Verifone PCI PA DSS User manual

© 2018 Verifone Inc.
All rights reserved. Copying and/or redistribution of this information in whole
or in part without the express permission of Verifone Inc. prohibited
PCI PA DSS
Guide
PBMUECR 03.21.003.xxxxx
Version 3.2 (Release)
Date: 2018-07-05
PCI PA DSS Implementation Guide: PBMUECR 03.21.003.xxxxx
Author Sergejs Melnikovs E-mail sergejs.melnikovs@verifone.com
Date: 2018-07-05
Version 3.2 Page 2 (15)
Contents
Contents  2
1. Introduction  3
1.1 Purpose  3
1.2 Document Use  3
1.3 References  4
1.4 Update History  4
1.5 Terminology and abbreviations  5
2 SUMMARY OF PCI DSS REQUIREMENTS  6
2.1 PA-DSS Req. 1.1.4: Historical data deletion  6
2.2 PA-DSS Req. 1.1.5: Securely delete any sensitive data used for debugging or troubleshooting  6
2.3 PA-DSS Req. 2.1: Purging cardholder data  6
2.4 PA-DSS Req. 2.2: Mask PAN when displayed  7
2.5 PA-DSS Req. 2.3: Render PAN unreadable anywhere it is stored  7
2.6 PA-DSS Req. 2.4: Protect keys  7
2.7 PA-DSS Req. 2.5: Implement key management processes and procedures  7
2.8 PA-DSS Req. 2.6: Provide a mechanism to render irretrievable any cryptographic key material  8
2.9 PA-DSS Req. 3.1: Unique user IDs and secure authentication  8
2.10 PA-DSS Req. 3.2: Unique user IDs and secure authentication for access to servers etc.  8
2.11 PA-DSS Req. 4.1: Implement automated audit trails  9
2.12 PA-DSS Req. 4.4: Facilitate centralized logging  9
2.13 PA-DSS Req. 5.4.4: Application versioning methodology  9
2.14 PA-DSS Req. 6.1: Securely implement wireless technology  9
2.15 PA-DSS Req. 6.2: Secure transmission of cardholder data over wireless networks  10
2.16 PA-DSS Req. 6.3: Provide instructions for secure use of wireless technology  10
2.17 PA-DSS Req. 7.2.3: Instructions for customers about secure installation and updates  11
2.18 PA-DSS Req. 8.2: Must only use secure services, protocols and other components  11
2.19 PA-DSS Req. 9.1: Store cardholder data only on servers not connected to the Internet  11
2.20 PA-DSS Req. 10.1: Implement two-factor authentication for remote access to payment application  12
2.21 PA-DSS Req. 10.2.1: Securely deliver remote payment application updates  12
2.22 PA-DSS Req. 10.2.3: Securely implement remote access software  12
2.23 PA-DSS Req. 11.1: Secure transmissions of cardholder data over public networks  12
2.24 PA-DSS Req. 11.2: Encrypt cardholder data sent over end-user messaging technologies  13
2.25 PA-DSS Req. 12.1, 12.1.1 and 12.2: Secure all non-console administrative access  13
Annexes  14
A1 Terminal files  14
A2 Application Version Numbering policy  14
A3 Instances where PAN is displayed  15
A4 Application components and used protocols  15
1. Introduction
1.1 Purpose
The Payment Card Industry Data Security Standard (PCI DSS) defines a set of requirements for the configuration, operation, and security of payment card transactions in your business. If you use the Verifone PBMUECR merchant unit application in your business to store, process, or transmit payment card information, this standard and this guide apply to you.
The requirements are designed for use by assessors conducting onsite reviews and for merchants who must validate compliance with the PCI DSS.
Failure to comply with these standards can result in significant fines if a security breach should occur. For more details about PCI DSS, please see the following link:
http://www.pcisecuritystandards.org
This guide is updated whenever there are changes in the PBMUECR software that affect PCI DSS compliance, and it is also reviewed annually and updated as needed to reflect changes in PBMUECR as well as in the PCI standards. Guidelines on how to download the latest version of this document can be found on the following web site:
http://www.verifone.lv/
The Payment Card Industry has also set requirements for software applications that store, process or transmit cardholder data. These requirements are defined by the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS). To simplify your PCI DSS assessment, the Verifone software application has been validated as compliant with the PCI PA-DSS requirements and is listed by the PCI Security Standards Council.
Note: This guide refers to the PBMUECR software versions that appear on the PCI SSC web site “List of Validated Payment Applications” as validated in accordance with PCI PA-DSS. Validation applies only to the listed versions, so compare the full version string of your terminal (see Annex A2 for the version numbering policy) with the listing. If you cannot find the version of your PBMUECR application on that list, please contact the Verifone Baltic helpdesk in order to upgrade your terminal.
http://www.pcisecuritystandards.org/
1.2 Document Use
This PA-DSS Implementation Guide contains information for proper use of the Verifone PBMUECR merchant unit application. Verifone Baltic SIA does not possess the authority to state that a merchant may be deemed “PCI Compliant” if information contained within this document is followed. Each merchant is responsible for creating a PCI-compliant environment. The purpose of this guide is to provide the information needed during installation and operation of the PBMUECR merchant unit application in a manner that will support a merchant’s PCI DSS compliance efforts.
