TravStar1 ® POS System v9.01 Secure
Contents
1. TravStar1 POS System v9 01 Secure Implementation Guide Guidance on how to securely implement the TravStar1 POS System into a PCI DSS compliant retail environment Fiscal Systems Inc 102 Commerce Circle Madison AL 35758 Office 256 772 8920 Help Desk 800 838 4549 press 3 www fis cal com Document Version History 1 0 15 JUL 09 1 1 11 NOV 09 1 2 Corrected Typographical Errors 22 APR 10 1 3 12 JUL 11 Verified reference web links are valid 1 4 Updated web link on qualified QSAs KDS 10 AUG 12 Updated wireless guidelines TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 2 of 16 TravStar1 POS System v9 01 Secure Implementation Guide 1 0 PURPOSE This secure implementation guide is provided to Fiscal Systems customers resellers and support personnel with instructions notes and pointers on how to implement and maintain the TravStar1 POS system v9 01 in a PCI DSS compliant retail environment This guide will be updated at least annually to incorporate changes in the TravStar1 POS system and the Payment Application Data Security Standard PA DSS and Payment Card Industry PCI Data Security Standard PCI DSS This guide is provided and maintained to comply with the requirements of the PA DSS standard Following this guide does NOT make your retail environment PCI compliant nor does it guarantee your network s security It is your responsibility along with your network administrator to2. Invalid logical access attempts e Use of identification and authentication mechanisms e Initialization of the audit logs e Creation and deletion of system level objects Record at least the following audit trail entries for all system components for each event e User identification e Type of event e Date and time e Success or failure indication e Origination of event TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 14 of 16 e Identity or name of affected data system component or resource For more information on PCI requirements for security log settings please refer to the PCI DSS standard 12 0 INTERNET APPLICATIONS In order to meet the requirements of PCI DSS sensitive cardholder data cannot be stored on a computer connected to the internet The TravStar1 POS system does not provide internet services and does not require that any internet applications reside on the computer containing cardholder data Software that provides internet services such as a web server or FTP server must never be run on the same computer as the TravStarl POS system 13 0 SYSTEM TROUBLESHOOTING When troubleshooting cardholder problems PCI DSS requires that retail merchants resellers integrators and support personnel e Collect the minimum amount of sensitive data necessary to solve a specific problem e Store sensitive data in specific known locations with limited access e Sensitive authentication data must
3. New passwords can not be the same as the last 4 passwords PCI DSS user account requirements beyond uniqueness and password complexity are listed below e If an incorrect password is provided 6 times the account should be locked out e Account lock out duration should be at least 30 min or until an administrator resets it e Sessions idle for more than 15 minutes should require re entry of username and password to reactivate the session Each cashier must have a unique cashier ID and password so their activities on the POS system can be accounted for and tracked Cashier passwords are stored as a salted hash so they cannot be recovered if forgotten If a cashier ID and password are forgotten a new set must be created All unnecessary and insecure services and protocols e g NetBIOS file sharing Telnet FTP server HTTP server etc should be disabled on each POS terminal running the TravStar1 POS System Services can be disabled from Control Panel Administrative Tools Services The System Restore function of Windows operating system must be turned off First log onto the POS terminal with Adminstrator privileges Right click My Computer and then click Properties In the System Properties dialog box click the System Restore tab Click to select Turn off System Restore check box Then click OK when you receive the message You have chosen to turn off System Restore If you continue all existing restore points will be deleted a
4. be encrypted while stored e Securely delete sensitive data if stored electronically or physically destroy e g cross shredding printed sensitive data immediately after use Do not simply discard the sensitive data If you transmit or share any sensitive cardholder data outside of the POS system to a third party such as a Front End Processor corporate bookkeeping department or technical advisor it is your responsibility to understand and follow the PCI Data Security Standard requirements for the security of such transmissions The POS System does not have a facility to email sensitive cardholder data If you need to email or otherwise transmit sensitive cardholder data it must be transmitted only in an encrypted format such as SSL 14 0 OPERATING SYSTEM INFORMATION The current version of the TravStar1 POS system applications v9 01 are developed and deployed on the Windows and SuSE Linux operating systems TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 15 of 16 To comply with PCI requirements a validated application must execute from a system that is supported by the manufacturer to include up to date security related patches and enhancements If you are unsure of which operating systems are valid please reference the current operating system manufacturers page Example for Microsoft http www microsoft com windows lifecycle default mspx Example for SuSE Linux http support novell com linux psdb
