
Implementation Guide
Payment Card Industry Data Security Standard

Contents

Introduction ... 4
Terminology Used in this Guide ... 5
Building and Maintaining a Secure Network ... 11
Remote Network Access ... 12
Wireless Networks ... 13
Using Firewalls ... 14
Firewalls and Intuit QuickBooks Cash Register Plus ... 14
Protecting Cardholder Data ... 15
Encrypting Card Information ... 15
If You Suspect a Security Breach ... 16
Transmitting and Sharing of Cardholder Data ... 16
Maintaining a Vulnerability Management Program ... 17
Windows Update ... 17
Intuit QuickBooks Cash Register Plus Updates ... 17
Antivirus Software ... 18
Implementing Strong Access Control Measures ... 18
About System Administrators ... 18
Protecting Your Data with Unique IDs and Passwords ... 18
Monitoring and Testing Your Network ... 22
Review Security Logs Regularly ... 22
Maintaining an Information Security Policy ... 23
Keep Up with Emerging Security Standards ... 23
Emergency Preparedness ... 23
Back Up Your Data File Frequently ... 23
Install Uninterruptible Power Supplies (UPS) ... 23
Keep Your Business Running When Disaster Strikes ... 23
Further Information ... 24
Table 3: Security Web Sites ... 24
How to Contact Us ... 24
Appendix A: Windows Account Security ... 25
Configuring Local User Accounts to Be PCI Compliant ... 26
Setting Password Policies ... 27
Setting Account Lockout Policies ... 28
Setting Session Idle Time and Screensaver Options ... 28
Appendix B: Encryption Key Management ... 29
Appendix C: Disabling System Restore Points in Windows XP ... 30

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) includes requirements for the configuration, operation, and security of payment card transactions in your business.

When you, as a retailer, start accepting payment cards you also agree to take the steps necessary to protect your customers' card data. If you use the QuickBooks Cash Register Plus Merchant Service to authorize and settle credit or debit card transactions in Intuit QuickBooks Cash Register Plus, these standards and this guide apply to you.

Adherence to the standards is not only good for your business, as it assures your customers that their transactions are being handled in a secure manner, but also fiscally important: a security breach could result in significant fines.[1]

When determining the measures that need to be taken for compliance, you need to review your entire system configuration:

- Your operating system (Windows) configuration and account controls
- Implementation of security software, such as antivirus and firewall applications
- Implementation of and access controls to card payment applications (e.g., Intuit QuickBooks Cash Register Plus)
- Your policies and procedures for implementing and monitoring all of the above

This guide serves to help you implement Intuit QuickBooks Cash Register Plus and your overall system in such a manner as to be in compliance with the PCI DSS.

Table 1 summarizes the major PCI DSS requirements, what Intuit QuickBooks Cash Register Plus provides you to help meet the requirements, what you are responsible for, and where to get more information on that particular requirement. The remainder of this guide provides recommendations and instructions specific to steps you can take in your use of Intuit QuickBooks Cash Register Plus to comply with these requirements.

Throughout this guide we provide links to Internet sites of organizations and providers of security-related products or information important to PCI compliance, but that extends beyond the scope of Intuit QuickBooks Cash Register Plus. These links are provided for your convenience. Unless specifically stated otherwise, Intuit does not own, endorse, or specifically recommend any of the products or vendors listed. Security recommendations should take into account relevant factors that may be unique to your business.

You can learn more about and get a copy of the PCI DSS standard at the PCI Security Standards Council site: https://www.pcisecuritystandards.org.

Note: This guide applies specifically to Intuit QuickBooks Cash Register Plus.

[1] For details, please consult: http://www.visa.com/cisp

Terminology Used in this Guide

PCI: Acronym for Payment Card Industry. PCI DSS refers to the Payment Card Industry's Data Security Standards, the subject of this guide. Retailers that use applications, like Intuit QuickBooks Cash Register Plus, that store, process, or transmit cardholder data to authorize or settle transactions are subject to these standards.

PABP: Acronym for Payment Application Best Practices; a Visa U.S.A. standard for validation that payment processing applications, such as Intuit QuickBooks Cash Register Plus, provide the tools to help retailers comply with the PCI standards.

Cardholder data: Cardholder's name, card type, account number, and expiration date that is stored, in an encrypted format, on authorized card transactions.

Sensitive authentication data (also called card swipe data): Card or account verification and PIN information stored in the magnetic stripe on a payment card.

Encryption: Process of encoding data so that it is unreadable to those without the proper permissions or "key" to decode it.

PAN: Acronym for Primary Account Number. Storage of customers' payment card PANs is the deciding factor in whether the PCI DSS and PABP standards apply to retailers and application vendors respectively. Intuit QuickBooks Cash Register Plus stores PANs in an encrypted format. Intuit QuickBooks Cash Register Plus does not facilitate the sending of PANs by email.

SSL: Secure Sockets Layer; a common encryption technology used to secure transmissions of data across public networks.

Table 1: Summary of PCI DSS Requirements

Each row gives the PCI DSS requirement, what Intuit QuickBooks Cash Register Plus provides, what you need to do, and where to find more information.

Requirement 1: Do not retain full magnetic strip, card validation code or value.
- What Intuit QuickBooks Cash Register Plus provides: Displayed and printed card numbers are masked. Data is stored only on one workstation, facilitating the ability to physically secure it. All data is encrypted and all historical data is removed once a batch is completed.
- What you need to do: Physically secure the Intuit QuickBooks Cash Register Plus Server Workstation to keep your data, backups, and reports in a secure location (a locked office is recommended). Use a shredder to dispose of printouts that might contain payment information when no longer needed.
- For more information: Refer to Limiting Physical Access to Your Data Files in this guide. Refer to http://www.uscert.gov/reading room/CSGsmallbusiness.pdf for more information about physical security and other information security topics.

Requirement 2: Protect stored cardholder data.
- What Intuit QuickBooks Cash Register Plus provides: Stores cardholder information in an encrypted format and automatically changes the encryption keys at least once per year. Provides a process for you to manually change the encryption keys and re-encrypt stored data. Does not store card swipe verification data.
- What you need to do: Be alert to possible fraudulent attempts to access stored data. Manually generate new encryption keys if a breach is suspected or confirmed. Delete stored card data from the previous version of Intuit QuickBooks Cash Register Plus after successfully upgrading to this version.
- For more information: Refer to Protecting Cardholder Data in this guide.

Requirement 3: Provide secure password features.
- What Intuit QuickBooks Cash Register Plus provides: Features to require password logins, encrypt files with passwords, and set individual or group security access to sensitive program data or features.
- What you need to do: Set your own unique user names and passwords on all devices and at the operating system level. It is strongly recommended that you use complex passwords, especially for system administrators.
- For more information: See www.staysafeonline.org for more information about general security practices. For more detailed guidance, IT professionals may refer to www.cisecurity.org. This includes specific guidance on Windows and networking configuration best practices.

Requirement 4: Log application activity.
- What Intuit QuickBooks Cash Register Plus provides: Logs access and other data security activities to the Audit Log and/or to the Windows Event Log.
- What you need to do: Review the Audit Log within Intuit QuickBooks Cash Register Plus and the Windows Event Log regularly to detect possible instances of unauthorized access to your network or cardholder data. Keep audit logs and backups for at least one year.
- For more information: Refer to Review Security Logs Regularly in this guide.

Requirement 5: Develop secure applications.
- What Intuit QuickBooks Cash Register Plus provides: Blocks all user access to stored cardholder data. Provides access control features to restrict access to financially sensitive information.
- What you need to do: Use Windows and Intuit QuickBooks Cash Register Plus administrator accounts only for system configuration tasks. Use a regular user account at all other times. Use Intuit QuickBooks Cash Register Plus security right controls to ensure that your employees have access to data on an as-needed basis.
- For more information: For information about Windows user accounts, consult your Windows help system. IT professionals can visit http://support.microsoft.com/kb/307882 for information on the Group Policy Editor. Refer to Implementing Strong Access Control Measures in this guide.

Requirement 6: Protect wireless transmissions.
- What Intuit QuickBooks Cash Register Plus provides: Intuit QuickBooks Cash Register Plus does not require any transmissions to be done wirelessly.
- What you need to do: However, if the Intuit QuickBooks Cash Register Plus application is part of a wireless network, we recommend that you secure your network with authentication and passwords.

Requirement 7: Test applications to address vulnerabilities.
- What Intuit QuickBooks Cash Register Plus provides: Is stringently tested for security issues before release. Program updates, to address evolving standards, are made available for automatic and manual download. Logs application and data access activities.
- What you need to do: Keep your systems current with the latest software updates: operating system, antivirus and firewall applications, and Intuit QuickBooks Cash Register Plus. If possible, test updates on systems other than your production business systems first to be sure they will not affect your ongoing operation.
- For more information: Microsoft Windows Update is available at windowsupdate.microsoft.com. Consult other software vendors' support sites for more information regarding updates and security alerts. IT professionals should refer to www.cert.org for regular updates on security patches and alerts. Refer to Intuit QuickBooks Cash Register Plus Updates in this guide.

Requirement 8: Facilitate secure network implementation.
- What Intuit QuickBooks Cash Register Plus provides: Is designed to operate securely in a network with firewalls and security devices. Works with several major antivirus and firewall vendors for out-of-the-box compatibility. Intuit QuickBooks Cash Register Plus is a stand-alone system and is not connected to a server to store cardholder data.
- What you need to do: Configure the network to block unauthorized traffic. Review and update your firewall configuration and software regularly.
- For more information: Consult your firewall documentation and vendor web site for best practices consistent with your business needs. Refer to Figure 1 in this guide and read Appendix C in the Intuit QuickBooks Cash Register Plus User's Guide.

Requirement 9: Cardholder data must never be stored on a server connected to the Internet.
- What you need to do: Do not store cardholder data on Internet-accessible systems.

Requirement 10: Facilitate secure remote software updates.
- What Intuit QuickBooks Cash Register Plus provides: Is designed to operate securely in a network protected with antivirus, anti-spyware, and personal firewall products.
- What you need to do: Use well-known and supported security products on all your business computers. Regularly install software updates to Windows, anti-virus software, and other security products.
- For more information: For recommendations for anti-virus and system security tools, refer to www.ConsumerReports.org, or consult an IT professional.

Requirement 11: Facilitate secure remote access to application.
- What Intuit QuickBooks Cash Register Plus provides: Intuit will NEVER connect into remote systems for any reason (installation, configuration, upgrades, etc.).
- What you need to do: If the customer accesses the Cash Register Plus application remotely, two-factor authentication is required for PCI DSS compliance. Examples of two-factor authentication: 1. App username/password plus VPN with individual certificate(s). 2. User RADIUS or TACACS plus individual tokens.
- For more information: The PCI DSS standard requires that if employees, administrators, or vendors are granted remote access to the payment processing environment, access should be authenticated using a two-factor authentication mechanism (username/password and an additional authentication item such as a token or certificate). If remote access is enabled for any reason, in addition to the standard access controls, vendor accounts should only be active while access is required to provide service. Access rights should include only the access rights required for the service rendered, and should be robustly monitored and audited.

Requirement 12: Encrypt sensitive traffic over public networks. The PCI DSS requires the use of strong cryptography and encryption techniques with at least a 128-bit encryption strength (either at the transport layer with SSL or IPSEC, or at the data layer with algorithms such as RSA or Triple DES) to safeguard sensitive cardholder data during transmission over public networks (this includes the Internet and Internet-accessible DMZ network segments). Additionally, PCI requires that cardholder information is never sent via email without strong encryption of the data.
- What Intuit QuickBooks Cash Register Plus provides: Applies SSL encryption to all transmitted data. The Cash Register Plus application has no email integration and does not email cardholder data.
- What you need to do: If deploying a wireless network, protect it with equipment and a configuration that employs WPA encryption methods (rather than WEP methods).
- For more information: Consult your vendor documentation for wireless security information. IT professionals may refer to www.cisecurity.org for detailed guidance on configuring wireless networking security.

Requirement 13: Encrypt all non-console administrative access.
- What Intuit QuickBooks Cash Register Plus provides: If logins are required, the program enforces unique user names and passwords for access.
- What you need to do: Set up each user with a user name and password and then require logins, along with assigned security rights, to restrict access to sensitive data. If remote access is used to access other hosts within the payment processing environment for any reason, third-party remote access software such as Remote Desktop (RDP)/Terminal Server or pcAnywhere is available. However, to be compliant with the PCI DSS, every such session must be encrypted with at least 128-bit encryption (in addition to satisfying the two-factor authentication requirement for users connecting from outside the payment processing environment). For RDP/Terminal Services this means using the high encryption setting on the server, and for pcAnywhere it means using the symmetric or public key options for encryption. In order to maintain PCI DSS compliance, be sure to enforce the user account and password requirements for remote/non-console administration access methods.
- For more information: Refer to Protecting Your Data with Unique IDs and Passwords in this guide. Refer to the PCI Security Standards for more information, at www.pcisecuritystandards.org.

Requirement 14: Maintain instructional documentation and training programs for customers, resellers and integrators.
- What Intuit QuickBooks Cash Register Plus provides: Provides this guide. Facilitates security policies with access controls and audit logging.
- What you need to do: Maintain a written policy and training manual for the implementation of your security program. Review your security program and network configuration at least once each year.
- For more information: Refer to http://www.uscert.gov/reading room/CSGsmallbusiness.pdf for more information about issues that should be addressed in your security practices. IT professionals may refer to http://www.sans.org/resources/policies/ for more information about establishing and maintaining security policies.

Build and Maintain a Secure Network

Building and Maintaining a Secure Network

Conceptually, your company network should be constructed like the model shown in Figure 1.

[Figure 1 - PCI-Compliant Network Configuration. Sample point-of-sale network with payment card processing: Point-of-Sale workstation and Business Network behind a Firewall, connected across the Internet to the Processor Firewall and Processor Server. Caption: When you conduct payment card transactions over the Internet, all data is encrypted using SSL.]

Consistent with careful business practices, the PCI standards require that your network:

- Be protected from unauthorized traffic using a firewall.
- Have anti-virus software installed (and updated regularly).
- Be regularly updated with the latest operating system (Windows) and network software patches to keep your system current.

The following guidelines are general in nature. It is recommended that you consult a qualified network administrator to review your particular network setup for purposes of implementing the best protective measures for your situation.

Build and maintain your network carefully. Your data file on the Intuit QuickBooks Cash Register Plus Workstation should be well protected within your network, behind a firewall, and should not be stored on systems such as Internet-facing web servers or remote-access servers.

Remote Network Access

If you build out or allow remote access to your network, use applications that provide strong encryption, authentication and access controls into your network. Products should be based on well-known and Internet standard protocols such as SSL/TLS and SSH.

When Intuit QuickBooks Cash Register Plus connects with online services to conduct payment transactions, it does so using SSL-protected connections. Intuit QuickBooks Cash Register Plus has been constructed to facilitate compliance with PCI requirements in this regard.

Note: Updates are not delivered through remote access.

Intuit QuickBooks Cash Register Plus does not provide tools or means to remotely access the data stored in your company file. If you use a third-party remote access application to allow customers, accountants, or technical advisors to access your data, you must ensure that your use of that application ensures that access to cardholder data is performed by, and can be traced to, known and authorized users. Specifically, you should:

- Not use default settings in the remote access application
- Identify all users with a unique user name
- In addition to a unique user name, require at least one of the following methods to authenticate users:
  - Passwords. We strongly recommend the use of complex passwords for logins (see Protecting Your Data with Unique IDs and Passwords for more information about establishing complex passwords)
  - Token devices (such as SecureID, certificates, or public key)
  - Biometrics
- Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication dial-in user service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. Intuit QuickBooks Cash Register Plus has no remote access capabilities enabled or included.
- Authenticate all access to your data, including access by other applications, administrators, and all other users
- Allow connections only from specific, known IP/MAC addresses
- Require a Virtual Private Network (VPN) connection via a firewall before allowing access
- Enable encryption of transmitted data
- Enable account lockout (30 minutes or until the administrator resets the user ID) after a specified number (maximum 6) of failed login attempts
- Enable logging of access activities
- Restrict access to customer passwords to authorized personnel
- Encrypt all passwords during transmission and for storage on your system
- Follow good user authentication and password management practices for employees, administrators, advisors, or technical support users. Refer to Protecting Your Data with Unique IDs and Passwords for more information.

Wireless Networks

When you build out a wireless network, consult your networking vendor's documentation and online resources carefully for optimal security configurations.

When using wireless networks:

- Install perimeter firewalls between any wireless network and computers running QuickBooks Point of Sale workstations. You need to configure these firewalls to deny or control (if such traffic is necessary for your other business purposes) any traffic from the wireless environment into the cardholder data environment.
- Install firewall software on any wireless computers which are used to access your network (see Using Firewalls).
- Change wireless vendor default settings, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
- Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
  - Use with a minimum 104-bit encryption key and 24-bit initialization value
  - Use only in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
  - Rotate shared WEP keys quarterly (or automatically if the technology permits)
  - Rotate shared WEP keys whenever there are changes in personnel with access to keys
  - Restrict access based on media access control (MAC) address.

Note 1: Make sure the wireless devices are enabled for strong encryption for authentication and transmission. Use industry best practices for encryption during authentication and transmission, specifically for new installations.

Note 2: WEP should not be used in new installations; existing WEP implementations must be upgraded to WPA no later than June 30, 2010.

See Table 3 for more information.

Using Firewalls

Firewalls monitor communication traveling through your computer's ports and block any communication that they do not know is safe. This provides you with an essential component of the protection you need to minimize your exposure to dangers from malicious users.

There are many different firewalls available to you, and they can be either software or hardware based (for example, many routers have built-in firewalls). On a typical network, there is a single point of connection to the Internet (such as the network server) and this is the critical point requiring a firewall.

In addition to your store's computer network being protected by a firewall, you also must install firewall software on any employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access your network.

Note: You should not use applications that keep a connection to the Internet open for long periods of time. Your Internet connection should not always be on.

Firewalls and Intuit QuickBooks Cash Register Plus

In order to ensure that desired communication is not blocked, your firewall program has to be instructed to allow that communication.

Your Intuit QuickBooks Cash Register Plus software is "white-listed" with several major firewall software vendors, such as McAfee, Symantec, Trend Micro, and Check Point. What this means is that if you use firewall software from one of these vendors, and provided you keep the firewall software updated, it is pre-configured to recognize Intuit QuickBooks Cash Register Plus and the necessary communications are automatically allowed.

If you are not using one of the white-list vendors, you may need to specify the particular ports that will be used by Intuit QuickBooks Cash Register Plus so that your firewall allows the communication. How this is done will vary depending upon the particular firewall you are using.

You can find out more about industry-certified products from the sites listed in Table 3. Many of the sites listed contain references for further information.

Protecting Cardholder Data

Encrypting Card Information

Intuit QuickBooks Cash Register Plus encrypts the cardholder data stored in your company data with encryption keys using an industry-standard, strong encryption process that meets current PCI DSS requirements. Intuit QuickBooks Cash Register Plus automatically generates new encryption keys at least once per year. Cryptographic material must be removed. No action is required on your part to enable this security feature.

Note: This version of Intuit QuickBooks Cash Register Plus does not store the card swipe data used to verify payment cards or PIN information.

Note: The cardholder data stored in your company file in an encrypted format is not accessible to any Intuit QuickBooks Cash Register Plus user; even the Intuit QuickBooks Cash Register Plus system administrator is blocked from viewing this information. Cardholder data is also not available on Intuit QuickBooks Cash Register Plus reports and cannot be included in the provided data export tools.

Additional security measures to protect cardholder data and comply with PCI DSS standards include the following:

- The ability for you to manually generate new encryption keys if you suspect your data has been compromised or an unauthorized attempt to access the data was made. See If You Suspect a Security Breach.
- Old encryption keys are automatically deleted any time new keys are generated.
- Card information is automatically stripped from stored transactions at sixty days of age, so that cardholder data is not retained any longer than necessary.
- In this version of Intuit QuickBooks Cash Register Plus, card swipe data is not stored.
- An Audit Log records all activities related to data access, payment card transactions, and changes to card encryption keys. In addition, failed attempts to log in to Intuit QuickBooks Cash Register Plus are logged in the Windows Event Log.
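As an added example (not code from this guide or from Intuit), the following Python script shows one way to review the failed-login events the guide says are logged, looking for a user who reaches the lockout threshold of at most 6 failed attempts and for a successful login that directly follows a run of failures. The log lines and their field layout are constructed, and the 30-minute counting window and the 3-failure review threshold are assumptions made for this example.

```python
"""Review constructed point-of-sale sign-in events for patterns worth
investigating. This does not read the real Intuit Audit Log or Windows Event
Log formats; the line layout below is invented for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# From the guide: lockout after a maximum of 6 failed attempts, lasting
# 30 minutes. Reusing 30 minutes as the window in which failures are
# counted is an assumption made for this example.
MAX_FAILED_ATTEMPTS = 6
WINDOW = timedelta(minutes=30)
# Assumed threshold: a success preceded by this many failures gets reviewed.
SUSPICIOUS_BEFORE_SUCCESS = 3

# Constructed sample lines (not real Intuit or Windows Event Log output).
# Fields: timestamp | result | user | workstation
SAMPLE_LOG = """\
2009-03-02 08:58:12 | LOGIN_FAILED | cashier2 | POS-1
2009-03-02 08:58:40 | LOGIN_OK     | cashier2 | POS-1
2009-03-02 20:30:00 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:03 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:09 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:15 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:22 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:30 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:37 | LOGIN_FAILED | admin    | POS-1
2009-03-02 21:14:44 | LOGIN_FAILED | admin    | POS-1
2009-03-03 09:01:00 | LOGIN_FAILED | manager  | POS-2
2009-03-03 09:01:20 | LOGIN_FAILED | manager  | POS-2
2009-03-03 09:01:35 | LOGIN_FAILED | manager  | POS-2
2009-03-03 09:01:41 | LOGIN_OK     | manager  | POS-2
2009-03-03 10:30:00 | KEY_ROTATION | admin    | POS-1
"""


def parse_line(line):
    """Split one 'timestamp | result | user | workstation' line into fields."""
    ts, result, user, host = (field.strip() for field in line.split("|"))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), result, user, host


def review_log(log_text, threshold=MAX_FAILED_ATTEMPTS, window=WINDOW,
               before_success=SUSPICIOUS_BEFORE_SUCCESS):
    """Return a list of findings, in time order, from the log text."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    streaks = defaultdict(list)   # user -> timestamps of recent failures
    findings = []
    for ts, result, user, host in events:
        streak = streaks[user]
        # Forget failures that fell out of the counting window; the admin
        # failure at 20:30 above is dropped this way and is not counted.
        while streak and ts - streak[0] > window:
            streak.pop(0)
        if result == "LOGIN_FAILED":
            streak.append(ts)
            if len(streak) == threshold:
                findings.append({"type": "lockout_threshold", "user": user,
                                 "host": host, "at": ts,
                                 "failures": len(streak)})
        elif result == "LOGIN_OK":
            if len(streak) >= before_success:
                findings.append({"type": "success_after_failures",
                                 "user": user, "host": host, "at": ts,
                                 "failures": len(streak)})
            streak.clear()        # a success ends the failure streak
        # Other events (e.g. KEY_ROTATION) are not sign-in events.
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['at']}  {f['type']:<23} user={f['user']} "
              f"host={f['host']} failures={f['failures']}")
```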

If You Suspect a Security Breach

If an unauthorized attempt to access your data has been made or you are aware of an actual breach of your security system that has compromised you and your customers' data, you should immediately:

1. Back up your data file and store the backup in a secure location.
2. If you suspect involvement by a specific user or users, disable the user account(s). This will block further access to your data by the user(s) while you have an opportunity to investigate.
3. Review the Audit Log and Windows Event Log to examine entries related to the suspicious activity and users.
4. Change your Windows and Intuit QuickBooks Cash Register Plus administrator passwords. It is recommended you also change, or require to be changed, all other user passwords.
5. Manually generate new encryption keys:
   a. Log in to Intuit QuickBooks Cash Register Plus as the admin.
   b. Go to the "Tasks" section on the right hand side of the screen.
   c. Find the "Key Rotation" button and click on it.
   d. Wait until you see a "Successful" message. If it fails, try again. If the function doesn't succeed at all, contact customer support.

See Appendix B: Encryption Key Management for additional key management information.

Transmitting and Sharing of Cardholder Data

Intuit QuickBooks Cash Register Plus encrypts all cardholder data stored in the database. When connecting with online services to conduct payment transactions, Intuit QuickBooks Cash Register Plus does so using SSL-protected connections.

If you transmit data using the options available within Intuit QuickBooks Cash Register Plus, this encryption ensures a secure transmission. Also, when using the transmission options included within Intuit QuickBooks Cash Register Plus:

- Card swip
