This guide provides details that define how to properly deploy the Point-of-Rental Expert 2016 application within your environment to help you achieve PCI DSS compliance. Following the guidelines within this guide does NOT make you PCI DSS compliant, nor does it guarantee your network's security. It is your responsibility to ensure that your hardware and network systems are secure from internal as well as external threats. While this guide will go over the requirements you will need to follow for the implementation of Point-of-Rental Expert 2016 that will help you achieve PCI DSS compliance, it is solely your responsibility to ensure the proper implementation of the application.
Point-of-Rental Software makes no claims on the security of your network, nor of your level of PCI DSS compliance.
This guide is distributed to all internal Point-of-Rental Software customer support staff and to all customers of the Point-of-Rental Expert 2016 application. Updates to this guide will be delivered to each customer's registered point of contact with a summary of changes discussing possible impacts to your deployment or environment. These same updates are available through the Company support site for registered customers. All Company customer support staff are trained on any updates to the application and implementation guide prior to the release of the application. Should further explanation be required, customers may contact support at: 800-944-7368.
Point-of-Rental Expert 2016 is a Point-of-Sale (POS) solution for small retailers and is not intended to be used by issuers or organizations performing issuing services. The application supports an application/database model for deployment, with the application operating in a Windows Server environment or PC environment. Distribution of the software includes the Point-of-Rental Expert 2016 software and the Microsoft Jet database.
Note: The Point-of-Rental Expert 2016 software does not store sensitive authentication data (magnetic stripe data (located on the back of a card, contained in a chip, or elsewhere)) or card verification values or codes (the three-digit or four-digit card-validation code printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data)).
Data Capture and Removal
Point-of-Rental Software Expert stores historical tokens which can be processed again later. Magnetic swipe data is not stored within the Point-of-Rental Software Expert 2016 application nor is it transferred across the payment network. All swiped and manually keyed credit cards are encrypted end-to-end. The Point-of-Rental Software Expert software does not store, and may not be configured to store, sensitive authentication data (magnetic stripe data (located on the back of a card, contained in a chip, or elsewhere)), card verification values or codes (the three-digit or four-digit card-validation code printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data)).
The application automatically purges historical credit card tokens after one year. VeriFone PAYware Connect purges dormant credit card tokens after six months.
Cryptographic Materials
Point-of-Rental Software Expert does not allow the merchant to store cardholder data. Encryption and decryption keys are automatically generated as they are administered by VeriFone PAYware Connect. If you, as the merchant, decide to retain cardholder data by electronic means outside of the application using third-party methods, you must ensure that you meet PCI DSS requirements for the secure storage of this data and adhere to the cryptographic key management guidelines identified in the latest PCI DSS standard.
Data Purging
As previously stated, the Point-of-Rental Software Expert software does store cardholder data, but not sensitive authentication data (magnetic stripe data located on the back of a card, contained in a chip, or elsewhere; card verification values or codes, i.e. the three-digit or four-digit card-validation code printed on the front of the card or the signature panel: CVV2, CVC2, CID, CAV2 data), and may be configured to not store cardholder data. As such, Point-of-Rental Software Expert software purges cardholder data from the application yearly. However, as you may decide to retain cardholder data outside of the Point-of-Rental Software Expert software using third-party means (Excel spreadsheet, written hard copy, etc.), you must understand that any cardholder data collected by you that exceeds the defined retention period must be purged based upon business, legal, and/or regulatory requirements in order for you to achieve and meet your own PCI DSS compliance requirements.
Historical Data
Point-of-Rental Software Expert version 2010 is the initial version of the application that met the Payment Application Data Security Standards (PA-DSS). As such, previous versions could have historical data (Primary Account Numbers). Customers with these versions should upgrade to the latest version.
This section describes the proper deployment for the Point-of-Rental Software Expert application and its underlying systems supporting the application and its database. It is imperative that these directions be followed, as they are designed to enable you to achieve PCI DSS compliance. Following the guidelines within this section does NOT make you PCI DSS compliant, nor does it guarantee your network's security. It is your responsibility to ensure that your hardware and network systems are secure from internal as well as external threats. While this guide will go over the requirements you will need to follow for the implementation of Point-of-Rental Software Expert that will help you achieve PCI DSS compliance, it is solely your responsibility to ensure the proper implementation of the application.
Point-of-Rental Software makes no claims on the security of your network, nor of your level of PCI DSS compliance.
Recommended Network Deployment
The typical Point-of-Rental Software Expert deployment consists of multiple workstations connecting via a Remote Desktop Connection into a Microsoft Windows Server, running Remote Desktop Services and hosting the Point-of-Rental Software Expert software. If you, the merchant, are using Point-of-Rental Software's Integrated Credit Card Module, then the application communicates with your processor over the Internet using HTTPS (TCP port 443) for authorization and payment capture. Therefore, an Internet connection is required. This Internet connection must be protected by a firewall, as neither the application nor the database is permitted to be directly connected to the Internet, per PCI DSS requirements. The firewall must allow outbound HTTPS (TCP port 443) access to your processor. However, the firewall must be configured to not allow any unfiltered inbound Internet access to the workstations on the payment network or to the server supporting the Point-of-Rental Software Expert application. If you allow inbound Internet access to these systems, it will compromise your PCI DSS compliance.
A simple diagram of a standard deployment where the Point-of-Rental Expert software is used to process credit cards is shown below. The merchant can choose not to process credit cards using this method (Point-of-Rental Software Expert Integrated Credit Card Module) but can still store credit card tokens, displaying only the encrypted PAN, meeting PA-DSS. Merchants can also disable storing of credit card tokens by navigating to Program Menu > Configuration > System Configurations > Parameters > Drawer and unchecking Save Credit Card Info.

Note: PCI DSS requires that cardholder data must not be stored on Internet accessible systems, nor can a server containing cardholder data be located within an Internet accessible network. A firewall must be deployed at each Internet connection and configured to prohibit "Inbound" Internet access to systems supporting the application and its supporting database.
Required Services, Protocol, and Dependent Software
The Point-of-Rental Software Expert software requires Microsoft's Remote Desktop Services in a multi-user environment.
The Point-of-Rental Expert 2016 software communicates over the TCP/IP protocol suite and does not rely on any other communication protocol for functionality. The application utilizes HTTPS (TCP port 443) to communicate with supported processors over the Internet for authorization and payment capture and utilizes TCP to communicate with VeriFone’s PAYware Connect gateway.
Note: Communication with the processor only requires Internet outbound HTTPS (TCP port 443) access. No Internet inbound access of any type is required for functionality. It is recommended that you disallow all Internet inbound access to the Application Payment Engine software. You are required by PCI DSS to disallow all Internet inbound access. Failure to do so will jeopardize your PCI DSS compliance.
As previously stated, the application only requires the use of the TCP/IP protocol and the HTTPS (TCP port 443) and TCP services for functionality. These are the only protocols and services enabled by default "out-of-the-box". No unnecessary or insecure services, daemons, protocols or components are enabled by default by the application on supporting systems or the application, nor are any required by the application to function properly.
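The following script is an added example, not part of the Point-of-Rental guide: it audits a Windows host in the payment network against the rule stated above (outbound HTTPS only, no unfiltered inbound Internet access) without changing anything. It assumes the host firewall is Windows Defender Firewall (the NetSecurity module) and that the perimeter firewall is reviewed separately.

```powershell
# Added example (not from the guide): read-only audit of a POS host's inbound
# exposure and of its outbound connections. Review the output against the
# deployment diagram; nothing here modifies firewall state.

# 1. Inbound rules that are enabled, allow traffic, and accept ANY remote address
#    are the candidates that could expose the host to the Internet.
$openInbound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    }

# 2. Every listening TCP port is a service that inbound filtering must cover.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess -Unique |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $p.ProcessName }
    }

# 3. Established connections to non-private addresses that are not TCP 443:
#    the guide names HTTPS to the processor and the PAYware Connect TCP session
#    as the only expected Internet traffic, so anything else deserves a look.
$privateRanges = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
$nonHttpsOutbound = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -ne 443 -and $_.RemoteAddress -notmatch $privateRanges } |
    Select-Object RemoteAddress, RemotePort, OwningProcess

"Inbound allow rules open to any remote address:"
$openInbound | Format-Table -AutoSize
"Listening TCP ports:"
$listening | Format-Table -AutoSize
"Non-HTTPS connections to non-private addresses:"
$nonHttpsOutbound | Format-Table -AutoSize
```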
Preventing Inadvertent Cardholder Data Capture
For your server (multi-user) and workstation (single-user) deployments hosting the Point-of-Rental Software Expert software, it is important that the following two (2) operating system settings be implemented to ensure that cardholder data is not captured by the operating system itself, as this may compromise your PCI DSS compliance.
You will want to disable memory page swapping to the hard drive. The following steps will show you how to change the virtual memory settings in Windows by disabling the paging file (pagefile.sys).
1. Open Control Panel -> System and Maintenance -> System.
2. In the left "Tasks" pane, click on Advanced System Settings.
3. You should now be on the "Advanced" tab. In the "Performance" section, click on the Settings button.
4. Click on Advanced tab.
5. In the “Virtual Memory” section, click on Change button.
6. By default, the "Automatically manage paging file size for all drives" setting is selected so that the Windows system can manage the paging file without interrupting the user. If you want to change the paging file size, move pagefile.sys to another drive, or disable virtual memory paging, uncheck the "Automatically manage paging file size for all drives" check box.
7. Select and highlight the drive whose paging file settings you want to change under the "Drive [Volume Label]" box. For the workstations this would be the "C:" drive (the only drive available).
8. To disable paging file or virtual memory, simply click the "no paging file" radio button and then click the "OK" button.
The following steps will show you how to disable system restore points. This is critical as a system restore point may inadvertently capture cardholder data if it is not disabled and compromise your PCI DSS compliance.
1. Access your workstation's system properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message: "You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer. Do you want to turn off System Restore?", click Yes to confirm that you want to turn off System Restore.
6. After a few moments, the System Properties dialog box closes.
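As an added example (not from the guide), the two procedures above can be applied and verified from an elevated PowerShell prompt on a single-drive workstation. It assumes the system drive is C: and that System Restore is available (it is a client-OS feature; on the Remote Desktop Services server only the paging-file part applies); a reboot is needed for the paging file change to take effect.

```powershell
# Added example (not from the guide): scripted equivalent of the pagefile and
# System Restore procedures, plus a verification step.
#Requires -RunAsAdministrator

# 1. Stop Windows from managing the paging file automatically (step 6 above).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.AutomaticManagedPagefile) {
    Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
}

# 2. Remove every configured paging file ("No paging file", step 8 above).
Get-CimInstance -ClassName Win32_PageFileSetting | Remove-CimInstance

# 3. Turn off System Restore on the system drive; this also deletes existing
#    restore points, which is the reason the guide requires it.
Disable-ComputerRestore -Drive "$env:SystemDrive\"

# 4. Hibernation writes RAM to hiberfil.sys, so it lands memory on disk the same
#    way a paging file does. Not one of the guide's two settings; added here as
#    the same class of control.
powercfg.exe /hibernate off | Out-Null

# 5. Verify: no paging file configured, no restore points present.
$pagefiles     = @(Get-CimInstance -ClassName Win32_PageFileSetting)
$restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
[pscustomobject]@{
    AutomaticManagedPagefile = (Get-CimInstance -ClassName Win32_ComputerSystem).AutomaticManagedPagefile
    PagingFilesConfigured    = $pagefiles.Count        # expected 0 after reboot
    RestorePointsPresent     = $restorePoints.Count    # expected 0
    HibernationFilePresent   = Test-Path "$env:SystemDrive\hiberfil.sys"
    RebootRequired           = $true
}
```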
Transmitting Cardholder Data
The Point-of-Rental Software Expert application transmits cardholder data over the Internet using 128-Bit SSLv3.0 for encryption to your processor. This is done by default and cannot be disabled. This secure, encrypted transmission is required for you to maintain PCI DSS compliance. This is the only means of transmitting cardholder data supported by the Point-of-Rental Software Expert software; the application does not support and/or facilitate sending of PANs by end-user messaging technologies.
Swiped, injected (EMV) and manually keyed credit card transactions all occur on a VeriFone MX9xx device. All transactions are encrypted on the device, then submitted to the gateway, VeriFone PAYware Connect to be authorized. Authorizations are encrypted and sent back to the device and the result is displayed on the device’s screen. Retrievals using the stored tokens are also encrypted and submitted without need to manually key the card number on a device.
Note: Understand that the transfer of cardholder data across public networks must be encrypted in order for you to maintain your PCI DSS compliance.
Point-of-Rental Software Expert does not require wireless connectivity.
If you choose to deploy a wireless network infrastructure to support communications between deployed systems, or you connect a wireless network to the environment supporting the Point-of-Rental Software Expert application, you must do so in a manner compliant with the current PCI DSS standards. The secure deployment of a wireless network is solely your responsibility. In order for you to achieve PCI DSS compliance, the following guidelines must be followed for deployment of a wireless network:
•wireless encryption keys must be changed from default at installation, and must be changed anytime anyone with knowledge of the keys leaves the company or changes positions;
•default SNMP community strings on wireless devices must be changed;
•default passwords/passphrases on access points must be changed;
•firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks;
•other security-related wireless vendor defaults must be changed, if applicable; and
•wireless networks transmitting cardholder data or connected to the cardholder environment must use industry best practices to implement strong encryption for authentication and transmission.
If you have a wireless network deployed within your environment and it is not part of your cardholder network, a firewall is required between any wireless networks and the cardholder data environment. The firewall must be configured to deny or control any traffic from the wireless environment into the cardholder data environment.
User Access controls are an important requirement for you to maintain your PCI DSS compliance. User access controls must be implemented at the system (O/S), database, and application level.
For the application, each user must have their own unique user ID. The application does not utilize or require the use of default accounts. The application itself does not have any default accounts, and an initial user ID must be set up during the installation. Individual users must not share accounts, as this compromises accountability: all activity performed by a user of the application is tied to their individual user ID.
To create a new user within the application, access the "Operator ID" menu accessible through Program Menu > Security > Operator ID’s. Now, select "Add". This will bring up the new user window. You will need to fill out all required fields. This process will be performed for each new user created.
If the user is a remote user (multi-user environment) a Windows user account is required and the new user’s password makeup must meet the following conditions:
•Passwords must be a combination of numeric and alphabetic characters and require at least seven characters (PCI DSS 8.2.3).
The following password controls are enforced on all user passwords (initial user and those created after installation):
•a minimum history of the last four (4) passwords is maintained (PCI DSS 8.2.5); and
•passwords expire every ninety (90) days (PCI DSS 8.2.4).
The following user lockout and session controls are enforced on all user types (initial user and those created after installation):
•accounts are locked out after no more than six (6) failed login attempts (PCI DSS 8.1.6);
•a minimum lockout duration of thirty (30) minutes is enforced (PCI DSS 8.1.7); and
•a session time out after fifteen (15) minutes is enabled (PCI DSS 8.1.8).
A key feature of Point-of-Rental Software Expert to enable you to meet PCI DSS compliance is logging. Point-of-Rental Software Expert enables extensive logging for all user types. This logging is required for you to maintain your PCI DSS compliance and, as such, logging is enabled by default per PCI DSS and PA DSS requirements and may not be disabled or configured. For all log files, only the first digit and the last four (4) digits of the PAN are recorded.
Log File Location and Names
All log files are located within the Point-of-Rental Software Expert install directory (defined by you during the installation process). Every transaction is logged and is held in the customer and transaction history.
Viewing Log Files and Exporting
Point-of-Rental Software Expert log files may only be viewed through the Point-of-Rental Software Expert application. To view log files, an authorized user may access the "Transaction Edit" menu from the menu bar, as well as the "Payment History" menu when inquiring on a contract. Viewing the Check & Card report via Program Menu > End of Day Processing > Check & Card Report displays a particular day's or date range's credit card transactions.
Note: Log files may not be modified by the user. Point-of-Rental Software Expert does not support an interface that allows for the direct user manipulation of log files.
From the log file viewing screen, a user may elect to print the log file.
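The guide states that only the first digit and the last four digits of the PAN are written to any log file. The script below is an added example, not part of the guide: it scans a directory of logs, exports or printed-to-file reports for digit runs that pass the Luhn check, which is the practitioner's way of confirming that no unmasked PAN has leaked into files outside the application's control. The install directory path is an assumption; substitute your own.

```powershell
# Added example (not from the guide): find Luhn-valid 13-19 digit runs in
# text-like files. Masked values (first digit, last four) cannot match, so any
# hit is a candidate unmasked PAN that needs investigation and secure deletion.
param([string]$Root = 'C:\PointOfRental')   # assumed install directory

function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-UnmaskedPan {
    param([string]$Path)
    # Digit runs that may be split by single spaces or dashes, as on receipts.
    $pattern = '(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)'
    Get-ChildItem -Path $Path -Recurse -File -Include *.log,*.txt,*.csv -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            $file = $_.Path; $line = $_.LineNumber
            foreach ($m in $_.Matches) {
                $digits = $m.Value -replace '[^\d]', ''
                if ($digits.Length -ge 13 -and (Test-Luhn $digits)) {
                    # Report the hit with the value itself masked to first digit
                    # and last four, so the finding does not become a new leak.
                    [pscustomobject]@{
                        File   = $file
                        Line   = $line
                        Masked = $digits.Substring(0, 1) +
                                 ('*' * ($digits.Length - 5)) +
                                 $digits.Substring($digits.Length - 4)
                    }
                }
            }
        }
}

Find-UnmaskedPan -Path $Root | Format-Table -AutoSize
```

Timestamps and order numbers rarely pass Luhn, but treat every hit as a finding to confirm by hand rather than as proof of a leak.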
The Point-of-Rental Software Expert application does not support remote access capabilities. However, the underlying Windows Operating System (O/S) does support remote access. You, as a merchant, may choose to utilize these remote access capabilities, but in order to maintain PCI DSS compliance only remote access technology supporting two-factor authentication may be used. Two-factor authentication, meaning two of the three factors (something you have, something you know, something you are), is required for remote access in order for you to maintain your PCI DSS compliance. In addition to the use of two-factor authentication, it is important to remember that the remote access capability should only be enabled when needed and disabled when no longer required. Furthermore, your remote access software must provide for the following features or configuration settings:
•You must ensure the default settings in the remote access software are changed;
•Remote access software must be configured to only allow access from specific IP addresses;
•Encrypted data transmission (such as IPsec VPN, SSH, or 128-bit SSL v3.0) must be enforced;
•Access to customer passwords must be restricted to authorized personnel;
•Logging of remote access must be enabled;
•Systems must be configured so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed;
•Unique user IDs must be used for each user account;
•Authentication composed of passwords and two-factor authentication must be used for remote access;
•Remote access must not require or use any group, shared, or generic accounts or passwords;
•Passwords must change every ninety (90) days or less;
•Passwords must be a minimum of seven (7) characters;
•Passwords must contain both numeric and alphabetic characters;
•Password history of the last four (4) passwords must be kept and new passwords must be different than any of the last four (4) passwords;
•Account lockout must occur after six (6) invalid logon attempts;
•Remote access accounts must be locked out for no less than thirty (30) minutes or until reset by a system administrator; and
•Remote access sessions must timeout after no more than fifteen (15) minutes of inactivity.
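The password, lockout and session values in this list match those given earlier for remote (multi-user) Windows operators. As an added example (not from the guide), they can be applied to the local security policy of the Remote Desktop Services host in one pass; on a domain-joined server the same values must be set through Group Policy instead, which overrides local settings. Run from an elevated prompt.

```powershell
# Added example (not from the guide): enforce the listed password, lockout and
# idle-session values on a stand-alone Windows host.
#Requires -RunAsAdministrator

# 1. Length 7, maximum age 90 days, history 4, lockout after 6 attempts for
#    30 minutes (net accounts switches; lockoutwindow is the counter reset).
net accounts /minpwlen:7 /maxpwage:90 /uniquepw:4 `
    /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30

# 2. "Numeric and alphabetic" characters are enforced by Windows password
#    complexity, which net accounts cannot set; apply it via a secedit template.
$inf = Join-Path $env:TEMP 'pci-password.inf'
$sdb = Join-Path $env:TEMP 'pci-password.sdb'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit.exe /configure /db $sdb /cfg $inf /areas SECURITYPOLICY | Out-Null
Remove-Item $inf, $sdb -ErrorAction SilentlyContinue

# 3. Remote Desktop Services session limits: end idle sessions after 15 minutes
#    and end disconnected sessions on the same schedule so a stale session
#    cannot be resumed. Values are milliseconds under the policy key.
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fifteenMinutes = 15 * 60 * 1000
New-Item -Path $ts -Force | Out-Null
New-ItemProperty -Path $ts -Name MaxIdleTime -PropertyType DWord -Value $fifteenMinutes -Force | Out-Null
New-ItemProperty -Path $ts -Name MaxDisconnectionTime -PropertyType DWord -Value $fifteenMinutes -Force | Out-Null

# 4. Verify the applied values.
net accounts
Get-ItemProperty -Path $ts | Select-Object MaxIdleTime, MaxDisconnectionTime
```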
Note: All remote non-console administrative access to the payment application or servers in the environment must be encrypted utilizing SSH, VPN, SSL/TLS or other encryption technology in order to maintain PCI DSS compliance.
In the case of Point-of-Rental Software customer support, Point-of-Rental Software utilizes the application TeamViewer for remote access. This access is only enabled during the time of support and must be disabled after support is concluded. Company uses AES-256 encryption to secure the connection, with authentication based on a unique RSA private/public key pair for each Customer Support Engineer, further secured by RSA tokens that each engineer must use to access their assigned keys.
To use TeamViewer, a Company engineer will direct you to the TeamViewer website to download and run the client. The engineer will have you run the TeamViewer remote access software, and you will verbally provide the engineer with the Session ID and password. Using this information, the engineer will authenticate to your system and assist with troubleshooting any issues. Once troubleshooting is complete, you will exit the TeamViewer application, terminating any remote access. Company will never have access to your computers without you initiating connectivity first.
Note: It is imperative that you terminate the TeamViewer connection when requested so as not to have a persistent remote-access point into your network. This is required in order for you to maintain your PCI DSS compliance.
Software upgrades are not automatically installed. Instead, you must retrieve updates via Point-of-Rental’s updater (Program Menu > Other Updates > Check for Updates). Afterwards the merchant can upgrade at their leisure. Should you need assistance in applying an update, you may contact Point-of-Rental Software support staff at: 800-944-7368.
Note: Remember, when the computer in use is connected via VPN or other high-speed connection, a firewall or personal firewall must be utilized to secure these "always-on" connections.
Customers may contact Point-of-Rental Software for support in troubleshooting their Point-of-Rental Software Expert application or for the reporting of issues with the application. Point-of-Rental Software support consists of phone and, when needed, remote access support. Company support may be contacted at:
Phone: 1-800-944-7368
Email: [email protected]
Note: Point-of-Rental Software will not collect sensitive authentication data (magnetic stripe data, card validation codes or values, and PINs or PIN block data) for any reason, even upon customer request. To do so may compromise Point-of-Rental Software Expert's PA DSS validation and, in return, your PCI DSS compliance.
If you, as a customer, decide to collect sensitive authentication data as part of your own troubleshooting process, you must adhere to the following guidelines or risk compromising your PCI DSS compliance:
•You must only perform the collection of sensitive authentication data when needed to solve a specific problem;
•You must store such data in a specific, known location with limited access;
•You must perform collection of only the limited amount of data needed to solve a specific problem;
•You must provide for the encryption of sensitive authentication data as required upon storage; and
•You must perform secure deletion of such data immediately after use, using tools which utilize the DoD 5220.22-M military grade secure deletion process.