Secure Suite 4 MICROS 3700 or 9700 PA-DSS Implementation … suite 4...Secure Suite 4 MICROS 3700 or...

Join us for treats Thursday, Month Day, at 3:00 p.m. in the kitchen.

PA-DSS Implementation Guide

Copyright © 2019 Shift4 Payments, LLC. All rights reserved.

Secure Suite 4 MICROS 3700 or 9700

Secure Suite 4 MICROS 3700 or 9700 PA-DSS Implementation Guide

© 2019 Shift4 Payments, LLC. All rights reserved. Version 1.8 External Use NDA Page 2 of 28

Copyright Notice Shift4 Payments 1491 Center Crossing Road Las Vegas, NV 89144 702.597.2480

www.shift4.com [email protected]

Document Title: Secure Suite 4 MICROS 3700 or 9700 PA-DSS Implementation Guide

Publication Date: 01/15/2019

Copyright © 2019 Shift4 Payments, LLC. All rights reserved worldwide. *Universal Transaction Gateway® (UTG)®, Lighthouse Transaction Manager, 4Go®, i4Go®, and 4Word® are covered by one or more of the following U.S. Pat. Nos.: 7770789; 7841523; 7891563; 8328095; 8688589; 8690056; 9082120; 9256874; 9495680. All trademarks, service marks, product names, and logos are the property of their respective owners. Shift4 Payments may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give any license to these patents, trademarks, copyrights, or other intellectual property except as expressly provided in any written license agreement from Shift4 Payments. All graphics are property of Shift4 Payments. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without prior written permission of Shift4 Payments. The contents of this publication are the property of Shift4 Payments. Shift4 Payments reserves the right to revise this document and to periodically make changes to the content thereof without any obligation or notification to any organization of such revisions or changes unless required to do so by prior written agreement. Notice of Confidentiality This document contains information that is proprietary to Shift4 Payments. It carries the Shift4 Payments classification “External Use NDA.” It is provided for the sole purpose of specifying instructions for Shift4 Payments products. The recipient agrees to maintain this information in confidence and not reproduce or otherwise disclose this information. Please refer to the signed Bilateral Non-Disclosure and Confidentiality Agreement for additional agreements and expectations. Notice to Governmental End Users

If any Shift4 Payments product is acquired under the terms of a Department of Defense contract: use, duplication, or disclosure by the US Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of 252.227.7013. Civilian agency contract: use, reproduction, or disclosure is subject to 52.227-19 (a) through (d) and restrictions set forth in the accompanying end user agreement. Unpublished rights reserved under the copyright laws of the United States.




WARNING! Shift4 Payments must be held harmless for loss or compromise of cardholder data if the user disables or otherwise makes configuration state changes to the Shift4 Payments technology or integrated third party payment application that are not specified in the certification letter. In addition, any ability to store cardholder data subsequent to the initial authorization, encrypted or not, must be disabled in all locations.

Security Best Practices While Shift4 Payments products provide ironclad security of cardholder data when properly configured, there are other security best practices that must be enforced by the merchant to ensure cardholder data security. Review the following merchant responsibilities and refer to the PCI Security Standards Council web site at www.pcisecuritystandards.org for more information.

WARNING! This section must not be construed as a roadmap or guide to PCI DSS compliance. See the PCI Security Council web site at www.pcisecuritystandards.org for complete guidelines.

Environmental Requirements for Installing or Upgrading Payment Applications Before installing payment applications in your environment, you must ensure you are installing applications on clean hard disk drives with no latent files occupying unallocated free space.

If you are installing a payment application on a repurposed system or hard disk drive, you should first take steps to ensure the system is clean. There are several tools available for this purpose.

WARNING! Some of those system cleaning tools will erase everything, including the operating system.

http://www.pcisecuritystandards.org/

http://www.pcisecuritystandards.org/



Host System Guidelines From a security best practices perspective, Shift4 Payments recommends the following guidelines be followed in a Windows environment:

• The paging [swap] file must be set to a static size and the minimum and maximum sizes must be manually configured to be the same size.

Note: After configuring the paging [swap] file, Shift4 Payments recommends securely cleaning up your free space. This ensures any sensitive data stored by other applications used prior to, or in conjunction with Shift4 Payments' products is removed. There are several products available for this purpose.

Although paging is a normal process performed by the Windows operating system, it can be oconsidered a security risk if not properly controlled.

Windows security prevents users from logging in and browsing the page file, but there is nothing oto stop a user from booting an alternate operating system to circumvent Windows security and browse the page file.

• Memory dump files must be disabled.

An attacker could invoke an abnormal termination of the payment application or the host osystem, perhaps with a buffer-overflow attack or with a simple request for the system to output a full memory dump, and can scan the crash dump files for sensitive data that would normally be encrypted. Tools such as Windows memory image toolkits, which may include aeskeyfind or rsakeyfind utilities, will also output any encryption keys if found in memory.

As memory dumps are part of an operating system’s design, it’s unlikely that a security update owould fix or prevent this type of attack.

