Purpose
This document explains the basic PCI DSS compliance information for 365 Retail Markets ReadyTouch POS markets (POS devices) and describes the security controls used by 365 Retail Markets. Please contact security@365smartshop.com with any questions related to this document.
Operator PCI Implementation Guide
This section outlines the Operator’s responsibilities in securely implementing ReadyTouch POS markets.
Networks
The POS device requires a persistent “always on” network connection to the internet for credit card processing and receiving updates. The Operator is responsible for providing the internet connection, and for following this guide to ensure it is implemented in a PCI-compliant manner.
V5 & Dining Point of Sale kiosks typically include a hardware firewall (router). Under no circumstances should an Operator change 365’s secure firewall configurations. This includes doing a factory reset. If a factory reset is performed unintentionally, please contact 365 Support to remotely re-apply the secure configurations.
Wireless Networks
Third-party wireless (Wi-Fi) devices are not supported and must not be connected to the Card Data Environment.
Corporate Versus Dedicated Networks
The 365 ReadyTouch POS device requires network connectivity for credit card processing and receiving updates. Operators have two primary options for establishing network connectivity at most client locations: corporate networks and dedicated networks.
Many corporate environments (offices, hospitals, etc.) contain existing networks to provide Internet connectivity throughout a building. These corporate networks often restrict the types of information that can be transmitted. Corporate networks are typically managed by a dedicated team member or members who can advise on the feasibility of allowing your market to operate on their existing Internet connection. The use of the provided Meraki Z series firewall/router ensures the scope for PCI compliance remains within the contained network.
For the purposes of this document, a dedicated network constitutes a completely separate network that operators would install, which circumvents many challenges that a corporate network may present. A dedicated network could consist of a DSL line, 4G/5G Wireless card, or other dedicated high-speed connection. As the market owner, the operator would need to organize this new, dedicated service to be installed into the client’s environment.
If the operator chooses to use a corporate network, it is the operator’s responsibility to ensure this guide is followed by the client network administrator. Be sure to supply them with a copy of this guide early in the implementation process, paying special attention to the Networks section.
If the operator chooses to use a dedicated network, it is the operator’s responsibility to ensure the best practices outlined in this guide are followed.
| Corporate Network | Dedicated Network |
| --- | --- |
| Pros | Pros |
| Internet service is already in place. No additional cost to the operator. | No need to ask client IT staff to open access or run wiring to a new location. |
| The network is typically very fast compared to DSL or cellular Internet service. | The operator owns the network and therefore requires less coordination to ensure PCI best practices are being followed. |
| Typically managed by dedicated personnel at the client location with knowledge of troubleshooting and secure networking protocols. | If cellular is chosen, you have the added mobility to move the market POS devices and internet together as needed. |
| Cons | Cons |
| The operator may need to coordinate and implement the correct and secure settings with the client IT staff/network administrator. | The operator needs to organize, implement and pay for Internet service. |
| Wiring is typically run to a single location, which can create market mobility challenges. | Network connectivity (especially cellular) may be slower than a corporate network. |
| The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff. | When service is interrupted (power surge, modem needs reset) the operator is responsible for responding and troubleshooting the outage. |
| | May require an operator resource with IT and networking knowledge to ensure the best practices outlined in this guide are followed. (365 Retail staff is available to assist with secure network setup.) |
Network Segmentation for Corporate Networks
When deploying on a corporate network, segmenting the POS devices into a secure card data business environment is required. Network segmentation is a strategy that reduces the PCI DSS scope of your network and helps protect your business from attackers by containing a compromise to the zone where it starts.
At the most basic level, there are three zones representing three levels of risk:
- Untrusted Environment – Network connections that anonymous people have access to are considered “untrusted.” They should have no network access to your business computers, and POS Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously.
- Non-Card Data Business Environment – Systems that are not used for payment processing but are still business-owned fit into this segment. These are systems used for email, web browsing, and other higher-risk activity that you would never want to perform on your payment processing systems. Over time, some of these systems will almost certainly become infected with malware or viruses. Once a computer in this zone is infected, the attacker or infection will spread to other systems if they are not protected by a firewall. Note that if any systems in this zone handle credit card data, that data is being put at risk. This is a medium-risk zone because of the likelihood of occasional infection. By segmenting these systems into their own zone, a breach is contained: the attacker, malware, or virus does not reach your firewall-protected payment processing zone.
- Card Data Business Environment – Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit cards. This is a low-risk zone because it’s protected from the other two zones, and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses will be spread to these systems is minimal.
In summary, to segment your network for security, you should:
- Protect both business environments from the untrusted environment
- Protect your card data business environment from the non-card business environment
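The two rules above can be checked mechanically against a firewall rule set before it is deployed. The following is an added example, not code from 365 Retail Markets or from any firewall vendor: it models the three zones named in this section, evaluates a constructed rule list with first-match semantics (the way most firewalls do), and reports any flow the segmentation model forbids. The rule format, zone labels and sample rules are assumptions made for the example; a real check would read the vendor's exported configuration and would also have to account for stateful return traffic, which this model ignores.

```python
"""Segmentation check for the three-zone model (untrusted / non-card-data / card-data).

Added example for illustration; not part of 365 Retail Markets' guide or tooling.
Zone names follow the document; the Rule format and sample rule sets are constructed.
"""
from dataclasses import dataclass

UNTRUSTED = "untrusted"
NON_CDE = "non-card-data"
CDE = "card-data"
ZONES = (UNTRUSTED, NON_CDE, CDE)


@dataclass(frozen=True)
class Rule:
    src: str      # zone that initiates the connection
    dst: str      # zone that receives the connection
    action: str   # "allow" or "deny"


# The two summary requirements, expressed as inbound flows that must never be allowed:
# neither business zone may be reached from the untrusted zone, and the card-data
# zone may not be reached from the non-card-data zone.
FORBIDDEN_FLOWS = {
    (UNTRUSTED, NON_CDE): "untrusted zone must not reach the non-card-data environment",
    (UNTRUSTED, CDE): "untrusted zone must not reach the card-data environment",
    (NON_CDE, CDE): "non-card-data environment must not reach the card-data environment",
}


def effective_action(rules, src, dst):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.src == src and rule.dst == dst:
            return rule.action
    return "deny"


def check_segmentation(rules):
    """Return a list of violation messages; an empty list means the rule set honours the model."""
    violations = []
    for rule in rules:
        if rule.src not in ZONES or rule.dst not in ZONES or rule.action not in ("allow", "deny"):
            violations.append(f"malformed rule: {rule}")
    for (src, dst), why in FORBIDDEN_FLOWS.items():
        if effective_action(rules, src, dst) == "allow":
            violations.append(f"{src} -> {dst} is allowed: {why}")
    return violations


# Constructed sample: the POS zone may initiate outbound connections to the internet
# (card processing, updates), but nothing may initiate a connection into it.
GOOD_RULES = [
    Rule(CDE, UNTRUSTED, "allow"),
    Rule(NON_CDE, UNTRUSTED, "allow"),
    Rule(UNTRUSTED, CDE, "deny"),
    Rule(UNTRUSTED, NON_CDE, "deny"),
    Rule(NON_CDE, CDE, "deny"),
]

# Constructed sample of a common mistake: a "temporary" allow from the office network
# into the POS zone, inserted ahead of the deny so that it takes precedence.
BAD_RULES = [Rule(NON_CDE, CDE, "allow")] + GOOD_RULES

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_segmentation(rules) or "no violations")
```

Running the block prints no violations for the first rule set and one finding for the second, showing why rule order matters as much as rule content when reviewing a corporate firewall with the client's network administrator.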
Best Practices for Dedicated Networks
- Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices.
- Keep your network devices (modems, switches, routers) in a secure, locked area
- Disable all Wi-Fi broadcasts from modems
- Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible to ensure your device firmware stays up to date.
- A dedicated network is your Card Data Business Environment. Do not use it for any purposes other than those critical to your business. This includes only the services outlined in the Technical Network Requirements document for your market equipment.
ReadyTouch/365 Dining POS Network
- It is important to keep in mind that every 365Dining location is different and may not include all pieces of hardware or include all features mentioned.
- Please note that the Meraki series firewall/router is always between the POS and the connection to the corporate-provided network or dedicated network connection to the WAN (internet).
Physical Security
Operators are responsible for the physical security of POS devices, routers, switches, modems, and peripherals.
- The POS device must always remain in a secure area
- Network devices external to the POS device must be kept in a locked, secure environment
- All devices must be inspected regularly for tampering:
- Inspect the card reader. Does it look natural? Does it appear that it has been altered?
- Gently pull on the card reader. Be sure that no foreign device has been installed on top.
- Inspect the POS device. Has it been damaged?
- Inspect the POS device for unfamiliar USB devices connected.
If you suspect a physical compromise, contact 365 Support immediately so that incident response can begin.
Access Controls
Operators are responsible for onboarding and offboarding employee access to the POS device environment. This includes documented processes for:
- Creating accounts and assigning appropriate permissions to employees with access to the POS device environment (ADM, manager login, etc.)
- Revoking accounts when employees are terminated or quit
- Regular audits of accounts to ensure access is still appropriate
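The regular account audit called for above can be made repeatable by reconciling the accounts configured on the POS environment against the operator's current staff roster. The following is an added example, not 365 Retail Markets' tooling: the account fields, job titles, role names, dormancy threshold and sample records are all constructed for illustration. It flags the three things an offboarding and permissions review should catch: accounts with no matching active employee, accounts holding a role their job title does not justify, and accounts that have not been used recently.

```python
"""Access review for a POS device environment.

Added example, not 365 Retail Markets' own tooling. Account fields, job titles,
role names, the 90-day dormancy threshold and the sample records are constructed.
"""
from datetime import date

# Which POS roles each job title may hold (least privilege; constructed mapping).
ALLOWED_ROLES = {
    "route driver": {"cashier"},
    "site manager": {"cashier", "manager"},
    "ops admin": {"cashier", "manager", "admin"},
}
DORMANT_AFTER_DAYS = 90


def review_accounts(pos_accounts, roster, today):
    """Return (finding_type, login, detail) tuples for every account needing action."""
    findings = []
    active_staff = {p["employee_id"]: p for p in roster if p["status"] == "active"}
    for acct in pos_accounts:
        emp = active_staff.get(acct["employee_id"])
        if emp is None:
            # Offboarding gap: the person left (or never existed) but the login remains.
            findings.append(("orphaned", acct["login"], "no active employee; revoke the account"))
            continue
        if acct["role"] not in ALLOWED_ROLES.get(emp["title"], set()):
            findings.append(("excess-privilege", acct["login"],
                             f"{emp['title']} should not hold the {acct['role']} role"))
        last = acct["last_login"]
        if last is None or (today - last).days > DORMANT_AFTER_DAYS:
            findings.append(("dormant", acct["login"],
                             f"no login in {DORMANT_AFTER_DAYS} days; confirm it is still needed"))
    return findings


# Constructed sample data.
AUDIT_DATE = date(2022, 9, 1)
SAMPLE_ROSTER = [
    {"employee_id": "E100", "name": "J. Doe", "title": "route driver", "status": "active"},
    {"employee_id": "E101", "name": "A. Smith", "title": "site manager", "status": "active"},
    {"employee_id": "E102", "name": "B. Left", "title": "site manager", "status": "terminated"},
    {"employee_id": "E103", "name": "S. Old", "title": "ops admin", "status": "active"},
]
SAMPLE_ACCOUNTS = [
    {"login": "jdoe", "employee_id": "E100", "role": "cashier", "last_login": date(2022, 8, 30)},
    {"login": "asmith", "employee_id": "E101", "role": "admin", "last_login": date(2022, 8, 29)},
    {"login": "bleft", "employee_id": "E102", "role": "manager", "last_login": date(2022, 5, 1)},
    {"login": "svcold", "employee_id": "E103", "role": "cashier", "last_login": None},
]

if __name__ == "__main__":
    for kind, login, detail in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AUDIT_DATE):
        print(f"{kind:16} {login:8} {detail}")
```

The output of a review like this is the evidence the audit requirement asks for: keep each run's findings and the resulting account changes with the dated records of onboarding and offboarding.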
Secure Disposal
POS devices must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the device(s) back to 365, who will securely destroy them at no cost.
Employee Training
Operators must organize and complete security awareness training for all individuals with access to the POS device environment upon hire, and annually thereafter. This training must be documented upon completion. This is best accomplished as part of a comprehensive cyber security awareness training program.
365 Retail Markets Security Controls
Security of Device
ReadyTouch POS devices utilize a secure, direct, real-time connection to the card processor when items are checked out. The transactions are card present, with no cardholder data stored for later use. Transactions are needed to complete the purchase of items from the POS devices and mini-retail shops where 365 Retail Markets provides its services. All data is encrypted by the card reader at the time of card swipe; 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. This dramatically reduces the scope, as 365 Retail Markets does not store, process, or transmit the PAN (PAN data is encrypted during transmission, but 365 Retail Markets does not have access to the keys and is therefore not in scope).
Credit Card Data
365 Retail Markets is PCI DSS certified. Apriva LLC provides the PCI-DSS-certified gateways and supports advanced security features, like hardware card encryption, card tokenization, and EMV technology.
Learn more at http://www.visa.com/splisting/searchGrsp.do
Card Holder Data Processing
Apriva
Apriva operates as a payment gateway service. Apriva provides wireless (cellular), wired (PSTN), and internet payment transaction services for merchant clients. Merchant clients connect to Apriva’s application server tier over these communications channels, and the application servers interact with database servers that contain stored cardholder data. These systems then communicate transactions to other processing entities, which return authorization messages that Apriva provides to the merchant customer. TLS 1.2 and a select suite of ciphers are the minimum requirement for using the service. AES using DUKPT key management is provided for 365 by the MagTek card reader, which supports magstripe payments. Alternatively, the Ingenico IPP320 card reader supports magstripe, contactless and EMV-type payments. These technologies offer near end-to-end encryption. TDES using DUKPT key management offers end-to-end encryption using the ANSI X9.24 part 1 standard. Apriva stores the PAN encrypted in a SQL database.
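DUKPT (ANSI X9.24 part 1) is what lets the card reader encrypt every swipe under a key that 365 never holds: the reader derives a fresh key per transaction from a base derivation key it was injected with, and sends the ciphertext together with an 80-bit Key Serial Number (KSN) whose low 21 bits are a transaction counter; only the party holding the base derivation key (the gateway or processor) can re-derive the key. The block below is an added example, not code from Apriva, MagTek, Ingenico or 365 Retail Markets, and it deliberately stops short of key derivation: it parses the KSN layout, applies the X9.24 rule that a counter value may have at most ten one-bits, and keeps a per-device high-water mark so that a KSN presented twice (a replayed transaction) is rejected. The sample KSNs are constructed, and the tracker class is an illustration of a receiving-side check rather than any vendor's implementation.

```python
"""DUKPT Key Serial Number (KSN) parsing and per-transaction uniqueness check.

Added example; not code from Apriva, MagTek, Ingenico or 365 Retail Markets.
Models the ANSI X9.24-1 KSN layout: 80 bits, of which the low 21 bits are the
transaction counter and the upper 59 bits (the initial KSN) identify the key set
and device. Sample KSNs are constructed. Key derivation itself is not shown.
"""

KSN_BITS = 80
COUNTER_BITS = 21
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAX_COUNTER_ONE_BITS = 10   # X9.24-1: counter values with more set bits are skipped


def parse_ksn(ksn_hex):
    """Split a hex KSN into its initial KSN (counter cleared) and transaction counter."""
    ksn = bytes.fromhex(ksn_hex)
    if len(ksn) != KSN_BITS // 8:
        raise ValueError(f"KSN must be {KSN_BITS // 8} bytes, got {len(ksn)}")
    value = int.from_bytes(ksn, "big")
    counter = value & COUNTER_MASK
    initial_ksn = value & ~COUNTER_MASK
    return {"initial_ksn": f"{initial_ksn:020X}", "counter": counter}


def counter_is_valid(counter):
    """Counter 0 belongs to the initial key and is never used for a transaction;
    counters with more than ten one-bits are never generated by a compliant device."""
    return 0 < counter <= COUNTER_MASK and bin(counter).count("1") <= MAX_COUNTER_ONE_BITS


class KsnTracker:
    """Receiving-side record of the highest counter seen per device.

    A DUKPT key is meant to be used exactly once; a KSN whose counter is not
    strictly greater than the last one accepted for that device is either a
    replay or a device that has been reset, and either case needs investigation.
    """

    def __init__(self):
        self._last_counter = {}

    def accept(self, ksn_hex):
        parsed = parse_ksn(ksn_hex)
        if not counter_is_valid(parsed["counter"]):
            return False, "invalid transaction counter"
        device = parsed["initial_ksn"]
        if parsed["counter"] <= self._last_counter.get(device, 0):
            return False, "counter reused or rolled back (possible replay)"
        self._last_counter[device] = parsed["counter"]
        return True, "ok"


if __name__ == "__main__":
    # Constructed KSNs sharing one initial KSN, counters 1, 1 (replay) and 2.
    tracker = KsnTracker()
    for ksn in ("FFFF9876543210E00001", "FFFF9876543210E00001", "FFFF9876543210E00002"):
        print(ksn, parse_ksn(ksn), tracker.accept(ksn))
```

The check belongs at the gateway, where the base derivation key lives; 365's own position in the flow, as the page describes it, is to forward the encrypted payload and KSN without being able to decrypt either.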
FreedomPay
FreedomPay is a P2PE solution provider, gateway, e-commerce and POS middleware platform provider, and operates services that require transmission and processing of clear-text CHD as a critical part of its business model. FreedomPay receives transmitted account data en route to its processors and stores the data in encrypted form in order to provide non-reversible, non-cryptographic, low-value index tokens to its merchants. These tokens support the merchant’s card-on-file transactions while helping the merchant maintain a strong compliance and security posture with respect to the storage of cardholder data. The FreedomPay environment receives only P2PE-encrypted cardholder data through this data flow, originating in and encrypted by PTS v3.x or higher POI devices using encryption keys managed by FreedomPay. CHD is collected through Ingenico iUC285 or Ingenico Lane 3000 payment terminals. PIN data is also encrypted within the POIs using acquirer keys and transmitted as PIN blocks. FreedomPay does not hold the PIN encryption keys, and thus never decrypts PIN data. Card data received via P2PE is stored in a Microsoft SQL Server 2017 database cluster, with record-level encryption using AES 256-bit encryption. The connection to each processing platform varies depending on the platform, but includes direct circuits, IPsec VPNs (minimum AES 128-bit cipher), and TLS 1.2 connections.
Device Management
All remote access systems require MFA with location-based restrictions.
- TeamViewer is used for Remote Viewing
- PuTTY (SSH) is used for command-line scripts
- DashWeb is used for Software Updates, Real-Time analytics, Notifications
- Meraki is used for VPN connection which provides an encrypted connection
Patching
- Systems are patched from Ubuntu Package repos or Canonical Landscape.
Data Storage and Encryption
The unencrypted credit card PAN is never stored by 365 Retail Markets. For non-CHD data:
- AWS (Amazon Web Services) is utilized
- RDS Encryption is used for all data at rest
- TLS 1.2 over an IPsec VPN tunnel is used for data in transit
- Additional Certificates for AWS can be found at https://aws.amazon.com/certification/
Endpoint Security
- Cisco Endpoint Protection - Advanced Malware Protection
Security Audits and Scans
- A PCI DSS audit is performed annually by an independent third-party QSA
- ASV scans are performed quarterly
- Penetration tests are performed yearly
Secure Code Analysis
- Dynamic Application Security Testing (DAST) via Veracode
- Static Application Security Testing (SAST) via Veracode
Business Resiliency – DR/BC
- Disaster Recovery plans tested annually
- RTO and RPO are outlined in the table below
| # | Description | Recovery Process/Method | RTO | RPO | Consumer Impact | Operator Impact |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Normal Operations | None | N/A | N/A | None | None |
| 2 | Primary DB Server Failure | Failover to backup | 30 mins | 15 mins | None | Operator portal not available for the duration of recovery |
| 3 | Primary App Server Failure | Failover to backup | 15 mins | 15 mins | None | None |
| 4 | Primary DB & App Server Failure | Failover to respective backups | 30 mins | 15 mins | None | Operator portal not available for the duration of recovery |
| 5 | Natural Calamity impacting the entire AWS Oregon region | Recover from backups to AWS Ohio region | 24 hrs | 15 mins-24 hrs | None | Operator portal not available for the duration of recovery |
Privacy, Biometrics, and Terms & Conditions Policies
These policies can be located at https://365retailmarkets.com/consumer-policy.
PCI-DSS Responsibility Matrix
The matrix below outlines each PCI requirement and the party responsible for compliance.
| PCI Requirement | 365 Responsibility | Operator Responsibility |
| --- | --- | --- |
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data. | | |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. | | Do not change the secure configurations of the device firewall. |
| Requirement 3: Protect stored cardholder data. | Cardholder data is not stored by the MSR devices. | None |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks. | The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor using strong encryption. | None |
| Requirement 5: Use and regularly update anti-virus software or programs. | | None |
| Requirement 6: Develop and maintain secure systems and applications. | | None |
| Requirement 7: Restrict access to cardholder data by business need-to-know. | | None |
| Requirement 8: Identify and authenticate access to system components. | | None |
| Requirement 9: Restrict physical access to cardholder data. | | |
| Requirement 10: Track and monitor all access to network resources and cardholder data. | | None |
| Requirement 11: Regularly test security systems and processes. | | None |
| Requirement 12: Maintain a policy that addresses information security for employees and contractors. | | Operators must organize and complete security awareness training for all individuals with access to the MSR devices upon hire and annually thereafter, and must document the completion of this training. |
Change Log
| Version | Date | Change Log |
| --- | --- | --- |
| 05202022 | 05/20/22 | Original Draft |
| 08042022 | 08/04/22 | Revised and added sections for consistency with other PCI implementation documents |
| 08102022 | 08/10/22 | FreedomPay added to Card Holder Data Processing, network diagram updated |