Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Make old Aloha data PCI compliant 2

Status
Not open for further replies.

hoagiemcgee

Technical User
Dec 7, 2006
9
US
Any tips on cleaning card data from older Aloha files? Regrinding data still leaves behind some plain text card numbers in translog.

I'm hoping for something more elegant than my plan of a search-and-replace with text editor.
 
I have news for you, the encryption algorithm that the plain text files (TXN,STL) files are stored in is NOT enough to stop dedicated hackers. Just ask the music/movie industries about how encryption works. That is the reason that the PCI/CISP compliance rules were set forth in the first place. I have been complaining about the encryption issue since ver 3.55 when Ibertech first created their own EDC module, telling customers that they need to password protect the backup files.

As a consumer I am glad that there have been some concrete steps forward by Radiant to begin with, but I am VERY disturbed that all that work is thrown down the drain when a reseller creates backdoors for anyone who has access to an an Aloha file server to hack into another restaurants Aloha system by using the same passwords for pcANYWHERE, Firewall setup, etc.

One of the things that I try to do is to really tighten down security on ALL computer systems. Including who has access to the internet, updates on XP, recurring offline-spyware-virus scans, etc. Remember that the credit card data isn't the only data to worry about, you have all your employee personal data as well.

Get rid of a single user signon for the Aloha server, encrypt backups and for god sakes, change pcANYWHERE password authentication methods to public/private key encryption with different password for each user. Running it on non standard ports is also a good idea to obfuscate script kiddies running nmap scans.

Remember, it's not YOUR data your entrusted with, it's mine and your employee's data.

I would be happy to discuss offline some of the steps we take to secure systems.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top