EDC Showing all Credit Card Numbers

[RosemarysBaby]

Hey
Does anyone know how to mask the full credit card number from showing up on the EDC transaction report? I'm assumming it's somewhere in the edc.ini but I can't find it. Thank you.
Aloha V.6.1.16

 

[SwampGas]

I wrote a program that will go through all the settings in the ALOHA.INI and TDR.DBF and change them if needed, and we run it everynight during EOD to ensure this never happens, but here is the settings to adjust manually:


1.
Adjust receipt printing in the Tender settings:
From Aloha Manager, go into MAINTENANCE / PAYMENTS / TENDER SETTINGS. Then select each credit card type tender you have defined. On each tender, go into the TYPE tab and uncheck the, "Print Expiration" option.

You can make the tender adjustments directly on the TDR.DBF file by changing the value in any fields in the database named, "PRINTEXP" change the value to, "N".


2.
Then go to MAINTENANCE / STORE SETTINGS / CREDIT CARD group / Voucher Printing 2 tab.
Check the option that says, "Suppress Expiration Dates".


These settings can also be changed directly in the ALOHA.INI file:
DONOTPRINTEXPONVOUCHER = TRUE
MASKCREDITCARDNUMBERS = 2



FACTA law requires you to NOT show expiration dates on any receipts, and credit card numbers must be masked on any receipt that a guest has. The receipt you keep by law can have the full number on it, but if it isn't needed for your business needs, then mask everything and save the confusion.

 

[SwampGas]

One more point, which I answered in another post. You will see the full credit card number in the AUDIT Report. This is normal

Unless you go to version 6.5 which I believe is still in pre-release to the public, there is no option to hide the expiration dates.

Since only managers should have access to Aloha manager, the business use policy is acceptable for this.

I would recommend running the DELTRACK utility nightly during EOD and set it to scrub the data after 30 days. This way any data with credit card numbers stored (Even in encrypted form) will be removed.

Keeping the setting at 30 is great, because after 30 days, you cannot re-process a card anyway and the information is totally useless after that.

Once DELTRACK is run, you will not be able to see the credit card numbers on the audit reports either.


To use the DELTRACK utility (Make sure you use the latest one). Drop it into the %IBERDIR%\BIN directory, and add the following line to your WINHOOK.BAT (Or whatever winhook file you use) -Change the path to your IBER or IBERQS directory:

%IBERDIR%\BIN\deltrack.exe /iberdir D:\AlohaQS /s /delinfo 36

 

[RosemarysBaby]

Megabyte
All good points, thank you, but we're all good on everything you mentioned.

My problem is very specific to EDC only, not customer chits. When I go to my EDC program and go under reports> review transactions; the full numbers show up with expration date. I looked all over EDC.INI. I believe the change to make is there.

Possibly the reason I can't find the line to change is because the "absence" of a certain line may be the cause the numbers aren't being mask. Do you know if there is a line I'm missing. When I search edc.ini for the word "mask" I get nothing. Should there be a mask line?

 

[SwampGas]

Not in the EDC.INI. The EDC.INI is only for configuring the EDC service for processing card information only.

There is no way to mask this information in the EDC program. Only after DELTRACK has run for a particular day's data will you no longer see the credit card information.

You have to trust that the people you give access to the EDC program can be trusted with seeing this information. for a business use policy, this is totally acceptable and does not cause issues with PCI.

I would recommend getting the PCI newsletters from Radiant that they release periodically to understand their stance and best practices to maintain PCI compliancy.



---
MegabyteCoffee.com

 

[DTSMAN]

Someone may have added a line in the edc.ini file that looks like this or very similar. It will have the word print in the variable even though it is only showing them on the screen.
printfullcardnumber=true

Bo

Remember,
If the women don't find you handsome,
they should at least find you handy.
(Red Green)

http://www.redgreen.com

 

[RosemarysBaby]

Sorry Mega, Disman got you on this one. That nailed it exactly. I had a line in my edc.ini that was "printfullcardnumber=1". I changed it to "0" and problem solved. EDC report only showing last 4 numbers now.

Thanx again to both of you.

 

[SwampGas]

That's a new one for me too!

I had no idea that option even existed. I sent an email to the developer of the EDC program to ask about this one. This isn't in any of the PCI guidelines either. Great call DTSMAN.



---
MegabyteCoffee.com

 

[SwampGas]

Ok, what version of Aloha are you using?

Here is what I was told:

On EDC versions late in 5.3(and E versions) and later, the reports will only show the last four digits of credit and debit. The line DTSMAN stated is valid on older versions of EDC (Early 5.3 and earlier).

The time I started really working with EDC, was during when the 'e' version track was started.

I Learn something new everyday!


---
MegabyteCoffee.com

 

[DTSMAN]

I think, how I understand it, is that the edc report is nothing more than print prieview. It is a function still embedded in the code from many years ago that still works when added to the ini. It was a backup for support desk to be able to retrieve information. A support tech must have added that line and then did not remove it after diagnosing the initial issues.

