StoreGazer and the PCI Data Security Standard (DSS) V3

The following outlines the steps EDJ has taken to ensure that StoreGazer and the COPS feature of StoreGazer are compliant with the Payment Card Industry's Data Security Standard Document (DSS) V3. StoreGazer is a 4690 systems management application that allows its users to monitor and support IBM 4690 point of sale systems. COPS is an optional feature of StoreGazer that allows its users to audit, create, and modify user accounts on an IBM 4690 point of sale system. Neither StoreGazer nor COPS accesses, or provides access to, cardholder data or other sensitive data as defined by the Data Security Standard Document V1.2. This document examines each of the 12 requirements of the Data Security Standard Document V1.2 and outlines how StoreGazer is compliant with the requirements and helps retailers meet the requirements of the standard in the IBM 4690 POS environment.


Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Not Applicable. This section applies to hardware settings and corporate policy.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Not Applicable. This section applies to corporate policy.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Not Applicable. Neither StoreGazer nor COPS accesses cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Not Applicable. Neither StoreGazer nor COPS accesses or transmits cardholder data.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Not Applicable. This section applies to corporate policy.

Requirement 6: Develop and maintain secure systems and applications.

Not Applicable. This section applies to corporate policy.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Not Applicable. This section applies to corporate policy.

Requirement 8: Identify and authenticate access to system components.

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.

StoreGazer and COPS require a user ID and password to gain access to the application. The user ID identifies the role and permissions the user has within the StoreGazer and COPS applications. Actions allowed by StoreGazer and COPS can be individually turned on or off per user or per user group.

The following are features within COPS which address subsections 8.1.1 through 8.1.8:

8.1.1 COPS allows administrators to set unique user IDs before allowing users to access system components.

8.1.2 Administrators can add, delete, and modify user IDs and permissions through COPS.

8.1.3 COPS enables administrators to revoke the access of specific users.

8.1.4 Administrators can remove or disable specific user accounts through COPS.

8.1.5 Administrators can disable all permissions for specific users through COPS.

8.1.6, 8.1.7 Auto-lockout functionality is not currently available.

8.1.8 Requiring idle users to reactivate the terminal is not currently available.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; something you are, such as a biometric.

StoreGazer and COPS require a password, in addition to the unique ID, to gain access to the applications.

8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

Not Applicable. StoreGazer and COPS do not provide access to the network.

8.4 Document and communicate authentication procedures and policies to all users, including: guidance on selecting strong authentication credentials, guidance on how users should protect their authentication credentials, instructions not to reuse previously used passwords, and instructions to change passwords if there is any suspicion that the password could be compromised.

StoreGazer and COPS passwords are encrypted.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: generic user IDs are disabled or removed; shared user IDs do not exist for system administration and other critical functions; and shared and generic user IDs are not used to administer any system components.

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

Requirement 9: Restrict physical access to cardholder data.

Not Applicable. This section applies to corporate policy.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.