5. new technologies to shore up firewall and perimeter controls or increasing the logging and archiving procedures associated with transaction data e Create an action plan for on going compliance and assessment e Implement monitor and maintain the plan Compliance is not a one time event Regardless of merchant or service provider level all entities should complete annual self assessments using the PCI Self Assessment Questionnaire e Call in outside experts as needed PCI Security Standards Council trains tests and certifies organizations and individuals to assess and validate adherence to PCI Security Standards A current list of Qualified Security Assessor QSA companies is available on the Internet at www pcisecuritystandards org approved companies providers gsa_companies ph 10 0 SECURE REMOTE UPDATES Fiscal Systems does not force automatic updates of the TravStar1l POS system You have complete control over when and how POS system updates are installed on your system If you allow POS system software updates to be deployed remotely you must create a policy for critical employee facing technologies that contains the following security features to comply with PCI DSS requirements e Explicit management approval to use the devices e All device use is authenticated with two factor authentication such as a username and password and a physical authentication item token or certificate e List of all devices and personnel authori
6. passwords according to PCI DSS requirements e Rotate pre shared keys and certificates at least annually If you use remote access to perform non console administrative access you must use SSH VPN or SSL TLS encryption and the above security features to comply with PCI DSS requirements TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 10 of 16 8 0 WIRELESS NETWORKING If you deploy wireless networking devices on the same network as the POS system consult your networking equipment vendor documentation and online resources carefully for the optimum security configuration To comply with PCI DSS requirements when using wireless networks e Install and configure a firewall on each POS terminal and site controller e Modify the default wireless equipment settings including e Change default encryption keys e Change default service set identifier SSID e Change default passwords e Change default SNMP community strings e Disable SSID broadcasts e Enable strong cryptography such as WiFi protected access WPA or WPA2 technology for encryptions and authentication e If cardholder data is transmitted with a wireless network encrypt the transmission with strong cryptography such as WPA or WPA2 technology IPSEC VPN or SSL TLS Never rely on WEP to protect sensitive cardholder data and access to the wireless LAN You can learn more about wireless network installations in the PCI Security Standards Council information su
7. 6c78568d5d7b11827979ebc2759c8 gt V SHA256 fb17b448eb4bd7f03db759186af5Sf32c55970e724aee3cde5ee78fa6847395d5 C S F iskasas E IV SHA512 e35279d606423158ea08e22a4ffa726653862a1768224d5143d48cd0a23fa55a10798faa1 59e5bcd220ff7 3bb4b7d53fd01 44fee5674863f617926b9833cabc J RIPEMD160 J PANAMA M TIGER M CRC32 eDonkey ESS E eMule A TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 12 of 16 Install antivirus and spyware detection software and keep it up to date These software products are designed to detect and remove malicious software code that typically is installed without your knowledge or permission for the purpose of damaging files or data intercepting sensitive cardholder data or tracking your computer activities In addition to the preceding security recommendations a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data The following is a very basic plan every retail merchant should adopt in developing and implementing a security policy and program e Read the PCI DSS in full and perform a security gap analysis Identify any gaps between existing practices in your organization and those outlined by the PCI requirements e Once the gaps are identified determine the steps to close the gaps and protect cardholder data Changes could mean adding
8. OS System Secure Implementation Guide v9 01 August 2012 Page 16 of 16
9. a patch within 30 days of the identification of the vulnerability We will then contact merchants to notify them of the availability of the patch Typically merchants are expected to respond quickly to test and install available patches within 30 days Fiscal Systems does not remotely connect to your network without your permission to push POS system updates to you You have complete control over when and how POS system updates are installed on your system We deliver software and patches via secure remote access to customer networks We maintain a secure connection to your POS system by use of SSH or SFTP which ensure that all communication is encrypted and the legitimate identity of your system and ours is verified Refer to section 7 0 Remote Network Access for more information on secure remote network access The release notes for software and patches include MD5 SHA1 SHA256 and SHA512 hashes to verify the integrity of the file Fiscal Systems recommends HashCalc as a hash calculator available as free download from the Internet Download it at http www slavasoft com hashcalc index htm Hash values for software and patches and support for using HashCalc is available from the Fiscal Systems Help Desk at 800 838 4549 press 3 Data Format Data File x JC MArchive Utility Programs Kepboard setup 25EP09 EXE E Key Format Key M HMAC Text sting Y V MD5 ef38c137e8c1de9bd66b497536bf264 wie E na M SHA1 e6767b34e1f