While it is unlikely the dump file will be needed to diagnose an error and restore the system, the odump file may also contain unencrypted PAN and sensitive authentication data.

• Hibernation must be disabled.

Hibernation is a power-saving state designed for workstations and laptops. Hibernation captures oeverything in memory (RAM) and writes it to your hard disk as the hiberfil.sys file when the system goes to sleep. If you have 1GB of memory, the hiberfil.sys will be about 1GB. Like swap files, hibernation files may contain a significant amount of sensitive information.

Sleep is also a power-saving state that allows a computer to quickly resume full-power operation o(typically within several seconds) when you want to start working again. Putting your computer into the sleep state is like pausing a DVD player - the computer immediately stops what it is doing and is ready to start again when you want to resume working.

The difference between sleep and hibernation is sleep puts your work and settings in memory oand draws a small amount of power, and hibernation puts your open documents and programs on your hard disk and then turns off your computer.

Hybrid sleep is a combination of sleep and hibernate - it puts any open documents and programs oin memory and on your hard disk and then puts your computer into a low-power state so that you can quickly resume your work. That way, if a power failure occurs, Windows can restore your



work from your hard disk. When hybrid sleep is turned on, putting your computer into sleep automatically puts your computer into hybrid sleep. Hybrid sleep is typically turned on by default on desktop computers.

Once again, any time data is written to disk there is a risk that latent data is permanently left obehind.

• Restore points must be disabled on all relevant platforms.

System Restore is a Windows feature that helps you undo changes made to a computer’s ooperating system files. The restore process attempts to return the computer to a saved configuration from an earlier point in time.

When a computing system is restored to an earlier state, important updates such as new oantimalware definitions and security patches may be removed. You may also rollback an otherwise compliant payment application to a vulnerable state.

Networking Guidelines Secure Suite 4 MICROS 3700 or 9700 must be installed in a trusted network segment, not the DMZ, to avoid exposing data to corruption or theft. Shift4 Payments recommends that all servers and stations be located on a dedicated subnet and protected from the Internet by a firewall.

Wireless Implementations Shift4 Payments recommends avoiding the use of wireless networks because they are generally less secure than wired networks. However, in the event that wireless networks must be used, the following guidelines are recommended to ensure compliance with PCI DSS Requirement 4.1.1:

1. Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use strong encryption. This can be achieved by using WPA2/AES instead of WPA. Never use WEP.

2. Change the default service set identifier (SSID) on the wireless router.

3. Configure your wireless router to never broadcast the SSID.

4. Use static, RFC 1918 and RFC 4193 compliant IP addresses on all wireless nodes.

5. Enable MAC address filtering on the wireless router to guard against IP spoofing.

6. Set up the wireless router’s access control list (ACL) to whitelist only the wireless nodes (IP and MAC address pairs) that are allowed to connect. Deny connection requests by all others.

7. All other wireless access points not part of the payment system must be logically segregated from the cardholder trusted network segment by a firewall.

Remote Access Never install hardware or software that is not required, such as remote access mechanisms. If it must be installed, remote access to the cardholder data environment (CDE), which includes the payment application, must be restricted to only those individuals that require access to do their job. Remote access to the CDE must also be authenticated with multi-factor authentication in accordance with PCI DSS Requirement 8.3. Ensure all remote users have unique user names and passwords. Remote access activity by vendors and contractors must be monitored. Deactivate their user accounts when not in use in accordance with PCI DSS 12.3.9.



System Privileges Administrative access is required to install all Shift4 Payments products in the Shift4 branch of the installation directory, with “directory create” permissions, “file change” permissions, and complete “read/write” permissions for the HKEY_LOCAL_MACHINE\SOFTWARE\Shift4 Corporation folder in the Registry.

Default Passwords Passwords for user accounts must be strong strings of at least seven alphanumeric characters, which is the PCI DSS minimum. Eight or more characters with numbers, a mix of uppercase and lowercase letters, and special characters would be considered a strong password. Never use dictionary words or the user name for passwords. Refer to PCI DSS Requirement 8.2 for all password minimum security standards. Do not use vendor-provided, default passwords. Doing so will render your system vulnerable and violate PCI DSS Requirement 2.

Log Data PCI DSS Requirement 10 requires that all log data be retained for a minimum of 12 months. Configure all log settings to ensure compliance. It may be necessary to incorporate an offline storage procedure (tape, DVD, etc.) to reduce the amount of disk space used to store log data and still comply with the PCI DSS logging requirement.

Prior Data Sanitization All files retaining sensitive cardholder data must be deleted after Secure Suite 4 MICROS 3700 or 9700 has been successfully installed and configured. Most of the sensitive information is found in old log files and journals. The logging and journal features in the system must also be modified to prevent the creation of new, non-secure records. Once the logging features are disabled, Secure Suite 4 MICROS 3700 or 9700 creates new, secure records of card-processing activity.

File Integrity Monitoring The PCI DSS Requirement 11.5 states: Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Appendix A - 3700 and Appendix B - 9700 of this document are designed to provide the necessary Secure Suite 4 MICROS 3700 or 9700 file information to set up file integrity monitoring in compliance with PCI DSS standards.

