Squirrel PA-DSS Implementation Guide: 2014

Squirrel Versions 7.0/ 8.0/ 9.0 | July 6, 2014
Record of Revisions
| Date | Reference: Page, Paragraph | Revision # | Squirrel Version / Build | Comments |
|---|---|---|---|---|
| Oct. 15, 09 | Initial Release | 1.00 | v1.55 | PA-DSS v1.2; PCI DSS v1.2 |
| Aug. 4, 10 | Annual Revision (2010) | 2.00 | v1.55, v6.0 | Configuration updates for Squirrel Professional v6.0 & SQL Server 2005 added; PA-DSS v1.2; PCI DSS v1.2; Implementation procedures now ordered under corresponding PCI DSS requirement |
| Aug. 12, 15 | Annual Revision (2012) | 3.00 | v1.55, v6.0, v7.0 | Updated configuration for Squirrel Professional v7.0, SQL Server 2008; PA-DSS v2.0; PCI DSS v2.0; Now validated under PA-DSS v2.0 |
| Aug. 12, 15 | Annual Revision (2014) | 4.00 | v7.0, v8.0, v9.0 | Updated Backoffice IDE to Microsoft Visual Studio 2010 for Squirrel Professional v8.0 and renaming to v9.0; PA-DSS v2.0; PCI DSS v2.0 |
Disclaimer
Squirrel Systems provides this documentation as is without warranty of any kind, either express or implied. This
document could include technical inaccuracies or typographical errors. Squirrel Systems may make
improvements and/or changes at any time to the product(s) and/or program(s) described in this document.
Changes are made periodically to the information herein; these changes will be incorporated in new editions of
the document. Please check the Squirrel TechWeb frequently for such updates
(http://techweb.squirrelsystems.com).
07/06/2014
SQD-11Confidential
Squirrel PA-DSS Implementation Guide: 2014 | pg 2
Important Notice for Squirrel Customers (‘Merchants’)
This data security guide applies to Squirrel Customers (referred to herein as ‘merchants’ or ‘the merchant’),
Squirrel Systems’ installers, system integrators, support personnel, authorized resellers, and any other parties
using, or facilitating the use of, a Squirrel POS system for purpose of processing, transmitting, or storing
cardholder data.
Information contained within this document is offered in accordance with the Payment Application Data Security
Standard (PA-DSS), and is intended to be a supporting resource to the Payment Card Industry Data Security
Standard (PCI DSS) and other associated materials issued by the Payment Card Industry Security Standards
Council (PCI-SSC). This document is reviewed annually and updated as needed in order to remain current with
major and minor software changes, as well as changes to the PCI DSS or PA-DSS.
Merchants are expressly reminded that this document is not intended to be, nor should be construed as, a
comprehensive reference for PCI DSS requirements. In furtherance to the above, merchants are advised of the
following:

It is the responsibility of the merchant to perform their own evaluation and due diligence in ensuring
the PCI DSS compliance of their organization and its members. The merchant is responsible for
understanding their obligations under the PCI DSS and for obtaining their copy of the latest data
security standard from www.pcisecuritystandards.org.

Use of any one or more of the applications, components, system features, or procedures listed in this
guide does not guarantee or ensure merchant compliance with the PCI DSS.

It is the responsibility of the merchant to have in place, and maintain, security controls for all of its
systems and data, including but not limited to firewalls, antivirus protection,
strong/complex passwords, physical security, and access control policies.

For security controls to be effective, the merchant must understand that system components,
including but not limited to, operating systems, point-of-sale software, antivirus software, device
firmware, and system passwords require periodic and routine updates and that obtaining / performing
such updates is solely and entirely the merchant’s responsibility.

