The purpose of this article is to outline the requirements and procedures that are necessary for an Operator to securely implement 365 kiosks in a PCI DSS (Payment Card Industry Data Security Standard) compliant manner. It also includes information about security controls used by 365 Retail Markets.
Operator PCI Implementation Guide
The succeeding sections outline the Operator's responsibilities for securely implementing 365 kiosks.
365 kiosks require a persistent, "always-on" network connection to the internet. The Operator is responsible for providing the internet connection and following this guide to ensure it is implemented in a PCI compliant manner. Our V5-specific network requirements can be found here.
V5 & dining Point of Sale kiosks typically include a hardware firewall (router).
Under no circumstances should an Operator remove, factory reset, or change 365's secure firewall configurations.
If a factory reset is performed unintentionally, please contact 365 Support at (888) 365-6282.
Third-party wireless or Wi-Fi devices are not supported and cannot be connected to the kiosk environment.
Corporate VS Dedicated Networks
365's V5 kiosks require network connectivity for credit card processing and receiving updates. Operators have two primary options for establishing network connectivity at most client locations: corporate or independent dedicated networks (DSL, OptConnect).
Many corporate environments (offices, hospitals, etc.) contain existing networks to provide internet connectivity throughout a building or campus. These corporate networks often restrict the types of information that can be transmitted through them. Corporate networks are typically managed by dedicated local IT team member(s) or by a network administration management service who can advise on the feasibility of allowing a kiosk to operate on their existing internet connection.
A dedicated network is a completely separate, independent network that operators can install which circumvents many challenges that a corporate network may present. A dedicated network could consist of a DSL line, 4G/5G cellular modem, or other dedicated high-speed connection such as fiber or cable. As the kiosk owner, the operator is responsible for organizing and setting up this new, dedicated service to be installed into the client’s environment.
|Internet service already in place. No additional cost to the operator.||No need to ask client IT staff to open access or run wiring to a new location.|
|Network is typically very fast and stable.||The operator owns the network, and therefore requires less coordination to ensure PCI best practices are being followed.|
|Managed by dedicated personnel with knowledge of troubleshooting and secure networking protocols.||If cellular is chosen, operators have the added mobility to move the kiosk and internet together on an as-needed basis.|
|The operator may need to coordinate with the client IT staff or network administrator to ensure correct and secure settings/requirements are implemented.||The operator needs to organize, implement, and pay for internet service.|
|Wiring is typically ran to a single location, making kiosk mobility challenging.||Network connectivity (especially cellular) may be slower than a corporate network.|
|The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.||When service is interrupted or requires maintenance (power surge, severe weather, modem resets, connection stability), the Operator is responsible for responding in-person to troubleshoot the outage.|
|May require an Operator resource with IT and networking knowledge to ensure best practices in this guide are followed (365 staff is available to assist with secure network setup).|
*If the Operator chooses to use a corporate network, it is the Operator's responsibility to ensure this guide is followed by the client network administrator. Be sure to supply a copy of this guide - as well as our Network Requirements Guide - early on in the implementation process. Pay special attention to the Networks section.
**If the Operator chooses to use a dedicated network, it is the Operator's responsibility to ensure the best practices outlined in this guide are followed.
Network Segmentation for Corporate Networks
When deploying a kiosk using a corporate network, segmenting the kiosk into a secure card data business environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance of your network, and to help you protect your business from hackers. At the most basic level, there are three zones representing three levels of risk:
- Untrusted Environment - Network connections that anonymous people have access to be considered “untrusted.” They should have no network access to your business computers and POS equipment. Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously.
- Non-Card Data Business Environment - Systems not used for payment processing but are still business owned fit into this segment. These are systems that can be used for email, web browsing, and other higher risk activity that you would never want to perform on your payment processing systems. On occasion, these systems will almost certainly become infected with malware and viruses. Once a computer in this zone is infected, the hacker or infection will spread to other systems if they’re not protected by a firewall. Note that if any systems in this zone handle credit card data, that data is being put at risk. This is a medium risk zone due to risk of occasional infection. By segmenting these systems into their own zone, the breach is contained. The hacker, malware, or virus doesn’t reach your firewall protected payment processing zone.