Please see the applicable appendix for a complete list of the currently installed files by the Secure Suite 4 MICROS installer.

System-Level Object Logging (PA-DSS Requirement 4.2.7)

PA-DSS requirement 4.2.7: A payment application must provide an audit trail to reconstruct the following events: Creation and deletion of system-level objects within or by the application.

A system-level object is defined as anything on a system component that is required for its operation, including but not limited to application executable and configuration files, system configuration files, static and shared libraries & DLL‹s, system executables, device drivers and device configuration files, and added third-party components.

An Audit Trail or Audit Log, is defined as a chronological record of system activities. It provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.



In order to meet this requirement it is necessary to set up auditing for the “Everyone” Group on the objects detailed in the File Integrity Monitoring Section.

Server 2003 R2

To enable Object Access Auditing:

1. Click Start, point to Administrative Tools, and then click Local Security Policy.

2. Select Local Policies. 3. In the console tree, click Audit Policy.

o Security Settings/Local Policies/Audit Policy

4. In the results pane, double-click Audit object access.

5. Select the Success check box.

To apply auditing policy settings for a local file or folder

1. Open Windows Explorer.

2. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.

3. Click Advanced, and then click the Auditing tab.

4. Click Add. In Enter the object name to select, type “Everyone”, and then click OK.

5. In the Apply onto box, click the location where you want auditing to take place.

6. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:

To audit activity on a registry key:

1. Open Registry Editor.



2. Click the key you want to audit.

3. On the Edit menu, click Permissions.

4. Click Advanced, and then click the Auditing tab.

5. Type Everyone.

6. Under Access, select or clear the Successful and Failed check boxes for the activities that you want to audit or to stop auditing:

File created by user in application directory event



File deleted by user in application directory event chain



PA-DSS Requirements and Responsibility Matrix The following matrix represents your guide to PA-DSS implementation.

WARNING! This matrix must not be construed as a road map to PCI DSS or PA-DSS compliance or a guarantee that Shift4 Payments will render a merchant PCI DSS or PA-DSS compliant.

PA-DSS Requirement Responsible Party Details

1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data

Aligns with PCI DSS Requirement 3.2

Shift4 Payments

The Shift4 Driver ensures that magnetic stripe, CVV2, and PIN block data are deleted from memory after processing and cannot be recovered.

Merchant

The merchant is responsible for deleting any sensitive authentication data that was stored by MICROS prior to installation of the Shift4 Driver utilizing the Shift4 Secure Wipe Tool: Shred and Delete Utility.

Shred and Delete can be run from Start > Programs > Shift4 Corporation > Secure Suite 4 MICROS [3700 or 9700] > Shred & Delete Utility or it can be downloaded from:

www.shift4.com/downloads/shredanddelete.exe

1.1.5. Do not store sensitive authentication data on vendor systems. If any sensitive authentication data (pre-authorization data) must be used for debugging or troubleshooting purposes…


Shift4 Payments

When debugging and/or troubleshooting an issue for a merchant, Shift4 Payments Customer Service will direct the merchant to email the application trace file to [email protected].

The trace file does not contain sensitive authentication data and/or cardholder data because that information is not written to the trace file by Shift4 Payments applications.

Local operating procedures require the deletion of all trace files when closing a support case because the data is no longer needed.

mailto:[email protected]




2.1 Software vendor must provide guidance to customers regarding secure deletion of cardholder data after expiration of customer-defined retention period.


N/A

The Shift4 Driver does not store post-authorization cardholder data. All cardholder data is maintained in Shift4 Payments’ PCI DSS compliant data center and is automatically purged based on customer-defined data retention policies.

2.2 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.


N/A The Shift4 Driver masks the PAN in the log files to the last 4 digits by replacing the preceding characters with X.

2.3 Render PAN unreadable anywhere it is stored, including data on portable digital media, backup media, and in logs…


Shift4 Payments

The Shift4 Driver masks the PAN in the log files to the last 4 digits by replacing the preceding characters with X.

2.4 Payment application must protect keys used to secure cardholder data against disclosure and misuse.


N/A The Shift4 Driver does not store post-authorization cardholder data.

2.5 Payment application must implement key management processes and procedures for cryptographic keys used for encryption of cardholder data.



2.6 Provide a mechanism to render irretrievable any cryptographic key material or cryptogram stored by previous versions of the payment application…






3.1 The payment application must support and enforce the use of unique user IDs and secure authentication for all administrative access and for all access to cardholder data…

Aligns with PCI DSS Requirements 8.1 and 8.2

N/A

The Shift4 Driver does not generate or manage user accounts for authentication within the application. All Authentication credentials are generated, managed and passed to the Shift4 Driver by the host computer’s native authentication.

The Shift4 Driver does not provide access to cardholder data.

3.2 Software vendor must provide guidance to customers that all access to PCs, servers, and databases with payment applications must require a unique user ID and secure authentication.