If the merchant’s systems have connections to the Internet, or transmit credit card or gift card
transactions over the Internet, the security and protection of the network, data, and applications on
that network, including protection from unauthorized access, is solely and entirely the merchant’s
responsibility. A properly configured firewall is required for systems connecting to the Internet or any
private network where there is access to applications and data containing important information.
For more information on merchant data security, or to obtain copies of related Squirrel materials referenced within
this document, please contact the Squirrel Solution Center or refer to the links below:
For Squirrel Customers
http://www.squirrelsystems.com/datasecurity
For Authorized Resellers
http://techweb.squirrelsystems.com
Table of Contents
DISCLAIMER
IMPORTANT NOTICE FOR SQUIRREL CUSTOMERS (‘MERCHANTS’)
OVERVIEW
Document Purpose
Intended Audience
Required Knowledge
Supporting Documentation
Conventions Used in this Document
SYSTEM REQUIREMENTS
Minimum Software Requirements
Minimum Hardware Requirements
Additional Requirements for Systems with Connection to External or Public Networks
Merchant Organization Requirements
PART I: CONFIGURING SQUIRREL POS TO SUPPORT PCI DSS COMPLIANCE
BUILD AND MAINTAIN A SECURE NETWORK
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Use a Firewall between the Squirrel POS Network and External / Publicly Accessible Networks
Enable the Windows Firewall on the Host PC
Use a Firewall between Wireless and Wired Networks in the Cardholder Data Environment
Prohibit Direct Connection from the Internet to the Cardholder Data Environment
Prohibit Applications That Permit Direct Public Access to the Cardholder Data Environment
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Rename and Password-Protect the Windows Default ‘Administrator’ Account
Secure the Microsoft SQL Server Default Administrative Account (‘sa’)
Assign a Strong Squirrel ‘Linux’ Terminal Account Password
Restrict the Squirrel ‘Linux’ Account from Interactive Logon
Employ Industry-Accepted System Hardening Standards
Remove Generic or Vendor-Default Windows Administrative Accounts
Remove Generic or Vendor-Default Browser Security Accounts
Change Vendor-Default Wireless Network Security Settings
Secure Vendor-Default Passwords and Accounts on Additional System Components
Encrypt Non-Console Administrative Access
PROTECT CARDHOLDER DATA
Requirement 3: Protect stored cardholder data
Limit Cardholder Data Retention (‘Purge Encrypted Credit Card Data’)
Disable Squirrel Credit Card Tracking
Mask POS Display of PAN (Primary Account Number)
Securely Remove Prohibited or Insecure Cardholder Data
Enable Squirrel Key Management
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Transmission of Cardholder Data over Public Networks by Squirrel POS
Transmission of Cardholder Data over Public Networks by the Merchant
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement 5: Use and regularly update anti-virus software or programs
Install an Approved Antivirus Solution
Requirement 6: Develop and maintain secure systems and applications
Maintain Squirrel POS Software Updates
Maintain Microsoft Software Updates
Configure and Maintain Java Updates
Maintain Critical Updates for Third-Party Applications
IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement 7: Restrict access to cardholder data by business need-to-know
Engage Squirrel Browser Security
Restrict Access to Squirrel Tracking Controls
Use a Limited Windows Account for POS Operations (Squirrel Users Setup)
Restrict Access to Physical Squirrel POS Tracking Data
