PCI PA-DSS Implementation Guide
The Point SAPC does not disclose any cardholder data. Sensitive authentication data is always encrypted when sent for authorization and never stored. PAN is always truncated when stored. Only truncated PANs are used for printouts of reports, logs or receipts.

c) What this means to you

In case you need to enter card numbers manually, or if you have to do voice referrals, you must never keep written copies or otherwise store copies of cardholder data. Also, you must never e-mail, fax, etc. cardholder data. For cards read by the Point SAPC magnetic stripe reader or chip card reader you do not need to take any additional security measures.

© 2013 POINT INTERNATIONAL. All rights reserved. Copying and/or redistribution of this information in whole or in part without the express permission of Point International is prohibited. Version 1.10, Date 2014-02-26, Page 11/19.

Requirement 8: Assign a unique ID to each person with computer access

a) What the requirement says

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users (reference 2).

b) How your Point SAPC helps you meet this requirement

The Point SAPC does not allow access to critical data.

Requirement 8.3: The Point SAPC does
The software of your Point SAPC could be updated remotely, either automatically or manually triggered. In the unlikely event that your newly downloaded software fails or malfunctions, please contact your TMS operator in order to allow you to download an older version of the software.

5 Audit Trail log

5.1 How to change the address to the centralized log server

By default the Audit Trail is sent to a centralized log server hosted by your PSP. If you want to continue to use that log server you don't have to take any action. However, if you want to use another server and receive the Audit Trail in SYSLOG format, then do as follows on the Point SAPC:

1. Select ADMIN.
2. Scroll down to LOG MENU.
3. Select A LOG (Audit Trail).
4. Select Send TCP SYSLOG.
5. Select Real Time send.
6. Enter the IP address of the Audit Trail log server.
7. Enter the PORT number.
8. Select ON.
9. Verify that the terminal succeeds in connecting and sending by selecting Send once.

Once A LOG in SYSLOG format is activated, all information on major events will be transferred to your designated server as soon as the terminal goes to the IDLE / NEW CUSTOMER screen. The terminal will keep these
b) How your Point SAPC helps you meet this requirement
c) What this means to you
Requirement 11: Regularly test security systems and processes ... 12
a) What the requirement says
b) How your Point SAPC helps you meet this requirement ... 12
c) What this means to you ... 12
2.6 Maintain an Information Security Policy ... 13
Requirement 12: Maintain a policy that addresses information security for employees and contractors ... 13
a) What the requirement says ... 13
b) How your Point SAPC helps you meet this requirement ... 13
c) What this means to you
Protocol Secure. HTTPS is a combination of the Hypertext Transfer Protocol with the SSL protocol to provide encrypted communication and secure identification.
Magnetic Stripe Data: Track data read from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
PAN: Primary Account Number. PAN, also called card number, is part of the magnetic stripe data and is also printed or embossed on the card. PAN can also be stored in the chip of the card.
PCI DSS: Payment Card Industry Data Security Standard, the subject of this document. Retailers that use applications to store, process or transmit payment card data are subject to the PCI DSS standard.
PCI PA-DSS: Payment Card Industry Payment Application Data Security Standard is a standard for validation of payment applications that store, process or transmit payment card data. Applications that comply with PA-DSS have built-in protection of card data and thereby make it easier for retailers to comply with PCI DSS.
PED: PIN Entry Device.
PIN: Personal Identification Number. Secret numeric password known only to the user and a system, used to authenticate the user to the system.
Point SAPC: The Payment Core used by XENTA, YOMANI and YOMANI XR Stand-Alone terminals.
PSP: Payment Service Provider; offers merchants online services for accepting electronic payments.
Sensitive Authentication Data: Magnetic Stripe Data, CVV2 and PIN.
Service Code: A three-digit code from the magnetic stripe data defining
not allow direct remote access to the system. But for remote updates via Terminal Management Systems, the authentication used as part of an authenticated remote software distribution framework for the PED should be evaluated by a QSA as part of any PCI DSS assessment.

c) What this means to you

Since the Point SAPC does not allow access to critical data, you do not need to take any action.

Requirement 8.3: Ask your QSA to include the remote update process in the PCI DSS assessment.

Requirement 9: Restrict physical access to cardholder data

a) What the requirement says

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, onsite personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity's premises. A visitor refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. Media refers to all paper and electronic media containing cardholder data (reference 2).

b) How your Point SAPC helps you meet this requirement

The Point SAPC prevents users from accessing cardholder data by means of encryption and truncation.

c) What this means to you

For your
2 Summary of PCI DSS requirements

This summary provides a basic overview of the PCI DSS requirements and how they apply to your business when using an Atos Worldline XENTA, YOMANI or YOMANI XR stand-alone terminal with Point SAPC SW. In this chapter, Point SAPC refers to Atos Worldline XENTA, YOMANI or YOMANI XR terminals using the Point SAPC SW.

2.1 Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

a) What the requirement says

Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted netwo
vulnerabilities.

2.6 Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors

a) What the requirement says

All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are resident on the entity's site or otherwise have access to the cardholder data environment (reference 2).

b) How your Point SAPC helps you meet this requirement

c) What this means to you

3 How to set up your Point SAPC to ensure PCI DSS compliance

In this chapter, Point SAPC refers to Atos Worldline XENTA, YOMANI and YOMANI XR terminals using the Point SAPC.

3.1 HW dependencies

The Point SAPC SW runs on the following HW platforms:

1. A
1) Interchange and technology, 2) Authorization processing, and 3) Range of services and PIN requirements.
SNMP: Simple Network Management Protocol is a network protocol. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
SSH: Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
SSL: Secure Sockets Layer is a commonly used method to protect transmission across public networks. SSL includes strong encryption.
SYSLOG: Syslog is a standard for computer data logging.
TCP: Transmission Control Protocol is one of the core protocols of the Internet protocol suite.
TMS: Terminal Management System.
UDP: User Datagram Protocol is one of the core protocols of the Internet protocol suite.
WEP: Wired Equivalent Privacy, a wireless network security standard. Sometimes erroneously called Wireless Encryption Protocol.
WPA and WPA2: Wi-Fi Protected Access is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks.
1 Introduction

The Payment Card Industry Data Security Standard (PCI DSS) defines a set of requirements for the configuration, operation and security of payment card transactions in your business. If you use the VeriFone Vx terminal in your business to store, process or transmit payment card information, this standard and this guide apply to you. The requirements are designed for use by assessors conducting onsite reviews and for merchants who must validate compliance with the PCI DSS. For more details about PCI DSS, please see the following link: http://www.pcisecuritystandards.org

This guide is updated whenever there are changes in Point SAPC software that affect PCI DSS, and is also reviewed annually and updated as needed to reflect changes in the software as well as the PCI standards. You can download the latest version of this document from http://www.point.se

The Payment Card Industry (PCI) has also set the requirements for software applications that store, process or transmit cardholder data. These requirements are defined by the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS). In order to facilitate for you to get a PCI DSS assessment, the Poi
Point SAPC you do not need to take any action.

2.5 Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

a) What the requirement says

Logging mechanisms and the ability to track user activities are critical in preventing, detecting or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs (reference 2).

b) How your Point SAPC helps you meet this requirement

The Point SAPC keeps a log for the 1000 latest transactions. This log contains truncated PANs. No cardholder data is accessible from the Point SAPC. The Point SAPC also keeps an Audit Trail to track changes to system-level objects.

c) What this means to you

For the transaction log you do not need to take any action, since no cardholder data is accessible. For the Audit Trail there are no settings you need to make. The Audit Trail is created automatically and cannot be disabled. The Audit Trail could be sent manually to a centralize
... 13
3 How to set up your Point SAPC to ensure PCI DSS compliance ... 14
3.1 HW dependencies ... 14
3.2 Do not retain full magnetic stripe or card validation code ... 14
3.3 Protect stored cardholder data ... 15
3.4 Protect wireless transmissions ... 16
3.5 Facilitate secure remote software updates ... 16
3.6 Encrypt sensitive traffic over public networks ... 16
4 Back out or product de-installation procedures ... 16
5 Audit Trail log ... 17
5.1 How to change the address to the centralized log server ... 17
5.2 Data Contents of Audit Trail ... 18
6 Terminology and abbreviations ... 19
acy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments (reference 2).

b) How your Point SAPC helps you meet this requirement

The Point SAPC encrypts cardholder data using triple DES with a unique key per transaction. On top of that, the entire messages sent to and from the Point SAPC are protected using SSL, if the processor supports SSL. The Point SAPC does not provide any WLAN functionality.

c) What this means to you

If you are using a wireless network (WLAN), you must set up your wireless network to use WPA/WPA2 encryption for new installations. N.B. WEP must not be used. The WLAN encryption is applied on top of the triple DES encryption and SSL (if SSL is supported by the processor) implemented in the terminal. If you connect to an external network without using WLAN, you do not need to take any action.

2.3 Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

a) What the requirement says

Malicious software, commonly referred to as malware, including viruses, worms and Trojans, enters the network during many business-approved activities, including employee e-mail and use of the Internet, mobile computers and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commo
d server by entering the Point SAPC LOG MENU; for further details, please refer to the user's manual. The address of the centralized log server is already set when you receive the terminal, and normally there is no need to change that address in the terminal. However, if for some reason this address needs to be changed, please contact the representative of your service provider. Chapter 5.1, How to change the address to the centralized log server, also gives you guidance on how to change the address of the centralized log server.

Requirement 11: Regularly test security systems and processes

a) What the requirement says

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes and custom software should be tested frequently to ensure security controls continue to reflect a changing environment (reference 2).

b) How your Point SAPC helps you meet this requirement

Your Point SAPC has mechanisms to ensure that software and parameters can be downloaded from trusted sources only. These mechanisms are based on cryptographic signatures and MAC (Message Authentication Code) protection.

c) What this means to you

You should test your network connections, including wireless networks, periodically for vulnerabilities and make use of network vulnerability scans. If you make any significant changes to your network you should also test for
ent 7: Restrict access to cardholder data by business need to know
a) What the requirement says
b) How your Point SAPC helps you meet this requirement
c) What this means to you
Requirement 8: Assign a unique ID to each person with computer access
a) What the requirement says
b) How your Point SAPC helps you meet this requirement
c) What this means to you
Requirement 9: Restrict physical access to cardholder data
a) What the requirement says
b) How your Point SAPC helps you meet this requirement
c) What this means to you
2.5 Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data ... 12
a) What the requirement says
ier and value (name, value). Examples: Download, Validate, Install: file (filename); Config: param name (value); Audit send: ip port (ip, port); Audit read: destination (rs232).

Below is an example of five lines of log entries from a Point SAPC terminal:

1234567890123456;PPMAPP;Download;110211092745;OK;Timer;files MASPAR__080307135505
1234567890123456;PPMAPP;Validate;110211092757;OK;Auto;file MASPAR__080307135505
1234567890123456;PPMAPP;Install;110211092758;OK;Auto;files MASPAR__080307135505
1234567890123456;DCAPP;Config;110211143510;OK;Man;TSP IP PORT Primary old 192.168.200.12 1234 TSP IP PORT Primary new 192.168.200.15 6015
1234567890123456;DCAPP;Audit send;110211150852;NOK;Man;ip port 192.168.200.12 1234 reason host not found

6 Terminology and abbreviations

Cardholder Data: PAN, Expiration Date, Cardholder Name (not used by Point SAPC) and Service Code.
CVV2: Card Verification Value (also called CVC2) is a three- or four-digit value printed on the back of the card but not encoded on the magnetic stripe or the chip.
ECR: Electronic Cash Register.
HTTPS: Hypertext Transfer
ity often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information (reference 2).

b) How your Point SAPC helps you meet this requirement

Point SAPC does not allow users to access any cardholder data or sensitive authentication data. IP addresses for processors, terminal management systems and software download servers are protected by unique passwords per terminal, and these passwords are changed on a daily basis.

c) What this means to you

Since the password protection for the Point SAPC is handled entirely within the unit, there is no need for you to take any action.

2.2 Protect Cardholder Data

Requirement 3: Protect stored cardholder data

a) What the requirement says

Protection methods such as encryption, truncation, masking and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-u
nly affected by malware to protect systems from current and evolving malicious software threats (reference 2).

b) How your Point SAPC helps you meet this requirement

The Point SAPC cannot be used for e-mail or Internet activities. All software downloaded to the terminal is controlled by Point, protected by a digital signature (MAC) and sent over an SSL connection if the processor supports SSL. These security measures prevent malicious software from being installed onto your Point SAPC terminal.

c) What this means to you

You should install and maintain antivirus software, which helps to protect your system. Make sure that this software is kept up to date as security threats change. For the Point SAPC you do not need to take any action regarding antivirus software.

Requirement 6: Develop and maintain secure systems and applications

a) What the requirement says

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to pr
nt SAPC (Point SAPC Payment Core) software has been validated by PCI to comply with the PCI PA-DSS requirements.

Note: This guide refers to VeriFone Vx terminals using the Point SAPC (Point SAPC Payment Core) SW.

The version of the Point SAPC is listed on the PCI web site (List of Validated Payment Applications that have been validated in accordance with PCI PA-DSS). If you cannot find the version of your Point SAPC on that list, please contact your helpdesk in order to upgrade your terminal. http://www.pcisecuritystandards.org

Document Use

This PA-DSS Implementation Guide contains information for proper use of VeriFone Vx terminals using the Point SAPC. Point does not possess the authority to state that a merchant may be deemed PCI DSS Compliant if information contained within this document is followed. Each merchant is responsible for creating a PCI DSS compliant environment. The purpose of this guide is to provide information needed during installation and operation of terminals using the Point SAPC in a manner that will support a merchant's PCI DSS compliance efforts.

Note 1: Both the System Installer and the controlling merchant must read this document. Hence the Implementation Guide should be distributed to all relevant payment application users.
PCI PA-DSS Implementation Guide

For Atos Worldline Banksys XENTA, Atos Worldline YOMANI and Atos Worldline YOMANI XR terminals using the Point SAPC Y01.01 Software (Stand-Alone Payment Core)

Version 1.10
Date 26 February 2014

© 2014 POINT INTERNATIONAL. All rights reserved. Copying and/or redistribution of this information in whole or in part without the express permission of Point International is prohibited.

Revision History

Version | Name | Date | Comments
1.00 | Mats Oscarsson | 2013-09-18 | Initial Revision
1.10 | Mats Oscarsson | 2014-02-26 | Changed to also cover the YOMANI XR HW platform

References

Nbr | Title | Version
1 | Payment Card Industry Payment Application Data Security Standard | 2.0
2 | Payment Card Industry Data Security Standard | 2.0

Table of contents
otect against exploitation and compromise of cardholder data by malicious individuals and malicious software. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques (reference 2).

b) How your Point SAPC helps you meet this requirement

Point Transaction Systems constantly works with the latest security findings and requirements throughout the life cycle of your Point SAPC. This includes automatic SW updates whenever necessary.

c) What this means to you

You should keep your system up to date with software updates, operating system updates and any other security patches. For the Point SAPC you do not need to take any action.

2.4 Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

a) What the requirement says

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job (reference 2).

b) How your Point SAPC helps you meet this requirement
rks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1 (reference 2).

b) How your Point SAPC helps you meet this requirement

The Point SAPC does not provide any WLAN functionality and is designed to operate in a network behind a firewall.

c) What this means to you

If you are using wireless technology you must install and maintain a firewall to protect your Point SAPC from someone hacking the wireless environment. Also, if your network connection allows inbound traffic, you should use a firewall. The terminal should not be placed in an Internet-accessible network zone (DMZ).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

a) What the requirement says

Malicious individuals, external and internal to an ent
1 Introduction ... 6
2 Summary of PCI DSS requirements ... 7
2.1 Build and Maintain a Secure Network ... 7
Requirement 1: Install and maintain a firewall configuration to protect cardholder data ... 7
a) What the requirement says
b) How your Point SAPC helps you meet this requirement
c) What this means to you
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
a) What the requirement says
b) How your Point SAPC helps you meet this requirement
c) What this means to you
2.2 Protect Cardholder Data
Requirement 3: Protect stored cardholder data
a) What the requirement says
b) Ho
settings even after power loss or reboot.

Important:
- SysLog is sent in TCP messages instead of UDP. Make sure your SysLog server supports it.
- SysLog is based on standard Internet protocols as specified by RFC 3164 and RFC 3195.

5.2 Data Contents of Audit Trail

The Audit Trail log file is a readable ASCII text file with one entry on each line. The log entries consist of data according to the table below, with each value separated by a semicolon. Affected data may be more than one field; in that case they should be separated with |. For configuration changes at least the name of the affected data is logged. If possible, both old and new values are logged.

Requirement / Name / Value
10.3.5 Terminal identity: Numerical terminal identity as used in the TMS
10.3.1 User ID: Full name of process or script, depending on application platform
10.3.2 Type of event: Download, Validate, Install, Config, Audit send, Audit read
10.3.3 Date & Time: YYMMDDhhmmss
10.3.4 Success: OK / NOK
10.3.5 Origination: Auto / Man / Timer
10.3.6 Affected data: Depending on type of event. May be multiple fields separated with |; each field consists of identif
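The following Python script is added here as an illustration; it is not part of the guide and not Point's software. It parses Audit Trail entries laid out as in the table above and in the five example lines of section 5.2, checks each field against the permitted values, and lists the entries a merchant or QSA would want to look at: failed events (NOK), changes of the processor endpoint, and manually triggered installs. The RFC 3164 syslog header, the "|" separator between sub-fields and the name=value layout inside affected data are assumptions made for the example, and the sample lines are constructed.

```python
"""Parse and review Point SAPC style Audit Trail entries.

Added example, not Point's code. Field order and permitted values follow the
table in section 5.2; the RFC 3164 syslog wrapper, the '|' sub-field separator
and the 'name=value' layout of affected data are assumptions.
"""
import re
from datetime import datetime

EVENT_TYPES = {"Download", "Validate", "Install", "Config", "Audit send", "Audit read"}
RESULTS = {"OK", "NOK"}
ORIGINS = {"Auto", "Man", "Timer"}

# Assumed RFC 3164 header: <PRI>Mmm dd hh:mm:ss hostname payload
SYSLOG_HDR = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def strip_syslog_header(line):
    """Return (facility, severity, payload). Bare lines, as in the local
    log file, come back unchanged with facility and severity set to None."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(4)


def parse_affected(field):
    """Split affected data into (name, value) pairs. Assumption: sub-fields are
    separated by '|' and a name is separated from its value by '='."""
    pairs = []
    for part in field.split("|"):
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def parse_entry(line):
    """Parse one semicolon-separated entry; raise ValueError if it is malformed."""
    _, _, payload = strip_syslog_header(line)
    # Affected data is the seventh field; split at most six times so that a ';'
    # inside it does not produce spurious fields.
    parts = payload.split(";", 6)
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {payload!r}")
    terminal, user, event, stamp, result, origin, affected = (p.strip() for p in parts)
    if not terminal.isdigit():
        raise ValueError(f"terminal identity must be numeric: {terminal!r}")
    if event not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event!r}")
    if result not in RESULTS:
        raise ValueError(f"success must be OK or NOK: {result!r}")
    if origin not in ORIGINS:
        raise ValueError(f"unknown origination: {origin!r}")
    # YYMMDDhhmmss as in the table; strptime rejects impossible dates
    when = datetime.strptime(stamp, "%y%m%d%H%M%S")
    return {"terminal": terminal, "user": user, "event": event, "time": when,
            "ok": result == "OK", "origin": origin, "affected": parse_affected(affected)}


def review(lines):
    """Return findings worth a merchant's or QSA's attention: malformed
    entries, failed events, changes of the processor endpoint and manual installs."""
    findings = []
    for line in lines:
        try:
            e = parse_entry(line)
        except ValueError as err:
            findings.append(f"MALFORMED: {err}")
            continue
        detail = "; ".join(f"{n}={v}" for n, v in e["affected"])
        stamp = f"{e['time']:%Y-%m-%d %H:%M:%S}"
        if not e["ok"]:
            findings.append(f"{e['terminal']} {e['event']} failed at {stamp}: {detail}")
        if e["event"] == "Config" and any("TSP IP" in n for n, _ in e["affected"]):
            findings.append(f"{e['terminal']} processor endpoint changed ({e['origin']}) at {stamp}: {detail}")
        if e["event"] == "Install" and e["origin"] == "Man":
            findings.append(f"{e['terminal']} manual software install at {stamp}")
    return findings


# Constructed sample entries modelled on the five example lines in the guide;
# the third one is wrapped in the assumed syslog header, the last one is broken.
SAMPLE = [
    "1234567890123456;PPMAPP;Download;110211092745;OK;Timer;files=MASPAR__080307135505",
    "1234567890123456;PPMAPP;Install;110211092758;OK;Man;files=MASPAR__080307135505",
    "<134>Feb 11 14:35:10 terminal 1234567890123456;DCAPP;Config;110211143510;OK;Man;"
    "TSP IP PORT Primary old=192.168.200.12:1234|TSP IP PORT Primary new=192.168.200.15:6015",
    "1234567890123456;DCAPP;Audit send;110211150852;NOK;Man;ip port=192.168.200.12:1234|reason=host not found",
    "1234567890123456;DCAPP;Config;110213000000;OK;Auto",
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A failed "Audit send" deserves attention on its own: while it persists, the centralized server receives no audit trail, so the finding list treats any NOK as something to follow up, and a Config entry that touches the processor address is reported regardless of whether it was manual or automatic.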
...ser messaging technologies such as e-mail and instant messaging. Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for definitions of strong cryptography and other PCI DSS terms (reference 2).

b. How your Point SAPC helps you meet this requirement
The Point SAPC never stores full magnetic stripe data from the card. For offline transactions, PAN and expiry date are stored encrypted using a unique key per transaction. At transaction time the PAN is truncated before it is stored: only the first 6 and last 4 digits are stored. For printouts of receipts and reports the truncated PAN is used.

c. What this means to you
For cards read by the Point SAPC magnetic stripe reader or chip card reader you do not have to take any action. For manually entered PAN and for voice referrals it is never allowed to write down or otherwise store PAN, expiration date or CVV2.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

a. What the requirement says
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in leg...
1. Atos Worldline Banksys XENTA, PCI PTS approval 4-30001
2. Atos Worldline YOMANI, PCI PTS approval 4-30046
3. Atos Worldline YOMANI XR, PCI PTS approval 4-30092

No insecure or unnecessary protocol, service, component or other dependent software is used or required.

3.2 Do not retain full magnetic stripe or card validation code

When upgrading the payment application in your Point SAPC to comply with the PCI PA-DSS requirements, this can be done in two ways:

1. Your old unit is physically replaced by a new Point SAPC loaded with software that complies with the PCI PA-DSS requirements. If the old unit is not PCI PA-DSS compliant it could contain historical magnetic stripe data, PANs and CVV2s. Therefore the non-PCI PA-DSS compliant unit must be returned to Point.
2. Your existing Point SAPC is downloaded remotely with new software that complies with the PCI PA-DSS requirements. After download, your Point SAPC software is designed to remove all historical magnetic stripe data, PANs and CVV2s stored by previous versions of the software.

In both cases you must make sure that the software version that runs on your Point SAPC is listed on the PCI web site, List of Validated Payment Applications that have been validated in accordance with PCI PA-DSS (http://www.pcisecuritystandards.org).

In order for your organization to comply with PCI DSS requirements it is absolutely necessary to remove historical data stored prior to installing your PCI PA-DSS compliant Point SAPC terminal. Therefore you must make sure that historical data (magnetic stripe data, cardholder data and CVV2s) is removed from all storage devices used in your system (ECRs, PCs, servers etc.). For further details please refer to your vendor.

No specific setup of your PCI PA-DSS compliant Point SAPC terminal is required. PAN is stored either truncated or encrypted. Full magnetic stripe data is deleted immediately after authorization and never stored. However, if you need to enter PAN and expiration date manually or do a voice referral, you must never write down or otherwise store PAN, expiration date or CVV2. Collect this type of data only when absolutely necessary to perform manual entry or voice referral.

Note: Using the PCI PA-DSS compliant Point SAPC terminal you will never be prompted to enter CVV2.

3.3 Protect stored cardholder data

PAN and expiration date are encrypted and stored in a Store-and-Forward file within your Point SAPC for offline transactions. For this encryption a unique key per transaction is used. Once your Point SAPC goes online, any stored transactions are sent to the processor and securely deleted from the Point SAPC memory. To comply with the PCI DSS requirements all cryptographic material must be rendered irretrievable. This is handled within the Point SAPC and you do not need to take any action.

3.4 Protect wireless transmissions

Neither the Point SAPC SW nor the Atos Worldline XENTA, YOMANI and YOMANI XR terminals provide any WLAN functionality. However, if you are using a wireless network within your business you must make sure that firewalls are installed that deny, or control (if such traffic is necessary for business purposes), any traffic from the wireless environment into the Point SAPC environment. Please refer to your firewall manual.

In case you are using a wireless network you must also make sure that:
- Encryption keys were changed from vendor defaults at installation.
- Passwords to access the wireless router / access point were changed from vendor defaults.
- Strong encryption (HTTPS or SSH) is used for authentication, i.e. entry of user identity and password, to access the wireless router / access point.
- Encryption keys are changed any time someone with knowledge of the keys leaves the company or changes position.
- Default SNMP community strings on wireless devices are changed.
- Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks, for example IEEE 802.11i. Please note that the use of WEP as a security control was prohibited.
- Other security-related vendor defaults are changed.

3.5 Facilitate secure remote software updates

The software of your Point SAPC can be updated remotely and automatically. For connection to external networks it is recommended to use firewall protection as per 2.1 Build and Maintain a Secure Network in this document. The terminal should not be placed in an Internet-accessible network zone (DMZ). Also the security part of the software that resides in the PED (PIN Entry Device) part of the terminal can be updated remotely. The Terminal Management System that is used for distribution of the PED software should be evaluated by a QSA as part of any PCI DSS assessment.

3.6 Encrypt sensitive traffic over public networks

Your Point SAPC allows transmission over public networks, e.g. the public internet. To protect sensitive data your Point SAPC uses triple DES encryption with a unique key per transaction. On top of that, all data sent to and from the Point SAPC is protected under SSL if the processor supports SSL. To connect your Point SAPC to public networks you do not need to take any further action regarding encryption.

4 Back-out or product de-installation procedures
Contents (continued)

  c. What this means to you
Requirement 4: Encrypt transmission of cardholder data across open, public networks ... 9
  a. What the requirement says
  b. How your Point SAPC helps you meet this requirement
  c. What this means to you
2.3 Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
  a. What the requirement says
  b. How your Point SAPC helps you meet this requirement
  c. What this means to you
Requirement 6: Develop and maintain secure systems and applications
  a. What the requirement says
  b. How your Point SAPC helps you meet this requirement
  c. What this means to you
2.4 Implement Strong Access Control Measures
Requirem...