10. byproduct html 15 0 RESELLER AND SUPPORT PERSONNEL TRAINING Training is available to resellers and support personnel to ensure that they can implement and maintain the TravStar1 POS system in a PCI DSS compliant retail environment Training is available via updated documentation and custom training session under standard consultancy arrangements Contact the Fiscal Systems Help Desk at 800 838 4549 for more information on training requirements and available dates 16 0 REFERENCE Payment Card Industry PCI Data Security Standard v1 2 1 https www pcisecuritystandards org security standards pci_dss shtml 17 0 ACKNOWLEDGEMENTS Throughout this guide we provided links to Internet sites of providers of security related products information and industry organizations that can provide additional assistance with understanding the PCI DSS requirements These links are provided for your convenience Unless specifically stated Fiscal Systems does not own endorse or specifically recommend any of the products or vendors listed Decisions on PCI compliance actions should take into account relevant factors that may be unique to your business procedures and operating policies TravStar1 is a Registered trademark of Fiscal Systems Inc All rights reserved Windows is a Registered trademark of Microsoft Corporation All rights reserved All other trademarks and copyrights are property of their respective owners All rights reserved TravStar1 P
11. curely delete data files log files and any back up files that might contain magnetic stripe data card validation codes PINs or PIN blocks This mandatory PCI DSS requirement also includes files or data collected for troubleshooting i e data loaded in a spreadsheet If you installed or made backups to other locations other than the default locations you must locate and securely delete the files in alternate locations as well File types to Securely Delete in POS and OPT terminals at C Program Files Fiscal tsr bak batch dat gzip cauth cmedia dat rcmedia tar pmedia comm receipt rar ej prn Zip vdf pch tgz File types to Securely Delete in Site Controller at home ccl ccl tfc dat dbatch ADSrev dpfallbk dat rbatch cbatch ADS_fb new bpfallOK dat bbatch ADSfallbk dat bpfallbk dat comm Note These are default filenames and extensions if you specified something different at any time delete those files as well Standard file deletion tools in the Windows and Linux operating systems do not meet the secure deletion standard specified in PCI DSS You must obtain and use a secure TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 5 of 16 deletion application for this purpose or utilize a qualified third party that provides this service Fiscal Systems recommends the following secure deletion applications They are available as free downloads from the Internet Support for their u
12. d by the POS system and cannot be accessed or modified by users or system developers The encrypted sensitive cardholder data and expired encryption keys are automatically deleted by the POS system at appropriate intervals No action on your part is required to enable these security features TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 4 of 16 When determining the measures that need to be taken for PCI compliance you need to review your entire system configuration e Your operating systems configuration and account controls e Your network architecture and remote access to it e Implementation of security software such as antivirus and firewall applications e Written policies and procedures for implementing and monitoring all of the above Decisions on PCI compliance actions should take into account relevant factors that may be unique to your business procedures and operating policies 4 0 INSTALLING OR UPGRADING TO TRAVSTAR1 POS SysTEM v9 01 Instructions for installing or upgrading the TravStar1 POS system can be found in the instructions supplied with your software Those instructions this secure implementation guide and a complete User Manual are available in electronic or printed formats from the Fiscal Systems Help Desk at 800 838 4549 press 3 Electronic format document viewing requires Adobe Acrobat reader After successfully upgrading from a previous TravStar1 version PCI DSS requires that you se
13. ensure that your software hardware and network systems are secure from internal as well as external intrusions Fiscal Systems makes no claims on the security of your network nor your compliance with the PCI Data Security Standard 2 0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD Systems which process payment transactions necessarily handle sensitive cardholder account information The Payment Card Industry founded by American Express Discover Financial Services JCB Mastercard Worldwide and Visa International has developed security standards for handling cardholder information in a published standard called the PCI DSS The security requirements defined in PCI DSS apply to all members merchants and service providers that store process or transmit cardholder data The PCI DSS requirements apply to all system components within the payment application environment which is defined as any network device host or application included in or connected to a network segment where cardholder data is stored processed or transmitted The following high level 12 Requirements comprise the core of the PCI DSS Build and Maintain a Secure Network 1 Install and maintain a firewall configuration to protect data 2 Do not use vendor supplied defaults for system passwords and other security parameters TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 3 of 16 Protect Cardholder Data 3 Protect Stored Data 4 Encrypt tra