Restrict Access to SQL Server Application Directories (SQL Server 2005 / 2008 / 2012)
Limit Number of Windows Administrators
Requirement 8: Assign a unique ID to each person with computer access
PCI DSS Unique User Requirements: Overview
Create an Administrative Browser Security Group
Create Additional Non-Administrative Browser Groups
Create Unique Browser ‘Security Administrator’ Accounts
Create Unique Browser Users for All Other Members of the Merchant Organization
Enforce Windows Password Policies
Enforce Windows Account Lockout Policies
Enable a Password-Protected Screensaver
Create Unique Windows Accounts for System Administrators
Remote Access by Members of the Merchant Organization
Remote Access by the Squirrel Solution Center
Remote Access over Dialup Connections (Symantec pcAnywhere™)
Enable WS9L SSHFS Support
Requirement 9: Restrict physical access to cardholder data
Restrict Physical Access to the Cardholder Data Environment
Restrict Physical Access to Squirrel Backup Media and Reports
REGULARLY MONITOR AND TEST NETWORKS
Requirement 10: Track and monitor all access to network resources and cardholder data
Enable Windows Auditing Features
Enable SQL Server Auditing Policies
Enable Time Synchronization Features
Squirrel Browser Security Auditing
Employ Centralized Logging / Backup of Audit Trails
Requirement 11: Regularly test security systems and processes
Perform Routine Internal and External Vulnerability Scans
Test for Unauthorized Wireless Access Points
MAINTAIN AN INFORMATION SECURITY POLICY
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Create a Security Policy
PART II: SQUIRREL KEY MANAGEMENT
KEY MANAGEMENT OVERVIEW
Key Management Cycle
Key Custodians
Preparing for Key Management Deployment
IMPLEMENTING KEY MANAGEMENT
Creating a Keyfile (sqKeys)
Registering a Keyfile (SqRegisterKeys)
Re-Encrypting the Squirrel Database (SqReEncrypt.exe)
Verifying Re-Encryption Routines
ENCRYPTION KEY MAINTENANCE
Changing Merchant Encryption Keys (‘Re-Keying’)
Generating a Replacement Keyfile
Registering the Replacement Keyfile
Re-Encrypting with the Replacement Encryption Keys
Removing Old Encryption Keys
Unregistering an Old Keyfile
Secure Deletion of Old Keyfiles
APPENDICES
APPENDIX A - CREATING STRONG PASSWORDS
Microsoft Recommendations for Creating Strong Passwords
Windows Security - ‘Password must meet complexity requirements’ Policy Definition
APPENDIX B - SQUIRREL PA-DSS CONFIGURATION CHECKLIST
POS Server and Network Hardening (1 of 2)
Software Vulnerability Management (1 of 2)
Squirrel Browser Security
Windows Account and Auditing Management
SQL Server Account & Auditing Management
Windows Limited User Setup
Implementing Key Management
Windows Access Controls and Auditing
Limiting Data Retention (2 of 2)
POS Server and Network Hardening (2 of 2)
Final System Review
APPENDIX C – SAMPLE POS NETWORK TOPOLOGIES
Network Configurations Supporting PCI DSS Compliance
Network Configurations Not Supporting PCI DSS Compliance
APPENDIX D - SAMPLE CUSTODIAN AGREEMENT ITEMS
APPENDIX E – LIST OF SQUIRREL POS COMPONENTS, SERVICES AND PROTOCOLS
POS Hardware Components
POS Software Components
Services
Protocols
Overview
Document Purpose
This guide is offered in accordance with the requirements of the Payment Card Industry (PCI) Payment
Application Data Security Standard (PA-DSS). Derived from the Payment Card Industry Data Security Standard
(PCI DSS), the PA-DSS details what validated payment applications must support in order to facilitate a
merchant’s PCI DSS compliance.
This guide provides information to those seeking to configure and deploy Squirrel POS systems in a manner
supporting merchant compliance with the PCI DSS and is divided into three parts:

Part I, Configuring Squirrel for PCI DSS covers configuration of the Squirrel POS system in
accordance with supporting PA-DSS / PCI DSS v2.0 requirements.

Part II, Squirrel Key Management details necessary procedures for supporting compliant encryption
of stored cardholder data, per PA-DSS / PCI DSS v2.0 requirements.

Appendices include guidance on configuring strong passwords and creating a key custodian
agreement.
Intended Audience
This document is intended for the following audiences:

Squirrel POS system owners and administrators (the ‘merchant’)

Authorized Squirrel Resellers

Squirrel Support, Service, Sales, Training & Implementation, Manufacturing, and Product
Development personnel
Required Knowledge
This document presumes users have read the supporting documentation listed below and have knowledge of,
and operational experience with, the following:

Basic understanding of PC hardware and software

Configuration, operation, and installation of Squirrel POS software and hardware (v1.5 or higher)

Basic TCP/IP networking concepts

Windows operating systems (Windows XP Professional), including:
o Software and hardware installation
o Windows File and Print Sharing, user management
o Windows Firewall configuration
Users unfamiliar with the above concepts are advised to contact the Squirrel Solution Center for assistance
before attempting procedures outlined in this document.
Supporting Documentation
This document is supplemented by the following materials:

Squirrel Secure Data Deletion: PA-DSS Implementation Guide Supplement

Squirrel WS9L/10L SSHFS Installation Guide: PA-DSS Implementation Guide Supplement
Conventions Used in this Document
| Title | Meaning |
|---|---|
| PCI DSS REMINDER | Reinforces required PCI DSS practices and/or provides cautionary information against potential compliance violations |
| IMPORTANT | Cautions on actions or scenarios that could adversely affect system operation. |
| NOTE | Provides additional information on a concept, procedure or system feature |

| Typeface | Meaning |
|---|---|
| Italics | Emphasis or term being defined for the first time |
| Monospace | Text value which appears onscreen or in code |
| Bold Monospace | Text to be entered by an end user |
System Requirements
The following section outlines software and hardware components required to support the PCI DSS compliance
procedures outlined in this manual.
Note that procedures covering installation of minimum required software are included in this manual or supporting
reference materials.
Minimum Software Requirements

Windows 7 Professional with Microsoft Update and latest critical security updates installed

Squirrel Professional v7.0 for Microsoft SQL Server 2008 SP3

Squirrel Professional v8.0 for Microsoft SQL Server 2008 SP3

Squirrel Professional v9.0 for Microsoft SQL Server 2008 SP3

ESET NOD32 Antivirus 4 or equivalent compatible antivirus solution.
Minimum Hardware Requirements

Removable media for merchant encryption keyfiles, e.g. USB thumb drive
Additional Requirements for Systems with Connection to External or Public Networks

Hardware firewall with stateful packet inspection (SPI)

Router with Network Address Translation (NAT) / Port Address Translation (PAT) enabled
Merchant Organization Requirements

Secure physical storage location to protect removable media against disclosure or misuse, e.g. safe
or locked area with monitored access.

Minimum two members of the merchant organization to serve as system ‘key custodians’.

Agreement forms signed by key custodians acknowledging acceptance of key management
responsibilities.
PCI DSS REMINDER:
Unless explicitly noted otherwise, the procedures and configuration settings
outlined in this manual are necessary to support merchant compliance with the PCI
DSS.
Failure to enable provided security features, or disabling / changing of required
settings related to unique usernames, secure authentication, or auditing features,
will result in non-compliance with PCI DSS.
Part I: Configuring Squirrel POS to Support PCI DSS Compliance
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
“Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted
networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted
networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted
network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified
security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system
via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access,
dedicated connections such as business-to-business connections, via wireless networks, or via other sources.
Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key
systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, provided they meet the minimum requirements for
firewalls as provided in Requirement 1. Where other system components are used within the cardholder data
environment to provide firewall functionality, these devices must be included within the scope and assessment of
Requirement 1.” 1
Use a Firewall between the Squirrel POS Network and External / Publicly Accessible Networks
In accordance with PCI DSS Req. 1, merchants are required to employ a firewall that performs stateful packet
inspection (SPI) to secure the cardholder data environment (CDE) from external or publicly accessible
networks.
Merchants are responsible for ensuring firewalls are properly configured and
maintained in compliance with PCI DSS requirements, and utilize access control
via strong / complex passwords.
Squirrel currently supplies the Cisco RVL 200 VPN Firewall/Router to assist
merchants in restricting traffic into the cardholder data environment from external
or publicly accessible networks.
Enable the Windows Firewall on the Host PC
Merchants are also advised to enable the Windows Firewall on the Squirrel Host PC, to provide an additional
layer of network protection.
1) Open Start > Control Panel > Windows Firewall.
2) The Windows Firewall properties dialog opens.
3) Select On.
4) Click OK to save and close.
5) Leave the Windows Firewall dialog open and continue to the next section.