Aligns with PCI DSS Requirements 8.1 and 8.2

Merchant

The merchant must control access to the systems running the Shift4 Driver using unique user IDs and passwords in accordance with PCI DSS Requirement 8.

3.3 Secure all payment application passwords (including passwords for user and application accounts) during transmission and storage.

Aligns with PCI DSS Requirement 8.2.1

N/A The Shift4 Driver does not maintain a database of users, so there is no storage or transmission of passwords by the Shift4 Driver.

3.4 Payment application must limit access to required functions/resources and enforce least privilege for built-in accounts…

Aligns with PCI DSS Requirement 7 N/A The Shift4 Driver does not use built-in accounts.

4.1 At the completion of the installation process, the “out of the box” default installation of the payment application must log all user access…


Merchant

The Shift4 Driver automatically generates log files that record the swipe information and the communication with the UTG. The merchant must ensure that they provide individual operating system account profiles to their employees and must have a way to verify who was logged in to the system and what time they were logged in.




4.2 Payment application must provide automated audit trails to reconstruct the following events…

Aligns with PCI DSS Requirements 10.2

Merchant

Since the Shift4 Driver does not store cardholder data, this generally does not apply. However, PA-DSS Requirement 4.2.7 requires the merchant to implement Windows Object Level Auditing and File Integrity Monitoring; refer to Microsoft for implementation instructions specific to your Windows version.

The "Appendix A - 3700" and "Appendix B - 9700" sections in this document list files that must be monitored.

4.3 Payment application must record at least the following audit trail entries for each event…


Merchant

The merchant is responsible to record all audit trail entries for all system components for each event listed in PA-DSS Requirements 4.3.1 through 4.3.6.

Automated transaction audit trail information is maintained in Lighthouse Transaction Manager.

4.4. Payment application must facilitate centralized logging.


Shift4 Payments

The Shift4 Driver locally writes events to the trace file. This file does not contain sensitive authentication data and/or cardholder data.

Merchant The merchant is responsible for monitoring the trace file and for all other centralized logging requirements.

5.1 The software vendor has defined and implemented a formal process for secure development of payment applications…


Shift4 Payments

The Shift4 Driver has been developed in accordance with the Shift4 Payments Software Development Life Cycle and secure coding best practices.

5.2 Develop all payment applications to prevent common coding vulnerabilities in software-development processes.


N/A The Shift4 Driver is not a web application.




5.3 Software vendor must follow change control procedures for all application changes. Change-control procedures must follow the same software development processes as new releases (as defined in PA-DSS Requirement 5.1), and include the following…


Shift4 Payments

Change controls for the Shift4 Driver are in accordance with the Shift4 Payments Change Control policy.

5.4 The payment application vendor must document and follow a software-versioning methodology as part of their system development lifecycle.

Shift4 Payments

5.5 Risk assessment techniques are used to identify potential application security design flaws and vulnerabilities during the software-development process.


Shift4 Payments

Risk assessment is embedded into Shift4 Payments’ Software Development Life Cycle through the analysis of process flows, related data, and constructs.

5.6 Software vendor must implement a process to document and authorize the final release of the application and any application updates.


Shift4 Payments

Formal reviews and multi-tier approval gates are incorporated into Shift4 Payments’ Software Development Life Cycle.

6.1 For payment applications using wireless technology, change wireless vendor defaults…

Aligns with PCI DSS Requirements 1.2.3 & 2.1.1

Shift4 Payments

The Shift4 Driver does not require the use of wireless technologies.

Merchant

Shift4 Payments strongly recommends that merchants do not use any wireless connections for credit card transaction processing. If the merchant requires the use of wireless devices, the use of strong encryption technology for authentication and transmission is also required in accordance with PCI DSS Requirement 2.1.1. DO NOT USE WEP.

6.2 For payment applications using wireless technology, payment application must facilitate use of industry best practices…


Merchant Refer to PA-DSS Requirement 6.1 details.




7.1 Test payment applications to address vulnerabilities and maintain payment application updates Aligns with PCI DSS Requirement 6.4

Shift4 Payments

The Shift4 Driver has been developed in accordance with the Shift4 Payments Software Development Life Cycle and secure coding best practices.

7.2 Software vendors must establish a process for timely development and deployment of security patches and upgrades.


Shift4 Payments

The Shift4 Driver patches and upgrades are developed in accordance with the Shift4 Payments Software Development Life Cycle and secure coding best practices. Merchants are notified of patches and upgrades via 4sight, the Shift4 Payments newsletter. Patches and upgrades are delivered in installer packages available through the merchant portal.

8.1 The payment application must be able to be implemented into a secure network environment. Application must not interfere with use of devices, applications, or configurations required for PCI DSS compliance…

Aligns with PCI DSS Requirements 1, 3, 4, 5, and 6

Shift4 Payments

The Shift4 Driver will not interfere with the installation of patches, anti-malware protection, firewall configurations, or any other device, application, or configuration required for PCI DSS compliance.

Merchant The merchant is responsible for implementing the Shift4 Driver in an internal, private, trusted network segment.