14. f your implementation will transmit sensitive card holder data over open public network such as a broadband Internet connection you must employ strong cryptography and security protocols such as secure socket layer SSL and Internet Protocol Security IPSEC to safeguard the sensitive cardholder data 7 0 REMOTE NETWORK ACCESS To comply with PCI DSS requirements you must implement two factor authentication for remote access granted to the network for employees administrators and third parties Employ network security technologies such as remote authentication and dial in service RADIUS terminal access controller access control system TACACS with tokens or VPN based on SSL TLS or IPSEC with individual certificates When utilizing remote network access software you must implement the following security features e Change default settings in the remote access software for example change default passwords e Use unique passwords for each user of remote network access e Allow connections only from specific known IP and MAC addresses e Use strong authentication or complex passwords for logins e Enable encrypted data transmission e Enable account lock out after a certain number of failed login attempts e Configure the system so a remote user must establish a VPN connection via a firewall before access is granted e Enable the logging function e Restrict access to passwords to authorized reseller support personnel e Establish
15. lso suppress interactive mode i switch F Wipe free space on specified filesystem h Display help screen and exit md US DoD 5200 28 seven pass extended character rotation wiping V Run in verbose mode Note Display the help screen bcwipe h to see a full list of available commands Examples 1 Removing specific files To remove batch files batch on the Site Controller bcwipe mdvf rbatch 2 Wiping free space on drive to remove traces of files that were previously deleted by insecure methods bcwipe Fmdv home ccl ccl 5 0 SECURE ACCESS CONTROL The PCI DSS requires that access to all systems in the payment processing environment be protected through use of unique users and complex passwords Unique user accounts indicate that every account used is associated with an individual user and or process Additionally any default accounts provided with operating systems and or devices should be removed disabled renamed as possible or at least should have PCI DSS compliant complex passwords and should not be used Examples of default administrator accounts include administrator Windows and root SuSE Linux TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 7 of 16 PCI DSS requires the following password complexity for compliance e Passwords must be at least 7 characters e Passwords must include both numeric and alphabetic characters e Passwords must be changed at least every 90 days e
16. nd you will not be able to track or undo changes to your POS terminal Do you want to turn off System Restore The System Properties dialog box will close in a few moments Repeat this process for each POS terminal The POS terminal should never be used to host a public FTP or HTTP Web server Protocols and Ports can be disabled from the Windows Firewall and the Hardware Firewall TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 8 of 16 6 0 BUILDING AND MAINTAINING A SECURE NETWORK Consistent with network security best practices the PCI DSS requires that your network e Be protected from unauthorized traffic using a firewall e Have antivirus software installed and updated regularly e Is regularly updated with the latest operating systems and network software patches to keep your system current The following guidelines are general in nature It is recommended that you consult a qualified network administrator to review your particular network setup for purposes of implementing the best protective measures for your unique situation Build a firewall configuration that e Denies all traffic from untrusted networks and hosts except for protocols necessary for the cardholder data environment e Restricts connections between publicly accessible servers and any system component storing cardholder data including any connections from wireless networks include e Restricting inbound internet traffic t
17. nsmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program 5 Use and regularly update anti virus software 6 Develop and maintain secure systems and applications Implement Strong Access Control Measures 7 Restrict access to data by business need to know 8 Assign a unique ID to each person with computer access 9 Restrict physical access to cardholder data Regularly Monitor and Test Networks 10 Track and monitor all access to network resources and cardholder data 11 Regularly test security systems and processes Maintain an Information Security Policy 12 Maintain a policy that addresses information security The remainder of this document describes the essential guidance for implementing TravStar1 POS system in a PCI DSS compliant environment You can learn more about the PCI Security Standards Council and get a copy of the PCI DSS Standards at www pcisecuritystandards org 3 0 INTRODUCTION TO TRAVSTAR1 POS SYSTEM The TravStarl POS system does not store full track data or sensitive authentication data i e CVV CVV2 or PIN blocks after authorization The TravStar1 POS system does not provide any access to or reporting of sensitive cardholder data even by administrator accounts All sensitive cardholder data is encrypted when stored and transmitted between POS system application modules with AES 256 bit encryption Encryption keys are automatically generated and rotate
