Purpose
This document will guide an Operator through securely implementing 365 kiosks in a PCI-compliant manner. It also includes information about security controls used by 365 Retail Markets. Please contact security@365smartshop.com with any questions related to this guide.
Networks
The kiosk requires a persistent “always on” network connection to the internet. The Operator is responsible for providing the internet connection and following this guide to ensure it is implemented in a PCI-compliant manner.
V5 kiosks and dining POS (ReadyTouch) typically include a hardware firewall (router). Under no circumstances should an operator remove the hardware firewall or change 365’s secure firewall configurations. This includes doing a factory reset. If a factory reset is performed unintentionally, please contact 365 Support to remotely re-apply the secure configurations.
Wireless Networks
Third-party wireless (Wi-Fi, 802.11) devices are not supported and must not be connected to the Card Data Environment. The kiosk's network connection must be wired.
Corporate Versus Dedicated Networks
The 365 V5 Kiosk requires network connectivity for credit card processing and receiving updates. Operators have two primary options for establishing network connectivity at most client locations: corporate networks and dedicated networks.
Many corporate environments (offices, hospitals, etc.) contain existing networks to provide Internet connectivity throughout a building. These corporate networks often restrict the types of information that can be transmitted. Corporate networks are typically managed by a dedicated team member or members who can advise on the feasibility of allowing your kiosk to operate on their existing Internet connection.
For the purposes of this document, a dedicated network constitutes a completely separate network that operators would install, circumventing many challenges that a corporate network may present. A dedicated network could consist of a DSL line, 3G/4G Wireless card, or other dedicated high-speed connection. As the kiosk owner, the operator would need to organize this new, dedicated service to be installed into the client’s environment.
If the operator chooses to use a corporate network, it is the operator’s responsibility to ensure this guide is followed by the client network administrator. Be sure to supply them with a copy of this guide early in the implementation process, paying special attention to the Networks section.
If the operator chooses to use a dedicated network, it is your responsibility to ensure the best practices outlined in this guide are followed.
Corporate Network

Pros:
- Internet service is already in place; no additional cost to the operator.
- The network is typically very fast compared to DSL or cellular Internet service.
- Typically managed by dedicated personnel at the client location with knowledge of troubleshooting and secure networking protocols.

Cons:
- The operator may need to coordinate and implement the correct and secure settings with the client IT staff/network administrator.
- Wiring is typically run to a single location, which can create market mobility challenges.
- The operator is responsible for ensuring the corporate network follows PCI standards, which often requires more coordination with client IT staff.

Dedicated Network

Pros:
- No need to ask client IT staff to open access or run wiring to a new location.
- The operator owns the network and therefore needs less coordination to ensure PCI best practices are followed.
- If cellular is chosen, the kiosk and its Internet connection can be moved together as needed.

Cons:
- The operator needs to organize, implement and pay for Internet service.
- Network connectivity (especially cellular) may be slower than a corporate network.
- When service is interrupted (power surge, modem needs reset), the operator is responsible for troubleshooting the outage.
- May require an operator resource with IT and networking knowledge to ensure the best practices outlined in this guide are followed (365 Retail staff are available to assist with secure network setup).
Network Segmentation for Corporate Networks
For deploying on a corporate network, segmenting the kiosk into a secure card data business environment is required. Network segmentation is a strategy intended to simplify PCI DSS compliance of your network and to help you protect your business from hackers.
At the most basic level, there are three zones representing three levels of risk.
- Untrusted Environment – Network connections that anonymous people have access to are considered “untrusted.” They should have no network access to your business computers and POS equipment. Business computers should never be connected directly to this zone. Common untrusted networks are the internet connection itself, customer wireless internet access, and visitor network connections. This is the highest risk zone because anybody can connect to it anonymously.
- Non-Card Data Business Environment – Systems that are business-owned but not used for payment processing fit into this segment. These are the systems used for email, web browsing, and other higher-risk activity that you would never want to perform on your payment processing systems. Over time, some of these systems will almost certainly become infected with malware or viruses. Once a computer in this zone is infected, the attacker or infection will spread to other systems if they are not protected by a firewall. Note that if any system in this zone handles credit card data, that data is being put at risk. This is a medium-risk zone due to the risk of occasional infection. By segmenting these systems into their own zone, a breach is contained: the attacker, malware, or virus does not reach your firewall-protected payment processing zone.
- Card Data Business Environment – Systems used for payment processing fit into this segment. These systems should only be used for POS activity and should NEVER be used for any other reason. Should these computers become infected with malware or viruses, sophisticated hacking tools can potentially steal sensitive data such as credit cards. This is a low-risk zone because it’s protected from the other two zones and high-risk activities such as web browsing and email do not occur inside it. The chance that hackers, malware, or viruses will be spread to these systems is minimal.
In summary, to segment your network for security, you should:
- Protect both business environments from the untrusted environment
- Protect your card data business environment from the non-card business environment
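The two rules above are easy to state and easy to get wrong in a real firewall change request, so the following added example (written for this page, not code from 365 Retail Markets) encodes them as a default-deny policy and audits a proposed rule set against it. The zone labels, the hostnames `processor.example` and `updates.example`, and port 443 are placeholders; the services the kiosk may actually reach come from 365's network requirements document. The internet uplink is treated as part of the untrusted zone, as the guide defines it.

```python
"""Segmentation policy check for a kiosk placed on a corporate network.

Added example; not part of the 365 Retail Markets guide. It encodes the guide's
two segmentation rules (protect both business zones from the untrusted zone;
protect the card data zone from the non-card business zone) as a default-deny
policy and audits a proposed firewall rule set against it. Zone labels, hostnames
and ports are placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass

UNTRUSTED = "untrusted"   # guest Wi-Fi, visitor ports, and the internet uplink itself
NON_CDE = "non_cde"       # office PCs used for email and web browsing
CDE = "cde"               # kiosk, its firewall, and the card reader

# Internet destinations the CDE may reach. Placeholder names/ports, not 365's real list.
CDE_EGRESS_ALLOWLIST = {
    ("processor.example", 443),   # card processor
    ("updates.example", 443),     # kiosk update service
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str = "*"   # "*" = any host
    dst_port: int = 0     # 0 = any port
    action: str = "allow"


def violation(rule: Rule) -> str | None:
    """Return why an allow rule breaks segmentation, or None if it is acceptable."""
    if rule.action != "allow":
        return None                     # deny rules never weaken segmentation
    s, d = rule.src_zone, rule.dst_zone
    if s == UNTRUSTED and d in (NON_CDE, CDE):
        return "untrusted zone must have no access to either business zone"
    if s == NON_CDE and d == CDE:
        return "non-card business zone must not reach the card data zone"
    if s == CDE and d == NON_CDE:
        return "card data zone is POS-only; no flows to office systems"
    if s == CDE and d == UNTRUSTED:
        if (rule.dst_host, rule.dst_port) not in CDE_EGRESS_ALLOWLIST:
            return "card data zone egress is limited to the processor and update services"
    return None


def audit(rules: list[Rule]) -> list[tuple[Rule, str]]:
    """Return every allow rule that violates the policy, paired with the reason."""
    return [(r, why) for r in rules if (why := violation(r))]


# Constructed rule set representing a typical first draft from client IT.
PROPOSED_RULES = [
    Rule(NON_CDE, UNTRUSTED),                            # office browsing: fine
    Rule(CDE, UNTRUSTED, "processor.example", 443),      # card processing: fine
    Rule(CDE, UNTRUSTED, "updates.example", 443),        # updates: fine
    Rule(CDE, UNTRUSTED),                                # "any/any" egress: too broad
    Rule(NON_CDE, CDE, dst_port=3389),                   # helpdesk RDP into the kiosk zone
    Rule(UNTRUSTED, CDE, dst_port=22),                   # SSH from guest Wi-Fi
    Rule(UNTRUSTED, NON_CDE, action="deny"),             # explicit deny is fine
]

if __name__ == "__main__":
    for rule, why in audit(PROPOSED_RULES):
        print(f"REJECT {rule.src_zone} -> {rule.dst_zone} "
              f"{rule.dst_host}:{rule.dst_port}: {why}")
```

The check that most often matters in practice is the fourth rule: an "allow any" from the kiosk zone to the internet looks harmless to an office network team, but it turns the card data zone into a general-purpose network segment. Egress from the CDE should be an explicit allowlist of the processor and update endpoints and nothing else.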
Best Practices for Dedicated Networks
- Always change vendor-supplied passwords on DSL or cellular modems. Do not leave default passwords on any of your network devices.
- Keep your network devices (modems, switches, routers) in a secure, locked area
- Disable all Wi-Fi broadcasts from modems
- Upgrade the firmware on your devices regularly. Manufacturers often deploy security patches to their devices. You are responsible to ensure your device firmware stays up to date.
- A dedicated network is your Card Data Business Environment. Do not use it for any purpose other than those critical to your business, and permit only the services outlined in the International Kiosk Technical Network Requirements document.
V5 International Kiosk Wiring/Network Diagram
Physical Security
Operators are responsible for the physical security of kiosks, routers, switches, modems, and peripherals.
- The kiosk enclosure must always remain locked unless service is being performed
- The security plates used to protect the kiosk firewall must remain intact and always secured
- Network devices external to the kiosk enclosure must be kept in a locked, secure environment
- Keys to access the kiosk enclosure (and other secure environments) must only be provided to trusted employees. A proper chain of custody process for keys should be in place.
- Devices must be inspected regularly for tampering:
  - Inspect the card reader. Does it look natural? Does it appear to have been altered?
  - Gently pull on the card reader. Be sure that no foreign device (such as a skimmer) has been installed on top of it.
  - Inspect the kiosk enclosure. Has it been damaged? Are the locks and screws still in place?
  - Inspect the kiosk CPU. Are any unfamiliar USB devices connected?
- Use DVR recording and review the footage regularly.
If you suspect a physical compromise, contact 365 Support immediately so that incident response can be performed.
Access Controls
Operators are responsible for onboarding and offboarding employee access to the kiosk environment. This includes documented processes for:
- Creating accounts and assigning appropriate permissions to employees with access to the kiosk environment (ADM, kiosk driver log-in, etc.)
- Revoking accounts when employees are terminated or quit.
- Regular audits of accounts to ensure access is still appropriate.
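The third item, the periodic access audit, is the one most often skipped, so here is an added example (written for this page, not 365's own tooling) of what such an audit looks like when run as a script. It cross-checks an exported account list against the operator's HR roster and flags the three findings an assessor will ask about: accounts belonging to people who have left, accounts with no recent use, and accounts holding more permissions than the holder's role needs. The field names, the role-to-permission map and the sample records are all constructed assumptions.

```python
"""Periodic account audit for the kiosk environment (ADM, kiosk driver log-ins).

Added example, not part of the 365 guide. Field names, the role-to-permission
map, the 90-day dormancy threshold and all sample records are assumptions.
"""
from __future__ import annotations
from datetime import date, timedelta

# Assumed mapping from job role to the maximum permission set that role needs.
ROLE_PERMISSIONS = {
    "driver": {"kiosk_login"},
    "route_manager": {"kiosk_login", "adm_reports"},
    "admin": {"kiosk_login", "adm_reports", "adm_user_management"},
}


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return a list of (username, finding) tuples; an empty list means clean."""
    findings = []
    active_staff = {e["employee_id"]: e for e in roster if e["status"] == "active"}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts are already revoked
        user = acct["username"]
        emp = active_staff.get(acct["employee_id"])
        if emp is None:
            findings.append((user, "enabled account with no active employee on roster: revoke"))
            continue
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            findings.append((user, f"no login in {dormant_days} days: disable or justify"))
        extra = set(acct["permissions"]) - ROLE_PERMISSIONS.get(emp["role"], set())
        if extra:
            findings.append((user, f"permissions beyond role {emp['role']}: {sorted(extra)}"))
    return findings


# Constructed sample data; these are not real employees or accounts.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ROSTER = [
    {"employee_id": "E100", "role": "driver", "status": "active"},
    {"employee_id": "E101", "role": "route_manager", "status": "active"},
    {"employee_id": "E102", "role": "driver", "status": "terminated"},
]
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "employee_id": "E100", "enabled": True,
     "permissions": ["kiosk_login"], "last_login": date(2024, 5, 20)},
    {"username": "asmith", "employee_id": "E101", "enabled": True,
     "permissions": ["kiosk_login", "adm_reports", "adm_user_management"],
     "last_login": date(2024, 5, 28)},
    {"username": "bjones", "employee_id": "E102", "enabled": True,
     "permissions": ["kiosk_login"], "last_login": date(2024, 1, 3)},
    {"username": "tempdrv", "employee_id": "E100", "enabled": True,
     "permissions": ["kiosk_login"], "last_login": None},
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_TODAY):
        print(f"{user}: {finding}")
```

Run against the sample data this reports three findings: `bjones` is still enabled after termination, `asmith` holds user-management rights a route manager does not need, and `tempdrv` has never logged in. Keeping the output of each run with the date and reviewer name is the documentation an assessor will expect to see.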
Secure Disposal
Kiosk CPUs and card readers must be securely disposed of when they are no longer in service. Physically destroying the storage media (hard drive, SSD, and any flash memory modules) with a hammer or drill will ensure no sensitive data remains intact. Be sure to follow appropriate safety measures when destroying media. If you are not comfortable destroying the media yourself, please ship the devices back to 365, who will securely destroy them at no cost.
Employee Training
Operators must organize and complete security awareness training for all individuals with access to the kiosk environment upon hire and annually thereafter. This training must be documented upon completion. This is best accomplished as part of a comprehensive cyber security awareness training program.
Security of Devices
V5 Kiosks use a secure, direct, real-time connection to the card processor when items are checked out. Transactions are card-present, and no cardholder data is stored for later use. Transactions are required to complete the purchase of items from the self-service, stand-alone kiosks and mini-retail shops where 365 Retail Markets provides its services. All card data is encrypted by the card reader at the time of swipe; 365 Retail Markets does not have access to the encryption keys and cannot decrypt this cardholder data. This dramatically reduces PCI scope: 365 Retail Markets does not store or process cardholder data, and although the encrypted PAN transits 365 systems on its way to the processor, 365 never holds the keys, so that encrypted data is treated as out of scope.
Credit Card Data
365 Retail Markets is PCI DSS Certified. Nayax Solution for Cashless Payments is PCI DSS Certified and supports advanced security features, like hardware card encryption at swipe, card tokenization, and EMV technology.
Card Holder Data Processing
Nayax
Nayax's service provides secure transmission of data over GSM, CDMA, GPRS, Ethernet, or Wi-Fi (Wi-Fi is not supported in 365 kiosk deployments; see Wireless Networks above). The solution can interface with a wide range of vending devices through DEX, DDCMP, RS232, and several other industry-standard protocols. Nayax's solution is EMVCo approved and PCI DSS certified. The AMIT is the main device responsible for sending information from the kiosk to the Nayax back-end system. Because software is the layer most exposed to intrusion, card protection is hardware-based: card data is encrypted upon swipe inside the card reader, and the POS software never sees it. Tokenization allows merchants to store a value that represents a card number for future processing. These tokens are referred to as multi-use tokens because they can be used repeatedly as a reference to the original card data without exposing the PAN. TLS 1.2 with a restricted set of cipher suites is the minimum requirement for using the service.
More information on the EMVCo certification can be found at https://www.emvco.com/approved-registered/approved-products/
Nayax’s PCI DSS status information can be found at https://www.visa.com/splisting/searchGrsp.do
Remote Access
All remote access systems require MFA with location-based restrictions.
- TeamViewer is used for remote viewing
- PuTTY (SSH) is used for command-line scripts
- DashWeb is used for software updates, real-time analytics, and notifications
- Meraki Z3 provides the encrypted VPN connection
Patching
- CentOS systems are patched from repository mirrors hosted in AWS
- Ubuntu systems are patched through Canonical Landscape
Data Storage and Encryption
The unencrypted credit card PAN is never stored by 365 Retail Markets. For non-CHD data:
- AWS (Amazon Web Services) hosts all data collected from the kiosks.
- RDS encryption is used for all data at rest.
- TLS 1.2 over an IPsec VPN tunnel is used for data in transit.
- AWS compliance certifications can be found at https://aws.amazon.com/certification/
Endpoint Security
- Cisco Endpoint Protection - Advanced Malware Protection
Security Audits and Scans
- A PCI DSS audit is performed annually by an independent third-party Qualified Security Assessor (QSA).
- ASV (Approved Scanning Vendor) external vulnerability scans are performed quarterly.
- Penetration tests are performed annually.
Secure Code Analysis
- Dynamic Application Security Testing (DAST) via Veracode
- Static Application Security Testing (SAST) via Veracode
Business Resiliency – DR/BC
- Disaster Recovery plans tested annually
- RTO and RPO are outlined in the table below
| # | Description | Recovery Process | RTO | RPO | Consumer Impact | Operator Impact |
|---|---|---|---|---|---|---|
| 1 | Normal Operations | None | N/A | N/A | None | None |
| 2 | Primary DB Server Failure | Failover to backup | 30 min | 15 min | None | Operator portal not available for the duration of recovery |
| 3 | Primary App Server Failure | Failover to backup | 15 min | 15 min | None | None |
| 4 | Primary DB & App Server Failure | Failover to respective backups | 30 min | 15 min | None | Operator portal not available for the duration of recovery |
| 5 | Natural Calamity impacting the entire AWS Oregon region | Recover from backups to AWS Ohio region | 24 hrs | 15 min - 24 hrs | None | Operator portal not available for the duration of recovery |
Privacy, Biometrics, and Terms & Conditions Policies
Depending on your jurisdiction, market users may be entitled to exercise certain individual rights. 365 Retail Markets is committed to upholding the privacy rights of users within the European Union and principles laid out in the General Data Protection Regulation (GDPR).
These policies can be located at https://365retailmarkets.com/consumer-policy.
PCI-DSS Responsibility Matrix
The matrix below outlines each PCI requirement and the party responsible for compliance.
PCI Requirement 1:
Install and maintain a firewall configuration to protect cardholder data.
365 Responsibility:
- Encrypt cardholder data at the point of sale, and securely transmit it to the processor.
- All POS contain a PCI-DSS-compliant firewall with secure configurations.
Operator Responsibility:
- Do not change the security configurations of the kiosk firewall
- Do not physically remove the kiosk firewall
PCI Requirement 2:
Do not use vendor-supplied defaults for system passwords and other security parameters.
365 Responsibility
- Encrypt cardholder data at the point of sale, and securely transmit it to the processor.
- The MSRs (magnetic stripe readers, i.e., the card readers) are secured against any logical access and are locked down by the manufacturer.
- Within the POS systems, all systems are hardened according to industry standards and managed by 365.
Operator Responsibility
- Do not change the security configurations of the kiosk firewall.
PCI Requirement 3:
Protect stored cardholder data.
365 Responsibility
- Cardholder data is not stored by the MSR devices.
Operator Responsibility
- None
PCI Requirement 4:
Encrypt transmission of cardholder data across open, public networks.
365 Responsibility
- The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor using strong encryption.
Operator Responsibility
- None
PCI Requirement 5:
Use and regularly update anti-virus software or programs.
365 Responsibility
- The MSR device encrypts cardholder data at the point of sale, and securely transmits it to the processor following industry-accepted standards.
- Antimalware controls are installed on the systems and definitions are updated regularly.
Operator Responsibility
- None
PCI Requirement 6:
Develop and maintain secure systems and applications
365 Responsibility
- Applications are developed following secure SDLC principles.
- Static and dynamic code analysis security scans are in place.
Operator Responsibility
- None
PCI Requirement 7:
Restrict access to cardholder data by business need-to-know
365 Responsibility
- 365 does not store, process, or transmit unencrypted CHD; all sensitive CHD is encrypted at the reader upon swipe, and 365 never has custody of the encryption keys.
- All refunds are coordinated directly with the processor and do not require sensitive CHD.
Operator Responsibility
- None
PCI Requirement 8:
Identify and authenticate access to system components
365 Responsibility
- All 365 employees with computer access have unique IDs
- Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and a secure onboarding process.
Operator Responsibility
- None
PCI Requirement 9:
Restrict physical access to cardholder data
365 Responsibility
- The MSR devices are secured within each kiosk.
- 365 does not store and/or transmit unencrypted card data on the kiosk locally.
Operator Responsibility
- Do not physically remove the kiosk firewall
- Protect devices from tampering and substitution
- Maintain an inventory of all owned devices
- Periodically inspect device surfaces to detect tampering (for example, the addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
- Provide training for personnel to be aware of attempted tampering or replacement of devices.
- Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas.
- Restrict physical access to networking/communications hardware and telecommunication lines.
- Control physical access to kiosks and POS devices.
- Destroy media when it is no longer needed for business or legal reasons.
- Media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
- Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
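The inventory and inspection duties listed here, together with the tamper checks in the Physical Security section above, are the operator's most hands-on PCI obligation. The following added example (written for this page, not 365's own tooling) shows one way to keep the two records the guide asks for, the device inventory and the inspection log, and to evaluate an inspection round against the inventory: a serial number that does not match the record indicates possible substitution, a reported tamper indicator is an incident, and a device that was not examined within the interval is overdue. Device IDs, serial numbers, sites and the 30-day interval are constructed assumptions.

```python
"""Device inventory and tamper-inspection check for kiosks, readers and firewalls.

Added example, not from the 365 guide. Device IDs, serial numbers, sites and
the inspection interval are constructed assumptions.
"""
from __future__ import annotations
from datetime import date

INSPECTION_INTERVAL_DAYS = 30   # assumed operator policy

# The inventory the operator maintains: one record per owned device. Constructed sample.
INVENTORY = {
    "KIOSK-0001":     {"type": "kiosk_cpu",   "serial": "CPU-7F3A21", "site": "Site A"},
    "KIOSK-0001-RDR": {"type": "card_reader", "serial": "RDR-55E09C", "site": "Site A"},
    "KIOSK-0001-FW":  {"type": "firewall",    "serial": "FW-1A2B3C",  "site": "Site A"},
    "KIOSK-0002-RDR": {"type": "card_reader", "serial": "RDR-9901AA", "site": "Site B"},
}


def check_inspection(inventory, observations, last_inspected, today):
    """Compare one inspection round against the inventory.

    observations:   {device_id: {"serial": str, "tamper": bool}} for devices examined today
    last_inspected: {device_id: date} of the previous completed inspection per device
    Returns a list of (device_id, finding) tuples; an empty list means nothing to act on.
    """
    findings = []
    for dev_id, rec in inventory.items():
        obs = observations.get(dev_id)
        if obs is None:
            # Not looked at this round: overdue if the last check is older than the interval.
            prev = last_inspected.get(dev_id)
            if prev is None or (today - prev).days > INSPECTION_INTERVAL_DAYS:
                findings.append((dev_id, "inspection overdue"))
            continue
        if obs["serial"] != rec["serial"]:
            findings.append((dev_id, f"serial mismatch: expected {rec['serial']}, "
                                     f"found {obs['serial']} (possible substitution)"))
        if obs["tamper"]:
            findings.append((dev_id, "tamper indicator reported: contact 365 Support"))
    # Anything seen on site that is not in the inventory (e.g. an unfamiliar USB device).
    for dev_id in sorted(observations.keys() - inventory.keys()):
        findings.append((dev_id, "device not in inventory"))
    return findings


# Constructed inspection round for Site A on the sample date.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_OBSERVATIONS = {
    "KIOSK-0001":     {"serial": "CPU-7F3A21", "tamper": False},   # matches record
    "KIOSK-0001-RDR": {"serial": "RDR-55E09D", "tamper": False},   # one character off
    "KIOSK-0001-FW":  {"serial": "FW-1A2B3C",  "tamper": True},    # security plate loose
    "KIOSK-0001-USB": {"serial": "unknown",    "tamper": True},    # unfamiliar USB device
}
SAMPLE_LAST_INSPECTED = {
    "KIOSK-0002-RDR": date(2024, 4, 10),   # Site B not visited this round; 52 days ago
}

if __name__ == "__main__":
    for dev_id, finding in check_inspection(INVENTORY, SAMPLE_OBSERVATIONS,
                                            SAMPLE_LAST_INSPECTED, SAMPLE_TODAY):
        print(f"{dev_id}: {finding}")
```

On the sample data this reports four findings: a reader whose serial differs by one character (exactly the kind of substitution a visual check misses), a firewall with a tamper indicator, a USB device nobody can account for, and a Site B reader that has gone 52 days without inspection. The first three are the cases where the guide says to contact 365 Support immediately rather than continue operating the kiosk.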
PCI Requirement 10:
Track and monitor all access to network resources and cardholder data
365 Responsibility
- The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor. The MSR devices do not store cardholder data.
- Access to network resources follows a least privilege model with location-based restrictions, SSO, MFA, and a secure onboarding process.
- All systems have centralized logging.
Operator Responsibility
- None
PCI Requirement 11:
Regularly test security systems and processes
365 Responsibility
- The MSR device encrypts cardholder data at the point of sale and securely transmits it to the processor.
- Systems are regularly pen tested and security scanned.
- Incident response procedures are in place.
Operator Responsibility
- None
PCI Requirement 12:
Maintain a policy that addresses information security for employees and contractors.
365 Responsibility
- As the Merchant of Record and Service Provider, a risk assessment for the provided services is maintained by 365.
- Security awareness training is provided to all 365 employees with access to the MSR devices.
- An incident response plan is in place to respond to any events related to a breach of security controls around the MSR devices.
- 365 maintains an Information Security Policy that thoroughly outlines additional security controls. The policies are updated annually and re-published.
Operator Responsibility
- Operators must organize and complete security awareness training for all individuals with access to the MSR devices upon hire and annually thereafter and must document the completion of this training.
Change Log
| Version | Date | Change Log |
|---|---|---|
| 08132018 | 08/13/2018 | Original Draft |
| 03082022 | 03/08/2022 | Added sections: Table of contents, Card Holder Data Processing; Nayax, Change log. Contact information updated to security@365smartshop.com. Updates to sections: Remote access, Best practices for dedicated networks, V5 kiosk wiring/network diagram. Miscellaneous: typo fixes, wording standardization, heading standardization, outdated diagram removal, helpful links to other resources added. |
| 08262022 | 08/26/2022 | Updated for consistency with other Implementation docs. Added sections: Physical security, access control, employee training, secure disposal, Security of Devices, Endpoint Security, Security Scans and Audits, Secure Code analysis, Business Resiliency, and Responsibility Matrix. Formatting updated for consistency. |