8.2 The payment application must only use or require use of necessary and secure services, protocols, daemons, components, and dependent software and hardware…


Shift4 Payments

The Shift4 Driver does not require the use of unnecessary and insecure services and protocols.

8.3 The payment application must not require use of services or protocols that preclude the use of or interfere with normal operation of multi-factor authentication technologies for securing remote access to the payment application that originates from outside the customer environment.


Shift4 Payments

The Shift4 Driver will not interfere with the operation of multi-factor authentication technologies used for securing remote access to the payment application.




9. Cardholder data must never be stored on a server connected to the Internet.


Shift4 Payments

The Shift4 Driver does not store post-authorization cardholder data.

Merchant The merchant must not store cardholder data on the Shift4 Driver machine. The Shift4 Driver must be installed inside the trusted network, never the DMZ.

10.1 Multi-factor authentication must be used for all remote access to the payment application that originates from outside the customer environment.


Shift4 Payments

The Shift4 Driver will not interfere with multi-factor authentication technologies.

Merchant The merchant is responsible for incorporating multi-factor authentication for remote access to the network as specified in PA-DSS Requirement 10.1.

10.2 Any remote access into the payment application must be performed securely, as follows:


Merchant The merchant is responsible for incorporating multi-factor authentication for remote access to the network.




10.2.1 If payment application updates are delivered via remote access into customers’ systems, software vendors must tell customers to turn on remote-access technologies only when needed for downloads…

Aligns with PCI DSS Requirements 1 and 12.3.9

Shift4 Payments

When remote support by Shift4 Payments is necessary, the customer will receive a one-time use session key from Shift4 Payments’ remote support tool which is hosted by Shift4 Payments.

The customer will then use that session key to download and install remote connection software on their system.

Through an outbound connection from the customer’s system to Shift4 Payments, the customer will enable remote support.

After the support session is terminated by Shift4 Payments or the customer, the remote connection software on the customer’s system automatically uninstalls itself.

A remote connection to the customer’s system is no longer possible unless a new, one-time session key is issued and the remote connection software is reinstalled.

10.2.2 If vendors or integrators/resellers can access customers’ payment applications remotely, a unique authentication credential must be used for each customer.

Aligns with PCI DSS Requirements 8.5.1

Shift4 Payments

A one-time use session key is generated for remote access as described in PA-DSS requirement 10.2.1 above.

10.2.3 Remote access to customers’ payment applications by vendors, integrators/resellers, or customers must be implemented securely…

Aligns with PCI DSS Requirements 2, 8 and 10

Merchant

The Shift4 Driver does not have remote access capability on its own. If the customer elects to install remote access software on the system running the Shift4 Driver, the merchant is responsible for maintaining secure user access control and multi-factor authentication.

Do NOT access the web server from outside the cardholder environment.




11.1 If the payment application sends, or facilitates sending, cardholder data over public networks, the payment application must support use of strong cryptography and security…

Note: SSL and early TLS are not considered strong cryptography. Payment applications must not use, or support the use of, SSL or early TLS…


Shift4 Payments

The Shift4 Driver communicates directly with the UTG. The UTG encrypts cardholder data before transmitting it over public networks via a secure connection to Shift4 Payments’ Lighthouse Transaction Manager using Shift4 Payments’ Derived Unique Key Per Transaction with Moving Target Encryption.

The Shift4 Driver utilizes multiple encryption keys for transport/processing but does not store post-authorization cardholder data.

The encryption key for the communication between the Shift4 Driver and the UTG utilizes a shared secret passphrase.

The encryption key for communication between secure library and the driver is randomly generated by the driver and changes every time the driver is restarted.

The encryption key for communication between 4Go and the UTG is randomly generated by the UTG and changes every time the UTG is restarted.

It is recommended that the Shift4 Driver and the UTG be installed on the same network and the communication between the Shift4 Driver and the UTG does not cross public networks.

Merchant The Shift4 Driver must not be configured to send cardholder data over public networks.

11.2 If the payment application facilitates sending of PANs by end-user messaging technologies…


N/A The Shift4 Driver does not facilitate the transmission of PANs by end-user messaging technologies.




12.1 Secure all non-console administrative access.

Aligns with PCI DSS Requirement 2.3 Merchant

The merchant is responsible for encrypting all other non-console administrative access to the host running the Shift4 Driver.

12.2 Use multi-factor authentication for all personnel with non-console administrative access.


Merchant

The Shift4 Driver does not support non-console administrative access on its own. The merchant is responsible for maintaining secure user access control through use of multi-factor authentication to the host system.

13. Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators. .

Shift4 Payments

Shift4 Payments provides this guide that facilitates the implementation of PA-DSS requirements.

Shift4 Payments performs a review of this document at least annually and updates the guide to keep it current with software changes.

14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators

Shift4 Payments

All Shift4 Payments personnel with PA-DSS responsibility receive training in PA-DSS and are verified annually.

Shift4 Payments performs a review of training material at least annually and makes updates to keep it current with PA-DSS.



Appendix A - 3700 Appendix A contains matrixes that list the currently installed files by the Secure Suite 4 MICROS 3700 installer. This matrix assumes a default install directory of C:\MICROS which can be changed by the customer during installation.

