
Microsoft Dynamics AX 2012 R3 Cumulative Update 11

PA-DSS implementation guide

This document describes the requirements that you must follow to implement Microsoft Dynamics AX 2012 and Payment Services for Microsoft Dynamics ERP in a manner that complies with the Payment Card Industry (PCI) Data Security Standard version 3.2.

White paper

January 2017

www.microsoft.com/dynamics/ax


PA-DSS implementation guide 2

Contents

Get the latest release of this guide 5

For more information 5

Part 1: Setup 6

Install the software 6

All computers: Maintain security 6

All computers: Prepare for monitoring of event logs 7

All Windows 10 computers: Disable the Microsoft-Windows-WinINet-Capture event log 8

All computers: Set up auditing of file access, object access, and audit policy changes 8

Enable auditing of file access, object access, and audit policy changes 8

Audit access to system folders and files 9

Required services and protocols 10

Dependent hardware 10

Communication and database computers: Open the firewall 11

Open Windows Firewall 11

At the head office: Set up the password policy 12

At the head office: Set up database logging 13

At the head office: Enable SQL Server trace logging 14

Obtain a Payment Services for Microsoft Dynamics ERP subscription 15

Partner: In Partner Portal, create a Payment Services account for the retailer 15

Retailer: In Customer Portal, set up a merchant account with a payment provider 15

Partner: In Partner Portal, activate the payment provider 16

Retailer: In Customer Portal, test the payment service 17

At the head office: Set up payment processing and hardware devices for stores 18

Set up payment processing 18

Set up devices in the Retail module 20

Configure a terminal ID for specific registers 20

Set up payment methods for payment processing 20

Enable tender types and card types for specific stores 21

Send payment processing changes to the stores 21

Test payment processing 22

Store computers: Set up the password policy 22

Store computers: Set up password-protected screen savers 23


Store computers: Turn off System Restore 23

Store computers: Turn off Internet Explorer Automatic Crash Recovery 24

In Microsoft Dynamics AX, set up Payment services in Accounts receivable 24

In Microsoft Dynamics AX, set up Payment services in online stores 25

Store computers: Set up group policies to enable a kiosk session (optional) 26

Part 2: Features that facilitate PCI compliance 40

Protect stored cardholder data 40

Audit logging 41

Provide secure authentication features 41

Store user names, passwords, and authentication 41

Set up a new store user (manager or cashier) in Microsoft Dynamics AX 42

Data storage and deletion 43

Versioning methodology 43

Data transmissions 44

Payment data flow diagrams 45

Flow of payment data in Retail Modern POS when the full integration model is used 45

Flow of payment data in Retail Modern POS when the semi-integrated model is used 47

Flow of payment data in Retail Enterprise POS when the semi-integrated model is used 49

Flow of payment data in Retail Enterprise POS when the full integration model is used 50

Flow of payment data in Microsoft Dynamics AX Accounts receivable and call center 51

Flow of payment data in an e-Commerce Sample Web Storefront 53

Part 3: Connection limitations 54

Internet connections 54

Protect wireless connections 54

Remote access 55

Non-console administrative access 55

Part 4: Audit logging 56

Monitor Microsoft Dynamics AX activity 56

View information about user sign-in and user sign-out 56

View the audit trail 56

View the SQL Server trace log files 57

Monitor Retail POS activity 57


Monitor event logs 58

Part 5: Software updates and support 59

Software updates 59

Troubleshooting and support 59

Support personnel access the customer’s desktop 60

Support personnel travel to the customer’s place of business 60

Distribution of hotfixes 60

Appendix A: Version history 61


PA-DSS implementation guide

You must follow the requirements in this guide to implement Microsoft Dynamics AX 2012 and Payment Services for Microsoft Dynamics ERP (the integrated payment solution from Microsoft) in a manner that complies with the Payment Card Industry (PCI) Data Security Standard version 3.2.

Note: AX 2012 includes Microsoft Dynamics AX for Retail.

The requirements in this guide represent best practices that should be implemented even if you are not required to comply with the PCI Data Security Standard.

This guide is intended for and disseminated to customers, Microsoft Certified Partners, resellers, and integrators who are deploying AX 2012 in a retail organization where electronic credit card and debit card payments are accepted, and where AX 2012 is used as the payment application. As a payment application, AX 2012 is subject to the PCI Payment Application Data Security Standard (PA-DSS). The contents of this guide reflect that standard.

Important:

● Although this guide is made available to Microsoft customers, some of the steps in it are technical and should be completed only by a Microsoft Certified Partner. Implementation by anyone other than a Microsoft Certified Partner could be considered cause for concern by PCI Security Standards Council assessors, and could compromise the security of both cardholder and proprietary information.

● AX 2012 has been validated for PCI compliance only with Payment Services for Microsoft Dynamics ERP, the integrated payment solution from Microsoft. If you intend to use AX 2012 with another payment solution or modify the out-of-box integrated payment solution, you must obtain separate compliance validation.

Get the latest release of this guide

This guide is reviewed annually, whenever a service pack or hotfix for AX 2012 is released, and whenever an update to one of the Data Security Standards is released. For information about what has changed, see Appendix A: Version history, later in this guide. To obtain the most up-to-date copy of this guide, go to http://go.microsoft.com/fwlink/?LinkId=275035.

For more information

To read the full text of the PCI Data Security Standard or the PCI PA-DSS, go to http://www.pcisecuritystandards.org.

Microsoft provides training materials to our partners, resellers, and integrators to help them implement AX 2012. For more information, go to http://go.microsoft.com/fwlink/?LinkID=188800.


Part 1: Setup

For PCI compliance, you must complete all the procedures in this part of the guide.

Install the software

To deploy AX 2012 in a manner that is PCI-compliant, follow the instructions in the Microsoft Dynamics AX 2012 Upgrade Guide, which is available for download at http://go.microsoft.com/fwlink/?LinkID=221465.

Important:

● For maximum security, AX 2012 must be installed in the Program Files folder or a location that has similar access control protections.

● Requirement 8.5.8 of the PCI Data Security Standard (numbered 8.5 in PCI DSS version 3.2) specifies that group, shared, and generic accounts (for example, the system administrator [sa] account for access to the database) must be disabled or removed.

All computers: Windows Lifecycle Policy

The Microsoft Lifecycle Policy gives you consistent and predictable guidelines for the availability of support throughout the life of a product. Review the Microsoft support lifecycle policy (https://support.microsoft.com/en-us/help/14085) to understand the phases of the Support Lifecycle for Business, Developer, Consumer and Multimedia Software, and in particular which phases (for example, Extended Support) still provide security updates. A computer that runs a Windows or SQL Server version that no longer receives security updates cannot meet the requirement in the next section to install security hotfixes as they become available.

All computers: Maintain security

You must install security hotfixes and service packs as soon as they become available. For best results, turn on Automatic Updates.

Strong cryptography must be used, and only Transport Layer Security (TLS) 1.2 or above may be enabled. The following procedure disables SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 in SCHANNEL, enables TLS 1.2, and sets the SchUseStrongCrypto value so that .NET Framework 4.x applications (such as the AOS and the Retail services) use the stronger protocol defaults.

1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2008 R2, click Start, type regedit in the search box, and then press Enter.

2 In the Registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

3 Create the registry keys and sub-keys for the following areas. If a registry key doesn't exist, right-click the Protocols key, and then enter a new key. (Step 4 also sets values under TLS 1.1, so create that key as well.)

Key: Subkeys

● SSL 2.0: Client, Server
● SSL 3.0: Client, Server
● TLS 1.0: Client, Server
● TLS 1.1: Client, Server
● TLS 1.2: Client, Server

4 Create DWORD (32-bit) values for the following keys. To create a new DWORD, go to the key, right-click it, and then click Edit > New > DWORD (32-bit) value.

Key: DWORD name = DWORD value

● SSL 2.0 > Server: Enabled = 0
● SSL 2.0 > Client: Enabled = 0
● SSL 3.0 > Server: Enabled = 0
● SSL 3.0 > Client: Enabled = 0
● TLS 1.0 > Server: Enabled = 0
● TLS 1.0 > Client: Enabled = 0
● TLS 1.1 > Server: Enabled = 0
● TLS 1.1 > Client: Enabled = 0
● TLS 1.2 > Server: Enabled = 1
● TLS 1.2 > Server: DisabledByDefault = 0
● TLS 1.2 > Client: Enabled = 1
● TLS 1.2 > Client: DisabledByDefault = 0

5 In the Registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.

6 Create a new DWORD (32-bit) value. Set the value name to SchUseStrongCrypto and the value to 1.

7 In the Registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319.

8 Create a new DWORD (32-bit) value. Set the value name to SchUseStrongCrypto and the value to 1.

Note: The SCHANNEL settings take effect only after the computer is restarted. Before you disable TLS 1.0 and TLS 1.1 on a computer that hosts or connects to SQL Server, confirm that the SQL Server build and the client components on the AOS and store computers support TLS 1.2; otherwise database connections fail after the restart.
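The following Windows PowerShell script is an added example, not part of the Microsoft guide. It applies steps 2 through 8 above on the local computer and then reports any registry value that still differs from the table, which is the check an assessor will ask you to show. The hashtable mirrors the guide's table exactly; nothing beyond those values is changed.

```powershell
# Added example (not from the Microsoft guide): apply the SCHANNEL and .NET settings from
# steps 2-8 and verify them. Run in an elevated Windows PowerShell session; restart afterwards.
# Assumption: the $desired table below is the guide's table, applied to Client and Server alike.

$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 64-bit Windows only
)

# Desired DWORD values per protocol; each is written under both the Client and Server subkey.
$desired = [ordered]@{
    'SSL 2.0' = @{ Enabled = 0 }
    'SSL 3.0' = @{ Enabled = 0 }
    'TLS 1.0' = @{ Enabled = 0 }
    'TLS 1.1' = @{ Enabled = 0 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Set-SchannelBaseline {
    foreach ($protocol in $desired.Keys) {
        foreach ($side in 'Client', 'Server') {
            $key = "$protocolsKey\$protocol\$side"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # step 3
            foreach ($name in $desired[$protocol].Keys) {                           # step 4
                New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                    -Value $desired[$protocol][$name] -Force | Out-Null
            }
        }
    }
    # Steps 5-8: .NET Framework 4.x callers use strong crypto (TLS 1.2 once the older
    # protocols are disabled). The Wow6432Node key exists only on 64-bit Windows.
    foreach ($key in $netKeys) {
        if (Test-Path $key) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-SchannelBaseline {
    # Returns one line per deviation from the desired state; an empty result means compliant.
    $drift = @()
    foreach ($protocol in $desired.Keys) {
        foreach ($side in 'Client', 'Server') {
            $key = "$protocolsKey\$protocol\$side"
            foreach ($name in $desired[$protocol].Keys) {
                $expected = $desired[$protocol][$name]
                $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
                if ($actual -ne $expected) { $drift += "$protocol\$side\$name = $actual (expected $expected)" }
            }
        }
    }
    foreach ($key in $netKeys) {
        if (Test-Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
            if ($actual -ne 1) { $drift += "$key\SchUseStrongCrypto = $actual (expected 1)" }
        }
    }
    return $drift
}

Set-SchannelBaseline
$drift = @(Test-SchannelBaseline)
if ($drift.Count -eq 0) { 'SCHANNEL and .NET settings match the guide. Restart the computer to apply them.' }
else { $drift }
```

Run Test-SchannelBaseline on its own, without the Set call, to audit a computer that somebody else configured; a missing key shows up as an empty actual value, which is reported as drift because an absent Enabled value does not disable anything.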

All computers: Prepare for monitoring of event logs

The event logging capabilities that are built into Microsoft Windows help you comply with Requirements 10.2 and 10.3 of the PCI Data Security Standard. Complete the following procedure on all computers to configure the retention period for event logs.

Important: You should not disable event logging. Otherwise, your system will not comply with the PCI Data Security Standard.

1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2008 R2, click Start, type Event Viewer in the search box, and then press Enter.

2 If the Windows Logs folder is available, expand it, right-click Security, and then click Properties.

3 In the Maximum log size field, type 102400 (the value is in KB, so this is 100 MB).

4 Select Overwrite events as needed, and then click OK.

Note: With Overwrite events as needed, the oldest events are discarded once the log reaches 100 MB, so the computer itself keeps only a bounded history. If you must also meet the audit trail retention period in Requirement 10.7 of the PCI Data Security Standard, forward or collect the Security log to central storage.

All Windows 10 computers: Disable the Microsoft-Windows-WinINet-Capture event log

If you are running Windows 10, you must disable the WinINet (Microsoft-Windows-WinINet-Capture) > Capture/Analytic event log.

1 If you are running Windows 10, click Start, type Event Viewer in the search box, and then press Enter.

2 Expand Applications and Services Logs > Microsoft > WinINet (Microsoft-Windows-WinINet-Capture), right-click Capture/Analytic, and then click Properties.

3 In the Enable logging field, clear the check box.

4 Click OK.

Note: Analytic channels are hidden in Event Viewer until you click View > Show Analytic and Debug Logs.

All computers: Set up auditing of file access, object access, and audit policy changes

All access to computers, servers, and databases by Dynamics AX 2012 must be controlled through unique user IDs and secure authentication that complies with the PCI Data Security Standard.

To audit changes that are made to the computer's audit policy, and access to log files and system objects, complete both of the following procedures on all computers.

Notes:

● In an implementation of AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the flow or security of cardholder data. Nevertheless, you must complete the procedures in this section to comply with Requirements 10.2 and 10.3 of the PCI Data Security Standard, and to help make organizational data more secure.

● For domain computers, work with the domain administrator to make sure that local audit policies are not overwritten by less stringent domain policies.

● For information about how to view and manage log files, see Part 4: Audit logging, later in this guide.

Enable auditing of file access, object access, and audit policy changes

1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2008 R2, click Start, type Local Security Policy in the search box, and then press Enter.

2 Expand the Local Policies folder, and then click Audit Policy.

3 Double-click Audit account logon events, select both the Success and Failure check boxes, and then click OK.

4 Double-click Audit account management, select both the Success and Failure check boxes, and then click OK.

5 Double-click Audit object access, select both the Success and Failure check boxes, and then click OK.

6 Double-click Audit policy change, select both the Success and Failure check boxes, and then click OK.

Note: Audit object access is what turns the folder auditing entries in the next procedure into Security log events; without it, the entries are recorded but nothing is logged. If advanced audit policy (Security Settings > Advanced Audit Policy Configuration) is configured locally or through Group Policy, its subcategory settings take precedence over these category settings, so make sure that the corresponding subcategories (for example, File System under Object Access) are also set to Success and Failure.

Audit access to system folders and files

Use the following procedure to turn on folder and file auditing. The folders that you must audit vary by operating system.

For Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, or Windows Server 2008, you must audit the following folders:

● C:\Windows\System32\winevt\Logs.

● The folder where AX 2012 is installed (by default, C:\Program Files\Microsoft Dynamics AX or, on a 64-bit computer, C:\Program Files (x86)\Microsoft Dynamics AX). See the note in step 8 of the procedure.

● The Microsoft SQL Server log directory for the instance (by default, C:\Program Files\Microsoft SQL Server\<instance name>\MSSQL\Log). This is where the trace files from "At the head office: Enable SQL Server trace logging" are written.

Complete this procedure for each folder in the previous list.

1 In Windows Explorer, right-click the folder name, and then click Properties.

2 On the Security tab, click Advanced.

Note: If the Security tab is not available, on the Tools menu, click Folder Options, and then, on the View tab, clear the Use simple file sharing check box.

3 Click the Auditing tab. If you receive a security message, click Continue.

4 Click Add.

5 In the Enter the object name to select field, type Everyone, and then click Check Names.

6 If the name is valid, click OK.

7 In the Apply onto field, make sure that This folder, subfolders and files is selected.

8 In the Access list, select both the Successful and Failed check boxes for the following privileges, and then click OK:

● Create files/write data
● Create folders/append data
● Delete subfolders and files
● Delete
● Read permissions
● Change permissions

Note: Do not enable Read permissions for the folder where Microsoft Dynamics AX for Retail POS is installed (by default, C:\Program Files\Microsoft Dynamics AX\60\Retail POS).

9 If the previous settings provide more auditing than is otherwise set up for the folder, select the Replace all existing inheritable auditing entries check box, and then click OK.

10 Click OK in the remaining dialog boxes.
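The following Windows PowerShell script is an added example, not part of the Microsoft guide. It applies the three procedures above in one pass (the Security log size, the four audit policy categories, and the folder auditing entries for Everyone) and then verifies each of them, so the same script can be used to re-check a store computer later. The SQL Server instance folder (MSSQL11.MSSQLSERVER) and the AX install path are placeholders for this example; adjust them to your installation.

```powershell
# Added example (not from the Microsoft guide): apply and verify the event log retention,
# audit policy, and folder SACL procedures above. Run in an elevated Windows PowerShell session.
# Placeholders: $axFolder, $posFolder and $sqlLogDir must match your installation.

$securityLogBytes = 100MB   # the 102400 KB typed into the Event Viewer dialog
$categories = 'Account Logon', 'Account Management', 'Object Access', 'Policy Change'
$axFolder   = 'C:\Program Files (x86)\Microsoft Dynamics AX'                          # placeholder
$posFolder  = "$axFolder\60\Retail POS"                                                # placeholder
$sqlLogDir  = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log'    # placeholder
$evtLogDir  = "$env:SystemRoot\System32\winevt\Logs"

# Access rights from step 8; Read permissions is added only where the guide allows it.
$baseRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'
$readPerm   = [System.Security.AccessControl.FileSystemRights]::ReadPermissions
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # this folder, subfolders and files
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

function Set-SecurityLogRetention {
    Limit-EventLog -LogName Security -MaximumSize $securityLogBytes -OverflowAction OverwriteAsNeeded
}

function Set-AuditCategories {
    # Category-level equivalent of the Local Security Policy steps, success and failure.
    foreach ($category in $categories) {
        & auditpol.exe /set /category:"$category" /success:enable /failure:enable | Out-Null
    }
}

function Set-FolderAuditRule([string]$path, [bool]$includeReadPermissions) {
    $rights = if ($includeReadPermissions) { $baseRights -bor $readPerm } else { $baseRights }
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', $rights, $inherit, $propagate, $auditFlags
    $acl = Get-Acl -Path $path -Audit          # -Audit reads the SACL; needs SeSecurityPrivilege
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Set-AuditBaseline {
    Set-SecurityLogRetention
    Set-AuditCategories
    foreach ($folder in $evtLogDir, $axFolder, $sqlLogDir) {
        if (Test-Path $folder) { Set-FolderAuditRule -path $folder -includeReadPermissions $true }
    }
    # The Retail POS folder gets its own entry without Read permissions, per the note in step 8.
    if (Test-Path $posFolder) { Set-FolderAuditRule -path $posFolder -includeReadPermissions $false }
}

function Test-AuditBaseline {
    # Returns one line per finding; an empty result means the computer matches the procedures.
    $findings = @()
    $log = Get-WinEvent -ListLog Security
    if ($log.MaximumSizeInBytes -lt $securityLogBytes) { $findings += "Security log maximum size is $($log.MaximumSizeInBytes) bytes" }
    if ($log.LogMode -ne 'Circular') { $findings += "Security log mode is $($log.LogMode), not Overwrite events as needed" }
    foreach ($category in $categories) {
        $rows = & auditpol.exe /get /category:"$category" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
        foreach ($row in $rows) {
            if ($row.'Inclusion Setting' -ne 'Success and Failure') {
                $findings += "$($row.Subcategory): $($row.'Inclusion Setting')"
            }
        }
    }
    foreach ($folder in $evtLogDir, $axFolder, $sqlLogDir, $posFolder) {
        if (-not (Test-Path $folder)) { continue }
        $entries = (Get-Acl -Path $folder -Audit).Audit | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
        if (-not $entries) { $findings += "No auditing entry for Everyone on $folder" }
    }
    return $findings
}

Set-AuditBaseline
$findings = @(Test-AuditBaseline)
if ($findings.Count -eq 0) { 'Audit baseline applied and verified.' } else { $findings }
```

Because the Retail POS folder is a subfolder of the AX install folder, it still inherits the parent's entry, which includes Read permissions. If you need the POS folder to carry only its own entry, as the note in step 8 intends, call $acl.SetAuditRuleProtection($true, $false) on that folder's ACL before Set-Acl, which is the script equivalent of clearing inheritance in the dialog.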


Required services and protocols

The following table lists the services and protocols that are required by Microsoft Dynamics AX for Retail and its components.

Retail component: Required services and protocols

● Retail Headquarters: Dynamics AX 2012

● Commerce Data Exchange: Async Server: Internet Information Services; SQL Server (default port: 1433)

● Commerce Data Exchange: Synch Service: Windows Sockets; Internet Protocol security (IPsec) (default port: 16750); SQL Server (default port: 1433); Dynamics AX .NET Business Connector

● Commerce Data Exchange: Real-time Service: Microsoft .NET Remoting (default port: 1239); Internet Information Services; Dynamics AX .NET Business Connector

● Retail Enterprise POS: SQL Server (default port: 1433)

● Retail POS Offline Sync Service: Microsoft Sync Framework 2.1

● Retail POS Database Utility: SQL Server (default port: 1433)

● Retail Modern POS: SQL Server (default port: 1433)

● Retail hardware station: Internet Information Services

Dependent hardware

The following PIN Transaction Security (PTS)-approved terminals can be used with AX 2012:

● VeriFone Mx925/Mx915, PTS approval 4-10110

● Equinox Payment L5200, L5300, PTS approval


Communication and database computers: Open the firewall

To establish communications between computers in the organization, open the firewall on any communications server and on store database computers, as described in the following table.

Type of computer: Open the firewall to these programs

● Head office communications server: Synch Service; Real-time Service

● Store communications server: SQL Server, to enable connections to the message database; Synch Service

● Store database server: SQL Server

● Store register with its own local database: SQL Server, but only if Synch Service is on a different computer

Notes:

● Instead of opening the firewall to Synch Service and Real-time Service, you might prefer to open the firewall to the TCP ports that these programs use. In this case, you must know the port numbers that you specified when you deployed the services. By default, the port numbers are 1433 for SQL Server, 16750 for Synch Service, and 1239 for Real-time Service.

● If you are using multiple instances of Synch Service on a single computer, we recommend that you open the firewall to specific port numbers instead.

● Whichever form you choose, scope each rule to the addresses of the computers that need the connection (the remote address scope of the rule) rather than allowing any source. A rule that accepts connections from any address exposes the SQL Server listener to every host that can reach the computer.

● Depending on the settings of your firewall, you might also have to open the firewall to outbound traffic on client and register computers. To determine whether this step is required, consult your network administrator.

● The instructions in the rest of this section are for Windows Firewall. If you are using another firewall, see the firewall documentation for more information.

Open Windows Firewall

To open Windows Firewall to a program on Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, use the New Rule Wizard to create a rule that manages the connections that the allowed program can receive. You can use the default settings for each rule, but you must provide the path of the program and a name for the rule.

Program: Typical program path; Suggested rule name

● SQL Server: C:\Program Files\Microsoft SQL Server\<instance name>\MSSQL\Binn\Sqlservr.exe; SQL Server <instance name>

● Async Server (if installed): C:\Program Files (x86)\Microsoft Dynamics AX\60\CDX\Async Server; Commerce Data Exchange Async Server

● Real-time Service (if installed): C:\Program Files (x86)\Microsoft Dynamics AX\60\CDX\Real-time Services; Commerce Data Exchange Real-time Service

Note: The paths shown for Async Server and Real-time Service are for a 64-bit operating system, where these components are installed under the Program Files (x86) folder.

1 Sign in to the computer as a Windows Administrator.

2 Click Start, type wf.msc in the search box, and then press Enter.

3 Click Inbound Rules.

4 To create a new rule, click New Rule, select Program, and then complete the New Inbound Rule Wizard.

5 Repeat step 4 for the other programs that should be allowed through the firewall.
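The following Windows PowerShell script is an added example, not part of the Microsoft guide. It creates the rules from this section with the NetSecurity cmdlets and then reports what each rule actually allows. SQL Server gets a program rule, as the wizard procedure does; Synch Service and Real-time Service get TCP port rules on the guide's default ports, which the first note in this section allows. The NetSecurity module exists on Windows 8, Windows Server 2012 and later; on Windows 7 and Windows Server 2008 R2 use the wizard or netsh advfirewall instead. The SQL Server instance folder (MSSQL11.MSSQLSERVER) and the remote address scope are placeholders; adjust them to your network.

```powershell
# Added example (not from the Microsoft guide): create and list the inbound Windows Firewall
# rules for SQL Server, Synch Service and Real-time Service. Run in an elevated session.
# Placeholders: $sqlServerExe (instance folder) and $allowedFrom (your store/head-office networks).

$sqlServerExe = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
$allowedFrom  = '10.0.0.0/8'   # placeholder scope; never leave a database listener open to Any

$rules = @(
    @{ DisplayName = 'SQL Server MSSQLSERVER';                   Program   = $sqlServerExe },
    @{ DisplayName = 'Commerce Data Exchange Synch Service';     LocalPort = 16750 },
    @{ DisplayName = 'Commerce Data Exchange Real-time Service'; LocalPort = 1239 }
)

function New-AxFirewallRules {
    foreach ($rule in $rules) {
        # Idempotent: skip rules that already exist so re-running does not create duplicates.
        if (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue) { continue }
        $common = @{
            DisplayName   = $rule.DisplayName
            Direction     = 'Inbound'
            Action        = 'Allow'
            Profile       = 'Domain'        # the guide requires AX computers to be domain members
            RemoteAddress = $allowedFrom
        }
        if ($rule.Program) {
            New-NetFirewallRule @common -Program $rule.Program | Out-Null
        } else {
            New-NetFirewallRule @common -Protocol TCP -LocalPort $rule.LocalPort | Out-Null
        }
    }
}

function Get-AxFirewallRuleReport {
    # One object per expected rule, showing the filters that actually apply to it.
    foreach ($rule in $rules) {
        $fw = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
        if (-not $fw) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Present = $false }
            continue
        }
        [pscustomobject]@{
            Rule    = $fw.DisplayName
            Present = $true
            Enabled = $fw.Enabled
            Profile = $fw.Profile
            Program = ($fw | Get-NetFirewallApplicationFilter).Program
            Port    = ($fw | Get-NetFirewallPortFilter).LocalPort
            Remote  = ($fw | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

New-AxFirewallRules
Get-AxFirewallRuleReport | Format-Table -AutoSize
```

Run Get-AxFirewallRuleReport alone on a computer that was configured through the wizard: a Remote value of Any or a Profile of Any on the SQL Server rule is what to look for, because the wizard defaults produce exactly that.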

At the head office: Set up the password policy

Requirement 8.5.8 of the PCI Data Security Standard specifies that group, shared, and generic accounts must not be used, and it provides test procedures for verifying that these accounts are not used.

Requirements 8.5.9 through 8.5.14 specify password and account security regulations for people who have administrative access to the payment application. (Requirements 8.5.8 through 8.5.14 are the numbers used in PCI DSS version 2.0; in version 3.2, the version that this guide targets, the same controls are Requirements 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8.) To comply with these requirements, contact the domain administrator to establish group policies for the domain that meet the minimum requirements that are described in the following table.

Policy: Security setting

● Enforce password history: 4 passwords remembered
● Maximum password age: 90 days
● Minimum password length: 7 characters
● Password must meet complexity requirements: Enabled
● Account lockout duration: 30 minutes
● Account lockout threshold: 6 invalid sign-in attempts

Notes:

● Users of AX 2012 are subject to Active Directory Domain Services (AD DS) security policies. Therefore, users of AX 2012 are subject to the same password policy as domain users.

● You cannot install AX 2012 on a computer that is not part of the domain.

● These policies meet the minimum requirements of Requirements 8.5.9 through 8.5.14. You can use more stringent settings.

● For more information about how to manage password policy via group policies, see Working with Group Policy objects.
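The following Windows PowerShell script is an added example, not part of the Microsoft guide. It reads the domain's default password policy and every fine-grained password policy (PSO), since a PSO applied to a group or user overrides the default policy, and compares each one against the table above. It needs the ActiveDirectory module from RSAT and a domain account that can read the policies; it changes nothing.

```powershell
# Added example (not from the Microsoft guide): check the domain password and lockout policy
# against the guide's table. Read-only; requires the ActiveDirectory (RSAT) module.

Import-Module ActiveDirectory

function Test-PciPasswordPolicy($policy) {
    # $policy comes from Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy.
    # Returns one line per setting weaker than the table; an empty result means it meets the table.
    $findings = @()
    if ($policy.PasswordHistoryCount -lt 4) {
        $findings += "Enforce password history: $($policy.PasswordHistoryCount), minimum 4"
    }
    # "Never expires" comes back as either zero or a very large TimeSpan; both fail the 90-day limit.
    $maxAgeDays = [math]::Round($policy.MaxPasswordAge.TotalDays)
    if ($maxAgeDays -le 0 -or $maxAgeDays -gt 90) {
        $findings += "Maximum password age: $maxAgeDays days, maximum 90 (0 means never expires)"
    }
    if ($policy.MinPasswordLength -lt 7) {
        $findings += "Minimum password length: $($policy.MinPasswordLength), minimum 7"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += 'Password must meet complexity requirements: disabled'
    }
    # A threshold of 0 disables lockout entirely; anything above 6 allows too many guesses.
    if ($policy.LockoutThreshold -le 0 -or $policy.LockoutThreshold -gt 6) {
        $findings += "Account lockout threshold: $($policy.LockoutThreshold), maximum 6 (0 means no lockout)"
    }
    # A duration of 0 means "locked until an administrator unlocks", which is stricter than 30 minutes,
    # so only a positive duration under 30 minutes is a finding.
    $lockoutMinutes = [math]::Round($policy.LockoutDuration.TotalMinutes)
    if ($lockoutMinutes -gt 0 -and $lockoutMinutes -lt 30) {
        $findings += "Account lockout duration: $lockoutMinutes minutes, minimum 30"
    }
    return $findings
}

function Get-PciPasswordPolicyReport {
    # The default domain policy applies to every AX user; each PSO overrides it for its targets.
    $report = @()
    $default = Get-ADDefaultDomainPasswordPolicy
    $report += [pscustomobject]@{ Policy = 'Default domain policy'; Findings = @(Test-PciPasswordPolicy $default) }
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $report += [pscustomobject]@{
            Policy   = "PSO $($pso.Name) (applies to: $($pso.AppliesTo -join ', '))"
            Findings = @(Test-PciPasswordPolicy $pso)
        }
    }
    return $report
}

Get-PciPasswordPolicyReport | ForEach-Object {
    if ($_.Findings.Count -eq 0) { "$($_.Policy): meets the table" }
    else { "$($_.Policy):"; $_.Findings | ForEach-Object { "  $_" } }
}
```

The PSO pass matters in practice: a fine-grained policy created for service accounts or executives with a long password age silently applies to any AX administrator who is a member of the group it targets, even when the default domain policy matches the table.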


At the head office: Set up database logging

By modifying the audit trail in AX 2012, you can enable logging of the following events in the head office database:

● Changes to the audit trail settings – These settings are stored in the DATABASELOG table for the head office and in the RetailFunctionalityProfile table for Retail components.

● Changes to the payment processing configuration – These settings are stored in the RetailHardwareProfile table for both the head office and Retail store components.

● The creation, deletion, or modification of cashier user accounts and permissions – These settings are stored in the RetailStaffPermissionGroup table for the head office and in the RetailStaffTable table for Retail components.

Note: Although the logging of activity in the head office database is related to Requirements 10.2 and 10.3 of the PCI Data Security Standard, it is beyond the scope of the PCI requirements because, in an implementation of AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the security of cardholder data. Therefore, the following procedure is included in this guide as an optional best practice that helps make organizational data more secure.

1 To set up logging in the head office database, click System administration > Setup > Database > Database log setup.

2 Create the following new entries by following the wizard.

Table name: Actual system name

● POS functionality profile: RetailFunctionalityProfile
● POS hardware profiles: RetailHardwareProfile
● Component Item ID: RetailStaffLoginLog
● Staff permission group: RetailStaffPermissionGroup
● Staff: RetailStaffTable
● Audit trail setup: SysDatabaseLogTableSetup

3 Click System administration > Setup > Licensing > Licensing configuration.

4 Under Administration, select the Electronic signature check box, and then click OK. If you are prompted to synchronize tables, click Yes.

Notes:

● This procedure sets up logging on Insert, Delete, Update, and Rename Key actions. To view or modify this setup, click System administration > Setup > Database > Database log setup.

● For each change to one of these tables, AX 2012 records the user who performed the action, the table that was modified, the action that was taken, the attribute that was changed, the time and date of the action, and the ID of the record that was modified or added. For each Update action, Dynamics AX also records both the previous settings and the new settings.

● By default, any user who has database access can query a database log by using .NET Business Connector, X++, or alerts, or by using direct database access. To help protect data, restrict permissions on the SysDatabaseLog table. For more information, see Manage table and field access and Table Properties. Restricting the table in AX does not restrict SQL Server logins that can read the DATABASELOG table directly, so also limit direct database access to the AOS service account and database administrators.

● For information about how to view logged actions, see Monitor AX 2012 activity, later in this guide.

At the head office: Enable SQL Server trace logging

To monitor access to the audit log, enable SQL Server trace logging by using the AxRetailTrace.sql file.

Notes:

● AxRetailTrace.sql is included in the AX 2012 download package and can be found in the RetailSecurityGroups subfolder of the folder where you extracted the installation files.

● Although this procedure is related to Requirements 10.2 and 10.3 of the PCI Data Security Standard, it is beyond the scope of the PCI requirements because, in an implementation of AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the security of cardholder data. Therefore, the following procedure is included in this guide as an optional best practice that helps make organizational data more secure.

1 Copy AxRetailTrace.sql to the computer where the head office database is located.

2 Open Microsoft SQL Server Management Studio, and connect to the instance of SQL Server that is used in the AX 2012 deployment.

3 On the File menu, point to Open, click File, browse to and select the .sql file, and then click OK.

4 Click Execute.

Notes:

● The trace log files are located in the Log directory for the instance. SQL Server trace log files have a maximum size of 100 MB. When the size of a log file exceeds this limit, a new log file is created by using a date-based numbering scheme. Because the trace files are written to the instance Log directory, the folder auditing entry that you set on that directory in "Audit access to system folders and files" records who reads, modifies, or deletes them.

● For information about how to view and manage log files, see Part 4: Audit logging, later in this guide.

● A commented section at the end of the AxRetailTrace.sql script file contains the code for performing several operations that are related to trace logging. These operations include manually starting and stopping the trace, viewing the contents of the AX 2012 log tables, viewing the trace detail, and disabling the automatic start of tracing. To complete one of these operations, copy the code for the operation into a new query file, modify the script as described in the comments, and then click Execute.


Obtain a Payment Services for Microsoft Dynamics ERP subscription

You can configure AX 2012 with Payment Services for Microsoft Dynamics ERP to process credit card and debit card transactions at retail point of sale (POS) registers, in online stores, and in the Accounts receivable module in AX 2012. For more information about Payment Services for Microsoft Dynamics ERP, go to http://go.microsoft.com/fwlink/?LinkID=188806.

Payment Services accepts various payment types, and you can select among several payment providers.

The process for setting up Payment Services consists of several tasks. Some of these tasks are performed by the retailer, and others are performed by a Microsoft Dynamics AX partner. The tasks are performed in this order:

1 Partner: In Partner Portal, create a Payment Services account for the retailer.

2 Retailer: In Customer Portal, set up a merchant account with a payment provider.

3 Partner: In Partner Portal, activate the payment provider.

4 Retailer: In Customer Portal, test the payment service.

Note: When partners work with payment accounts for customers, they must use the customer's Microsoft account instead of their own Microsoft account.

Partner: In Partner Portal, create a Payment Services account for the retailer

1 Sign in to Partner Portal by using your Microsoft account email address and password.

2 Click Customer List, and then click New Customer to add the retailer.

3 Select the retailer in the list, click Add Service, and then create a Payment Services account for the retailer.

4 In the Add Service form, in the Purpose of account field, select Production.

5 Click Service List, select the payment service that you created in step 3, and then click Send Activation to send an invitation to the retailer.

The retailer receives this invitation by email.

Retailer: In Customer Portal, set up a merchant account with a payment provider

1 In the invitation email message from your Microsoft Dynamics AX partner, click the invitation link to Payment Services, and then sign in by using your Microsoft account email address and password.

2 Under Payment settings, click Payment providers.

3 Compare the payment providers, read their terms, and then click Sign up now for the provider that you want.

● If you select First Data (EMPS), your contact information is automatically sent to First Data Merchant Services (FDMS). FDMS will contact you to process the application.

● If you select CyberSource, your contact information is automatically sent to CyberSource. CyberSource will contact you to process the application.

● If you select another provider, follow the provider's instructions to submit an application.

4 Sign in to Customer Portal by using your Microsoft account email address and password.

5 Click Service list, select the check box for the payment service, and then click Change Partner.


6 In the Change support partner form, select the partner in the list, select the Grant service access to the

selected partner check box, and then click Change Partner.

Note: If you do not find your partner in the list, tell your partner to register as a partner for online services for

Microsoft Dynamics ERP. For more information, see the Partner Portal Provisioning Guide.

7 Sign out of Customer Portal.

The payment provider will contact you to process your application and set up a merchant account for you. The

process of setting up a merchant account typically includes performing a credit check, discussing terms of service,

and signing a contract with the payment provider. This process might take several days. This process does not

involve any actions in AX 2012. After your merchant account is set up with the payment provider, the payment

provider provides the settings for the merchant account to you. Provide the settings for the merchant account to

your Microsoft Dynamics AX partner.

Partner: In Partner Portal, activate the payment provider

1 Sign in to Partner Portal by using your Microsoft account email address and password.

2 In the Customer list, select the customer, and then click the link in the Services column.

3 Select the service, and then click Open Service.

4 Under Payment Settings, click Payment Methods.

5 Under Payment Provider Accounts, select an account, and then, under Actions, click Activate.

The Payment Services website displays the Payment Provider Account Activation form.

6 Depending on the payment provider, follow one of these steps:

● First Data – Use the following guidelines to enter the merchant account information that you received from

the retailer and the payment provider, and then click Activate:

● AcquirerBin – Enter the acquirer Bank Identification Number (BIN).

● AgentBankNumber – Enter the agent number.

● AgentChainNumber – Enter the chain number.

● City – Enter the city of the merchant.

● Country / Region Code – Enter the three-letter country/region code, such as USA or CAN.

● Email – Enter the email address that was provided to the payment provider.

● LanguageCode – Enter the two-character language code, such as 00 for US English.

● LocationNumber – Enter the location number.

● MerchantAbaNumber – If the payment provider does not provide a value, leave this field blank.

● MerchantCategoryCode – Enter the merchant category, which is also known as the Standard Industry

Code (SIC). The payment provider provides this value.

● MerchantId – Enter the merchant number.

● MerchantName – Enter the name of the merchant.

● Postal Code – Enter the postal code of the merchant.

● Reimbursement – If the payment provider does not provide a value, leave the field blank.

● ServicePhoneNumber – Enter 8884777877.

● SettlementAgentNumber – If the payment provider does not provide a value, leave the field blank.


● SharingGroup – If the payment provider does not provide a value, leave the field blank.

● MerchantState – Enter the state or province of the merchant, such as WA for Washington.

● StoreNumber – Enter the store number.

● Street Address – Enter the street address of the merchant.

● TerminalId – Enter the terminal number of the merchant.

● VNumber – Enter the V number. The V number is seven digits and starts with 7.

● First Data/Express Merchant Processing Solutions (EMPS) – Use the following guidelines to enter the

merchant account information that you received from the retailer and the payment provider, and then click

Activate:

● DOPSIdentifier – Enter DOPSIdentifier.

● DOPSPassword – Enter DOPSPassword.

● MerchantCategoryCode – Enter the merchant category code, which is also known as the MCC code. The

payment provider provides this value.

● MerchantCity – Enter the city of the merchant.

● MerchantCountryCode – Enter the two-letter country/region code, such as US or CA.

● MerchantId – Enter the merchant ID. If there are two merchant IDs, do not enter Nashville MID.

● MerchantName – Enter the name of the merchant.

● MerchantPostalCode – Enter the postal code of the merchant.

● MerchantStateOrProvince – Enter the state or province of the merchant.

● MerchantStatus – Enter 1.

● MerchantStreetAddress – Enter the street address of the merchant.

● ServicePhoneNumber – Enter 8884777877.

● StoreNumber – If the payment provider does not provide a value, leave this field blank.

● TerminalId – Enter the terminal ID of the merchant.

● CyberSource – Use the following guidelines to enter the merchant account information that you received

from the retailer and the payment provider, and then click Activate:

● MerchantId – If the payment provider does not provide a value, enter MerchantId.

● RawProvisionData – Enter any value, such as 123abc.

● Note: You must have two CyberSource accounts: one for transactions where the card is present and one

for transactions where the card is not present. Both accounts must be activated in the CyberSource live

environment.

● PayPal – No action is required. A merchant account is automatically activated after the payment provider

creates and activates it.

7 Under Accepted Payment Methods, select the payment provider to use for each payment method.

8 Click Save and Close.

Retailer: In Customer Portal, test the payment service

1 Sign in to Customer Portal by using your Microsoft account email address and password.

2 Click Dashboard, and then click the Payment Services account.

3 Under Places, click Manage payments, and then click New Payment.


4 Under Card Information, enter the required information. This information includes a minimum payment amount,

such as $1.00.

5 Under Billing Address, enter the required information, and then click Process Payment.

6 Repeat steps 3 through 5 for each type of credit card that you accept in your stores.

7 Sign out of Customer Portal.

8 Contact the payment provider for each test transaction, and make sure that the transactions are processed

correctly. Also verify that the correct transaction fees are assessed, as specified in your payment provider

agreement.

9 Sign in to Customer Portal, click Dashboard, and then click the same Payment Services account that you clicked

in step 2.

10 Under Places, click Manage payments, and then select and refund each test transaction.

At the head office: Set up payment processing and hardware

devices for stores

In AX 2012, the only time that store employees have access to card numbers is at the time of sale, when the cashier

swipes the card. Payment information is sent directly from Retail POS to the processor at that time, and transactions

are settled immediately. Payment information in the AX 2012 database is limited to the customer’s name, the

payment amount, the card type, and the last four digits of the card number. The entire primary account number

(PAN) is never stored.
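The statement that only the last four digits are kept is one you should verify rather than assume, especially in trace files and exports that the application did not intend as cardholder data stores. The following script is an added example and is not part of the Microsoft guide or of AX 2012. It scans text artefacts from a register (Retail POS logs, SQL Server trace output, database exports) for digit runs that look like a full PAN and pass the Luhn check, and reports any hit masked. The sample log lines at the bottom are constructed for this example; the file extensions in Find-PanInFolder are assumptions and should be adjusted to what the store actually keeps. It requires Windows PowerShell 3.0 or later.

```powershell
# Added example; this script is not part of the Microsoft guide or of AX 2012.
# It scans text artefacts from a register (Retail POS logs, trace files, database
# exports) for anything that looks like a full PAN, so that you can confirm that
# only the last four digits are kept.
# Assumptions: the artefacts are readable text files; the sample log lines at the
# bottom are constructed for this example.

function Test-Luhn {
    param([string]$Digits)
    # Mod-10 check used by the major card brands; it rejects most random digit runs.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # [string] first, or you get the char code
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-Pan {
    param([string]$Text, [string]$Source = '<text>')
    # 13 to 19 digits, optionally separated by single spaces or dashes. A masked value
    # such as ************1111 cannot match because its leading characters are not digits.
    $pattern = '(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if ($digits.Length -ge 13 -and $digits.Length -le 19 -and (Test-Luhn $digits)) {
            # Report the hit masked; the scanner must not itself become a PAN store.
            [pscustomobject]@{
                Source = $Source
                Offset = $m.Index
                Length = $digits.Length
                Masked = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
            }
        }
    }
}

function Find-PanInFolder {
    # Assumed extensions; adjust to the artefacts your stores keep.
    param([string]$Path, [string[]]$Include = @('*.log', '*.txt', '*.csv', '*.xml'))
    Get-ChildItem -Path $Path -Recurse -File -Include $Include |
        ForEach-Object { Find-Pan -Text (Get-Content -Path $_.FullName -Raw) -Source $_.FullName }
}

# Constructed sample: a masked tender line as Retail POS should write it, a Luhn-valid
# test PAN (4111...) as a leak would look, and a Luhn-invalid digit run to be ignored.
$sample = @'
2017-01-09 10:21:03 TENDER card=Visa last4=1111 masked=************1111 amount=1.00
2017-01-09 10:21:04 TRACE request pan=4111111111111111 exp=1219
2017-01-09 10:21:05 INFO receipt 1234567890123456 printed
'@
Find-Pan -Text $sample -Source 'sample' | Format-Table -AutoSize
```

Run Find-PanInFolder against the Retail POS log folder and against any SQL Server trace output you enabled earlier in this guide. A hit in a trace or log file means cardholder data is being written somewhere the guide says it is not, and that file must be treated as in scope until the cause is found.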

Set up payment processing

After auditing and other security measures are in place, the store can begin to accept card payments. To set up

payment processing, follow these steps.

1 Obtain a Payment Services for Microsoft Dynamics ERP subscription by following the instructions earlier in this

guide, and associate the subscription with the retail organization’s merchant account.

2 Click Retail > Setup > POS > Profiles > Hardware profiles, and then, in the left pane, select the hardware

profile for the store.

3 On the EFT service FastTab, in the EFT service field, select Payment Connector.

4 In the Merchant account ID field, enter the merchant account ID that you received from the payment provider.

5 In the Service account ID field, enter the service account ID that you received from the payment provider.

6 In the Microsoft account field, enter the same Microsoft account email address that was used to set up the

merchant account in Customer Portal.

7 In the Microsoft account password field, enter the password for the Microsoft account.

8 In the Supported currencies field, enter currency codes for the currencies that the payment service supports.

Separate the currency codes by semicolons, without spaces. For example, enter USD;CAD.

9 In the Supported payment methods field, enter the payment methods that the payment service accepts.

Separate the payment methods by semicolons, without spaces. For example, enter Visa;AmericanExpress;Debit.

10 Copy the contents of the Public key field.

11 Sign in to Customer Portal by using your Microsoft account email address and password.


12 Under Organization settings, click User management, and then, in the New group, click System User.

13 In the Public key field, enter the public key that you copied in step 10, and then click Save.

14 In the User management list, click the first name or last name of the system user that you created in step 13, and

then click Edit.

15 Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button

to add the role to the Selected Roles list, and then click Save.

16 Sign out of Customer Portal.

17 Associate a hardware profile with each register to enable payment processing and so that you can select devices.

For more information, see Set up devices in the Retail module.

18 Set up payment methods to use payment processing. For more information, see Set up payment methods for

payment processing.

19 Enable one or more payment processing tender types for each store. For more information, see Enable tender

types and card types for specific stores.

20 Turn on payment processing at stores by running scheduled jobs. For more information, see Send payment

processing changes to the stores.

21 Configure Accounts receivable for payment processing to support customer orders. For more information, see In

AX 2012, set up Accounts receivable for Payment Services.

Notes:

● These steps are not specifically required for PCI compliance. However, if you skip them, the store cannot use

AX 2012 to process the payments that are subject to the PCI Data Security Standard. The steps are described in

more detail later in this section.

● By using Payment Services for Microsoft Dynamics ERP, you can easily and securely accept and process credit and

debit card payments in your applications, online, from the head office, and in your stores. The PCI-certified service

lets you select among several payment providers and seamlessly incorporates multiple payment options without

requiring additional software or integration.

● When AX 2012 is used in the United States and Canada, the only processor that it communicates with is Payment

Services for Microsoft Dynamics ERP. This communication is configured in the Retail module, and then the

settings are sent down to the stores. During authorization and settlement, these settings are used to identify the

organization’s subscription and its associated merchant account. No cardholder data is included.

Important: AX 2012 has been validated for PCI compliance only with Payment Services for Microsoft Dynamics ERP.

If you intend to use AX 2012 with another payment solution, you must obtain separate compliance validation.


Set up devices in the Retail module

To complete this procedure, you must obtain the actual device names from the store. You can view device names on

the register by viewing the appropriate device class (MSR, PINPad, or POSPrinter) in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\OLEforRetail\ServiceOPOS

1 Click Retail > Setup > POS > Profiles > Hardware profiles.

2 In the list, select the correct profile.

3 Configure hardware devices, such as receipt printers, magnetic stripe readers (MSRs), and personal identification

number (PIN) pad devices. On the tab for each device, in the Device name field, type the appropriate device

name. A description for the device is optional.

Notes:

● In the hardware profile, you must use the same device names that you use when you configure the actual devices

on each terminal.

● If you have registers where payment processing will not occur, consider using a hardware profile that does not

have payment processing configured.

● You must create a separate hardware profile for each combination of devices that is used in the stores. If similar

devices are named differently on different registers or in different stores, you must create additional hardware

profiles.
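The device names in the hardware profile must match the registry on each register exactly, and collecting them by hand from many terminals is error-prone. The following script is an added example and is not part of the Microsoft guide or of AX 2012. It reads the registry key named above and lists every registered device name per device class, and Test-OposDeviceName checks a name taken from a hardware profile against the terminal. It assumes that 32-bit OPOS service objects on 64-bit Windows are registered under the WOW6432Node branch, so it reads both branches. It requires Windows PowerShell 3.0 or later.

```powershell
# Added example; this script is not part of the Microsoft guide or of AX 2012.
# It lists the OPOS device names registered on a register, so that the names you
# type into the hardware profile match the terminal exactly.
# Assumptions: service objects are registered under the guide's key
# HKLM\SOFTWARE\OLEforRetail\ServiceOPOS; on 64-bit Windows, 32-bit service objects
# are redirected to the WOW6432Node branch, so both branches are read.

$DeviceClasses = 'MSR', 'PINPad', 'POSPrinter'
$RegistryRoots = @(
    'HKLM:\SOFTWARE\OLEforRetail\ServiceOPOS',
    'HKLM:\SOFTWARE\WOW6432Node\OLEforRetail\ServiceOPOS'
)

function Get-OposDevice {
    # Each subkey under a device class is a device name; its (Default) value is the
    # ProgID of the service object that drives it.
    foreach ($root in $RegistryRoots) {
        foreach ($class in $DeviceClasses) {
            $classKey = Join-Path -Path $root -ChildPath $class
            if (-not (Test-Path -Path $classKey)) { continue }
            foreach ($device in Get-ChildItem -Path $classKey) {
                [pscustomobject]@{
                    Class         = $class
                    DeviceName    = $device.PSChildName
                    ServiceObject = (Get-ItemProperty -Path $device.PSPath).'(default)'
                    RegistryKey   = $classKey
                }
            }
        }
    }
}

function Test-OposDeviceName {
    # Returns $true when the name from the hardware profile exists for that device class.
    param([string]$Class, [string]$Name)
    $found = @(Get-OposDevice | Where-Object { $_.Class -eq $Class -and $_.DeviceName -eq $Name })
    return ($found.Count -gt 0)
}

Get-OposDevice | Sort-Object Class, DeviceName | Format-Table -AutoSize
```

Run it on each register (or remotely with Invoke-Command) and compare the output with the Device name fields of the hardware profile that the register uses; a register that returns no rows for a class has no service object registered for that device and will not be able to use it.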

Configure a terminal ID for specific registers

To enable payment processing and select devices, you must associate the hardware profile with each register.

1 Click Retail > Setup > POS > POS Registers.

2 Double-click the register to modify.

3 On the General tab, in the Hardware profile field, select the appropriate profile. Then, in the EFT POS register

number field, type one of the terminal IDs that you received from the payment provider.

Note: Some payment providers refer to electronic funds transfer (EFT) POS register numbers as terminal IDs.

However, in Retail POS, terminal ID refers to the terminal number that is shown on the General tab. The terminal

number and the EFT POS register number do not have to match, but both numbers must be unique for each

terminal.

4 Repeat steps 2 and 3 for other registers. When you have finished associating hardware profiles with registers,

close the form.

Set up payment methods for payment processing

Payment methods are the types of tender that the store accepts. In this case, the payment methods are credit cards

and debit cards. Card types are the specific credit cards that are accepted for a card tender type. For more

information about the steps in this procedure, see AX 2012 Help.

1 Click Retail > Setup > Payment methods > Payment methods.

2 On the toolbar, click New.


3 In the new row, type a unique number and description for the new payment method. Then, in the Default

function column, click the arrow, and select Card.

4 Close the form.

5 Click Retail > Setup > Payment methods > Card types.

6 On the toolbar, click New.

7 In the new row, type a unique ID and name for the new card type. Then, in the Card types column, click the

arrow, and select the appropriate option.

8 While the new row is still selected, click Card number.

9 Create a verification mask for the card type by entering the range of digits that all cards of this type begin with.

For example, Visa card numbers begin with 4. Therefore, to verify that cards that are accepted as the Visa card

type are really Visa cards, you can create a mask value of 4.

10 Close the Card number form.

11 Close the Card type form.

Enable tender types and card types for specific stores

1 Click Retail > Common > Retail channels > Retail stores.

2 Select a store, and then, on the Setup tab, click Payment methods.

3 On the toolbar, click New, and then, on the General tab, in the Payment method field, select a payment method.

The information for the selected payment method is filled in automatically.

4 While the row for the new payment method is still selected, click Card setup.

5 On the toolbar, click New, and then, in the Card ID field, select the card type for this payment method.

6 Select the new card setup, and then, on the General tab, select the Check expiration date check box.

7 Close the Card setup form.

8 Close the Payment method form.

9 Repeat steps 3 through 8 for any other payment methods for this store.

Send payment processing changes to the stores

Payment processing changes do not take effect until the associated scheduled jobs are run and the information that

is included in the jobs is sent down to the stores. This procedure describes how to run the jobs manually.

1 Click Retail > Periodic > Data distribution > Create actions. The preactions that were generated when you

changed the payment processing settings are converted into actions, or jobs.

2 Click Retail > Periodic > Data distribution > Distribution schedule.

3 To send down the payment processing and device settings in the hardware profile, select the 1090 Registers job,

and then click Run directly.

4 To send down the payment methods, card types, and card numbers, select the 1070 Stores and tenders job, and

then click Run scheduler job directly.


Test payment processing

You can test payment processing by processing card transactions in test mode.

1 In a register or store database, in the POSHARDWAREPROFILE table, change the value in the EFTTESTMODE column to 1. When you have finished testing, set the value back to 0 before the register is used for live sales.

2 Process a card transaction.

3 Verify that the transaction went through by visiting the Payment Services payment portal at

https://payments.dynamicsonline.com/Home/Dashboard.aspx.

Note: You can test payment processing only if Retail POS is running in production mode.

Store computers: Set up the password policy

Requirements 8.5.9 through 8.5.14 of the PCI Data Security Standard specify password and account security

regulations for people who have access to the payment application. To comply with these requirements, the

password policy on each store computer where Retail POS is installed must meet the minimum requirements that are

described in the following table.

Policy Security setting

Enforce password history 4 passwords remembered

Maximum password age 90 days

Minimum password length 7 characters

Password must meet complexity requirements Enabled

Account lockout duration 30 minutes

Account lockout threshold 6 invalid sign-in attempts

Notes:

● These policies meet the minimum requirements of Requirements 8.5.9 through 8.5.14 (numbered 8.1.6 through 8.1.8 and 8.2.3 through 8.2.5 in PCI DSS version 3.2). You can use more stringent settings.

● For more information about how to set up a Windows account for each store user, see the Microsoft Dynamics AX

2012 Upgrade Guide, which is available for download at http://go.microsoft.com/fwlink/?LinkID=221465.

1 Follow one of these steps, depending on the operating system that you are running:

● If you are running Windows Embedded POSReady 2009, click Start, click Control Panel, switch to Classic

View, double-click Administrative Tools, and then double-click Local Security Policy.

● If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server

2008, or Windows Server 2012, click Start, type Local Security Policy in the search box, and then press Enter.

2 Expand Account Policies, and then click Password Policy.

3 To modify a policy, right-click the policy, and then click Properties.


4 Click Account Lockout Policy.

5 To modify a policy, right-click the policy, and then click Properties.

Store computers: Set up password-protected screen savers

At each register, set up a screen saver that appears when the register is idle, and that requires that cashiers enter the

password for their Windows user account to regain access to Retail POS.

1 In the C:\Windows\System32 folder, locate the screen saver (.scr) file to use.

2 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server

2008 R2, Windows Server 2012, or Windows Server 2012 R2, click Start, type mmc in the search box, and then

press Enter.

3 On the File menu, click Add/Remove Snap-in.

4 Select Group Policy Object Editor, click Add, click Finish, and then click Close or OK.

5 Expand Local Computer Policy, expand User Configuration, expand Administrative Templates, expand

Control Panel, and then click Personalization (on Windows 7) or Display (on other operating systems).

6 Double-click Force specific screen saver (on Windows 7) or Screen Saver executable name (on other operating

systems), select Enabled, type the path and name of the screen saver (.scr) file that you selected in step 1, and

then click OK.

7 Double-click Password protect the screen saver, select Enabled, and then click OK.

8 Double-click Screen Saver timeout, select Enabled, type 900 or a smaller value, and then click OK.

Note: By completing this procedure on each computer in the store, you help satisfy Requirement 8.5.15 of the PCI Data Security Standard (Requirement 8.1.8 in PCI DSS version 3.2). According to this requirement, 900 seconds (15 minutes) is the maximum time that the register can be idle before it must be locked. You can specify a shorter time if you prefer.
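Both of the preceding procedures are click-through settings that drift, so a store with many registers needs a way to audit them. The following script is an added example and is not part of the Microsoft guide or of AX 2012. It exports the local security policy with secedit, compares the values with the password and lockout table above, reads the screen saver policy values from the registry, and prints each setting as pass or fail. It assumes that the screen saver settings were applied through Local Computer Policy (or a domain GPO), so they sit under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, and that no domain policy overrides the local password policy. Run it from an elevated PowerShell prompt (secedit /export needs administrator rights) while signed in as the account whose screen saver policy you want to check, and before the optional kiosk policies later in this section are applied, because they turn script execution off. It requires Windows PowerShell 3.0 or later.

```powershell
# Added example; this script is not part of the Microsoft guide or of AX 2012.
# It audits a store computer against the password and lockout table and the
# password-protected screen saver settings, and reports each setting as pass or fail.
# Run it from an elevated PowerShell prompt (secedit /export needs administrator rights)
# while signed in as the account whose screen saver policy you want to check.
# Assumption: the screen saver settings were applied through Local Computer Policy
# (or a domain GPO), so they sit under HKCU\Software\Policies\Microsoft\Windows\
# Control Panel\Desktop rather than the unmanaged Control Panel\Desktop key.

function Get-LocalSecurityPolicy {
    # secedit exports an INI-style file; the [System Access] section holds these values.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function New-Finding {
    param([string]$Check, [string]$Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-PasswordPolicy {
    $p = Get-LocalSecurityPolicy
    # A missing key fails every comparison. MaximumPasswordAge = -1 means "never expires"
    # and LockoutBadCount = 0 means "never lock out", so both are rejected explicitly.
    New-Finding 'Enforce password history'  '4 or more'      $p.PasswordHistorySize   ($p.PasswordHistorySize -ge 4)
    New-Finding 'Maximum password age'      '1-90 days'      $p.MaximumPasswordAge    ($p.MaximumPasswordAge -ge 1 -and $p.MaximumPasswordAge -le 90)
    New-Finding 'Minimum password length'   '7 or more'      $p.MinimumPasswordLength ($p.MinimumPasswordLength -ge 7)
    New-Finding 'Password complexity'       'Enabled'        $p.PasswordComplexity    ($p.PasswordComplexity -eq 1)
    New-Finding 'Account lockout threshold' '1-6 attempts'   $p.LockoutBadCount       ($p.LockoutBadCount -ge 1 -and $p.LockoutBadCount -le 6)
    # LockoutDuration = -1 is "until an administrator unlocks", which is at least as strict.
    New-Finding 'Account lockout duration'  '30 min or more' $p.LockoutDuration       ($p.LockoutDuration -eq -1 -or $p.LockoutDuration -ge 30)
}

function Test-ScreenSaverPolicy {
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null when the key is absent
    $scr = [string]$p.'SCRNSAVE.EXE'                                  # "Force specific screen saver"
    $secure = [string]$p.ScreenSaverIsSecure                          # "Password protect the screen saver" writes "1"
    $timeout = 0                                                      # "Screen Saver timeout", seconds stored as REG_SZ
    [void][int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout)
    New-Finding 'Force specific screen saver'       'existing .scr path' $scr     ($scr -ne '' -and (Test-Path -Path $scr))
    New-Finding 'Password protect the screen saver' '1'                  $secure  ($secure -eq '1')
    New-Finding 'Screen saver timeout'              '1-900 seconds'      $timeout ($timeout -ge 1 -and $timeout -le 900)
}

function Test-StoreComputerBaseline {
    # Prints the findings and returns $true only when every setting meets the baseline.
    $findings = @(Test-PasswordPolicy) + @(Test-ScreenSaverPolicy)
    $findings | Format-Table -AutoSize | Out-Host
    $failed = @($findings | Where-Object { -not $_.Pass })
    if ($failed.Count -gt 0) {
        Write-Warning ('{0} setting(s) are below the baseline; fix them before the register takes card payments.' -f $failed.Count)
    }
    return ($failed.Count -eq 0)
}

Test-StoreComputerBaseline
```

The checks are deliberately one-sided: a stricter value (a longer history, a shorter maximum age, a longer lockout) passes, which matches the note above that more stringent settings are allowed. If the store computers are domain-joined, the effective password policy comes from the domain and secedit shows the merged result, so run the audit on the register itself rather than reading the GPO.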

Store computers: Turn off System Restore

System Restore is a Windows feature that restores your computer’s system files to the state that they were in at an

earlier time. However, the restore points that this feature saves are not considered secure by the PCI Security

Standards Council.

1 On the Start menu, right-click Computer, and then click Properties.

2 Click System protection.

3 Select the C: drive, click Configure, select Turn off system protection, and then click OK.


Store computers: Turn off Internet Explorer Automatic Crash

Recovery

The Automatic Crash Recovery (ACR) feature of Internet Explorer can help prevent the loss of work and productivity

in the unlikely event that the browser stops responding. However, data that this feature saves for a crash recovery is

not considered secure by the PCI Security Standards Council.

1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server

2008 R2, Windows Server 2012, or Windows Server 2012 R2, click Start, type Internet Explorer in the search box,

and then press Enter.

2 On the Tools menu, click Internet options.

3 On the Advanced tab, in the Browsing section, clear the Enable automatic crash recovery check box, click OK,

and then close the browser window.

In AX 2012, set up Payment services in Accounts receivable

1 Click Accounts receivable > Setup > Payment > Payment services.

2 In the Payment services form, click New, and then, in the Payment service field, enter a name for the payment

service.

3 In the Payment connector field, select Dynamics Payment Connector.

4 Under Payment service account, enter the following information:

● In the Merchant account ID field, enter the merchant account ID that you received from the payment

provider.

● In the Service account ID field, enter the service account ID that you received from the payment provider.

● In the Microsoft account field, enter the same Microsoft account email address that was used to set up the

merchant account in Customer Portal.

● In the Microsoft account password field, enter the password for the Microsoft account.

● In the Supported currencies field, enter currency codes for the currencies that the payment service supports.

Separate the currency codes by semicolons, without using spaces. For example, enter USD;CAD.

● In the Supported payment methods field, enter the payment methods that the payment service accepts.

Separate the payment methods by semicolons, without spaces. For example, enter

Visa;AmericanExpress;Debit.

Note: Information is entered automatically in the Assembly name, Environment, Portal URL, and Public key

fields. AX 2012 automatically generates the public key to encrypt the data that is sent to the payment service.

5 Copy the contents of the Public key field.

6 Sign in to Customer Portal by using your Microsoft account email address and password.

7 Under Organization settings, click User management, and then, in the New group, click System User.

8 In the Public key field, enter the public key that you copied in step 5, and then click Save.

9 In the User management list, click the first name or last name of the system user that you created in step 8, and

then click Edit.


10 Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button

to add the role to the Selected Roles list, and then click Save.

11 Sign out of Customer Portal.

12 In AX 2012, in the Payment services form, click Validate.

AX 2012 confirms that the validation is successful.

13 Click Credit card types, and then add all the credit cards that you accept.

In Dynamics AX 2012, set up Payment services in online stores

1 Click Retail > Retail channels > Online stores.

2 Select an online store, and then, on the Action Pane, click Edit.

3 On the Payment accounts FastTab, in the Connectors field, select Dynamics Payment Connector.

4 Click Add, and then, under Details, enter the following information:

● In the Merchant account ID field, enter the merchant account ID that you received from the payment

provider.

● In the Service account ID field, enter the service account ID that you received from the payment provider.

● In the Microsoft account field, enter the same Microsoft account email address that was used to set up the

merchant account in Customer Portal.

● In the Microsoft account password field, enter the password for the Microsoft account.

● In the Supported currencies field, enter currency codes for the currencies that the payment service supports.

Separate the currency codes by semicolons. For example, enter USD;CAD.

● In the Supported payment methods field, enter the payment methods that the payment service accepts.

Separate the payment methods by semicolons.

Note: Information is entered automatically in the Assembly name, Environment, Portal URL, and Public key

fields. AX 2012 automatically generates the public key to encrypt the data that is sent to the payment service.

5 Copy the contents of the Public key field.

6 Sign in to Customer Portal by using your Microsoft account email address and password.

7 Under Organization settings, click User management, and then, in the New group, click System User.

8 In the Public key field, enter the public key that you copied in step 5, and then click Save.

9 In the User management list, click the first name or last name of the system user that you created in step 8, and

then click Edit.

10 Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button

to add the role to the Selected Roles list, and then click Save.

11 Sign out of Customer Portal.


Store computers: Set up group policies to enable a kiosk session

(optional)

We recommend that you apply the following restrictions for Retail POS users:

● Restrict access to Control Panel.

● Restrict access to removable drives.

● Restrict access to command shells, such as Command Prompt and PowerShell.

● Restrict access to application management.

The following group policies can help you enable a kiosk mode session. You can adjust these policies to fit your requirements. Before you set up a kiosk, assess any security implications, or talk to a specialist. In particular, the first row of the table (Enable screen saver, Disabled) turns the screen saver off for the user, which conflicts with the password-protected screen saver that the Store computers: Set up password-protected screen savers section requires; keep the password-protected screen saver in effect on registers.

Setting State Comment Path

Enable screen saver Disabled No \Control Panel\Personalization

Allow DFS roots to be published Disabled No \Shared Folders

Allow shared folders to be

published

Disabled No \Shared Folders

Add Search Internet link to Start

Menu

Disabled No \Start Menu and Taskbar

Show Quick Launch on Taskbar Disabled No \Start Menu and Taskbar

Show the Apps view automatically

when the user goes to Start

Disabled No \Start Menu and Taskbar

Show “Run as different user”

command on Start

Disabled No \Start Menu and Taskbar

Add the Run command to the Start

Menu

Disabled No \Start Menu and Taskbar

Show Start on the display the user

is using when they press the

Windows logo key

Disabled No \Start Menu and Taskbar

Show Windows Store apps on the

taskbar

Disabled No \Start Menu and Taskbar

Turn off shell protocol protected

mode

Disabled No \Windows Components\File

Explorer

Turn on menu bar by default Disabled No \Windows Components\Internet

Explorer

Page 27: PA-DSS implementation guide - mbs. · PDF file... Set up database logging 13 At the head office: Enable SQL Server trace logging 14 ... PA-DSS implementation guide 8 ... 2012, Windows

PA-DSS implementation guide 27

Setting State Comment Path

Turn on Script Execution Disabled No \Windows Components\Windows

PowerShell

Hide the “Add a program from CD-

ROM or floppy disk” option

Enabled No \Control Panel\Add or Remove

Programs

Hide the “Add programs from

Microsoft” option

Enabled No \Control Panel\Add or Remove

Programs

Hide the “Add programs from your

network” option

Enabled No \Control Panel\Add or Remove

Programs

Hide Add New Programs page Enabled No \Control Panel\Add or Remove

Programs

Remove Add or Remove Programs Enabled No \Control Panel\Add or Remove

Programs

Hide the Set Program Access and

Defaults page

Enabled No \Control Panel\Add or Remove

Programs

Hide Change or Remove Programs

page

Enabled No \Control Panel\Add or Remove

Programs

Go directly to Components Wizard Enabled No \Control Panel\Add or Remove

Programs

Remove Support Information Enabled No \Control Panel\Add or Remove

Programs

Hide Add/Remove Windows

Components page

Enabled No \Control Panel\Add or Remove

Programs

Disable the Display Control Panel Enabled No \Control Panel\Display

Hide Settings tab Enabled No \Control Panel\Display

Prevent changing color scheme Enabled No \Control Panel\Personalization

Prevent changing theme Enabled No \Control Panel\Personalization

Prevent changing visual style for

windows and buttons

Enabled No \Control Panel\Personalization

Prohibit selection of visual style

font size

Enabled No \Control Panel\Personalization

Prevent changing color and

appearance

Enabled No \Control Panel\Personalization


| Setting | State | Comment | Path |
|---|---|---|---|
| Prevent changing desktop background | Enabled | No | \Control Panel\Personalization |
| Prevent changing desktop icons | Enabled | No | \Control Panel\Personalization |
| Prevent changing mouse pointers | Enabled | No | \Control Panel\Personalization |
| Prevent changing screen saver | Enabled | No | \Control Panel\Personalization |
| Prevent changing sounds | Enabled | No | \Control Panel\Personalization |
| Prevent addition of printers | Enabled | No | \Control Panel\Printers |
| Prevent deletion of printers | Enabled | No | \Control Panel\Printers |
| Hide “Set Program Access and Computer Defaults” page | Enabled | No | \Control Panel\Programs |
| Hide “Get Programs” page | Enabled | No | \Control Panel\Programs |
| Hide “Installed Updates” page | Enabled | No | \Control Panel\Programs |
| Hide “Programs and Features” page | Enabled | No | \Control Panel\Programs |
| Hide the Programs Control Panel | Enabled | No | \Control Panel\Programs |
| Hide “Windows Features” | Enabled | No | \Control Panel\Programs |
| Hide “Windows Marketplace” | Enabled | No | \Control Panel\Programs |
| Turn off automatic learning | Enabled | No | \Control Panel\Regional and Language Options\Handwriting personalization |
| Hide Regional and Language Options administrative options | Enabled | No | \Control Panel\Regional and Language Options |
| Hide and disable all items on the desktop | Enabled | No | \Desktop |
| Remove the Desktop Cleanup Wizard | Enabled | No | \Desktop |
| Hide Internet Explorer icon on desktop | Enabled | No | \Desktop |
| Remove Computer icon on the desktop | Enabled | No | \Desktop |
| Remove My Documents icon on the desktop | Enabled | No | \Desktop |


| Setting | State | Comment | Path |
|---|---|---|---|
| Hide Network Locations icon on desktop | Enabled | No | \Desktop |
| Remove Properties from the Computer icon context menu | Enabled | No | \Desktop |
| Remove Properties from the Documents icon context menu | Enabled | No | \Desktop |
| Do not add shares of recently opened documents to Network Locations | Enabled | No | \Desktop |
| Remove Recycle Bin icon from desktop | Enabled | No | \Desktop |
| Remove Properties from the Recycle Bin context menu | Enabled | No | \Desktop |
| Don’t save settings at exit | Enabled | No | \Desktop |
| Turn off Aero Shake window minimizing mouse gesture | Enabled | No | \Desktop |
| Prevent adding dragging dropping and closing the Taskbar’s toolbars | Enabled | | |
| Prohibit adjusting desktop toolbars | Enabled | No | \Desktop |
| Force Start to be either full screen size or menu size | Enabled | No | \Start Menu and Taskbar |
| Go to the desktop instead of Start when signing in | Enabled | No | \Start Menu and Taskbar |
| Turn off personalized menus | Enabled | No | \Start Menu and Taskbar |
| Lock the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Turn off notification area cleanup | Enabled | No | \Start Menu and Taskbar |
| Remove Balloon Tips on Start Menu items | Enabled | No | \Start Menu and Taskbar |
| Prevent users from customizing their Start Screen | Enabled | No | \Start Menu and Taskbar |
| Remove common program groups from Start Menu | Enabled | No | \Start Menu and Taskbar |


| Setting | State | Comment | Path |
|---|---|---|---|
| Remove Favorites menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Search link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove frequent programs list from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Games link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Help menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Turn off user tracking | Enabled | No | \Start Menu and Taskbar |
| Remove All Programs list from the Start menu | Enabled | No | \Start Menu and Taskbar |
| Remove Network Connections from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove pinned programs list from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Do not keep history of recently opened documents | Enabled | No | \Start Menu and Taskbar |
| Remove Recent Items menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Do not use the search-based method when resolving shell shortcuts | Enabled | No | \Start Menu and Taskbar |
| Do not use the tracking-based method when resolving shell shortcuts | Enabled | No | \Start Menu and Taskbar |
| Remove Run menu from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Default Programs link from the Start menu | Enabled | No | \Start Menu and Taskbar |
| Remove Documents icon from Start Menu | Enabled | No | \Start Menu and Taskbar |


| Setting | State | Comment | Path |
|---|---|---|---|
| Remove Music icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Network icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Pictures icon from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Do not search communications | Enabled | No | \Start Menu and Taskbar |
| Remove Search Computer link | Enabled | No | \Start Menu and Taskbar |
| Remove See More Results / Search Everywhere link | Enabled | No | \Start Menu and Taskbar |
| Do not search for files | Enabled | No | \Start Menu and Taskbar |
| Do not search Internet | Enabled | No | \Start Menu and Taskbar |
| Do not search programs and Control Panel items | Enabled | No | \Start Menu and Taskbar |
| Remove programs on Settings menu | Enabled | No | \Start Menu and Taskbar |
| Prevent changes to Taskbar and Start Menu Settings | Enabled | No | \Start Menu and Taskbar |
| Remove Downloads link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Homegroup link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Recorded TV link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove user’s folders from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Videos link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Force classic Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Clock from the system notification area | Enabled | No | \Start Menu and Taskbar |
| Prevent grouping of taskbar items | Enabled | No | \Start Menu and Taskbar |


| Setting | State | Comment | Path |
|---|---|---|---|
| Do not display any custom toolbars in the taskbar | Enabled | No | \Start Menu and Taskbar |
| Remove access to the context menus for the taskbar | Enabled | No | \Start Menu and Taskbar |
| Hide the notification area | Enabled | No | \Start Menu and Taskbar |
| Prevent users from uninstalling applications from Start | Enabled | No | \Start Menu and Taskbar |
| Remove user folder link from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove user name from Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove links and access to Windows Update | Enabled | No | \Start Menu and Taskbar |
| Remove the “Undock PC” button from the Start Menu | Enabled | No | \Start Menu and Taskbar |
| Remove Notifications and Action Center | Enabled | No | \Start Menu and Taskbar |
| Disable showing balloon notifications as toasts | Enabled | No | \Start Menu and Taskbar |
| Remove the Security and Maintenance icon | Enabled | No | \Start Menu and Taskbar |
| Remove the networking icon | Enabled | No | \Start Menu and Taskbar |
| Remove the battery meter | Enabled | No | \Start Menu and Taskbar |
| Remove the volume control icon | Enabled | No | \Start Menu and Taskbar |
| Turn off feature advertisement balloon notifications | Enabled | No | \Start Menu and Taskbar |
| Do not allow pinning Store app to the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Do not allow pinning items in Jump Lists | Enabled | No | \Start Menu and Taskbar |
| Do not allow pinning programs to the Taskbar | Enabled | No | \Start Menu and Taskbar |


| Setting | State | Comment | Path |
|---|---|---|---|
| Do not display or track items in Jump Lists from remote locations | Enabled | No | \Start Menu and Taskbar |
| Turn off automatic promotion of notification icons to the taskbar | Enabled | No | \Start Menu and Taskbar |
| Lock all taskbar settings | Enabled | No | \Start Menu and Taskbar |
| Prevent users from adding or removing toolbars | Enabled | No | \Start Menu and Taskbar |
| Prevent users from rearranging toolbars | Enabled | No | \Start Menu and Taskbar |
| Do not allow taskbars on more than one display | Enabled | No | \Start Menu and Taskbar |
| Turn off all balloon notifications | Enabled | No | \Start Menu and Taskbar |
| Remove pinned programs from the Taskbar | Enabled | No | \Start Menu and Taskbar |
| Prevent users from moving taskbar to another screen dock location | Enabled | No | \Start Menu and Taskbar |
| Prevent users from resizing the taskbar | Enabled | No | \Start Menu and Taskbar |
| Turn off taskbar thumbnails | Enabled | No | \Start Menu and Taskbar |
| Remove Task Manager | Enabled | No | \System\Ctrl+Alt+Del Options |
| Code signing for device drivers | Enabled | No | \System\Driver Installation |
| Turn off Windows Update device driver search prompt | Enabled | No | \System\Driver Installation |
| Disallow selection of Custom Locales | Enabled | No | \System\Locale Services |
| Disallow changing of geographic location | Enabled | No | \System\Locale Services |
| Disallow user override of locale settings | Enabled | No | \System\Locale Services |
| CD and DVD: Deny read access | Enabled | No | \System\Removable Storage Access |
| CD and DVD: Deny write access | Enabled | No | \System\Removable Storage Access |
| Floppy Drives: Deny read access | Enabled | No | \System\Removable Storage Access |


| Setting | State | Comment | Path |
|---|---|---|---|
| Floppy Drives: Deny write access | Enabled | No | \System\Removable Storage Access |
| Removable Disks: Deny read access | Enabled | No | \System\Removable Storage Access |
| Removable Disks: Deny write access | Enabled | No | \System\Removable Storage Access |
| All Removable Storage classes: Deny all access | Enabled | No | \System\Removable Storage Access |
| Tape Drives: Deny read access | Enabled | No | \System\Removable Storage Access |
| Tape Drives: Deny write access | Enabled | No | \System\Removable Storage Access |
| WPD Devices: Deny read access | Enabled | No | \System\Removable Storage Access |
| WPD Devices: Deny write access | Enabled | No | \System\Removable Storage Access |
| Prevent access to the command prompt | Enabled | No | \System |
| Prevent access to registry editing tools | Enabled | No | \System |
| Prevent the wizard from running | Enabled | No | \Windows Components\Add features to Windows 10 |
| Turn off Program Compatibility Assistant | Enabled | No | \Windows Components\Application Compatibility |
| Search, Share, Start, Devices and Settings don’t appear when the mouse is pointing to the upper-right corner of the screen | Enabled | No | \Windows Components\Edge UI |
| Disable help tips | Enabled | No | \Windows Components\Edge UI |
| Turn off tracking of app usage | Enabled | No | \Windows Components\Edge UI |
| Do not show recent apps when the mouse is pointing to the upper-left corner of the screen | Enabled | No | \Windows Components\Edge UI |
| Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X | Enabled | No | \Windows Components\Edge UI |


| Setting | State | Comment | Path |
|---|---|---|---|
| Turn off switching between recent apps | Enabled | No | \Windows Components\Edge UI |
| Turn on or off details pane | Enabled | No | \Windows Components\File Explorer\Explorer Frame Pane |
| Turn off Preview Pane | Enabled | No | \Windows Components\File Explorer\Explorer Frame Pane |
| Do not display the Welcome Center at user logon | Enabled | No | \Windows Components\File Explorer |
| Turn on Classic Shell | Enabled | No | \Windows Components\File Explorer |
| Remove CD Burning features | Enabled | No | \Windows Components\File Explorer |
| Remove DFS tab | Enabled | No | \Windows Components\File Explorer |
| Hide these specified drives in My Computer | Enabled | No | \Windows Components\File Explorer |
| No Entire Network in Network Locations | Enabled | No | \Windows Components\File Explorer |
| Remove File menu from File Explorer | Enabled | No | \Windows Components\File Explorer |
| Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon | Enabled | No | \Windows Components\File Explorer |
| Remove Hardware tab | Enabled | No | \Windows Components\File Explorer |
| Hides the Manage item on the File Explorer context menu | Enabled | No | \Windows Components\File Explorer |
| Remove Shared Documents from My Computer | Enabled | No | \Windows Components\File Explorer |
| Remove “Map Network Drive” and “Disconnect Network Drive” | Enabled | No | \Windows Components\File Explorer |
| Remove the Search the Internet “Search again” link | Enabled | No | \Windows Components\File Explorer |


| Setting | State | Comment | Path |
|---|---|---|---|
| Remove Security tab | Enabled | No | \Windows Components\File Explorer |
| Remove Search button from File Explorer | Enabled | No | \Windows Components\File Explorer |
| Remove File Explorer’s default context menu | Enabled | No | \Windows Components\File Explorer |
| Prevent access to drives from My Computer | Enabled | No | \Windows Components\File Explorer |
| Turn off Windows+X hotkeys | Enabled | No | \Windows Components\File Explorer |
| No Computers Near Me in Network Locations | Enabled | No | \Windows Components\File Explorer |
| Request credentials for network installations | Enabled | No | \Windows Components\File Explorer |
| Prevent users from adding files to the root of their Users Files folder | Enabled | No | \Windows Components\File Explorer |
| Turn off Accelerators | Enabled | No | \Windows Components\Internet Explorer\Accelerators |
| File menu: Disable closing the browser and Explorer windows | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable Save As... menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable Save As Web Page Complete | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable New menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| File menu: Disable Open menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove ‘Send Feedback’ menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove ‘For Netscape Users’ menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |


| Setting | State | Comment | Path |
|---|---|---|---|
| Help menu: Remove ‘Tip of the Day’ menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Help menu: Remove ‘Tour’ menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off Shortcut Menu | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Hide Favorites menu | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Disable Open in New Window menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off Print Menu | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off the ability to launch report site problems using a menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Disable Save this program to disk option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Tools menu: Disable Internet Options... menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| View menu: Disable Full Screen menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| View menu: Disable Source menu option | Enabled | No | \Windows Components\Internet Explorer\Browser menus |
| Turn off Developer Tools | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Turn off toolbar upgrade tool | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Hide the Command bar | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Hide the status bar | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Disable customizing browser toolbars | Enabled | No | \Windows Components\Internet Explorer\Toolbars |


| Setting | State | Comment | Path |
|---|---|---|---|
| Disable customizing browser toolbar buttons | Enabled | No | \Windows Components\Internet Explorer\Toolbars |
| Turn off add-on performance notifications | Enabled | No | \Windows Components\Internet Explorer |
| Do not allow users to enable or disable add-ons | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Advanced page settings | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Favorites bar | Enabled | No | \Windows Components\Internet Explorer |
| Prevent per-user installation of ActiveX controls | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Reopen Last Browsing Session | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Tab Grouping | Enabled | No | \Windows Components\Internet Explorer |
| Prevent managing the phishing filter | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Managing SmartScreen Filter for Internet Explorer 8 | Enabled | No | \Windows Components\Internet Explorer |
| Prevent managing SmartScreen Filter | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the Security Settings Check feature | Enabled | No | \Windows Components\Internet Explorer |
| Enforce full-screen mode | Enabled | No | \Windows Components\Internet Explorer |
| Disable Import/Export Settings wizard | Enabled | No | \Windows Components\Internet Explorer |
| Prevent Internet Explorer Search box from appearing | Enabled | No | \Windows Components\Internet Explorer |
| Turn off Quick Tabs functionality | Enabled | No | \Windows Components\Internet Explorer |


| Setting | State | Comment | Path |
|---|---|---|---|
| Turn off tabbed browsing | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Automatic Configuration settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Temporary Internet files settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Calendar and Contact settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing certificate settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing default browser check | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing color settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing connection settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing font settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing language settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing link color settings | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Messaging settings | Enabled | No | \Windows Components\Internet Explorer |
| Prevent managing pop-up exception list | Enabled | No | \Windows Components\Internet Explorer |
| Turn off pop-up management | Enabled | No | \Windows Components\Internet Explorer |
| Disable changing Profile Assistant settings | Enabled | No | \Windows Components\Internet Explorer |
| Prevent changing proxy settings | Enabled | No | \Windows Components\Internet Explorer |


| Setting | State | Comment | Path |
|---|---|---|---|
| Disable changing ratings settings | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the auto-complete feature for web addresses | Enabled | No | \Windows Components\Internet Explorer |
| Turn off suggestions for all user-installed providers | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the quick pick menu | Enabled | No | \Windows Components\Internet Explorer |
| Search: Disable Find Files via F3 within the browser | Enabled | No | \Windows Components\Internet Explorer |
| Search: Disable Search Customization | Enabled | No | \Windows Components\Internet Explorer |
| Turn off ability to pin sites in Internet Explorer on the desktop | Enabled | No | \Windows Components\Internet Explorer |
| Turn off the offer to update to the latest version of Windows | Enabled | No | \Windows Components\Store |
| Turn off the Store application | Enabled | No | \Windows Components\Store |
| Prohibit New Task Creation | Enabled | No | \Windows Components\Task Scheduler |

Part 2: Features that facilitate PCI compliance

This part of the guide describes some of the features in AX 2012 that facilitate merchant compliance with the PCI Data Security Standard.

Protect stored cardholder data

AX 2012 provides the following capabilities to help protect cardholder data:

● For the storage of cardholder data:
    ● AX 2012 does not store sensitive authentication data.
    ● AX 2012 does not store PANs.
    ● AX 2012 stores truncated PANs (the last four digits) and cardholder names.


● For the display of cardholder data:
    ● Retail Modern POS and Retail Enterprise POS display masked PANs (the first six and last four digits) on the following pages:
        ● Payment screen
        ● Sales receipt
    ● The AX 2012 client displays cardholder names, truncated PANs (the last four digits), and expiration dates in the following forms:
        ● Accounts receivable – Customer credit cards form
        ● Call center – Enter customer payment information form

Audit logging

Logging of PCI-relevant activity at the register is automatic. For more information, see Monitor Retail POS activity, later in this guide.

Provide secure authentication features

AX 2012 provides the following secure authentication features.

Store user names, passwords, and authentication

● Stores and cashiers have no administrative access, and no access to reports. They have access to card numbers only when a card is swiped.
● Users of AX 2012 are subject to AD DS security policies. Therefore, users of AX 2012 are subject to the same password policy as domain users.
● Employee user names and passwords are set up in the Retail module of AX 2012. Only approved AX 2012 users have access to these features.
● AX 2012 does not provide any default accounts or passwords. Instead, a unique user name and password are required for every user, even the user who sets up the software.
● Customers and integrators/resellers must comply with PA-DSS Requirements 3.1.1 through 3.1.11 when they manage authentication credentials and create strong authentication for all application-level and user accounts that have administrative access, and all accounts that have access to cardholder data, as follows:
    ● PA-DSS Requirement 3.1.1: You must not use any default administrative accounts for AX 2012.
    ● PA-DSS Requirement 3.1.2: You must enforce the changing of all default application passwords for all accounts that are generated or managed. This requirement applies to all accounts, such as user accounts, application and service accounts, and accounts that the vendor uses for support purposes.
    ● PA-DSS Requirement 3.1.3: You must assign unique IDs for user accounts.
    ● PA-DSS Requirement 3.1.4: You must use a user name and password to authenticate every user.
    ● PA-DSS Requirement 3.1.5: You must not require or use any group, shared, or generic accounts and passwords.


    ● PA-DSS Requirement 3.1.6: You must require that passwords meet the following standards:
        ● They must have a minimum length of seven characters.
        ● They must contain both numeric and alphabetic characters.
        ● Alternatively, passwords/phrases must have complexity and strength that is at least equivalent to the preceding parameters.
    ● PA-DSS Requirement 3.1.7: You must require changes to user passwords at least one time every 90 days.
    ● PA-DSS Requirement 3.1.8: You must require that new passwords differ from the last four passwords that the user used.
    ● PA-DSS Requirement 3.1.9: You must limit repeated access attempts by locking out user accounts after no more than six sign-in attempts.
    ● PA-DSS Requirement 3.1.10: You must set the lockout duration to a minimum of 30 minutes, or until an administrator enables the user ID.
    ● PA-DSS Requirement 3.1.11: If a payment application session has been idle for more than 15 minutes, AX 2012 must require that the user reauthenticate to reactivate the session.
● Activities that are related to setting up new employees, deleting employees, and changing employee user names or passwords are logged. For more information, see Monitor AX 2012 activity, later in this guide.
● When cashiers sign in to Retail POS at the store, their employee user names and passwords are securely authenticated by either Real-time Service or Synch Service, depending on employee settings. Cashier passwords are always hashed (obscured).
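The rules in PA-DSS Requirements 3.1.6 through 3.1.11 are short to state but easy to get subtly wrong in an authentication layer: a lockout that never expires, password history compared in plaintext, or an idle timeout that does not actually force a fresh sign-in. The following Python block is an added example, not code from this guide or from AX 2012, that implements those rules as a small account state machine using the guide's own thresholds. The account model, the salted PBKDF2 hashing and the user name, passwords and timestamps are all constructed for the example; the guide only says cashier passwords are hashed and does not describe how.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds exactly as the guide lists them.
MIN_LENGTH = 7                              # 3.1.6
MAX_PASSWORD_AGE = timedelta(days=90)       # 3.1.7
HISTORY_DEPTH = 4                           # 3.1.8
MAX_FAILED_ATTEMPTS = 6                     # 3.1.9
LOCKOUT_DURATION = timedelta(minutes=30)    # 3.1.10
IDLE_TIMEOUT = timedelta(minutes=15)        # 3.1.11


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is an assumption; the guide only says cashier passwords are hashed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, current password last
    password_set_at: datetime = None
    failed_attempts: int = 0
    locked_until: datetime = None   # None: not locked
    last_activity: datetime = None  # None: no active session


def password_problems(candidate: str, history: list) -> list:
    """Rules a proposed password breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("3.1.6: fewer than 7 characters")
    if not (any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate)):
        problems.append("3.1.6: needs both numeric and alphabetic characters")
    for salt, digest in history[-HISTORY_DEPTH:]:   # 3.1.8: compare hashes, never plaintext
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("3.1.8: matches one of the last four passwords")
            break
    return problems


def create_account(user_id: str, password: str, now: datetime) -> Account:
    problems = password_problems(password, [])
    if problems:
        raise ValueError(problems)
    salt = os.urandom(16)
    return Account(user_id, [(salt, hash_password(password, salt))], password_set_at=now)


def change_password(acct: Account, new_password: str, now: datetime) -> list:
    problems = password_problems(new_password, acct.history)
    if not problems:
        salt = os.urandom(16)
        acct.history = (acct.history + [(salt, hash_password(new_password, salt))])[-HISTORY_DEPTH:]
        acct.password_set_at = now
    return problems


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return "ok" or the reason sign-in was refused (3.1.7, 3.1.9, 3.1.10)."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until, acct.failed_attempts = None, 0      # 30 minutes have elapsed
    salt, digest = acct.history[-1]
    if not hmac.compare_digest(hash_password(password, salt), digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad password"
    acct.failed_attempts = 0
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "password expired"   # right password, but 3.1.7 forces a change before use
    acct.last_activity = now
    return "ok"


def admin_unlock(acct: Account) -> None:
    """3.1.10: an administrator may re-enable the user ID before the 30 minutes pass."""
    acct.locked_until, acct.failed_attempts = None, 0


def session_is_active(acct: Account, now: datetime) -> bool:
    """3.1.11: more than 15 idle minutes ends the session; the user must authenticate again."""
    if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None
        return False
    acct.last_activity = now
    return True


def demo() -> list:
    """Walk one constructed cashier account through the rules; returns the outcomes in order."""
    t0 = datetime(2017, 1, 1, 9, 0)                              # constructed timestamp
    acct = create_account("cashier01", "Summer2017", t0)         # constructed sample credential
    out = [authenticate(acct, "wrong-guess", t0) for _ in range(6)]      # 5 refusals, then lockout
    out.append(authenticate(acct, "Summer2017", t0 + timedelta(minutes=10)))  # still locked
    out.append(authenticate(acct, "Summer2017", t0 + timedelta(minutes=31)))  # lockout elapsed
    out.append(session_is_active(acct, t0 + timedelta(minutes=40)))           # 9 idle minutes
    out.append(session_is_active(acct, t0 + timedelta(minutes=60)))           # 20 idle minutes
    out.append(change_password(acct, "Summer2017", t0 + timedelta(days=1)))   # reuse refused
    out.append(change_password(acct, "Winter2017", t0 + timedelta(days=1)))   # accepted
    out.append(authenticate(acct, "Winter2017", t0 + timedelta(days=92)))     # 91 days old
    return out
```

Two design points are worth noting. The history check works only on stored salted hashes, so the system never needs the old plaintext passwords to enforce 3.1.8, and the lockout is evaluated before the password is checked, so a locked account gives the same answer to a correct and an incorrect password and leaks nothing about which one was tried.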

Set up a new store user (manager or cashier) in AX 2012

1 Click Retail > Common > Workers.

2 Click Hire new worker, and then type the new cashier’s name.

3 Enter information about the employee on the tabs, as required.

4 In the Worker form, click the Retail link, and then select a layout ID and a language for the employee.

5 In the Employment type field, select Cashier, and then, in the Name on receipt field, type a name.

6 In the Password field, type the employee’s password.

7 Click POS permissions, and then select a position for the cashier.

Important: When you set up Windows user accounts for employees, and when you set up employee accounts in AX 2012, you must use a “least privilege” approach. In other words, you must grant employees only those privileges that they require to perform their duties. For example, although trusted management personnel might require Administrator privileges on store computers, employee sign-in accounts must belong to a group that does not have these privileges.

For more information about user accounts for employees, see the Microsoft Dynamics AX 2012 Upgrade Guide, which is available for download at http://go.microsoft.com/fwlink/?LinkID=221465.


Data storage and deletion

Several requirements in the PCI Data Security Standard are related to the protection of sensitive cardholder data. These requirements call for the safe storage, encryption, and removal of cardholder information, such as magnetic stripe data, card validation codes (CVCs)/Card Verification Values (CVVs), PINs, and PIN blocks. In particular, Requirements 1.3 and 1.3.4 prohibit the storage of cardholder data on servers that are connected to the Internet. The database server cannot also be a web server.

AX 2012 helps merchants comply with the requirements of the PCI Data Security Standard that are related to data storage and retention in the following ways:

● PANs are not retained. Therefore, no periodic purging is required. This behavior helps satisfy Requirement 3.1 of the PCI Data Security Standard.
● Sensitive authentication data is never retained, cannot be reproduced from within the program, and is not available in log files or debug files.
● Credit card numbers are tokenized and secured by the connector for Payment Services, and are never sent to AX 2012 as plain text. Tokens expire 120 days after the last time they were used.
● Card numbers are truncated after authorization, so that only the last four digits remain. Card numbers on both printed and journaled receipts are always truncated.
● Like this release of AX 2012, the previous release (Microsoft Dynamics AX for Retail) did not retain any sensitive authentication data. Compliance with Requirement 3.2 of the PCI Data Security Standard does not require the removal of historical data.
● Because cardholder data is not retained, no encryption is required. Therefore, periodic deletion of the encryption key is not required. This behavior helps satisfy Requirement 3.6 of the PCI Data Security Standard.

Versioning methodology

The Microsoft Dynamics AX versioning methodology consists of three elements that are grouped into a major and minor version.

● The first two elements define the major version:
    a A four-digit year, which is determined by the last year that the application received a significant feature update.
    b A release number, which consists of an “R” and then up to two numeric digits for the release number. The release number is based on the current release number that is being validated.
● The third element is the minor version, which represents a minor change. The minor version number consists of “CU” (which stands for “Cumulative Update”) and then up to two numeric digits.

All elements are separated by spaces.

For Microsoft Dynamics AX 2012 R3 CU11, the versions are as follows:

● 2012 R3 is the major version. The application received its last significant feature update in 2012, and this release is the third release.
● CU11 is the minor version. In this case, the cumulative update is for the eleventh minor change.


The values in the versioning methodology are incremented as follows:

● Major – The value is incremented when there is a major release and a new PA-DSS validation.
● Minor – The value is incremented when there are new hotfix updates that are not related to security or PA-DSS.

No wildcards are used in the versioning methodology.
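A patch-management or compliance script that reads the installed version needs to recognise this scheme exactly and, in particular, tell a major change (a new PA-DSS validation applies) from a minor one. The following Python block is an added example, not code from this guide or from AX 2012, that parses the "<year> R<n> CU<n>" form described above, rejects anything outside it (wildcards, missing elements, more than two digits), and classifies the move between two versions. The function and class names are choices made for the example.

```python
import re
from typing import NamedTuple

# Grammar from the versioning methodology: four-digit year, "R" plus up to two digits, "CU" plus
# up to two digits, single spaces between elements. The anchors reject wildcards and trailing text.
_VERSION_RE = re.compile(r"^(?P<year>\d{4}) R(?P<release>\d{1,2}) CU(?P<update>\d{1,2})$")


class AxVersion(NamedTuple):
    year: int      # major version, first element
    release: int   # major version, second element
    update: int    # minor version

    @property
    def major(self) -> tuple:
        return (self.year, self.release)

    def label(self) -> str:
        return f"{self.year} R{self.release} CU{self.update}"


def parse_version(text: str) -> AxVersion:
    """Parse "2012 R3 CU11" into its elements; raise ValueError for anything outside the scheme."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Dynamics AX version string: {text!r}")
    return AxVersion(int(m["year"]), int(m["release"]), int(m["update"]))


def is_valid_version(text: str) -> bool:
    return _VERSION_RE.match(text.strip()) is not None


def change_kind(installed: str, candidate: str) -> str:
    """Classify moving from one version to another. "major" means the major version changed and,
    per the guide, a new PA-DSS validation applies; "minor" means only the cumulative update
    number changed; "downgrade" means the candidate is older than what is installed."""
    old, new = parse_version(installed), parse_version(candidate)
    if new == old:
        return "none"
    if new < old:                 # tuple order: year, then release, then update
        return "downgrade"
    return "major" if new.major != old.major else "minor"
```

Because the elements are ordered year, release, update, plain tuple comparison gives the right ordering, and a deployment check can refuse a downgrade or flag a major change for re-validation without any further parsing.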

Data transmissions

All AX 2012 transmissions of cardholder data, whether over a private network or a public network, are secured by the use of TLS 1.2. This behavior helps satisfy Requirement 4.1 of the PCI Data Security Standard.

AX 2012 does not allow or facilitate the transmission of PANs via email or other end-user messaging technologies. Any such transmission that occurs must be encrypted to satisfy Requirement 4.2 of the PCI Data Security Standard.

Important:

● Strong cryptography and security protocols must be used for data transmission over public networks.

● Only trusted keys and/or certificates can be accepted.

● You must use only secure versions and secure implementations of security protocols.

● You must prevent fallback to an insecure version or configuration. (For example, if TLS is used, the application

must not allow fallback to Secure Sockets Layer [SSL]).

● You must use appropriate encryption strength for the encryption methodology.
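A defender-side check for the no-fallback requirement above, added here as an example and not part of the guide: this PowerShell script reads the Windows SCHANNEL protocol keys and the .NET Framework SchUseStrongCrypto setting on an AX 2012 computer and reports every protocol that is not in the expected state. The expected-state table (only TLS 1.2 enabled, everything older explicitly disabled) and the registry paths are this example's assumptions about a Windows host; run it in an elevated PowerShell session.

```powershell
# Added example, not from the guide: audit the SCHANNEL protocol settings of an
# AX 2012 computer so that TLS 1.2 is the only protocol offered and no fallback
# to SSL 2.0/3.0 or TLS 1.0/1.1 is possible. Assumptions: Windows host using
# SCHANNEL; the expected-state table below reflects the guide's requirement.

$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected state per protocol: $true = must be enabled, $false = must be disabled.
$expected = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [ValidateSet('Server', 'Client')] [string] $Side = 'Server'
    )
    $key = Join-Path $protocolRoot "$Protocol\$Side"
    $enabled = $null; $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.Enabled)           { $enabled = ([int]$props.Enabled -ne 0) }
        if ($null -ne $props.DisabledByDefault) { $disabledByDefault = ([int]$props.DisabledByDefault -ne 0) }
    }
    # $null means "not explicitly configured": Windows applies its built-in default
    # for that OS version, which is not an explicit no-fallback configuration.
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
}

function Test-AxTlsConfiguration {
    # One finding per protocol and side. Compliant = $false means action is needed.
    foreach ($protocol in ($expected.Keys | Sort-Object)) {
        foreach ($side in 'Server', 'Client') {
            $state = Get-SchannelProtocolState -Protocol $protocol -Side $side
            $explicitlyDisabled = ($state.Enabled -eq $false) -or ($state.DisabledByDefault -eq $true)
            $explicitlyEnabled  = ($state.Enabled -eq $true) -and ($state.DisabledByDefault -ne $true)
            $compliant = if ($expected[$protocol]) { $explicitlyEnabled } else { $explicitlyDisabled }
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = $state.Enabled
                DisabledByDefault = $state.DisabledByDefault
                Expected          = if ($expected[$protocol]) { 'Enabled' } else { 'Disabled' }
                Compliant         = $compliant
            }
        }
    }
}

# The AX client, AOS and Retail components are .NET applications; without
# SchUseStrongCrypto = 1 the .NET Framework may negotiate an older protocol.
function Test-DotNetStrongCrypto {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $value; Compliant = ($value -eq 1) }
    }
}

$findings = @(Test-AxTlsConfiguration) + @(Test-DotNetStrongCrypto)
$findings | Format-Table -AutoSize
$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) setting(s) do not meet the TLS 1.2-only requirement; see the table above."
}
```

A protocol whose key is absent is reported as non-compliant on purpose: the guide asks for fallback to be prevented, and relying on an OS default is not an explicit setting that survives an OS or patch-level change.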


Payment data flow diagrams

Flow of payment data in Retail Modern POS when the full integration model is used

Figure 1 shows the flow of payment data in Retail Modern POS when the full integration model is used.

Figure 1 (diagram not reproduced). Components: Retail Modern POS with its Payment Connector, Retail Hardware Station with its Payment Connector (AS7 PA-DSS), the Retail Modern POS offline database (SQL), Dynamics AX Retail Server, the Retail Channel Database (SQL), and the Payment Gateway (not in scope) reached over the Internet. Labelled flows: 1a/1b, track and PIN via swipe or EMV, or PAN, name, expiry and card validation codes/values manually input; 2a/2b, PAN, name, track and PIN via HTTPS (AES256 TLS 1.2), token returns; 2a/2b, token, no CHD, to Retail Modern POS; 3a, token, no CHD, to Retail Server and the Retail Channel Database; 3b, token, no CHD, to the offline database, only during offline.

Details

1 Retail Modern POS, which includes Retail Hardware Station, receives cardholder data through the following channels:

a For Retail Modern POS:

● Track or track-equivalent data via PIN pad for card-present credit transactions

● PIN-based transactions via PIN pad for debit transactions

● PAN, expiration date, and CVCs/CVVs that are manually entered via the POS user interface


b For Retail Hardware Station:

● Track or track-equivalent data via PIN pad for card-present credit transactions

● PIN-based transactions via PIN pad for debit transactions

2 Retail Modern POS, which includes Retail Hardware Station, processes a payment transaction in one of the following ways:

a Retail Modern POS creates authorization requests and sends them to a payment gateway (AES256 TLS 1.2) via a payment connector. The payment connector is provided by the third-party payment solution provider and is installed on the same computer. Authorization requests include track or track-equivalent data, PIN blocks, PANs, expiry information, and CVCs/CVVs. Retail Modern POS receives an authorization reply that includes a card token and a transaction approval message.

b Retail Hardware Station creates authorization requests and sends them to a payment gateway (AES256 TLS 1.2) via a payment connector. The payment connector is provided by a third-party payment solution provider and is installed on the same computer. Authorization requests include track or track-equivalent data, PIN blocks, PANs, expiry information, and CVCs/CVVs. Retail Hardware Station receives an authorization reply that includes the truncated PAN (first six and last four digits), card token, and transaction approval message. Retail Hardware Station then forwards the truncated PAN, card token, and transaction approval message to Retail Modern POS.

3 One of the following events occurs:

a From Retail Modern POS, the card token, cardholder name, and truncated PAN are sent back to Microsoft Dynamics AX Retail Server. Retail Server stores only the last four digits of the truncated PAN in the retail channel database.

b If Retail Server cannot be reached, the last four digits of the truncated PAN, and the card token, are stored in the Retail Modern POS offline database. After the connection is restored, the truncated PAN and card token are sent to the Retail Server and stored in the retail channel database, and the data is deleted from the Retail Modern POS offline database.


Flow of payment data in Retail Modern POS when the semi-integrated model is used

Figure 2 shows the flow of payment data in Retail Modern POS when the semi-integrated model is used.

Figure 2 (diagram not reproduced). Components: the same as in Figure 1 (Retail Modern POS and Retail Hardware Station with their Payment Connectors, AS7 PA-DSS, the Retail Modern POS offline database, Dynamics AX Retail Server, the Retail Channel Database, and the Payment Gateway, not in scope, reached over the Internet) plus the PIN pad. Labelled flows: 1a/1b, make a payment (from Retail Modern POS or Retail Hardware Station to the PIN pad); 1a/1b, track, name and PIN via swipe or EMV, or PAN, expiry and card validation codes/values manually input, sent by the PIN pad to the Payment Gateway, token returns; 1a/1b, token, no CHD; 2a/2b, token, no CHD, to Retail Modern POS; 3a, token, no CHD, to the Retail Channel Database; 3b, token, no CHD, to the offline database, only during offline.


Details

1 Either Retail Modern POS (1a) or Retail Hardware Station (1b) sends the payment request to the PIN pad that is asking for a payment. No cardholder data is involved at this point. The PIN pad asks for the payment through the following channels:

● Track or track-equivalent data for card-present credit transactions, which include EMV

● PIN-based transactions for debit

● PAN, expiry information, and CVCs/CVVs that are manually entered via PIN pad

The PIN pad sends the authorization request to a payment gateway (AES256 TLS 1.2) and receives the authorization reply that has no cardholder data. Authorization requests include track or track-equivalent data, PIN blocks, PANs, expiry information, and CVCs/CVVs.

2 The PIN pad truncates the PAN, and sends the truncated PAN (first six and last four digits), card token, and transaction approval message directly to Retail Modern POS (2a), or to Retail Hardware Station, which forwards the data to Retail Modern POS (2b).

3 One of the following events occurs:

a From Retail Modern POS, only the card token and truncated PAN are sent back to Retail Server. Retail Server stores only the card token and truncated PAN (last four digits) in the retail channel database.

b If Retail Server cannot be reached, the truncated PAN (last four digits) and card token are stored in the Retail Modern POS offline database. After the connection is restored, the truncated PAN, cardholder name, and card token are sent back to Retail Server and stored in the retail channel database, and the data is deleted from the Retail Modern POS offline database.


Flow of payment data in Retail Enterprise POS when the semi-integrated model is used

Figure 3 shows the flow of payment data in Retail Enterprise POS when the semi-integrated model is used.

Figure 3 (diagram not reproduced). Components: Retail Enterprise POS, the PIN pad, the Retail Channel Database (SQL), and the Payment Gateway (not in scope) reached over the Internet. Labelled flows: 1, make a payment; 1, track, PIN and name via swipe or EMV, or PAN, name, expiry and card validation codes/values manually input, sent by the PIN pad to the Payment Gateway, token returns; 1, token, no CHD; 2, token, no CHD, to Retail Enterprise POS; 3, token, no CHD, to the Retail Channel Database.

Details

1 Retail Enterprise POS sends the payment request to the PIN pad that is asking for a payment. No cardholder data is involved at this point. The PIN pad asks for the payment through the following channels:

● Track or track-equivalent data for card-present credit transactions, which include EMV

● PIN-based transactions for debit

● PAN, expiry information, and CVCs/CVVs that are manually entered via PIN pad


The PIN pad sends the authorization request to a payment gateway (AES256 TLS 1.2) and receives the authorization reply. Authorization requests include track or track-equivalent data, PIN blocks, PANs, expiry information, and CVCs/CVVs.

2 The PIN pad sends the truncated PAN (first six and last four digits), card token, and transaction approval message to Retail Enterprise POS.

3 The card token, cardholder name, and truncated PAN (last four digits) are stored in the retail channel database.

Flow of payment data in Retail Enterprise POS when the full integration model is used

Figure 4 shows the flow of payment data in the Retail Enterprise POS when the full integration model is used.

Figure 4 (diagram not reproduced). Components: Retail Enterprise POS, the payment device, the Retail Channel Database, and the Payment Gateway (not in scope) reached over the Internet. Labelled flows: 1, make a payment; 2, track, name and PIN via swipe or EMV; 3, PAN, name, track and PIN via HTTPS to the Payment Gateway, token returns; 3, token, no CHD; 4, token, no CHD, to the Retail Channel Database.


Details

1 Retail Enterprise POS requests that a payment device make a payment.

2 The customer performs a card-present credit or debit transaction on a payment device that is connected to Retail Enterprise POS.

● Track or track-equivalent data for card-present credit transactions, which include EMV

● PIN-based transactions for debit

3 Retail Enterprise POS sends cardholder data (track or track-equivalent data, and PIN block) to the payment gateway (AES256 TLS 1.2) for authorization. Retail Enterprise POS receives an authorization response and a card token.

4 Retail Enterprise POS stores the card token, cardholder name, and truncated PAN (last four digits) in the retail channel database.

Flow of payment data in AX 2012 Accounts receivable and Call Center

Figure 5 shows the flow of payment data in Accounts receivable and Call Center.

Figure 5 (diagram not reproduced). Components: the Dynamics AX client with its Payment Connector, the Dynamics AX Application Object Server with its Payment Connector, the Dynamics AX Database (SQL), and the Payment Gateway (not in scope) reached over the Internet. Labelled flows: 1, PAN, name, expiry and card validation codes/values manually input, sent to the Payment Gateway, which returns a token or authorization reply; 1, token, no CHD; 2, token, no CHD, to the Application Object Server; 3, token, no CHD, to the Dynamics AX Database; 4, capture or void a payment with token.


Details

1 Cardholder data, which includes the PAN, name, expiration date, and CVV2, is entered manually in the AX 2012 client. The CVV2 is optional. The client sends cardholder data (which includes the PAN, name, expiration date, and CVV2) to the payment gateway’s payment accepting website for payment authorization and/or tokenization.

2 The client receives a card token and an authorization reply from the payment gateway, and sends the card token and truncated PAN (last four digits) to the AX 2012 Application Object Server (AOS) service.

3 The card token, cardholder name, and truncated PAN (the last four digits) are stored in the AX 2012 database.

4 The payment connector uses the card token and truncated PAN (last four digits) to perform other payment operations, such as void or capture.


Flow of payment data in an e-Commerce Sample Web Storefront

Figure 6 shows the flow of payment data in an e-Commerce Sample Web Storefront.

Figure 6 (diagram not reproduced; AS7 PA-DSS). Components: the E-Commerce browser client, the E-Commerce website, the Retail Channel Database (SQL), the Dynamics AX Application Object Server with its Payment Connector, the Dynamics AX Database (SQL), and the Payment Gateway (not in scope) reached over the Internet. Labelled flows: 1, PAN, name, expiry and card validation codes/values manually input, from the browser client to the website; 2, the same data from the website to the Payment Gateway, which returns a token or authorization reply; 2, token, no CHD; 3, token, no CHD, to the Retail Channel Database; 4, token, no CHD, to the Dynamics AX Database; 5, capture or void a payment with token.

Details

1 Cardholder data, which includes the PAN, name, expiration date, and CVCs/CVVs, is entered manually in an e-Commerce web client. CVCs/CVVs are optional. The e-Commerce web client sends cardholder data (which includes the PAN, name, expiration date, and CVCs/CVVs) to the e-Commerce website.

2 The e-Commerce website sends cardholder data (which includes the PAN, name, expiration date, and CVCs/CVVs) to a payment gateway for payment authorization and/or tokenization.

3 The e-Commerce website receives a card token and an authorization reply, and stores the card token, cardholder name, and truncated PAN (last four digits) in the retail channel database for the e-Commerce website.

4 The card token and truncated PAN (last four digits) are transmitted from the e-Commerce database to the AX 2012 database.

5 The payment connector uses the card token and truncated PAN (last four digits) to perform other payment operations, such as void or capture.

Part 3: Connection limitations

Internet connections

AX 2012 does not require a web server. A perimeter network, which is also known as a DMZ (demilitarized zone) and a screened subnet, can be used to separate the Internet from systems that transmit cardholder data. Cardholder data is never stored, even on the internal network and the perimeter network. The database server should never be on a web server, or on a perimeter network that contains a web server, and AX 2012 does not require these configurations. This behavior helps satisfy Requirement 1.3 of the PCI Data Security Standard.

Protect wireless connections

AX 2012 does not require or support wireless connections.

If wireless connections are part of the store’s local area network (LAN), even if they are not used with AX 2012, you must install a firewall and use compliant wireless settings, as described in Requirements 1.2.3, 2.1.1, 4.1.1, and 6.1 of the PCI Data Security Standard. Here are some specific requirements:

● Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control any traffic from the wireless environment into the cardholder data environment.

● Change wireless vendor default settings. These settings include, but are not limited to, default wireless encryption keys, passwords, and Simple Network Management Protocol (SNMP) community strings.

● Make sure that wireless device security settings are enabled for strong encryption technology for authentication and transmission.

● Use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

● Make sure that procedures for changing wireless encryption keys and passwords are followed whenever someone who has knowledge of the keys/passwords leaves the company or changes positions. These keys/passwords include SNMP strings.

● Make sure that you configure firewalls to deny traffic between the wireless environment and the cardholder data environment. If such traffic is required for business purposes, configure the firewalls to permit only authorized traffic between the environments.

Note: For new wireless implementations, implementation of Wired Equivalent Privacy (WEP) has been prohibited.


Important:

● Encryption keys must be changed from their default settings at installation. They must also be changed whenever someone who has knowledge of the keys leaves the company or changes positions.

● Default SNMP community strings on wireless devices must be changed.

● Default passwords/passphrases on access points must be changed.

● Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks.

● Other security-related default settings for the wireless vendor must be changed, if applicable.

Remote access

AX 2012 does not provide features that allow or facilitate remote connections into the payment environment, and Microsoft does not support such connections. If you choose to use a remote connection, you must use multi-factor authentication (user name and password, plus an additional authentication item, such as a token), as required by Requirement 8.3 of the PCI Data Security Standard.

If partners or resellers use remote access software, security features must be implemented and used. Here are some examples of remote access security features:

● Change default settings in the remote access software (for example, change default passwords, and use unique passwords for each user).

● Allow connections only from specific (known) IP/MAC addresses.

● Use strong authentication, and establish user password policies, according to Requirement 8 of the PCI Data Security Standard.

● Enable encrypted data transmission, according to Requirement 4.1 of the PCI Data Security Standard.

● Enable account lockout after a specific number of failed sign-in attempts, according to Requirement 8.5.13 of the PCI Data Security Standard.

● Configure the system so that a remote user must establish a virtual private network (VPN) connection via a firewall before access is allowed.

● Enable logging.

● Restrict access to user passwords to authorized reseller/integrator personnel.

Non-console administrative access

Non-console administrative access to AX 2012 is not supported and could prevent PCI compliance. If you choose to use non-console administrative access, you must implement and use multi-factor authentication and encrypt the connection by using Secure Shell (SSH), VPN, or TLS, as required by Requirement 2.3 of the PCI Data Security Standard.


Part 4: Audit logging

To comply with Requirement 10 of the PCI Data Security Standard, you must enable logging as described in the following sections of this guide:

● All computers: Prepare for monitoring of event logs

● All computers: Set up auditing of file access, object access, and audit policy changes

● At the head office: Set up database logging

You must monitor and manage the log files that are produced.

Monitor AX 2012 activity

At the head office, audit logged information according to the schedule that is described in Requirement 10 of the PCI Data Security Standard.

Note: Although the procedures in this section are related to Requirement 10 of the PCI Data Security Standard, they are beyond the scope of the PCI requirement because, in an implementation of AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the security of cardholder data. Therefore, the following procedures are included in this guide as optional best practices that help make organizational data more secure.

View information about user sign-in and user sign-out

View the user log in AX 2012 to see sign-in information for each authorized user.

1 Click System administration > Inquiries > Users > User log. The sign-in dates and times that are shown are also the dates and times when the log was initialized.

2 To view the date and time when a particular user signed out, select the sign-in event that you are interested in, and then click the General tab.

View the audit trail

Use the database log in AX 2012 to view changes to the tables that you selected for auditing, as described in At the head office: Set up database logging, earlier in this guide.

1 Click System administration > Inquiries > Database > Database log.

2 Select the record to view, and then click the History tab.


View the SQL Server trace log files

Monitor the SQL Server trace log files to see which users accessed the log files. Each entry in the trace log file includes the user who signed in to access data, the type of event, the specific database query that was used to access data (this information indicates whether data was read or modified), the date and time of access, the success or failure of the operation, the origination of the event (client application), and the identity or name of the resource (database table) that was accessed.

1 In SQL Server Management Studio, on the File menu, point to New, and then click Query with Current Connection.

2 In the right pane, type the following text. Replace C:\<path> with the actual location of the trace file and <date> with the date string of the correct trace file.

SELECT * FROM ::fn_trace_gettable('C:\<path>\pos_trace_pmt_<date>.trc', default)

3 On the Query menu, click Execute.

The results of the query provide the audit log.

Note: The SQL Server trace log files are saved in a secure location that only administrators can access. Typically, the path of the files is C:\Program Files\Microsoft SQL Server\<instance name>\MSSQL\Log.
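An added example (not the guide's own procedure) that automates steps 1 through 3 above for every pos_trace_pmt_*.trc file in the Log directory, using Invoke-Sqlcmd from the SqlServer PowerShell module against sys.fn_trace_gettable, the same function the query above calls: it lists who ran what, from where, and whether each operation failed or modified data. The instance name, the Log path, the one-day review window and the column selection are this example's assumptions.

```powershell
# Added example, not from the guide: review every pos_trace_pmt_*.trc file in the
# SQL Server Log directory with the same sys.fn_trace_gettable function the guide's
# query uses. Assumptions: the SqlServer module (Invoke-Sqlcmd) is installed, the
# instance name and Log path below are replaced with the real ones, and the
# reviewer wants a one-day window.

$instance = 'localhost'                                                        # placeholder: AX database instance
$logDir   = 'C:\Program Files\Microsoft SQL Server\<instance name>\MSSQL\Log'  # placeholder path from the guide

function Get-PosTraceFiles {
    param([string] $Directory = $logDir)
    Get-ChildItem -Path $Directory -Filter 'pos_trace_pmt_*.trc' -File | Sort-Object LastWriteTime
}

function Get-PosTraceEntries {
    param(
        [Parameter(Mandatory)] [string] $TraceFile,
        [string] $ServerInstance = $instance
    )
    # The columns map onto the information the guide says each trace entry carries:
    # LoginName (who), EventClass (event type), TextData (the statement),
    # StartTime (when), Success (outcome), HostName/ApplicationName (origin),
    # DatabaseName/ObjectName (resource). The path is an operator-supplied literal;
    # doubling single quotes keeps a quote in the path from breaking the statement.
    $literal = $TraceFile.Replace("'", "''")
    $query = @"
SELECT StartTime, LoginName, HostName, ApplicationName, EventClass, Success,
       DatabaseName, ObjectName, TextData
FROM sys.fn_trace_gettable(N'$literal', DEFAULT)
WHERE TextData IS NOT NULL AND StartTime IS NOT NULL
ORDER BY StartTime;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query -ErrorAction Stop
}

function Get-PosTraceReview {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    foreach ($file in Get-PosTraceFiles) {
        Get-PosTraceEntries -TraceFile $file.FullName |
            Where-Object { $_.StartTime -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    TraceFile = $file.Name
                    When      = $_.StartTime
                    Login     = $_.LoginName
                    Origin    = "$($_.HostName) / $($_.ApplicationName)"
                    Resource  = "$($_.DatabaseName).$($_.ObjectName)"
                    Succeeded = if ($_.Success -is [DBNull]) { $null } else { [int]$_.Success -ne 0 }
                    # A coarse read/modify split, which is what the guide's "whether data
                    # was read or modified" review question needs as a first filter.
                    Modifies  = [bool]([string]$_.TextData -match '^\s*(INSERT|UPDATE|DELETE|MERGE|ALTER|DROP|TRUNCATE)\b')
                    Statement = $_.TextData
                }
            }
    }
}

$review = @(Get-PosTraceReview)
"Trace entries per login in the review window:"
$review | Group-Object Login | Select-Object Name, Count | Format-Table -AutoSize
"Failed operations and data modifications (review each one):"
$review | Where-Object { $_.Succeeded -eq $false -or $_.Modifies } |
    Format-Table When, Login, Origin, Resource, Succeeded, Statement -AutoSize -Wrap
```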

Monitor Retail POS activity

Activity in Retail POS is logged in the AX.RetailTransactionTable table in the store or register offline database. This table provides logging of the events that must be monitored for PCI compliance. These events are as follows:

● Employee sign-in and sign-out

● Failed sign-in attempts

Note: The logging can be modified only at the head office, via changes to the functionality profile for each terminal. Confirm that Audit logging is still assigned to each functionality profile in the Functionality profile form (Retail > Setup > POS > Profiles > Functionality profiles).

Important: You should not disable logging. Otherwise, your system will not comply with the PCI Data Security Standard.

At the store, events are logged in the AX.RetailTransactionTable, AX.RetailAuthenticationLog, and AX.RetailLog tables. For each event in the table, the following information is logged:

● The type of event

● The date and time when the event occurred

● The origination of the event (store and terminal)

● For sign-in events, the ID of the cashier who signed in. This cashier is associated with all events after the sign-in event, until a sign-out event occurs.

Logged events in stores are transmitted to the central back office and stored in the RetailTransactionTable, RetailAuthenticationLog, and RetailLog tables.


In the back-office database, use a query in SQL Server Management Studio to view the RetailTransactionTable table. For each event in the table, the following information is logged:

● The type of event

● The date and time when the event occurred

● The origination of the event (store and terminal)

● For sign-in events, the ID of the cashier who signed in. This cashier is associated with all events after the sign-in event, until a sign-out event occurs.

Important: AX 2012 facilitates centralized logging by sending all audit logs to the central AX 2012 database. You must configure the P-Job to include the RetailAuthenticationLog and RetailLog tables.

Monitor event logs

You must monitor the event logs on every computer in the AX 2012 system. You can view Windows user sign-in and sign-out events, and other user management events, from the Windows event log. When access to files and system objects is audited, you can also use the event log to monitor access to the auditing files themselves.

The event log also shows initialization of the log file in AX 2012. This initialization is indicated by the event for AOS startup, because logging is turned on when the AOS service is running. The event is Event ID 149, “Object Server <server name>: Ready for operation.”

1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, click Start, type Event Viewer in the search box, and then press Enter.

2 If the Windows Logs folder is available, expand it, and then click Security.

Each event has a unique event ID, and Windows Event Viewer provides a filter tool that makes it easier to view occurrences of specific events. The following table identifies the event IDs that are logged, based on corresponding operations in Windows.

For each event, the following information is logged and can be viewed in Event Viewer:

● The Windows user account that was involved in the operation

● The type of event

● The date and time when the event occurred

● The success or failure of the operation

● The origination of the event

● The identity or name of any affected data, component, or resource

● The user group that a user was added to or removed from, if this information is appropriate

Operation                                              Event ID
(Windows Embedded POSReady 7, Windows 7, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2008 R2)

Logon attempt                                          4776
Logon success                                          4624
Logon failure                                          529, 535, 539
Logoff                                                 538
User password reset                                    4724
User account created                                   4720
User account disabled                                  4725
User account deleted                                   4726
User account added                                     4728
User account changed                                   4738
User account locked out                                4740
Member added to user group                             4732
Member removed from user group                         4733
Object access (update or deletion of monitored files)  None
File modified and saved                                4663
Audit policy changed                                   None
Domain policy changed                                  4739
Event Viewer Security log cleared                      1102
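An added example, not from the guide, that pulls the event IDs in the table above from the Security log with Get-WinEvent and summarises them for the Requirement 10 review, flagging the operations that should not wait for the scheduled review. The 24-hour window, the set of IDs flagged for immediate attention and the export path are this example's assumptions; run it in an elevated session on each AX 2012 computer.

```powershell
# Added example, not from the guide: pull the Security-log event IDs from the
# guide's table with Get-WinEvent and summarise them for the scheduled review.
# Assumptions: run elevated on each AX 2012 computer; 24-hour window; the IDs
# flagged for immediate attention and the export path are this example's choice.

# Event ID -> operation, as listed in the guide's table. A plain hashtable is used
# deliberately: an [ordered] dictionary would treat an integer index as a position.
$operationById = @{
    4776 = 'Logon attempt';               4624 = 'Logon success'
    529  = 'Logon failure';               535  = 'Logon failure';   539 = 'Logon failure'
    538  = 'Logoff';                      4724 = 'User password reset'
    4720 = 'User account created';        4725 = 'User account disabled'
    4726 = 'User account deleted';        4728 = 'User account added'
    4738 = 'User account changed';        4740 = 'User account locked out'
    4732 = 'Member added to user group';  4733 = 'Member removed from user group'
    4663 = 'File modified and saved';     4739 = 'Domain policy changed'
    1102 = 'Event Viewer Security log cleared'
}

# Events that should reach an administrator immediately rather than wait for the review.
$attention = 1102, 4740, 4720, 4726, 4739

# Placeholder for the access-restricted location the site uses for audit evidence.
$evidencePath = 'C:\AuditEvidence'

function Get-AxSecurityEvents {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # FilterHashtable is applied by the event log service, which is far cheaper than
    # reading the whole Security log and filtering in PowerShell.
    $filter = @{ LogName = 'Security'; Id = @($operationById.Keys); StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Operation   = $operationById[$_.Id]
            Computer    = $_.MachineName
            # The first line of the message names the action; the full text carries the
            # account, logon type and source address that the reviewer needs.
            Summary     = ($_.Message -split "`r?`n")[0]
            Message     = $_.Message
        }
    }
}

function Get-AxSecurityEventSummary {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-AxSecurityEvents -Since $Since | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            Id        = $id
            Operation = $operationById[$id]
            Count     = $_.Count
            Attention = ($attention -contains $id)
        }
    } | Sort-Object -Property @{ Expression = 'Attention'; Descending = $true },
                              @{ Expression = 'Count'; Descending = $true }
}

$summary = @(Get-AxSecurityEventSummary)
$summary | Format-Table -AutoSize
$summary | Where-Object Attention | ForEach-Object {
    Write-Warning "$($_.Count) x '$($_.Operation)' (event ID $($_.Id)) in the review window"
}

# Keep the full detail for the reviewer, in the restricted evidence location.
New-Item -ItemType Directory -Path $evidencePath -Force | Out-Null
Get-AxSecurityEvents | Export-Csv -Path (Join-Path $evidencePath 'ax-security-events.csv') -NoTypeInformation
```

A 1102 entry means the Security log was cleared on that computer, so the events the review depends on are gone from the local log; that is why the script flags it even when the count is one.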

Part 5: Software updates and support

Software updates

Updates to AX 2012 are not delivered via remote connection. Instead, updates are either downloaded from a secure website, at the merchant’s specific request, or installed from a CD. Software updates must not be downloaded via remote connection. The integrity of patches and updates is maintained via code signing of all releases of patch or update code.

Troubleshooting and support

AX 2012 does not enable the collection or storage of sensitive authentication data for troubleshooting purposes.

This section outlines the process that Microsoft and its Certified Partners must follow when an AX 2012 customer requires troubleshooting of a specific problem. This process is designed to help guarantee the security of sensitive information in the database (such as employee passwords and payment-related data) and helps satisfy Requirement 3.2 of the PCI Data Security Standard. Support personnel must collect only the limited amount of data that they require to solve the specific problem that is being reported.

The remaining paragraphs in this section describe the process that Microsoft support personnel and the AX 2012 product team follow. Microsoft Certified Partners must implement support processes and tools that have security measures in place. Here are some of these measures:

● Collect sensitive authentication data only when it is required in order to solve a specific problem.

● Store such data only in specific, known locations that have limited access.

● Collect only the limited amount of data that is required in order to solve a specific problem.

● Securely delete such data immediately after it is used.

● Encrypt sensitive authentication data while it is stored. (AX 2012 stores no sensitive data. Sensitive data refers to any data that might be stored via third-party add-ins or other sources.)

When a customer contacts Microsoft Technical Support, the support engineer creates a record of the issue and initiates an investigation. The product team then attempts to reproduce the issue on test databases and, if this step is required, by using test credit card accounts. If the issue cannot be reproduced on test databases, support personnel use one of the following processes, depending on the situation:

● Support personnel access the customer’s desktop.

● Support personnel obtain a copy of the store database. (The copy contains no sensitive cardholder data.)

● Support personnel travel to the customer’s place of business.

In all scenarios, access to the database is restricted to the following support personnel: Escalation Engineers, Support Escalation Engineers, Tech Leads, and Team or Service Delivery Managers.

Support personnel access the customer’s desktop

With the customer’s specific approval, a support engineer can use Microsoft Skype for Business to access the customer’s desktop and investigate the issue directly. The support engineer does not have access to the customer’s card number or card data.

Support personnel travel to the customer’s place of business

The support engineer investigates the issue on-site, and the customer’s data never leaves the store.

Distribution of hotfixes

When a resolution becomes available for a reported issue, a hotfix is released. Hotfixes are distributed via secure download from the Microsoft website at the customer’s specific request.


Appendix A: Version history

The following table summarizes the changes that have been made to this guide since it was originally published in January 2012. Each row records the update of this guide for the release of the listed product version.

Product version                      PA-DSS listing                Change date     PA-DSS version
Microsoft Dynamics AX 2012           Reference #: 12-01.00087.013  January 2012    2.0
Microsoft Dynamics AX 2012 R2        Reference #: 12-06.00087.014  September 2013  2.0
Microsoft Dynamics AX 2012 R3        Reference #: 14-01.00087.016  May 2014        2.0
Microsoft Dynamics AX 2012 R3 CU8    Reference #: 14-01.00087.017  October 2014    2.0
Microsoft Dynamics AX 2012 R3 CU8    Reference #: 14-01.00087.017  December 2015   2.0
Microsoft Dynamics AX 2012 R3 CU11   Pending                       January 2017    3.2


Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make business decisions with greater confidence. Microsoft Dynamics works like and with familiar Microsoft software, automating and streamlining financial, customer relationship, and supply chain processes in a way that helps you drive business success.

United States and Canada toll-free: (888) 477-7989

Worldwide: (1) (701) 281-6500

www.microsoft.com/dynamics

© 2017 Microsoft Corporation. All rights reserved.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

