PicoMarket, PicoCooler, and NanoMarket PCI Implementation Guide

Purpose

The purpose of this article is to outline the requirements and procedures that are necessary for an Operator to securely implement 365 Retail Markets PicoMarket, PicoCooler, and NanoMarket devices in a PCI DSS (Payment Card Industry Data Security Standard) compliant manner. It also includes information about security controls used by 365 Retail Markets.

Operator PCI Implementation Guide

The succeeding sections outline the Operator's responsibilities for securely implementing 365 Pico and NanoMarket devices.


Networks

The Pico/NanoMarket devices require a persistent, "always-on" network connection to the internet. The Operator is responsible for providing the internet connection and following this guide to ensure it is implemented in a PCI compliant manner. Our Pico/NanoMarket-specific network requirements can be found here.

If you are not comfortable creating a network following this guide, or cannot validate the client’s network follows PCI DSS guidelines, 365 Retail Markets offers several solutions to assist with network connectivity. Contact your account manager for more information on ordering a PCI DSS compliant firewall (router) or “Connect Kit”.

Important!

Under no circumstances should an Operator remove, factory reset, or change 365's secure firewall configurations.

If a factory reset is performed unintentionally, please contact 365 Support at (888) 365-6282.


SIM Cards

The Pico/NanoMarket devices support the use of a SIM card to provide a dedicated cellular network connection. This option provides a simple and secure means of ensuring your device is segmented into a Card Data Business Environment, separate from other devices, and remains PCI compliant.

Network Connectivity Options

Pico/NanoMarket devices support both wired and wireless networks, provided the network is configured as a Card Data Business Environment. Never connect your device to an Untrusted Environment or a Non-Card Data Business Environment. For example, never connect your devices to a "guest" Wi-Fi network.

Corporate Versus Dedicated Networks

A Pico/NanoMarket not utilizing a SIM card has two primary options for establishing network connectivity at most client locations: a Corporate Network or a Dedicated Network.

Corporate Networks (e.g., a secure client network) are the secure building networks that provide internet connectivity throughout a building. These Corporate Networks often restrict the types of information that can be transmitted on them. Corporate Networks are typically managed by a dedicated team member who can advise on the feasibility of allowing your market to operate on their existing Internet connection.

Dedicated Networks (e.g., OptConnect, DSL) are completely separate networks that operators install themselves, which circumvents many of the challenges that a Corporate Network may present. A Dedicated Network could consist of a DSL line, a 4G/5G cellular modem, or another dedicated high-speed connection. As the market owner, the Operator would need to arrange for this dedicated service to be installed in the client's environment.

Corporate Network* pros:

  • Internet service is already in place. No additional cost to the operator.
  • The network is typically very fast compared to DSL or cellular Internet service.
  • Typically managed by dedicated personnel at the client location with knowledge of troubleshooting and secure networking protocols.

Corporate Network* cons:

  • The operator may need to coordinate and implement the correct and secure settings with the client IT staff/network administrator.
  • Wiring is typically run to a single location, making market mobility challenging.
  • The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.

Dedicated Network** pros:

  • No need to ask client IT staff to open access or run wiring to a new location.
  • The operator owns the network, and therefore requires less coordination to ensure PCI best practices are being followed.
  • If cellular is chosen, you have the added mobility to move the market and internet together as needed.

Dedicated Network** cons:

  • The operator needs to organize, implement, and pay for Internet service.
  • Network connectivity (especially cellular) may be slower than a corporate network.
  • When service is interrupted (e.g., a power surge, or the modem needs a reset), the operator is responsible for responding and troubleshooting the outage.
  • May require an operator resource with IT and networking knowledge to ensure the best practices outlined in this guide are followed. (365 Retail staff are available to assist with secure network setup.)

*If the operator chooses to use a corporate network, it is the operator’s responsibility to ensure this guide is followed by the client network administrator. Be sure to supply them a copy of this guide early in the implementation process, and instruct them to pay special attention to the Networks section.

**If the operator chooses to use a dedicated network, it is your responsibility to ensure the best practices outlined in this guide are followed.

Network Segmentation for Corporate Networks

When deploying on a corporate network, segmenting the market point-of-sale device into a secure Card Data Business Environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance of your network and to help protect your business from hackers. At the most basic level, there are three zones, representing three levels of risk: untrusted environments, non-card data business environments, and card data business environments.

  • Untrusted Environment – Network connections that anonymous people have access to can be considered "untrusted." They should have no network access to your business computers and POS equipment. Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest-risk zone because anybody can connect to it anonymously.
  • Non-Card Data Business Environment – Systems that are not used for payment processing but are still business-owned fit into this segment. These are systems used for email, web browsing, and other higher-risk activities that you would never want to perform on your payment processing systems. Over time, these systems will almost certainly become infected with malware or viruses at some point. Once a computer in this zone is infected, the hacker or infection will spread to other systems if they are not protected by a firewall. Please note that if any systems in this zone handle credit card data, that data is being put at risk. This is a medium-risk zone due to the risk of occasional infection. By segmenting these systems into their own zone, a breach is contained: the hacker, malware, or virus does not reach your firewall-protected payment processing zone.
  • Card Data Business Environment – Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit card numbers. This is the lowest-risk zone because it is protected from the other two zones, and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses spread to these systems is minimal.

In summary, to segment your network for security, you should:

  • Protect both business environments from the untrusted environment
  • Protect your card data business environment from the non-card business environment

Best Practices for Dedicated Networks

  • Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices.
  • Keep your network devices (modems, switches, routers) in a secure, locked area.
  • Disable unnecessary Wi-Fi broadcasts when using a wired network.
  • Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible for ensuring your device firmware stays up to date.
  • Use a dedicated network for your Card Data Business Environment. Do not use it for any purposes other than those critical to your business. This includes only the services outlined in the Technical Network Requirements document.
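The two segmentation rules summarized above, plus the "only required services" practice for the Card Data Business Environment, can be checked mechanically against whatever a firewall currently allows. The following policy checker is an added example, not code from 365 Retail Markets; the zone labels, the sample rule set and the REQUIRED_CDE_SERVICES placeholder are constructed for illustration (the real service list lives in the Technical Network Requirements document).

```python
from dataclasses import dataclass
from typing import List, Optional

# The three zones from the guide (names are constructed labels for this example).
UNTRUSTED = "untrusted"          # internet uplink, guest/visitor Wi-Fi
NON_CDE = "non_card_business"    # business PCs used for email and browsing
CDE = "card_data_business"       # Pico/NanoMarket POS devices only
ZONES = {UNTRUSTED, NON_CDE, CDE}

# Placeholder: the services the POS actually needs to reach. The real list
# is in the Technical Network Requirements document, not on this page.
REQUIRED_CDE_SERVICES = {"tcp/443"}


@dataclass(frozen=True)
class Flow:
    """One rule a firewall currently allows: initiator zone -> target zone."""
    src: str
    dst: str
    service: str  # constructed label such as "tcp/443"


def violates_segmentation(flow: Flow) -> Optional[str]:
    """Return why the flow breaks the guide's rules, or None if it is acceptable."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        return f"unknown zone in {flow}"
    # Rule 1: protect both business environments from the untrusted environment.
    if flow.src == UNTRUSTED and flow.dst != UNTRUSTED:
        return f"untrusted may not initiate to {flow.dst} ({flow.service})"
    # Rule 2: protect the card data environment from the non-card business zone.
    if flow.src == NON_CDE and flow.dst == CDE:
        return f"non-card business may not reach card data zone ({flow.service})"
    # Dedicated-network practice: the CDE talks only to the services it needs.
    if flow.src == CDE and flow.dst != CDE and flow.service not in REQUIRED_CDE_SERVICES:
        return f"card data zone egress {flow.service} to {flow.dst} is not a required service"
    return None


def audit(allowed_flows: List[Flow]) -> List[str]:
    """Check every allowed flow and collect the violations in policy order."""
    findings = []
    for flow in allowed_flows:
        reason = violates_segmentation(flow)
        if reason is not None:
            findings.append(reason)
    return findings


# Constructed sample firewall policy for the demonstration.
SAMPLE_POLICY = [
    Flow(CDE, UNTRUSTED, "tcp/443"),       # POS out to the payment processor: fine
    Flow(NON_CDE, UNTRUSTED, "tcp/443"),   # office web browsing: fine
    Flow(NON_CDE, CDE, "tcp/22"),          # office PC into the POS: violation
    Flow(UNTRUSTED, CDE, "tcp/443"),       # inbound from the internet to POS: violation
    Flow(UNTRUSTED, NON_CDE, "tcp/3389"),  # inbound remote desktop to office PCs: violation
    Flow(CDE, NON_CDE, "tcp/445"),         # POS to an office file share: violation
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("VIOLATION:", finding)
```

Intra-zone traffic and outbound flows from the business zones to the internet pass; anything initiated from the untrusted zone, anything from office systems into the POS zone, and any POS egress outside the required-services list is reported.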

Cellular Network

[Image: Cellular Network diagram]

Wireless Network

[Image: Wireless Network diagram]

Wired Network

[Image: Wired Network diagram]


Physical Security

Operators are responsible for the physical security of devices, routers, switches, modems, and peripherals.

  • The Pico/NanoMarket device must always remain secured in place unless service is being performed.
  • Network devices external to the Pico/NanoMarket device must be kept in a locked, secure environment.
  • Use DVR recording, and review it regularly.
  • Devices must be inspected regularly for tampering. For more information, see our Physical Security Audit guide.
    • Inspect the card reader. Does it look natural? Does it appear to have been altered?
    • Gently pull on the card reader. Be sure that no foreign device has been installed on top.
    • Inspect the Pico/NanoMarket device. Has it been damaged? Are the screws in place? Are the molding, bezel, and mounting intact? Are any unfamiliar devices or cables connected?


Access Controls

Operators are responsible for onboarding and offboarding employee access to the Pico/NanoMarket device environment. This includes documented processes for:

  • Creating accounts and assigning appropriate permissions to employees with access to the Pico/NanoMarket device environment (ADM, driver login, etc.).
  • Revoking accounts when employees are terminated or quit.
  • Regular audits of accounts to ensure access is still appropriate.

Secure Disposal

Pico/NanoMarket devices must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the devices back to 365, who will securely destroy them at no cost.

Employee Training

Operators must organize and complete security awareness training for all individuals with access to the Pico/NanoMarket device environment upon hire and annually thereafter and must document the completion of training. This is best accomplished as part of a comprehensive cyber security awareness training program.

365 Retail Markets Security Controls

This section outlines many of the controls 365 Retail Markets has in place to protect sensitive data.

Security of Device

PicoMarket, PicoCooler, and NanoMarket devices utilize a secure, direct, real-time connection to the card processor when items are checked out. The transactions are card-present or contactless EMV, with no cardholder data stored for later use. Transactions are performed to complete the purchase of items from the self-service, stand-alone kiosks and mini-retail shops where 365 Retail Markets provides its services. All data is encrypted by the card reader at the time of the card swipe; 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. Therefore, 365 Retail Markets does not store, process, or transmit the primary account number (PAN) in the clear: PAN data is encrypted during transmission, and 365 Retail Markets does not have access to the keys for it.

Credit Card Data

365 Retail Markets is PCI DSS certified. Heartland Payment Systems is a PCI DSS certified gateway and supports advanced security features such as hardware card encryption, card tokenization, and EMV technology.

See www.visa.com/splisting/searchGrsp.do for more information.

[Screenshot: Visa's Search Service Providers listing, showing results for Heartland Payment Systems]


Card Holder Data Processing

Heartland

Heartland operates as a payment gateway service. TLS 1.2 and a select suite of ciphers are the minimum requirement for using the service.

Heartland supports multiple methods of securing transmitted and stored data. The primary options are Heartland End-to-End Encryption (E3) and Heartland's Enterprise Tokenization Service (ETS). These options can be used together or independently.

E3 encrypts card data at the point of entry in a hardware solution, so that the POS never handles data in the clear. Tokenization allows merchants to store a value that represents a card number for future processing. These tokens are referred to as multi-use tokens, since they can be used repeatedly as a reference to the original card data.

Heartland's Portico gateway supports two methods of encryption for securing PAN and track information: Heartland E3, and AES using DUKPT (Derived Unique Key Per Transaction).

Heartland E3 is an implementation of the Voltage Identity-Based Encryption methodology, offered by Heartland to allow card data to be encrypted from the moment it is obtained at the POS and throughout Heartland processing. Since software is vulnerable to intrusions, this technology is hardware-based. Using E3 hardware, the POS software never sees card data. It also allows the card data to remain encrypted throughout all of Heartland's and 365's systems. This not only removes intrusion threats against the card data on the POS, it also greatly reduces the PCI scope of 365's POS.


Device Management

All device management systems require Multi-Factor Authentication (MFA) with location-based restrictions.

  • The ADM management portal is used for log review, market/device management, and notifications.
  • A Meraki Z3 can be used for the VPN connection, which provides an encrypted tunnel.

Data Storage and Encryption

The unencrypted credit card PAN is never stored by 365 Retail Markets. For non-CHD data:

  • All data from the Pico/NanoMarket devices is stored in AWS (Amazon Web Services).
  • RDS encryption is used for all data at rest.
  • TLS 1.2 is used for data in transit.
  • Additional AWS certifications can be found at aws.amazon.com/certification.

Security Audits and Scans

  • A PCI DSS audit is performed annually by an independent third-party QSA.
  • ASV scans are performed quarterly.
  • Penetration tests are performed yearly.

Secure Code Analysis

  • Dynamic Application Security Testing (DAST) via Veracode.
  • Static Application Security Testing (SAST) via Veracode.

Business Resiliency - DR/BC

  • Disaster Recovery plans are tested annually.
  • RTO and RPO are outlined below for each scenario:

  • 1. Normal Operations. Recovery process/method: None. RTO: N/A. RPO: N/A. Consumer impact: None. Operator impact: None.
  • 2. Primary DB Server Failure. Recovery process/method: Failover to backup. RTO: 30 minutes. RPO: 15 minutes. Consumer impact: None. Operator impact: Operator portal not available for the duration of the recovery process.
  • 3. Primary App Server Failure. Recovery process/method: Failover to backup. RTO: 15 minutes. RPO: 15 minutes. Consumer impact: None. Operator impact: None.
  • 4. Primary DB & App Server Failure. Recovery process/method: Failover to respective backups. RTO: 30 minutes. RPO: 15 minutes. Consumer impact: None. Operator impact: Operator portal not available for the duration of the recovery process.
  • 5. Natural Calamity impacting the entire AWS Oregon region. Recovery process/method: Recover from backups to AWS Ohio region. RTO: 24 hours. RPO: 15 minutes to 24 hours. Consumer impact: None. Operator impact: Operator portal not available for the duration of the recovery process.


Privacy, Biometrics and Terms and Conditions Policies

PCI-DSS Responsibility Matrix

Each PCI requirement below lists the 365 Responsibility followed by the Operator Responsibility.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

365 Responsibility:
  • Encrypt cardholder data at the point of sale, and securely transmit it to the processor.
  • Ensure all 365-provided network equipment is PCI-DSS compliant with secure configurations.

Operator Responsibility:
  • Deploy devices into a segmented, dedicated Card Data Business Environment network according to this guide.
  • If using a 365-supplied firewall, do not change its secure configurations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

365 Responsibility:
  • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor following industry-accepted standards.
  • The MSRs are secured against any logical access and are locked down by the manufacturer.
  • Within the POS systems, all systems are hardened according to industry standards and managed by 365.

Operator Responsibility, if network equipment was NOT supplied by 365:
  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before connecting the Pico/Nano to the network.
  • Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Operator Responsibility, if using a 365-supplied Firewall/Router:
  • Do not change the secure configurations of the Firewall/Router.

Requirement 3: Protect stored cardholder data.

365 Responsibility: Cardholder data is not stored by the MSR devices.

Operator Responsibility: None.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

365 Responsibility: The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor using strong encryption.

Operator Responsibility: None.

Requirement 5: Use and regularly update anti-virus software or programs.

365 Responsibility: The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor following industry-accepted standards.

Operator Responsibility: None.

Requirement 6: Develop and maintain secure systems and applications.

365 Responsibility:
  • Applications are developed following secure SDLC principles.
  • Static and dynamic code analysis security scans are in place.

Operator Responsibility: None.

Requirement 7: Restrict access to sensitive cardholder data.

365 Responsibility:
  • 365 does not store, process, and/or transmit unencrypted CHD (cardholder data); all sensitive CHD is encrypted upon contact, and entities never have custody of the encryption keys.
  • All refunds are directly coordinated with the processor and do not require sensitive CHD.

Operator Responsibility, if network equipment was NOT supplied by 365:
  • Limit access to network components to individuals whose job requires such access.
  • Establish an access control system for network components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

Operator Responsibility, if using a 365-supplied Firewall/Router:
  • Do not change the secure configurations of the Firewall/Router.

Requirement 8: Identify and authenticate access to system components.

365 Responsibility:
  • All 365 employees with computer access have unique IDs.
  • Access to network resources follows a least-privilege model with location-based restrictions, SSO, MFA, and secure onboarding processes.

Operator Responsibility, if network equipment was NOT supplied by 365:
  • Assign all users a unique ID before allowing them to access network components.
  • Immediately revoke access for any terminated users.
  • Remove/disable inactive user accounts within 90 days.
  • Enforce MFA on network components.
  • Enforce strong password rules.
  • Do not use group, shared, or generic IDs, passwords, or other authentication methods on network equipment.

Operator Responsibility, if using a 365-supplied Firewall/Router:
  • Do not change the secure configurations of the Firewall/Router.

Requirement 9: Restrict physical access to cardholder data.

365 Responsibility:
  • The MSR devices are secured within each kiosk.
  • 365 does not store and/or transmit unencrypted card data locally on the kiosk.

Operator Responsibility:
  • Deploy devices into a segmented, dedicated Card Data Business Environment network according to this guide.
  • Protect devices from tampering and substitution.
  • Maintain an inventory of all owned devices.
  • Periodically inspect device surfaces to detect tampering (for example, the addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
  • Provide training for personnel to be aware of attempted tampering or replacement of devices.
  • Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas.
  • Restrict physical access to networking/communications hardware and telecommunication lines.
  • Control physical access to kiosks and POS devices.
  • Destroy media when it is no longer needed for business or legal reasons.
  • Media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

Requirement 10: Track and monitor all access to network resources and cardholder data.

365 Responsibility:
  • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor. The MSR devices do not store cardholder data.
  • Access to network resources follows a least-privilege model with location-based restrictions, SSO, MFA, and a secure onboarding process.
  • All systems have centralized logging.

Operator Responsibility: None.

Requirement 11: Regularly test security systems and processes.

365 Responsibility:
  • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor.
  • Systems are regularly pen-tested and security scanned.
  • Incident response procedures are in place.

Operator Responsibility: None.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.

365 Responsibility:
  • As the Merchant of Record and Service Provider, a risk assessment for the provided services is maintained by 365.
  • Security awareness training is provided to all 365 employees with access to the MSR devices.
  • An incident response plan is in place to respond to any events related to a breach of security controls around the MSR devices.
  • 365 maintains an Information Security Policy that thoroughly outlines additional security controls. The policies are updated annually and re-published.

Operator Responsibility: Operators must organize and complete security awareness training for all individuals with access to the MSR devices upon hire and annually thereafter, and must document the completion of this training.


Change Log

Version 06062022 (06/06/22): Original Draft.

Version 06222022 (06/22/22): Grammar, punctuation, etc.

Version 07262022 (07/26/22):
  • Added sections: Cellular Networks, Physical Security, Secure Destruction, Employee Training, PCI-DSS Responsibility Matrix.
  • Updated sections: Networks.
  • Re-formatted sections under new headers: Operator PCI Implementation Guide and 365 Retail Markets Security Controls.