The purpose of this article is to outline the requirements and procedures that are necessary for an Operator to securely implement 365 Retail Markets PicoMarket, PicoCooler, and NanoMarket devices in a PCI DSS (Payment Card Industry Data Security Standard) compliant manner. It also includes information about security controls used by 365 Retail Markets.
Operator PCI Implementation Guide
The succeeding sections outline the Operator's responsibilities for securely implementing 365 Pico and NanoMarket devices.
The Pico/NanoMarket devices require a persistent, "always-on" network connection to the internet. The Operator is responsible for providing the internet connection and following this guide to ensure it is implemented in a PCI compliant manner. Our Pico/NanoMarket-specific network requirements can be found here.
If you are not comfortable creating a network following this guide, or cannot validate the client’s network follows PCI DSS guidelines, 365 Retail Markets offers several solutions to assist with network connectivity. Contact your account manager for more information on ordering a PCI DSS compliant firewall (router) or “Connect Kit”.
Under no circumstances should an Operator remove, factory reset, or change 365's secure firewall configurations.
If a factory reset is performed unintentionally, please contact 365 Support at (888) 365-6282.
The Pico/NanoMarket devices support the usage of a SIM card to provide a dedicated cellular network connection. This option provides a simple and secure means to ensure your device is segmented in a Card Data Business Environment from other devices and remains PCI compliant.
Network Connectivity Options
Pico/NanoMarket devices support both wired and wireless networks if the network is configured as a Card Data Business Environment. Never connect your device to an Untrusted Environment or Non-Card Data Business Environment. For example, never connect your devices to a “guest” Wi-Fi network.
Corporate Versus Dedicated Networks
A Pico/NanoMarket not utilizing a SIM card has two primary options for establishing network connectivity at most client locations: Corporate or Dedicated Networks.
Corporate Networks (e.g. a secure client network) are the secure building networks that provide internet connectivity throughout a building. These Corporate Networks often restrict the types of information that can be transmitted on them. Corporate Networks are typically managed by a dedicated team member who can advise on the feasibility of allowing your market to operate on their existing Internet connection.
Dedicated Networks (e.g. OptConnect, DSL) are completely separate networks that operators install themselves, which circumvents many of the challenges a Corporate Network may present. A Dedicated Network could consist of a DSL line, 4G/5G cellular modem, or other dedicated high-speed connection. As the market owner, the Operator would need to organize this dedicated service to be installed into the client’s environment.
Corporate Network Pros:
- Internet service already in place. No additional cost to the operator.
- Network is typically very fast compared to DSL or cellular Internet service.
- Typically managed by dedicated personnel at the client location with knowledge of troubleshooting and secure networking.
Corporate Network Cons*:
- The operator may need to coordinate and implement the correct and secure settings with the client IT staff/network administrator.
- Wiring is typically run to a single location, making market mobility challenging.
- The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.
Dedicated Network Pros:
- No need to ask client IT staff to open access or run wiring to a new location.
- The operator owns the network, and therefore requires less coordination to ensure PCI best practices are being followed.
- If cellular is chosen, you have the added mobility to move the market and internet together as needed.
Dedicated Network Cons**:
- The operator needs to organize, implement and pay for Internet service.
- Network connectivity (especially cellular) may be slower than a corporate network.
- When service is interrupted (e.g. a power surge means the modem needs a reset), the operator is responsible for responding and troubleshooting the outage.
- May require an operator resource with IT and networking knowledge to ensure the best practices outlined in this guide are followed. (365 Retail staff are available to assist with secure network setup.)
*If the operator chooses to use a corporate network, it is the operator’s responsibility to ensure this guide is followed by the client network administrator. Be sure to supply them a copy of this guide early in the implementation process, and instruct them to pay special attention to the Networks section.
**If the operator chooses to use a dedicated network, it is your responsibility to ensure the best practices outlined in this guide are followed.
Network Segmentation for Corporate Networks
For deploying on a corporate network, segmenting the market point-of-sale device into a secure, card-data business environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance of your network, and to help you protect your business from hackers. At the most basic level, there are three zones, representing three levels of risk: untrusted environments, non-card data business environments, and card data business environments.
- Untrusted Environment – Network connections that anonymous people have access to can be considered “untrusted.” They should have no network access to your business computers and POS equipment. Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously.
- Non-Card Data Business Environment – Systems that are business-owned but not used for payment processing fit into this segment. These are systems used for email, web browsing, and other higher-risk activities that you would never want to perform on your payment processing systems. These systems will, on occasion, almost certainly become infected with malware and viruses. Once a computer in this zone is infected, the hacker or infection will spread to other systems if they are not protected by a firewall. Please note, if any systems in this zone handle credit card data, that data is being put at risk. This is a medium-risk zone due to the risk of occasional infection. By segmenting these systems into their own zone, the breach is contained. The hacker, malware, or virus doesn’t reach your firewall-protected payment processing zone.
- Card Data Business Environment – Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit cards. This is the lowest-risk zone because it’s protected from the other two zones and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses spread to these systems is minimal.
In summary, to segment your network for security, you should:
- Protect both business environments from the untrusted environment
- Protect your card data business environment from the non-card business environment
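As an added illustration (not 365's firewall configuration and not part of the original guide), the three-zone policy above expressed as a Linux nftables ruleset for an operator-managed router: the interface names guest0, biz0, chd0 and wan0 and the two destination addresses are assumed placeholders, and the real destinations the POS is allowed to reach come from the Technical Network Requirements document.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet pos_segmentation {
    # Hosts the card-data zone may reach. Constructed placeholder addresses:
    # replace with the endpoints listed in 365's Technical Network Requirements.
    set chd_allowed_dst {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already allowed below
        ct state established,related accept
        ct state invalid drop

        # Untrusted zone (guest Wi-Fi, visitor LAN): internet only,
        # never into either business zone
        iifname "guest0" oifname "wan0" accept

        # Non-card-data business zone: internet only, no path into the card-data zone
        iifname "biz0" oifname "wan0" accept

        # Card-data business zone: HTTPS to the approved processor/365 endpoints only.
        # Add separate accept lines for DNS/NTP only if the requirements document lists them.
        iifname "chd0" oifname "wan0" ip daddr @chd_allowed_dst tcp dport 443 accept

        # Everything else (guest->biz, guest->chd, biz->chd, chd->biz, chd->other
        # internet hosts) is logged for review, then dropped by the chain policy
        limit rate 10/second log prefix "pos-seg-drop: " drop
    }
}
```

Load with `nft -f` on the router and confirm with `nft list ruleset`; packets that exceed the log rate limit still fall through to the chain's drop policy.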
Best Practices for Dedicated Networks
- Always change vendor supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices.
- Keep your network devices (modems, switches, routers) in a secure, locked area.
- Disable unnecessary Wi-Fi broadcasts when using a wired network.
- Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible for ensuring your device firmware stays up to date.
- Use a dedicated network for your Card Data Business Environment. Do not use it for any purposes other than those critical to your business. This includes only the services outlined in the Technical Network Requirements document.
Operators are responsible for the physical security of devices, routers, switches, modems, and peripherals.
- The Pico/NanoMarket device must always remain secured in place unless service is being performed.
- Network devices external to the Pico/NanoMarket device must be kept in a locked, secure environment.
- Use DVR recording and review the footage regularly.
- Devices must be inspected regularly for tampering. For more information see our Physical Security Audit guide.
  - Inspect the card reader. Does it look natural? Does it appear that it has been altered?
  - Gently pull on the card reader. Be sure that no foreign device has been installed on top.
  - Inspect the Pico/NanoMarket device. Has it been damaged? Are the screws in place? Are the molding, bezel, and mounting intact? Are any unfamiliar devices or cables connected?
Operators are responsible for onboarding and offboarding employee access to the Pico/NanoMarket device environment. This includes documented processes for:
- Creating accounts and assigning appropriate permissions to employees with access to the Pico/NanoMarket device environment (ADM, driver login, etc.)
- Revoking accounts when employees are terminated or quit.
- Regular audits of accounts to ensure access is still appropriate.
Pico/NanoMarket devices must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the devices back to 365, who will securely destroy them at no cost.
Operators must organize and complete security awareness training for all individuals with access to the Pico/NanoMarket device environment upon hire and annually thereafter and must document the completion of training. This is best accomplished as part of a comprehensive cyber security awareness training program.
365 Retail Markets Security Controls
This section outlines many of the controls 365 Retail Markets has in place to protect sensitive data.
Security of Device
PicoMarket, PicoCooler and NanoMarket devices utilize a secure, direct, real-time connection to the card processor when items are checked out. The transactions are card-present or contactless EMV, with no cardholder data stored for later use. Transactions are needed to complete the purchase of items from the self-service, stand-alone kiosks and mini-retail shops where 365 Retail Markets provides its services. All data is encrypted by the card reader at the time of card swipe: 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. Therefore, 365 Retail Markets does not store, process, or transmit the primary account number (PAN). PAN data is encrypted during transmission, but 365 Retail Markets does not have access to the keys for it.
Credit Card Data
365 Retail Markets is PCI DSS certified. Heartland Payment Systems is a PCI DSS certified gateway, and supports advanced security features, such as hardware card encryption, card tokenization, and EMV technology.
See www.visa.com/splisting/searchGrsp.do for more information.
Card Holder Data Processing
Heartland operates as a payment gateway service. TLS 1.2 and a select suite of ciphers are the minimum requirement for using the service.
Heartland supports multiple methods of securing transmitted and stored data. The primary options are Heartland End-to-End Encryption (E3) and Heartland’s Enterprise Tokenization Service (ETS). These options can be used together or independently.
E3 encrypts card data at the point of entry in a hardware solution, such that the POS never handles data in the clear. Tokenization allows merchants to store a value that represents a card number for future processing. These tokens are referred to as multi-use tokens, since they can be used over and over as a reference to the original card data.
Portico supports two methods of encryption for securing PAN and track information: Heartland E3, and AES using DUKPT.
Heartland E3 is an implementation of the Voltage Identity-Based Encryption methodology offered by Heartland to allow card data to be encrypted from the moment it is obtained at the POS and throughout Heartland processing. Since software is vulnerable to intrusions, this technology is hardware-based. Using E3 hardware, the POS software never sees card data. It also allows the card data to remain encrypted throughout all of Heartland’s and 365’s systems. This not only removes intrusion threats, it also greatly reduces the PCI scope of 365’s POS.
All device management systems require Multi-Factor Authentication (MFA) with location-based restrictions.
- ADM management portal is used for log review, market/device management and notifications.
- Meraki Z3 can be used for a VPN connection, which provides an encrypted link.
Data Storage and Encryption
The unencrypted credit card PAN is never stored by 365 Retail Markets. For non-CHD data:
- AWS (Amazon Web Services) is where all data from the Pico/NanoMarket devices is stored
- RDS encryption is used for all data at rest
- TLS 1.2 is used for data in transit
- AWS's compliance certifications can be found at aws.amazon.com/certification
Security Audits and Scans
- A PCI DSS audit is performed annually by an independent third party QSA.
- ASV scans are performed quarterly.
- Penetration tests are performed yearly.
Secure Code Analysis
- Dynamic Application Security Testing (DAST) via Veracode.
- Static Application Security Testing (SAST) via Veracode.
Business Resiliency - DR/BC
- Disaster Recovery plans tested annually.
- RTO and RPO outlined in the table below:
| # | Scenario | Recovery action | RTO | RPO | Data loss | Operator impact |
|---|---|---|---|---|---|---|
| 2 | Primary DB Server Failure | Failover to backup | 30 minutes | 15 minutes | None | Operator portal not available for the duration of the recovery process. |
| 3 | Primary App Server Failure | Failover to backup | 15 minutes | 15 minutes | None | None |
| 4 | Primary DB & App Server Failure | Failover to respective backups | 30 minutes | 15 minutes | None | Operator portal not available for the duration of the recovery process. |
| 5 | Natural Calamity impacting the entire AWS Oregon region | Recover from backups to AWS Ohio region | 24 hours | 15 minutes - 24 hours | None | Operator portal not available for the duration of the recovery process. |
Privacy, Biometrics and Terms and Conditions Policies
- These policies can be located at 365retailmarkets.com/consumer-policy
PCI-DSS Responsibility Matrix
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  - If network equipment was NOT supplied by 365:
  - If using 365 supplied Firewall/Router:
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Requirement 5: Use and regularly update anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications.
- Requirement 7: Restrict access to sensitive cardholder data.
  - If network equipment was NOT supplied by 365:
  - If using 365 supplied Firewall/Router:
- Requirement 8: Identify and authenticate access to system components.
  - If network equipment was NOT supplied by 365:
  - If using 365 supplied Firewall/Router:
- Requirement 9: Restrict physical access to cardholder data.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
- Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Revision history: 06222022 (06/22/22): Grammar, Punctuation, etc.
Further Reading on the Pico Platform
- US/Canada PicoMarket Operator Guide
- International - PicoMarket - Operator Guide
- US/Canada PicoCooler Operator Guide
- International - PicoCooler - Operator User Guide
- NanoMarket Product Overview