
365Dining / ReadyTouch PCI Implementation Guide

 

Purpose

This document provides basic PCI DSS compliance information for 365 Retail Markets customers operating ReadyTouch POS markets (POS devices). It also describes the security controls used by 365 Retail Markets. Please contact security@365smartshop.com with any questions related to this document.

 

Networks

The POS device requires a persistent “always on” network connection to the internet for credit card processing and receiving updates. The Operator is responsible for providing the internet connection, and for following this guide to ensure it is implemented in a PCI-compliant manner.

V5 & Dining Point of Sale kiosks typically include a hardware firewall (router). Under no circumstances should an Operator change 365’s secure firewall configurations. This includes doing a factory reset. If a factory reset is performed unintentionally, please contact 365 Support to remotely re-apply the secure configurations.

 

Wireless Networks

Third-party wireless (Wi-Fi) devices are not supported and cannot be connected to the Card Data Environment.

 

Corporate Versus Dedicated Networks

The 365 ReadyTouch POS device requires network connectivity for credit card processing and receiving updates. Operators have two primary options for establishing network connectivity at most client locations: corporate networks and dedicated networks. 

Many corporate environments (offices, hospitals, etc.) contain existing networks to provide Internet connectivity throughout a building. These corporate networks often restrict the types of information that can be transmitted. Corporate networks are typically managed by a dedicated team member or members who can advise on the feasibility of allowing your market to operate on their existing Internet connection. The use of the provided Meraki Z series firewall/router ensures the scope for PCI compliance remains within the contained network. 

For the purposes of this document, a dedicated network constitutes a completely separate network that operators would install, which circumvents many challenges that a corporate network may present. A dedicated network could consist of a DSL line, 4G/5G Wireless card, or other dedicated high-speed connection. As the market owner, the operator would need to organize this new, dedicated service to be installed into the client’s environment. 

If the operator chooses to use a corporate network, it is the operator’s responsibility to ensure this guide is followed by the client network administrator. Be sure to supply them with a copy of this guide early in the implementation process, paying special attention to the Networks section.

If the operator chooses to use a dedicated network, it is your responsibility to ensure the best practices outlined in this guide are followed. 

 

Corporate Network

Pros

  • Internet service is already in place. No additional cost to the operator.
  • The network is typically very fast compared to DSL or cellular Internet service.
  • Typically managed by dedicated personnel at the client location with knowledge of troubleshooting and secure networking protocols.

Cons

  • The operator may need to coordinate and implement the correct and secure settings with the client IT staff/network administrator.
  • Wiring is typically run to a single location, which can create market mobility challenges.
  • The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.

Dedicated Network

Pros

  • No need to ask client IT staff to open access or run wiring to a new location.
  • The operator owns the network and therefore requires less coordination to ensure PCI best practices are being followed.
  • If cellular is chosen, you have the added mobility to move the market POS devices and internet together as needed.

Cons

  • The operator needs to organize, implement and pay for Internet service.
  • Network connectivity (especially cellular) may be slower than a corporate network.
  • When service is interrupted (power surge, modem needs reset), the operator is responsible for responding to and troubleshooting the outage.
  • May require an operator resource with IT and networking knowledge to ensure the best practices outlined in this guide are followed. (365 Retail staff is available to assist with secure network setup.)

 

Network Segmentation for Corporate Networks

For deploying on a corporate network, segmenting the POS devices into a secure card data business environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance of your network and to help you protect your business from hackers.

At the most basic level, there are three zones representing three levels of risk:

  1. Untrusted Environment – Network connections that anonymous people have access to are considered “untrusted.” They should have no network access to your business computers, and POS Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously. 
  2. Non-Card Data Business Environment – Systems not used for payment processing but still business-owned fit into this segment. These are systems that can be used for email, web browsing, and other higher-risk activity that you would never want to perform on your payment processing systems. Sooner or later, these systems are likely to become infected with malware or viruses. Once a computer in this zone is infected, the attacker or infection can spread to other systems if they are not protected by a firewall. Note that if any systems in this zone handle credit card data, that data is being put at risk. This is a medium-risk zone due to the risk of occasional infection. By segmenting these systems into their own zone, the breach is contained: the attacker, malware, or virus does not reach your firewall-protected payment processing zone. 
  3. Card Data Business Environment – Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit cards. This is a low-risk zone because it’s protected from the other two zones, and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses will be spread to these systems is minimal. 

In summary, to segment your network for security, you should: 

  • Protect both business environments from the untrusted environment 
  • Protect your card data business environment from the non-card business environment 

 

Best Practices for Dedicated Networks

  • Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices. 
  • Keep your network devices (modems, switches, routers) in a secure, locked area 
  • Disable all Wi-Fi broadcasts from modems 
  • Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible for ensuring your device firmware stays up to date. 
  • A dedicated network is your Card Data Business Environment. Do not use it for any purposes other than those critical to your business. This includes only the services outlined in the Technical Network Requirements document for your market equipment. 

 

ReadyTouch/365 Dining POS Network

  • It is important to keep in mind that every 365Dining location is different and may not include all pieces of hardware or include all features mentioned. 
  • Please note that the Meraki series firewall/router is always between the POS and the connection to the corporate-provided network or dedicated network connection to the WAN (internet). 

A diagram describing the ReadyTouch/365 Dining POS Network

 

Physical Security

Operators are responsible for the physical security of POS devices, routers, switches, modems, and peripherals. 

  • The POS device must always remain in a secure area
  • Network devices external to the POS device must be kept in a locked, secure environment
  • All devices must be inspected regularly for tampering:
    • Inspect the card reader. Does it look natural? Does it appear that it has been altered? 
    • Gently pull on the card reader. Be sure that no foreign device has been installed on top. 
    • Inspect the POS device. Has it been damaged? 
    • Inspect the POS device for unfamiliar USB devices connected.

 

If you suspect a physical compromise, contact 365 Support immediately to perform an Incident Response. 

 

Access Controls

Operators are responsible for onboarding and offboarding employee access to the POS device environment. This includes documented processes for: 

  • Creating accounts and assigning appropriate permissions to employees with access to the POS device environment (ADM, manager login, etc.) 
  • Revoking accounts when employees are terminated or quit
  • Regular audits of accounts to ensure access is still appropriate

 

Secure Disposal

POS devices must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the device(s) back to 365, who will securely destroy them at no cost.

 

Employee Training

Operators must organize and complete security awareness training for all individuals with access to the POS device environment upon hire, and annually thereafter. This training must be documented upon completion. This is best accomplished as part of a comprehensive cyber security awareness training program. 

 

365 Retail Markets Security Controls

Security of Device

ReadyTouch POS devices utilize a secure, direct, real-time connection to the card processor when items are checked out. The transactions are card present, with no cardholder data stored for later use. Transactions are needed to complete the purchase of items from the POS devices and mini-retail shops where 365 Retail Markets provides its services. All data is encrypted by the card reader at the time of card swipe; 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. This dramatically reduces the scope, as 365 Retail Markets does not store, process, or transmit the PAN (PAN data is encrypted during transmission, but 365 Retail Markets does not have access to the keys, hence it is not in scope).

 

Credit Card Data

365 Retail Markets is PCI DSS certified. Apriva LLC provides the PCI-DSS-certified gateways and supports advanced security features, like hardware card encryption, card tokenization, and EMV technology.

Learn more at http://www.visa.com/splisting/searchGrsp.do

A screenshot of the Visa Website, showing 1 record for Heartland Payment Systems LLC

 

Card Holder Data Processing

Apriva

Apriva operates as a payment gateway service. Apriva provides wireless (cellular), wired (PSTN), and internet payment transaction services for merchant clients. Merchant clients connect to Apriva’s application server tier over these communications channels, and the application servers interact with database servers that contain stored cardholder data. These systems then communicate transactions to other processing entities, which return authorization messages that Apriva passes on to the merchant customer. TLS 1.2 and a select suite of ciphers are the minimum requirement for using the service. AES using DUKPT key management is provided for 365 by the Magtek card reader, which supports magstripe payments. Alternatively, the Ingenico IPP320 card reader supports magstripe, contactless and EMV-type payments. These technologies offer near end-to-end encryption. TDES using DUKPT key management offers end-to-end encryption using the ANSI X9.24 part 1 standard. Apriva stores the PAN encrypted in a SQL database.

 

FreedomPay 

FreedomPay is a P2PE solution provider, gateway, e-commerce and POS middleware platform provider, and operates services that require transmission and processing of clear-text CHD as a critical part of its business model. FreedomPay receives transmitted account data en route to its processors and stores the data in encrypted form in order to provide non-reversible, non-cryptographic, low-value index tokens to its merchants. These tokens support the merchant’s card-on-file transactions while helping the merchant maintain a strong compliance and security posture with respect to the storage of cardholder data. The FreedomPay environment receives only P2PE-encrypted cardholder data through this data flow, originating in and encrypted by PTS v3.x or higher POI devices using encryption keys managed by FreedomPay. CHD is collected through Ingenico iUC285 or Ingenico Lane 3000 payment terminals. PIN data is also encrypted within the POIs using acquirer keys and transmitted as PIN blocks. FreedomPay does not hold the PIN encryption keys, and thus never decrypts PIN data. Card data received via P2PE is stored in a Microsoft SQL Server 2017 database cluster, with record-level encryption using AES 256-bit encryption. The connection to each processing platform varies depending on the platform, but includes direct circuits, IPsec VPNs (minimum AES 128-bit cipher), and TLS 1.2 connections.

 

Device Management

All remote access systems require MFA with location-based restrictions.

  • TeamViewer is used for remote viewing
  • PuTTY (SSH) is used for command-line scripts
  • DashWeb is used for software updates, real-time analytics, and notifications
  • Meraki is used for the VPN connection, which provides an encrypted channel

 

Patching

  • Systems are patched from Ubuntu Package repos or Canonical Landscape.

 

Data Storage and Encryption

The unencrypted credit card PAN is never stored by 365 Retail Markets. For non-CHD data:

  • AWS (Amazon Web Services) is utilized
  • RDS encryption is used for all data at rest
  • TLS 1.2 over an IPsec VPN tunnel is used for data in transit
  • AWS compliance certifications can be found at https://aws.amazon.com/certification/

 

Endpoint Security 

  • Cisco Endpoint Protection - Advanced Malware Protection 

 

Security Audits and Scans 

  • A PCI DSS audit is performed annually by an independent third-party QSA
  • ASV scans are performed quarterly
  • Penetration tests are performed yearly

 

Secure Code Analysis 

  • Dynamic Application Security Testing (DAST) via Veracode 
  • Static Application Security Testing (SAST) via Veracode 

 

Business Resiliency – DR/BC 

  • Disaster Recovery plans tested annually 
  • RTO and RPO are outlined in the table below 

Description | Recovery Process/Method | RTO | RPO | Consumer Impact | Operator Impact
Normal Operations | None | N/A | N/A | None | None
Primary DB Server Failure | Failover to backup | 30mins | 15mins | None | Operator portal not available for the duration of recovery
Primary App Server Failure | Failover to backup | 15mins | 15mins | None | None
Primary DB & App Server Failure | Failover to respective backups | 30mins | 15mins | None | Operator portal not available for the duration of recovery
Natural Calamity impacting the entire AWS Oregon region | Recover from backups to AWS Ohio region | 24hrs | 15mins-24hrs | None | Operator portal not available for the duration of recovery

 

Privacy, Biometrics, and Terms & Conditions Policies 

These policies can be located at https://365retailmarkets.com/consumer-policy

 

PCI-DSS Responsibilities 

Below are outlines of each PCI requirement and the party responsible for compliance.

 

PCI Requirement 1: 

Install and maintain a firewall configuration to protect cardholder data. 

365 Responsibility: 

  • Encrypt cardholder data at the point of sale, and securely transmit it to the processor.  
  • All POS contain a PCI-DSS-compliant firewall with secure configurations.  

Operator Responsibility:

  • Do not change the secure configurations of the device firewall.
  • Do not physically remove the device firewall.  

 

PCI Requirement 2:

Do not use vendor-supplied defaults for system passwords and other security parameters. 

365 Responsibility:

  • Encrypt cardholder data at the point of sale, and securely transmit it to the processor. 
  • The MSRs are secured against any logical access and are locked down by the manufacturer. 
  • Within the POS systems, all systems are hardened according to industry standards and managed by 365. 

Operator Responsibility:

  • Do not change the secure configurations of the device firewall.  

 

PCI Requirement 3:

Protect stored cardholder data. 

365 Responsibility:

  • Cardholder data is not stored by the MSR devices. 

Operator Responsibility:

  • None 

 

PCI Requirement 4:

Encrypt transmission of cardholder data across open, public networks. 

365 Responsibility:

  • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor using strong encryption. 

Operator Responsibility:

  • None 

 

PCI Requirement 5:

Use and regularly update anti-virus software or programs. 

365 Responsibility:

  • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor following industry-accepted standards.  
  • Antimalware controls are installed on the systems and definitions are updated regularly. 

Operator Responsibility:

  • None 

 

PCI Requirement 6:

Develop and maintain secure systems and applications 

365 Responsibility:

  • Applications are developed following secure SDLC principles.   
  • Static and dynamic code analysis security scans are in place.  

Operator Responsibility:

  • None 

 

PCI Requirement 7:

Restrict access to cardholder data by business need-to-know 

365 Responsibility:

  • 365 does not store, process and/or transmit unencrypted CHD. All sensitive CHD is encrypted upon contact, and 365 never has custody of the encryption keys.  
  • All refunds are coordinated with the processor directly and do not require sensitive CHD.  

Operator Responsibility:

  • None 

 

PCI Requirement 8:

Identify and authenticate access to system components 

365 Responsibility:

  • All 365 employees with computer access have unique IDs  
  • Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and secure onboarding process.   

Operator Responsibility: 

  • None 

 

PCI Requirement 9:

Restrict physical access to cardholder data 

365 Responsibility:

  • The MSR devices are secured within each kiosk.   
  • 365 does not store and/or transmit unencrypted card data on the kiosk locally.  

Operator Responsibility:

  • Do not physically remove the device firewall  
  • Protect devices from tampering and substitution  
  • Maintain an inventory of all owned devices 
  • Periodically inspect device surfaces to detect tampering (for example, the addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 
  • Provide training for personnel to be aware of attempted tampering or replacement of devices. 
  • Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. 
  • Restrict physical access to networking/communications hardware and telecommunication lines. 
  • Control physical access to kiosks and POS devices. 
  • Destroy media when it is no longer needed for business or legal reasons.   
  • Media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).  
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 
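One way to act on the inventory and inspection duties above is to reconcile each inspection round against the device inventory and flag serial-number mismatches, unlisted devices, altered card readers and unfamiliar USB devices. This is an added example, not code from 365 Retail Markets; the record fields and the sample devices are constructed assumptions.

```python
"""Reconcile a POS device inventory against a physical inspection round."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryDevice:
    asset_id: str
    location: str
    device_type: str   # "kiosk", "card_reader" or "router"
    serial: str


@dataclass(frozen=True)
class Inspection:
    location: str
    device_type: str
    serial_observed: str
    reader_altered: bool = False   # reader looks altered or has an overlay
    unknown_usb: tuple = ()        # labels of unfamiliar USB devices found


def reconcile(inventory, inspections):
    """Return (severity, finding) pairs, highest severity first."""
    findings = []
    expected = {(d.location, d.device_type): d for d in inventory}
    seen = set()
    for insp in inspections:
        key = (insp.location, insp.device_type)
        label = f"{insp.location}/{insp.device_type}"
        seen.add(key)
        dev = expected.get(key)
        if dev is None:
            findings.append(("HIGH", f"{label}: not in inventory, serial "
                             f"{insp.serial_observed} (possible substitution)"))
        elif dev.serial != insp.serial_observed:
            findings.append(("HIGH", f"{label}: serial mismatch, inventory "
                             f"{dev.serial} vs observed {insp.serial_observed}"))
        if insp.reader_altered:
            findings.append(("HIGH", f"{label}: card reader appears altered "
                             "(possible skimmer)"))
        for usb in insp.unknown_usb:
            findings.append(("MEDIUM", f"{label}: unfamiliar USB device "
                             f"'{usb}' connected"))
    # Every inventoried device must be covered by the inspection round.
    for (loc, kind), dev in expected.items():
        if (loc, kind) not in seen:
            findings.append(("MEDIUM", f"{loc}/{kind}: {dev.asset_id} "
                             "not inspected this round"))
    return sorted(findings)


# Constructed sample data (assumption, not taken from the guide).
INVENTORY = (
    InventoryDevice("K-0001", "Lobby", "kiosk", "RT-AAA111"),
    InventoryDevice("R-0001", "Lobby", "card_reader", "MT-111111"),
    InventoryDevice("K-0002", "Cafeteria", "kiosk", "RT-BBB222"),
    InventoryDevice("R-0002", "Cafeteria", "card_reader", "MT-222222"),
    InventoryDevice("N-0001", "IT closet", "router", "MX-333333"),
)
INSPECTIONS = (
    Inspection("Lobby", "kiosk", "RT-AAA111", unknown_usb=("unlabelled flash drive",)),
    Inspection("Lobby", "card_reader", "MT-999999"),       # serial does not match
    Inspection("Cafeteria", "kiosk", "RT-BBB222"),
    Inspection("Cafeteria", "card_reader", "MT-222222", reader_altered=True),
    # the IT closet router was skipped this round
)


def run_sample():
    return reconcile(INVENTORY, INSPECTIONS)


if __name__ == "__main__":
    for severity, finding in run_sample():
        print(severity, finding)
```

Any HIGH finding is the trigger for contacting 365 Support for an Incident Response, as the Physical Security section directs.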

 

PCI Requirement 10:

Track and monitor all access to network resources and cardholder data 

365 Responsibility:

  • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor. The MSR devices do not store cardholder data. 
  • Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and secure onboarding process. 
  • All systems have centralized logging. 

Operator Responsibility:

  • None 

 

PCI Requirement 11:

Regularly test security systems and processes 

365 Responsibility:

  • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor.    
  • Systems are regularly pen tested and security scanned.   
  • Incident response procedures are in place.  

Operator Responsibility:

  • None 

 

PCI Requirement 12:

Maintain a policy that addresses information security for employees and contractors. 

365 Responsibility:

  • As the Merchant of Record and Service Provider, a risk assessment for the provided services is maintained by 365.  
  • Security awareness training is provided to all 365 employees with access to the MSR devices.  
  • An incident response plan is in place to respond to any events related to a breach of security controls around the MSR devices.  
  • 365 maintains an Information Security Policy that thoroughly outlines additional security controls. The policies are updated annually and re-published.   

Operator Responsibility:

  • Operators must organize and complete security awareness training for all individuals with access to the MSR devices upon hire and annually thereafter and must document the completion of this training.  

 

Change Log

Version | Date | Change Log
05202022 | 05/20/22 | Original Draft
08042022 | 08/04/22 | Revised and added sections for consistency with other PCI implementation documents
08102022 | 08/10/22 | FreedomPay added to Card Holder Data Processing, network diagram updated