
V5 PCI Implementation Guide

Purpose

The purpose of this article is to outline the requirements and procedures that are necessary for an Operator to securely implement 365 kiosks in a PCI DSS (Payment Card Industry Data Security Standard) compliant manner. It also includes information about security controls used by 365 Retail Markets.

 

Operator PCI Implementation Guide

The succeeding sections outline the Operator's responsibilities for securely implementing 365 kiosks.

Networks

365 kiosks require a persistent, "always-on" network connection to the internet. The Operator is responsible for providing the internet connection and following this guide to ensure it is implemented in a PCI compliant manner. Our V5-specific network requirements can be found here.

V5 & dining Point of Sale kiosks typically include a hardware firewall (router).

Important!

Under no circumstances should an Operator remove, factory reset, or change 365's secure firewall configurations.

If a factory reset is performed unintentionally, please contact 365 Support at (888) 365-6282.

 

Wireless Devices

Third-party wireless or Wi-Fi devices are not supported and cannot be connected to the kiosk environment.

 

Corporate VS Dedicated Networks

365's V5 kiosks require network connectivity for credit card processing and receiving updates. Operators have two primary options for establishing network connectivity at most client locations: corporate or independent dedicated networks (DSL, OptConnect).

Many corporate environments (offices, hospitals, etc.) contain existing networks that provide internet connectivity throughout a building or campus. These corporate networks often restrict the types of information that can be transmitted through them. Corporate networks are typically managed by dedicated local IT team member(s) or by a network administration management service, who can advise on the feasibility of allowing a kiosk to operate on the existing internet connection.

A dedicated network is a completely separate, independent network that operators can install, and it avoids many of the challenges a corporate network may present. A dedicated network could consist of a DSL line, a 4G/5G cellular modem, or another dedicated high-speed connection such as fiber or cable. As the kiosk owner, the operator is responsible for organizing and setting up this new, dedicated service to be installed in the client's environment.

Corporate Network*

Pros:
  • Internet service already in place. No additional cost to the operator.
  • Network is typically very fast and stable.
  • Managed by dedicated personnel with knowledge of troubleshooting and secure networking protocols.

Cons:
  • The operator may need to coordinate with the client IT staff or network administrator to ensure correct and secure settings/requirements are implemented.
  • Wiring is typically run to a single location, making kiosk mobility challenging.
  • The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.

Dedicated Network**

Pros:
  • No need to ask client IT staff to open access or run wiring to a new location.
  • The operator owns the network, and therefore requires less coordination to ensure PCI best practices are being followed.
  • If cellular is chosen, operators have the added mobility to move the kiosk and internet together on an as-needed basis.

Cons:
  • The operator needs to organize, implement, and pay for internet service.
  • Network connectivity (especially cellular) may be slower than a corporate network.
  • When service is interrupted or requires maintenance (power surge, severe weather, modem resets, connection stability), the Operator is responsible for responding in person to troubleshoot the outage.
  • May require an Operator resource with IT and networking knowledge to ensure the best practices in this guide are followed (365 staff is available to assist with secure network setup).

*If the Operator chooses to use a corporate network, it is the Operator's responsibility to ensure this guide is followed by the client network administrator. Be sure to supply a copy of this guide - as well as our Network Requirements Guide - early on in the implementation process. Pay special attention to the Networks section.

**If the Operator chooses to use a dedicated network, it is the Operator's responsibility to ensure the best practices outlined in this guide are followed.

 

Network Segmentation for Corporate Networks

When deploying a kiosk on a corporate network, segmenting the kiosk into a secure card data business environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance for your network and to help protect your business from attackers. At the most basic level, there are three zones representing three levels of risk:

  • Untrusted Environment - Network connections that anonymous people have access to are considered "untrusted." They should have no network access to your business computers and POS equipment, and business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously.

  • Non-Card Data Business Environment - Business-owned systems that are not used for payment processing fit into this segment. These are systems used for email, web browsing, and other higher-risk activity that you would never want to perform on your payment processing systems. From time to time, these systems will almost certainly become infected with malware or viruses. Once a computer in this zone is infected, the hacker or infection will spread to other systems if they are not protected by a firewall, so if any systems in this zone handle credit card data, that data is being put at risk. This is a medium risk zone due to the risk of occasional infection. By segmenting these systems into their own zone, the breach is contained: the hacker, malware, or virus does not reach your firewall-protected payment processing zone.

  • Card Data Business Environment - Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit card numbers. This is a low risk zone because it is protected from the other two zones and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses spread to these systems is minimal.

In summary, to segment your network for security you should:

  • Protect both business environments from the untrusted environment.
  • Protect your card data business environment from the non-card business environment.

 

Best Practices for Dedicated Networks

  • Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices.
  • Keep your network devices (modems, switches, routers) in a secure, locked area.
  • Disable all Wi-Fi broadcasts from modems.
  • Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible for ensuring your device firmware stays up to date.
  • A dedicated network is your Card Data Business Environment. Do not use it for any purposes other than those which are critical to your business. This includes only the services outlined in the Network Requirements Guide document.

 

V5 Kiosk with Cellular

[Figure: V5_Kiosk_with_Cellular.PNG]

V5 Kiosk with Ethernet

[Figure: V5_Kiosk_with_Ethernet.PNG]

Physical Security

Operators are responsible for the physical security of kiosks & their peripheral devices, as well as any routers, switches, and modems at the client's site.

  • The kiosk enclosure must always remain locked unless service is actively being performed.

  • The security plates used to protect the kiosk firewall must remain intact and always secured.

  • Network devices external to the kiosk enclosure must be kept in a locked, secure environment.

  • Keys to access the kiosk enclosure (and other secure environments) must only be provided to trusted employees. A proper chain-of-custody process for keys should be in place.

  • Devices must be inspected regularly for tampering:
    • Inspect the card reader. Does it look natural/normal? Does it appear that it has been altered?
    • Gently pull on the card reader. Be sure that no foreign device has been installed over the top of the original reader.
    • Inspect the kiosk's outside enclosure. Has it been damaged? Are the locks and screws still in place?
    • Inspect the kiosk CPU. Are there any unfamiliar USB devices connected?
    • Inspect the rest of the inside of the kiosk's enclosure. Are there any unfamiliar devices installed?

  • Use DVR recording, and regularly review footage.

 

 

Access Controls

Operators are responsible for onboarding and offboarding employee access to the kiosk management environment(s). This includes documented processes for the following:

  • Creating accounts and assigning appropriate permissions to employees with access to the kiosk environment(s) such as the kiosk driver login and cashier/staff accounts in ADM.
  • Revoking accounts when employees are terminated or resign.
  • Regular audits of accounts to ensure access is still appropriate.

 

Secure Disposal

Kiosk CPUs and card readers must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the devices back to 365, which will securely destroy them at no cost.

 

Employee Training

Operators must organize and complete security awareness training for all individuals with access to the kiosk environment upon hire and annually thereafter, and must also document the completion of the aforementioned training. This is best accomplished as part of a comprehensive cyber-security awareness training program.

 

365 Retail Markets Security Controls

The succeeding sections outline many of the controls 365 Retail Markets has in place to protect sensitive data.

Security of Device

V5 kiosks use a secure, direct, real-time connection to the card processor when items are checked out. Transactions are card-present, with no cardholder data stored for later use. Transactions are needed to complete the purchase of items from self-service, stand-alone kiosks and mini-retail shops where 365 Retail Markets provides its services. All data is encrypted by the card reader at the time of card swipe; 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. This dramatically reduces PCI scope, as 365 Retail Markets does not store, process, and/or transmit the PAN (PAN data is encrypted during transmission, but 365 Retail Markets does not have access to the keys, hence it is not in scope).

 

Credit Card Data

365 Retail Markets is PCI DSS certified. Both Heartland Payment Systems and Apriva LLC are PCI DSS certified gateways and support advanced security features like hardware card encryption, card tokenization, and EMV technology.


 

Card Holder Data Processing

Heartland

Heartland operates as a payment gateway service. TLS 1.2 and a select suite of ciphers are the minimum requirements for using the service. Heartland supports multiple methods of securing transmitted and stored data. The primary options are Heartland End-to-End Encryption (E3) and Heartland's Enterprise Tokenization Service (ETS). These options can be used together or independently.

E3 encrypts card data at the point of entry in a hardware solution, so that the POS never handles data in the clear. Tokenization allows merchants to store a value that represents a card number for future processing. These tokens are referred to as multi-use tokens since they can be used repeatedly as a reference to the original card data.

Portico supports two methods of encryption for securing PAN and track information: Heartland E3 and AES using DUKPT. Heartland E3 is an implementation of the Voltage Identity-Based Encryption methodology offered by Heartland, which allows card data to be encrypted from the moment it is obtained at the POS and throughout Heartland processing. Because software is vulnerable to intrusions, this technology is hardware based. Using E3 hardware, the POS software never sees card data, and the card data remains encrypted throughout all of Heartland's and 365's systems. This not only removes intrusion threats; it also greatly reduces the PCI scope of 365's POS.

AES using DUKPT key management is provided for 365 by the ID TECH card reader. This technology offers near end-to-end encryption. TDES using DUKPT key management offers end-to-end encryption using the ANSI X9.24 Part 1 standard.

 

Apriva

Apriva operates as a payment gateway service. Apriva provides wireless (cellular), wired (PSTN), and internet payment transaction services for merchant clients. Merchant clients connect to Apriva's application server tier over these communications channels, and the application servers interact with database servers that contain stored cardholder data. These systems then communicate transactions to other processing entities, which return authorization messages that Apriva provides to the merchant customer. TLS 1.2 and a select suite of ciphers are the minimum requirements for using the service.

AES using DUKPT key management is provided for 365 by the ID TECH card reader. This technology offers near end-to-end encryption. TDES using DUKPT key management offers end-to-end encryption using the ANSI X9.24 Part 1 standard. Apriva stores the PAN encrypted in a SQL database.
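The TDES DUKPT key management named in both the Heartland and Apriva sections (ANSI X9.24 Part 1), as an added worked example in Go that is not code from 365, Heartland, Apriva or ID TECH: it shows why a card reader holds only an injected IPEK and a one-way-derived per-transaction key, so only the party holding the BDK (the processor) can rebuild the data key from the KSN sent with each transaction. The AES DUKPT variant used by the ID TECH reader follows the same design with different arithmetic and is not shown; the inputs are the standard's published BDK/KSN test pair, not a production key.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

func unhex(s string) []byte { b, _ := hex.DecodeString(s); return b } // fixed literals, cannot fail

// Masks from ANSI X9.24 Part 1 (TDES DUKPT).
var keyMask = unhex("C0C0C0C000000000C0C0C0C000000000")  // IPEK right half and black-box left half
var dataMask = unhex("0000000000FF00000000000000FF0000") // data-encryption variant

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encBlock encrypts one 8-byte block: an 8-byte key becomes K,K,K (plain DES), a 16-byte key K1,K2,K1.
func encBlock(key, block []byte) []byte {
	k := append(append(append([]byte{}, key...), key[:8]...), key[:8]...)[:24]
	c, _ := des.NewTripleDESCipher(k) // k is always 24 bytes, so no error is possible
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK is the key-injection step: the reader receives only this key, never the BDK.
// IKSN is the left 8 KSN bytes with the 21-bit counter (low 5 bits of byte 7, bytes 8-9) cleared.
func DeriveIPEK(bdk, ksn []byte) []byte {
	iksn := append([]byte{}, ksn[:8]...)
	iksn[7] &= 0xE0
	return append(encBlock(bdk, iksn), encBlock(xor(bdk, keyMask), iksn)...)
}

// blackBox is the standard's non-reversible key generation: a leaked key cannot be run backwards.
func blackBox(key, reg []byte) []byte {
	right := xor(encBlock(key[:8], xor(reg, key[8:])), key[8:])
	k2 := xor(key, keyMask)
	return append(xor(encBlock(k2[:8], xor(reg, k2[8:])), k2[8:]), right...)
}

// DeriveTransactionKey replays the reader's chain: one blackBox step per set counter bit, MSB first.
func DeriveTransactionKey(ipek, ksn []byte) []byte {
	key := append([]byte{}, ipek...)
	reg := append([]byte{}, ksn[2:10]...) // rightmost 8 KSN bytes
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0
	for bit := uint32(1) << 20; bit != 0; bit >>= 1 {
		if counter&bit != 0 {
			reg[5], reg[6], reg[7] = reg[5]|byte(bit>>16), reg[6]|byte(bit>>8), reg[7]|byte(bit)
			key = blackBox(key, reg)
		}
	}
	return key
}

// DataKey is the X9.24-2009 data-encryption working key: variant mask, then self-encrypt each half.
func DataKey(txKey []byte) []byte {
	v := xor(txKey, dataMask)
	return append(encBlock(v, v[:8]), encBlock(v, v[8:])...)
}

func main() {
	// Constructed inputs: the BDK/KSN test pair from the X9.24 Part 1 annex, not a production key.
	bdk, ksn := unhex("0123456789ABCDEFFEDCBA9876543210"), unhex("FFFF9876543210E00001")
	ipek := DeriveIPEK(bdk, ksn)
	fmt.Printf("IPEK %X\nDATA %X\n", ipek, DataKey(DeriveTransactionKey(ipek, ksn)))
}
```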

 

Remote Access

  • TeamViewer is used for Remote Viewing & Remote Control of devices/kiosks.
  • PuTTY (SSH) is used for command line scripts.
  • DashWeb is used for Software Updates, Real Time analytics, and Notifications.
  • Meraki Z3 facilitates a VPN connection which provides an encrypted connection to the kiosks.

 

Patching

  • CentOS systems are mirrored from production repositories hosted at AWS (Amazon Web Services).
  • Ubuntu systems are patched from Canonical Landscape or Ubuntu package repositories.

 

Data Storage and Encryption

For non-CHD data:

  • AWS (Amazon Web Services) is where all data from the kiosks is stored.
  • RDS Encryption is used for all data at rest.
  • TLS 1.2 over an IPSEC VPN tunnel is used for data in transit.
  • Additional Certificates for AWS can be found here: https://aws.amazon.com/certification/.

 

Endpoint Security

  • Cisco Endpoint Protection - Advanced Malware Protection

 

Security Audits & Scans

  • A PCI DSS audit is performed annually by an independent third-party QSA.
  • ASV scans are performed quarterly.
  • Penetration tests are performed yearly.

 

Secure Code Analysis

  • Dynamic Application Security Testing (DAST) via Veracode.
  • Static Application Security Testing (SAST) via Veracode.

 

Business Resiliency - DR/BC

  • Disaster Recovery plans tested annually.
  • RTO and RPO outlined in the table below:

  • Scenario 1: Normal Operations
    • Recovery process/method: None
    • RTO: N/A
    • RPO: N/A
    • Consumer impact: None
    • Operator impact: None

  • Scenario 2: Primary DB Server Failure
    • Recovery process/method: Failover to backup
    • RTO: 30 minutes
    • RPO: 15 minutes
    • Consumer impact: None
    • Operator impact: Operator portal not available for the duration of the recovery process.

  • Scenario 3: Primary App Server Failure
    • Recovery process/method: Failover to backup
    • RTO: 15 minutes
    • RPO: 15 minutes
    • Consumer impact: None
    • Operator impact: None

  • Scenario 4: Primary DB & App Server Failure
    • Recovery process/method: Failover to respective backups
    • RTO: 30 minutes
    • RPO: 15 minutes
    • Consumer impact: None
    • Operator impact: Operator portal not available for the duration of the recovery process.

  • Scenario 5: Natural Calamity impacting the entire AWS Oregon region
    • Recovery process/method: Recover from backups to AWS Ohio region
    • RTO: 24 hours
    • RPO: 15 minutes - 24 hours
    • Consumer impact: None
    • Operator impact: Operator portal not available for the duration of the recovery process.

 

Privacy, Biometrics, and Terms & Conditions Policies

 

PCI-DSS Responsibility Matrix

Each PCI requirement below lists the responsibility of 365 and the responsibility of the Operator.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • 365 Responsibility:
    • Encrypt cardholder data at the point of sale, and securely transmit it to the processor.
    • Each point of sale contains a PCI-DSS compliant firewall (router) with secure configurations.
  • Operator Responsibility:
    • Do not change secure configurations of the kiosk firewall (router).
    • Do not physically remove the kiosk firewall (router).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • 365 Responsibility:
    • Encrypt cardholder data at the point of sale, and securely transmit it to the processor.
    • The MSRs are secured against any logical access and are locked down by the manufacturer.
    • Within the POS systems, all systems are hardened according to industry standards and managed by 365.
  • Operator Responsibility:
    • Do not change secure configurations of the kiosk firewall (router).

Requirement 3: Protect stored cardholder data.
  • 365 Responsibility:
    • Cardholder data is not stored by the MSR devices.
  • Operator Responsibility: None.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • 365 Responsibility:
    • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor using strong encryption.
  • Operator Responsibility: None.

Requirement 5: Use and regularly update anti-virus software or programs.
  • 365 Responsibility:
    • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor following industry-accepted standards.
    • Antimalware controls are installed on the systems and definitions are updated regularly.
  • Operator Responsibility: None.

Requirement 6: Develop and maintain secure systems and applications.
  • 365 Responsibility:
    • Applications are developed following secure SDLC principles.
    • Static and dynamic code analysis security scans are in place.
  • Operator Responsibility: None.

Requirement 7: Restrict access to sensitive cardholder data.
  • 365 Responsibility:
    • 365 does not store, process, and/or transmit unencrypted CHD (cardholder data); all sensitive CHD is encrypted upon contact, and entities never have custody of the encryption keys.
    • All refunds are directly coordinated with the processor and do not require sensitive CHD.
  • Operator Responsibility: None.

Requirement 8: Identify and authenticate access to system components.
  • 365 Responsibility:
    • All 365 employees with computer access have unique IDs.
    • Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and secure onboarding processes.
  • Operator Responsibility: None.

Requirement 9: Restrict physical access to cardholder data.
  • 365 Responsibility:
    • The MSR devices are secured within each kiosk.
    • 365 does not store and/or transmit unencrypted card data on the kiosk locally.
  • Operator Responsibility:
    • Do not physically remove the kiosk firewall (router).
    • Protect devices from tampering and substitution.
    • Maintain an inventory of all owned devices.
    • Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
    • Provide training for personnel to be aware of attempted tampering or replacement of devices.
    • Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas.
    • Restrict physical access to networking/communications hardware and telecommunication lines.
    • Control physical access to kiosks and POS devices.
    • Destroy media when it is no longer needed for business or legal reasons.
    • Media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
    • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

Requirement 10: Track and monitor all access to network resources and cardholder data.
  • 365 Responsibility:
    • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor. The MSR devices do not store cardholder data.
    • Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and a secure onboarding process.
    • All systems have centralized logging.
  • Operator Responsibility: None.

Requirement 11: Regularly test security systems and processes.
  • 365 Responsibility:
    • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor.
    • Systems are regularly pen-tested and security scanned.
    • Incident response procedures are in place.
  • Operator Responsibility: None.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.
  • 365 Responsibility:
    • As the Merchant of Record and Service Provider, a risk assessment for the provided services is maintained by 365.
    • Security awareness training is provided to all 365 employees with access to the MSR devices.
    • An incident response plan is in place to respond to any events related to a breach of security controls around the MSR devices.
    • 365 maintains an Information Security Policy that thoroughly outlines additional security controls. The policies are updated annually and re-published.
  • Operator Responsibility:
    • Operators must organize and complete security awareness training for all individuals with access to the MSR devices upon hire and annually thereafter, and must document the completion of this training.

 

Change Log
Version 09042019 (9/4/2019)
  • Original Draft.

Version 10222021 (10/22/2020)
  • Contact information updated to security@365smartshop.com.
  • Updates to sections: Credit Card Data and Credit Card Processing to include information on Heartland Payment Systems.
  • Misc. typo fixes.

Version 06172022 (6/30/2022)
  • Added sections: Physical Security, Secure Destruction, Employee Training, PCI-DSS Responsibility Matrix.
  • Updated sections: Networks.
  • Re-formatted sections under new headers: Operator PCI Implementation Guide and 365 Retail Markets Security Controls.