PA-DSS Implementation Guide

McAllister Payment Solutions Inc. is a registered ISO/MSP with First National Bank of Omaha


Table of Contents

Revision Information
Executive Summary
    Application Summary
    Typical Network Implementation
    Dataflow Diagram
Difference between PCI-DSS Compliance and PA-DSS Validation
    The 12 Requirements of the PCI-DSS:
Considerations for the Implementation of Payment Application in a PCI-DSS Compliant Environment
    Sensitive Credit Card Data requires special handling
    Remove Historical Credit Card Data
    Set up Good Access Controls
    Properly Train and Monitor Admin Personnel
    Key Management Roles & Responsibilities
    PCI-DSS Compliant Remote Access
    Use SSH, VPN, or SSL/TLS for encryption of administrative access
    Log settings must be compliant
    PCI-DSS Compliant Wireless settings
    Data Transport Encryption
    PCI-DSS Compliant Use of Email
    Network Segmentation
    Never store cardholder data on internet-accessible systems
    Use SSL for Secure Data Transmission
    PCI-DSS Compliant Delivery of Updates
Maintain an Information Security Program
    Payment Application Initial Setup & Configuration


Revision Information

Name | Title | Date of Update | Summary of Changes
LeeAnn Weyand | Product Manager | 12/01/08 | Creation
LeeAnn Weyand | Product Manager | 02/03/10, 12/13/10 | Addition of Windows 7 to list of operating systems. Addition of installation instructions for the VeriFone MX850 on a Windows 7 operating system. Addition of notations regarding Windows 7 and all processing hardware. Addition of instructions for installing Windows 7 64-bit driver for the VeriFone MX850.

Executive Summary

McAllister Payment Solutions version 2009.0.0 has been PA-DSS (Payment Application Data Security Standard) certified. For the PA-DSS assessment, we worked with the following PCI SSC approved Payment Application Qualified Security Assessor (PAQSA):

Coalfire Systems, Inc.
150 Nickerson Street Suite 106
Seattle, WA 98109

This document also explains the Payment Card Industry (PCI) initiative and the Payment Application Data Security Standard (PA-DSS) guidelines. The document then provides specific installation, configuration, and on-going management best practices for using McAllister Payment Solutions as a PA-DSS Certified application operating in a PCI-DSS Compliant environment.

PCI Security Standards Council Reference Documents:

The following documents provide additional detail surrounding the PCI SSC and related security programs (PA-DSS, PCI-DSS, etc):

♦ Payment Applications Data Security Standard https://www.pcisecuritystandards.org/tech/pa-dss.htm

♦ PCI-DSS https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm

♦ Open Web Application Security Project (OWASP) http://www.owasp.org


Application Summary

Name: McAllister Payment Solutions
Specific File Version Numbers: 2009.0.0
Credit Card Server: Element Express
Back Office: N/A
Setup: N/A
Operating Systems: 2003 Server Standard, 2008 Server Standard, Vista Ultimate, Vista Business, XP Pro, Windows 7 Ultimate, Windows 7 Professional
Code base DB engine: BTree Filer version 5.57
Application Description: Integrated Credit Card Processing
Application Environment: Microsoft Windows
Application Target Clientele: Veterinarian Clinics

Typical Network Implementation


Dataflow Diagram


♦ Communication with Element Express is conducted over the internet using SSL:


Difference between PCI-DSS Compliance and PA-DSS Validation

As a software vendor, our responsibility is to be “PA-DSS Certified.” We have performed an assessment and certification compliance review with our independent assessment firm, to ensure that our platform does conform to industry best practices when handling, managing and storing payment related information. PA-DSS is the standard against which McAllister Payment Solutions has been tested, assessed, and certified. PCI-DSS Compliance is then later obtained by the merchant, and is an assessment of your actual server (or hosting) environment.

Obtaining “PCI-DSS Compliance” is the responsibility of the merchant and your hosting provider, working together, using PCI-DSS compliant server architecture with proper hardware & software configurations and access control procedures.

The PA-DSS Certification is intended to ensure that McAllister Payment Solutions will help you achieve and maintain PCI-DSS Compliance with respect to how McAllister Payment Solutions handles user accounts, passwords, encryption, and other payment data related information.

The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data. The PCI-DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.

The 12 Requirements of the PCI-DSS:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect Stored Data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security


Considerations for the Implementation of McAllister Payment Solutions in a PCI-DSS Compliant Environment

The following areas must be considered for proper implementation in a PCI-DSS Compliant environment:

♦ Sensitive Credit Card Data requires special handling

♦ Remove Historical Credit Card Data

♦ Set up Good Access Controls

♦ Properly Train and Monitor Admin Personnel

♦ Key Management Roles & Responsibilities

♦ PCI-DSS Compliant Remote Access

♦ Use SSH, VPN, or SSL/TLS for encryption of administrative access

♦ Log settings must be compliant

♦ PCI-DSS Compliant Wireless settings

♦ Data Transport Encryption

♦ PCI-DSS Compliant Use of Email

♦ Network Segmentation

♦ Never store cardholder data on internet-accessible systems

♦ Use SSL for Secure Data Transmission

♦ Delivery of Updates in a PCI-DSS Compliant Fashion

Sensitive Credit Card Data requires special handling

Keep in mind the following guidelines when dealing with sensitive Credit Card data:

♦ Neither McAllister Payment Solutions nor AVImark stores any type of cardholder data, but this type of information does have the potential of being stored by AVImark users within the many free-form text areas throughout the AVImark application.


♦ If sensitive authentication data were ever to be stored, the following guidelines would need to be followed in order to remain PCI-DSS compliant:

• Collect sensitive authentication data only when needed to solve a specific problem

• Store such data only in specific, known locations with limited access

• Collect only the limited amount of data needed to solve a specific problem

• Encrypt sensitive authentication data while stored

• Securely delete such data immediately after use.

Remove Historical Credit Card Data

Delete any magnetic stripe data, card validation values or codes, and PINs or PIN block data stored on previous versions of the software.

♦ No previous versions of McAllister Payment Solutions have ever stored any magnetic stripe data, card validation codes, PINs, or PIN blocks.

♦ Although neither McAllister Payment Solutions nor AVImark stores any magnetic stripe data, card validation codes, PINs, or PIN blocks, this type of information does have the potential of being stored by AVImark users within the many free-form text areas throughout the AVImark application.

♦ An internal utility is available to securely wipe any credit card data which may have been stored within any of the free-form text areas of AVImark. Access to this tool will only be made available to an administrator by contacting the McAllister Payment Solutions technical support at 877-838-9273.

Set up Good Access Controls

The PCI-DSS requires that access to all systems in the payment processing environment be protected through use of unique users and complex passwords. Unique user accounts indicate that every account used is associated with an individual user with no use of generic group accounts used by more than one user. Additionally, any default accounts provided with operating systems, databases and/or devices should be removed/disabled/renamed as soon as possible, or at least should have PCI-DSS compliant complex passwords and should not be used. Examples of default administrator accounts include “administrator” (Windows systems), “sa” (SQL/MSDE), and “root” (UNIX/Linux).


The PCI-DSS standard requires the following password complexity for compliance (often referred to as using “strong passwords”):

♦ Passwords must be at least 7 characters

♦ Passwords must include both numeric and alphabetic characters

♦ Passwords must be changed at least every 90 days

♦ New passwords cannot be the same as the last 4 passwords

PCI-DSS user account requirements beyond uniqueness and password complexity are as follows:

♦ If an incorrect password is provided 6 times the account should be locked out

♦ Account lock out duration should be at least 30 min. (or until an administrator resets it)

♦ Sessions idle for more than 15 minutes should require re-entry of username and password to reactivate the session.

♦ Do not use group, shared, or generic user accounts

These same account and password criteria must also be applied to any applications or databases included in payment processing to be PCI-DSS compliant. McAllister Payment Solutions, as tested during our PA-DSS audit, meets or exceeds these requirements.

McAllister Payment Solutions must require unique usernames and complex passwords for all administrative access and for all access to cardholder data.

[Note: These password controls are not intended to apply to employees who only have access to one card number at a time to facilitate a single transaction. These controls are applicable for access by employees with administrative capabilities, for access to servers with cardholder data, and for access controlled by the application.]

Control access, via unique username and PCI-DSS-compliant complex passwords, to any PCs, servers, and databases with McAllister Payment Solutions and cardholder data.

Customers and resellers/integrators are advised that changing “out of the box” installation settings for unique user IDs and secure authentication will result in non-compliance with PCI DSS.

McAllister Payment Solutions requires unique usernames and complex passwords for administrative access.


♦ Do not use administrative accounts for application logins (e.g., don’t use the “sa” account for application access to the database).

♦ Assign strong passwords to these default accounts (even if they won’t be used), and then disable or do not use the accounts.

♦ Assign strong application and system passwords whenever possible.

♦ Create PCI-DSS-compliant complex passwords to access the McAllister Payment Solutions, per PCI Data Security Standard 8.5.8 through 8.5.15

♦ Control access, via unique username and PCI-DSS-compliant complex passwords, to any PCs, servers, and databases with McAllister Payment Solutions and cardholder data.

Creating Unique Usernames and PCI-DSS Strong Passwords within Windows:

♦ Local User to Windows Server 2003

Click the <Start> button, click <Settings> then <Control Panel>. If you are in the Classic View, click "Switch to Category View", click the <Administrative Tools> icon then <Computer Management>.

In the left window pane, expand <Local Users and Groups>.

Again in the left window pane, expand <Users> then right-click in the right window pane and click <New User>.

• Enter the User name for the new account

• Enter the Full name for the new account

• Enter a description for the new account

• Enter a password for the new account

• Re-enter the same password to confirm

Choose the appropriate options for the new account:

User must change password at next login (check)

User cannot change password (do not check)

Password never expires (do not check)

Account is disabled (do not check)

Click the <Create> button

Click the <Close> button


♦ Active Directory User to Windows Server 2003

Click the <Start> button, click <Settings> then <Control Panel>. If you are in the Classic View, click "Switch to Category View", click the <Administrative Tools> icon then click the <Active Directory Users and Computers> icon. In the left window pane, click <Users> then right-click in the right window pane and click <New User>.

• Enter the first name for the new account

• Enter the initials for the new account

• Enter the last name for the new account

• Edit the full name for the account (if necessary)

• Enter a user logon name

• Re-enter the same password to confirm

• Enter the domain for the new account or select it from the drop-down list

Click the <Next> button

• Enter the password for the new account

• Re-enter the same password to confirm

• Choose the appropriate options for the new account:

• User must change password at next login (check)

• User cannot change password (do not check)

• Password never expires (do not check)

• Account is disabled (do not check)

• Click the <Next> button

• Click the <Finish> button

♦ Windows XP Professional


Click the <Start> button, click <Settings> then <Control Panel>. If you are in the Classic View, click "Switch to Category View", click the <Administrative Tools> icon then <Computer Management>.

In the left window pane, expand <Local Users and Groups>.

Again in the left window pane, expand <Users> then right-click in the right window pane and click <New User>.

• Enter the User name for the new account

• Enter the Full name for the new account

• Enter a description for the new account

• Enter a password for the new account

• Re-enter the same password to confirm

Choose the appropriate options for the new account:

User must change password at next login (check)

User cannot change password (do not check)

Password never expires (do not check)

Account is disabled (do not check)

Click the <Create> button

Click the <Close> button

♦ Windows XP Professional

Open Microsoft Management Console by clicking the <Start button>, then type mmc into the Search box, and press <Enter>. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

In the left pane of Microsoft Management Console, click <Local Users and Groups>.

If <Local Users and Groups> isn’t listed you will need to install the snap-in by following these steps:

• In Microsoft Management Console, click the File menu, and then click Add/Remove Snap-in.

• Click <Local Users and Groups>, and then click <Add>.

• Click Local computer, and then click Finish.

• Click OK.


• Click the Users folder.

• Click Action, and then click New User.

• Type the appropriate information in the dialog box, and then click Create.

• When you are finished creating user accounts, click Close.

♦ Windows Password Policy

To comply with the PCI-DSS policies the following information should be reviewed and options should be set accordingly. Do not use group, shared, or generic accounts and passwords.

Open the control panel by clicking the <Start Button>, then <Control Panel>, then <Administrative Tools>, then <Local Security Policy>.

Expand <Account Policies>, click <Password Policy>.

Under Password Policy you will have six options. Of these six options you will need to edit the following four.

• Enforce password history

• Maximum password age

• Minimum password length

• Password must meet complexity requirements

Enforce password history should be set to no less than 4 passwords remembered.

• To change this setting, click Enforce password history and set the <Keep password history for:> number to 4 or greater

Maximum password age should be set to no greater than 90 days.

• To change this setting, click Maximum password age and set the <Password will expire in:> number to 90 or less

Minimum password length should be set to no less than 7 characters.

• To change this setting, click Minimum password length and set the <Password must be at least:> number to 7 or greater

Password must meet complexity requirements should be enabled.


• To change this setting, click Password must meet complexity requirements and set it to <Enabled>.

Next, expand <Account Lockout Policy>. You will see three options. Of these three options you will edit the following options:

• Account lockout duration

• Account lockout threshold

Account lockout duration should be set to no less than 30 minutes.

• To change this setting, click Account lockout duration and set the <Account lockout duration:> number to 30 or greater

Account lockout threshold should be set to no less than six attempts.

• To change this setting, click Account lockout threshold and set the <Account lockout threshold:> number to 6 or more

Enable screensavers and set them to lock the computer after 15 minutes of idle time. To do this, <right click> on your desktop and choose <properties> (Windows Vista users click <Personalize>), click on <screensaver>, and choose a screensaver of your choice. Under the screensaver menu, check the box that reads <Wait: XX minutes (XX represents the amount of time.) On resume, display logon screen>. Where XX represents the time, set the time to no greater than 15 minutes.
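The password and lockout settings above can be verified in one pass by auditing a policy export produced with `secedit /export /cfg policy.inf`. The following is an added example, not part of the vendor's guide or software; the function names and both sample exports are constructed for illustration. Assumptions: the lockout threshold rule follows the guide's "locked out after 6 incorrect passwords" requirement (so 0, which disables lockout, fails), and `LockoutDuration = -1` is taken to mean "until an administrator resets it".

```python
"""Audit the [System Access] section of a secedit policy export against the
password and lockout values listed in this guide (added example)."""
import codecs

SECTION = "System Access"

# (INF key, requirement from the guide, predicate on the integer value)
RULES = [
    ("PasswordHistorySize", "remember at least 4 passwords", lambda v: v >= 4),
    ("MaximumPasswordAge", "expire within 90 days", lambda v: 1 <= v <= 90),
    ("MinimumPasswordLength", "at least 7 characters", lambda v: v >= 7),
    ("PasswordComplexity", "complexity enabled", lambda v: v == 1),
    # Assumption: threshold read as "lock out after 6 bad passwords"; 0 = never.
    ("LockoutBadCount", "lock out after at most 6 bad passwords",
     lambda v: 1 <= v <= 6),
    # Assumption: -1 in the export means "until an administrator unlocks".
    ("LockoutDuration", "locked 30+ minutes or until admin reset",
     lambda v: v >= 30 or v == -1),
]


def decode_export(raw: bytes) -> str:
    """secedit normally writes UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_system_access(text: str) -> dict:
    """Return the integer settings found in the [System Access] section."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == SECTION and "=" in line:
            key, _, val = line.partition("=")
            try:
                values[key.strip()] = int(val.strip())
            except ValueError:
                pass  # quoted strings such as account names are not audited
    return values


def audit(text: str) -> list:
    """Return (key, value, requirement) for every rule that is not met.

    A key missing from the export is reported with value None, because an
    absent lockout duration means lockout is not configured at all.
    """
    values = parse_system_access(text)
    failures = []
    for key, requirement, ok in RULES:
        value = values.get(key)
        if value is None or not ok(value):
            failures.append((key, value, requirement))
    return failures


# Constructed sample: an unhardened workstation.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the minimum values this guide asks for.
HARDENED_EXPORT = """\
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 6
LockoutDuration = 30
"""

if __name__ == "__main__":
    for key, value, requirement in audit(SAMPLE_EXPORT):
        print(f"FAIL {key}={value}: {requirement}")
```
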

Properly Train and Monitor Admin Personnel

It is your responsibility to institute proper personnel management techniques for allowing admin user access to credit cards, site data, etc. You can control whether each individual admin user can see credit cards (or only last 4). In most systems, a security breach is the result of unethical personnel. So pay special attention to whom you trust with access to your admin site and whom you allow to view full decrypted payment information.

Key Management Roles & Responsibilities


McAllister Payment Solutions data is encrypted using Triple DES. A 128-bit LMD encrypted key is dynamically generated which automatically re-encrypts any previous cryptographic material, and requires no management, routine maintenance, or updating by administrative personnel.

PCI-DSS Compliant Remote Access

McAllister Payment Solutions requires remote access to the payment processing environment to be secure. Access should be authenticated using a two-factor authentication mechanism (username/password and an additional authentication item such as a token or certificate) as well as use a firewall or a personal firewall product. In the case of vendor remote access accounts, in addition to the standard access controls, vendor accounts should only be active while access is required to provide service. Access rights should include only the access rights required for the service rendered.

McAllister Payment Solutions requires special care for remote access environments that use third-party remote access software such as Remote Desktop (RDP)/Terminal Server, pcAnywhere, etc. to access other hosts within the MPS payment processing environment. To be compliant, every such session must be encrypted with at least 128-bit encryption (in addition to satisfying the requirement for two-factor authentication required for users connecting from outside the payment processing environment). For RDP/Terminal Services this means using the high encryption setting on the server, and for pcAnywhere it means using symmetric or public key options for encryption. Additionally, the PCI user account and password requirements will apply to these access methods as well.

• Change default settings (such as usernames and passwords) on remote access software.

• Allow connections only from specific IP and/or MAC addresses

• Use strong authentication and complex passwords for logins

• Enable encrypted data transmission

• Enable account lockouts after a certain number of failed login attempts

• Require that remote access take place over a VPN as opposed to allowing connections directly from the internet

• Enable logging for auditing purposes

• Restrict access to customer passwords to authorized personnel


• Establish customer passwords according to PCI-DSS requirements (see Password Policy document)

Use SSH, VPN, or SSL/TLS for encryption of administrative access

If non-console administrator access is used, the use of SSH, VPN, or SSL/TLS for encryption is required.

PCI-DSS Compliant Log Settings

MPS logs each program event, storing the user performing the action, the time and date of the event, the result code and message, machine identifier, site location, host id and transaction id if applicable. This logging is not configurable.

While an instance of the log object can be created manually, there are two exposed functions, LogResponse and WriteLogEntry, which will instantiate the object, populate the data properties and write the log entry to file. All fields within TLogRecord are encrypted before data is stored in memory or written to file through the read/write property methods of the TLogEntry class. While all log data stored is encrypted, no transaction details or personal data is stored. The transaction id is the only data which could be used to identify or otherwise utilize the stored information.

Log file access is performed by the TLogRecord class through the exposed functions ReadLogEntry and WriteLogEntry of the TLogFile class. Each log record is 384 bytes wide containing 11 separate, encrypted, fields:

Action        String[32];
TransID       String[32];
BatchID       String[32];
HostID        String[32];
Response      String[32];
ResponseMsg   String[64];
Date          String[32];
Time          String[32];
Username      String[32];
MachineID     String[32];
SiteID        String[32];

All data stored on disk is encrypted using the Triple DES algorithm. A standardized hash key is used to encrypt or decrypt all data communication to or from disk. The unique site key to encrypt transaction data for processing is not used due to log events that occur before MPS is initialized by the client program.
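The record layout described above, as an added example (not the vendor's code): the listed field widths add up to exactly the stated 384 bytes, so a log file can be checked structurally without the key, for instance to spot a truncated file during an audit. It assumes the fields are stored back to back in the listed order as fixed-width ciphertext; `Slot`, `build_layout`, `split_log` and the sample bytes are constructed for illustration.

```python
"""Structural check of the 384-byte log record layout (added example)."""
from typing import NamedTuple

# Field names and widths in bytes, in the order the guide lists them.
FIELDS = (
    ("Action", 32), ("TransID", 32), ("BatchID", 32), ("HostID", 32),
    ("Response", 32), ("ResponseMsg", 64), ("Date", 32), ("Time", 32),
    ("Username", 32), ("MachineID", 32), ("SiteID", 32),
)
RECORD_SIZE = 384   # stated record width
TDES_BLOCK = 8      # Triple DES operates on 8-byte blocks


class Slot(NamedTuple):
    name: str
    offset: int
    width: int


def build_layout(fields=FIELDS, record_size=RECORD_SIZE):
    """Compute each field's offset and confirm the layout fills the record."""
    slots, offset = [], 0
    for name, width in fields:
        if width % TDES_BLOCK:
            raise ValueError(f"{name}: {width} bytes is not a whole number of blocks")
        slots.append(Slot(name, offset, width))
        offset += width
    if offset != record_size:
        raise ValueError(f"fields cover {offset} bytes, record is {record_size}")
    return slots


def split_log(blob: bytes):
    """Split a log file into per-field ciphertext slices.

    Returns (records, leftover). A non-zero leftover means the file does not
    end on a record boundary, i.e. it was truncated or has trailing data.
    """
    layout = build_layout()
    whole, leftover = divmod(len(blob), RECORD_SIZE)
    records = []
    for i in range(whole):
        rec = blob[i * RECORD_SIZE:(i + 1) * RECORD_SIZE]
        records.append({s.name: rec[s.offset:s.offset + s.width] for s in layout})
    return records, leftover


# Constructed sample: two full records followed by 10 stray bytes.
SAMPLE_LOG = bytes(range(256)) * 3 + b"\x00" * 10

if __name__ == "__main__":
    recs, extra = split_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {extra} trailing bytes")
    for slot in build_layout():
        print(f"{slot.name:<12} offset {slot.offset:>3} width {slot.width}")
```
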


PCI-DSS Compliant Wireless settings

McAllister Payment Solutions requires the encryption of cardholder data transmitted over wireless connections. The following items identify the standard requirements for wireless connectivity to the MPS payment processing environment:

• Firewall/port filtering services should be placed between wireless access points and the MPS payment processing environment with rules established restricting access.

• Use of appropriate encryption mechanisms such as VPN, SSL/TLS at 128 bit, and/or WPA

• Vendor supplied defaults (administrator username/password, SSID, and SNMP community values) should be changed

• Access point should restrict access to known authorized devices (using MAC Address filtering)

If using MPS payment processing with wireless technology, the payment application must facilitate use of industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

Payment applications using wireless technology must facilitate the following regarding use of WEP:

• For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.

• For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

If you install McAllister Payment Solutions into a wireless environment, use compliant wireless settings, per PCI Data Security Standard 1.4, 2.1.1 and 4.1.1:

1.4 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.


Data Transport Encryption

The PCI-DSS requires the use of strong cryptography and encryption techniques with at least a 128 bit encryption strength (either at the transport layer with SSL or IPSEC; or at the data layer with algorithms such as RSA or Triple-DES) to safeguard sensitive cardholder data during transmission over public networks (this includes the Internet and Internet accessible DMZ network segments).

♦ Refer to the Dataflow diagram for an understanding of the flow of encrypted data associated with McAllister Payment Solutions.

PCI-DSS Compliant Use of End-User Messaging Technologies

McAllister Payment Solutions does not have functionality for sending of PANs via email, instant messaging, or chat. This functionality is not configurable. Additionally, PCI-DSS requires that cardholder information is never sent via end-user messaging technologies without strong encryption of the data. McAllister Payment Solutions does not transmit card information via e-mail. The use of a properly installed 128 bit SSL certificate, available from your hosting provider, meets this requirement. McAllister Payment Solutions should then be configured to “go secure” on any page that involves sensitive data (login pages, account pages, cart pages, payment pages, etc).

Network Segmentation

The PCI-DSS requires that firewall services be used (with NAT or PAT) to segment network segments into logical security domains based on the environmental needs for internet access. Traditionally, this corresponds to the creation of at least a DMZ and a trusted network segment where only authorized, business-justified traffic from the DMZ is allowed to connect to the trusted segment. No direct incoming internet traffic to the trusted application environment can be allowed. Additionally, outbound internet access from the trusted segment must be limited to required and justified ports and services.

♦ Refer to the standardized Network diagram for an understanding of the flow of encrypted data associated with McAllister Payment Solutions.

Never store cardholder data on internet-accessible systems

Never store cardholder data on Internet-accessible systems (e.g., web server and database server must not be on the same server).


Use SSL for Secure Data Transmission

Use SSL for secure data transmission in accordance with PCI-DSS requirement 4.1:

4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI-DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).

4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:

• Use with a minimum 104-bit encryption key and 24-bit initialization value

• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS

• Rotate shared WEP keys quarterly (or automatically if the technology permits)

• Rotate shared WEP keys whenever there are changes in personnel with access to keys

• Restrict access based on media access code (MAC) address.
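The wireless rules in requirement 4.1.1 above and under “PCI-DSS Compliant Wireless settings” can be checked on a Windows workstation from its saved WLAN profiles. The following PowerShell is an added example, not part of the MPS guide or product: it classifies profile XML in the format written by `netsh wlan export profile`, and the function names and sample profiles are constructed for illustration.

```powershell
# Added example, not part of the MPS guide or product.
# Input: WLAN profile XML as written by `netsh wlan export profile folder=<dir>`.
$WlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'

function Test-WlanProfile {
    param([Parameter(Mandatory)][string] $ProfileXml)

    $doc = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', $WlanNs)

    # Read one element's text, or $null when the element is absent.
    $read = {
        param($xpath)
        $node = $doc.SelectSingleNode($xpath, $ns)
        if ($null -ne $node) { $node.InnerText.Trim() } else { $null }
    }
    $name = & $read '/w:WLANProfile/w:name'
    $auth = & $read '//w:authEncryption/w:authentication'
    $enc  = & $read '//w:authEncryption/w:encryption'

    if (-not $auth -or -not $enc) {
        $verdict = 'Fail';   $reason = 'no authEncryption settings found in profile'
    } elseif ($enc -eq 'WEP' -or $auth -eq 'shared') {
        $verdict = 'Fail';   $reason = 'WEP is prohibited (new implementations after March 31, 2009; existing ones after June 30, 2010)'
    } elseif ($enc -eq 'none') {
        $verdict = 'Fail';   $reason = 'no encryption: cardholder data would cross the air in clear text'
    } elseif (($auth -in 'WPA2', 'WPA2PSK') -and ($enc -eq 'AES')) {
        $verdict = 'Pass';   $reason = 'WPA2 with AES (CCMP), the IEEE 802.11i mode the guide cites'
    } elseif ($auth -in 'WPA', 'WPAPSK', 'WPA2', 'WPA2PSK') {
        $verdict = 'Review'; $reason = 'WPA/TKIP is allowed by the guide; WPA2 with AES is the stronger setting'
    } else {
        $verdict = 'Review'; $reason = "authentication '$auth' is not covered by the guide"
    }

    [pscustomobject]@{
        Profile = $name; Authentication = $auth; Encryption = $enc
        Verdict = $verdict; Reason = $reason
    }
}

# Builds a constructed profile document for the demo (not a real network).
function New-SampleProfile {
    param($Name, $Auth, $Enc)
    @"
<?xml version="1.0"?>
<WLANProfile xmlns="$WlanNs">
  <name>$Name</name>
  <SSIDConfig><SSID><name>$Name</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>$Auth</authentication>
    <encryption>$Enc</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
"@
}

$samples = @(
    New-SampleProfile 'clinic-pos'   'WPA2PSK' 'AES'
    New-SampleProfile 'clinic-old'   'open'    'WEP'
    New-SampleProfile 'clinic-guest' 'open'    'none'
    New-SampleProfile 'clinic-tkip'  'WPAPSK'  'TKIP'
)
$samples | ForEach-Object { Test-WlanProfile -ProfileXml $_ } | Format-Table -AutoSize -Wrap
```

To audit a real workstation, export its profiles to a folder and pass each file's content (read with `Get-Content -Raw`) to `Test-WlanProfile`.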

PCI-DSS Compliant Delivery of Updates

Updates to McAllister Payment Solutions can be delivered either by CD or by electronic download. Both methods are accomplished only at the request of the merchant. The electronic download of MPS updates follows a secure chain of trust: a Microsoft Authenticode Digital ID is generated to ensure the download has not been modified in transit. This ID certifies that the files downloaded have not been altered during the download process.

As a development company, we keep abreast of the relevant security concerns and vulnerabilities in our area of development and expertise. We learn of these vulnerabilities from our back-end-processor, Element Payment Services, which is a PCI-DSS Security Council member. They are our security experts that make certain we are kept aware of any new security concerns that arise within the credit card industry. Once we identify a relevant vulnerability, we work to develop & test a patch that helps protect Payment Application against the specific, new vulnerability. We attempt to publish a patch within 10 days of the identification of the vulnerability. We will then contact vendors and dealers to encourage them to install the patch. Typically, merchants are expected to respond quickly to and install available patches within 30 days.

McAllister Payment Solutions never generates “patches” for our application. Any corrections/changes are included within an entirely new build of our application. During the update process, a new MPS.EXE is downloaded and stored within a temporary folder where the Trust Verify Check is executed. If the MPS.EXE passes the check, it is installed and the update procedure continues. If the check fails, the user is shown a message indicating this fact, and the temporary folder is deleted.
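The guide does not document how the Trust Verify Check is implemented. As an added example (not MPS code), the PowerShell below performs an equivalent stage, verify, then install-or-delete flow with the built-in `Get-AuthenticodeSignature` cmdlet; the function names, folder paths, and the extra publisher-thumbprint comparison are assumptions, and the thumbprint shown is a placeholder.

```powershell
# Added example; not MPS code. Function, parameter and path names are assumptions.
function Test-StagedUpdate {
    param(
        [Parameter(Mandatory)][string] $StagingFolder,       # temporary folder holding the download
        [Parameter(Mandatory)][string] $PublisherThumbprint, # signer certificate thumbprint, obtained out of band
        [string] $FileName = 'MPS.EXE'
    )
    $file = Join-Path $StagingFolder $FileName
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        return [pscustomobject]@{ Passed = $false; Reason = "$FileName not found in staging folder" }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $file

    # 'Valid' means the file hash matches the signed digest and the certificate
    # chain is trusted. Any other status (NotSigned, HashMismatch, NotTrusted, ...) fails.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Passed = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # Added hardening beyond what the guide states: a valid signature from some
    # other trusted publisher must not pass, so compare the signer certificate.
    # A pinned thumbprint has to be updated when the publisher renews its certificate.
    $expected = $PublisherThumbprint -replace '\s', ''
    if ($sig.SignerCertificate.Thumbprint -ne $expected) {
        return [pscustomobject]@{
            Passed = $false
            Reason = "Signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
        }
    }
    [pscustomobject]@{ Passed = $true; Reason = 'Valid signature from expected publisher' }
}

function Install-StagedUpdate {
    param(
        [Parameter(Mandatory)][string] $StagingFolder,
        [Parameter(Mandatory)][string] $InstallFolder,
        [Parameter(Mandatory)][string] $PublisherThumbprint
    )
    $check = Test-StagedUpdate -StagingFolder $StagingFolder -PublisherThumbprint $PublisherThumbprint
    if ($check.Passed) {
        # Success path from the guide: install the verified build.
        Copy-Item -LiteralPath (Join-Path $StagingFolder 'MPS.EXE') -Destination $InstallFolder -Force
    } else {
        # Failure path from the guide: tell the user, then delete the temporary folder.
        Write-Warning "Update rejected: $($check.Reason)"
        Remove-Item -LiteralPath $StagingFolder -Recurse -Force
    }
    $check
}

# Demo with constructed input: an unsigned dummy file must be rejected and its folder removed.
$staging = Join-Path ([IO.Path]::GetTempPath()) ("mps-update-" + [guid]::NewGuid())
$install = Join-Path ([IO.Path]::GetTempPath()) ("mps-install-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $staging, $install | Out-Null
Set-Content -LiteralPath (Join-Path $staging 'MPS.EXE') -Value 'not a signed binary'

$placeholder = '0000000000000000000000000000000000000000'   # placeholder, not a real thumbprint
$result = Install-StagedUpdate -StagingFolder $staging -InstallFolder $install -PublisherThumbprint $placeholder
"Passed: $($result.Passed)  StagingFolderStillExists: $(Test-Path -LiteralPath $staging)"
Remove-Item -LiteralPath $install -Recurse -Force
```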

Maintain an Information Security Program

In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the McAllister Payment Solutions environment is necessary to protect the organization and sensitive cardholder data. The following is a very basic plan every merchant/service provider should adopt in developing and implementing a security policy and program:

♦ Read the PCI-DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI-DSS requirements.

♦ Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data.

♦ Create an action plan for on-going compliance and assessment.

♦ Implement, monitor and maintain the plan. Compliance is not a one-time event. Regardless of merchant or service provider level, all entities should complete annual self-assessments using the PCI-DSS Self Assessment Questionnaire.

♦ Call in outside experts as needed.

MPS Instructional Documentation Maintenance

♦ The McAllister Payment Solutions PA-DSS Implementation Guide and training materials are distributed to all relevant MPS merchants in the following methods:

• As an electronic version distributed with all required processing hardware.

• As an electronic version distributed with all update CDs distributed.

• As an electronic version distributed with all electronic downloads of updates.

• As an electronic version available on the McAllister Payment Solutions website, www.mcallisterpaymentsolutions.com.

♦ The McAllister Payment Solutions PA-DSS Implementation Guide covers all PA-DSS requirements.

♦ The McAllister Payment Solutions PA-DSS Implementation Guide is reviewed on an annual basis and updated as needed to document all major and minor changes to MPS.

♦ The McAllister Payment Solutions PA-DSS Implementation Guide is reviewed on an annual basis and updated as needed to document changes to the PA-DSS requirements.

McAllister Payment Solutions Initial Setup & Configuration

Processing Hardware Configuration

♦ VeriFone MX850 All-In-One Device: Before connecting the MX850 to your PC, the MX850 Driver CD will need to be installed.

o Insert the CD into your CD-drive, and wait for the WinZip Self-Extractor window to auto-prompt.

o Select Unzip to extract the driver

o Once the driver is extracted, connect the MX850 to a USB port. As soon as the device is connected, Windows will automatically detect the device and driver and perform the installation.

o Should Windows not successfully perform the driver installation, locate the driver that is appropriate for your operating system (Windows 7 64-Bit, or Windows 7 32-Bit, Vista, XP, 2000) within your C-drive and execute it by double-clicking it. The installation of the driver will then begin.

NOTE: If installing the Windows 7 64-Bit driver, you will be required to reboot your computer before completing the installation of the VeriFone MX850.

o Once the device is installed, the corresponding COM port will need to be obtained. Select the Start button…Control Panel or Start button…Settings…Control Panel.

o Double-click on the System option within the Control Panel

o Select the Hardware tab, then the Device Manager button

o Within the Device Manager window, expand the plus sign (+) next to the Ports (COM and LPT) option and note the COM number listed beside the Communications Port option.

o Keep the COM port that is listed for MX800 Family POS Terminal for use later in these instructions.

NOTE: If using either the 32 or 64-Bit versions of Windows 7 and the appropriate driver does not initially install properly, follow the steps listed below to temporarily disable the User Account Control (UAC).

o Select the Start button…Control Panel…User Accounts or Start button…Settings…Control Panel…User Accounts.

o From within the User Accounts, select the link Change User Account Control Settings.

o Move the slide bar down until Never Prompt is displayed.

o Restart Windows for the changes to be applied.

o Repeat the driver installation instructions listed above and again restart Windows.

♦ Magtek Card Swipe: The card swipe has a USB connection that will need to be connected to the AVImark server or workstation which will be processing credit card payments.

o Connecting this device to a USB connection will display a brief RED light then immediately change to GREEN. Once the green light is displayed, the installation is complete.

♦ VeriFone PINPad 1000SE: This device is available with a Serial or USB connection that will need to be connected to the AVImark server or workstation which will be processing credit card payments.

NOTE: The USB VeriFone PINPad 1000SE is currently only available with the use of Windows Vista. This device will not currently function with Windows 2000 or XP.

o If using a USB PINPad:

▪ Insert the CD into your CD-drive, and wait for the WinZip Self-Extractor window to auto-prompt.

▪ Select Unzip to extract the driver

▪ Once the driver is extracted, connect the 4 pin “phone handset” end of your USB cable into the corresponding connector on the VeriFone device.

▪ Plug the USB end of the cable into an available USB port on the computer.

▪ In a few moments, the PINPad should be detected. Windows will then present you with the “Found New Hardware Wizard”. (If, for some reason, the device is not recognized and the Wizard does not start, check the section below on “Debugging the driver installation”.)

▪ Check the radio button indicating that you want to “Install from a list or specific location” and click NEXT.

▪ Check the radio button indicating “Don’t search. I will choose the driver…” and click NEXT.

▪ Click the “Have Disk” button and “Browse” to the location where you placed the .INF file extracted from the .ZIP in the section above.

▪ Select the file “verifone_PP1000SE usb-uart.inf” to OPEN then click OK.

▪ At this point you may get warnings that “This driver is not digitally signed” and/or “has not passed Windows Logo testing”. Just ignore it and click NEXT and “Continue Anyway”.

▪ Finally, click “Finish” and your driver should now be installed and functional.

▪ Once you have installed the driver, the corresponding COM port will need to be obtained. Select the Start button…Control Panel or Start button…Settings…Control Panel.

▪ Double-click on the System option within the Control Panel

▪ Select the Hardware tab, then the Device Manager button

▪ Within the Device Manager window, expand the plus sign (+) next to the Ports (COM and LPT) option and note the COM number listed beside the Communications Port option.

▪ Keep the COM port that is listed for PP1000SE – PCI PIN Pad for use later in these instructions.

o If using a Serial PINPad

▪ Connect the Serial connector of the PINPad cable into the serial port on the appropriate computer.

▪ Connect the “phone handset” end of your serial cable into the corresponding connector on the VeriFone device.

▪ Plug the power supply cord into the socket at the base of the serial connector. (see image below)

▪ Plug the power supply into an AC wall outlet.

▪ Once you have the PINPad connected to the computer, the corresponding COM port will need to be obtained. Select the Start button…Control Panel or Start button…Settings…Control Panel.

▪ Double-click on the System option within the Control Panel

▪ Select the Hardware tab, then the Device Manager button

▪ Within the Device Manager window, expand the plus sign (+) next to the Ports (COM and LPT) option and note the COM number listed beside the Communications Port option.

▪ Keep this COM port for use later in these instructions.

♦ Topaz Signature Capture Devices All Models: All models of the Topaz devices must first have the included Topaz Systems INC CD installed. Inserting the CD will auto-display an install menu:

NOTE: This CD will only need to be installed on the AVImark computers that will be used to process credit cards through AVImark.

o Selecting the option Install SigPlus eSignatures (must be installed first) will begin the installation.

o Follow all on-screen prompts to the display indicating you must choose the Topaz device you have received. The appropriate model number can be located on the back of the device.

o Please select one of the three options listed below and proceed:

▪ Siglite 1x5 (T-S460 or T-S461)

▪ Siglite LCD 1x5 (T-L460)

▪ SignatureGem LCD 1x5 (T-L462)

o Once you have selected the appropriate device, the appropriate type of connection will need to be selected. From this display, select the HSB (USB type).

o The Topaz device will be active upon completing this installation.


AVImark Setup

♦ Once your MPS account has been approved and opened, the MPS feature will need to be activated from within AVImark.

♦ Log into AVImark using an Administrator password (access to security option System-wide Authority)

♦ Select the Advanced Options tool bar button and search for Process Credit. This will display the option Process Credit Transaction Using which will need to be set to MPS.

♦ From the AVImark CID, press and hold the Ctrl and Shift keys while selecting the Utilities menu option. A Setup MPS option will be displayed at the very bottom of the Utilities menu.

♦ Select this Setup MPS option to display the MPS Login window.

♦ From the MPS Login window, the following information is required:

o Username:

▪ Require a minimum of at least six characters

o Password: According to the PCI-DSS security standards

▪ Require a minimum length of at least eight characters

▪ Require both numeric and alphabetic characters

▪ Require a new password that is not the same as any of the last four passwords used

o Email:

▪ This email address will be used to send a temporary MPS password should your MPS username and/or password ever be lost or forgotten.

o Security Question and Your Answer:

▪ This question and answer will be used as a security measure should the MPS username and/or password ever be lost or forgotten, and a temporary password is needed.

▪ Before the MPS username and/or password can be reset and a temporary password emailed, the user will be required to supply the correct answer to the security question.

♦ The Email Setup information will be required in order for a temporary MPS password to be sent should the MPS username and/or password ever be lost or forgotten.

o SMTP Server:

o SMTP Port:

o Username: This username will only be needed if the SMTP server requires a user to login before email can be sent.

o Password: This password will only be needed if the SMTP server requires a user to login before email can be sent.

♦ Selecting OK on the MPS Login window will save the MPS settings and display a message indicating: “MPS is now setup. Please restart AVImark for changed to take effect.”

♦ When restarting AVImark, a user-login (administrator or non-administrator) must be used before the installation of MPS will be completed.

♦ Once AVImark is restarted, you are ready to proceed to the MPS Setup instructions listed below.

♦ If using a Dymo Labelwriter to print credit card signature slips, the following setup will need to be accomplished once the printer is installed and able to print a test page through Windows.

o The appropriate continuous-feed paper, which will be used to print the credit card receipts, will need to be selected within the printer properties.

o Within the Properties window, selecting the Printing Preferences button…the Paper/Quality tab…Advanced button, will allow you to select the Continuous, Wide paper size.

o Within AVImark, using the Option Maintenance tool bar button, search for Signature. Set the located option Print Signature Slip on Credit Card Transactions to TRUE.

o Accessing the AVImark Printer Setup through the Utilities menu option, select the appropriate Dymo printer within the Receipt printer. The Quality of this printer will need to remain Letter Quality.

♦ If using a Topaz signature capture device to digitally capture and retain your credit card authorizations, the following setup will be required once the installation of the Topaz device as mentioned earlier in these instructions is complete:

o Within AVImark, using the Option Maintenance tool bar button, search for Topaz. Set the located option Enable the Topaz Signature Capture Device to TRUE.

MPS Setup

♦ Once the MPS feature has been activated within AVImark and AVImark has been rebooted and logged into as mentioned above, a new icon will be displayed within your system tray. Double-clicking on this icon will display the MPS window.

♦ As soon as your MPS account is approved, you will receive an email to the address provided on your Merchant Application which will provide access to required information specific to your clinic. This email will contain your user name (Merchant ID) and a temporary password.

♦ Logging onto the website www.coremanagementsystem.com will allow you to create your permanent password and obtain the following account information which will be used within AVImark:

o Acceptor ID

o Account ID

o Account Token

♦ The above account information will be inserted into MPS.EXE by accessing the Options button.

♦ Selecting the Options button will require the user to enter their MPS username and password which was specified earlier within the AVImark setup instructions.

♦ The Acceptor ID, Account ID, and Account Token information must be taken from the above-mentioned website and copied into the corresponding MPS.EXE fields listed in the Options window.

♦ Additional options that will be used during the setup of MPS:

o Enable AVS Authorization: This option is used when a credit card is not present and must be hand-keyed. It enables the client’s street number and zip code to be entered as added security and to lower the risk of fraud. When this option is checked the hand-keyed window will display as in the example below:

o Attempt Dialup If Needed: This option is checked when a dial-up internet connection is wished to be used as an automatic backup to a failed broadband connection. Selecting this option will display a confirmation message at the time of processing if an internet connection cannot be located.

NOTE: If this option is checked, the information included on the Dialup tab will be required.

o On Account Type Mismatch: Select the desired response when a swiped or hand-keyed card type does not match the selected card type.


♦ The processing hardware which was installed earlier will now need to be specified within the Devices tab of MPS.EXE.

o Since the processing hardware is workstation specific, the processing hardware which will be used on each AVImark workstation will be required to be selected on each individual workstation.

o PIN Pad:

▪ VeriFone MX850: Selecting this device for the PIN Pad option will auto-select it for the Signature and Card Swipe options. Select the Settings button and specify the appropriate COM port which was located earlier in these instructions. All other values can be left as default.

▪ VeriFone PIN Pad: Select the Settings button and specify the COM port which was located earlier in these instructions.

o Signature:

▪ VeriFone MX850: Selecting this device for the Signature option will auto-select it for the PIN Pad and Card Swipe options. Select the Settings button and specify the appropriate COM port which was located earlier in these instructions. All other values can be left as default.

o Card Swipe:

▪ VeriFone MX850: Selecting this device for the Card Swipe option will auto-select it for the PIN Pad and Signature options. Select the Settings button and specify the appropriate COM port which was located earlier in these instructions. All other values can be left as default.

▪ Magtek Card Swipe: Selecting this device will not require any settings to be specified.

♦ From within the MPS Options window, the Edit Login button can be used to access the required MPS information specified during activation of MPS.

♦ If the MPS username and/or password are ever lost or forgotten, contact the AVImark Technical Support for assistance with resetting these pieces of information.

♦ If you are using the AVImark Site feature, each site can be set up within MPS to process credit cards to a unique merchant ID, keeping all of your credit card transactions separate for each site.

o To set up the AVImark site feature to process using unique merchant IDs, with AVImark open, double-click the MPS icon displayed in your system tray.

o Selecting the Site menu option will display all sites that are currently set up in AVImark. Select one of these sites, and open the Options window using the Options button to specify the appropriate Acceptor ID, Account ID, and Account Token for this site.

o All options available within the General and Dialup tabs will be specific to the selected site. The information selected within the Devices tab will be workstation specific rather than site specific.

o Once all options have been set for the selected site, select OK to proceed to the setup of your next site.