
Question about Aloha 6.4 and card readers


alohaakamai3

IS-IT--Management
Aug 11, 2006
482
US
Apparently 6.4 has an annoying message that pops up to let you know your credit card transactions aren't secure if the transaction is not done on a Radiant terminal.

I'm not sure if Radiant terminals are the only hardware solution that encrypt swipes, but even if the store having this problem does eventually upgrade to all Radiant, they'd rather not advertise security vulnerabilities for the time being.

Is there a way to turn it off?
 
Enable OPOS. The risk is that most terminals do not have enough processor/RAM to run a background virus scanner; PCI compliance requires that Windows updates are applied; giving a terminal a gateway and DNS, if it is infected with a keylogger, means card data can be transmitted directly out of the LAN from the terminal.
 
Thanks IberRoot. So are you saying I should enable OPOS in the back office on non-Radiant terminals?

Also, thanks for the explanation on the typically circular logic of PCI. I'll take a stab at this in two parts.

1- So you're saying if you have Windows updates running (i.e. somehow connected to the internet) AND have a virus scanner running, you're technically PCI compliant. And thus don't really need to have the encrypted swipers; they aren't officially part of PCI compliance.

2- But because Radiant's terminals can encrypt the transmission at the MSR level... you still need Windows updates but not antivirus?
Or neither.

Thanks for your help.
 
If:
a. terminal can reach web
b. infected with keylogger
c. router protocols have not been locked down
d. content filtering (port 80) has not been locked down.

terminal can transmit card data out of the network, not pci compliant.

If:
a. terminal running current def's on background virus scanner.
b. probably not infected with keylogger.
c. router protocols not capable of being locked down.
d. router does not support content filtering.

card data probably won't be compromised, but not pci compliant.


I think they are looking at potential configuration errors across the board.

pci compliance 2.0 is no joke, it covers a lot including lan vulnerability scanning, not just the public IP, monitoring of changes to OS (including terminals), local policy configuration such as local account password expiration and complexity, etc.

a. terminal configured to access web
b. terminal has current def's with background virus scanner.
c. terminal has ManageEngine SMP Pro installed with compliant config on server
d. terminal has had local policy modified to support password complexity and expiration, NTLMv2 disabled, guest acct toast etc.
e. router protocols configured to support only required communication by employing deny all rule.
f. router content filtering employed to support only required credit card processing sites.

terminal is pci compliant, unlikely to transmit cc data.
-except when you add a dvr on the same lan segment.

As far as I know, Radiant's terminals do not encrypt MSR data, unless you purchase a secure MSR, encode a shared encryption key at firmware level in the MSR and the target app, be it Maitre'D, Aloha, etc... But if you use OPOS, Aloha doesn't seem to complain, and I don't think using OPOS magically turns off keyboard wedge functions at the MSR.

And here's one for ya, use of RFS: supposedly makes Aloha PCI compliant, yet it uses the M$ ACL with NETBIOS LANA segment locking for CTL, runs as a service-based DCOM package (not a tray applet), and defeats the M$ EULA 10-connection limit, technically violating every terminal EULA out there and in effect preventing end users from being able to continue to use Windows. They say it must be used under Aloha to be PCI compliant, so does PCI compliance actually exist in Aloha? Well, the BSA hasn't raided yet, but I'm not counting chickens.

To my understanding, antivirus on terminals was not entirely clear, but is a requirement on BOH, if you are still allowed to use Windows.
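The local account policy items from point (d) above (password complexity and expiration, Guest account disabled), applied and then read back on a Windows terminal, as an added example that is not code from this thread or from Aloha/Radiant. The threshold values, the function names and the temp file paths are assumptions; the NTLM setting is left out.

```powershell
# Added example, not from the thread. Applies the point (d) local policy items
# and verifies them from the live settings. Thresholds are assumed placeholders,
# not figures quoted by the post or by PCI DSS. Run from an elevated prompt.
$MinLength  = 12
$MaxAgeDays = 90
$History    = 4

function Set-TerminalAccountPolicy {
    # Length, age and history: net accounts exists on every Windows POS build.
    net accounts /minpwlen:$MinLength /maxpwage:$MaxAgeDays /uniquepw:$History | Out-Null

    # Complexity is only exposed through the security template, so round-trip it.
    $inf = Join-Path $env:TEMP 'terminal-secpol.inf'
    $sdb = Join-Path $env:TEMP 'terminal-secpol.sdb'
    secedit /export /cfg $inf | Out-Null
    (Get-Content $inf) -replace '^PasswordComplexity\s*=\s*\d+', 'PasswordComplexity = 1' |
        Set-Content $inf
    secedit /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $inf, $sdb -ErrorAction SilentlyContinue

    # Guest account: disable rather than delete so the change is reversible.
    net user Guest /active:no | Out-Null
}

function Test-TerminalAccountPolicy {
    # Read values back instead of trusting exit codes; net accounts prints
    # lines such as "Maximum password age (days):    90".
    $acct = net accounts
    $val  = { param($label) (($acct | Select-String $label).Line -split ':')[1].Trim() }
    $age  = (& $val 'Maximum password age') -as [int]   # $null when "Unlimited"

    $chk = Join-Path $env:TEMP 'terminal-check.inf'
    secedit /export /cfg $chk | Out-Null
    $complex = $null -ne (Get-Content $chk | Select-String '^PasswordComplexity\s*=\s*1')
    Remove-Item $chk -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MinLengthOk  = ([int](& $val 'Minimum password length')) -ge $MinLength
        MaxAgeOk     = ($null -ne $age) -and ($age -le $MaxAgeDays)
        HistoryOk    = (& $val 'Length of password history') -ne 'None'
        ComplexityOk = $complex
        GuestOff     = (net user Guest | Select-String 'Account active').Line -match '\bNo\b'
    }
}

Set-TerminalAccountPolicy
Test-TerminalAccountPolicy
```

Any property reported as False is a setting the terminal still fails, which is the kind of item a LAN-side compliance scan would flag.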
 