Copyright 2009 Intuit, Inc. All rights reserved. Redistributed by Retail Pro International, LLC under license.
Retail Pro International, LLC
400 Plaza Dr., Suite 200
Folsom, CA 95630 USA
USA 1-800-738-2457
International +1-858-550-3355
www.retailpro.com
Trademarks
Retail Pro and the Retail Pro logo are registered trademarks and/or registered service marks in the United States and other countries. Oracle
and Oracle 9i are registered trademarks and/or registered service marks of Oracle Corporation. All rights reserved. Other parties' trademarks
or service marks are the property of their respective owners and should be treated as such.
03/30/2009
05/26/2009
Various updates.
08/28/2009
Table of Contents
About this Guide ..................................................................................................................1
Introduction..........................................................................................................................4
About Retail Pro and PCI Data Security Standards.......................................................4
Installing Retail Pro .............................................................................................................5
Do Not Place Application Server and Web Server on Same Server or in DMZ ...........5
Firewalls.........................................................................................................................5
Configuring Retail Pro.........................................................................................................6
Setting up Employee Security........................................................................................6
Assigning Employee Security Permission ...................................................................10
Requiring Strong (Complex) Passwords......................................................................15
Application Audit Logging ..........................................................................................18
Configuring Retail Pro Preferences .............................................................................20
Storing Authentication Information...................................................................................22
Do Not Store Sensitive Authentication Data after Authorization................................22
Delete Non-PCI Compliant Auth Data and Crypt Keys ..............................................25
Sanitizing Card Numbers in Retail Pro 8.....................................................................25
Sanitizing Card Numbers in Retail Pro 9.....................................................................30
Logging the Viewing of Credit Card Numbers in V9..................................................33
Viewing Group Membership/Permission Lists in V9..................................................35
Logging the Viewing of Card Numbers in V8.............................................................37
Logging Changes to V8 See Card Number Permission ...........................................38
Securely Handling Customer Data Used for Debugging.............................................40
Other PA-DSS/PABP Compliance Measures....................................................................42
Protect Wireless Transmissions ...................................................................................42
Facilitate Secure Remote Software Updates................................................................43
Facilitate Secure Remote Access to Application .........................................................44
Use strong cryptography and encryption techniques ...................................................44
Never Send Unencrypted Personal Access Numbers by E-mail .................................44
Never Use Default Administrative Accounts for Application Logon .........................45
Changing the Default Sysadmin Password ..................................................................45
Protecting Cardholder Data................................................................................................46
Don't Store Full Magnetic Stripe/CVV2 Data.............................................................46
Protect Stored Data ......................................................................................................47
Provide Secure Password Features ..............................................................................48
2009 Retail Pro International, LLC All rights reserved.
2
Introduction
About Retail Pro and PCI Data Security Standards
When customers offer a credit card/bankcard at the point of sale, over the Internet, on the phone,
or through the mail, they need to know that their account information is safe. The Payment Card
Industry (PCI) Data Security Standards have been developed to address security and the risks
associated when full magnetic stripe data or CVV2 values are stored during or after the
authorization process by payment software applications. Visa developed the Payment Application
Best Practices (PABP) to assist software developers and application providers in deploying secure
software programs and help merchants to fully comply with PCI standards.
The security requirements for PCI compliance apply to all system and network components,
server, or application that is included in or connected to the cardholder data environment. The
cardholder data environment is that part of the network that possesses cardholder data or sensitive
authentication data.
Note: Adequate network segmentation, which isolates systems that store, process, or transmit
cardholder data from those that do not, may reduce the scope of the cardholder data environment.
Cross-reference of guide sections to PA-DSS/PABP requirements (only these cells of the table survive in this copy). PA-DSS/PABP Requirements: 9.0; 3.4, 4.2. Description: Storing Authorization Data; Other PA-DSS/PABP Compliance Measures.
Installing Retail Pro
Do Not Place Application Server and Web Server on Same Server or in DMZ
- Never install Retail Pro in the DMZ or any other zone that is directly routable to the Internet.
- Make sure the database server and web server are on different servers.
Firewalls
Firewalls are devices (or host software) that control the traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within the company's internal network. A firewall examines all network traffic and blocks transmissions that do not meet the specified security criteria. Seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems, so firewalls are a key protection mechanism against unauthorized access.
When installing Retail Pro, make sure the firewall does the following:
- Denies all traffic from untrusted networks and hosts, except for the protocols necessary for the cardholder data environment (a default-deny policy, not a block list of known-bad traffic).
- Restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks.
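As an added example (not part of the Retail Pro guide), the following nftables ruleset shows how the host that stores cardholder data can enforce both bullets: deny everything by default in both directions, allow the database port only from POS workstations, allow a single outbound path to the processor gateway, and explicitly log and drop anything arriving from the DMZ or wireless segments. All addresses, the internal DNS/NTP host and the 1521/tcp Oracle listener port are assumptions made for illustration.

```nft
# nftables ruleset for the host that stores cardholder data.
# Added example, not from the Retail Pro guide. The addresses and ports
# below are ASSUMPTIONS made for illustration:
#   10.10.20.0/24  POS workstations (trusted, inside the cardholder data environment)
#   10.10.10.0/24  DMZ / publicly accessible servers (web server)
#   10.10.30.0/24  wireless segment
#   10.10.20.5     internal DNS/NTP server
#   203.0.113.10   EFT processor gateway (RFC 5737 documentation address)
#   1521/tcp       Oracle listener (Oracle's default; Retail Pro 9 runs on Oracle)
flush ruleset

table inet cde {
  chain input {
    type filter hook input priority 0; policy drop;      # deny all by default
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # The only service reachable inbound: the database port, and only from POS workstations.
    ip saddr 10.10.20.0/24 tcp dport 1521 accept
    # Public servers and wireless never initiate connections to this host.
    # The drop is already implied by the policy; logging it makes the attempts auditable.
    ip saddr { 10.10.10.0/24, 10.10.30.0/24 } log prefix "cde-in-deny " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;     # deny outbound too
    oif lo accept
    ct state established,related accept
    # Authorization traffic to the processor gateway only, over TLS.
    ip daddr 203.0.113.10 tcp dport 443 accept
    ip daddr 10.10.20.5 udp dport { 53, 123 } accept
    # No other egress, so the host is never directly routable to the Internet.
    log prefix "cde-out-deny " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;    # this host routes nothing
  }
}
```

Load it with nft -f and confirm with nft list ruleset. The two log prefixes give the operations team a ready-made signal: any entry tagged cde-in-deny is a DMZ or wireless host trying to reach the cardholder database, which should never happen and is worth an alert.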
2. Enter your User Name and Password, select a Language and then click Login.
Result: Security Administrator launches. By default, the Users tabbed page is selected.
7. Select the System node to display the list of system-related security permissions. Select or
clear the checkbox for the System Preferences permission, as necessary.
A user assigned this permission can change the setting for encrypting stored credit card
numbers (System Preferences > Point of Sale > EFT), so it should be strictly controlled and
granted to as few accounts as possible.
8. Select the POS node to display the list of POS-related security permissions. Select or clear the
EFT See card number permission, as necessary.
If selected, group members can see the full card number when performing EFT transactions.
If cleared, group members see only the last four digits of the card number; the remaining
digits are displayed as x's (xxxx).
9. Select File > Save or click the Save button.
10. Select File > Exit to close Security Administrator.
Strong (complex) password requirements:
- Have passwords expire and require change at least every 90 days (with a grace period before expiration), and prevent previous passwords from being reused for a given period of time. The new password cannot be the same as any of the last four passwords.
- Lock the user account after a pre-specified number of login attempts (not more than six attempts), with a lockout duration of 30 minutes or until an administrator re-enables the user.
- Require the user to re-enter the password to reactivate a terminal that has been idle for more than 15 minutes.
- Require passwords to contain non-alphanumeric characters (e.g. !, $, %).
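The following Python module, added here as an example and not code from Retail Pro, implements the policy above so that each rule can be exercised against an account object: complexity checks, a four-password history, lockout after six failures for 30 minutes (or until an administrator unlocks), 90-day expiry, and the 15-minute idle timeout. The minimum length of 7 and the requirement for upper-case, lower-case and digit characters are assumptions (the page names only non-alphanumerics), and storing passwords as salted PBKDF2 hashes is an assumption about good practice, not a description of how Retail Pro stores them.

```python
"""Password policy and lockout rules from the list above (added example; not Retail Pro code)."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7                  # assumption: the page does not state a minimum length
MAX_AGE_SECONDS = 90 * 86400    # expire and require change at least every 90 days
HISTORY_DEPTH = 4               # new password may not equal any of the last four
MAX_FAILED_ATTEMPTS = 6         # lock after at most six failed attempts
LOCKOUT_SECONDS = 30 * 60       # locked for 30 minutes or until an administrator unlocks
IDLE_TIMEOUT_SECONDS = 15 * 60  # re-enter password after 15 idle minutes


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so history and verification never touch plaintext
    # (an assumption about good practice, not how Retail Pro stores passwords).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_violations(password: str) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    checks = [
        (len(password) >= MIN_LENGTH, f"fewer than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in string.punctuation for c in password), "no non-alphanumeric (e.g. !, $, %)"),
    ]
    return [msg for ok, msg in checks if not ok]


class Account:
    """One user account with password history, lockout and idle tracking.
    Times are seconds on any monotonic clock; they are passed in so the rules are testable."""

    def __init__(self, username: str, password: str, now: float):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, derived), newest last
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.last_activity = now
        self.set_password(password, now)

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), derived)
                   for salt, derived in self.history[-HISTORY_DEPTH:])

    def set_password(self, password: str, now: float) -> None:
        problems = complexity_violations(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        if self._in_history(password):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH} passwords")
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed_attempts = 0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def admin_unlock(self) -> None:
        """Administrator re-enables the user before the 30 minutes are up."""
        self.locked_until = 0.0
        self.failed_attempts = 0

    def password_expired(self, now: float) -> bool:
        return now - self.changed_at > MAX_AGE_SECONDS

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'expired' (correct but must be changed), 'locked' or 'bad-password'."""
        if self.locked_until and not self.is_locked(now):
            self.locked_until, self.failed_attempts = 0.0, 0   # lockout elapsed
        if self.is_locked(now):
            return "locked"                      # do not even check the password
        salt, derived = self.history[-1]
        if not hmac.compare_digest(_derive(password, salt), derived):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad-password"
        self.failed_attempts = 0
        self.last_activity = now
        return "expired" if self.password_expired(now) else "ok"

    def needs_reauth(self, now: float) -> bool:
        """True once the terminal has sat idle longer than 15 minutes."""
        return now - self.last_activity > IDLE_TIMEOUT_SECONDS
```

The lockout check runs before the password is verified, so an attacker who already triggered the lock learns nothing about the password from further attempts, and the counter is reset only by a successful login, a password change, an elapsed lockout, or an explicit administrator unlock.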
You define settings for individual groups, and the settings then apply to all members of the group.
To enable strong passwords (v8)
1. Launch Security Administrator (SecAdmin.exe) from the \Retail\SecAdmin\ folder.
2. Select the Groups tab.
3. Select the group with which you want to work, and then select the Policy tab.
Result: A list of user security features is displayed.
4. Double click the Enforce Strong Password field, or select the field and press <F4>.
Result: The Enforce Strong Password dialog is displayed.
5. Select Enable, and then click OK.
6. Click the Save button and then exit Security Administrator.
Result: Members of the group are now subject to strong password requirements.
For PCI compliance, you must enable the user account auditing options. When these options are set,
any time a user tries to log on (successfully or unsuccessfully), changes a password, or edits
security groups, Retail Pro logs the activity. These activities can then be viewed using the
appropriate Audit report.
To set user account auditing (v8):
1. Launch Security Administrator (SecAdmin.exe) from the \Retail\SecAdmin\ folder.
2. Select the Groups tab.
3. Select the group with which you want to work, and then select the Policy tab.
Result: A list of user security features is displayed.
4. Double click the Account Auditing field, or select the field and press <F4>.
Result: The Account Auditing dialog is displayed.
5. Select Enable Account Auditing, select the events to audit, and then click OK. The dialog lists each available event with a description; at a minimum, audit logons (successful and failed), password changes, and security group edits, which are the events named above.
6. Click the Save button (<Alt+S>), and then exit Security Administrator.
If selected, Retail Pro will store the entire card number in an encrypted format on database
records.
If not selected, Retail Pro will store only the last four digits of the card number (prefixed with
twelve zeroes) in an encrypted format. Because the first 12 digits are replaced with zeroes, the
stored value is a truncated card number, which PCI does not treat as cardholder data; encrypting
the truncated value is additional protection on top of that, so this setting is also PCI compliant.
Important! Both settings are PCI compliant. Without storing credit card numbers, you can't
associate credit cards with customers, and some of the features in receipts won't work without the
credit card number. However, if full card numbers are not stored, there are no card numbers on
the system for an attacker to steal, which may reduce the company's insurance rates and possibly
processor costs. Store the full number only if a business function actually requires it.
Reference: See Appendix B. Preferences of the Retail Pro 8 User's Guide (v8) or the Retail Pro 9
User's Guide (v9) for more information on Retail Pro Preferences.
When a customers credit card is swiped at point of sale in both v8 and v9, Retail Pro passes the
data in the magnetic stripe to the EFT processor (via the processor gateway). At no point is the
full stripe and CVV2 information stored in the Retail Pro database.
When displaying card numbers, Retail Pro masks account numbers. The first 12 digits are
displayed as asterisks (*). The last four digits are displayed.
When storing card numbers in the Retail Pro database, the only card information stored is
cardholder name, credit card name and type, credit card number, and expiration date.
Note: Retailers must make sure that the Retail Pro server on which cardholder data is stored is not
connected to the Internet.
PCI Data Security Standards require that payment applications mask the display of full credit card
data where appropriate (POS screens/printouts, logs, report screens, etc.).
Administrators and other relevant users can be assigned a security permission that allows them to
see the full card number by clicking a button.
Securely delete log files, debugging files, and other data sources to ensure that magnetic stripe
data, CVV values, and PINs are not stored on systems (PA-DSS/PABP Requirement 1.1.6). See the
Securely Handling Customer Data Used for Debugging section. Locations to check in a Retail Pro
installation, and the EFT log file names used there:
- \Retail\Rpro\SecurDoc
- \Retail\Rpro\LogFiles
- EFT log files named EFT_PCC_YYMMDD or EFT_RBS_YYMMDD
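The storage preference above (keep only the last four digits, zero-filled), the display rule (first 12 digits shown as asterisks) and the requirement to scrub stripe data, CVV values and PINs from log and debug files share one piece of logic, so here is a single Python example, added here and not part of Retail Pro or this guide. It masks and truncates a PAN of any length (the 16-digit case in the text is one instance), validates candidate numbers with the Luhn check, and redacts track 1/track 2 data, labelled CVV/PIN fields and bare PANs from a constructed log excerpt. The log lines and field names (pan=, cvv2=) are constructed for the example; the ones-fill option mirrors the clear mode of the Credit Card Maintenance Tool described later in this guide. Nothing about Retail Pro's actual log format is assumed to match.

```python
"""PAN masking, truncation and log redaction (added example; not Retail Pro code)."""
import re

# Track 1: %B<PAN>^<NAME>^<expiry/service code/discretionary>?   Track 2: ;<PAN>=<...>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d+\??")
# Labelled sensitive authentication data. A bare 3-4 digit CVV or PIN cannot be
# recognised without its label, so an unlabelled one would be missed.
SAD_LABEL_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,4}\b")
# Any 13-19 digit run not adjacent to other digits is a candidate PAN.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """All but the last four digits become '*' (12 asterisks for a 16-digit PAN)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def truncate_for_storage(pan: str, fill: str = "0") -> str:
    """Keep only the last four digits; fill the rest with '0' (store-last-four
    preference) or '1' (maintenance tool clear mode). The result is no longer
    cardholder data: the real digits are gone, not hidden."""
    return fill * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Remove track data and CVV/PIN fields, then mask every Luhn-valid PAN."""
    text = TRACK1_RE.sub("[TRACK1 REMOVED]", text)
    text = TRACK2_RE.sub("[TRACK2 REMOVED]", text)
    text = SAD_LABEL_RE.sub(lambda m: m.group(1) + "=[REMOVED]", text)

    def _mask(m: re.Match) -> str:
        candidate = m.group(0)
        # The Luhn filter drops most timestamps and reference numbers; a rare
        # false positive only over-redacts, which is the safe failure here.
        return mask_for_display(candidate) if luhn_valid(candidate) else candidate

    return PAN_RE.sub(_mask, text)


def scan_debug_file(lines):
    """Return (line number, redacted line) for each line that carried card data."""
    hits = []
    for n, line in enumerate(lines, 1):
        clean = redact(line)
        if clean != line:
            hits.append((n, clean))
    return hits


# Constructed log excerpt (5454 5454 5454 5454 is a test PAN, not a customer record).
SAMPLE_LOG = """\
2009-08-28 10:01:02 EFT auth ok pan=5454545454545454 exp=1012 cvv2=123 amount=19.99
2009-08-28 10:01:02 DEBUG swipe=%B5454545454545454^DOE/JOHN^1012101000000000000?;5454545454545454=10121010000000000000?
2009-08-28 10:01:03 receipt sid=100000123 ref=20090828001 tender=last4:5454
"""

if __name__ == "__main__":
    for n, clean in scan_debug_file(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {clean}")
```

Run it against the SecurDoc and LogFiles folders before a debug file leaves the store: any line scan_debug_file reports is a line that contained data the guide says must never be stored, and the redacted copy is what may be sent to support.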
Polling Considerations
Polling does not encrypt or decrypt data. This is one reason why it is important to install a CISP-compliant version of Retail Pro at the Main station and at all Remote stations. If you run the conversion tool at the Main and then poll non-encrypted data from a Remote (either because you don't have a CISP-compliant version installed there, or because you have old polling transmission files generated before the change was put in place), the Main will end up with both non-encrypted and encrypted receipts. The tool can be run again at the Main later, but it is better to get CISP-compliant versions of Retail Pro running everywhere first, and then run the Credit Card Maintenance tool.
Run the conversion tool (CcMaintv2.exe) at each Retail Pro 8 installation where you want credit
card numbers encrypted.
The utility reads through your receipts, sales orders, and customer records and encrypts the
numbers. After conversion, only employees with sufficient security rights can view complete
credit card numbers.
Important! Run the utility (CcMaintv2.exe) from the command prompt only; do not open the
file by double-clicking it.
4. In the command prompt, change to the drive where your Retail Pro installation is located. For
example, if your installation is on the C drive, type C: and press <Enter>.
6. To convert files, type ccmaintv2.exe WS:nn /txxxxx in the command prompt, and press
<Enter>. The nn is your two-digit workstation number; xxxxx is the list of record-type letters
you choose from the parameter table below. Note that this example writes the record types as
/tcrs while the parameter table writes them as /t:c; run ccmaintv2.exe /? to confirm the exact
syntax your build accepts before converting production data, and take a backup first, because
the tool rewrites receipts, sales orders, and customer records in place.
For example, if you type ccmaintv2.exe WS:01 /tcrs in the command prompt, the utility will
convert your customers, archived customers, and sales orders.
At the end of the conversion, a screen popup will display the number of total files scanned and
the number of files that have been processed.
Available parameters
The following is a list of all the parameters that you can use with the Credit Card Maintenance
Tool. Descriptions that did not survive in this copy of the guide are left blank; ccmaintv2.exe /?
prints the full list.
Parameter: Description
/?: Displays the help list of parameters.
Ws:##: Your two-digit workstation number.
/t:c
/t:r
/t:s
/t:a
/t:i
/t:crsai: Record types to convert; the letters can be combined (for example, crs converts customers, archived customers, and sales orders).
/u
/b:YYYYMMDD: Begin date of the records to process.
/e:YYYYMMDD: End date of the records to process.
/m:c: Mode = Clear. The first 12 digits are changed to 1. For example, 5454545454545454 becomes 1111111111115454.
/m:e: Mode = Encrypt. Ccmaintv2.exe will re-generate encryption keys and re-encrypt each and every credit card it finds, regardless of whether it was already encrypted or not.
/c:path[,path...]: A list of paths to ECM folders (those folders where Ecm.exe and EcmProc.exe are located). If you have multiple ECM installs pointing to the same 8-series data, pass those paths separated by a comma (no blank spaces in between), e.g. "/c:d:\ecm,d:\ecm_extra,d:\ecm_backup". You can surround the entire /c: parameter with quotation marks to make sure it is all parsed as a single parameter.
Re-encrypting all credit and debit card numbers for the entire database.
Sales orders
Include: Select the Include checkbox to enable options for truncating credit card numbers on sales orders.
Card numbers: If selected, credit card numbers are truncated so that only the last four digits are stored in sales orders.
Expiration dates: If selected, credit card expiration dates are removed from sales orders.
Unfilled/Filled SOs: Select which sales orders will have credit card numbers truncated. You can select unfilled sales orders and/or filled sales orders. Unfilled sales orders have a remaining quantity due; filled sales orders do not.
Unfilled SO: Select a date range (in the Begin Date and End Date fields) of unfilled sales orders to include.
Filled SO: Select a date range (in the Begin Date and End Date fields) of filled sales orders to include.
Receipts
Include: Select the Include checkbox to enable options for truncating credit card numbers on receipts. Select a date range (in the Begin Date and End Date fields) of receipts to include.
Card numbers: If selected, credit card numbers are truncated so that only the last four digits are stored on receipts.
Customers
Include: Select the Include checkbox to enable options for truncating credit card numbers on customer records. Select a date range (in the Begin Date and End Date fields) of records to include.
Card numbers: If selected, credit card numbers are truncated on the selected customer records so that only the last four digits are stored.
Expiration dates: If selected, credit card expiration dates are removed from the selected customer records.
Selection: Which customer records are included:
Inactive Customers
Security Level (secured customers)
Global Customers: If selected, card numbers are truncated on customer records that are marked as Global (available to all subsidiaries).
3. Locate the log entry that you want to view, and then double-click in the Comments field.
Result: A pop-up displays the SID for the customer or receipt and the last four digits of the
card number.
4. Click the X to close the pop-up.
The following shows the contents of the Comments field for a log entry recorded when the Show
Card button was selected in the Receipts module.
Reference: See Chapter 9. Customer Management and Chapter 10. Recording Sales and Returns
of the Retail Pro 9 Users Guide.
Group-Employees List (displays the list of employees and the security groups to which each employee is assigned):
Group Name
Employee Name
Active Employee
Group permission list (displays the permissions assigned to each group):
Group Name
Application Name: The name of the application for which the group has permission.
Application Area: The area of the application for which the group has permission.
Please note that there is no preference option for this high-security receipt type; the creation of
high-security receipts for the viewing of card numbers cannot be disabled.
Sample High Security Receipt Created by Viewing a Card Number:
- A group that has the permission set is deleted; therefore, the permission is disabled for members of the deleted group.
A separate log entry is made for each member of the group. In this way, retailers have a record of all changes to this security permission and the user(s) affected by the change.
Sample log file generated by changes to the See Card Number permission:
Field: Description
Application
OSUser
AppUser: The name of the Retail Pro user who made the change.
HostName
Operation
Action
User: The Retail Pro user name of the employee (group member) whose permission status was changed.
Employee: The name of the employee (group member) whose permission status was changed.
Group: The name of the user group to which the change was made.
Comment
- Trust problems: If your wireless LAN is part of your enterprise network, then a compromise of your wireless LAN may lead to the compromise of your enterprise network. An attacker with a rogue access point can fool a mobile station into authenticating with the rogue access point, thereby gaining access to the mobile station. The only protection against these types of attacks is an authentication mechanism in which the station verifies the access point as well (mutual authentication), not just the reverse.
- Man-in-the-middle: Packet spoofing (fake IP address) and impersonation are also valid threats, whereby traffic is intercepted midstream and then redirected by an unauthorized individual for malicious purposes.
Make sure that:
- WEP keys were changed from the default at installation and are changed any time anyone with knowledge of the keys leaves the company or changes positions.
Note: WEP itself is cryptographically broken; its keys can be recovered from captured traffic regardless of how often they are rotated. Key rotation is the minimum for legacy equipment that cannot be replaced; wherever possible use WPA2 with a strong passphrase or 802.1X authentication, and keep the wireless segment outside the cardholder data environment behind a firewall.
- Only turn on the modem when needed for downloads. Turn it off immediately after the download is complete.
- When accessing cardholder data via modem, do not store the data on local hard drives, floppy disks, or other external media.
- Ensure that every computer and network involved with cardholder data runs current anti-virus software with up-to-date signatures.
- Limit access to computing resources and cardholder information to only those individuals whose job requires such access.
- Change default passwords and security settings. Hackers often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information. Always change the vendor-supplied defaults before you install a system on the network (for example, passwords, Simple Network Management Protocol [SNMP] community strings, and elimination of unnecessary accounts).
Note: Using Retail Pro's security features will enable you to comply with the Do's and Don'ts listed here.
Don'ts
- Never store payment data on a web server or cache it anywhere in memory related to a web server. Payment data may only be stored in a separate, secure database, behind at least one external firewall.
- Never store Card Identification (CID) information. (A CID may be held only to obtain authorization, in order to process a payment, and must not be retained afterward.)
- Never store track data from the magnetic stripe on the back of the card.