Bo

Remember,
If the women don't find you handsome,
they should at least find you handy.
(Red Green)

http://www.redgreen.com

 

[RosemarysBaby]

My EDC is V6.1.16
I did add that line to my .ini sometime ago when I had v5.xx. I remember having a major crash years ago and I needed the transaction reports with all numbers to do manual entry. Too much pain in the $%#& to do it from audit. Anyway, I never changed the line back in .ini. I forgot which line it was. So thanx again. I am a bit surprized that when I upgraded to v6 that this wasn't caught or that my old .ini wasn't replaced with a new .ini especially with all the CISP paranoia.

 

[SwampGas]

Good point.

I am using EDC 6.4.10 with Aloha 6.2.18. Alot of new PCI enhancements are added in Aloha POS 6.5 and EDC 6.4 and higher. I'm going to test it with EDC 6.4.10 and EDC 6.5 and see what happens.

I know with new installs, all PCI related options are now set correctly by default. I believe this didn't start happening until the 6.1 versions, and I remember the discussions Radiant and we were having when they were driving over to our office wanting to understand the PCI requirements that large customers like us were facing initially. Many of the newer PCI enhancement options were added to the AEM interface before it started to appear in the POS. -But, we have decided not to go with AEM, so we had to wait for the 6.5 releases to handle them. I plan on having 6.5 deployed nationwide by the end of 2nd quarter.


---
MegabyteCoffee.com

 

[alohatech2]

The reason there is no information out there about the printfullcardnumber flag is because it was removed from the RKS after PCI Compliance became the standard. It used to be information that was readily provided by Radiant.

We are still in the 5.3 family and another way we get card numbers out of EDC when we need them is to run a transaction detail report.

Mega, if you guys are running a cleanup program every night, make sure you are also deleting %iberdir%\tmp\report.txt

Try running an audit report for non cash payments and then open that file and you will see why. It is a text copy of the last report run in Aloha. Works for just about any report that I have tried it on. Can be really useful sometimes but dangerous for PCI.

 

[SwampGas]

Yep, we got that covered too. Good point that I think everyone should be aware of the report.txt.


Our locations never do a credit card settlement at night. We run a forced settlement during EOD and poll all the settlement files in-house and do one single credit card settlement from our office. We actually keep the card data on our servers for 14 days to check and delete duplicates if they happen to come through (Bad polling, etc). By settling credit cards this way, we save an annual of 220 thousand dollars per year in settlement fees, but it also raised our PCI concerns at first, which prompted us to figure out how to keep the BOH as PCI compliant as possible and minimize the chance of any exposure. So we went through everything with a fine tooth comb.

One of the projects I am working on this year is full drive encryption by using the Checkpoint's Pointsec product. We will be running this on all Aloha BOH machines.

---
MegabyteCoffee.com

 

[alexander00pr]

Mega, I also poll the txn file from my stores but only for backup purpose in different directory. I wonder how do you manage to put all the txn file in one directory to do a single settlement?

 

[SwampGas]

I personally would never back up the TXN files. I do back up the .STL files every night and copy them to the backup hard drive immediately following the end-of-day cycle. -We use dual hard drives, so if the primary fails, we can switch over to the backup drive in a few minutes and have the site back up.

Exporting a settlement file is a function in Aloha called the Darden export. Darden restaurants originally requested the function for one particular concept, but never used it.


Here's the simplified version of the process:

What this function does, is during EOD, the grind does a force settlement of the current open batch and exports the settlement into the dated subdirectoy file called CREDIT.POL.

CREDIT.POL is the settlement file we then reformat, encrypt and drop in the FTP outbox for upload to our servers. From there all settlement data from all locations is merged into a single file for transmission to the bank. Once the transmission is accepted, the data is deleted. -This is done nightly.

This is an incredible ability as the managers never have to settle the credit card batch (Or forget to settle the batch), and it saves a TON of money every year.

The Darden export is going through a major update that in 6.5 has an ability to export the settlement via a command line and can encrypt the file using a DLL that you create, so the export is very clean and tight.

If you want to go into more detail, contact me below.

---
-Chris
MegabyteCoffee.com

 

[kihps]

Best Credit Card Rates - Let's all chime in
thread693-1450480
The thread was closed and wanted to inquire about our monthly activity and how you are priced with Heartland. I work for Heartland and have a restaurant owner that I am trying to bring on board with us.

Thank You

 

[SwampGas]

Let's talk about your latest security breach.

---
MegabyteCoffee.com

 

[kihps]

We fully disclosed that we had a breach. Unlike other companies that hide the fact. RBS WorldPay also had a breach at the end of December 2008. These are becoming more and more frequent by hackers with credit card processing companies. Please check out our website that has all the information and what we are doing to enhance the security of our merchants information.

 

[SwampGas]

Thank You.

I have a few franchise sites that are using Heartland and other than helping them configure their POS system, we do not have any direct relationships with their processor and when they were calling me for assistance or information I was unable to help.

I'll pass your information to them. I appreciate your response.

Thanks
-Chris


---
MegabyteCoffee.com