Gasboy PA-DSS User Manual

CFN Series
CFN III Fuel Management System PA-DSS Implementation Guide
Version 3.6
MDE-4870A
Computer Programs and Documentation
All Gasboy computer programs (including software on diskettes and within memory chips) and documentation are copyrighted by, and shall remain the property of, Gasboy. Such computer programs and documents may also contain trade secret information. The duplication, disclosure, modification, or unauthorized use of computer programs or documentation is strictly prohibited, unless otherwise licensed by Gasboy.
Federal Communications Commission (FCC) Warning
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense. Changes or modifications not expressly approved by the manufacturer could void the user’s authority to operate this equipment.
Approvals
Gasboy, Greensboro, is an ISO 9001:2000 registered facility.
Underwriters Laboratories (UL):
UL File# | Products listed with UL
MH4314 | All dispensers and self-contained pumping units
MH10581 | Key control unit, Model GKE-B Series; Card reader terminals, Models 1000, 1000P; Site Controller, Model 2000S CFN Series; Data entry terminals, Model TPK-900 Series; Fuel Point Reader System
National Conference of Weights and Measures (NCWM) - Certificate of Compliance (CoC):
Gasboy pumps and dispensers are evaluated by NCWM under the National Type Evaluation Program (NTEP). NCWM has issued the following CoC:
CoC# | Product | Model #
95-179 | Dispenser | 9100 Retail Series, 8700 Series, 9700 Series
95-136 | Dispenser | 9800 Series
91-019 | Dispenser | 9100 Commercial Series
91-057 | Controller | 1000 Series FMS, 2000S-CFN Series
05-002 | Atlas | 8700K, 8800K, 9100K, 9200K, 9800K
California Air Resources Board (CARB):
Executive Order # | Product
G-70-52-AM | Balance Vapor Recovery
G-70-150-AE | VaporVac
Patents
Gasboy products are manufactured or sold under one or more of the following US patents:
Dispensers
5,257,720
Point of Sale/Back Office Equipment
D335,673
Additional US and foreign patents pending.
Trademarks
Non-registered trademarks
Atlas™ Consola™ Infinity™
Registered trademarks
ASTRA® Fuel Point® Gasboy® Keytrol® Slimline®
Additional US and foreign trademarks pending.
Other brand or product names shown may be trademarks or registered trademarks of their respective holders.
This document is subject to change without notice. E-mail: literature@gasboy.com · Internet: http://www.gasboy.com © 2010 GASBOY. All Rights Reserved.

Table of Contents

1 – Introduction
    Purpose
    Related Documents
    PA-DSS and PCI-DSS
    Certification Status
    Abbreviations and Acronyms
2 – Getting Started
    Physical Security
        System Security
        System Report and Other Logs
    Installations and Upgrades
        Purge Transaction Records
        Delete System Security Keys
        Re-encrypting Historic Data
    User Accounts
        Overview
        Removing System Defaults
        CFN III User Passwords and Permission Levels
        Windows XPE Users and Passwords
    Remote Access
        Disabling and Enabling Remote Access
    CFN III Key Management
    Audit Trail
    Services
3 – Recurring Operations
    Data Retention
    User Accounts
    Audit Trail
4 – Maintenance and Troubleshooting
    Software Updates
    Troubleshooting
        Gathering Sensitive Data
        Backup Password
    Updating Windows XPE
MDE-4870A CFN III Fuel Management System PA-DSS Implementation Guide Version 3.6 · June 2010 Page i
5 – Prohibited Interfaces
    Wireless Technologies
    Direct Internet Connection
    Transmission of Data over Public Networks
Appendix A: PCI Password Requirements
Glossary
1 – Introduction

Purpose

This document provides information required to install and operate the CFN III in a manner compliant with Payment Application - Data Security Standard (PA-DSS) version 1.2.
Failure to comply with the information in this document could put the merchant in violation of PA-DSS and possibly out of compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

Related Documents

Document Number | Document Title | GOLD Library
PA-DSS – Requirements Version 1.2
MDE-4739 | CFN III PCI Secure Controller Software Installation/Upgrade | CFN Series Networks, Card Handlers, and Pump Interface
MDE-4871 | CFN III Manager’s Manual for Windows® XP Embedded Version 3.6 | CFN Series Controllers and POS
MDE-4872 | CFN III Configuration Manual for Windows XP Version 3.6 | CFN Series Controllers and POS
MDE-4873 | CFN Series Site Controller III Start-up Manual for CFN III Version 3.6 and Later | CFN Series Controllers and POS

PA-DSS and PCI-DSS

PA-DSS is a series of requirements that apply to any payment application that stores, processes, or transmits card holder data as part of the transaction process. CFN III falls under this requirement and therefore must comply with PA-DSS. Many of the requirements under PA-DSS are handled automatically by CFN III. However, there are certain requirements that must be maintained by the merchant in order to run in a compliant manner. Each of the merchant requirements will be covered in this document.
PCI-DSS is a series of requirements that apply to the entire payment environment at a merchant location. PA-DSS covers only a portion of that environment. It does not cover all aspects of PCI-DSS. It is the responsibility of the merchant to ensure that their overall payment environment is operated and maintained in a manner compliant with the PCI-DSS.
For more information on specific requirements of PCI-DSS or PA-DSS, refer to the PCI Security Standards Council website http://www.pcisecuritystandards.org.

Certification Status

CFN III version 3.6A was evaluated by K3DES in July 2009, and certified as compliant under PA-DSS version 1.2.

Abbreviations and Acronyms

Term | Description
ASC | Authorized Service Contractor
CFN | Cash Flow Network
DES | Data Encryption Standard
PA-DSS | Payment Application - Data Security Standard
PCI-DSS | Payment Card Industry - Data Security Standard
PIN | Personal Identification Number
POS | Point Of Sale
SC | Site Controller
TIP | Transaction In Process
USB | Universal Serial Bus
2 – Getting Started

Physical Security

The merchant is responsible for ensuring that the CFN III is physically secure.

System Security

Physical access to the Site Controller system must be limited to those who use the Site Controller. If modular Profit Point POS systems are used, the Site Controller is best kept in a locked back room with restricted access. If an Integral Profit Point POS system is used, the system must be accessible only to those using it. If it is not possible to maintain the system in a secure area, the area must have adequate coverage by available security cameras so that unauthorized access is recorded and the recordings can be used to determine the cause of any physical security breach.

System Report and Other Logs

Although the system log does not expose any sensitive card information, it is good practice to keep the log printer in a secure area. Some bank host systems may require card account information to be listed on a report or log for back office purposes. When reports hold account information, it is the responsibility of the site manager or store owner to secure the reports from unauthorized access.

Installations and Upgrades

To upgrade the CFN payment system from a non-compliant version of 3.4 or earlier, to a secure PCI-compliant version, refer to MDE-4739 CFN III PCI Secure Controller Software Installation/Upgrade Instructions.
The integrity of software upgrades is guaranteed because only software created by Gasboy® will operate on the CFN III board set. Software created without the unique Gasboy development system will typically fail the checksum test. Even if such software passes that test, the system will not boot or operate.

Purge Transaction Records

After the installation is complete, the embedded payment controller transaction table must be purged of any information left in memory, which may retain previous card information. This is a mandatory procedure in order to meet PCI requirements and cannot be skipped. This process must be executed before the site is allowed to start processing card data. It would be best to proceed with this process right after the table sizing is finalized.