Secure Suite 4 MICROS 3700 Version Files and Objects Included in the

Installer

Changes on Version Upgrade

Changes on Configuration Change

All Versions - Common Files

C:\MICROS\RES\POS\BIN\CaDOTN.cnt Yes Yes No

C:\MICROS\RES\POS\BIN\CaDOTN.dll Yes Yes No

C:\MICROS\RES\POS\BIN\CaDOTN.hlp Yes Yes No

C:\MICROS\RES\POS\BIN\S4Crypto.dll Yes Yes No

C:\MICROS\RES\POS\BIN\Shift4MicrosConfigUtility.exe Yes Yes No

C:\MICROS\RES\POS\BIN\ShredAndDelete.exe Yes Yes No

C:\MICROS\RES\POS\ETC\CaDOTN.cfg Yes Yes No

C:\MICROS\RES\POS\ETC\CaDOTN.info Yes Yes No

C:\MICROS\RES\POS\ETC\CaDOTN.param Yes Yes Yes

3.0 and 3.1 - Common Files

C:\MICROS\RES\POS\ETC\CaDOTN.isl Yes Yes No

C:\MICROS\RES\POS\ETC\PMS#.isl

(where # is the number of the DOTNscr interface) Yes Yes No

C:\MICROS\RES\POS\Shift4\UTGStub.exe Yes Yes No

C:\MICROS\DISKLESS\ULTRA\UTGStub.txt Yes Yes No

C:\MICROS\DISKLESS\ULTRA\SecLibEx.txt Yes Yes No

C:\MICROS\DISKLESS\ECLIPSE\UTGStub_E.txt Yes Yes No

C:\MICROS\DISKLESS\ECLIPSE\SecLibExE.txt Yes Yes No

C:\MICROS\RES\POS\BIN\SecurLib.dll Yes Yes No




Installer



C:\MICROS\NetSetup\Shift4\ETC\CaDOTN.cfg Yes Yes No

C:\MICROS\NetSetup\Shift4\ETC\CaDOTN.info Yes Yes No

C:\MICROS\NetSetup\Shift4\ETC\SecLibNet.cfg Yes Yes No

C:\MICROS\NetSetup\Shift4\ETC\CaDOTN.param Yes Yes Yes

C:\MICROS\NetSetup\Shift4\ETC\CaDOTN.isl Yes Yes No

C:\MICROS\NetSetup\Shift4\ETC\PMS#.isl


C:\MICROS\NetSetup\Shift4\BIN\S4Crypt.dll Yes Yes No

C:\MICROS\NetSetup\Shift4\BIN\SecureLib.dll Yes Yes No

3.0 - Specific Files C:\MICROS\Documentation\SecureSuite3700_Lib_v3r0.pdf Yes Yes No

3.1 - Specific Files C:\MICROS\Documentation\SecureSuite3700_Lib_v3r1.pdf Yes Yes No

3.2 and Above - Common Files

C:\MICROS\RES\POS\BIN\S4SecurePayment.dll Yes Yes No

C:\MICROS\RES\POS\BIN\S4GoConfig.exe Yes Yes No

C:\MICROS\RES\POS\ETC\Win32.CaDOTN.isl Yes Yes No

C:\MICROS\RES\POS\ETC\PMS#.isl Yes Yes No

3.2 - Specific Files C:\MICROS\Documentation\SecureSuite3700_4Go_v3r2.pdf Yes Yes No

4.x - Specific Files

(where x is any number)

C:\MICROS\Documentation\Secure Suite 4 MICROS 3700 PA-DSS Implementation Guide.pdf Yes Yes No

C:\MICROS\Documentation\Secure Suite 4 MICROS 3700 Version 4 Technical Installation Guide.pdf Yes Yes No

5.x - Specific Files

(where x is any number)

C:\MICROS\Documentation\Secure Suite 4 MICROS 3700 PA-DSS Implementation Guide.pdf Yes Yes No

C:\MICROS\Documentation\Secure Suite 4 MICROS 3700 Version 5 Technical Installation Guide.pdf Yes Yes No




Installer



HKEY_LOCAL_MACHINE\SOFTWARE\Shift4 Corporation Yes Yes Yes

Workstation Specific Files This matrix assumes a default install directory of C:\MICROS which can be changed by the customer during installation.