Note 1: Both the system installer and the controlling merchant must read this document. Hence, the Implementation Guide should be distributed to all relevant payment application users (customers, resellers and integrators).
Note 2: This document must also be used when training ECR integrators/resellers at initial workshops.
1.3 References
(1) Payment Card Industry – Payment Application Data Security Standard v3.2
(2) Payment Card Industry – Data Security Standard v3.2
(3) Terminal Audit Log v1.7
(4) Verifone Baltic – Terminal Software Version Numbering Specification v1.4.1
1.4 Update History
Ver. | Name | Date | Comments
1.0 | Sergejs Melnikovs | 2013-05-23 | First release
1.1 | Sergejs Melnikovs | 2013-07-09 | Added application version on title page
1.2 | Sergejs Melnikovs | 2013-07-17 | Added notes in chapter 3 and software dependencies in chapter 2.3.1
1.3 | Sergejs Melnikovs | 2014-07-17 | Annual review, minor changes according to PBMUECR version 02.21.002 functionality. Added description of version numbering methodology
2.0 | Sergejs Melnikovs | 2015-06-25 | Document rebranding. Updated according to PCI DSS & PCI PA DSS version 3.1 requirements
2.1 | Sergejs Melnikovs | 2015-11-23 | Minor update, updated document restriction
2.2 | Sergejs Melnikovs | 2017-07-15 | Annual review/update
3.0 | Sergejs Melnikovs | 2018-07-18 | Added support for PBMUECR version 04.21.004.xxxxx. Document redesign to improve readability
3.1 | Sergejs Melnikovs | 2018-10-17 | Updated according to QSA recommendations
3.2 | Sergejs Melnikovs | 2019-07-05 | Extended explanation about wireless communication supported by the applications; IG for 04.21.004.xxxxx moved to a separate document
1.5 Terminology and abbreviations
3DES: Triple DES, the common name for the Triple Data Encryption Algorithm.
AES: Advanced Encryption Standard.
Cardholder Data: PAN, expiration date, cardholder name and service code.
CVV2: Card Verification Value, also called CVC2 (or CID on American Express cards), is a three- or four-digit value printed on the card but not encoded on the magnetic stripe or the chip. Supplying this code in a transaction is intended to verify that the card is present at the point of sale when the PAN is entered manually or when a voice referral is performed. It is sensitive authentication data and must never be stored after authorization.
ECR: Electronic Cash Register.
HSM: Hardware Security Module.
Magnetic Stripe Data: Full track data read from the magnetic stripe, from the magnetic-stripe image on the chip, or elsewhere.
PBMUECR Application: Terminal merchant unit application for use in the Baltic States (Estonia, Latvia, Lithuania).
PBMUECR Terminal: Terminal with the PBMUECR Application installed.
PA DSS: Payment Application Data Security Standard, a standard for validation of payment applications that store, process or transmit payment card data. Applications that comply with PA-DSS have built-in protection of card data, which makes it easier for retailers to comply with PCI DSS.
PAN: Primary Account Number. The PAN, also called the card number, is part of the magnetic stripe data and is also printed or embossed on the card. The PAN can also be stored in the chip of the card.
PCI DSS: Payment Card Industry Data Security Standard. Retailers that use applications to store, process or transmit payment card data are subject to PCI DSS.
PCI PTS: Payment Card Industry PIN Transaction Security.
PED: PIN Entry Device.
POS: Point of Sale.
Sensitive Authentication Data: Full track data (magnetic stripe data or the equivalent data on a chip), CAV2/CVC2/CVV2/CID, and PINs/PIN blocks. Sensitive authentication data must not be stored after authorization, even if encrypted.
Service Code: A three-digit code from the magnetic stripe data whose digits define (1) interchange and technology, (2) authorization processing and (3) range of services and PIN requirements.
SNMP: Simple Network Management Protocol, a network protocol used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
SSH: Secure Shell, a network protocol that allows data to be exchanged over a secure channel between two networked devices.
SSL: Secure Sockets Layer, the predecessor of TLS, historically used to protect transmission across public networks. All versions of SSL (and early TLS) have known weaknesses and are not considered strong cryptography under PCI DSS v3.2; TLS 1.2 should be used instead.
SYSLOG: Syslog is a standard for computer data logging.
TCP: Transmission Control Protocol, one of the core protocols of the Internet protocol suite.
TLS: Transport Layer Security. Designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is the successor of SSL. In this document TLS refers to TLS version 1.2.
TMS: Terminal Management System.
TRSM: Tamper Resistant Security Module.
UDP: User Datagram Protocol, one of the core protocols of the Internet protocol suite.
WEP: Wired Equivalent Privacy, an obsolete wireless network security standard. Sometimes erroneously called "Wireless Encryption Protocol". WEP is cryptographically broken and must not be used to protect wireless networks that carry cardholder data.
WPA and WPA2: Wi-Fi Protected Access, the Wi-Fi Alliance's certification programs for the security protocols it created to secure wireless computer networks. WPA2 (IEEE 802.11i with AES encryption) should be used; the original WPA relies on TKIP, which is deprecated.