18. o IP addresses within the DMZ ingress filters e Not allowing internal addresses to pass from the internet into the DMZ e Implementing stateful inspection also known as dynamic packet filtering that is only established connections are allowed into the network e Outbound Internet access from the trusted segment must be limited to required and justified ports and services e Placing the database in an internal network zone segregated from the DMZ e Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment and denying all other traffic e Employ an encryption method with at least 128 bit encryption strength either at the transport layer with SSL or IPSEC or at the data layer with algorithms such as AES on outbound Internet access or Internet accessible DMZ network segments to comply with PCI DSS requirements e Securing and synchronizing router configuration files e Installing perimeter firewalls between any wireless networks and the cardholder data environment and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic if such traffic is necessary for business purposes TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 9 of 16 e Installing personal firewall software on any mobile and employee owned computers with direct connectivity to the Internet which is also used to access the company network I
19. pplement PCI DSS Wireless Guidelines You can download a copy at www pcisecuritystandards org pdfs PCI_ DSS v2 Wireless Guidelines pdf 9 0 MAINTAINING A VULNERABILITY MANAGEMENT PROGRAM Updates to the TravStar1 POS system are released periodically to add or enhance functionality and fix identified defects or vulnerabilities If there are changes to the PCI DSS requirements or in related POS features the updates will include updated electronic documentation including this implementation guide to facilitate your compliance Check with the Fiscal Systems Help Desk at 800 838 4549 press 3 periodically for updates As a software development company we keep abreast of the relevant security concerns and vulnerabilities in our area of Point of Sale systems We do this by subscribing to relevant data feeds and news services which inform us of potential security issues We recommend that your systems Linux and Windows operating systems be maintained automatically by using an automatic update service to download security patches daily Refer to section 14 0 Operating System Information for more information on operating system support TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 11 of 16 If security vulnerabilities are identified not covered by these automatic updates we work to develop and test a patch that helps protect the TravStar1 POS system against the specific new vulnerability We attempt to publish
20. se is available from the Fiscal Systems Help Desk at 800 838 4549 press 3 POS and OPT Terminal Windows operating system SDelete Secure Deletion Download from http technet microsoft com en us sysinternals bb897443 aspx Directions SDelete is a command line utility that takes a number of options In any given use it allows you to delete one or more files and or directories or to cleanse the free space on a logical disk SDe ete accepts wild card characters as part of the directory or file specifier Usage sdelete p passes s q lt file or directory gt sdelete p passes z c drive letter C P S q Z Examples Zero free space good for virtual disk optimization Specifies number of overwrite passes Recurse subdirectories Don t print errors quiet Cleanse free space 1 Removing specific files To remove void data files vdf on the POS sdelete p 7 s C Program Files Fiscal vdf 2 Wiping free space on drive to remove traces of files that were previously deleted by insecure methods sdelete p 7 z c C TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 6 of 16 Site Controller CCL Linux operating system BCWipe Download from http www jetico com bcwipe_unix htm BCWipe for UNIX is designed as UNIX style command line utility Usage bcwipe fhMv m mode n delay FILE1 FILE2 f Force wipe files with no write permissions A
21. zed to use the devices TravStar1 POS System Secure Implementation Guide v9 01 August 2012 Page 13 of 16 e Labeling of devices with owner contact information and purpose e Define acceptable uses for the technology e Establish acceptable network locations for the technology e Establish a company approved products e Require an automatic disconnect of sessions after a period of inactivity e Require the activation of modems used by vendors only when needed by vendors with immediate deactivation after use e Prohibit the storage of cardholder data onto local hard drives floppy disks or other external media e Prohibit cut and paste and print functions during remote access e Require the use of a personal firewall product if computer is connected via VPN or other high speed connection to secure these always on connections to comply with PCI DSS requirements 11 0 LOGGING AND AUDITING Even though POS system logs cannot be configured to contain sensitive cardholder data it is encouraged to set logging configurations to keep logs only for the number of days necessary to support the stores PCI DSS requirements state users must employ a backup procedure that archives and stores all security logs for at least one year Sites should implement automated audit trails for all system components to reconstruct the following events e All actions taken by and individual with root or administrative privileges e Access to all audit trails e
Download Pdf Manuals
Related Search