
Data Security

The Payment Card Industry (PCI) Data Security Standard was created by major credit card companies to safeguard consumer information. Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers who accept credit cards meet certain minimum standards of security when they store, process and transmit cardholder data.

It is the customer's responsibility to comply with the PCI laws; however, Abacus feels that it should be proactive in helping its customers meet these new, more stringent standards.

PCI compliance depends on three components:
» Software Version
» Settings within the software
» Infrastructure and security of the network

Verify that your software version and software settings are PCI DSS compliant. Please remember the infrastructure and security of your network is your responsibility, but Abacus can also provide services to assist you with the security of your network if you would like.

Is Your Current Version of Aloha PCI DSS Compliant?

To find out whether your version of Aloha meets the current PCI DSS/FACTA standards, check your version number: in Aloha Manager, go to Help > About, where the version and key number are shown.


PCI DSS Compliant Versions

Independent security consultants have recently audited Aloha POS v6.4 and v6.5, and these versions have been validated as conforming to the PA DSS requirements.

POS version      Report on Validation received   Validated against
Aloha POS v6.4   February 2009                   PA DSS v1.1
Aloha POS v6.5   June 2009                       PA DSS v1.2

Version Expiration
Check to see if your software is up to date or about to expire. Here's why you should upgrade.

Radiant expects these versions to appear on the list of validated payment applications published by the Payment Card Industry Security Standards Council (PCI SSC) in late June or early July. As a reminder, previously validated versions of the Aloha POS expire on the following dates:

POS version number   Validated against PABP/PA DSS version   Deployment notes                      Current validation expires on
Aloha v5.3.15        Pre-PABP v1.3                           Not recommended for new deployments   December 2, 2009
Aloha v6.1           PABP v1.3                               Not recommended for new deployments   June 2, 2010
Aloha v6.2           PABP v1.4                               Acceptable for new deployments        December 2, 2010

Abacus strongly encourages customers to adopt the most recent market-ready Aloha releases as they become available. If your version is no longer PCI DSS compliant, Abacus strongly recommends that you call us at (727) 524-017 so we can assist you in upgrading your version of Aloha.

Aloha PCI DSS Settings

Install Aloha® version 6.4, the latest PABP validated version of Aloha available. Versions later than 6.4 inherit the security enhancements of this version.

Configure printer output to mask the card number and omit the expiration date.

In Maintenance > Store Settings > Credit Card group > Voucher Printing 2 tab:
» Select Only show last 4 digits on all vouchers from the ‘Credit
   Card Number Mask’ drop-down list.
» Select Suppress Expiration dates.

Create secure payment card tenders.

In Maintenance > Payments > Tenders > Type tab:
» Select Use Magnetic Card ONLY.
» Clear Print Expiration.
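Once the voucher masking and tender settings above are in place, check the printed output rather than assuming it. The PowerShell function below is an added example, not part of the Abacus page or of the Aloha product: it scans the lines of a voucher captured to a text file and reports any full card number (a 13 to 19 digit run that passes the Luhn checksum) or any printed expiration date. The sample voucher lines are constructed for the example, and 4111 1111 1111 1111 is a widely published test number, not cardholder data.

```powershell
# Added example (not Abacus or Aloha code): audit captured voucher text for
# unmasked card numbers and printed expiration dates.

function Test-LuhnChecksum {
    # Returns $true when the digit string passes the Luhn (mod 10) check,
    # which separates real card numbers from auth codes and reference numbers.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # [string] cast avoids the char code
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-UnmaskedCardData {
    # Returns one record per finding: line number, issue, and the offending text.
    param([Parameter(Mandatory)][string[]]$Lines)
    $findings = @()
    # 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
    $panPattern = '\b(?:\d[ -]?){12,18}\d\b'
    # "Exp: 12/27", "Expires 12/2027" and similar; masked "**/**" does not match.
    $expPattern = '(?i)\bexp(?:ires)?[:\s]*\d{2}/\d{2,4}'
    for ($n = 0; $n -lt $Lines.Count; $n++) {
        $line = $Lines[$n]
        foreach ($m in [regex]::Matches($line, $panPattern)) {
            $digits = $m.Value -replace '[ -]', ''
            if (Test-LuhnChecksum -Digits $digits) {
                $findings += [pscustomobject]@{ Line = $n + 1; Issue = 'Unmasked PAN'; Text = $line }
            }
        }
        if ($line -match $expPattern) {
            $findings += [pscustomobject]@{ Line = $n + 1; Issue = 'Expiration date printed'; Text = $line }
        }
    }
    return $findings
}

# Constructed sample voucher: line 2 is what a compliant voucher looks like,
# line 3 shows what the masking settings are meant to prevent.
$sampleVoucher = @(
    'MERCHANT COPY   Table 12   Server: Kim',
    'VISA  ************1111   Exp: **/**',
    'VISA  4111 1111 1111 1111   Exp: 12/27',
    'AUTH  012345   REF 7765123',
    'TOTAL  $42.17'
)
Find-UnmaskedCardData -Lines $sampleVoucher | Format-Table -AutoSize
```

Run against a real capture with `Find-UnmaskedCardData -Lines (Get-Content .\voucher.txt)`; an empty result means no full PAN or expiration date reached the printer. The Luhn check matters because auth codes and reference numbers are also digit runs, and without it the scan would drown in false positives.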

You may want to allow your managers to enter a card number manually without encountering the Manager Approval screen by selecting ‘Manual Card #’ on the Financial tab for the manager access level.

On the Identification tab:
» Clear Print on Check.

On the Security Verifications tab, if you are authorizing and settling direct to
Amex:
» Select Enter Security Code.
» Select All Cards, if you require a security code for all transactions of
   this card type, not just transactions entered manually.
» Type ‘4’ in # of Digits.
» Type ‘CCV#’ in Prompt.

On the Security Verifications tab, for processors who support AVS (currently
Visanet, BA Merchant Services, and RBS Lynk):
» Select Enter Address Verification Code.
» Select All Cards, if you require a zip code for all transactions of this
card type, not just transactions entered manually.
» Type ‘5’ in # of Digits.
» Select Numeric Only.
» Type ‘Zip Code’ in Prompt.

You may want to allow your managers to override the entry of the security code and address verification code, by selecting ‘Override Security Verification’ on the Financial 2 tab for the manager access level.

Require each employee to use passwords for accessing the Front-of-House terminals and set them to expire regularly.

In Maintenance > Store Settings > Security group > POS Password Settings tab:
» Select Required.
» Type a number in Min Password Digits. Abacus recommends at least 7
   digits.

In Maintenance > Labor > Job Codes > Job Code tab:
» Select Uses Password.
» Select Password Expires.
» Type at least ‘90’ in Renew after ____ Days.

Configure alternate security devices for use on the FOH terminals, such as fingerprint scanners, when installed.

Activate fingerprint scanners in Maintenance > Hardware > Terminals > Readers tab.

Configure back office security levels that provide no more access than
required for each employee type, in Maintenance > Labor > Back Office Security Levels.


You must use a unique user name and complex, expiring password to access Aloha Manager, unless a ‘super-key’ is available. For Aloha v6.4, the
Alt-X login method is no longer available. For Aloha versions earlier than
v6.4, you must manually disable the ‘Alt-X’ login method. (Refer to RKS ID
6298.)

Add the DelTrack command line to Winhook to remove sensitive card data.

Run DelTrack, preferably within Winhook as part of the End-of-Day (EOD) process, to ensure you are not storing sensitive card data for longer than the recommended number of days.

Stop EDC event logging in Maintenance > Store Settings > System group > Aloha Settings tab.

Network Configuration

» Verify Windows® is configured to purge the paging file each time you
   restart the BOH file server. Information about how to do this is available in
   the Microsoft® Knowledge Base.

» Disable the ‘Guest’ user in Control Panel. Procedures for doing this vary
   slightly from one operating system to another.

» Reconfigure all Aloha data and program directories relevant to remove the
   ‘Everyone’ user from them. Verify their configuration permits access only
   by the system administrator or other authorized accounts.

» Install antivirus software, and obtain updates for it routinely and often. (Do
   not use Norton version 7 and higher)

» Change all default passwords in routers, remote administrative software, or
   other third-party hardware or software, as appropriate.

» Install Aloha(QS) in a secondary directory beneath the root, as in
   C:\Bootdrv\Aloha(QS).

» Configure Aloha EDC to use an alternate path, outside the BootDrv share,
   to prevent network access to the EDC files. Accomplish this by creating a
   new environment variable (EDCProcPath) and moving the contents of the
   current EDC folder to the new location. (Refer to RKS ID 8755.)

» Ensure procedures are in place to prevent opening a direct Internet
   connection from any computer on the Aloha network.

» Create a Windows user account specifically for use in the Aloha network,
   independent of any other network requirements.

» Configure CtlSvr, EDCSvr, RFSSvr, and any other Aloha related service,
   devices, and BOH user accounts to use the network user account created
   specifically for this purpose.

» Disable Remote Desktop on routers, BOH servers, and POS terminals, if
   this remote access tool is not used to support the site. Abacus
   strongly recommends using Command Center as the single means of
   remote access for Aloha POS systems, to ensure the highest level of site
   security.

» Disable the System Restore feature in Windows.
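The Windows items in the list above can be applied from an elevated PowerShell prompt on the BOH file server. The script below is an added example and not Abacus, Radiant or Aloha code: the paths in $alohaDirs are assumptions to be replaced with the site's actual Aloha data and program directories, and the script covers only the paging-file, Guest account, 'Everyone' permission, Remote Desktop and System Restore items (antivirus, default passwords, the EDCProcPath change and the dedicated service account remain manual steps).

```powershell
# Added example (not Abacus/Aloha code): apply the Windows hardening items from
# the checklist to a BOH file server. Run from an elevated PowerShell prompt.

# ASSUMPTION: replace with the real Aloha data and program directories.
$alohaDirs = @('C:\Bootdrv\Aloha', 'C:\Bootdrv\AlohaQS')

# 1. Purge the paging file at every shutdown/restart.
$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $memMgmt -Name ClearPageFileAtShutdown -Value 1 -Type DWord

# 2. Disable the built-in Guest account (cmdlet exists on Windows 10 / Server 2016
#    and later; fall back to net.exe on older systems).
if (Get-Command Disable-LocalUser -ErrorAction SilentlyContinue) {
    Disable-LocalUser -Name 'Guest'
} else {
    net user Guest /active:no
}

# 3. Remove 'Everyone' from the Aloha directories. Inheritance is broken first
#    (keeping copies of the inherited rules) so a parent ACL cannot reintroduce it.
$everyone = New-Object System.Security.Principal.NTAccount('Everyone')
foreach ($dir in $alohaDirs) {
    if (-not (Test-Path $dir)) { Write-Warning "Skipping missing directory $dir"; continue }
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $true)
    $acl.PurgeAccessRules($everyone)
    Set-Acl -Path $dir -AclObject $acl
}

# 4. Disable Remote Desktop connections. Skip this step if RDP is the tool used
#    to support the site.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord

# 5. Disable System Restore on the system drive (client editions of Windows only).
if (Get-Command Disable-ComputerRestore -ErrorAction SilentlyContinue) {
    Disable-ComputerRestore -Drive 'C:\'
}

# Verification: both values should read 1, and no ACE should name Everyone.
[pscustomobject]@{
    ClearPageFileAtShutdown = (Get-ItemProperty -Path $memMgmt).ClearPageFileAtShutdown
    fDenyTSConnections      = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    EveryoneEntriesLeft     = @($alohaDirs | Where-Object { Test-Path $_ } |
        ForEach-Object { (Get-Acl $_).Access | Where-Object { $_.IdentityReference -eq 'Everyone' } }).Count
}
```

The verification object at the end is worth keeping in a scheduled task or a periodic check: the registry values and the ACL can drift back after software installs or operating-system upgrades, and the checklist only holds if it is re-verified.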

To contact us please email DataSecurity@abacuspos.com, or to leave a message call 727-524-0177 ext.430 and a representative will call you back within 24 hours.

Abacus. You can count on us.


          » Abacus Business Solutions  »  15301 Roosevelt Blvd.  »  Suite 303  »  Clearwater, FL 33760  »  Tel: (727) 524-0177  »  Fax: (727) 524-0188