Secure Suite 4 MICROS 3700 Workstation File

Included in the

Installer


Changes on Configuration

Change

NetSetup - Specific Files

(MICROS 3.2 Only)

C:\MICROS\NetSetup\Shift4\ETC\Win32.CaDOTN.isl

Yes Yes No

C:\MICROS\NetSetup\Shift4\ETC\PMS#.isl


C:\MICROS\NetSetup\Shift4\ETC\CaDOTN.info Yes Yes No

C:\MICROS\NetSetup\Shift4\ETC\CaDOTN.param Yes Yes Yes

C:\MICROS\NetSetup\Shift4\BIN\ S4SecurePayment.dll Yes Yes No

Win32 - Specific Files

(MICROS 3.2 and Above)

C:\MICROS\RES\CAL\Win32\Files\Micros\RES\POS\ETC\Win32.CaDOTN.isl Yes Yes No

C:\MICROS\RES\CAL\Win32\Files\Micros\RES\POS\ETC\PMS#.isl Yes Yes No

C:\MICROS\RES\CAL\Win32\Files\Micros\RES\POS\ETC\CaDOTN.info Yes Yes No

C:\MICROS\RES\CAL\Win32\Files\Micros\RES\POS\ETC\CaDOTN.param Yes Yes Yes

C:\MICROS\RES\CAL\Win32\Files\Micros\RES\POS\BIN\S4SecurePayment.dll Yes Yes No

WS4 - Specific Files


C:\MICROS\RES\CAL\WS4\Files\CF\Micros\ETC\WS4.CaDOTN.isl Yes Yes No

C:\MICROS\RES\CAL\WS4\Files\CF\Micros\ETC\PMS#.isl Yes Yes No

C:\MICROS\RES\CAL\WS4\Files\CF\Micros\ETC\CaDOTN.info Yes Yes No

C:\MICROS\RES\CAL\WS4\Files\CF\Micros\ETC\ CaDOTN.param Yes Yes Yes




Included in the

Installer



Change

C:\MICROS\RES\CAL\WS4\Files\CF\Micros\BIN\FourGoDCE.exe Yes Yes No

C:\MICROS\RES\CAL\WS4\Files\CF\Micros\BIN\FourGE.dll Yes Yes No

WS4LX - Specific Files

(MICROS 3.2.94.1611; 3.2.98.1726; 3.2.101.1895;

4.0; and Above)

C:\MICROS\RES\CAL\WS4LX\Files\CF\Micros\ETC\WS4.CaDOTN.isl Yes Yes No

C:\MICROS\RES\CAL\WS4LX\Files\CF\Micros\ETC\PMS#.isl


C:\MICROS\RES\CAL\WS4LX\Files\CF\Micros\ETC\CaDOTN.info Yes Yes No

C:\MICROS\RES\CAL\WS4LX\Files\CF\Micros\ETC\CaDOTN.param Yes Yes Yes

C:\MICROS\RES\CAL\WS4LX\Files\CF\Micros\BIN\FourGoDCE.exe Yes Yes No

C:\MICROS\RES\CAL\WS4LX\Files\CF\Micros\BIN\FourGE.dll Yes Yes No

WS5 - Specific Files

(MICROS 3.2.94.1611; 3.2.98.1726; 3.2.101.1895;

4.0; and Above)

C:\MICROS\RES\CAL\WS5\Files\CF\Micros\BIN\FourGoDCE.exe Yes Yes No

C:\MICROS\RES\CAL\WS5\Files\CF\Micros\BIN\FourGE.dll Yes Yes No

C:\MICROS\RES\CAL\WS5\Files\CF\Micros\ETC\WS4.CaDOTN.isl Yes Yes No

C:\MICROS\RES\CAL\WS5\Files\CF\Micros\ETC\PMS#.isl


C:\MICROS\RES\CAL\WS5\Files\CF\Micros\ETC\CaDOTN.info Yes Yes No

C:\MICROS\RES\CAL\WS5\Files\CF\Micros\ETC\CaDOTN.param Yes Yes No

WS5A - Specific Files


C:\MICROS\RES\CAL\WS5A\Files\CF\Micros\BIN\FourGoDCE.exe Yes Yes No

C:\MICROS\RES\CAL\WS5A\Files\CF\Micros\BIN\FourGE.dll Yes Yes No

C:\MICROS\RES\CAL\WS5A\Files\CF\Micros\ETC\WS4.CaDOTN.isl Yes Yes No

C:\MICROS\RES\CAL\WS5A\Files\CF\Micros\ETC\PMS#.isl


C:\MICROS\RES\CAL\WS5A\Files\CF\Micros\ETC\CaDOTN.info Yes Yes No




Included in the

Installer



Change

C:\MICROS\RES\CAL\WS5A\Files\CF\Micros\ETC\CaDOTN.param Yes Yes Yes



Appendix B - 9700 Appendix B contains a matrix that lists the currently installed files by the Secure Suite 4 MICROS 9700 installer. This matrix assumes a default install directory of C:\MICROS which can be changed by the customer during installation.

