
Micros 3700 PCI Compliant

Status: Not open for further replies.

RockHouse (Technical User), Apr 26, 2013
I'm working on getting my Micros 3700 system up and running. I was told by Micros that it would not be PCI compliant, so I paid a guy to program a button for an external, PCI compliant credit card reader. The previous owner of my restaurant just stopped by and told me that he used a program called "trustkeeper" to bring the system up to PCI compliance using the internal credit card readers... This changes my whole plan of attack. Could someone please shed some light on this?
Thanks,
Andy
 
As far as I know TrustKeeper doesn't have anything to do with credit cards directly. It's a product from TrustWave to help you reach and maintain compliancy. You may or may not get there using TrustKeeper, it really depends on why you're not PCI compliant to begin with. For instance, if you're running an old Windows 2000 version of Micros there's no 3rd party product that will bring you up to compliancy.

This might help you out
https://www.trustwave.com/pci-for-small-business/
 
So, to use the built-in card readers, I would need to upgrade my workstations to Windows XP, correct? My server is also a Windows 2000 machine.
 
Yes. Part of PCI compliancy is maintaining recent software versions. Windows 2000 and any version of Micros that runs on it are past end of life, so can't be made PCI compliant. Without an OS/Res upgrade the only choice I know of is the external card readers.
 
You can try googling "micros 3700 secure drivers" as there are options available. Just make sure whatever you find is on PCI SSC's Validated Payment Applications list: https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php


Steve Sommers
-- Creators of $$$ ON THE NET(tm) payment processing services

 
It doesn't matter if your drivers are compliant if your OS isn't. EVERYTHING needs to be compliant or you could get slammed with fees.
 
I believe you can take the operating system out of scope if you use hardware-based point-to-point encrypted (P2PE) entry devices (swipes and/or keypad). They cost some money for devices, but cheaper than replacing everything and may be an option for some.

Steve Sommers
 
I wouldn't consider it worth it to risk it. I will say this, and I know this from experience, even if you are PCI Compliant, if you are breached, you aren't. We had a retail location that had someone there signing off on their PCI Compliance at literally the same time their credit card data was being hacked. It didn't matter.

So.. just take the most secure route you can and hope you don't get targeted.
 
My thoughts exactly. If you can't upgrade stick with the external readers. Once you have cc info flowing through your POS there's a ton of other rules that have to be met for compliancy. Physical security, rotating passwords, auto time-outs, etc... and every computer on your network has to be secure, not just the POS server.
 
Exactly. They don't care how secure the transport is. If someone can steal the data, even if it is encrypted, I've been breached. No encryption is foolproof. Modern encryption is actually 'easy' to crack.. assuming you can factor prime numbers quickly at least.

Even if that isn't the case, SOMEONE out there can crack it. People used to think WEP was great.. look at it now.

So, for PCI, it might suck for the people running the credit cards to use a stand-alone terminal, but it is the safest way to do things right now. POS systems are working to catch up, but the fact that they are on a network which you are running your internet, other computers, possibly WiFi (even if it is segmented), the security risks will always be greater.

It is kind of cool that I've been seeing some mag card readers that actually encrypt the data while it is being swiped so that the workstation never at any point has the credit info in plain text. Nothing actually integrated yet, but they are coming.


I'll reiterate though, from a security stand-point, nothing beats a processor provider terminal right now.
 
RE: "It is kind of cool that I've been seeing some mag card readers that actually encrypt the data while it is being swiped so that the workstation never at any point has the credit info in plain text."

This is exactly what I was describing and many POS applications are integrating or have payment drivers to these devices -- including Micros. Yes, all encryption can be cracked. The question then moves to "is it worth it?" All things being equal, I trust hardware encryption at the reader in a P2PE environment more than I do a "fully PCI compliant" POS not using encrypting readers. After all, as far as PCI is concerned, you're only compliant until you're breached.

Steve Sommers
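As an added illustration of the point made in the last few posts (this is example code, not anything from the thread, from Micros or from a real P2PE vendor): a constructed swipe through an encrypting reader, where the workstation only ever holds ciphertext, a key serial number and a masked PAN, next to the raw-swipe flow, followed by the scope check a practitioner would actually run, a Luhn-validated scan for PAN-like digit runs over what each workstation holds. The HMAC counter-mode keystream is a stand-in for the reader's real DUKPT/AES cipher, and the device key, KSN value and test PAN are all constructed.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo material: a fake device key and a Luhn-valid test PAN, not real data.
DEVICE_KEY = hashlib.sha256(b"demo base derivation key, constructed").digest()
TRACK2 = "4111111111111111=2512101"  # PAN=YYMM+service code; test number only

def _keystream(key: bytes, ksn: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the reader's real DUKPT/AES cipher."""
    out = b""
    for block in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(key, ksn.to_bytes(10, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def reader_encrypt(track2: str, ksn: int) -> dict:
    """What a P2PE reader hands the POS: ciphertext, key serial number and masked PAN only."""
    data = track2.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(DEVICE_KEY, ksn, len(data))))
    pan = track2.split("=")[0]
    return {"ksn": ksn, "ct": base64.b64encode(ct).decode(), "masked": "*" * (len(pan) - 4) + pan[-4:]}

def processor_decrypt(record: dict) -> str:
    """Only the key holder (the processor) can recover the track: same keystream, XOR again."""
    ct = base64.b64decode(record["ct"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(DEVICE_KEY, record["ksn"], len(ct)))).decode()

def legacy_pos_view(track2: str, amount: str) -> bytes:
    """What a POS that reads the raw swipe holds in memory and logs (in PCI scope)."""
    return f"AUTH req: track2={track2} amt={amount}".encode()

def p2pe_pos_view(record: dict, amount: str) -> bytes:
    """What a POS behind an encrypting reader holds: no plaintext PAN anywhere."""
    return f"AUTH req: ksn={record['ksn']} ct={record['ct']} masked={record['masked']} amt={amount}".encode()

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(blob: bytes) -> list:
    """Scope check: Luhn-valid 13-19 digit runs in whatever the workstation holds."""
    return [m.group() for m in _PAN_RUN.finditer(blob.decode("latin-1")) if luhn_ok(m.group())]
```

Running `find_pans` over the raw-swipe view returns the test PAN; over the P2PE view it returns nothing, while `processor_decrypt` still recovers the full track from the record.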
 
Of course. No matter how hard you work, if you are breached, you aren't PCI no matter what you did.

Still, the fact remains that it is much, much harder to be breached using a stand-beside terminal.
 
I understand what you're saying, I just don't fully agree. What makes stand-alone terminals so hack resistant? They have a motherboard, memory, CPU, operating system, I/O and an application -- all in common with a POS. Yes, they are not "normally" connected to a LAN and this may be their only saving grace. Most do not have any sort of firewall. Most in the field use the default password to configure. Most are easy to reset to factory defaults (and the default password) with nothing more than a paperclip so they can be easily reprogrammed. They can also be easily swapped out with a compromised terminal. Lastly, due to the fact that most are not normally connected to the POS, you increase the chances for user error -- $10.00 authorized that should have been $100.00 and Visa-versa.

Steve Sommers
 
The problem isn't so much security. You're right that a properly secure network is just as secure. In fact, when we put our systems in, we install them with physically segmented networks, we put in real firewalls with deep packet inspection, intrusion detection, etc etc... we lock the server down with Bit9 (which runs off of our server rather than Bit9's, so that recent breach wouldn't have affected us) and Antivirus.. we don't connect the unused jacks to the switch.. etc etc.

Despite all of this that we do to make it secure, I have lost track of the number of times we have come back not even a month later to find someone plugged a personal PC loaded with all kinds of junk on it, without even anti-virus, onto our network. So, yeah, nothing infected the Micros server, but at the same time, you just created a hole through your computer into the Micros network. Bad bad bad server! These days everyone knows that 'oh, if I plug into that box with flashing lights I can get on the internet'. That is where the real problem I've seen comes in. The owner has done everything right; the idiot employees opened the doors.

And oh god.. the owners/managers with kids who think that they are computer wizards because they can program.. or know the basics of networking.. or even just know how to plug in and turn on a router.. they are the worst. They come in and screw EVERYTHING up without really understanding the big picture.

So yes.. I generally agree with you, and if I were running my own place (god forbid) I would do it with integrated processing and call it a day. But I'm also fairly confident I can MAINTAIN that PCI Compliancy, while most people wouldn't be able to. So while stand-besides are vulnerable like every other piece of hardware in the world, it is easier to maintain. Most employees know enough to go 'Hey, what the hell are you doing?' if they see someone behind the counter messing with equipment. Most employees don't know enough to realize that 'hey, that guy over in that corner has been here the last five days sniffing our traffic, watching for the pattern'.

It's all a mess though.. even if you're vigilant, someone determined to get in will get in. It's all about making it harder to hack you than it is to hack the guy down the street. Hurts to say that... but it's true.
 