POSPay Client Installation Guide 1 Changes

POSPay Client
www.payex.no
Installation Guide
PayEx Solutions AS
PO.Box 308 Sentrum
N-0167 Oslo
Switch: +47 22 03 63 00
[email protected]
Document information:
AUTHOR:
Marte H. Austdal, PayEx Solutions AS
1 Changes
Change log:
Date        Description
2009-03-13  Initial version
2009-03-18  Corrections of offline retention time, some other minor adjustments
2009-03-18  Finalized into version 1.0
By: Marte Austdal, Lars J. Vigeland, Lars Marlow Krosby
_________________Installation Guide__________________
Table of contents
1 Changes
2 NB: Important information
2.1 Background
2.2 Requirements to merchants, resellers and integrators
2.2.1 Sensitive data
2.2.2 Logs
2.2.3 Backup solution / offline transactions
2.2.4 Receipts
2.2.5 Access control
2.2.6 Wireless network
2.2.7 Cardholder data and the internet
2.2.8 Remote access
2.2.9 Non-console administration
3 Additional information
3.1 Security updates
3.2 Traffic from/to the POSPay client
3.2.1 SSL
3.3 The POSPay client
3.4 Test or production
4 Install PinPad
5 Download POSPay client
6 Install POSPay Client
6.1 Before installation
6.2 ini file installation
6.2.1 Example file
6.2.2 SSL Example file
6.3 Manual installation without .ini file
2 NB: Important information
2.1 Background
A brief overview of some of the standards the POSPay Client complies with is given below:
PCI DSS
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other
critical protective measures. This comprehensive standard is intended to help
organizations proactively protect customer account data.
The POSPay Client is PCI DSS compliant from version 3.1.18.
Please visit https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for
more information about PCI DSS.
PA DSS
PA DSS is the PCI Security Standards Council-managed program formerly under the
supervision of the Visa Inc. program known as the Payment Application Best Practices
(PABP). The goal of PA-DSS is to help software vendors and others develop secure
payment applications that do not store prohibited data, such as full magnetic stripe,
CVV2 or PIN data, and ensure their payment applications support compliance with the
PCI DSS. Payment applications that are sold, distributed or licensed to third parties are
subject to the PA-DSS requirements. In-house payment applications developed by
merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
The POSPay Client is PA DSS compliant from version 3.1.18.
Please visit https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for
more information about PA DSS.
PCI PED
To gain approval by the PCI Security Standards Council, PEDs (PIN entry devices) must comply with the requirements and guidelines specified in the Council's PED security requirements documents.
The Sagem Flexi 2 is PCI PED approved and can be ordered from POS System AS as of now.
Please visit https://www.pcisecuritystandards.org/security_standards/ped/index.shtml for more information about PCI PED.
EMV
EMV (Europay, MasterCard, Visa) is the global standard that is helping ensure smart
cards, terminals and other systems can interoperate.
EMV chip-based payment cards, also known as smart cards, contain an embedded
microprocessor, a type of small computer. The microprocessor chip contains the
information needed to use the card for payment, and is protected by various security
features. Chip cards are a more secure alternative to traditional magnetic stripe payment
cards.
The EMV standard defines the interaction at the physical, electrical, data and application
levels between IC cards and IC card processing devices for financial transactions.
Portions of the standard are heavily based on the IC Chip card interface defined in ISO
7816.
The POSPay Client has passed several EMV certifications in Norway (with BBS and Nordea as processors), Sweden (done by SCC with Swedbank as processor) and Denmark (with NETS as processor).
EMV certification of the POSPay Client in Denmark (with PBS as processor) is scheduled for April 2009.
Please visit http://www.emvco.com/specifications.aspx for more information about the EMV standard.
2.2 Requirements to merchants, resellers and integrators
The following requirements must be complied with, and it is very important that you are fully aware of them.
These requirements are absolutely necessary for PCI DSS and PA DSS compliance; PayEx Solutions AS cannot be held responsible if the requirements are not upheld.
2.2.1 Sensitive data
In old versions of the POSPay client, sensitive data may be stored in logs or in the POSPay client's database. Sensitive data will be cleaned up if you follow the instructions in this chapter (2.2).
The data elements below are the ones PCI DSS regulates. Cardholder data may be stored if it is protected; sensitive authentication data must never be stored after authorization, even if encrypted:
Category                       Data element               Storage permitted
Cardholder data                Primary Account Number     Yes (must be rendered unreadable wherever it is stored)
                               Cardholder Name            Yes
                               Service Code               Yes
                               Expiration Date            Yes
Sensitive authentication data  Full Magnetic Stripe Data  No
                               CAV2/CID/CVC2/CVV2         No
                               PIN/PIN Block              No
In some scenarios it may be necessary for you as a merchant to collect sensitive data:
• Offline scenarios where the full PAN is printed on the receipt (see chapter 2.2.4)
• A problem has occurred in a transaction and sensitive data is collected to solve the issue
• Etc.
If you for some reason have collected sensitive data, please see to it that the following procedures are followed to comply with the PCI DSS and PA DSS standards:
• Collect sensitive authentication data only when needed to solve a specific problem.
• Store such data only in specific, known locations with limited access.
• Collect only the limited amount of data needed to solve a specific problem.
• Encrypt sensitive authentication data while stored.
• Securely delete such data immediately after use.
Please note that cardholder data in the PCI DSS and PA DSS compliant POSPay client will be stored encrypted in two scenarios only, and only in its database (path: %POSPAY_HOME%\data, files: database.script and database.log):
• Backup/offline transactions (also see chapter 2.2.3 for notes on clean-up of offline transactions)
• Last transaction. Must be stored if the POSPay client is to be able to perform reversals.
2.2.2 Logs
When a PCI compliant client is installed, any old logs from any old version of the POSPay client, if existing, must be deleted. These logs may contain sensitive data and constitute a security risk.
The logs are located in %POSPAY_HOME%\logs.
Be especially aware of logs that you may have moved from their original folder. Should such logs be used for malicious purposes like fraud it will be your responsibility; POS is not responsible for files removed from the %POSPAY_HOME% folder (home directory for the installation, like C:\Program Files\POSPay).
If you should fail to delete your old logs right away, the POSPay Client will clean them up when their timestamp reaches 30 days (as long as the logs have not been tampered with, renamed etc.). Remember, this is the backup solution; old logs should be deleted manually by you.
Be aware that this also concerns logs from the new installation of the POSPay client: by default all logs will be deleted when they reach 30 days.
2.2.3 Backup solution / offline transactions
It is no longer allowed to store cardholder data for indefinite time periods, even if the data is encrypted.
This requirement affects the transactions performed with the backup solution (offline transactions), because offline transactions, which contain encrypted cardholder data, are stored in the POSPay Client's local database while awaiting online state.
Please note that normally the POSPay Client should not be offline for more than a few hours at most. When the client has an online connection again, the offline transactions are immediately transferred to the server and deleted from the client.
If the client is offline for a longer period, the following actions will be taken by the POSPay Client to meet this requirement:
1. From the point when the first offline transaction in the POSPay Client database exceeds the warn-limit, default 7 days (configurable), a warning will be displayed every time a financial transaction is initiated.
This warning will contain a message like "Offline limit exceeded, call support +47 99401150".
The same warning will be shown if more than 500 (default) offline transactions are stored, also a configurable value.
2. The warning will not block you from using the till or the client, but you will need to confirm or reject the warning. A confirm allows you to continue with the transaction, a reject will abort the transaction.
3. We recommend that POS support is contacted as soon as possible to solve the problem.
4. If the problem is not solved in 30 days (configurable), further actions must be taken in the POSPay client. You as a merchant may choose between the following options:
a) Offline transactions older than the 30-day limit are deleted. After the offline transactions are deleted, the client will function as normal. This is an automatic job initiated and performed by the client itself.
Please note that if offline transactions are deleted from your client, the only way you as a merchant can retrieve your money is to physically send the signed receipt to the acquirer.
b) The client detects that offline transactions older than 30 days exist and will deny any financial transaction in the client until this is cleaned up/solved. The detect job is automatically performed by the client itself, but the follow-up (calling POS support) must be performed by you as merchant.
Please note that it will be impossible to perform a payment with card or any other action in the client until this is cleaned up.
We would like to note that normally offline transactions are flushed almost immediately after they are performed. If an offline transaction gets, for example, two days old on the client, there is most likely a problem with, for example, the internet connection.
Note: Default setup is deletion of transactions older than 30 days.
Note: All values are configurable so that each merchant can set up the most efficient limits for their business.
2.2.4 Receipts
There are strict requirements when it comes to storage of the PAN/card number.
Some ECRs locally store the receipt data sent by the POSPay Client. The PAN is always masked on online receipts, but offline receipts normally contained the whole PAN in versions prior to POSPay Client 3.1.18, as this is necessary if you are forced to use a signed receipt to get your money from the acquirer for a purchase.
To avoid problems with storage of the PAN, the PAN on offline receipts will be "masked" like:
123456__ __ __ __ __ __1234
(see example receipt below)
You as a merchant must fill in the missing digits of the PAN by hand on the paper receipt, or else you risk not getting your money if you for some reason are forced to send the receipt to the acquirer.
It is possible to turn off this function and print the entire PAN on offline receipts, but then it is the ECR vendor's/merchant's responsibility that the PAN is not electronically stored anywhere in the system.
Note that you as a merchant are always responsible for storing offline receipts with full PAN in a safe location.
2.2.4.1 Example receipt
SIGNATURE PAYMENT
BAX 578141-4
BANKKORT
957852__ __ __ __ __ __ __ __ 0198
Expire: 12/2012
2009-03-13 16:51
Ref: 123695950828-L07501
Amount    NOK    2.00
Total     NOK    2.00
AID: D5780000021010
CG: E7AAE0AE8594AA48
TVR: 8000088000
Godkjennes for debitering av min konto i henhold til ovenstående
(Approved for debiting of my account in accordance with the above)
**** Må fylles ut (Must be filled in) ****
Bankkortets kontrollnr (Bank card control number): __________________________
Kortholders signatur (Cardholder's signature): _____________________________
********************************
* Arkiveres i butikk i henhold *
*      til regnskapsloven      *
********************************
(To be archived in the shop in accordance with the Accounting Act)
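As an added example (editor's code, not code from this guide or from PayEx), the following Python script shows the two checks a merchant or integrator would want around the clean-up described in 2.2.1, 2.2.2 and 2.2.4: scanning old log or stored receipt data for unmasked PANs and track-2 data before deleting it, and masking a PAN in the offline-receipt format shown above. A Luhn check separates real card numbers from reference numbers and EMV tags that merely look like them. The sample log lines are constructed for the example and do not reproduce the client's real log format; the regular expressions, the 13-19 digit PAN length and the reporting format are the editor's assumptions, not the client's implementation.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 12-digit reference number is not picked up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 shape: PAN, field separator '=', then expiry/service code digits.
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every real PAN, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the unmasked, Luhn-valid PANs found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_for_receipt(pan: str) -> str:
    """Mask a PAN the way the guide shows for offline receipts:
    first 6 digits, one '__' per hidden digit separated by spaces, last 4 digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    hidden = " ".join("__" for _ in range(len(pan) - 10))
    return pan[:6] + hidden + pan[-4:]


def report_value(pan: str) -> str:
    """Never copy a full PAN into a report; keep first 6 and last 4 only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> list:
    """Scan log or receipt lines; returns (line number, kind, masked value) tuples."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if TRACK2_RE.search(line):
            findings.append((no, "track2", "<present>"))
        for pan in find_pans(line):
            findings.append((no, "pan", report_value(pan)))
    return findings


# Constructed sample lines in the style of a client log (not real POSPay output).
# Line 2 carries a receipt-style masked PAN, line 3 an unmasked test PAN,
# line 4 track-2 data, line 5 an EMV AID that is 13 digits but fails Luhn.
SAMPLE_LOG = [
    "2009-03-13 16:51:02 INFO  tx=123695950828 amount=2.00 NOK result=OK",
    "2009-03-13 16:51:02 DEBUG receipt pan=957852__ __ __ __ __ __ __ __ 0198",
    "2009-03-13 16:52:10 DEBUG card read: 4111 1111 1111 1111 exp=12/12",
    "2009-03-13 16:52:10 TRACE track2=;4111111111111111=1212101?",
    "2009-03-13 16:53:00 DEBUG AID: D5780000021010 TVR: 8000088000",
]

if __name__ == "__main__":
    for no, kind, value in scan_lines(SAMPLE_LOG):
        print(f"line {no}: {kind} {value}")
    print(mask_for_receipt("4111111111111111"))  # 411111__ __ __ __ __ __1111
```

Run it against the files under %POSPAY_HOME%\logs (and any receipt data an ECR keeps) before and after the clean-up; a hit on "pan" or "track2" means the file must be securely deleted rather than archived. The scanner only ever reports truncated values, so its own output does not become a new store of cardholder data.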
2.2.5 Access control
It is recommended that access control is implemented for the POSPay client installation.
Access to the installation should only be granted to a trusted admin; any tampering with the installation might lead to a corruption of the POSPay client which causes it to be unusable.
2.2.6 Wireless network
If wireless networking is used by the merchant, necessary precautions must be taken. The network must be implemented securely according to industry best practice:
• Perimeter firewalls must be installed between any wireless networks and the cardholder data environment
• Firewalls must be configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
• Strong encryption for authentication and transmission must be implemented:
o Encryption keys are changed from default at installation, and are changed any time anyone with knowledge of the keys leaves the company or changes position
o Default SNMP community strings on wireless devices are changed
o Default passwords/passphrases on access points are changed
o Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2; WEP does not qualify)
o Other security-related wireless vendor defaults are changed, if applicable
2.2.7 Cardholder data and the internet
Data containing cardholder data must never be stored on media accessible from the internet.
Data from the POSPay client installation should never be moved from %POSPAY_HOME%.
2.2.8 Remote access
PayEx Solutions AS does not have remote access to the POSPay client and does not use remote access for installations. Installations are performed by the merchants/vendors.
If customers/integrators use remote access, make sure the following requirements are fulfilled:
• Remote access technologies must only be turned on when needed by vendors and turned off immediately after
• Remote access must be authenticated using a two-factor authentication mechanism
• Secure implementation of remote access:
o Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
o Allow connections only from specific (known) IP/MAC addresses.
o Use strong authentication and complex passwords for logins.
o Enable encrypted data transmission (for example SSL/TLS or IPsec).
o Enable account lockout after a certain number of failed login attempts.
o Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.
o Enable the logging function.
o Restrict access to customer passwords to authorized reseller/integrator personnel.
o Establish customer passwords, and make sure unique user ids are used.
2.2.9 Non-console administration
If non-console administration is used, the following requirements must be fulfilled:
• Encrypt all non-console administrative access
• Technologies such as SSH, VPN or SSL/TLS must be used for web-based management and other non-console administrative access.
3 Additional information
3.1 Security updates
The POSPay client bundles Java in its releases (optional).
To detect vulnerabilities or security updates in Java, PayEx has an agreement with Secunia.
Secunia's main area of operation is discovering and alerting customers about bugs, vulnerabilities, security patches and/or updates in known software and applications like Microsoft's or Sun's products.
Note that a bundled JRE is only replaced when a new POSPay Client release is installed, so keep the client itself current.
3.2 Traffic from/to the POSPay client
3.2.1 SSL
SSL is supported for clients which authorize directly with the POSPay Transaction server. This is fully supported by the POSPay_Client_EMV installation. Other client types like IPOS and Manison require a direct communication link with an authorization server which does not support SSL, but the link towards the POSPay transaction server for reporting can be enabled with SSL.
To enable SSL the following settings must be set in config.properties:
pospay.client.address=https://pospay.payex.com:443
pospay.client.ssl.enabled=true
pospay.client.gpa.communicationType=http
3.3 The POSPay client
There are several different types of the POSPay Client. Each type has a different layer of communication to the PED and transaction server/acquirers, but they all share a common core.
Quick overview of the types (the original table has the columns Typename, Country, Current version, PED, PCI compliant and Note):
Typename:        GPA EMV, IPOS, MANISON, PSAM, NOPINPAD, TOREX
Country:         NO, SE, DK (GPA EMV); SE (IPOS); FI; DK; NO; All (TOREX)
Current version: 3.1.17 for every type except TOREX (-)
PED:             Flexi, Flexi2, Flexi LAN, Verifone, Flexi Lan
PCI compliant:   X for every type except TOREX (-)
Notes:           Host Swedbank, copy-tx to POSPay tx-server; Host PBS, copy-tx to POSPay tx-server; Will be phased out when all NO merchants have the GPA EMV client; Phased out; Phased out
3.4 Test or production
Four installers for each client type are built for a release:
No  Name                                            Note
1   POSPay_Client-<version>_<type>.exe              Production version with Java bundled
2   POSPay_Client-<version>_<type>_NOJRE.exe        Production version without Java bundled
3   POSPay_Client-<version>_<type>_Test.exe         Test version with Java bundled
4   POSPay_Client-<version>_<type>_Test_NOJRE.exe   Test version without Java bundled
4 Install PinPad
The Sagem Flexi PinPad used to read customer cards is installed as described below.
The installation of the received pinpad should be performed as follows:
Unwrap the power supply and the COM cable (the cable from the pinpad to the PC).
The cables are connected as displayed on the illustration.
The cable with the circular end is for power and must be inserted in the power outlet.
The cable with the square end handles data communication between the PC and the pinpad. This must be attached to the PC through a COM port (see illustration). The COM port has nine pins.
When the power supply is inserted into the power outlet, the pinpad will light up for a short moment. That means it is OK.
Messages like "Insert card" will not be displayed before the POSPay client is installed and started.
For more information, visit our website http://pim.payex.com/pos
Username: download
Password: loaddown
Contact your ECR/cash register supplier if any problems should occur.
You could also contact us directly by mail: [email protected] or on phone number: +47 99401150
5 Download POSPay client
Go to our website http://pim.payex.com/pos
Username: download
Password: loaddown
Press OK.
After log in, the download site will appear. Scroll to section 4 as displayed below.
Press the link of the desired client, e.g. Norwegian Production Client including Java 1.5.
Choose Save and then where to store the install file on your PC.
E.g. choose Desktop to more easily locate the file later on.
6 Install POSPay Client
6.1 Before installation
To install the POSPay client, you must have a unique merchant and terminal id within the POSPay system.
Note that you need different merchant and terminal ids for production and for test clients.
The unique id is entered during installation and used to verify you on the POSPay transaction server (see merchant and terminal id in the ini file in 6.2.1).
You will receive the unique id from PayEx.
If you have not received this, please contact PayEx and you will receive your unique id within a short time. Without your id, you will not be able to install your client.
6.2 ini file installation
We recommend that a .ini file is used to install the POSPay Client. The .ini file should contain all necessary information to install the client.
POS support will assist the merchants in generating a .ini file for their installation.
The ini file takes no account of whether the installer is for the test or the production environment.
Quick explanation of the example file:
Property          Values                  Comment
Components        DLL_INTERFACE           DLL integration
                  COM_DLL_1_0_INTERFACE   COM-DLL 1.0 integration
                  COM_DLL_INTERFACE       COM-DLL integration
                  OCX_INTERFACE           OCX integration
                  COM_EXE_INTERFACE       COM-EXE integration
                  CR_TERMINAL             Bundles Cash Register, the ECR simulator supplied by POS
                  LOCAL_SERVER            Bundles the local server for the hotel and restaurant solution
                  BUNDLED_JRE             Bundles the correct version (1.5) of Java
Silent            YES                     Installation is performed completely silently based on the info in the .ini file; no dialog boxes will be shown to the user.
                  NO                      All dialog boxes will be shown to the user, see next chapter.
                  Almost                  Some dialog boxes will be shown to the user, all info is autofilled. See next chapter for more information.
Directory         C:\PPPClient            Path to the installation
Configuration                             Config values, see API documentation. Values other than the defaults should be agreed with POS.
GPAConfiguration                          Config values for the third-party component (the PED). POS will supply these.
6.2.1 Example file
This example file is for the GPA EMV client. In ini files for other client types, the entry GPAConfiguration must be excluded:
[Main]
Components=DLL_INTERFACE,BUNDLED_JRE
Silent=Yes
Directory=C:\PPPClient
Configuration=POSPay.client.installation.password=password,POSPay.client.timeout.verify=90000,POSPay.client.merchant.id=1,POSPay.client.terminal.id=1,POSPay.client.enableReversalCardCheck=true,POSPay.client.enableReversalAmountCheck=false,POSPay.client.gpa.input.voiceAuth.optional=true,POSPay.client.retryReversal=true
GPAConfiguration=FlexiTerm.0.port=COM1
6.2.2 SSL Example file
This example file is for the GPA EMV client with SSL. In ini files for other client types, the entry GPAConfiguration must be excluded:
[Main]
Components=CR_TERMINAL,DLL_INTERFACE,BUNDLED_JRE
Silent=No
Directory=C:\PPPClient
Configuration=pospay.client.installation.password=password,pospay.client.timeout.verify=90000,pospay.client.merchant.id=,pospay.client.terminal.id=,pospay.client.gpa.input.voiceAuth.optional=true,pospay.client.address=https://pospay.payex.com:443,pospay.client.ssl.enabled=true,pospay.client.gpa.communicationType=http
GPAConfiguration=FlexiTerm.0.port=COM1
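As an added example (editor's code, not the installer's or PayEx's), here is a Python validator for an installation .ini that checks the points this guide makes about the Configuration entry: the three settings from section 3.2.1 that turn SSL on, and the merchant and terminal id from section 6.1 that must be filled in before installation. It parses the [Main] section with the standard configparser module, splits the comma-separated Configuration and GPAConfiguration entries into key/value pairs, and reports what is missing or weak. The embedded ini text is a copy of the 6.2.2 example above with the ids left empty as in the guide, so a run shows exactly those two problems; the lower-casing of keys for lookup is the editor's choice, made because the guide shows both POSPay.client.* and pospay.client.* spellings.

```python
import configparser
from urllib.parse import urlsplit

# Copy of the SSL example .ini from section 6.2.2 (merchant and terminal id
# left empty exactly as in the guide's example).
SSL_EXAMPLE_INI = r"""[Main]
Components=CR_TERMINAL,DLL_INTERFACE,BUNDLED_JRE
Silent=No
Directory=C:\PPPClient
Configuration=pospay.client.installation.password=password,pospay.client.timeout.verify=90000,pospay.client.merchant.id=,pospay.client.terminal.id=,pospay.client.gpa.input.voiceAuth.optional=true,pospay.client.address=https://pospay.payex.com:443,pospay.client.ssl.enabled=true,pospay.client.gpa.communicationType=http
GPAConfiguration=FlexiTerm.0.port=COM1
"""


def parse_pairs(value: str) -> dict:
    """Split a 'key=value,key=value' list into a dict.
    Keys are lower-cased for lookup (the guide shows both POSPay.client.* and
    pospay.client.* spellings); empty values are kept so they can be reported."""
    pairs = {}
    for item in value.split(","):
        if not item.strip():
            continue
        key, _, val = item.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def parse_ini(text: str) -> dict:
    """Read the [Main] section of an installation .ini into plain Python values."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    main = cp["Main"]
    return {
        "components": [c.strip() for c in main.get("Components", "").split(",") if c.strip()],
        "silent": main.get("Silent", ""),
        "directory": main.get("Directory", ""),
        "configuration": parse_pairs(main.get("Configuration", "")),
        "gpaconfiguration": parse_pairs(main.get("GPAConfiguration", "")),
    }


def check_configuration(conf: dict) -> list:
    """Return a list of problems; an empty list means the SSL settings from
    section 3.2.1 are all present and the ids from section 6.1 are filled in."""
    problems = []
    address = conf.get("pospay.client.address", "")
    if urlsplit(address).scheme.lower() != "https":
        shown = address or "(unset)"
        problems.append(f"pospay.client.address must start with https://, got {shown}")
    if conf.get("pospay.client.ssl.enabled", "").lower() != "true":
        problems.append("pospay.client.ssl.enabled must be true")
    if conf.get("pospay.client.gpa.communicationtype", "").lower() != "http":
        problems.append("pospay.client.gpa.communicationType must be http when SSL is enabled")
    for key in ("pospay.client.merchant.id", "pospay.client.terminal.id"):
        if not conf.get(key):
            problems.append(f"{key} is empty; fill in the id received from PayEx")
    return problems


if __name__ == "__main__":
    parsed = parse_ini(SSL_EXAMPLE_INI)
    for problem in check_configuration(parsed["configuration"]):
        print("PROBLEM:", problem)
```

Run the validator on the .ini that POS support generated for you before starting the silent installer: with Silent=Yes there are no dialogs in which a missing id or a plain http address would be noticed, and the client will otherwise be installed with whatever the file says.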
6.3 Manual installation without .ini file
After selecting type of client, test/production environment and bundled/not bundled Java, you are ready to install the POSPay Client.
• Run the desired .exe file and you should be presented with the following window; press "Next".
• A new window will appear that lets you choose where to install the client. The default path is fine, but any path on your local machine will do. After you have entered the desired path, press "Next".
• The next window allows you to choose which components to install/integration to use. Press "Next".
• For testing, the default option "Java integration w/cash register terminal" is often used. You will then get the POSPay ECR simulator installed. Alternatively, if you are running a DLL integration between your ECR and the POSPay Client, you could use "Custom" and check both "Java integration w/cash register terminal" and "DLL integration" (small image below).
• The last of the option windows asks which Start Menu folder to create, and allows you to check if you don't want any. Make your selection and press "Next"; this should start the installation of the files.
• Installing…
• During the installation, a window pops up asking for "Brukerstedsnr" (merchant number) and "terminalnr" (terminal number). You should have received your merchant id (brukerstedsnr) and terminal id (terminalnr) from POS support beforehand.
• Fill in the required information and press OK.
• The settings window appears. In this one you need to fill in the "Passord" (password) field with "password". Additionally, you have to choose which COM port the pinpad will be connected to.
• Press "Lagre" (Save) and "Avslutt" (Exit) in that order.
• That is all; the last window confirms that the installation is complete. Press "Finish" to exit the installer.