Secure Suite 4

MICROS 9700

Version

Files and Objects Included

in the Installer

Changes on Version

Upgrade


Change

2.5 and 2.8 - Common Files

C:\MICROS\LES\POS\9700\ETC\dotnscr.isl Yes Yes No

C:\MICROS\LES\POS\9700\ETC\SQLEMP Yes Yes No

C:\MICROS\LES\POS\9700\ETC\SQLEMPNO Yes Yes No

C:\MICROS\LES\POS\9700\ETC\dotnscr.param Yes Yes Yes

C:\MICROS\LES\POS\9700\BIN\ShredAndDelete.exe Yes Yes No

C:\MICROS\LES\POS\9700\BIN\SecureLib.dll Yes Yes No

C:\MICROS\LES\POS\9700\BIN\dotndrvutil.exe Yes Yes No

C:\MICROS\LES\POS\9700\BIN\s4Crypto.dll Yes Yes No

C:\MICROS\LES\POS\9700\BIN\dotndrv.exe Yes Yes No

C:\MICROS\LES\POS\9700\Documentation\SecureSuite9700_Lib_pre3.pdf Yes Yes No

C:\MICROS\LES\POS\9700\ETC\dotnscr.dat No No Yes


C:\MICROS\LES\POS\9700\BIN\CaDOTN.exe Yes Yes No

C:\MICROS\LES\POS\9700\BIN\S4cedStart.dll Yes Yes No

C:\MICROS\LES\POS\9700\BIN\s4Crypto.dll Yes Yes No

C:\MICROS\LES\POS\9700\BIN\S4GoConfig.exe Yes Yes No

C:\MICROS\LES\POS\9700\BIN\S4PasswordUtil.exe Yes Yes No

C:\MICROS\LES\POS\9700\BIN\ShredAndDelete.exe Yes Yes No



Secure Suite 4

MICROS 9700

Version


in the Installer

Changes on Version

Upgrade


Change

C:\MICROS\LES\POS\9700\BIN\Strings.ini Yes Yes Yes

C:\MICROS\LES\POS\9700\ETC\CaDOTN.isl Yes Yes No

C:\MICROS\LES\POS\9700\ETC\CaDOTN.param Yes Yes Yes

C:\MICROS\LES\POS\9700\ETC\CaDOTNReadMe.txt Yes Yes No

C:\MICROS\LES\POS\9700\ETC\SQLEMP.bat Yes Yes No

C:\MICROS\LES\POS\9700\ETC\SQLEMPNO.bat Yes Yes No

C:\MICROS\LES\POS\9700\4WayStop\S4SecurePayment.dll Yes Yes No

C:\MICROS\LES\POS\9700\4WayStop\S4WayStop.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\Win32\Packages\Shift4 4Go\S4WayStopSetup.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\Win32\Packages\Shift4 4Go\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go\S4WayStopCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go\S4WayStopCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go\S4WayStopCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\Documentation\Secure Suite 4 MICROS 9700 Version 3 Technical Installation Guide.pdf Yes Yes No



Secure Suite 4

MICROS 9700

Version


in the Installer

Changes on Version

Upgrade


Change

C:\MICROS\LES\POS\9700\Documentation\Secure Suite 4 MICROS 9700 PA-DSS Implementation Guide.pdf Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Files\CF\PosClient\Sim\CaDOTN.param Yes Yes Yes

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Files\CF\PosClient\Sim\CaDOTN.param Yes Yes Yes

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Files\CF\PosClient\Sim\CaDOTN.param Yes Yes Yes

C:\MICROS\LES\POS\9700\Scripts\SAR\CaDOTN.isl Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\Win32\Packages\Shift4 4Go SAR\S4WayStopSetup.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\Win32\Packages\Shift4 4Go SAR\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\Win32\Files\Shift4\Param\CaDOTN.param Yes Yes Yes

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go SAR\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go SAR\S4WayStopCe.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go SAR\S4cedStart.dll Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4\Packages\Shift4 4Go SAR\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go SAR\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go SAR\S4WayStopCe.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go SAR\S4cedStart.dll Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS4LX\Packages\Shift4 4Go SAR\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go SAR\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go SAR\S4WayStopCe.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go SAR\S4cedStart.dll Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5\Packages\Shift4 4Go SAR\setup.dat Yes Yes No



Secure Suite 4

MICROS 9700

Version


in the Installer

Changes on Version

Upgrade


Change

C:\MICROS\LES\POS\9700\ETC\CaDOTN.dat No No Yes


C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5A\Packages\Shift4 4Go SAR\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5A\Packages\Shift4 4Go SAR\S4WayStopCe.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5A\Packages\Shift4 4Go SAR\S4cedStart.dll Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5A\Packages\Shift4 4Go SAR\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\WS5A\Files\CF\PosClient\Sim\CaDOTN.param Yes Yes Yes

3.60 and Above - KW270 SAR Specific Files

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\KW270\Packages\Shift4 4Go SAR\FourGoDCE.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\KW270\Packages\Shift4 4Go SAR\S4WayStopCe.exe Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\KW270\Packages\Shift4 4Go SAR\S4cedStart.dll Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\KW270\Packages\Shift4 4Go SAR\setup.dat Yes Yes No

C:\MICROS\LES\POS\9700\ClientInstalls\CALInstall\KW270\Files\Store\PosClient\Sim\CaDOTN.param Yes Yes Yes

HKEY_LOCAL_MACHINE\SOFTWARE\Shift4 Corporation Yes Yes Yes

Date post:	10-Mar-2020
Category:	Documents
Upload:	others
View:	45 times
Download:	0 times

Secure Suite 4 MICROS 3700 or 9700 PA-DSS Implementation … suite 4...Secure Suite 4 MICROS 3700 or...

Documents