Data Security
The Payment Card Industry (PCI) Data Security Standard was created by the major credit card companies to safeguard consumer information. Visa, MasterCard, American Express, and the other credit card associations mandate that merchants and service providers who accept credit cards meet certain minimum standards of security when they store, process and transmit cardholder data.
It is the customer's responsibility to comply with the PCI standard; however, Abacus feels that it should be proactive in helping its customers meet these new, more stringent standards.
PCI compliance depends on three components:
» Software version
» Settings within the software
» Infrastructure and security of the network
Verify that your software version and software settings are CISP compliant. Please remember that the infrastructure and security of your network is your responsibility, but Abacus can also provide services to assist you with the security of your network if you would like.
Is Your Current Version of Aloha CISP Compliant?
To find out if your version of Aloha meets the current CISP/FACTA standards, check your version in the Help section of Aloha Manager: go to Help > About, where the version and key number are shown.
CISP Compliant Versions
Independent security consultants have recently audited Aloha POS v6.4 and v6.5, and these versions have been validated as conforming to the PA DSS requirements.
Aloha POS v6.4 | Received Report on Validation in February, 2009 | Validated against PA DSS v1.1
Aloha POS v6.5 | Received Report on Validation in June, 2009 | Validated against PA DSS v1.2
Version Expiration
Check to see if your software is up to date or about to expire.
Here's why you should upgrade.
Radiant expects these versions to appear on the list of validated payment applications published by the Payment Card Industry Security Standards Council (PCI SSC) in late June or early July. As a reminder, previously validated versions of the Aloha POS expire on the following dates:
POS version number | Validated against PABP/PA DSS version | Deployment notes | Current validation expires on
Aloha v5.3.15 | Pre-PABP v1.3 | Not recommended for new deployments | December 2, 2009
Aloha v6.1 | PABP v1.3 | Not recommended for new deployments | June 2, 2010
Aloha v6.2 | PABP v1.4 | Acceptable for new deployments | December 2, 2010
Abacus strongly encourages customers to adopt the most recent market-ready Aloha releases as they become available.
If your version is no longer CISP compliant, Abacus strongly recommends that you call us at (727) 524-017 so we can assist you in upgrading your version of Aloha.
Aloha PCI Settings
Install Aloha® version 6.4, the latest PABP validated version of Aloha available. Versions later than 6.4 inherit the security enhancements of this version.
Configure printer output to mask the card number and omit the expiration date. In Maintenance > Store Settings > Credit Card group > Voucher Printing 2 tab:
» Select Only show last 4 digits on all vouchers from the ‘Credit Card Number Mask’ drop-down list.
» Select Suppress Expiration dates.
Create secure payment card tenders. In Maintenance > Payments > Tenders > Type tab:
» Select Use Magnetic Card ONLY.
» Clear Print Expiration.
You may want to allow your managers to enter a card number manually without encountering the Manager Approval screen by selecting ‘Manual Card #’ on the Financial tab for the manager access level.
On the Identification tab:
» Clear Print on Check.
On the Security Verifications tab, if you are authorizing and settling direct to Amex:
» Select Enter Security Code.
» Select All Cards, if you require a security code for all transactions of this card type, not just transactions entered manually.
» Type ‘4’ in # of Digits.
» Type ‘CCV#’ in Prompt.
On the Security Verifications tab, for processors who support AVS (currently Visanet, BA Merchant Services, and RBS Lynk):
» Select Enter Address Verification Code.
» Select All Cards, if you require a zip code for all transactions of this card type, not just transactions entered manually.
» Type ‘5’ in # of Digits.
» Select Numeric Only.
» Type ‘Zip Code’ in Prompt.
You may want to allow your managers to override the entry of the security code and address verification code by selecting ‘Override Security Verification’ on the Financial 2 tab for the manager access level.
Require each employee to use a password for accessing the Front-of-House terminals, and set passwords to expire regularly.
In Maintenance > Store Settings > Security group > POS Password Settings tab:
» Select Required.
» Type a number in Min Password Digits. Abacus recommends at least 7 digits.
In Maintenance > Labor > Job Codes > Job Code tab:
» Select Uses Password.
» Select Password Expires.
» Type at most ‘90’ in Renew after ____ Days.
Configure alternate security devices for use on the FOH terminals, such as fingerprint scanners, when installed. Activate fingerprint scanners in Maintenance > Hardware > Terminals > Readers tab.
Configure back office security levels that provide no more access than required for each employee type, in Maintenance > Labor > Back Office Security Levels.
You must use a unique user name and a complex, expiring password to access Aloha Manager, unless a ‘super-key’ is available. For Aloha v6.4, the Alt-X login method is no longer available. For Aloha versions earlier than v6.4, you must manually disable the ‘Alt-X’ login method. (Refer to RKS ID 6298.)
Add the DelTrack command line to Winhook to remove sensitive card data. Run DelTrack, preferably within Winhook as part of the End-of-Day (EOD) process, to ensure you are not storing sensitive card data for longer than the recommended number of days.
Stop EDC event logging in Maintenance > Store Settings > System group > Aloha Settings tab.
Network Configuration
» Verify Windows® is configured to purge the paging file each time you restart the BOH file server. Information about how to do this is available in the Microsoft® Knowledge Base.
» Disable the ‘Guest’ user in Control Panel. Procedures for doing this vary slightly from one operating system to another.
» Reconfigure the permissions on all relevant Aloha data and program directories to remove the ‘Everyone’ user from them. Verify their configuration permits access only by the system administrator or other authorized accounts.
» Install antivirus software, and obtain updates for it routinely and often. (Do not use Norton version 7 and higher.)
» Change all default passwords in routers, remote administrative software, or other third-party hardware or software, as appropriate.
» Install Aloha(QS) in a secondary directory beneath the root, as in C:\Bootdrv\Aloha(QS).
» Configure Aloha EDC to use an alternate path, outside the BootDrv share, to prevent network access to the EDC files. Accomplish this by creating a new environment variable (EDCProcPath) and moving the contents of the current EDC folder to the new location. (Refer to RKS ID 8755.)
» Ensure procedures are in place to prevent opening a direct Internet connection from any computer on the Aloha network.
» Create a Windows user account specifically for use in the Aloha network, independent of any other network requirements.
» Configure CtlSvr, EDCSvr, RFSSvr, and any other Aloha-related service, devices, and BOH user accounts to use the network user account created specifically for this purpose.
» Disable Remote Desktop on routers, BOH servers, and POS terminals if this remote access tool is not used to support the site. Abacus strongly recommends using Command Center as the single means of remote access for Aloha POS systems, to ensure the highest level of site security.
» Disable the System Restore feature in Windows.
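As an added, read-only audit for several of the Network Configuration items above (this script is not part of the Abacus page or the Aloha software), the PowerShell below reports pass/fail for the paging-file purge, the Guest account, ‘Everyone’ permissions on Aloha directories, the EDCProcPath relocation, Remote Desktop, and System Restore. The directory paths and the use of the DisableSR policy value for the System Restore check are assumptions; adjust them for your site.

```powershell
# Added read-only audit (not Abacus or Radiant code) for the Network
# Configuration items. Assumptions: the Aloha directory paths below and the
# DisableSR policy value for the System Restore check; EDCProcPath is the
# variable name the guide cites. Run as an administrator on the BOH server.
param(
    [string[]]$AlohaDirs = @('C:\Bootdrv\Aloha', 'C:\Bootdrv\AlohaQS')
)
$findings = @()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# Paging file purged at each restart (ClearPageFileAtShutdown = 1)
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
Add-Finding 'Paging file purged on restart' ($clear -eq 1) "ClearPageFileAtShutdown=$clear"

# Built-in Guest account disabled
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Finding 'Guest account disabled' ($null -eq $guest -or -not $guest.Enabled) "Enabled=$($guest.Enabled)"

# No 'Everyone' access control entry on the Aloha data and program directories
foreach ($dir in $AlohaDirs) {
    if (-not (Test-Path -Path $dir)) { Add-Finding "Directory present: $dir" $false 'not found'; continue }
    $everyone = @((Get-Acl -Path $dir).Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
    Add-Finding "No 'Everyone' entry on $dir" ($everyone.Count -eq 0) "Everyone entries=$($everyone.Count)"
}

# EDC files relocated outside the BootDrv share through the EDCProcPath variable
$edcPath = [Environment]::GetEnvironmentVariable('EDCProcPath', 'Machine')
$outside = [bool]$edcPath -and ($edcPath -notmatch '(?i)bootdrv')
Add-Finding 'EDCProcPath set outside BootDrv' $outside "EDCProcPath=$edcPath"

# Remote Desktop disabled (fDenyTSConnections = 1) unless it is used to support the site
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
Add-Finding 'Remote Desktop disabled' ($deny -eq 1) "fDenyTSConnections=$deny"

# System Restore turned off by policy (DisableSR = 1); assumption: the site uses the policy setting
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$disableSr = (Get-ItemProperty -Path $sr -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
Add-Finding 'System Restore disabled by policy' ($disableSr -eq 1) "DisableSR=$disableSr"

# Any row with Pass = False is an item still to be fixed by hand per the list above
$findings | Format-Table -Property Check, Pass, Detail -AutoSize
```

The script only reads registry values, account state and ACLs; it changes nothing, so it can be rerun after each fix to confirm the item now passes.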