is protected only by the network itself.
You can download the latest version of this document from http://www.point.se.

The Payment Card Industry (PCI) has also set requirements for software applications that store, process or transmit cardholder data. These requirements are defined by the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS). To make it easier for you to obtain a PCI DSS assessment, the Point VxPC (Point Vx Payment Core) software has been validated by PCI to comply with the PCI PA-DSS requirements.

Note: This guide refers to Point Vx terminals using the Point VxPC (Point Vx Payment Core). The version of the Point VxPC is listed on the PCI web site (http://www.pcisecuritystandards.org) in the List of Validated Payment Applications that have been validated in accordance with PCI PA-DSS. If you cannot find the version of your Point VxPC on that list, please contact our helpdesk at Point in order to upgrade your terminal.

Document Use
This PA-DSS Implementation Guide contains information for the proper use of terminals using the Point VxPC. Point Transaction Systems AB does not possess the authority to state that a merchant may be deemed PCI DSS compliant if the information contained within this document is followed. Each merchant is responsible for creating a PCI DSS compliant environment. The purpose of this guide is to provide the information needed during installation and operation of terminals using the Point VxPC in a manner that will support a merchant's PCI DSS compliance efforts.
Requirement 6: Develop and maintain secure systems and applications

a. What the requirement says
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software. Note: appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that they do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques (reference 2).

b. How your Point Vx helps you meet this requirement
Point Transaction Systems constantly works with the latest security findings and requirements throughout the life cycle of your Point Vx. This includes automatic software updates whenever necessary (the update mechanism is described in chapter 3.4, and the back-out procedure in chapter 4).

c. What this means to you
You should keep your systems up to date with software updates, operating system updates and any other security patches. For the Point Vx you do not need to take any action.
Requirement 8: Assign a unique ID to each person with computer access
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
Requirement 9: Restrict physical access to cardholder data
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
2.5 Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
a. What the requirement says
c. What this means to you
You should test your network connections, including wireless networks, periodically for vulnerabilities and make use of network vulnerability scans. If you make any significant changes to your network, you should also test for vulnerabilities.

2.6 Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors

a. What the requirement says
All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are resident on the entity's site or otherwise have access to the cardholder data environment (reference 2).

b. How your Point Vx helps you meet this requirement

c. What this means to you
3 How to set up your Point Vx to ensure PCI DSS compliance
In this chapter, Point Vx refers to terminals using the Point VxPC.

3.1 Do not retain full magnetic stripe or card validation code
Upgrading the payment application in your Point Vx to comply with the PCI PA-DSS requirements can be done in two ways:
1. Your old unit is physically replaced by a new Point Vx loaded with software that complies with the PCI PA-DSS requirements. If the old unit is not PCI PA-DSS compliant it could contain historical magnetic stripe data, PANs and CVV2s. Therefore the non-PCI PA-DSS compliant unit must be returned to Point.
2. Your existing Point Vx is downloaded remotely with new software that complies with the PCI PA-DSS requirements. After download, your Point Vx software is designed to remove all historical magnetic stripe data, PANs and CVV2s stored by previous versions of the software.
In both cases you must make sure that the software version of the Point VxPC that runs on your Point Vx is listed on the PCI web site (http://www.pcisecuritystandards.org) in the List of Validated Payment Applications that have been validated in accordance with PCI PA-DSS.
In order for your organization to comply with PCI DSS requirements it is absolutely necessary to remove historical data stored prior to installing your PCI PA-DSS compliant Point Vx terminal. Therefore you mu
3.4 Facilitate secure remote software updates
3.5 Encrypt sensitive traffic over public networks
4 Back out or product de-installation procedures
5 Terminology and abbreviations

1 Introduction
The Payment Card Industry Data Security Standard (PCI DSS) defines a set of requirements for the configuration, operation and security of payment card transactions in your business. If you use the Point Vx terminal in your business to store, process or transmit payment card information, this standard and this guide apply to you. The requirements are designed for use by assessors conducting onsite reviews and for merchants who must validate compliance with the PCI DSS. For more details about PCI DSS please see http://www.pcisecuritystandards.org.
This guide is updated whenever there are changes in Point Vx software using the Point VxPC that affect PCI DSS, and is also reviewed annually and updated as needed to reflect changes in the software as well as in the PCI standards.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1 (reference 2).

b. How your Point Vx helps you meet this requirement
Point Vx is designed to operate in a network behind a firewall.

c. What this means to you
If you are using wireless technology, you must install and maintain a firewall to protect your Point Vx from someone attacking through the wireless environment. Also, if your network connection allows inbound traffic, you should use a firewall. The terminal should not be placed in an Internet-accessible network zone (DMZ).
3.3 Protect wireless transmissions
If you are using a wireless network within your business, you must make sure that firewalls are installed that deny any traffic from the wireless environment into the Point Vx environment, or control it if such traffic is necessary for business purposes. Please refer to your firewall manual.
If you are using a wireless network you must also make sure that:
- Encryption keys were changed from vendor defaults at installation.
- Passwords to access the wireless router/access point were changed from vendor defaults.
- Strong encryption (HTTPS or SSH) is used for authentication, i.e. for entry of user identity and password to access the wireless router/access point.
- Encryption keys are changed any time someone with knowledge of the keys leaves the company or changes position.
- Default SNMP community strings on wireless devices are changed.
- Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks, for example IEEE 802.11i. Please note that the use of WEP as a security control has been prohibited since 30 June 2010.
- Other security-related vendor defaults are changed.

3.4 Facilitate secure remote software updates
The software of your Point Vx can be updated remotely and automatically. For connection to external networks it is recommended to use firewall protection as described in 2.1 Build and Maintain a Secure Network in this document.
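The checklist in 3.3 above can be turned into a repeatable check. The script below is an added example, not code from this guide or from Point: it reads an access point's configuration in hostapd.conf-style key=value form (a real format, but other access points use their own) together with snmpd.conf-style "rocommunity"/"rwcommunity" lines, and reports which checklist items fail. The vendor default values, the management URL, the admin password and both sample configurations are constructed for the example.

```python
"""Audit of a wireless access point's configuration against the 3.3 checklist.

Added example, not from the guide or from Point. Reads hostapd.conf-style
key=value text and snmpd.conf-style community lines. The vendor defaults and
the sample configurations are constructed for this example."""
from urllib.parse import urlparse

def parse_kv(text: str) -> dict:
    """key=value lines with '#' comments stripped (hostapd.conf syntax)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def snmp_communities(snmpd_text: str) -> set:
    """Community strings from 'rocommunity NAME ...' / 'rwcommunity NAME ...' lines."""
    found = set()
    for raw in snmpd_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("rocommunity", "rwcommunity"):
            found.add(parts[1])
    return found

def audit_access_point(hostapd_text, snmpd_text, mgmt_url, admin_password, vendor_defaults):
    """Return the checklist items the access point fails (empty list = all pass)."""
    cfg = parse_kv(hostapd_text)
    problems = []
    if any(k.startswith("wep_") for k in cfg):
        problems.append("WEP is configured; WEP has been prohibited since 30 June 2010")
    # hostapd: wpa=1 is WPA only, wpa=2 is WPA2 (IEEE 802.11i RSN), wpa=3 allows both
    if cfg.get("wpa") not in ("2", "3"):
        problems.append("WPA2 (IEEE 802.11i) is not enabled (wpa=%s)" % cfg.get("wpa", "unset"))
    ciphers = (cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise", "")).split()
    if "CCMP" not in ciphers:
        problems.append("pairwise cipher does not include CCMP (AES)")
    if "TKIP" in ciphers:
        problems.append("legacy TKIP is still allowed as a pairwise cipher")
    if cfg.get("wpa_passphrase") == vendor_defaults["wpa_passphrase"]:
        problems.append("WPA passphrase is still the vendor default")
    if admin_password == vendor_defaults["admin_password"]:
        problems.append("access point admin password is still the vendor default")
    if urlparse(mgmt_url).scheme not in ("https", "ssh"):
        problems.append("management login over %s is not HTTPS or SSH" % mgmt_url)
    for community in sorted(snmp_communities(snmpd_text) & vendor_defaults["snmp_communities"]):
        problems.append("default SNMP community string in use: %s" % community)
    return problems

# Assumed defaults as they would appear on the vendor's data sheet (constructed).
VENDOR_DEFAULTS = {
    "wpa_passphrase": "changeme",
    "admin_password": "admin",
    "snmp_communities": {"public", "private"},
}

# Constructed configuration as shipped: WEP only, default SNMP communities.
AP_AS_SHIPPED = """\
interface=wlan0
ssid=shop-pos
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
"""
SNMPD_AS_SHIPPED = "rocommunity public\nrwcommunity private\n"

# Constructed configuration after applying the 3.3 checklist.
AP_HARDENED = """\
interface=wlan0
ssid=shop-pos
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=set-at-installation-2012-02-22
"""
SNMPD_HARDENED = "rocommunity shop-ro-7f3a 192.168.10.5\n"

if __name__ == "__main__":
    for p in audit_access_point(AP_AS_SHIPPED, SNMPD_AS_SHIPPED,
                                "http://192.168.10.1/", "admin", VENDOR_DEFAULTS):
        print("FAIL:", p)
    print("hardened:", audit_access_point(AP_HARDENED, SNMPD_HARDENED,
                                          "https://192.168.10.1/", "Kq7!vT2#mZ9p", VENDOR_DEFAULTS))
```

Two checklist items cannot be read from a configuration file: that keys are rotated when someone who knows them leaves or changes role, and that the firmware is current. Those need a dated record of key changes and the vendor's release list, and a QSA will ask for both.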
Revision history comments (continued):
- Chapter 3.2 Protect stored cardholder data: the wording is changed from "removal" to "rendered irretrievable".
- Chapter 1 Note 1: updated to state that the Implementation Guide should be distributed to all relevant payment application users.

References
Nbr | Title | Version
1 | Payment Card Industry Payment Application Data Security Standard | 2.0
2 | Payment Card Industry Data Security Standard | 2.0

Table of contents
1 Introduction
2 Summary of PCI DSS requirements
2.1 Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Note 1: Both the system installer and the controlling merchant must read this document. Hence the Implementation Guide should be distributed to all relevant payment application users (customers, resellers and integrators).
Note 2: This document must also be used when training integrators and resellers at initial workshops.

2 Summary of PCI DSS requirements
This summary provides a basic overview of the PCI DSS requirements and how they apply to your business and the Point Vx terminal. In this chapter, Point Vx refers to terminals using the Point VxPC.

2.1 Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

a. What the requirement says
Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network.
5 Terminology and abbreviations
PCI DSS: Payment Card Industry Data Security Standard, the subject of this document. Retailers that use applications to store, process or transmit payment card data are subject to the PCI DSS standard.
PA-DSS: Payment Application Data Security Standard, a standard for validation of payment applications that store, process or transmit payment card data. Applications that comply with PA-DSS have built-in protection of card data and thereby make it easier for retailers to comply with PCI DSS.
Point VxPC: The Payment Core used by Point Vx terminals. The Point VxPC is the part of the Point Vx software that stores, processes and transmits cardholder data. The Point VxPC is validated in accordance with the requirements of PCI PA-DSS.
Cardholder Data: PAN, expiration date, cardholder name (not used by Point Vx) and service code.
Service Code: A three-digit code from the magnetic stripe data defining (1) interchange and technology, (2) authorization processing and (3) range of services and PIN requirements.
PAN: Primary Account Number. The PAN, also called card number, is part of the magnetic stripe data and is also printed or embossed on the card. The PAN can also be stored in the chip of the card.
SSL: Secure Sockets Layer, a commonly used method to protect transmission across public networks. SSL includes strong encryption.
ECR: Electronic Cash Register.
CVV2: Card Verification Value, also called CVC2.
If the terminal is connected to an ECR and a firewall sits between the terminal and the ECR, TCP port 2000 must be opened to enable communication between the two. Open it only between the ECR and the terminal addresses; traffic from the wireless segment or from the Internet towards the terminal should stay blocked (see 3.3).
For the ports used for outbound traffic, please refer to the information menu of the terminal as described below.

Stand-alone Vx520 terminals:
1. Press the F3 key.
2. Press the F3 key (TERMINAL INFO).
3. Select HOST to print the information.

Stand-alone Vx680 terminals:
1. Press MENU on the touch screen.
2. Press INSTÄLLNINGAR (Settings).
3. Press TERMINAL INFO.
4. Press HOST to print the information.

Vx520 terminals connected to an ECR or equivalent:
1. Press the F1 key.
2. Enter the password when ANGE LÖSENORD (Enter password) is prompted.
3. Press F4 (INFORMATION).
4. Press F4 (HOST INFO).
5. Scroll up or down to display the information.

Vx820 terminals connected to an ECR or equivalent:
1. Press MENU on the touch screen.
2. Press MAINTENANCE.
3. Press TERMINAL INFO.
4. Press HOST.
5. Scroll up or down to display the information.

For more information about setting up your firewall to work with your Point Vx, please refer to the manual supplied by your firewall vendor.
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
2.2 Protect Cardholder Data
Requirement 3: Protect stored cardholder data
a. What the requirement says
b. How your Point Vx helps you meet this requirement
c. What this means to you
Requirement 4: Encrypt transmission of cardholder data across open, public networks
a. What the requirement says
b. How your Point Vx helps you meet this requirement
If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies such as e-mail and instant messaging. Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for definitions of strong cryptography and other PCI DSS terms (reference 2).

b. How your Point Vx helps you meet this requirement
The Point Vx never stores full magnetic stripe data from the card. For offline transactions, the PAN and expiry date are stored encrypted using a unique key per transaction. At transaction time the PAN is truncated before it is stored: only the first 6 and the last 4 digits are kept. For printout of receipts and reports, the truncated PAN is sent to the ECR.

c. What this means to you
For cards read by the Point Vx magnetic stripe reader or chip card reader you do not have to take any action. For manually entered PANs and for voice referrals it is never allowed to write down or otherwise store the PAN, expiration date or CVV2.
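The truncation rule above (keep the first 6 and last 4 digits) and the obligation in 3.1 to get rid of historical PANs and magnetic stripe data both come down to two operations a merchant can run on the ECR side: mask what is stored or printed, and scan what is already on disk. The script below is an added example, not code from this guide or from Point: it implements the truncation, then scans text such as an ECR log for full PANs (filtered with a Luhn check so that order numbers and timestamps are skipped) and for track-1 and track-2 magnetic stripe layouts. The mask character "X", the Luhn filter and the log lines are this example's own choices; the card numbers are the public card-brand test numbers, not real cards.

```python
"""PAN truncation and a scan for leftover cardholder data.

Added example, not code from the guide or from Point. The mask character 'X',
the Luhn filter and the sample log lines are this example's own choices; the
card numbers used are the public card-brand test numbers, not real PANs."""
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; used to drop random digit runs (order ids,
    timestamps) from the scanner's candidates. Not a proof that a number is a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, as the guide says the terminal does
    before storing; the middle digits are masked with 'X' (assumed mask character)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

# 13 to 19 digits, optionally separated by spaces or hyphens, not adjoining other digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# magnetic stripe track layouts: %B<PAN>^<NAME>^<YYMM...>?  and  ;<PAN>=<YYMM...>?
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d*\??")
TRACK2 = re.compile(r";?\d{13,19}=\d{4}\d*\??")

def find_cardholder_data(text: str):
    """Return (line_number, kind, value) for full PANs and track data found in text.
    Truncated PANs such as 411111XXXXXX1111 do not match because of the mask."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK1.finditer(line):
            findings.append((lineno, "track1", m.group()))
        for m in TRACK2.finditer(line):
            findings.append((lineno, "track2", m.group()))
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "pan", digits))
    return findings

# Constructed ECR log excerpt: line 1 is what a compliant terminal hands to the
# ECR; lines 2 to 4 are the kind of debug leftovers a scan of old logs must find;
# line 5 holds digit runs that are not card numbers.
SAMPLE_LOG = """\
2012-02-22 10:01:02 SALE approved pan=411111XXXXXX1111 amount=12.50
2012-02-22 10:03:15 DEBUG raw pan=4111111111111111 amount=12.50
2012-02-22 10:04:40 DEBUG track2=;5555555555554444=2512101123456789?
2012-02-22 10:04:55 DEBUG track1=%B4111111111111111^DOE/JOHN^2512101000000000?
2012-02-22 10:05:01 order id 20120222100501 ref 1234567890123
"""

if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))
    for lineno, kind, value in find_cardholder_data(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
```

Run the scanner over ECR logs, receipt spool directories and backups taken before the PA-DSS compliant software was installed; every hit is historical data that 3.1 says must be rendered irretrievable. The Luhn filter keeps false positives down but is not a guarantee in either direction, so review hits by hand rather than deleting automatically.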
2.4 Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

a. What the requirement says
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job (reference 2).

b. How your Point Vx helps you meet this requirement
The Point Vx does not disclose any cardholder data. Sensitive authentication data is always encrypted when sent for authorization and is never stored. The PAN is always truncated when stored; thus only truncated PANs are sent to the ECR for printouts of reports, logs or receipts.

c. What this means to you
If you need to enter card numbers manually, or if you have to do voice referrals, you must never keep written copies or otherwise store copies of cardholder data. Also, you must never send cardholder data by e-mail, fax or similar means. For cards read by the Point Vx magnetic stripe reader or chip card reader you do not need to take any additional security measures.

Requirement 8: Assign a unique ID to each person with computer access
or the 1000 latest transactions. This log contains truncated PANs. No cardholder data is accessible from the Point Vx. The Point Vx also keeps an Audit Trail to track changes to system-level objects.

c What this means to you

For the transaction log you do not need to take any action, since no cardholder data is accessible. For the Audit Trail there are no settings you need to make. The Audit Trail is created automatically and cannot be disabled. The Audit Trail can be sent manually to a centralized server from the Point Vx LOG MENU; for further details please refer to the user's manual. The address of the centralized log server is already set when you receive the terminal, and normally there is no need to change that address in the terminal. However, if for some reason this address needs to be changed, please contact the representative of your service provider.

Requirement 11 Regularly test security systems and processes

a What the requirement says

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes and custom software should be tested frequently to ensure security controls continue to reflect a changing environment (reference 2).

b How your Point Vx helps you meet this requirement

Your Point Vx has mechanisms to ensure that software and parameters can be downloaded from trusted sources only. These mechanisms ar
protection as per 2.1 Build and Maintain a Secure Network in this document. The terminal should not be placed in an Internet-accessible network zone (DMZ). Also, the security part of the software that resides in the PED (PIN Entry Device) part of the terminal can be updated remotely. The Terminal Management System that is used for distribution of the PED software should be evaluated by a QSA as part of any PCI DSS assessment.

3.5 Encrypt sensitive traffic over public networks

Your Point Vx allows transmission over public networks, e.g. the public Internet. To protect sensitive data, your Point Vx uses triple DES encryption with a unique key per transaction. On top of that, all data sent to and from the Point Vx is protected under SSL if the processor supports SSL. Note that the SSL layer is therefore conditional on the processor: when the processor does not support it, the per-transaction triple DES encryption of the sensitive data is the only protection in transit. To connect your Point Vx to public networks you do not need to take any further action regarding encryption.

4 Back out or product de-installation procedures

The software of your Point Vx can be updated remotely, either automatically or manually triggered. In the unlikely event that your newly downloaded software fails or malfunctions, please contact your TMS operator to allow you to download an older version of the software.
are physically present on the entity's premises. A visitor refers to a vendor, a guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. Media refers to all paper and electronic media containing cardholder data (reference 2).

b How your Point Vx helps you meet this requirement

The Point Vx prevents users from accessing cardholder data by encrypting it and storing it truncated.

c What this means to you

For your Point Vx you do not need to take any action.

Page 13 of 17

2.5 Regularly Monitor and Test Networks

Requirement 10 Track and monitor all access to network resources and cardholder data

a What the requirement says

Logging mechanisms and the ability to track user activities are critical in preventing, detecting or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs (reference 2).

b How your Point Vx helps you meet this requirement

The Point Vx keeps a log f
must make sure that historical data (magnetic stripe data, cardholder data and CVV2s) is removed from all storage devices used in your system (ECRs, PCs, servers, etc.). For further details please refer to your vendor. No specific setup of your PCI PA-DSS compliant Point Vx terminal is required. The PAN is stored either truncated or encrypted. Full magnetic stripe data is deleted immediately after authorization and never stored. However, if you need to enter the PAN and expiration date manually or do a voice referral, you must never write down or otherwise store the PAN, expiration date or CVV2. Collect this type of data only when absolutely necessary to perform manual entry or voice referral. Note: using the PCI PA-DSS compliant Point Vx terminal you will never be prompted to enter CVV2.

3.2 Protect stored card holder data

The PAN and expiration date are encrypted and stored in your Point Vx for offline transactions. For this encryption a unique key per transaction is used. Once your Point Vx goes online, any stored transactions are sent to the processor and securely deleted from the Point Vx memory. To comply with the PCI DSS requirements all cryptographic material must be rendered irretrievable. This is handled within the Point Vx and you do not need to take any action.
