Secure Implementation Guide - SICOM Systems, Inc.
SICOM SL Series
Secure Implementation Guide
SICOM Systems, Inc.
4140 Skyron Drive
Doylestown, Pennsylvania 18901
800-54-SICOM (800-547-4266)
http://www.sicom.com
sales@sicom.com
SICOM SL Series Secure Implementation Guide
by SICOM Systems, Inc.
4140 Skyron Drive
Doylestown, Pennsylvania 18902
800-54-SICOM (800-547-4266)
http://www.sicom.com
sales@sicom.com
Copyright © 2007 SICOM Systems, Inc.
PROPRIETARY RIGHTS NOTICE
All rights reserved. No part of this material may be reproduced or transmitted in any form or by any means,
electronic, mechanical, or otherwise, including photocopying and recording or in connection with any
information storage or retrieval system, without the written permission in writing from SICOM Systems, Inc.
SICOM Systems, Inc. has taken reasonable preventive measures to ensure the accuracy of the information
contained in this manual. However, SICOM Systems, Inc. makes no warranties or representations with respect
to the information contained herein and SICOM shall not be liable for damages resulting from any errors
or omissions herein or from the use of the information contained in this manual.
Document Revision: 1.3, 11/7/2008
Revision History:
1.1 – Addition of Antivirus option
1.2 – Change SL18 to SL series
1.3 - Change Meta Data
LINUX® is a registered trademark of Linus Torvalds.
SICOM and the "S" logo are trademarks of SICOM Systems Incorporated.
Table of Contents
Overview of Standards and Practices ...................................................................1
Visa CISP..........................................................................................................1
PCI Data Security Standard ..............................................................................1
PABP - Payment Applications Best Practices ...................................................2
PCI Standard v1.1.................................................................................................3
Payment Acceptance Environment.......................................................................4
General Guidance .............................................................................................5
General Recommendations ...........................................................................5
Passwords ..............................................................................................5
Network Security ....................................................................................5
Wireless Devices ....................................................................................6
Retention and Protection of Data - .........................................................6
Remote Access ......................................................................................6
External Review......................................................................................6
User Security ..........................................................................................6
Industry Best Practices...........................................................................7
Segregate Web and Payment Systems..................................................7
How do I know if my system is compliant? ........................................................7
1. Checking your Software Version................................................................7
2. If you are using older software...................................................................8
3. Verifying SICOM SL Series Configuration Compliance .............................9
Enhanced User and Login Security.....................................................................11
• All users must use complex passwords.........................................12
• Passwords expire after ..................................................................12
• Passwords may be repeated after.................................................12
• User is locked out..........................................................................12
• Lockout period...............................................................................12
• Minimum password length.............................................................12
• No activity timeout .........................................................................13
• Enable Clam Antivirus ...................................................................13
• Firewall Configuration....................................................................13
Log In Procedure.............................................................................................14
Change Password .......................................................................................15
Error Messages While Logging In................................................................15
Additional Changes Effective with V1.42.........................................................17
SICOM Certificate Authority (CA)........................................................................18
Background on the Browser Padlock...........................................................18
A Chain of Trust...........................................................................................18
Being a Proper “host” (Editing Your “hosts” File) .........................................19
Installing the SICOM Certificate Authority....................................................22
Cookies........................................................................................................25
OpenVPN ........................................................................................................27
Certificate needed before continuing ...........................................................27
OpenVPN Installation ..................................................................................27
Installation of OpenVPN Package................................................................27
Installation of OpenVPN GUI Package ........................................................29
Connecting to the Restaurant..........................................................................31
OpenVPN Configuration Files......................................................................32
Troubleshooting...............................................................................................32
Detailed PCI-DSS Requirements........................................................................35
Glossary..............................................................................................................54
Introduction to Electronic Payment Processing
SICOM Systems is pleased that you have elected to use our integrated electronic payment
processing software with your SL Series POS (Point of Sale) system. The software provides your
POS system the capability for both Dial-up and Broadband card authorizations, depending upon
your merchant processor, from any Point of Sale terminal.
Security is of paramount importance with any payment acceptance method, whether it is cash,
gift cards/certificates, or debit/credit payments. The widespread acceptance of credit cards in the
quick service industry (QSR) benefits the merchant as well as the cardholder. For the cardholder,
credit cards reduce the cash needed for everyday purchases, resulting in a decreased potential
for loss or theft. For the merchant, cash amounts are also reduced, thereby creating a safer
environment for all employees, while also ensuring that funds are deposited into the bank in a
safe and timely manner.
While accepting electronic payments provides many benefits for both the cardholder and the
merchant, it also comes with responsibilities. Many of these responsibilities, as well as much of
the information provided in this document, come from various industry regulations and guidelines.
The Payment Card Industry standards (PCI), VISA Cardholder Information Security Program
(CISP), Payment Application Best Practices (PABP) and the American Express Card Acceptance
and Processing Network (CAPN) initiative are some of them.
This document is part of our compliance efforts and will also inform you about the steps that
SICOM has taken to assist with your compliance efforts.
Overview of Standards and Practices
"CISP, PCI, PABP, CAPN; what does all of this mean to me?" you may ask. The information
supplied in this document is meant to provide information on some of the responsibilities that you,
as the merchant, have when accepting electronic payments. It is not meant to be authoritative
with respect to merchant processor requirements and guidelines, as much of this information is
taken directly from the Visa® and other industry websites which periodically update their
information.
Visa CISP
When customers offer their bankcard at the POS, over the Internet, on the phone, or through the
mail, they want assurance that their account information is safe. That is why Visa USA instituted
the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is
intended to protect Visa® cardholder data wherever it resides, ensuring that members,
merchants, and service providers maintain the highest information security standard. CISP is a
set of twelve requirements, also known as the "Digital Dozen", designed to limit merchant liability
and to protect cardholder data.
PCI Data Security Standard
Collaboration between Visa® and MasterCard®, the Payment Card Industry (PCI) Data Security
Standard is a set of common industry security requirements. For simplicity, they use the twelve
requirements of the CISP as the basis for this standard, which are designed to limit merchant
liability and protect cardholder data. Other card companies have incorporated these requirements
into their own programs as well.
As of September 7th, 2006, the standards are maintained by the PCI Security Standards
Council. The executive committee of the organization is comprised of members of
MasterCard®, Visa®, American Express®, Discover®, and JCB®.
PABP - Payment Applications Best Practices
Responsibility for PCI/CISP compliance rests with you, the merchant. However, there are many
aspects of card acceptance and processing that you have no control over. To assist merchants,
Visa has created the Payment Applications Best Practices program. Payment Applications that
have been independently validated, when implemented in a CISP compliant environment, provide
some assurance to the merchant. A PABP compliant application does not guarantee compliance
by the merchant. Since the Payment Application Provider (i.e. SICOM Systems) has no direct
control over the merchant and/or its overall technology infrastructure, the merchant is responsible
for providing the CISP compliant environment.
PABP validation by software vendors is voluntary and is not a requirement by Visa USA at
this time. Please note that some merchant processors require compliance and/or
validation in order to process transactions on their network. It is up to the merchant to
ensure that they comply with the guidelines established by their processor.
PCI Standard v1.1
As a merchant accepting payment card transactions, you are required to comply with the PCI
standards and must assess your compliance with the rules and regulations stipulated in PCI’s
agreements. The table below shows the twelve requirements of the PCI Standard as published at
http://www.pcisecuritystandards.org and www.visa.com/cisp. All merchants must comply with
PCI standards. Acquiring banks and Merchant Processors are responsible for ensuring that all of
their merchants comply with the PCI Data Security Standard requirements. Merchant compliance
has been prioritized based on the volume of transactions, the potential risk, and the exposure
introduced into the payment system. While you must check with your Merchant Processor to
determine your level, the QSR market in which SICOM’s SL Series Point of Sale System is used
is generally classified as level 4. Level 4 merchants are currently recommended to perform
self-assessments and quarterly scans of their Payment Acceptance Environment.
Build and Maintain a Secure Network
1 Install and maintain a firewall configuration to protect cardholder data.
2 Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3 Protect stored cardholder data.
4 Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5 Use and regularly update anti-virus software.
6 Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7 Restrict access to cardholder data by business need-to-know.
8 Assign a unique ID to each person with computer access.
9 Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10 Track and monitor all access to network resources and cardholder data.
11 Regularly test security systems and processes.
Maintain an Information Security Policy
12 Maintain a policy that addresses information security.
Figure 1 - PCI Standards
Payment Acceptance Environment
SICOM’s SL Series Point of Sale System consists of POS terminals connected with an industry
standard Ethernet network communicating via TCP/IP. It is configured as a self-contained
network requiring no additional equipment. Its basic configuration requires telephone lines for
credit authorization and optional SICOM support assistance. The basic configuration limits the
Payment Acceptance Environment to POS equipment only. When configured in this manner,
compliance with your data security obligations should be straightforward and limited to selection
options in the “User Security” menu of your SICOM POS system.
Sample User Security Edit
Figure 2 - User Security Edit
Since the SICOM SL Series POS system uses an industry standard network, it is possible to
integrate the POS network with your existing network or to add additional peripherals like a
back-office PC, order confirmation signs, and security equipment. Wireless and broadband access
could also be added. It is important to note that the addition of any non-SICOM peripherals or
access methods to the network extends the Payment Acceptance Environment to those devices.
Careful consideration must be used when planning additional connectivity to the POS
network/cardholder environment. Since merchant compliance extends to the entire Payment
Acceptance system, these security obligations extend to the entire network, not just the SICOM
POS system. Devices that do not specifically need to be on the POS network should be
separated via router, firewall or VLan (Virtual LAN). It is suggested that you consult with an IT
professional familiar with Payment Card Industry (PCI) guidelines when contemplating network
modifications. While it may be easy to add the desired functionality to the network, unintended
security risks may be associated with these additions.
Note:
It is important for you to conduct a thorough self-assessment because you may be required to
make representations to your merchant bank and card associations about your entire payment
system. SICOM Systems, Inc. can only furnish information about its own products, not the entire
Payment Acceptance Environment.
It is critical for you to remember that your obligation to protect consumer data does not end with
your SICOM POS system, even though it can be configured to comply with PCI requirements.
You have an ongoing responsibility to your merchant bank and to your customers to treat their
data with care. SICOM Systems, Inc. recommends instituting at least the practices listed on the
following pages, regardless of how you use your software.
SICOM Systems, Inc. encourages you to develop additional safeguards. Please be sure to
periodically verify with your cardholder associations, PCI, and your merchant bank that you are
complying with all applicable data security regulations and guidelines.
General Guidance
Some general information SICOM can provide for your compliance effort is that your SICOM SL
Series System with software version MGRNG v1.42 or higher does not store the following
information once an authorization has been given:
• Full track data from a card’s magnetic stripe
• CVV2, CVC2, and CID numbers from the physical card
• PIN block data from PIN-based Debit transactions
In addition, cardholder account numbers and expiration dates should be stored with 3DES
encryption with a 192-bit cipher to protect the data.
Once a batch is successfully closed (a closed batch means that we have received a confirmation
number from the payment processing network), cardholder account information is truncated and
never kept in its entirety.
General Recommendations
Passwords - Secure your SICOM SL Series System with recommended compliance options
using the User Security menu option. Require your computer users to log in using a complex
password (a password with both letters and numbers in it) and configure the operating system to
force users to change their passwords routinely—for example every 30 or 90 days. Do not grant
access to product features that a user does not need. For example, a “Cashier” may only facilitate
sales, and therefore would not need to have access to the Reporting or Void and Refund
functions. In this scenario, you could create two profiles called “Clerk” and “Supervisor” and
ensure that only members of the “Supervisor” profile can perform Generate Reports or Voids and
Refunds.
Network Security - Never install a payment software application on a computer with a direct
link to the Internet unless that link is secured. If you are using the Internet for your transaction
transport, make sure your Internet hardware (cable modem, DSL router, etc.) has built-in firewall
capabilities. Do not leave any administrator-level passwords in their default configuration—
change them to a complex password that only you know, as this password will be much more
difficult for a malicious user to guess. Only enable the minimum access necessary to the
network for maximum security and document why it is necessary. Connectivity to a SICOM POS
system requires port 443 for Secure Web access and port 1194 for OpenVPN. OpenVPN is an
open-source implementation of a Virtual Private Network. A Virtual Private Network adds security
by providing access to the POS network and resources through an SSL (Secure Sockets Layer)
encrypted connection to only those that have provided validated credentials. The SICOM SL
Series System requires both a Digital Certificate and password to grant access to the network.
See the broadband and VPN configuration section of the SICOM SL Series Manager Guide for
specific information about ports required for remote POS system access through a firewall. The
Windows version of OpenVPN can be obtained from http://openvpn.net/download . A Graphical
User Interface version can also be obtained from http://openvpn.se .
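The paragraph above names the only two ports a SICOM POS needs exposed for remote access (443 for secure web access and 1194 for OpenVPN), and the Enhanced User and Login Security section later describes three firewall configurations, two compliant and one that permits FTP. The following added example (written for this guide, not SICOM's own code) audits a host's listening TCP ports against those profiles. The `netstat -tln` output it parses is constructed for the demo, and the port numbers assumed for SSH (22) and FTP (21) are the standard service ports, not values stated in the guide.

```python
"""Audit listening TCP ports against the firewall profiles this guide describes.
Added example, not SICOM code. The netstat sample below is constructed."""
import re

# Port sets per profile. 443 and 1194 come from the guide; 22 (SSH) and
# 21 (FTP) are assumed standard service ports.
PROFILES = {
    "vpn_only": {1194},
    "ssh_vpn_https": {22, 443, 1194},
    "ftp_over_dialup": {21, 443, 1194},   # guide marks this option non-compliant
}
COMPLIANT_PROFILES = {"vpn_only", "ssh_vpn_https"}

# Constructed sample of `netstat -tln` output for a POS server.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
"""

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def listening_ports(netstat_text):
    """Return {port: bind_address} for every LISTEN line in netstat -tln output."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def audit(netstat_text, profile):
    """Compare exposed listeners with the chosen profile.

    Returns (compliant, findings). Loopback-only listeners are not reachable
    from the network, so they are reported as informational, not violations.
    """
    allowed = PROFILES[profile]
    findings, violations = [], 0
    if profile not in COMPLIANT_PROFILES:
        findings.append(f"profile '{profile}' permits FTP and is non-compliant")
        violations += 1
    for port, addr in sorted(listening_ports(netstat_text).items()):
        if addr.startswith("127."):
            findings.append(f"info: port {port} is bound to loopback only")
        elif port not in allowed:
            findings.append(f"port {port} is exposed but not allowed by '{profile}'")
            violations += 1
    return violations == 0, findings


if __name__ == "__main__":
    ok, notes = audit(SAMPLE_NETSTAT, "ssh_vpn_https")
    print("compliant" if ok else "NOT compliant")
    for note in notes:
        print(" -", note)
```

Run it against real `netstat -tln` output (or `ss -tln`, after adjusting the regex) on the POS server before opening the router's port forwards; in the constructed sample the exposed FTP listener on port 21 is what fails the audit, while the loopback-only database port is only noted.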
Wireless Devices - Your SICOM POS system does not require wireless connectivity of any
kind. However, it has been designed to work on any network that supports TCP/IP protocols,
without direct knowledge of the physical devices or communication technologies underlying the
TCP/IP layer. If you use wireless devices of any kind to store or transmit payment transaction
data, those devices must be configured to encrypt transmissions using technologies consistent
with the standards in the Payment Card Industry guidelines. Many wireless devices use WEP
(Wireless Encryption Protocol). It is strongly recommended that you implement additional security
measures on top of WEP, such as IPSec or SSL, because security issues have been found with
WEP. All sensitive Cardholder information originating from SICOM POS equipment is 3DES
encrypted for security.
Retention and Protection of Data - Your SICOM SL Series POS System does not store
sensitive transaction detail after a successful batch close. In addition, non-sensitive batch
transaction information is not stored for more than 30 days.
Remote Access - SICOM Systems support personnel have the ability to provide dial-in
remote-access support to your POS System. Each member of the SICOM support team has their
own individual username. The password they use changes daily. When we are requested to
provide assistance, we will ask for the modem access line to be turned on. If you have provided
a broadband connection to the system, it requires you, the merchant, to provide a VPN, or Virtual
Private Network, for system access.
Since most of SICOM’s customers do not have the requisite technical expertise to configure and
manage a VPN, the SICOM SL Series POS with MGRNG v1.42 and higher provides an optional
VPN using OpenVPN. With OpenVPN, SICOM Support personnel not only have an individual
user name with daily changing password, but also have a digital certificate to authenticate them
when connecting to the network for system-related tasks. If you are providing access to SICOM
personnel via a broadband connection, you will need to ensure that your router/firewall forwards
port 1194 to the SICOM SL Series server at 192.168.1.80 for system-level access. Furthermore,
any remote system-level access will require 2-factor (password and certificate) authentication.
System-level access includes the ability to import sales data poll files as well as exporting Auto
Update and other application data files. User certificates can be provided by SICOM, or the
customer can obtain one from a Certificate Authority such as Verisign or Thawte.
If you are providing remote access into the cardholder environment, it is imperative that you
configure and operate software on any systems in the Payment Card Environment in a manner
consistent with the Payment Card Industry guidelines. Remember that any device connected to
the SICOM SL Series POS network is part of the cardholder environment.
External Review - Depending on the amount of card transactions you process, you may be
obligated to engage an external security assessment company to judge your level of compliance
with the various security compliance programs. If you are required, or choose to follow this path,
consider engaging a CISP-qualified assessor who is versed in the latest requirements from the
card associations. Remember, cardholder security requirements can change rapidly.
User Security - Your SICOM SL Series software allows you to “lock down” access to only
those users with a legitimate need to use it. It also provides the capability to easily bring your
POS system (not necessarily your entire Payment Application Environment) into compliance.
Familiarize yourself with the options in the Enhanced User and Login Security document for
important information on how to set up and configure user account security. Follow the simple
rule of thumb that users should not be granted a particular privilege unless there is a legitimate
need for them to use it.
Industry Best Practices - SICOM Systems, Inc. recommends that you evaluate your
payment processing operations in the context of the comprehensive security guidelines published
by the Open Web Application Security Project. You can download and review their documentation
at http://www.owasp.org.
Segregate Web and Payment Systems – PCI requires that payment software
applications are not installed on the same system as a Web server. It is recommended that a
physical, hardware firewall is in place if the system is connected directly to the Internet. The
SICOM SL Series POS system poses a unique challenge with respect to compliance with
industry guidelines. Your system is a POS terminal, file server, and web server. It requires no
additional equipment. When configured securely, cardholder sensitive information (account
number, expiration dates) is stored on another terminal with no direct access to the Internet. To
check if your system is configured correctly, check the User Security Setting menu of your
system. An alert will be displayed if the remote data storage option is not selected. Remember, a
properly configured system does not mean the entire cardholder environment is in compliance.
How do I know if my system is compliant?
Software Versions 1.42 and higher have been designed to be compliant with PCI requirements.
Version 1.42 is currently pending certification by Visa. All versions prior to MGRNG Version 1.42
will not be certified and are deemed non-compliant.
There are two things that you must check to see if your system is compliant. The first is to see if
your system has a certified compliant version of software. The second is to ensure that it is
configured in a compliant manner.
1. Checking your Software Version
From the Main Menu of your POS System, select Maintenance, then Software Release Info.
Figure 3 - Software Release Version
The version shown should be 1.42 or higher with SecureLoad.
2. If you are using older software
All versions prior to MGRNG Version 1.42 with SecureLoad are not certified compliant. If you are
using a SICOM SL Series POS product to authorize credit transactions that was not tested to be
compliant with PCI industry standards, we urge you to upgrade to a more recent version of software.
Here are some additional reasons to upgrade:
• As a result of many changes to credit card processing rules, you may be paying more
than you should to process transactions with your payment processor.
• Your acquiring bank or processing company may require that you upgrade to a PABP
certified software application.
• Versions of software other than those explicitly listed in the Data Storage Statement will
not be tested for PABP compliance.
• You will not be able to take advantage of many other software features now available for
your SICOM POS system.
If you are not sure if your system is in compliance, or you need information about upgrading your
system, please contact SICOM Systems at 800-547-4266.
3. Verifying SICOM SL Series Configuration Compliance
Verifying your Compliance Options requires an administrator access level of 98. When logged in
with this level, you have the menu option of System Maintenance Tools. Select User Security
Settings to view or change your current settings.
Figure 4 - User Security Setting/PABP Edit
The bottom of the screen will alert you to any settings which are outside of the recommended
standards.
Figure 5 - SICOM Compliance Alerts
To easily set all of the options to the recommended settings, and be sure of compliance, we have
also included the Use PABP Recommended Settings button. Seen below, this button will
automatically pre-fill all of the fields to the recommended values when clicked.
Enhanced User and Login Security
Beginning with the 1.42 release of the Management software for the SL Series POS, we have
implemented a stronger user security system for PABP and PCI compliance.
These industry standards require all payment environments to be reviewed for compliance. For
the merchant, this includes the POS network when the POS accepts, stores, or transmits
cardholder data and any other device connected to that network. “Any other” devices include a
customer’s PC, wireless devices, Internet Café, Satellite, DSL or Cable networks, or networked
security cameras. Our PABP compliance lists SICOM Systems, Inc. with either SL18 or SL
Series (depending upon your software version) on the VISA website as a compliant system when
configured according to our implementation guidelines. The intent of the Visa PABP compliance
listing is so that when implemented properly in a customer’s PCI compliant environment, the
system and the environment will be compliant. We must provide the tools and configuration
options for the system to be compliant, but it is up to the merchant to ensure that it is configured
correctly. Part of our compliance dictates that we provide materials to the merchant to educate
them on compliance procedures, which may be out of the scope of the POS system itself.
The enhanced user security settings allow our customers to become compliant with the above
standards and help them to pass the required annual PCI self-assessment questionnaire and
quarterly network scan (or audit, depending upon transaction volume) of their network’s security,
so that they may then be authorized to accept credit cards for payments.
The new security settings can now require users to:
• Ensure that all users use complex passwords.
• Create a new password after a set amount of days, and make sure that users cannot
reuse a password unless that password was used a set number of times ago.
• Make sure that users enter in the correct password, or else be locked out from the
system after a set number of incorrect attempts.
• Ensure that a user’s login password is at least a set number of characters long.
The security settings, when turned on, are enforced in the User Edit (located in the System
Security submenu) and the Change Password feature now included in the new Log In procedure
(see “New Log In Procedure” for more information.)
The following is a snapshot of the User Security Settings Edit, which has been placed on the
System Maintenance Tools menu. This edit is used to configure the restrictions that will aid in
making your payment environment PABP and PCI compliant.
Each of the fields is defined as follows:
• All users must use complex passwords. This option forces users to create
strong passwords in order to log in to the system. Each user’s password is the key that is
used to access the information stored on the system, and creating a strong password is
essential to preventing unauthorized people from gaining access to that information.
With this option enabled, the software will check the passwords that users enter and
reject those that it considers to be easily guessable, weak, too short, or based on
dictionary words.
• Passwords expire after X days. This option forces the user to change their
password after the amount of days entered. SICOM’s recommended setting is 90 days
to ensure PCI compliance. Users are alerted 14 days prior to expiration to change their
password.
• Passwords may be repeated after X changes. This setting forces the user
not to repeat any passwords that they have previously used. This means if a
password is used, then changed, it may not be reused again until the number of following
password changes has passed the value set. The recommended value for compliance is
4 changes.
• User is locked out after X consecutive failed login attempts. If someone
attempts to log in and uses an incorrect password, that username can be prevented from
logging in for a period of time. This option sets the number of times someone can
attempt to log in unsuccessfully before being locked out. The recommended setting for
compliance is no more than 6 failed attempts.
• Lockout period is X minutes. Used in conjunction with the previous option, the
value entered here determines the amount of time, in minutes, that the username is
prevented from logging in (even with the correct password.) The recommended setting
for compliance is 30 minutes.
• Minimum password length is X characters. Shorter passwords make it
easier for a criminal or malicious user to gain access to the system. To help prevent
short passwords, the minimum character length of a password can be restricted. The
value entered here forces every password to be at least that many characters long. The
recommended value for compliance is 7 characters.
• No activity timeout is X minutes. This setting will automatically “log out” a user
if no activity has been logged by the system for the period of time set. The
recommended value for compliance is 15 minutes.
• Enable Clam Antivirus. When this box is checked and a broadband connection is
present, the SICOM SL Series POS System will periodically scan itself for viruses.
Customer-downloaded files will be scanned before being acted on, and the system will
perform a complete scan weekly. Virus definitions are updated daily and engine updates
are checked weekly. Contact SICOM Systems if you would like additional information or
changes to the frequency or data being scanned.
• Firewall Configuration. The PABP Compliant firewall configuration does not allow
ANY FTP connections, not even via dialup. Options to allow FTP over dialup (Noncompliant);
SSH, VPN, and HTTPS (compliant); and VPN only (compliant) are available.
By default, when the software is installed, the enhanced settings are turned off. They can be
turned on by using the edit located in the System Maintenance Tools menu. Beginning with
Release v1.61, the recommended settings will be the default.
IMPORTANT: The first time the PABP settings are turned on, ALL users
will be required to change their password the next time they log in. This is
to ensure that all users are using the recommended settings. Make sure the
restaurant personnel are aware of this!
When configuring the settings in this edit, an alert will notify the user if any of the settings do not
meet the minimum requirements for compliance:
To easily set all of the options to the recommended settings, and be sure of compliance, we have
also included the Use PABP Recommended Settings button. Seen below, this button will
automatically pre-fill all of the fields to the recommended values when clicked.
The Remote User Password edit (located in the System Security submenu) and the
Remote Access User edit (located in the System Maintenance Tools menu) will
always require a complex password be used and a minimum password length of
7 characters, regardless of the settings in the User Security edit.
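The settings above can be read as one account policy. The following Python model is an added example, not SICOM's code: it applies the recommended values (90-day expiry with a 14-day warning, no reuse within 4 changes, a 30-minute lockout after 6 consecutive failures, a 7-character minimum and a 15-minute no-activity timeout) together with the rule that a password may not equal the username. The PBKDF2 hashing, the complexity rule (at least one letter and one digit) and the status strings are assumptions; the guide does not describe the system's internals.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import hmac
import os
import re

# Recommended PABP values from the User Security edit (the guide's numbers).
RECOMMENDED = {
    "expire_days": 90,          # Passwords expire after X days
    "warn_days": 14,            # alert this many days before expiry
    "reuse_after_changes": 4,   # Passwords may be repeated after X changes
    "max_failed_logins": 6,     # User is locked out after X consecutive failures
    "lockout_minutes": 30,      # Lockout period is X minutes
    "min_length": 7,            # Minimum password length is X characters
    "idle_minutes": 15,         # No activity timeout is X minutes
}
PBKDF2_ROUNDS = 50_000            # assumption: the guide does not name a hash
T0 = datetime(2008, 11, 7, 9, 0)  # reference clock for the worked calls

def later(t: datetime, days: int = 0, minutes: int = 0) -> datetime:
    return t + timedelta(days=days, minutes=minutes)

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def is_complex(password: str, min_length: int) -> bool:
    """Assumed complexity rule: minimum length plus at least one letter and one digit."""
    return (len(password) >= min_length
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

@dataclass
class Account:
    username: str
    password_hash: bytes
    changed_at: datetime
    history: List[bytes] = field(default_factory=list)  # earlier hashes, newest first
    failed_logins: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

def new_account(username: str, password: str, now: datetime, policy=RECOMMENDED) -> Account:
    if password.lower() == username.lower() or not is_complex(password, policy["min_length"]):
        raise ValueError("initial password does not meet the policy")
    return Account(username, hash_password(password), now)

def set_password(acct: Account, new_password: str, now: datetime, policy=RECOMMENDED) -> str:
    """Change-password rules; returns 'ok' or the reason the new password was rejected."""
    if new_password.lower() == acct.username.lower():
        return "rejected: password must differ from username"
    if not is_complex(new_password, policy["min_length"]):
        return "rejected: not complex enough"
    # The current password and the previous X-1 are off limits, so a password
    # becomes usable again only after X further changes.
    recent = [acct.password_hash] + acct.history[:policy["reuse_after_changes"] - 1]
    if any(check_password(new_password, h) for h in recent):
        return "rejected: reused recently"
    acct.history.insert(0, acct.password_hash)
    acct.password_hash = hash_password(new_password)
    acct.changed_at = now
    return "ok"

def login(acct: Account, password: str, now: datetime, policy=RECOMMENDED) -> str:
    """Returns 'locked', 'expired', 'bad password', 'ok' or 'ok (expires soon)'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                  # applies even with the correct password
    if now - acct.changed_at > timedelta(days=policy["expire_days"]):
        return "expired"                 # only an administrator can reset it
    if not check_password(password, acct.password_hash):
        acct.failed_logins += 1
        if acct.failed_logins >= policy["max_failed_logins"]:
            acct.locked_until = now + timedelta(minutes=policy["lockout_minutes"])
            acct.failed_logins = 0
            return "locked"
        return "bad password"
    acct.failed_logins = 0
    acct.last_activity = now
    remaining = timedelta(days=policy["expire_days"]) - (now - acct.changed_at)
    return "ok (expires soon)" if remaining <= timedelta(days=policy["warn_days"]) else "ok"

def session_active(acct: Account, now: datetime, policy=RECOMMENDED) -> bool:
    """No-activity timeout: the session counts as logged out after idle_minutes."""
    return (acct.last_activity is not None
            and now - acct.last_activity <= timedelta(minutes=policy["idle_minutes"]))
```

The history rule is the subtle part: with the recommended value of 4, the current password plus the three before it are rejected, so the original password becomes usable again only after four subsequent changes. Lockout is checked before the password, so a correct password during the lockout period is still refused, as the guide states.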
Log In Procedure
When first attempting to log in, the user will see a text field to input their username. There will not
be a field to input the password.
The user enters his/her username and then presses PROCESS LOGIN to continue. The
software will validate the username to make sure that it is correct, and then present the screen to
input the password.
Once the user enters their password, they can either log in by clicking the PROCESS LOGIN
button, or change their password by clicking the CHANGE PASSWORD button.
PLEASE NOTE
All users level 98 or higher will ALWAYS require a complex, minimum 7-character
password be entered regardless of the settings configured!
If the enhanced user security is turned on and the user’s password has expired, the PROCESS
LOGIN button will not appear: the user’s account has been deactivated. The user cannot log in
until an administrator resets the expired password, which reactivates the account.
Change Password
When changing a password, the current password must be entered, followed by the new
password twice. This ensures that the person making the changes not only knows the current
password (and is not changing the password while the real user is away from the terminal) but
also makes sure that the new password is being correctly entered.
Error Messages While Logging In
Here are the error messages possible when logging in with the system configured for the new
security settings:
The username that was entered does not exist in the database. Be sure that the username was
typed in correctly. The username field is not case-sensitive.
They will need to re-enter the username/password combination. This password field is CASE-
SENSITIVE, so that means entries like PASSWORD, PaSsWoRd, and password are not the
same. Check the spelling and Caps Lock keys and have the user try to log in again.
If they incorrectly enter the password, they will see this message appear the next time they
attempt to log in. It will go away once they successfully enter the correct password and log in.
This message will only appear if the system is configured for PABP compliance.
If they fail to correctly enter the password numerous times in succession, the user account will be
locked, preventing any more log in attempts over a fixed period of time. This message will only
appear if your system is configured for PABP compliance, and will display how long the timeout
is.
If the system is configured for PABP compliance, a user will see this message displayed once
their account’s password is set to expire. By default, the message will be displayed 14 days prior
to the password’s expiration. They have to be sure to choose a new, different password before
the expiration, or else the account will get locked. They will not be able to log in once the account
has been locked.
This message is displayed if the account has been locked due to the password expiring. The
user must contact the system’s administrator (or another user with equal or higher access that
can access the User Edit) to input a new password for the account so that they can log in again.
Additional Changes Effective with V1.42
• POS *2.56 – The “*” indicates the POS supports 3DES encryption for transmission of
cardholder data across the network. It is required for sites with software version 1.42
or higher!
• Complete credit card numbers are NO LONGER AVAILABLE in the batch history. Once
a batch is successfully closed, the expiration date and most of the card number is
removed.
• Cardholder data in an open batch has been increased to 3DES encryption.
• Usernames and passwords must be unique. For example, User: manager, Password: manager is
not valid.
SICOM Certificate Authority (CA)
When attempting to connect with a system running MGRNG version 1.42 and higher, you will now
need to use https instead of http, because communications between your browser and
the SICOM POS system are encrypted. Many sites on the web will redirect you to the proper
connection, possibly alerting you that you are entering or leaving a secure connection. The SL
Series System cannot, because there is no guarantee that the systems are registered with valid
domain names and fixed IP addresses.
Secure connections require 2 things:
• Encrypted Communications
• Trust
Background on the Browser Padlock
When visiting sites on the Internet such as Paypal, eBay, etc., a padlock is often displayed on
your browser. This padlock indicates that the communications session is encrypted. However,
the browser wants to go a step further. To help prevent fraud, the browser wants to check to see
if the site that has been visited can be verified. You could have clicked on a web link and not
really made it to the site that you “thought” you were going to. This is where the trust comes in.
E-commerce sites will register with a Certificate Authority (CA) that they are indeed who they say
that they are. The level of trust often depends upon the information the company provided to the
CA. It could be as simple as an email address, name, and physical address that can be verified
or as complex as submitted incorporation documents for a company. Companies like Verisign,
Thawte, and Comodo provide this research and verification. Furthermore, when visiting a
company’s website, your browser reads the certificate presented by the website and then checks it
against the CA (Verisign, Thawte, etc.) that signed it. Once confirmed, the certificate is used to
set up the encrypted session with the website.
A Chain of Trust
How does the browser know to trust the Certificate Authority? All browsers are preconfigured
with certificates from many CAs. The browser checks the Certificate Authority’s certificate with
one that is in the browser. Since the browser can trust the CA and the CA trusts the website
(eBay, Paypal, etc.), the browser knows it can now trust the website as well. The chain of trust is
complete!
Since each and every SL Series system cannot feasibly be registered with a Certificate Authority,
how can a chain of trust be established? There needs to be another method. SICOM has
created a Self-Signed Certificate and Certificate Authority. As a user of a SICOM product, you
have an inherent trust in us. In addition, you will need to obtain our CA Certificate (or CACERT)
to install in your browser. Unlike major Certificate Authorities, a CA Cert from SICOM will never
be pre-installed in your browser. SICOM’s CACERT can be obtained at
http://www.sicom.com/sicom_ca.crt. It is recommended that you type this address in exactly how
it is written to ensure that the link is not subverted in any way. This is a big part of the chain of
trust, making sure that you receive it from the proper, trusted, source.
Being a Proper “host” (Editing Your “hosts” File)
Internet addresses are made up of a series of numbers. Those numbers can change depending
upon where you are connecting from. For example, one address (192.168.1.80) may find the
system in a restaurant while another (146.145.212.68) may find the same system from the
Internet. The certificate installed on the system has to be consistent—no matter how you connect
to it—for it to identify itself properly.
To do this, you will need to modify the “hosts” file on your Windows computer. This file is
located at \windows\system32\drivers\etc\hosts (in Windows XP). This file lets you reference
an address consistently because you are able to specify the IP address or name to which the
entry refers.
For an in-restaurant system that is addressed at 192.168.1.80, add the following to your hosts
file:
192.168.1.80 manager.penguinpos.com
If you are outside the restaurant, you may wish to create the name or alias of the restaurant with
the fixed IP address. For example, if the restaurant IP address is 146.145.212.68 for Burger
Restaurant #123 in Doylestown, you might want either of the following in your hosts file:
146.145.212.68 bgr123.penguinpos.com
146.145.212.68 doylestown.penguinpos.com
192.168.202.1 vpn.penguinpos.com
192.168.201.1 vpn.penguinpos.com
Notice that all entries have “penguinpos.com”. This is how the SL Series System will identify
itself to you.
Please Note – Do not use an underscore “_” in your name/alias. It will cause our check for
cookies to fail.
The following is an example that should not be used.
146.145.212.68 bgr_123.penguinpos.com
When you attempt to connect to the system at https://192.168.1.80, you will see the following:
If you have a domain name associated with the restaurant location, you will not be able to
reference the POS system using that name without an error from your browser. The reason is
that the system is reporting as xxx.penguinpos.com and you may be surfing to it as
bgr123.mycompany.com. Since “mycompany.com” doesn’t match SICOM’s certificate, it will alert
you.
In that case, you would want to reference the system as:
bgr123.mycompany.com bgr123.penguinpos.com
This is especially important if the restaurant location is using a Dynamic DNS (DYNDNS) service
instead of a fixed IP address. The entry in the hosts file will permit mapping from an accepted
name for the certificate to the DYNDNS name that will ultimately find the restaurant.
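The two rules in this section (the name you type must end in penguinpos.com so that it matches the certificate, and it must not contain an underscore or the cookie check fails) can be checked before editing the file. The Python below is an added example, not SICOM's code; it parses hosts-file lines like the ones above and reports entries that break either rule. The sample lines are constructed from the guide's own addresses plus the two forms it warns against.

```python
import ipaddress
import re

CERT_DOMAIN = "penguinpos.com"   # the name the SL Series certificate presents

# Host-name labels may contain letters, digits and hyphens only; an underscore
# is exactly what the guide says breaks the cookie check.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def parse_hosts(text: str) -> list:
    """Return (line_no, first_field, names) for each non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((line_no, fields[0], fields[1:]))
    return entries

def check_hosts(text: str, cert_domain: str = CERT_DOMAIN) -> list:
    """List (line_no, problem) pairs; an empty list means every entry is usable."""
    problems = []
    for line_no, address, names in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            problems.append((line_no, f"'{address}' is not an IP address"))
        if not names:
            problems.append((line_no, "no host name given for the address"))
        for name in names:
            if not all(LABEL_RE.match(label) for label in name.split(".")):
                problems.append((line_no, f"'{name}' has an invalid character such as '_' "
                                          "(the cookie check will fail)"))
            if not name.lower().endswith("." + cert_domain):
                problems.append((line_no, f"'{name}' does not match the certificate name "
                                          f"*.{cert_domain}"))
    return problems

def hosts_entry(address: str, alias: str, cert_domain: str = CERT_DOMAIN) -> str:
    """Build a hosts line for an alias and refuse one that would fail the checks."""
    entry = f"{address} {alias}.{cert_domain}"
    problems = check_hosts(entry, cert_domain)
    if problems:
        raise ValueError(problems[0][1])
    return entry

# Constructed sample: the guide's good entries plus two forms it warns against.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
192.168.1.80   manager.penguinpos.com
146.145.212.68 bgr123.penguinpos.com doylestown.penguinpos.com
146.145.212.68 bgr_123.penguinpos.com
146.145.212.68 bgr123.mycompany.com
"""
```

Running `check_hosts(SAMPLE_HOSTS)` flags line 4 (underscore) and line 5 (a name under mycompany.com, which the browser would compare against the SICOM certificate and reject); the first three entries pass.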
You will now want to connect to https://manager.penguinpos.com (or whatever entry you created
in your hosts file). However, you will get the following message because there is one more step
that is needed:
You have entered the correct address, but your browser doesn’t trust the security certificate. If
you have Internet Explorer 7, you can continue to the site (although IE actually recommends
closing the browser).
If you do, the address bar on your browser will have a red highlight and indicate a certificate error
as shown below:
You can access the system without this warning by installing the SICOM Certificate Authority
(CA). SICOM generates the certificates on a secure computer located on our premises and not
connected to any network. You can get the SICOM CA here: http://www.sicom.com/sicom_ca.crt
Save this file to an easily remembered location on your computer’s hard drive. We’ll need it later.
Installing the SICOM Certificate Authority
In Internet Explorer, select Tools, then Internet Options, click on the Content tab. The following
window will open:
Select Certificates.
Now select Import…and enter the location of the cacert.crt saved earlier.
Let Windows determine which certificate store to place the certificate in by clicking the radio
button marked Automatically select the certificate store based on the type of certificate and click
Next.
You will be presented with a security warning:
It is imperative that you receive the SICOM CA certificate directly from SICOM’s website. This way
you can ensure a chain of trust. Review the thumbprint ID displayed in the security warning, and
make sure it matches what is written here:
97EC3435 D2F3C302 4C116425 BE511FE3 6DE697B9
If the thumbprint ID matches the code above, then select Yes to this security warning.
Otherwise, click No and download another copy of the file from SICOM’s website. If you continue
to encounter difficulty matching the thumbprint ID, contact SICOM Systems Technical Support as
soon as possible.
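The thumbprint comparison can also be done outside the browser, which is useful when the file is distributed to several computers. The Python below is an added example, not SICOM's code: it computes the thumbprint the way Windows displays it (SHA-1 over the DER encoding of the certificate, shown as hex), accepts either a PEM or a raw DER file, and compares it with the value printed above in constant time. The sample certificate bytes are a constructed placeholder, not the SICOM CA, so their thumbprint will not match the printed one.

```python
import base64
import hashlib
import hmac
import re

# Thumbprint printed in the guide for the SICOM CA (sicom_ca.crt).
EXPECTED_THUMBPRINT = "97EC3435 D2F3C302 4C116425 BE511FE3 6DE697B9"

def pem_to_der(data: bytes) -> bytes:
    """Accept a PEM ("-----BEGIN CERTIFICATE-----") or raw DER file; return DER bytes."""
    text = data.decode("ascii", errors="ignore")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if m:
        return base64.b64decode("".join(m.group(1).split()))
    return data  # no PEM armour: treat the file as DER

def sha1_thumbprint(der: bytes) -> str:
    """The Windows certificate 'Thumbprint': SHA-1 over the DER encoding, as hex."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize(thumbprint: str) -> str:
    """Drop the spaces/colons a person copies along with the hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()

def thumbprint_matches(cert_file_bytes: bytes, expected: str = EXPECTED_THUMBPRINT) -> bool:
    actual = sha1_thumbprint(pem_to_der(cert_file_bytes))
    return hmac.compare_digest(actual, normalize(expected))

def verify_file(path: str, expected: str = EXPECTED_THUMBPRINT) -> bool:
    """Check a downloaded CA file before importing it into the browser."""
    with open(path, "rb") as f:
        return thumbprint_matches(f.read(), expected)

# Constructed stand-in for a certificate file (NOT a real certificate): the bytes
# are arbitrary, so their thumbprint is computed here and is not the SICOM value.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

For a real check, call `verify_file("sicom_ca.crt")` on the file saved from the URL above; the function returns True only when the computed thumbprint equals the one printed in this guide, whichever way the spaces were typed.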
Once installed, you are able to view the site without any further warnings from Internet Explorer.
You will also have the padlock icon indicating that you have a secure connection.
Warning – Do not remove the “sicom” Certificate Authority (CA) after installing
unless you no longer trust SICOM.
If you remove the “sicom” Certificate Authority, you will no longer be able to access your SICOM
SL Series POS system securely. Internet Explorer 7 will no longer alert you to a security
certificate error but will block access to the web pages.
Cookies
The SICOM SL Series system uses cookies to confirm your logged in state. This way you do not
need to log in every time you visit a new menu/page. You may wish to ensure that cookies are
enabled from penguinpos.com. Enabling cookies will ensure that you are always allowed to log
in.
In Internet Explorer, select Tools, then Internet Options, click on the Privacy tab.
Select the Sites button. Here is where you will specify that penguinpos.com is always allowed to
leave a cookie.
Enter penguinpos.com in the field marked “Address of website”, click Allow and then OK.
OpenVPN
When attempting to connect with a system running MGRNG version 1.42 and higher, you might
be required to connect to the restaurant over a VPN (Virtual Private Networking) connection. This
section details the steps necessary to install, configure, and use the OpenVPN software on your
Windows XP computer. OpenVPN cannot be used on a Windows 9x/Me.
OpenVPN is a software package that SICOM Systems, Inc. has chosen to use as the VPN server
on SL Series terminals. It requires the OpenVPN client to connect to the server; you cannot use
the built-in Windows XP VPN client. OpenVPN supports combined password and certificate
authentication (so-called “dual-factor authentication”), which is required for our customers to
remain PCI compliant in their sales environments.
The actual restaurant configuration and the type of access to the system desired will determine if
OpenVPN is needed. A very secure installation will require OpenVPN for all connectivity to the
system. Most configurations will allow browser access via SSL – HTTPS, but will also require
OpenVPN for shell and FTP access. Simply put, most IT department personnel retrieving poll
files or downloading auto-updates of other data files will be required to use OpenVPN or some
other VPN solution.
Certificate needed before continuing
Each user granted access to the system through the VPN will need his own security certificate in
addition to being listed in the Remote Access User edit in the system. The Security Certificate is
good for all restaurants owned by the company. Contact SICOM Systems for details and
procedures required to obtain these certificates. Remote users need to be re-added if a hard
drive is replaced in the restaurant.
OpenVPN Installation
First, the OpenVPN software needs to be installed on your Windows computer. It requires
Windows XP and will not work on Windows 9x or Me computers. The latest version of the
software is available at http://openvpn.net/download.html. The current release as of this
document’s date is 2.0.9. Select the “Windows Installer” download link, and save the file to your
hard drive. Once the file is downloaded, double-click the saved file to begin the installation.
There is also a Graphical User Interface version (OpenVPN GUI for Windows) available at
http://openvpn.se/download.html
Installation of OpenVPN Package
You will see a security warning displayed by Windows. Click “Run” to continue.
Keep pressing “Next” and “Install” until you see another message displayed. Press “Continue
Anyway.”
Once the software is installed, you will see a new icon appear in the system tray on the bottom-right
corner of the screen. This indicates that the OpenVPN network adaptor has been
successfully installed.
By default, the adaptor is named “Local Area Connection 2.” To avoid confusion in the future, we
shall rename the connection to something more specific and related to its real use, VPN.
Open up your “Network Connections” folder by selecting “Control Panel” from the Start Menu,
then “Network and Internet Connections”, and finally “Network Connections.” You should see the
“Local Area Connection 2” icon in the “LAN or High-Speed Internet” section. Make sure the
bottom line reads “TAP-Win32 Adapter V8.” Right-click on the icon, and select “Rename.”
Use your keyboard to input the new name for the connection, “OpenVPN Connection” and press
enter.
The icon should now be renamed in the window and on the taskbar.
Installation of OpenVPN GUI Package
Read the License and click “I Agree” if you accept, click Next. Keep pressing “Next” and “Install”
until you see another message displayed. Press “Continue Anyway.”
Once the software is installed, you will see a new icon appear in the system tray on the bottom-right
corner of the screen. This indicates that the OpenVPN network adaptor has been
successfully installed.
By default, the adaptor is named “Local Area Connection 2.” To avoid confusion in the future, we
shall rename the connection to something more specific and related to its real use, VPN.
Open up your “Network Connections” folder by selecting “Control Panel” from the Start Menu,
then “Network and Internet Connections”, and finally “Network Connections.” You should see the
“Local Area Connection 2” icon in the “LAN or High-Speed Internet” section. Make sure the
bottom line reads “TAP-Win32 Adapter V8.” Right-click on the icon, and select “Rename.”
Use your keyboard to input the new name for the connection, “OpenVPN Connection” and press
enter.
The icon should now be renamed in the window and on the taskbar.
Connecting to the Restaurant
Now that the software is installed, the next logical step is to try to connect to the restaurant. This
requires several steps to be completed before you can attempt a connection. First, you need
your user certificate provided by SICOM Systems. Each user connecting through OpenVPN must
have an individual user certificate that indicates the user and company. This file (actually a set of
files) is needed to gain access to the system. A corresponding entry is added to the system in
addition to the entry in remote access edit to allow connection to the system. Certificate requests
must be made, in writing, by an authorized member or delegate of your company’s executive
staff. You will also need the domain name or IP address of the restaurant you wish to connect
with.
The combination of your username, password, and digital certificate provide the security needed
to positively verify your identity while remotely connecting to a SICOM SL Series system.
Compliance standards state that a remote user needs to possess two forms of identification when
connecting. The first item is “something you know,” a password that is assigned to you and only
you. The second is “something you have,” and this item is in the form of a signed encryption
certificate that is saved on your USB memory stick. Having both of these items proves that you
are who you say you are, and allows the software to grant you access to the remote system.
OpenVPN Configuration Files
If you are using the Windows GUI installation of OpenVPN, place your digital certificate and
configuration files you received into the OpenVPN config directory. This is usually C:\Program
Files\OpenVPN\config. Right-clicking the OpenVPN icon will let you start OpenVPN for a
specific user configuration file. If more than one user has access to the computer, it is
recommended that the certificate and configuration files be stored on a separate device such as a
USB flash drive. Better yet, the files should be stored on a secure, encrypted portion of the flash
drive.
(Screenshot: right-click the OpenVPN icon for options.)
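Whether a user configuration file actually carries both factors described under “Connecting to the Restaurant” (the certificate you have and the password you know) can be checked before the file is handed out. The Python below is an added example, not SICOM's code or configuration; it parses an OpenVPN client configuration and reports anything that would weaken the two-factor setup. The sample configuration is constructed in the OpenVPN 2.0 style the guide's version uses (`ns-cert-type server`; later releases use `remote-cert-tls server`, which the check also accepts); the file names and restaurant address are placeholders.

```python
import shlex

# Constructed OpenVPN 2.0-style client configuration: a per-user certificate
# plus a username/password prompt. File names and the restaurant address are
# placeholders, not SICOM values.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote bgr123.penguinpos.com 1194
nobind
persist-key
persist-tun
# CA that signed the restaurant's server certificate
ca ca.crt
# the user's signed certificate and key ("something you have")
cert user.crt
key user.key
# prompt for username and password ("something you know")
auth-user-pass
# only accept a server certificate, not another client's certificate
ns-cert-type server
verb 3
"""

def parse_openvpn_config(text: str) -> dict:
    """Map each directive to the list of argument lists it appears with."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def check_two_factor(text: str, vpn_port: str = "1194") -> list:
    """Return the problems found; an empty list means both factors and server
    verification are configured."""
    d = parse_openvpn_config(text)
    problems = []
    if not (("cert" in d and "key" in d) or "pkcs12" in d):
        problems.append("no client certificate (cert/key or pkcs12): "
                        "'something you have' is missing")
    if "auth-user-pass" not in d:
        problems.append("auth-user-pass is missing: 'something you know' is never requested")
    elif any(args for args in d["auth-user-pass"]):
        problems.append("auth-user-pass reads the password from a file, "
                        "which removes the second factor")
    if "ca" not in d and "pkcs12" not in d:
        problems.append("ca is missing: the restaurant's server certificate cannot be verified")
    if "ns-cert-type" not in d and "remote-cert-tls" not in d:
        problems.append("no ns-cert-type/remote-cert-tls server: a client certificate "
                        "would be accepted as the server")
    if "remote" not in d:
        problems.append("no remote host given")
    for args in d.get("remote", []):
        if len(args) > 1 and args[1] != vpn_port:
            problems.append(f"remote port {args[1]} is not the VPN port {vpn_port} "
                            "that the firewall must allow")
    return problems
```

`check_two_factor(SAMPLE_CONFIG)` returns an empty list; removing `auth-user-pass`, pointing it at a saved password file, or dropping the `cert` line each produces a specific finding, and a `remote` line on a port other than 1194 is flagged because that is the port the PCI chart later lists for the VPN.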
Troubleshooting
Next, we need to set the Windows Firewall settings so that it does not automatically block your
attempts to connect to a restaurant. Right-click the “OpenVPN Connection” icon from the
“Network Connections” window and select “Properties.”
Click on the “Advanced” tab shown.
Click the “Settings” button to open the Windows Firewall settings dialog. Click on the “Advanced”
tab of the Windows Firewall dialog box.
Under “Network Connection Settings,” find your “OpenVPN Connection” from the list of choices
displayed. Uncheck the box to the left of the connection name to disable Windows Firewall
filtering over the OpenVPN connection.
If you are using Windows XP with Service Pack 2, there are some known third party firewall
software issues. Please refer to this link: http://openvpn.se/xpsp2_problem.html to see if there is
a reported issue with your third party firewall.
Detailed PCI-DSS Requirements
The following chart provides the detailed requirements of the PCI Data Security Standard as of
this printing. The column of “Pertinent SICOM SL Series Information” provides 2 types of
information related to your compliance. It either provides information on steps that the SICOM
System has implemented to aid in your compliance efforts or provides alerts to your
responsibilities as the Merchant. Remember, the SICOM SL Series system is designed as a self-contained,
private network. SICOM has taken steps to assure compliance if the system is
integrated into another network or if the system is connected to a broadband network.
PCI-DSS Topic Pertinent SICOM SL
Information
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data.
Firewalls are computer devices that control computer traffic allowed into a company’s network from
outside, as well as traffic into more sensitive areas within a company’s internal network. All systems
need to be protected from unauthorized access from the Internet, whether for e-commerce, employees
Internet-based access via desktop browsers, or employees’ email access. Often, seemingly insignificant
paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key
protection mechanism for any computer network
1.1 Establish firewall configuration standards that
include:
1.1.1 A formal process for approving and testing all
external network connections and changes to
the firewall configuration
1.1.2 A current network diagram with all connections
to cardholder data, including any wireless
networks
1.1.3 Requirements for a firewall at each Internet
connection and between any DMZ and the
Intranet
1.1.4 Description of groups, roles, and responsibilities
for logical management of network components
1.1.5 Documented list of services/ports necessary for
business
Devices that do not need to be
accessed by the SICOM POS
system should be placed onto a
different network segment.
SICOM SL Series has a firewall
in place limiting traffic. A limited
selection of firewall options
exist in the system which the
user can select for their
compliance efforts. The
merchant must provide a
hardware firewall device as a
means of first-line defense if the
POS network is connected to
an external source.
Port 22 (ssh), 443 (https) and
1194(VPN) must be open for
customers desiring external,
remote, connection to an SL
Series System. If using the
OpenVPN service on the
terminal, port 22 does not need
35
36
1.1.6 Justification and documentation for any
available protocols besides HTTP and SSL,
SSH, and VPN
1.1.7 Justification and documentation for any risky
protocols allowed (FTP, etc.), which includes
reason for use of protocol and security features
implemented
to be available. If desired, port
443 may also be closed if you
desire all connectivity to the
SICOM POS system to use the
VPN. This is the safest and
most secure option. Any ports
additional ports open to the
network must be justified by the
merchant.
No insecure protocols are
permitted. Merchant must justify
any protocol access on the
cardholder network for non-
SICOM equipment.
Merchant must justify any
protocol access on the
cardholder network for non-
SICOM equipment.
1.1.8 Periodic review of firewall/router rule sets Refer to the Enhanced User
and Login Security document
on how to check your SICOM
firewall configuration. Merchant
must provide a router
connecting the POS system to
additional devices/resources
and must verify their
router/firewall rules.
1.1.9 Configuration standards for routers
1.2 Build a firewall configuration that denies all
traffic from “un-trusted” networks/hosts, except
for:
1.2.1 Web protocols - HTTP (port 80) and Secure
Sockets Layer (SSL) (typically port 443)
1.2.2 System administration protocols (e.g., Secure
Shell (SSH) or Virtual Private Network (VPN)
1.2.3 Other protocols required by the business (e.g.,
for ISO 8583).
1.3 Build a firewall configuration that restricts
connections between publicly accessible
servers and any system component storing
cardholder data, including any connections from
wireless networks. This firewall configuration
should include:
1.3.1 Restricting inbound Internet traffic to IP
addresses within the DMZ (ingress filters)
Refer to the Enhanced User
and Login Security document
on how to check your SICOM
firewall configuration.
The only external connection to
the POS network shall be to the
SICOM SL Series Manager
Terminal which is addressed as
192.168.1.80. This terminal
does not house sensitive
cardholder data when
configured with a remote
datastore.
1.3.2 Restricting inbound and outbound Internet
traffic to ports 80 and 443
1.3.3 Not allowing internal addresses to pass from
the Internet into the DMZ (egress filters)
1.3.4 Stateful inspection, also known as dynamic
packet filtering (only ”established” connections
are allowed into the network)
1.3.5 Placing the database in an internal network
zone, segregated from the DMZ
1.3.6 Restricting outbound traffic to that which is
necessary for the payment card environment
1.3.7 Securing and synchronizing router configuration
files (e.g., running configuration files – used for
normal running of the routers, and start-up
configuration files - used when machines are rebooted,
should have the same, secure
configuration).
1.3.8 Denying all other inbound and outbound traffic
not specifically allowed
1.3.9 Installation of perimeter firewalls between any
wireless networks and the payment card
environment, and configuration of these
firewalls to deny or control (if such traffic is
necessary for business purposes) any traffic
from the wireless environment
1.3.10 1.3.10 Installation of personal firewall software
on any mobile and/or employee-owned
computers with direct connectivity to the
Internet (e.g., laptops used by employees),
which are used to access the organization’s
network
1.4 Prohibit direct public access between external
networks and any system component that
stores cardholder information (e.g., databases)
1.4.1 Implement a DMZ to filter and screen all traffic,
to prohibit direct routes for inbound and
outbound Internet traffic
1.4.2 Restrict outbound traffic from payment card
applications to IP addresses within the DMZ.
1.5 Implement Internet Protocol (IP) masquerading
to prevent internal addresses from being
translated and revealed on the Internet. Use
technologies that implement RFC 1918 address
space, such as Port Address Translation (PAT)
or Network Address Translation (NAT)
Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters.
37
Hackers (external and internal to a company) often use vendor default passwords and other vendor
default settings to compromise systems. These passwords and settings are well known in hacker
communities and easily determined via public information.
38
2.1 Always change the vendor-supplied defaults
before you install a system on the network (e.g.,
passwords, SNMP community strings, and
elimination of unnecessary accounts).
2.1.1 For wireless environments, change wireless
vendor defaults, including but not limited to,
WEP keys, default SSID, passwords, and
SNMP community strings, and disabling of
SSID broadcasts. Enable Wi-Fi Protected
Access (WPA) technology for encryption and
authentication when WPA-capable.
2.2 Develop configuration standards for all system
components. Make sure these standards
address all known security vulnerabilities and
industry best practices.
2.2.1 Implement only one primary function per server
(e.g., web servers, database servers, and DNS
should be implemented on separate servers)
2.2.2 Disable all unnecessary and insecure services
and protocols (services and protocols not
directly needed to perform the devices’
specified function).
2.2.3 Configure system security parameters to
prevent misuse
2.2.4 Remove all unnecessary functionality, such as
scripts, drivers, features, subsystems, file
systems (e.g., unnecessary web servers).
2.3 Encrypt all non-console administrative access.
Use technologies such as SSH, VPN, or
SSL/TLS for web-based management and other
non-console administrative access.
Non-SICOM devices should be
monitored for enabled services
to ensure that access to the
POS network is not
inadvertently provided.
The SICOM SL Series system
has functionality limited to POS
specific tasks for security
reasons.
Connection to SICOM terminals
is limited to SSH and SSL
connections. Remote access
should be via a VPN with
specific, tracked user accounts.
The SICOM SL can optionally
provide OpenVPN. It should be
configured for broadband
remote access if no other VPN
is used. Certificates can be
obtained and installed by the
merchant or optionally provided
by SICOM Systems, Inc.
Protect Cardholder Data
Requirement 3: Protect Stored Data
Encryption is the ultimate protection mechanism because even if someone breaks through all other
protection mechanisms and gains access to encrypted data, they will not be able to read the data without
further breaking the encryption. This is an illustration of the defense in depth principle.
3.1 Keep cardholder information storage to a
minimum. Develop a data retention and
disposal policy. Limit your storage amount and
retention time to that which is required for
business, legal, and/or regulatory purposes, as
documented in the data retention policy.
3.2 Do not store sensitive authentication data
subsequent to authorization (not even if
encrypted):
3.2.1 Do not store the full contents of any track from
the magnetic stripe (on the back of a card, in a
chip, etc.)
3.2.2 Do not store the card-validation code (Threedigit
or four-digit value printed on the front or
back of a payment card (e.g., CVV2 and CVC2
data))
The SICOM SL Series terminal
does not store any sensitive
cardholder information once a
batch is closed successfully.
Magnetic stripe contents and
PIN blocks are never stored
after authorization.
Not Stored.
3.2.3 Do not store the PIN Verification Value (PVV) Not Stored.
3.3 Mask account numbers when displayed (the
first six and last four digits are the maximum
number of digits to be displayed).
Note that this does not apply to those employees and other
parties with a specific need to see full credit card numbers.
3.4 Render sensitive cardholder data unreadable
anywhere it is stored (including data on portable
media, backup media, in logs, and data
received from or stored by wireless networks)
by using any of the following approaches:
• One-way hashes (hashed indexes),
such as SHA-1
• Truncation
• Index tokens and PADs, with the PADs
being securely stored
• Strong cryptography, such as Triple-
DES 128-bit or AES 256-bit with
associated key management processes
and procedures.
The MINIMUM account information that needs to be rendered
unreadable is the payment card account number.
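The following is an added worked example (not SICOM code and not part of the original guide) of the 3.2 through 3.4 controls as a practitioner would check them: a scanner that finds Luhn-valid account numbers and ISO 7813 track 1/track 2 data in log lines, the first-six/last-four masking of 3.3, and a demonstration of why an unsalted SHA-1 of the PAN (one of the 3.4 options) must never be stored alongside its truncated form. The log lines and the 4111111111111111 Visa test number are constructed sample input; the regular expressions and function names are the example's own.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample log lines for this example; they are not taken from any
# real terminal. 4111111111111111 is the well-known Visa test number.
SAMPLE_LOG = [
    "2008-11-07 10:12:03 auth ok term=3 pan=4111111111111111 amt=12.50",
    "2008-11-07 10:12:09 auth ok term=3 pan=411111******1111 amt=12.50",
    "2008-11-07 10:13:44 debug swipe=;4111111111111111=091210112345?",
    "2008-11-07 10:14:01 debug swipe=%B4111111111111111^DOE/JOHN^0912101?",
    "2008-11-07 10:15:22 order 1234567890123 closed batch=20081107",
]

# A candidate PAN is a run of 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# ISO 7813 track 2: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";\d{13,19}=\d{7,}\?")
# ISO 7813 track 1: '%B' PAN '^' name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{7,}[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and timestamps that are
    merely long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Req. 3.3 display masking: at most the first six and last four digits
    remain. SICOM's screens show only the last four, i.e. keep_first=0."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most first 6 and last 4 digits")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


def scan_line(line: str) -> Dict[str, object]:
    """Findings for one log line: Luhn-valid PANs and track 1/2 data
    (Req. 3.2.1 forbids storing track data; Req. 3.4 includes logs)."""
    return {
        "pans": [m for m in PAN_RE.findall(line) if luhn_valid(m)],
        "track1": TRACK1_RE.search(line) is not None,
        "track2": TRACK2_RE.search(line) is not None,
    }


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line by its masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_valid(m.group(1)) else m.group(1),
        line,
    )


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def recover_pan_from_hash(pan_sha1_hex: str, first6: str, last4: str) -> Optional[str]:
    """Why an unsalted SHA-1 of the PAN must not sit next to its truncated
    form: for a 16-digit PAN with first six and last four known, only the
    six middle digits (10**6 values) are unknown, so the 'one-way' hash is
    reversed by plain enumeration in seconds."""
    target = bytes.fromhex(pan_sha1_hex)
    for middle in range(10 ** 6):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha1(candidate.encode()).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        found = scan_line(line)
        if found["pans"] or found["track1"] or found["track2"]:
            print("VIOLATION", found, "->", redact_line(line))
    pan = "4111111111111111"
    print("recovered from hash:", recover_pan_from_hash(sha1_hex(pan), pan[:6], pan[-4:]))
```

The scanner is meant to be run over application and debug logs before a batch close is considered complete; the last function is the reason later revisions of the standard require a keyed or salted hash when a truncated PAN is kept as well.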
3.5 Protect encryption keys against both disclosure
and misuse.
Validation code is not requested
or stored.
Only the last 4 digits of account
numbers are displayed.
3DES encryption is used for all
sensitive cardholder data in the
SICOM SL Series POS System.
3.5.1 Restrict access to keys to the fewest number of
custodians necessary
3.5.2 Store keys securely in the fewest possible
locations and forms.
3.6 Fully document and implement all key
management processes and procedures,
including:
3.6.1 Generation of strong keys
3.6.2 Secure key distribution
3.6.3 Secure key storage
3.6.4 Periodic key changes
3.6.5 Destruction of old keys
3.6.6 Split knowledge and dual control of keys (so
that it requires 2 or 3 people, each knowing only
their part of the key, to reconstruct the whole
key).
3.6.7 Prevention of unauthorized substitution of keys
3.6.8 Replacement of known or suspected
compromised keys
3.6.9 Revocation of old or invalid keys (mainly for
RSA keys)
3.6.10 Requirement for key custodians to sign a form
specifying that they understand and accept their
key-custodian responsibilities
Contact SICOM Systems
immediately at 800-547-4266 if
it is suspected that these keys
have been compromised.
RSA keys are not used.
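Added example, not SICOM's key-management procedure: XOR key components implementing the split knowledge and dual control of 3.6.6, with a key check value that catches the component substitution 3.6.7 warns about. The 24-byte Triple-DES key length, the SHA-256-based check value and the odd-parity adjustment are the example's own assumptions; a production key check value is computed with the cipher itself (first three bytes of encrypting eight zero bytes), which the Python standard library cannot do for 3DES.

```python
import hashlib
import secrets
from typing import List, Optional

KEY_LEN = 24  # bytes; a three-key Triple-DES key, matching the guide's 3DES usage (assumption)


def xor_bytes(parts: List[bytes]) -> bytes:
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("all components must have the same length")
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def adjust_odd_parity(key: bytes) -> bytes:
    """DES keys carry odd parity in each byte's low bit; set it after combining."""
    return bytes(b if bin(b).count("1") % 2 == 1 else b ^ 1 for b in key)


def new_key(key_len: int = KEY_LEN) -> bytes:
    return adjust_odd_parity(secrets.token_bytes(key_len))


def check_value(key: bytes) -> str:
    """Key check value (KCV) used to detect a substituted or mistyped component
    (Req. 3.6.7). Stand-in: truncated SHA-256 instead of a 3DES-based KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


def generate_components(n_custodians: int, key_len: int = KEY_LEN) -> List[bytes]:
    """Each custodian generates and keeps one full-length random component.
    Any subset short of all n reveals nothing about the key (Req. 3.6.6)."""
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    return [secrets.token_bytes(key_len) for _ in range(n_custodians)]


def split_existing_key(key: bytes, n_custodians: int) -> List[bytes]:
    """Split an already generated key into n components for distribution (3.6.2):
    n-1 random components, the last one chosen so that all XOR back to the key."""
    comps = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    comps.append(xor_bytes(comps + [key]))
    return comps


def combine_components(components: List[bytes], expected_kcv: Optional[str] = None) -> bytes:
    """Reconstruct the key under dual control: every custodian enters their
    component, the device XORs them, and the KCV is compared before use."""
    key = adjust_odd_parity(xor_bytes(components))
    if expected_kcv is not None and check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: wrong or substituted component")
    return key


def components_valid(components: List[bytes], expected_kcv: str) -> bool:
    try:
        combine_components(components, expected_kcv)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    comps = generate_components(3)
    key = combine_components(comps)
    print("KCV to record with the key ceremony form:", check_value(key))
    # Each custodian also records the KCV of their own component so a
    # swapped component is caught before the key is ever loaded.
    for i, c in enumerate(comps, 1):
        print(f"custodian {i} component KCV: {check_value(c)}")
```

The combined key should exist only inside the device that uses it; the components are what gets stored and transported, each with a different custodian. When a key is replaced (3.6.4, 3.6.8), the old components are destroyed (3.6.5) and a new ceremony produces a new recorded KCV.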
Requirement 4: Encrypt transmission of cardholder and sensitive information across
public networks.
Sensitive information must be encrypted during transmission over the Internet, because it is easy and
common for a hacker to intercept and/or divert data while in transit.
4.1 Use strong cryptography and encryption
techniques (at least 128 bit) such as Secure
Sockets Layer (SSL), Point-to-Point Tunneling
Protocol (PPTP), Internet Protocol Security
(IPSEC) to safeguard sensitive cardholder data
during transmission over public networks
SICOM encrypts all cardholder
information when transmitted
between terminals.
4.1.1 For wireless networks transmitting cardholder
data, encrypt the transmissions by using Wi-Fi
Protected Access (WPA) technology if WPA
capable, or VPN or SSL at 128-bit. Never rely
exclusively on WEP to protect confidentiality
and access to a wireless LAN. Use one of the
above methodologies in conjunction with WEP
at 128 bit, and rotate shared WEP keys
quarterly and whenever there are personnel
changes.
4.2 Never send cardholder information via
unencrypted e-mail.
The application is designed for
the specific POS hardware and
OS provided by SICOM. It is not
designed for wireless
enablement. Should the
Merchant add wireless
capability to the network, that
Merchant is responsible for
securing it properly.
Full cardholder information is
not normally provided at any
time for merchants. Should
there be an instance where the
merchant obtains cardholder
information, they must ensure
that any transmission of that
data is encrypted.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs.
Many vulnerabilities and malicious viruses enter the network via employees’ email activities. Anti-virus
software must be used on all email systems and desktops to protect systems from malicious software.
5.1 Deploy anti-virus mechanisms on all systems
commonly affected by viruses (e.g. PC’s and
servers).
5.2 Ensure that all anti-virus mechanisms are
current, actively running, and capable of
generating audit logs.
The SICOM SL Series Manager
Terminal is a closed Linux
system running only POS
related software. Due to the
controlled nature of the host
and application environment,
there are no significant risks.
The customer should either
provide an Antivirus Gateway to
protect the environment or
request (or enable) built-in
ClamAV support. ClamAV is an
open-source antivirus package
which the SL Series system
supports. In addition, all
non-SICOM network devices should
have anti-virus and spyware
software enabled to ensure no
outside threat to the
environment.
Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these
vulnerabilities are fixed via vendor security patches, and all systems should have current software
patches to protect against exploitation by employees, external hackers, and viruses. For in-house
developed applications, numerous vulnerabilities can be avoided by using standard system development
processes and secure coding techniques.
6.1 Ensure that all system components and
software have the latest vendor-supplied
security patches.
6.1.1 Install relevant security patches within one
month of release.
A SICOM Support contract
provides for software patches
and security updates for the
SICOM POS system. The
Merchant must ensure that all
non-SICOM POS devices on
the network are adequately
maintained to prevent a security
vulnerability to the network.
When necessary, the Merchant
must ensure that all updates
provided by the POS Vendor are
scheduled for installation in a
timely manner.
6.2 Establish a process to identify newly discovered
security vulnerabilities (e.g., subscribe to alert
services freely available on the Internet).
Update your standards to address new
vulnerability issues.
6.3 Develop software applications based on
industry best practices and include information
security throughout the software development
life cycle. Include the following:
6.3.1 Testing of all security patches and system and
software configuration changes before
deployment
6.3.2 Separate development/test and production
environments
6.3.3 Separation of duties between development/test
and production environments
6.3.4 Production data (real credit card numbers) are
not used for testing or development
6.3.5 Removal of test data and accounts before
production systems become active
6.3.6 Removal of custom application accounts,
usernames, and passwords before applications
become active or are released to customers.
6.3.7 Review of custom code prior to release to
production or customers, to identify any
potential coding vulnerability
6.4 Follow change control procedures for all system
and software configuration changes. The
procedures should include:
6.4.1 Documentation of impact
6.4.2 Management sign-off by appropriate parties
6.4.3 Testing that verifies operational functionality
6.4.4 Back-out procedures.
6.5 Develop web software and applications based
on secure coding guidelines such as the Open
Web Application Security Project guidelines.
Review custom application code to identify
coding vulnerabilities. See www.owasp.org -
“The Ten Most Critical Web Application Security
Vulnerabilities.” Cover prevention of common
coding vulnerabilities in software development
processes, to include:
6.5.1 Unvalidated input
6.5.2 Broken access control (e.g., malicious use of
user IDs)
6.5.3 Broken authentication/session management
(use of account credentials and session
cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (e.g., SQL injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management.
Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know.
This ensures critical data can only be accessed in an authorized manner.
7.1 Limit access to computing resources and
cardholder information to only those individuals
whose job requires such access.
7.2 Establish a mechanism for systems with
multiple users that restricts access based on a
user’s need to know, and is set to “deny all”
unless specifically allowed.
The POS system provides
limited access to cardholder
information. Merchant is to
assign security levels to credit
information to only those who
require access. In addition,
merchant is to limit access to
system employee data and
employee creation (via
assigned security levels) as
employees are the entry point
of cardholder data into the
environment.
The POS system prevents
access to all management
functions unless the user has
been assigned a level
permitting access.
Requirement 8: Assign a unique ID to each person with computer access.
This ensures that actions taken on critical data and systems are performed by, and can be traced to,
known and authorized users.
8.1 Identify all users with a unique username
before allowing them to access system
components or cardholder data.
8.2 Employ at least one of the methods below,
in addition to unique identification, to
authenticate all users:
• Password
• Token devices (e.g., SecureID,
certificates, or public key)
• Biometrics.
8.3 Implement 2-factor authentication for
remote access to the network by
employees, administrators, and third
parties. Use technologies such as RADIUS
or TACACS with tokens, or VPN with
individual certificates.
8.4 Encrypt all passwords during transmission
and storage, on all system components.
8.5 Ensure proper user authentication and
password management for non-consumer
users and administrators, on all system
components:
8.5.1 Control the addition, deletion, and
modification of user IDs, credentials, and
other identifier objects.
8.5.2 Verify user identity before performing
password resets.
8.5.3 Set first-time passwords to a unique value
per user and change immediately after first
use
8.5.4 Immediately revoke accesses of
terminated users.
8.5.5 Remove inactive user accounts at least
every 90 days
8.5.6 Enable accounts used by vendors for
remote maintenance only during the time
needed
User Security Setting edit provides
merchant controls for authentication
requirements and provides on-screen
guidance when items are out of
recommended settings. A single
button option provides in-spec
choices for all items. The Merchant is
required to review these settings for
compliance.
See 8.5 response above.
SICOM Support personnel log in with
unique user names and passwords
which change daily. In addition,
individual certificates linked to the
user are required if the OpenVPN
service has been enabled. Best
practice is to disconnect the modem
when not specifically needed. Since
the modem may be used for the
credit authorization, this may not be
practical in all cases. SICOM
recommends that connectivity via
dial-up be through the OpenVPN
service to discourage attacks on the
application environment.
8.5.7 Distribute password procedures and
policies to all users who have access to
cardholder information
8.5.8 Do not use group, shared, or generic
accounts/passwords
8.5.9 Change user passwords at least every 90
days
8.5.10 Require a minimum password length of at
least seven characters
8.5.11 Use passwords containing both numeric
and alphabetic characters
8.5.12 Do not allow an individual to submit a new
password that is the same as any of the
last four passwords he or she has used
8.5.13 Limit repeated access attempts by locking
out the user ID after not more than six
attempts
8.5.14 Set the lockout duration to thirty minutes or
until administrator enables the user ID
8.5.15 If a session has been idle for more than 15
minutes, require the user to re-enter the
password to re-activate the terminal
8.5.16 Authenticate all access to any database
containing cardholder information. This
includes access by applications,
administrators, and all other users.
Merchant must develop policies and
procedures for all users with access
to cardholder data.
Merchant must ensure that each
authorized user has their own
account.
See 8.5 response above.
See 8.5 response above.
See 8.5 response above.
See 8.5 response above.
See 8.5 response above.
See 8.5 response above.
See 8.5 response above.
The Application provides this
authentication.
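An added example (not the SICOM User Security Setting implementation) that turns the 8.4 and 8.5.3, 8.5.9 to 8.5.15 rules into a running model, so each threshold in the table can be exercised rather than read: salted PBKDF2 storage, the seven-character alphanumeric rule, a four-password history, six-attempt lockout for thirty minutes or until an administrator unlocks, 90-day expiry, and the 15-minute idle timeout. The account name, passwords and the PBKDF2 round count are constructed values; time is injected as epoch seconds so the clock-based rules can be tested without waiting.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Thresholds taken from Req. 8.5.9 to 8.5.15.
MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60
IDLE_SECONDS = 15 * 60
MAX_AGE_SECONDS = 90 * 24 * 3600
PBKDF2_ROUNDS = 50_000  # assumption for the example; raise it on real hardware


def hash_password(password: str) -> bytes:
    """8.4: store only a salted, slow hash. Record = 16-byte salt || 32-byte key."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, record: bytes) -> bool:
    salt, key = record[:16], record[16:]
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(calc, key)


def policy_violations(password: str) -> List[str]:
    """8.5.10 and 8.5.11: at least seven characters, both letters and digits."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


class Account:
    """Per-user state for the 8.5 controls; `now` is epoch seconds."""

    def __init__(self, username: str, first_password: str, now: float):
        self.username = username
        self.history: List[bytes] = [hash_password(first_password)]
        self.changed_at = now
        self.must_change = True  # 8.5.3: unique first-time value, changed on first use
        self.failed = 0
        self.locked_until: Optional[float] = None
        self.last_activity: Optional[float] = None

    def set_password(self, new_password: str, now: float) -> List[str]:
        """Returns the list of violations; an empty list means the change applied."""
        problems = policy_violations(new_password)
        if any(verify_password(new_password, h) for h in self.history[-HISTORY_DEPTH:]):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")  # 8.5.12
        if problems:
            return problems
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        self.must_change = False
        return []

    def login(self, password: str, now: float) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"  # 8.5.14: thirty minutes, or admin_unlock()
            self.locked_until, self.failed = None, 0
        if not verify_password(password, self.history[-1]):
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:  # 8.5.13
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad_password"
        self.failed = 0
        self.last_activity = now
        if self.must_change or now - self.changed_at > MAX_AGE_SECONDS:
            return "change_required"  # 8.5.3 and 8.5.9
        return "ok"

    def admin_unlock(self) -> None:
        self.locked_until, self.failed = None, 0

    def session_active(self, now: float) -> bool:
        """8.5.15: after 15 idle minutes the password must be re-entered."""
        if self.last_activity is None or now - self.last_activity > IDLE_SECONDS:
            self.last_activity = None
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    acct = Account("cashier01", "Temp1234", now=0.0)
    print(acct.login("Temp1234", 1.0))           # change_required (first-time password)
    print(acct.set_password("Temp1234", 2.0))    # rejected: matches password history
    print(acct.set_password("Summer08", 2.0))    # [] -> applied
```

Every failed attempt is also an event the Requirement 10 audit trail must record (10.2.4), which is why the login outcome is returned as a distinct value rather than a bare boolean.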
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data allows the opportunity to access
devices or data, and remove systems or hardcopies, and should be appropriately restricted.
9.1 Use appropriate facility entry controls to
limit and monitor physical access to
systems that store, process, or transmit
cardholder data.
9.1.1 Use cameras to monitor sensitive areas.
Audit this data and correlate with other
entries. Store for at least three months,
unless otherwise restricted by law.
9.1.2 Restrict physical access to publicly
accessible network jacks.
9.1.3 Restrict physical access to wireless access
points, gateways, and handheld devices.
9.2 Develop procedures to help all personnel
easily distinguish between employees and
visitors, especially in areas where
cardholder information is accessible.
“Employee” refers to full-time and part-time
employees, temporary employees/personnel,
and consultants who are “resident” on the
entity’s site. A “visitor” is defined as a vendor,
guest of an employee, service personnel, or
anyone who needs to enter the facility for a
short duration, usually not more than one day.
9.3 Make sure all visitors are:
9.3.1 Authorized before entering areas where
cardholder data is processed or maintained
9.3.2 Given a physical token (e.g., badge or
access device) that expires, and that
identifies them as non-employees
9.3.3 Asked to surrender the physical token
before leaving the facility or at the date of
expiration.
9.4 Use a visitor log to retain a physical audit
trail of visitor activity. Retain this log for a
minimum of three months, unless
otherwise restricted by law.
9.5 Store media back-ups in a secure off-site
facility, which may be either an alternate
third-party or a commercial storage facility.
9.6 Physically secure all paper and electronic
media (e.g., computers, electronic media,
networking and communications hardware,
telecommunication lines, paper receipts,
paper reports, and faxes) that contain
cardholder information.
9.7 Maintain strict control over the internal or
external distribution of any kind of media
that contains cardholder information
9.7.1 Label the media so it can be identified as
confidential.
9.7.2 Send the media via secured courier or a
delivery mechanism that can be accurately
tracked.
9.8 Ensure management approves all media
that is moved from a secured area
(especially when media is distributed to
individuals).
9.9 Maintain strict control over the storage and
accessibility of media that contains
cardholder information:
9.9.1 Properly inventory all media and make
sure it is securely stored.
9.10 Destroy media containing cardholder
information when it is no longer needed for
business or legal reasons:
9.10.1 Cross-cut shred, incinerate, or pulp
hardcopy materials
9.10.2 Purge, degauss, shred, or otherwise
destroy electronic media so that cardholder
data cannot be reconstructed.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder
data.
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all
environments allows thorough tracking and analysis when something does go wrong. Determining the
cause of a compromise is very difficult without system activity logs.
10.1 Establish a process for linking all access to
system components (especially those done
with administrative privileges such as root)
to an individual user.
10.2 Implement automated audit trails to
reconstruct the following events, for all
system components:
10.2.1 All individual user accesses to cardholder
data
10.2.2 All actions taken by any individual with root
or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication
mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system-level
objects.
10.3 Record at least the following audit trail
entries for each event, for all system
components:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system
component, or resource.
10.4 Synchronize all critical system clocks and
times.
10.5 Secure audit trails so they cannot be
altered, including the following:
10.5.1 Limit viewing of audit trails to those with a
job-related need
10.5.2 Protect audit trail files from unauthorized
modifications
10.5.3 Promptly back-up audit trail files to a
centralized log server or media that is
difficult to alter
10.5.4 Copy logs for wireless networks onto a log
server on the internal LAN.
10.5.5 Use file integrity monitoring/change
detection software (such as Tripwire) on
logs to ensure that existing log data cannot
be changed without generating alerts
(although new data being added should not
cause an alert).
10.6 Review logs for all system components at
least daily. Log reviews should include
those servers that perform security
functions like IDS and authentication (AAA)
servers (e.g., RADIUS).
10.7 Retain your audit trail history for a period
that is consistent with its effective use, as
well as legal regulations.
An audit history usually covers a period of at
least one year, with a minimum of 3 months
available online.
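Added example, not part of the guide or of the SICOM product: an audit trail that records the six 10.3 fields for every event and chains each record to its predecessor by hash, so that modification of existing entries is detected while appends are not flagged (10.5.5), together with a checkpoint value to be copied to the central log server (10.5.3), because a hash chain alone cannot reveal that its tail was deleted. The events, user names, origins and target names are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List

# The six entries Req. 10.3 demands for every event.
REQUIRED = ("user", "event", "time", "result", "origin", "target")
GENESIS = "0" * 64


def _digest(prev_hash: str, entry: Dict[str, str]) -> str:
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    """Append-only audit trail where each record commits to the one before it.
    Editing an old record breaks the chain (10.5.2, 10.5.5); appending does not."""

    def __init__(self) -> None:
        self.records: List[Dict[str, object]] = []

    def append(self, **fields: str) -> Dict[str, object]:
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            raise ValueError(f"audit record missing {missing}")
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"prev": prev, "entry": fields, "hash": _digest(prev, fields)}
        self.records.append(rec)
        return rec

    def verify(self) -> int:
        """Index of the first record whose hash does not match, or -1 if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _digest(prev, rec["entry"]) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1

    def checkpoint(self) -> str:
        """Hash of the latest record. Ship it to the central log server (10.5.3):
        a chain can be silently truncated; the remotely held checkpoint shows it."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def matches_checkpoint(self, remote: str) -> bool:
        return self.checkpoint() == remote


def build_sample_log() -> AuditLog:
    """Constructed events covering 10.2.1 to 10.2.4; all values are made up."""
    log = AuditLog()
    log.append(user="mgr01", event="login", time="2008-11-07T10:12:03Z",
               result="success", origin="terminal-1", target="manager-console")
    log.append(user="cashier07", event="login", time="2008-11-07T10:12:40Z",
               result="failure", origin="terminal-3", target="pos-app")
    log.append(user="root", event="service-restart", time="2008-11-07T10:13:05Z",
               result="success", origin="console", target="sshd")
    log.append(user="mgr01", event="view-audit-log", time="2008-11-07T10:14:11Z",
               result="success", origin="terminal-1", target="audit-trail")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() == -1, "checkpoint:", log.checkpoint())
    log.records[1]["entry"]["result"] = "success"  # hide a failed login attempt
    print("first bad record after tampering:", log.verify())
```

Timestamps must come from a clock synchronized per 10.4, otherwise records from different terminals cannot be correlated; the checkpoint should be sent at least as often as the daily review in 10.6.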
Requirement 11: Regularly test security systems and processes
Vulnerabilities are continually being discovered by hackers/researchers and introduced by new software.
Systems, processes, and custom software should be tested frequently to ensure security is maintained over
time and through changes.
11.1 Test security controls, limitations, network
connections, and restrictions routinely to
make sure they can adequately identify or
stop any unauthorized access attempts.
Where wireless technology is deployed,
use a wireless analyzer periodically to
identify all wireless devices in use.
11.2 Run internal and external network
vulnerability scans at least quarterly and
after any significant change in the network
(e.g., new system component installations,
changes in network topology, firewall rule
modifications, product upgrades).
Note that external vulnerability scans must be
performed by a scan vendor qualified by the
payment card industry.
11.3 Perform penetration testing on network
infrastructure and applications at least
once a year and after any significant
infrastructure or application upgrade or
modification (e.g., operating system
upgrade, sub-network added to
environment, web server added to
environment).
11.4 Use network intrusion detection systems,
host-based intrusion detection systems,
and/or intrusion prevention systems to
monitor all network traffic and alert
personnel to suspected compromises.
Keep all intrusion detection and prevention
engines up to date.
11.5 Deploy file integrity monitoring to alert
personnel to unauthorized modification of
critical system or content files, and perform
critical file comparisons at least daily (or
more frequently if the process can be
automated).
Critical files are not necessarily those
containing cardholder data. For file integrity
monitoring purposes, critical files are usually
those that do not regularly change, but the
modification of which could indicate a system
compromise or risk of compromise. File
integrity monitoring products usually come
pre-configured with critical files for the related
operating system. Other critical files, such as
those for custom applications, must be
evaluated and defined by the merchant or
service provider.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees
and contractors.
A strong security policy sets the security tone for the whole company, and lets employees know what is
expected of them. All employees should be aware of the sensitivity of data and their responsibilities for
protecting it.
12.1 Establish, publish, maintain, and
disseminate a security policy that:
12.1.1 Addresses all requirements in this
specification.
12.1.2 Includes an annual process that identifies
threats, and vulnerabilities, and results in a
formal risk assessment
12.1.3 Includes a review at least once a year and
updates when the environment changes.
12.2 Develop daily operational security
procedures that are consistent with
requirements in this specification (e.g.,
user account maintenance procedures, log
review procedures)
12.3 Develop usage policies for critical
employee-facing technologies, such as
modems and wireless, to define proper use
of these technologies for all employees
and contractors. Ensure these usage
policies require:
12.3.1 Explicit management approval
12.3.2 Authentication for use of the technology
12.3.3 A list of all such devices and personnel
with access
12.3.4 Labeling of devices with owner, contact
information, and purpose
12.3.5 Acceptable uses of the technology
12.3.6 Acceptable network locations for these
technologies
12.3.7 A list of company-approved products
12.3.8 Automatic disconnect of modem sessions
after a specific period of inactivity
12.3.9 Activation of modems for vendors only
when needed by vendors, with immediate
deactivation after use.
12.3.10 When accessing cardholder data remotely
via modem, disable storage of cardholder
data onto local hard drives, floppy disks or
other external media. Also disable cut-andpaste,
and print functions during remote
access.
12.4 Ensure the security policy and procedures
clearly define information security
responsibilities for all employees and
contractors.
12.5 Assign to an individual or team the
following information security management
responsibilities:
12.5.1 Establish, document, and distribute
security policies and procedures
12.5.2 Monitor and analyze security alerts and
information, and distribute to appropriate
personnel
12.5.3 Establish, document, and distribute
security incident response and escalation
procedures to ensure timely and effective
handling of all situations
12.5.4 Administer user accounts, including
additions, deletions, and modifications
12.5.5 Monitor and control all access to data.
12.6 Make all employees aware of the
importance of cardholder information
security
12.6.1 Educate employees (e.g., through posters,
letters, memos, meetings, and
promotions).
12.6.2 Require employees to acknowledge in
writing they have read and understood the
company's security policy and procedures.
12.7 Screen potential employees to minimize
the risk of attacks from internal sources.
For those employees who only have
access to one card number at a time to
facilitate a transaction, such as store
cashiers, this requirement is a
recommendation only.
12.8 Contractually require all third parties with
access to cardholder data to adhere to
payment card industry security
requirements. At a minimum, the
agreement should address:
12.8.1 Acknowledgement that the 3rd party is
responsible for security of cardholder data
in their possession.
12.8.2 Ownership by each Payment Card brand,
Acquirer, and Merchants of cardholder
data and acknowledgement that such data
can ONLY be used for assisting these
parties in completing a transaction,
supporting a loyalty program, providing
fraud control services, or for others uses
specifically required by law.
12.8.3 Business continuity in the event of a major
disruption, disaster or failure.
12.8.4 Audit provisions that ensure that Payment
Card Industry representative, or a Payment
Card Industry approved third party, will be
provided with full cooperation and access
to conduct a thorough security review after
a security intrusion. The review will validate
compliance with the Payment Card
Industry Data Security Standard for
protecting cardholder data.
12.8.5 Termination provision that ensures that 3rd
party will continue to treat cardholder data
as confidential.
12.9 Implement an incident response plan. Be
prepared to respond immediately to a
system breach.
12.9.1 Create an incident response plan to be
used in the event of system compromise.
Ensure the plan addresses, at a minimum,
specific incident response procedures,
business recovery and continuity
procedures, data backup processes, roles
and responsibilities, and communication
and contact strategies (e.g., informing
Acquirers and credit card associations.).
12.9.2 Test the plan at least annually.
12.9.3 Designate specific personnel to be
available on a 24/7 basis to respond to
alerts.
12.9.4 Provide appropriate training to staff with
security breach response responsibilities.
12.9.5 Include alerts from intrusion detection,
intrusion prevention, and file integrity
monitoring systems.
12.9.6 Have a process to modify and evolve the
incident response plan according to
lessons learned and to incorporate industry
developments.
Out of scope
Glossary
Acquiring Bank A bank that provides credit card merchant
accounts and is responsible for submitting
credit card purchase information to the credit
card associations.
Application Service Provider (ASP)
Bank Card Association An organization owned by financial
institutions that licenses a bank card program
or performs transaction processing for its
owners. The present day national card
associations, Mastercard International and Visa
International, perform four key functions:
licensing bank cards and service marks to card
issuing banks; authorizing transactions by
cardholders; settling interchange transactions
when the transaction processing bank (called
the Merchant Bank) is different from the card
issuer; and setting the Interchange rate, or the
transaction processing fee paid by association
members.
Firewall A network firewall protects a computer network
from unauthorized access. Network firewalls
may be hardware devices, software programs,
or a combination of the two.
Network firewalls guard an internal computer
network (home, school, business intranet)
against malicious access from the outside.
Network firewalls may also be configured to
limit access to the outside from internal users.
Many network routers include built-in firewall
support. The administrative interface of these
routers includes configuration options for the
firewall. Router firewalls can be turned off
(disabled), or they can be set to filter certain
types of network traffic through so-called
firewall rules.
IPSec IPSec, or IP Security is a set of protocols
intended to secure Internet Protocol (IP)
communications. It is done by encrypting
and/or authenticating each IP packet in a data
stream. IPsec also includes protocols for
cryptographic key establishment.
Merchant A business or person providing goods and/or
services to a consumer. The merchant is the
account holder subscribing to a bank for the
purpose of processing credit card transactions.
Merchant Account An agreement between a merchant and a credit
card processor that allows the business to
accept credit cards, debit cards, gift cards and
other forms of electronic payment. This is also
widely known as payment processing or credit
card processing.
Merchants, or business owners who receive
payment for their goods or services, must apply
for a merchant account.
Merchant Processor A company that handles or provides
transaction or data processing services to
merchants
A Processor is the company that actually
routes an Authorization Request from a Point
of Sale device (such as a Verifone credit card
terminal) to Visa, MasterCard and American
Express etc. It then arranges for settlement to
the merchant.
Processors need to have a Sponsoring Bank in
order to gain access to the Visa and
MasterCard networks. When a Processor or
other entity has made such an arrangement
with a Sponsoring Bank to resell their services,
they are called an Agent of that bank.
Many banks are also their own processors,
while other banks will use a Third Party
Processor to handle this processing for them.
Network Segmentation Dividing a network into smaller logical
networks so that traffic stays within the
segment that needs it. Besides improving
bandwidth utilization by keeping packets in a
localized area, segmentation is used in security
applications to restrict the flow of data to only
those devices that need access to it: the more
devices that can reach data they do not need,
the greater the risk to that data. In a Payment
Application Environment, the area that
cardholder information traverses and the
devices with access to that environment should
be limited as much as possible.
Payment Application Provider This is the company or dealer that provides the
hardware, software, or services to gather
cardholder information and send it along to a
processor. It could be a Verifone terminal, a
Point of Sale system or a web
application/shopping cart.
Payment Acceptance Environment The area where credit/debit transactions are
processed. This is both a physical as well as a
computer network environment. This is
anywhere a customer provides his card to an
employee, and everywhere the information on
that card is transmitted or stored (anything it
touches).
Payment Application Environment Same as Payment Acceptance Environment.
Service Provider
Software Vendors
SSL Secure Sockets Layer (SSL) is an industry
standard for secure communications. It was
developed by Netscape for transmitting private
documents and quickly became a standard for
both web and data transport. SSL uses public-key
cryptography, in which the server holds a
private key known only to it and publishes the
matching public key in a certificate, to
authenticate the server and agree on a session
key; the data itself is then encrypted with that
shared symmetric session key.
TCP/IP Transmission Control Protocol/Internet Protocol