- Card Data Business Environment - Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit cards. This is a low risk zone because it’s protected from the other two zones and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses spread to these systems is minimal.
In summary, to segment your network for security you should:
- Protect both business environments from the untrusted environment.
- Protect your card data business environment from the non-card business environment.
Best Practices for Dedicated Networks
- Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices.
- Keep your network devices (modems, switches, routers) in a secure, locked area.
- Disable all Wi-Fi broadcasts from modems.
- Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible for ensuring your device firmware stays up to date.
- A dedicated network is your Card Data Business Environment. Do not use it for any purposes other than those which are critical to your business. This includes only the services outlined in the Network Requirements Guide document.
V5 Kiosk with Cellular
V5 Kiosk with Ethernet
Operators are responsible for the physical security of kiosks & their peripheral devices, as well as any routers, switches, and modems at the client's site.
- The kiosk enclosure must always remain locked unless service is actively being performed.
- The security plates used to protect the kiosk firewall must remain intact and always secured.
- Network devices external to the kiosk enclosure must be kept in a locked, secure environment.
- Keys to access the kiosk enclosure (and other secure environments) must only be provided to trusted employees. A proper chain of custody process for keys should in place.
- Devices must be inspected regularly for tampering:
- Inspect the card reader. Does it look natural/normal? Does it appear that it has been altered?
- Gently pull on the card reader. Be sure that no foreign device has been installed over the top of the original reader.
- Inspect the kiosk's outside enclosure. Has it been damaged? Are the locks and screws still in place?
- Inspect the kiosk CPU. Are there any unfamiliar USB devices connected.
- Inspect the rest of the inside of the kiosk's enclosure. Are there any unfamiliar devices installed?
- Use DVR recording, and regularly review footage.
Operators are responsible for onboarding and offboarding employee access to the kiosk management environment(s). This includes documented processes for the following:
- Creating accounts and assigning appropriate permissions to employees with access to the kiosk environment(s) such as the kiosk driver login and cashier/staff accounts in ADM.
- Revoking accounts when employees are terminated or resign.
- Regular audits of accounts to ensure access is still appropriate.
Kiosk CPUs and card readers must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the devices back to 365 who will securely destroy them at no cost.
Operators must organize and complete security awareness training for all individuals with access to the kiosk environment upon hire and annually thereafter, and must also document the completion of the aforementioned training. This is best accomplished as part of a comprehensive cyber-security awareness training program.
365 Retail Markets Security Controls
The succeeding sections outline many of the controls 365 Retail Markets has in place to protect sensitive data.
Security of Device
V5 Kiosks utilize a secure, direct real-time connection to the card processor when items are checked out. The transactions are card present, with no cardholder data stored for later use. Transactions are needed to complete the purchase of items from self-service, stand-alone kiosks and mini-retail shops where 365 Retail Markets provide their services. All data is encrypted by the card reader at time of card swipe, and 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. This dramatically reduces the scope as 365 Retail Markets does not store, process, and/or transmit the PAN (PAN data is encrypted during transmission, but 365 Retail Markets does not have access to keys – hence not in scope).
Credit Card Data
365 Retail Markets is PCI DSS certified. Both Heartland Payment Systems and Apriva LLC are PCI DSS certified gateways and support advanced security features like hardware card encryption, card tokenization, and EMV technology.
Card Holder Data Processing
Heartland operates as a payment gateway service. TLS 1.2 and a select suite of ciphers is the minimum requirement for using the service. Heartland supports multiple methods of securing transmitted and stored data. The primary options are Heartland End-to-End Encryption (E3) and Heartland’s Enterprise Tokenization Service (ETS). These options can be used together or independently. E3 encrypts card data at the point of entry in a hardware solution such that the POS never handles data in the clear. Tokenization allows merchants to store a value that represents a card number for future processing. These tokens are referred to as multi-use tokens since they can be used over and over as a reference to the original card data. Portico supports two methods of encryption for securing PAN and track information: Heartland E3 and AES using DUKPT. Heartland E3 is an implementation of the Voltage Identity-Based Encryption methodology offered by Heartland to allow card data to be encrypted from the moment it is obtained at the POS and throughout Heartland processing. Since software is vulnerable to intrusions, this technology is hardware based. Using E3 hardware, the POS software never sees card data. It also allows the card data to remain encrypted throughout all of Heartland’s and 365’s systems. This not only removes intrusion threats; it also greatly reduces the PCI scope of 365’s POS. AES using DUKPT key management is provided for 365 by the ID TECH card reader. This technology offers near end-to-end encryption. TDES using DUKPT key management offers end-to-end encryption using ANSI X9.24 part 1 standard.
