International - V5 PCI Implementation Guide

Purpose

This document will guide an Operator through securely implementing 365 kiosks in a PCI-compliant manner. It also includes information about security controls used by 365 Retail Markets. Please contact security@365smartshop.com with any questions related to this guide. 

 

Networks

The kiosk requires a persistent “always on” network connection to the internet. The Operator is responsible for providing the internet connection and following this guide to ensure it is implemented in a PCI-compliant manner. 

V5 kiosks and dining POS (ReadyTouch) typically include a hardware firewall (router). Under no circumstances should an operator remove the hardware firewall or change 365’s secure firewall configurations. This includes doing a factory reset. If a factory reset is performed unintentionally, please contact 365 Support to remotely re-apply the secure configurations. 

 

Wireless Networks

Third-party wireless or Wi-Fi (802.11x) devices are not supported and cannot be connected to the Card Data Environment.

Corporate Versus Dedicated Networks

The 365 V5 Kiosk requires network connectivity for credit card processing and receiving updates. Operators have two primary options for establishing network connectivity at most client locations: corporate networks and dedicated networks.

Many corporate environments (offices, hospitals, etc.) contain existing networks to provide Internet connectivity throughout a building. These corporate networks often restrict the types of information that can be transmitted. Corporate networks are typically managed by a dedicated team member or members who can advise on the feasibility of allowing your kiosk to operate on their existing Internet connection.

For the purposes of this document, a dedicated network constitutes a completely separate network that operators would install, circumventing many challenges that a corporate network may present. A dedicated network could consist of a DSL line, 3G/4G Wireless card, or other dedicated high-speed connection. As the kiosk owner, the operator would need to organize this new, dedicated service to be installed into the client’s environment.

If the operator chooses to use a corporate network, it is the operator’s responsibility to ensure this guide is followed by the client network administrator. Be sure to supply them with a copy of this guide early in the implementation process, paying special attention to the Networks section.

If the operator chooses to use a dedicated network, it is the operator’s responsibility to ensure the best practices outlined in this guide are followed.

 

Corporate Network

Pros:

  • Internet service is already in place. No additional cost to the operator.
  • The network is typically very fast compared to DSL or cellular Internet service.
  • Typically managed by dedicated personnel at the client location with knowledge of troubleshooting and secure networking protocols.

Cons:

  • The operator may need to coordinate and implement the correct and secure settings with the client IT staff/network administrator.
  • Wiring is typically run to a single location, which can create market mobility challenges.
  • The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.

Dedicated Network

Pros:

  • No need to ask client IT staff to open access or run wiring to a new location.
  • The operator owns the network and therefore requires less coordination to ensure PCI best practices are being followed.
  • If cellular is chosen, you have the added mobility to move the kiosk and internet together as needed.

Cons:

  • The operator needs to organize, implement and pay for Internet service.
  • Network connectivity (especially cellular) may be slower than a corporate network.
  • When service is interrupted (power surge, modem needs reset) the operator is responsible for troubleshooting the outage.
  • May require an operator resource with IT and networking knowledge to ensure the best practices outlined in this guide are followed. (365 Retail staff is available to assist with secure network setup.)

 

Network Segmentation for Corporate Networks

For deploying on a corporate network, segmenting the kiosk into a secure card data business environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance of your network and to help you protect your business from hackers.

At the most basic level, there are three zones representing three levels of risk.

  1. Untrusted Environment – Network connections that anonymous people have access to are considered “untrusted.” They should have no network access to your business computers and POS equipment. Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously.
  2. Non-Card Data Business Environment – Systems that are business-owned but not used for payment processing fit into this segment. These are systems used for email, web browsing, and other higher-risk activity that you would never want to perform on your payment processing systems. Sooner or later, these systems will almost certainly become infected with malware or viruses. Once a computer in this zone is infected, the hacker or infection will spread to other systems if they’re not protected by a firewall. Note that if any systems in this zone handle credit card data, that data is being put at risk. This is a medium-risk zone due to the risk of occasional infection. By segmenting these systems into their own zone, the breach is contained: the hacker, malware, or virus doesn’t reach your firewall-protected payment processing zone.
  3. Card Data Business Environment – Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit cards. This is a low-risk zone because it’s protected from the other two zones and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses will be spread to these systems is minimal.

 

In summary, to segment your network for security, you should:

  • Protect both business environments from the untrusted environment
  • Protect your card data business environment from the non-card business environment
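To make the three-zone model concrete, here is an added example (not from this guide or from 365 Retail Markets) that encodes the two summary rules as a policy and audits constructed firewall ACCEPT records against it. The addressing plan, the record format and the assumption that the kiosk only needs outbound TCP/443 are hypothetical; the real list of allowed services is in the International Kiosk Technical Network Requirements document.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample addressing plan (not from the guide). Longest prefix wins,
# so 0.0.0.0/0 catches anything not in one of the two business zones.
ZONES = {
    "CDE": ipaddress.ip_network("10.200.0.0/24"),      # kiosks behind the 365 firewall
    "BUSINESS": ipaddress.ip_network("10.10.0.0/16"),  # office PCs: email, web browsing
    "UNTRUSTED": ipaddress.ip_network("0.0.0.0/0"),    # internet, guest Wi-Fi, visitors
}
# Assumption for this example: the kiosk only needs outbound TLS (TCP/443) to the
# processor and 365 services; the real list is in the Technical Network Requirements.
CDE_ALLOWED_OUTBOUND = {("tcp", 443)}

class Flow(NamedTuple):
    src: str    # initiating host
    dst: str
    proto: str
    dport: int

def zone_of(ip: str) -> str:
    """Classify an address into a zone by longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a connection initiated by flow.src is allowed by the zone model."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return True, f"intra-zone traffic within {src}"
    if src == "UNTRUSTED":  # rule 1: the untrusted zone reaches neither business zone
        return False, f"untrusted zone may not initiate into {dst}"
    if dst == "CDE":        # rule 2: the non-card business zone never reaches the CDE
        return False, f"{src} may not reach the card data environment"
    if src == "CDE":        # the CDE is POS-only: approved outbound services and nothing else
        if dst == "UNTRUSTED" and (flow.proto, flow.dport) in CDE_ALLOWED_OUTBOUND:
            return True, "CDE outbound to processor/365 services over TLS"
        return False, f"CDE may not initiate {flow.proto}/{flow.dport} to {dst}"
    return True, f"{src} -> {dst} permitted"  # BUSINESS -> UNTRUSTED (browsing, email)

def audit_accepted_flows(records: list[str]) -> list[str]:
    """Return the ACCEPT records that contradict the segmentation policy.
    Record format is constructed for this example: 'ACTION src dst proto dport'."""
    violations = []
    for rec in records:
        action, src, dst, proto, dport = rec.split()
        if action != "ACCEPT":
            continue
        allowed, reason = evaluate(Flow(src, dst, proto, int(dport)))
        if not allowed:
            violations.append(f"{rec}: {reason}")
    return violations

# Constructed sample firewall records: three of the five ACCEPTs breach the zone model.
SAMPLE_RECORDS = [
    "ACCEPT 10.200.0.5 203.0.113.10 tcp 443",  # kiosk -> processor over TLS
    "ACCEPT 10.10.4.20 203.0.113.80 tcp 80",   # office PC browsing the web
    "ACCEPT 10.10.4.20 10.200.0.5 tcp 22",     # office PC -> kiosk (violation)
    "ACCEPT 198.51.100.7 10.10.4.20 tcp 445",  # internet -> office PC (violation)
    "ACCEPT 10.200.0.5 10.10.4.30 tcp 445",    # kiosk -> office file share (violation)
    "DROP 198.51.100.7 10.200.0.5 tcp 22",     # already blocked, not audited
]
```

Calling `audit_accepted_flows(SAMPLE_RECORDS)` returns the three offending records with the rule each one breaks; pointing the same function at exported ACCEPT records from the client firewall shows whether the segmentation the client IT staff configured matches this model.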

 

Best Practices for Dedicated Networks

  • Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices. 
  • Keep your network devices (modems, switches, routers) in a secure, locked area
  • Disable all Wi-Fi broadcasts from modems
  • Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible for ensuring your device firmware stays up to date.
  • A dedicated network is your Card Data Business Environment. Do not use it for any purposes other than those critical to your business. This includes only the services outlined in the International Kiosk Technical Network Requirements document. 

 

V5 International Kiosk Wiring/Network Diagram

[Diagram: V5 International Kiosk wiring and network]

Physical Security 

Operators are responsible for the physical security of kiosks, routers, switches, modems, and peripherals. 

  • The kiosk enclosure must always remain locked unless service is being performed
  • The security plates used to protect the kiosk firewall must remain intact and always secured
  • Network devices external to the kiosk enclosure must be kept in a locked, secure environment
  • Keys to access the kiosk enclosure (and other secure environments) must only be provided to trusted employees. A proper chain of custody process for keys should be in place. 
  • Devices must be inspected regularly for tampering:
    • Inspect the card reader. Does it look natural? Does it appear that it has been altered? 
    • Gently pull on the card reader. Be sure that no foreign device has been installed on top.
    • Inspect the kiosk enclosure. Has it been damaged? Are the locks and screws still in place?
    • Inspect the kiosk CPU. Are any unfamiliar USB devices connected?
  • Use DVR recording and review the footage regularly.

If you suspect a physical compromise, contact 365 Support immediately to initiate incident response.

 

Access Controls 

Operators are responsible for onboarding and offboarding employee access to the kiosk environment. This includes documented processes for: 

  • Creating accounts and assigning appropriate permissions to employees with access to the kiosk environment (ADM, kiosk driver log-in, etc.) 
  • Revoking accounts when employees are terminated or quit. 
  • Regular audits of accounts to ensure access is still appropriate. 

 

Secure Disposal 

Kiosk CPUs and card readers must be securely disposed of when they are no longer in service. Physically destroying the hard drive and memory modules with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the devices back to 365, who will securely destroy them at no cost. 

 

Employee Training 

Operators must organize and complete security awareness training for all individuals with access to the kiosk environment upon hire and annually thereafter. This training must be documented upon completion. This is best accomplished as part of a comprehensive cyber security awareness training program. 

 

Security of Devices

V5 Kiosks use a secure, direct, real-time connection to the card processor when items are checked out. The transactions are card-present, with no cardholder data stored for later use. Transactions are needed to complete the purchase of items from the self-service, stand-alone kiosks and mini-retail shops where 365 Retail Markets provides its services. All data is encrypted by the card reader at the time of card swipe; 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. This dramatically reduces PCI scope, since 365 Retail Markets does not store, process, or transmit unencrypted cardholder data (PAN data is encrypted during transmission, but 365 Retail Markets does not have access to the keys, hence it is not in scope).

 

Credit Card Data

365 Retail Markets is PCI DSS Certified. Nayax Solution for Cashless Payments is PCI DSS Certified and supports advanced security features, like hardware card encryption at swipe, card tokenization, and EMV technology.

 

Card Holder Data Processing

Nayax

The service provides secure transmission of data through GSM, CDMA, GPRS, Ethernet, or Wi-Fi. The solution can interface with a wide range of vending devices through DEX, DDCMP, RS232, and several other industry-standard protocols. Nayax’s solution is EMVCo certified and PCI DSS certified. The AMIT is the main device responsible for sending information from the kiosk to the Nayax back-end system. Because software is exposed to intrusion, the protection is hardware-based: card data is encrypted upon swipe at the card reader, and the POS software never sees the card data. Tokenization allows merchants to store a value that represents a card number for future processing. These tokens are referred to as multi-use tokens since they can be used repeatedly as a reference to the original card data. TLS 1.2 and a select suite of ciphers are the minimum requirement for using the service.

More information on the EMVCo certification can be found at https://www.emvco.com/approved-registered/approved-products/

Nayax’s PCI DSS status information can be found at https://www.visa.com/splisting/searchGrsp.do

 

Remote Access

All remote access systems require MFA with location-based restrictions.

  • TeamViewer is used for Remote Viewing
  • PuTTY (SSH) is used for Command Line Scripts
  • DashWeb is used for Software Updates, Real-Time Analytics, Notifications
  • Meraki Z3 is used for the VPN connection, which provides an encrypted connection

 

Patching

  • CentOS systems are mirrored from production repositories hosted at AWS
  • Ubuntu systems are patched from Canonical Landscape

 

Data Storage and Encryption

The unencrypted credit card PAN is never stored by 365 Retail Markets. For non-CHD data:

  • AWS (Amazon Web Services) is where all data from the kiosks is stored.
  • RDS Encryption is used for all data at rest.
  • TLS 1.2 over an IPsec VPN tunnel is used for data in transit.
  • Additional Certificates for AWS can be found here: https://aws.amazon.com/certification/

 

Endpoint Security 

  • Cisco Endpoint Protection - Advanced Malware Protection 

 

Security Audits and Scans 

  • A PCI DSS audit is performed annually by an independent third-party QSA. 
  • ASV scans are performed quarterly. 
  • Penetration tests are performed yearly. 

 

Secure Code Analysis 

  • Dynamic Application Security Testing (DAST) via Veracode 
  • Static Application Security Testing (SAST) via Veracode 

 

Business Resiliency – DR/BC 

  • Disaster Recovery plans tested annually 
  • RTO and RPO are outlined in the table below 

| Description | Recovery Process/Method | RTO | RPO | Consumer Impact | Operator Impact |
|---|---|---|---|---|---|
| Normal Operations | None | N/A | N/A | None | None |
| Primary DB Server Failure | Failover to backup | 30 mins | 15 mins | None | Operator portal not available for the duration of recovery |
| Primary App Server Failure | Failover to backup | 15 mins | 15 mins | None | None |
| Primary DB & App Server Failure | Failover to respective backups | 30 mins | 15 mins | None | Operator portal not available for the duration of recovery |
| Natural Calamity impacting the entire AWS Oregon region | Recover from backups to AWS Ohio region | 24 hrs | 15 mins - 24 hrs | None | Operator portal not available for the duration of recovery |

 

Privacy, Biometrics, and Terms & Conditions Policies

Depending on your jurisdiction, market users may be entitled to exercise certain individual rights. 365 Retail Markets is committed to upholding the privacy rights of users within the European Union and principles laid out in the General Data Protection Regulation (GDPR).

These policies can be located at https://365retailmarkets.com/consumer-policy.

 

PCI-DSS Responsibility Matrix 

The matrix below outlines each PCI requirement and the party responsible for compliance. 

 

PCI Requirement 1:

Install and maintain a firewall configuration to protect cardholder data. 

365 Responsibility:

  • Encrypt cardholder data at the point of sale, and securely transmit it to the processor. 
  • All POS contain a PCI-DSS-compliant firewall with secure configurations. 

Operator Responsibility:

  • Do not change the security configurations of the kiosk firewall
  • Do not physically remove the kiosk firewall

 

PCI Requirement 2:

Do not use vendor-supplied defaults for system passwords and other security parameters. 

365 Responsibility 

  • Encrypt cardholder data at the point of sale, and securely transmit it to the processor. 
  • The MSRs are secured against any logical access and are locked down by the manufacturer. 
  • Within the POS systems, all systems are hardened according to industry standards and managed by 365. 

Operator Responsibility 

  • Do not change the security configurations of the kiosk firewall. 

 

PCI Requirement 3:

Protect stored cardholder data. 

365 Responsibility 

  • Cardholder data is not stored by the MSR devices. 

Operator Responsibility 

  • None 

 

PCI Requirement 4:

Encrypt transmission of cardholder data across open, public networks. 

365 Responsibility 

  • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor using strong encryption. 

Operator Responsibility 

  • None 

 

PCI Requirement 5:

Use and regularly update anti-virus software or programs. 

365 Responsibility 

  • The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor following industry-accepted standards. 
  • Antimalware controls are installed on the systems and definitions are updated regularly. 

Operator Responsibility 

  • None 

 

PCI Requirement 6:

Develop and maintain secure systems and applications 

365 Responsibility 

  • Applications are developed following secure SDLC principles. 
  • Static and dynamic code analysis security scans are in place. 

Operator Responsibility 

  • None 

 

PCI Requirement 7:

Restrict access to cardholder data by business need-to-know 

365 Responsibility 

  • 365 does not store, process, or transmit unencrypted CHD; all sensitive CHD is encrypted upon contact, and 365 entities never have custody of the encryption keys. 
  • All refunds are coordinated with the processor directly and do not require sensitive CHD. 

Operator Responsibility 

  • None 

 

PCI Requirement 8:

Identify and authenticate access to system components 

365 Responsibility 

  • All 365 employees with computer access have unique IDs 
  • Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and a secure onboarding process. 

Operator Responsibility 

  • None 

 

PCI Requirement 9:

Restrict physical access to cardholder data 

365 Responsibility 

  • The MSR devices are secured within each kiosk. 
  • 365 does not store and/or transmit unencrypted card data on the kiosk locally. 

Operator Responsibility 

  • Do not physically remove the kiosk firewall 
  • Protect devices from tampering and substitution 
  • Maintain an inventory of all owned devices 
  • Periodically inspect device surfaces to detect tampering (for example, the addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 
  • Provide training for personnel to be aware of attempted tampering or replacement of devices. 
  • Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. 
  • Restrict physical access to networking/communications hardware and telecommunication lines. 
  • Control physical access to kiosks and POS devices. 
  • Destroy media when it is no longer needed for business or legal reasons. 
  • Media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media). 
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 

 

PCI Requirement 10:

Track and monitor all access to network resources and cardholder data 

365 Responsibility 

  • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor. The MSR devices do not store cardholder data. 
  • Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and a secure onboarding process. 
  • All systems have centralized logging.

Operator Responsibility 

  • None 

 

PCI Requirement 11:

Regularly test security systems and processes 

365 Responsibility 

  • The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor.
  • Systems are regularly pen tested and security scanned.
  • Incident response procedures are in place.

Operator Responsibility 

  • None 

 

PCI Requirement 12:

Maintain a policy that addresses information security for employees and contractors. 

365 Responsibility 

  • As the Merchant of Record and Service Provider, a risk assessment for the provided services is maintained by 365.
  • Security awareness training is provided to all 365 employees with access to the MSR devices. 
  • An incident response plan is in place to respond to any events related to a breach of security controls around the MSR devices.
  • 365 maintains an Information Security Policy that thoroughly outlines additional security controls. The policies are updated annually and re-published.

Operator Responsibility 

  • Operators must organize and complete security awareness training for all individuals with access to the MSR devices upon hire and annually thereafter and must document the completion of this training. 

 

Change Log

 

| Version | Date | Change Log |
|---|---|---|
| 08132018 | 08/13/2018 | Original Draft |
| 03082022 | 03/08/2022 | Added sections: Table of contents, Card Holder Data Processing; Nayax, Change log. Contact information updated to security@365smartshop.com. Updates to sections: Remote access, Best practices for dedicated networks, V5 kiosk wiring/network diagram. Miscellaneous: typo fixes, wording standardization, heading standardization, outdated diagram removal, helpful links to other resources added. |
| 08262022 | 08/26/2022 | Updated for consistency with other Implementation docs. Added sections: Physical security, access control, employee training, secure disposal, Security of Devices, Endpoint Security, Security Scans and Audits, Secure Code analysis, Business Resiliency, and Responsibility Matrix. Formatting updated for consistency. |