POSPay Client
Installation Guide
www.payex.no

PayEx Solutions AS
PO.Box 308 Sentrum
N-0167 Oslo
Switch: +47 22 03 63 00
[email protected]

Document information:
AUTHOR: Marte H. Austdal, PayEx Solutions AS

1 Changes

Change log:

Date        Description
2009-03-13  Initial version
2009-03-18  Corrections of offline retention time, some other minor adjustments
2009-03-18  Finalized into version 1.0

By: Marte Austdal, Lars J. Vigeland, Lars Marlow Krosby

_________________Installation Guide__________________

Table of contents

1 CHANGES ... 1
2 NB: IMPORTANT INFORMATION ... 3
2.1 Background ... 3
2.2 Requirements to merchants, resellers and integrators ... 5
2.2.1 Sensitive data ... 5
2.2.2 Logs ... 6
2.2.3 Backup solution / offline transactions ... 6
2.2.4 Receipts ... 7
3 ADDITIONAL INFORMATION ... 9
3.1 Security updates ... 11
3.2 Traffic from/to the POSPay client ... 11
3.2.1 SSL ... 11
3.3 The POSPay client ... 12
3.4 Test or production ... 13
4 INSTALL PINPAD ... 14
5 DOWNLOAD POSPAY CLIENT ... 15
6 INSTALL POSPAY CLIENT ... 18
6.1 Before installation ... 18
6.2 ini file installation ... 18
6.2.1 Example file ... 19
6.2.2 SSL Example file ... 19
6.3 Manual installation without .ini file ... 20

2 NB: Important information

2.1 Background

A brief overview of some of the standards the POSPay Client is compliant with is listed below.

PCI DSS

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The POSPay Client is PCI DSS compliant from version 3.1.18.

Please visit https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for more information about PCI DSS.

PA DSS

PA DSS is the PCI Security Standards Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.

The POSPay Client is PA DSS compliant from version 3.1.18.

Please visit https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information about PA DSS.

PCI PED

To gain approval by the PCI Security Standards Council, PEDs (PIN entry devices) must comply with the requirements and guidelines specified in the following documents. The Sagem Flexi 2 is PCI PED approved and can be ordered from POS System AS as of now.

Please visit https://www.pcisecuritystandards.org/security_standards/ped/index.shtml for more information about PCI PED.
EMV

EMV (Europay, MasterCard, Visa) is the global standard that is helping ensure smart cards, terminals and other systems can interoperate. EMV chip-based payment cards, also known as smart cards, contain an embedded microprocessor, a type of small computer. The microprocessor chip contains the information needed to use the card for payment, and is protected by various security features. Chip cards are a more secure alternative to traditional magnetic stripe payment cards.

The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC chip card interface defined in ISO 7816.

The POSPay Client has passed several EMV certifications in Norway (with BBS and Nordea as processor), Sweden (done by SCC with Swedbank as processor) and Denmark (with NETS as processor). EMV certification of the POSPay Client in Denmark (with PBS as processor) is scheduled for April 2009.

Please visit http://www.emvco.com/specifications.aspx for more information about the EMV standard.

2.2 Requirements to merchants, resellers and integrators

The following requirements must be complied with, and it is very important that you are fully aware of them. These requirements are absolutely necessary for PCI DSS and PA DSS compliance; PayEx Solutions AS cannot be held responsible if the requirements are not observed.

2.2.1 Sensitive data

In old versions of the POSPay client, sensitive data may be stored in logs or in the POSPay client's database. Sensitive data will be cleaned up if you follow the instructions in this chapter (2.2).
The values in the "Data element" column are defined as sensitive data:

Data element                   Storage permitted
Cardholder data
  Primary Account Number       Yes
  Cardholder Name              Yes
  Service Code                 Yes
  Expiration Date              Yes
Sensitive authentication data
  Full Magnetic Stripe Data    No
  CAV2/CID/CVC2/CVV2           No
  PIN/PIN Block                No

In some scenarios, it may be necessary for you as a merchant to collect sensitive data:
- Offline scenarios where the full PAN is printed on the receipt (see chapter 2.2.4).
- A problem has occurred in a transaction and sensitive data is collected to solve the issue.
- Etc.

If you for some reason have collected sensitive data, please see to it that the following procedures are followed to comply with the PCI and PA DSS standards:
- Collect sensitive authentication data only when needed to solve a specific problem.
- Store such data only in specific, known locations with limited access.
- Collect only the limited amount of data needed to solve a specific problem.
- Encrypt sensitive authentication data while stored.
- Securely delete such data immediately after use.

Please note that cardholder data in the PCI and PA DSS compliant POSPay client will be stored encrypted for two scenarios and only in its database (path: %POSPAY_HOME%\data, files: database.script and database.log):
- Backup/offline transactions (also see chapter 2.2.3 for notes on clean-up of offline transactions).
- Last transaction. Must be stored if the POSPay client should be able to perform reversals.

2.2.2 Logs

When a PCI compliant client is installed, any old logs from any old version of the POSPay client, if existing, must be deleted. These logs may contain sensitive data and constitute a security risk. The logs are located in %POSPAY_HOME%\logs. Be especially aware of logs that you may have moved from their original folder.
Should such logs be used for malicious purposes like fraud, it will be your responsibility; POS is not responsible for files removed from the %POSPAY_HOME% folder (home directory for the installation, like C:\Program Files\POSPay).

If you should fail to delete your old logs right away, the POSPay Client will clean them up when their timestamp reaches 30 days (as long as the logs have not been tampered with, renamed etc.). Remember, this is the backup solution; old logs should be deleted manually by you. Be aware that this also concerns logs from the new installation of the POSPay client: by default all logs will be deleted when they reach 30 days.

2.2.3 Backup solution / offline transactions

It is no longer allowed to store cardholder data for indefinite time periods, even if the data is encrypted. This requirement affects the transactions performed with the backup solution (offline transactions), because offline transactions, which contain encrypted cardholder data, are stored in the POSPay Client's local database while awaiting online state.

Please note that normally the POSPay Client should not be offline for more than a maximum of a few hours. When the client has an online connection again, the offline transactions are immediately transferred to the server and deleted from the client. If the client is offline for a longer period, the following actions will be taken by the POSPay Client to meet this requirement:

1. From the point where the first offline transaction in the POSPay Client database exceeds the warn limit, default 7 days (configurable), a warning will be displayed every time a financial transaction is initiated. This warning will contain a message like "Offline limit exceeded, call support +47 99401150". The same warning will be given if more than 500 (default) offline transactions are stored; this is also a configurable value.
2. The warning will not block you from using the till or the client, but you will need to confirm or reject the warning.
A confirm allows you to continue with the transaction; a reject will abort the transaction.
3. We recommend that POS support is contacted as soon as possible to solve the problem.
4. If the problem is not solved in 30 days (configurable), further actions must be taken in the POSPay client. You as a merchant may choose between the following options:
   a) Offline transactions older than the 30-day limit are deleted. After the offline transactions are deleted, the client will function as normal. This is an automatic job initiated and performed by the client itself. Please note that if offline transactions are deleted from your client, the only way you as a merchant can retrieve your money is to physically send the signed receipt to the acquirer.
   b) The client detects that offline transactions older than 30 days exist and will deny any financial transaction in the client until this is cleaned up/solved. The detect job is automatically performed by the client itself, but the follow-up (calling POS support) must be performed by you as merchant. Please note that it will be impossible to perform a payment with card or any other action in the client until this is cleaned up.

We would like to note that normally offline transactions are flushed almost immediately after they are performed. If an offline transaction gets, for example, two days old on the client, there is most likely a problem with, for example, the internet connection.

Note: Default setup is deletion of transactions older than 30 days.
Note: All values are configurable so that each merchant can set up the most efficient limits for their business.

2.2.4 Receipts

There are strict requirements when it comes to storage of the PAN/card number. Some ECRs locally store the receipt data sent by the POSPay Client.
PAN is always masked on online receipts, but offline receipts normally did contain the whole PAN in versions prior to POSPay Client 3.1.18, as this is necessary if you are forced to use a signed receipt to get your money from the acquirer for a purchase. To avoid problems with storage of the PAN, the PAN in offline receipts will be masked like this: 123456__ __ __ __ __ __1234 (see the example receipt below). You as a merchant must fill in the missing numbers of the PAN, or else you risk not getting your money back if you for some reason are forced to send the receipt to the acquirer.

It is possible to turn off this function and display the entire PAN on offline receipts, but then it is the ECR vendor's/merchant's responsibility that the PAN is not electronically stored anywhere in the system. Note that you as a merchant are always responsible for storing offline receipts with full PAN in a safe location.

2.2.4.1 Example receipt

SIGNATURE PAYMENT
BAX 578141-4
BANKKORT
957852__ __ __ __ __ __ __ __ 0198
Expire:12/2012
2009-03-13 16:51
Ref:123695950828-L07501
Amount NOK 2.00
Total NOK 2.00
AID: D5780000021010
CG: E7AAE0AE8594AA48
TVR: 8000088000
Godkjennes for debitering av min konto i henhold til ovenstående

**** Må fylles ut ****
Bankkortets kontrollnr:__________________________
Kortholders signatur:_____________________________

********************************
* Arkiveres i butikk i henhold *
* til regnskapsloven           *
********************************

2.2.5 Access control

It is recommended that access control is implemented for the POSPay client installation.
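The offline queue limits of chapter 2.2.3 and the offline receipt PAN mask of chapter 2.2.4, as an added example that is not part of this guide or of the POSPay client's own code. The class and function names, the in-memory list standing in for the client's encrypted database, and the sample transactions (using the well-known test PAN 4111111111111111) are constructed for this example; the 7-day, 500-transaction and 30-day limits are the defaults the guide names. The Luhn filter in contains_full_pan is an addition here, so that the Ref and AID digit runs on a receipt are not mistaken for a card number.

```python
"""Added example, not PayEx code: a stand-in for the POSPay client's offline
("backup solution") queue of chapter 2.2.3 and the offline receipt PAN mask of
chapter 2.2.4. Class and function names, the in-memory list that stands in for
the client's encrypted database, and the sample transactions are constructed;
the limits are the defaults the guide names."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

WARN_AGE_DAYS = 7     # oldest offline transaction older than this: warn on every transaction
WARN_COUNT = 500      # more stored offline transactions than this: warn as well
EXPIRE_AGE_DAYS = 30  # older than this: option a) auto-delete, or option b) block the client
WARNING_TEXT = "Offline limit exceeded, call support +47 99401150"


def mask_offline_pan(pan: str) -> str:
    """Mask a PAN as chapter 2.2.4 shows for offline receipts: first six and
    last four digits kept, every other digit printed as '__' for the merchant
    to fill in by hand on the signed paper receipt."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("a PAN has 12 to 19 digits")
    blanks = " ".join("__" for _ in range(len(digits) - 10))
    return digits[:6] + blanks + digits[-4:]


def _luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a PAN from other long digit runs (reference
    numbers, AIDs) printed on the same receipt."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_full_pan(text: str) -> bool:
    """Check for receipt data an ECR has stored locally (chapter 2.2.4): True if
    the text still carries an unmasked, Luhn-valid run of 12 to 19 digits."""
    return any(_luhn_ok(m) for m in re.findall(r"(?<!\d)\d{12,19}(?!\d)", text))


@dataclass
class OfflineTransaction:
    ref: str
    pan: str          # the real client stores this encrypted; plaintext only in this demo
    amount_nok: float
    performed_at: datetime

    def receipt_line(self) -> str:
        return f"{mask_offline_pan(self.pan)}  NOK {self.amount_nok:.2f}  Ref:{self.ref}"


@dataclass
class OfflineQueue:
    """Offline transactions waiting for online state. delete_expired=True is
    option a) of chapter 2.2.3 (purge after 30 days), False is option b) (block)."""
    delete_expired: bool = True
    transactions: List[OfflineTransaction] = field(default_factory=list)

    def add(self, tx: OfflineTransaction) -> None:
        self.transactions.append(tx)

    def flush_online(self) -> List[OfflineTransaction]:
        """Connection restored: everything goes to the server and is deleted locally."""
        sent, self.transactions = self.transactions, []
        return sent

    def check_before_transaction(self, now: datetime) -> str:
        """Run when a financial transaction is initiated. Returns 'ok',
        'warn' (the merchant must confirm or reject) or 'blocked'."""
        expiry = now - timedelta(days=EXPIRE_AGE_DAYS)
        if any(t.performed_at < expiry for t in self.transactions):
            if not self.delete_expired:
                return "blocked"
            self.transactions = [t for t in self.transactions if t.performed_at >= expiry]
        if not self.transactions:
            return "ok"
        oldest = min(t.performed_at for t in self.transactions)
        too_old = oldest < now - timedelta(days=WARN_AGE_DAYS)
        return "warn" if too_old or len(self.transactions) > WARN_COUNT else "ok"


# Constructed sample data; 4111111111111111 is a well-known test PAN.
NOW = datetime(2009, 3, 13, 16, 51)
SAMPLE = [
    OfflineTransaction("A1", "4111111111111111", 2.00, NOW),
    OfflineTransaction("A2", "4111111111111111", 150.00, NOW - timedelta(days=9)),
    OfflineTransaction("A3", "4111111111111111", 99.50, NOW - timedelta(days=40)),
]


def demo(delete_expired: bool) -> str:
    """Load the sample queue and return what the client would do at NOW."""
    queue = OfflineQueue(delete_expired)
    for tx in SAMPLE:
        queue.add(tx)
    return queue.check_before_transaction(NOW)


if __name__ == "__main__":
    for tx in SAMPLE:
        print(tx.receipt_line())
    print("option a):", demo(True), "->", WARNING_TEXT)
    print("option b):", demo(False))
```

Running the file prints the masked receipt lines and the outcome under option a) (the 40-day-old transaction is purged, the 9-day-old one still triggers the warning) and option b) (the client is blocked). An ECR vendor or merchant can point contains_full_pan at locally stored receipt data to verify that the masking described above has not been switched off.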
Access to the installation should only be provided to a trusted admin; any tampering with the installation might lead to a corruption in the POSPay client which causes it to be unusable.

2.2.6 Wireless network

If wireless networking is used by the merchant, necessary precautions must be taken. The network must be implemented securely according to industry best practice:
- Perimeter firewalls must be installed between any wireless networks and the cardholder data environment.
- Firewalls must be configured to deny or control (if such data is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
- Strong encryption for authentication and transmission must be implemented:
  o Encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions.
  o Default SNMP community strings on wireless devices were changed.
  o Default passwords/passphrases on access points were changed.
  o Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2).
  o Other security-related wireless vendor defaults, if applicable.

2.2.7 Cardholder data and internet

Data containing cardholder data must never be stored on media accessible from the internet. Data from the POSPay client installation should never be moved from %POSPAY_HOME%.

2.2.8 Remote access

PayEx Solutions AS does not have remote access to the POSPay client and does not use remote access for installations. Installations are performed by the merchants/vendors.
If customers/integrators use remote access, make sure the following requirements are fulfilled:
- Remote access technologies must only be turned on when needed by vendors and turned off immediately after.
- Remote access must be authenticated using a two-factor authentication mechanism.
- Secure implementation of remote access:
  o Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
  o Allow connections only from specific (known) IP/MAC addresses.
  o Use strong authentication and complex passwords for logins.
  o Enable encrypted data transmission (for example SSL/TLS or IPSEC).
  o Enable account lockout after a certain number of failed login attempts.
  o Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.
  o Enable the logging function.
  o Restrict access to customer passwords to authorized reseller/integrator personnel.
  o Establish customer passwords; make sure unique user ids are used.

2.2.9 Non-console administration

If non-console administration is used, the following requirements must be fulfilled:
- Encrypt all non-console administrative access.
- Technologies such as SSH, VPN or SSL/TLS must be used for web-based management and other non-console administrative access.

3 Additional information

3.1 Security updates

The POSPay client uses bundled Java in its releases (optional). To detect vulnerabilities or security updates in Java, PayEx has an agreement with Secunia. Secunia's main area of operation is discovering and alerting customers about bugs, vulnerabilities, security patches and/or updates in known software and applications like Microsoft's or Sun's products.
3.2 Traffic from/to the POSPay client

3.2.1 SSL

SSL is supported for clients which authorize directly with the POSPay Transaction server. This is fully supported by the POSPay_Client_EVM installation. Other client types like IPOS and Manison require a direct communication link with an authorization server which does not support SSL, but the link towards the POSPay transaction server for reporting can be enabled with SSL.

To enable SSL the following settings must be set in config.properties:

    pospay.client.address=https://pospay.payex.com:443
    pospay.client.ssl.enabled=true
    pospay.client.gpa.communicationType=http

3.3 The POSPay client

There are several different types of the POSPay Client. Each type has a different layer of communication to the PED and transaction server/acquirers, but they all share a mutual core. Quick overview of the types:

Typename   Country     Current version  PED                       PCI compliant  Note
GPA EMV    NO, SE, DK  3.1.17           Flexi, Flexi2, Flexi LAN  X
IPOS       SE          3.1.17           Verifone                  X              Host Swedbank, copy-tx to POSPay tx-server
MANISON    FI          3.1.17           -                         -              Phased out
PSAM       DK          3.1.17           Flexi Lan                 X              Host PBS, copy-tx to POSPay tx-server
TOREX      NO          3.1.17           Flexi                     X              Will be phased out when all NO merchants have the GPA EMV client.
NOPINPAD   All         -                -                         X              Phased out

3.4 Test or production

Four installers for each client type are built for a release:

No  Name                                           Note
1   POSPay_Client-<version>_<type>.exe             Production version with Java bundled
2   POSPay_Client-<version>_<type>_NOJRE.exe       Production version without Java bundled
3   POSPay_Client-<version>_<type>_Test.exe        Test version with Java bundled
4   POSPay_Client-<version>_<type>_Test_NOJRE.exe  Test version without Java bundled

4 Install PinPad

The Sagem Flexi PinPad used to read customer cards is installed as described below. The installation of the received pinpad should be performed as follows:
- Unwrap the power supply and the COM cable (cable from pinpad to PC).
- The cables are connected as displayed on the illustration. The cable with the circular end is for power and must be inserted in the power outlet. The cable with the square end handles data communication between the PC and the pinpad. This must be attached to the PC through a COM port, see the illustration to the left. The COM port has nine pins.
- When the power supply is inserted in the power outlet, the pinpad will light up for a short moment. That means it is ok. Messages like "Insert card" will not be displayed before the POSPay client is installed and started.

For more information, visit our website http://pim.payex.com/pos
Username: download
Password: loaddown

Contact your ECR/cash register supplier if any problems should occur. You could also contact us directly by mail: [email protected] or on phone number: +47 99401150

5 Download POSPay client

Go to our website http://pim.payex.com/pos
Username: download
Password: loaddown
Press OK.
After log in, the download site will appear. Scroll to section 4 as displayed below. Press the link of the desired client, e.g. Norwegian Production Client including Java 1.5. Choose Save and then where to store the install file on your PC, e.g. choose Desktop to locate the file more easily later on.

6 Install POSPay Client

6.1 Before installation

To install the POSPay client, you must have a unique merchant and terminal id within the POSPay system. Note that you need different merchant and terminal ids for production and for test clients. The unique id is entered during installation and used to verify you on the POSPay transaction server; e.g. see the merchant and terminal id in the ini file in 6.2.1. You will receive the unique id from PayEx. If you have not received this, please contact PayEx and you will receive your unique id within a short time. Without your id, you will not be able to install your client.

6.2 ini file installation

We recommend that a .ini file is used to install the POSPay Client. The .ini file should contain all necessary information to install the client. POS support will assist the merchants in generating a .ini file for their installation. The ini file takes no regard to whether the installer is for the test or production environment.
Quick explanation of the example file:

Property          Values                 Comment
Components        DLL_INTERFACE          Dll integration
                  COM_DLL_1_0_INTERFACE  Com-Dll 1.0 integration
                  COM_DLL_INTERFACE      Com-Dll integration
                  OCX_INTERFACE          OCX integration
                  COM_EXE_INTERFACE      Com-Exe integration
                  CR_TERMINAL            Bundles Cash Register, ECR simulator supplied by POS
                  LOCAL_SERVER           Bundled local server for hotel and restaurant solution
                  BUNDLED_JRE            Bundles the correct version (1.5) of Java
Silent            YES                    Installation is performed absolutely silently based on the info in the .ini file; no dialog boxes will be prompted to the user.
                  NO                     All dialog boxes will be prompted to the user, see next chapter.
                  Almost                 Some dialog boxes will be prompted to the user, all info is autofilled. See next chapter for more information.
Directory         C:\PPPClient           Path to the installation
Configuration                            Config values, see API documentation. Values other than the defaults should be agreed with POS.
GPAConfiguration                         Config values for 3rd party source. POS will supply these.

6.2.1 Example file

This example file is for the GPA EMV client. In other ini files, the entry GPAConfiguration must be excluded:

    [Main]
    Components=DLL_INTERFACE,BUNDLED_JRE
    Silent=Yes
    Directory=C:\PPPClient
    Configuration=POSPay.client.installation.password=password,POSPay.client.timeout.verify=90000,POSPay.client.merchant.id=1,POSPay.client.terminal.id=1,POSPay.client.enableReversalCardCheck=true,POSPay.client.enableReversalAmountCheck=false,POSPay.client.gpa.input.voiceAuth.optional=true,POSPay.client.retryReversal=true
    GPAConfiguration=FlexiTerm.0.port=COM1

6.2.2 SSL Example file

This example file is for the GPA EMV client with SSL.
In other ini files, the entry GPAConfiguration must be excluded:

    [Main]
    Components=CR_TERMINAL,DLL_INTERFACE,BUNDLED_JRE
    Silent=No
    Directory=C:\PPPClient
    Configuration=pospay.client.installation.password=password,pospay.client.timeout.verify=90000,pospay.client.merchant.id=,pospay.client.terminal.id=,pospay.client.gpa.input.voiceAuth.optional=true,pospay.client.address=https://pospay.payex.com:443,pospay.client.ssl.enabled=true,pospay.client.gpa.communicationType=http
    GPAConfiguration=FlexiTerm.0.port=COM1

6.3 Manual installation without .ini file

After selecting the type of client, test/production environment and bundled/not bundled Java, you are ready to install the POSPay Client. Run the desired .exe file and you should be presented with the following window; press "Next".

A new window will appear that lets you choose where to install the client. The default path is ok, but any path on your local machine will do. After you have entered the desired path, press "Next".

The next window allows you to choose what components to install/integration to use. Press "Next". For testing, the default option "Java integration w/cash register terminal" is often used. You will then get the POSPay ECR simulator installed. Alternatively, if you are running a DLL integration between your ECR and the POSPay Client, you could use "Custom" and check both "Java integration w/cash register terminal" and "DLL integration" (small image below).
The last of the option windows asks what Start Menu folder to create, and allows you to choose not to create any. Make your selection and press "Next"; this should start the installation of the files.

Installing...

During the installation, a window pops up asking for "Brukerstedsnr" and "terminalnr". You should have received your merchant id (brukerstedsnr) and terminal id (terminalnr) from POS support beforehand. Fill in the required information and press OK.

The settings window appears. In this one you need to fill in the "Passord" field with "password". Additionally, you have to choose what COM port the pinpad will be connected to. Press "Lagre" and "Avslutt" in that order.

That is all; the last window confirms that the installation is complete. Press "Finish" to exit the installer.
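A check of an installation .ini file of the form shown in 6.2.1 and 6.2.2 against the settings this guide fixes, as an added example that is not part of the guide or of the POSPay installer: merchant and terminal id present (6.1), Components and Silent values from the table in 6.2, the GPAConfiguration entry only in a GPA EMV client file, and the three SSL settings of 3.2.1 in a consistent combination. The function names and the SAMPLE_INI text are constructed for this example; SAMPLE_INI is the 6.2.2 SSL file with the merchant and terminal id still blank, which the check reports.

```python
"""Added example, not part of the PayEx guide or of the POSPay installer: parse
the [Main] section of an installation .ini file of the form shown in 6.2.1 and
6.2.2 and check the settings the guide fixes: merchant and terminal id present
(6.1), Components and Silent values from the table in 6.2, and the three SSL
settings of 3.2.1 in a consistent combination. The function names and the
SAMPLE_INI text below are constructed for this example."""
import configparser
from typing import Dict, List

KNOWN_COMPONENTS = {
    "DLL_INTERFACE", "COM_DLL_1_0_INTERFACE", "COM_DLL_INTERFACE", "OCX_INTERFACE",
    "COM_EXE_INTERFACE", "CR_TERMINAL", "LOCAL_SERVER", "BUNDLED_JRE",
}
SILENT_VALUES = {"yes", "no", "almost"}

# Constructed sample: the 6.2.2 SSL file as printed in the guide, with the
# merchant and terminal id still blank (the guide leaves them for the merchant).
SAMPLE_INI = r"""[Main]
Components=CR_TERMINAL,DLL_INTERFACE,BUNDLED_JRE
Silent=No
Directory=C:\PPPClient
Configuration=pospay.client.installation.password=password,pospay.client.timeout.verify=90000,pospay.client.merchant.id=,pospay.client.terminal.id=,pospay.client.gpa.input.voiceAuth.optional=true,pospay.client.address=https://pospay.payex.com:443,pospay.client.ssl.enabled=true,pospay.client.gpa.communicationType=http
GPAConfiguration=FlexiTerm.0.port=COM1
"""


def parse_configuration(value: str) -> Dict[str, str]:
    """Split the Configuration entry, 'key=value,key=value,...'. Keys are
    lower-cased because the guide's examples spell them both POSPay.client.*
    and pospay.client.*; the values in the guide contain no commas."""
    props = {}
    for item in value.split(","):
        if item.strip():
            key, _, val = item.partition("=")
            props[key.strip().lower()] = val.strip()
    return props


def load_ini(text: str) -> dict:
    # Only '=' as delimiter: values such as https://...:443 contain ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    main = cp["Main"]
    return {
        "components": [c.strip().upper() for c in main.get("Components", "").split(",") if c.strip()],
        "silent": main.get("Silent", "").strip().lower(),
        "directory": main.get("Directory", "").strip(),
        "configuration": parse_configuration(main.get("Configuration", "")),
        "gpa": main.get("GPAConfiguration"),
    }


def check_ini(text: str, gpa_emv_client: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the file passes."""
    ini = load_ini(text)
    cfg = ini["configuration"]
    findings = [f"unknown component {c}" for c in ini["components"] if c not in KNOWN_COMPONENTS]
    if ini["silent"] not in SILENT_VALUES:
        findings.append(f"Silent must be Yes, No or Almost, got {ini['silent']!r}")
    for key in ("pospay.client.merchant.id", "pospay.client.terminal.id"):
        if not cfg.get(key):
            findings.append(f"{key} is empty; the id from PayEx is required (6.1)")
    address = cfg.get("pospay.client.address", "").lower()
    ssl_enabled = cfg.get("pospay.client.ssl.enabled", "").lower() == "true"
    comm_type = cfg.get("pospay.client.gpa.communicationtype", "").lower()
    if ssl_enabled:
        if not address.startswith("https://"):
            findings.append("pospay.client.ssl.enabled=true but pospay.client.address is not https:// (3.2.1)")
        if comm_type != "http":
            findings.append("pospay.client.ssl.enabled=true requires pospay.client.gpa.communicationType=http (3.2.1)")
    elif address.startswith("https://"):
        findings.append("pospay.client.address is https:// but pospay.client.ssl.enabled is not true (3.2.1)")
    if ini["gpa"] is not None and not gpa_emv_client:
        findings.append("GPAConfiguration is only valid in the GPA EMV client ini file (6.2.1)")
    return findings


if __name__ == "__main__":
    for finding in check_ini(SAMPLE_INI) or ["no findings"]:
        print(finding)
```

Run before a silent installation (Silent=Yes), where no dialog would otherwise reveal a blank id or an address set to https:// without pospay.client.ssl.enabled=true. Pass gpa_emv_client=False for the other client types, whose ini files must not carry the GPAConfiguration entry.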