Apriva operates as a payment gateway service. Apriva provides wireless (cellular), wired (PSTN), and internet payment transaction services for merchant clients. Merchant clients connect to Apriva’s application server tier by the communications channels, and application servers interact with database servers that contain stored cardholder data. These systems then communicate transactions to other processing entities, which return authorization messages that Apriva provides to the merchant customer. TLS 1.2 and a select suite of ciphers is the minimum requirement for using the service. AES using DUKPT key management is provided for 365 by the ID TECH card reader. This technology offers near end-to-end encryption. TDES using DUKPT key management offers end-to-end encryption using ANSI X9.24 part 1 standard. Apriva stores the PAN encrypted in a SQL database.
- TeamViewer is used for Remote Viewing & Remote Control of devices/kiosks.
- Putty (SSH) is used for Command Line Scripts.
- DashWeb is used for Software Updates, Real Time analytics, and Notifications.
- Meraki Z3 facilitates a VPN connection which provides an encrypted connection to the kiosks.
- CentOS systems are mirrored from production repositories hosted at AWS (Amazon Web Services).
- Ubuntu systems are patched from Canonical Landscape or Ubuntu package repos
Data Storage and Encryption
For non-CHD data:
- AWS (Amazon Web Services) is where all data from the kiosks is stored.
- RDS Encryption is used for all data at rest.
- TLS 1.2 over an IPSEC VPN tunnel is used for data in transit.
- Additional Certificates for AWS can be found here: https://aws.amazon.com/certification/.
- Cisco Endpoint Protection - Advanced Malware Protection
Security Audits & Scans
- A PCI DSS audit is performed annually by an independent third party QSA.
- ASV scans are performed quarterly.
- Penetration tests are performed yearly.
Secure Code Analysis
- Dynamic Application Security Testing (DAST) via Veracode.
- Static Application Security Testing (SAST) via Veracode.
Business Resiliency - DR/BC
- Disaster Recovery plans tested annually.
- RTO and RPO outlined in the table below:
|2||Primary DB Server Failure||Failover to backup||30 minutes||15 minutes||None||Operator portal not available for the duration of the recovery process.|
|3||Primary App Server Failure||Failover to backup||15 minutes||15 minutes||None||None|
|4||Primary DB & App Server Failure||Failover to respective backups||30 minutes||15 minutes||None||Operator portal not available for the duration of the recovery process.|
|5||Natural Calamity impacting the entire AWS Oregon region.||Recover from backups to AWS Ohio region||24 hours||15 minutes - 24 hours||None||Operator portal not available for the duration of the recovery process.|
Privacy, Biometrics, and Terms & Conditions Policies
- These policies can be located at https://365retailmarkets.com/consumer-policy.
PCI-DSS Responsibility Matrix
|Requirement 1: Install and maintain a firewall configuration to protect cardholder data.||
|Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.||
|Requirement 3: Protect stored cardholder data.||
|Requirement 4: Encrypt transmission of cardholder data across open, public networks.||
|Requirement 5: Use and regularly update anti-virus software or programs.||
|Requirement 6: Develop and maintain secure systems and applications.||
|Requirement 7: Restrict access to sensitive cardholder data.||
|Requirement 8: Identify and authenticate access to system components.||
|Requirement 9: Restrict physical access to cardholder data.||
|Requirement 10: Track and monitor all access to network resources and cardholder data.||
|Requirement 11: Regularly test security systems and processes.||
|Requirement 12: Maintain a policy that addresses information security for employees and contractors.||
|10222021||10/22/2020||Contact information updated to email@example.com. Updates to sections: Credit Card Data and Credit Card Processing to include information on Heartland Payment Systems. Misc. typo fixes.|