To ensure PCI compliance, several configuration options within BE must be set for security, and to ensure that no unmasked card numbers are stored or recorded in BE, either within the database or as memory variables. These options are considered below.
For PCI Compliance the EFTLink Interface must be used with BE. The BE direct interfaces which do not use EFTLink are not considered to be PCI compliant.
BE offers both fixed port IP and HTTP connectivity between the POS and back end server but the fixed port IP is the only method recommended for PCI compliance. If HTTP absolutely must be used, then the ‘Encrypted Communications’ option must be enabled.
The following setting will encrypt the data sent between clients and services. By default there is no encryption of the data between clients and services.
The following setting should be added under the Miscellaneous section of the Dynamic.ini file on all machines where BE services are run:
This setting does not need to be set on machines where only the client applications run. When a client connects to the encrypted server, it will detect the encryption and automatically adjust itself to use the encryption.
The following setting will encrypt the user passwords stored within the database. In addition, the setting will encrypt the connection string to the database stored within the Dynamic.ini on machines where the services are installed. By default there is no encryption of the user passwords or database connection string.
The following setting should be added under the Miscellaneous section of the Dynamic.ini file on all machines where BE client applications and services are run:
The following setting will mask any card numbers returned to BE according to the selected card masking style.
This is configured through the System Settings (which can be accessed by running the module DATAENTRYBASIC.EXE SYSTEM), and amending the option Masking Type within the EFTLink panel on the POS 3 tab. There are two available masking styles, Last 4 Characters and First 6, Last 4 Characters. For PCI Compliance we recommend having a Masking Type of Last 4 Characters.
Note: For PCI Compliance card numbers returned to BE from the EFT Payment system MUST already be masked.
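The two masking styles described above, written out as an added example (this is not BE or EFTLink code). The masking function keeps only the last 4 digits, or the first 6 and last 4, and replaces the rest with asterisks. The scan function is the check a practitioner would run over stored data or logs to confirm that nothing unmasked was recorded: it looks for 12 to 19 digit runs and filters them with the Luhn checksum so that receipt numbers and timestamps are not reported. The log lines below are constructed sample input, not output from any real system.

```python
"""Card-number masking and an unmasked-PAN scan.

Added example for the masking settings described in the page; not BE or
EFTLink code. The masking style names match the page; the log sample
is constructed.
"""
import re

LAST_4 = "Last 4 Characters"
FIRST_6_LAST_4 = "First 6, Last 4 Characters"

# Digit runs of card-number length, allowing spaces or dashes between groups.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, style: str = LAST_4) -> str:
    """Mask a card number in one of the two styles the page describes."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a card-number length")
    if style == LAST_4:
        keep_lead = 0
    elif style == FIRST_6_LAST_4:
        keep_lead = 6
    else:
        raise ValueError(f"unknown masking style: {style}")
    hidden = len(digits) - keep_lead - 4
    return digits[:keep_lead] + "*" * hidden + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid card-length digit run found in text.

    A masked value such as ************1111 never matches because it no
    longer contains 12 or more digits.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 12 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample log: one masked card, one unmasked test card number,
# and a receipt number that is card-length but fails the Luhn check.
SAMPLE_LOG = """\
2024-01-01 10:00:00 EFTLink AUTH card=************1111 amount=12.50
2024-01-01 10:05:00 EFTLink AUTH card=4111 1111 1111 1111 amount=3.00
2024-01-01 10:06:00 receipt no=20240101100600 till=3
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111", LAST_4))          # ************1111
    print(mask_pan("4111 1111 1111 1111", FIRST_6_LAST_4))  # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG))                    # ['4111111111111111']
```

Run the scan against database exports and application logs after enabling the masking options; any hit means an unmasked PAN reached storage and the EFT interface or masking configuration needs attention.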
The following settings will force users of specific security groups to change their passwords at regular intervals. This is aimed specifically at Back Office users with reporting access to the transactional data.
This functionality is only available from release 5.21.
The following settings will determine how frequently (specified in days) the user must change their password, and how many days prior to expiry the user will be prompted to change their password. By default the password will expire after 90 days, and the user will be prompted to change their password 14 days before it expires.
This is configured through the System Settings (which can be accessed by running the module DATAENTRYBASIC.EXE SYSTEM), and amending the options Password expires after and Prompt change password within the Security panel on the System tab.
The following settings will determine the security groups whose users will be prompted to change their passwords regularly. By default no security groups are configured to change their passwords. For PCI Compliance we advise that all security groups whose users are back office users are configured to prompt for their passwords to be changed regularly.
This is configured through the Security Groups maintenance (which can be accessed by running the module DATAENTRYBASIC.EXE SECURITYGROUP), and checking the option Force Password Change for the required security groups.
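How the three settings above interact (Password expires after, Prompt change password, and the per-group Force Password Change flag), shown as an added example that is not BE code. It evaluates a constructed list of users against the page's defaults of 90 and 14 days and reports which back office groups are still missing the Force Password Change flag. The group and user names and dates are constructed sample data; the hypothetical `back_office` attribute on a group is an assumption used here to stand for "a group whose users are back office users".

```python
"""Password-expiry policy evaluation and a security-group audit.

Added example; not BE code. Group names, user names and dates are
constructed. The 'back_office' flag is a hypothetical attribute used
to mark groups whose users are back office users.
"""
from datetime import date, timedelta

PASSWORD_EXPIRES_AFTER = 90  # days; page default
PROMPT_CHANGE_PASSWORD = 14  # days before expiry; page default

# Constructed security groups: Force Password Change flag and whether the
# group's users are back office users (hypothetical attribute).
GROUPS = {
    "Back Office": {"force_password_change": True, "back_office": True},
    "Reporting": {"force_password_change": False, "back_office": True},
    "Cashiers": {"force_password_change": False, "back_office": False},
}

# Constructed users: (name, security group, date password last changed).
USERS = [
    ("alice", "Back Office", date(2024, 1, 1)),
    ("bob", "Reporting", date(2023, 1, 1)),
    ("carol", "Back Office", date(2024, 3, 1)),
    ("dave", "Cashiers", date(2022, 1, 1)),
]


def password_status(last_changed: date, today: date, force_change: bool,
                    expires_after: int = PASSWORD_EXPIRES_AFTER,
                    prompt_days: int = PROMPT_CHANGE_PASSWORD) -> str:
    """Return 'ok', 'prompt' or 'expired' for one user.

    Groups without Force Password Change never expire, which is why the
    audit below matters: the expiry days alone do nothing for them.
    """
    if not force_change:
        return "ok"
    expiry = last_changed + timedelta(days=expires_after)
    if today >= expiry:
        return "expired"
    if today >= expiry - timedelta(days=prompt_days):
        return "prompt"
    return "ok"


def evaluate_users(users, groups, today: date) -> dict[str, str]:
    """Status for every user given their group's Force Password Change flag."""
    return {
        name: password_status(changed, today,
                              groups[group]["force_password_change"])
        for name, group, changed in users
    }


def groups_missing_force_change(groups) -> list[str]:
    """Back office groups that do not yet force regular password changes."""
    return sorted(name for name, g in groups.items()
                  if g["back_office"] and not g["force_password_change"])


if __name__ == "__main__":
    print(evaluate_users(USERS, GROUPS, date(2024, 3, 20)))
    print(groups_missing_force_change(GROUPS))
```

In the constructed data, bob's password is over a year old but he is never prompted because the Reporting group lacks the flag; the audit lists that group so the gap is visible before an assessor finds it.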
The following setting will prevent BE from processing any Swipe Card requests from EFTLink, and prevent BE from inadvertently reading card number information. By default Swipe Card requests will be processed by BE.
This is configured through the System Settings (which can be accessed by running the module DATAENTRYBASIC.EXE SYSTEM), and checking the option Interface adheres to PCI Compliance Rules within the EFTLink panel on the POS 3 tab.
Note: For PCI Compliance EFTLink should be configured to use the Card Reader core, to manage the reading of swipe cards.
This functionality is only available from release 5.19.
Anti-virus software must be deployed on all systems that could be affected by malicious software.
MICROS can confirm that McAfee Enterprise v8.5.0i is proven to run within the same environment as BE without conflicts or issues.
Please refer to the advice of your PCI Consultant for Anti-Virus Software recommendations.