1 PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security
Assessment Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf>
[accessed 24 February 2011] (20)
Use a Firewall between Wireless and Wired Networks in the Cardholder Data Environment
Merchants are required to implement perimeter firewalls between any wireless networks and the cardholder
data environment and must configure these firewalls to deny or control traffic (if such traffic is necessary for
business purposes) from the wireless environment into the cardholder data environment.
Merchants implementing Squirrel POS into an existing wireless environment, or adding a wireless network to
the cardholder data environment, must adhere to all PCI DSS requirements for securing wireless networks, in
addition to reviewing with their PCI assessors.
Prohibit Direct Connection from the Internet to the Cardholder Data Environment
Per PCI DSS Requirement 1.3, merchants are reminded that systems in the cardholder data environment must
never be connected directly to the Internet.
This means the Squirrel Host PC must always be situated behind a router supporting NAT (Network Address
Translation). Use of a NAT-enabled router prevents disclosure of private IP
addresses and routing information from internal networks to the Internet, as demonstrated in the diagram below:
For additional information on Squirrel POS network topologies, please refer to Appendix C – Sample POS
Network Topologies.
PCI DSS REMINDER
Computers in the cardholder data environment should never be configured to use, or
directly acquire, publicly routable IP addresses.
Prohibit Applications That Permit Direct Public Access to the Cardholder Data Environment.
Squirrel does not require enabling applications or default services that expose the Host PC to direct public
access from the Internet.
Merchants are expressly reminded never to install applications or enable services that provide direct public
access to the cardholder data environment, including but not limited to the following examples:
• Do not install outward-facing web or FTP (File Transfer Protocol) servers in the Squirrel POS
network
• Do not enable potentially insecure protocols or optional networking components, such as
Telnet or SNMP (Simple Network Management Protocol), on the Host PC
NOTE: Applications that permit compliant remote access to the cardholder data
environment over public networks do not constitute ‘direct public access’.
Merchants are advised to contact the Squirrel Solution Center prior to installing applications or enabling
services on the Host PC that could introduce a potential compliance risk for systems in the cardholder data
environment.
For further information on maintaining a secure network, and for complete merchant responsibilities under PCI
DSS Requirement 1, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters
“Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor
default settings to compromise systems. These passwords and settings are well known by hacker communities
and are easily determined via public information.”
PCI DSS REMINDER
Unique Windows and SQL accounts must be created for all Squirrel POS installations.
Using system default accounts, such as the Windows ‘Administrator’ or SQL Server ‘sa’
account, or failing to secure these accounts with strong passwords, violates PCI DSS
requirements.
Rename and Password-Protect the Windows Default ‘Administrator’ Account
The Windows default administrative account cannot be used in production environments and must be protected
against unauthorized use.
6) Login to the Host PC using your Windows administrative account.
7) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel and select
Administrative Tools → Computer Management → Local Users and Groups).
8) The Local Users and Groups snap-in opens. In the left pane, click Users.
9) Right-click the default Administrator account and click Rename.
10) Enter a new, unique name for the account.
NOTE: Do not use generic, example, or easily guessable names. The default
administrator account should be renamed such that it can only be identified by authorized
users for emergency purposes.
11) Right-click the newly renamed ‘Administrator’ account and click Set Password.
12) A warning dialog appears. Click Proceed.
13) Enter and confirm a unique, strong password for the account. See Appendix A – Creating Strong
Passwords for guidance on creating strong passwords for default administrative accounts.
14) Click OK to apply the password change.
15) The Windows default administrator account is now renamed and protected by a strong password.
This default account must no longer be used for any normal purpose; please see Creating Unique
Windows Accounts for System Administrators for more information on using unique administrative
accounts.
Secure the Microsoft SQL Server Default Administrative Account (‘sa’)
The Microsoft SQL Server default ‘sa’ administrative account cannot be used in production environments and
must be protected against unauthorized access.
Securing the ‘sa’ account for Microsoft SQL Server 2005 / SQL Server 2008:
Perform the following steps to assign a strong password to, then disable use of, the default SQL Server
2005 or SQL Server 2008 administrative account.
1) Login to the Host PC using your Windows administrative account.
2) Open Start → Microsoft SQL Server 2005 → Microsoft SQL Server Management Studio.
3) The Connect to Server login dialog appears. Click Connect.
4) In the Object Explorer pane, expand the local Server to open Security → Logins.
5) In the side Object Explorer Details pane, double-click the sa login.
6) The Login Properties - sa dialog opens to the General page.
7) If not already enabled, click to select Enforce password policy and Enforce password
expiration check boxes.
NOTE: SQL Server 2005 password policies are enforced only on Windows 2003 systems
or higher, i.e. Windows Server 2003, Server 2008, or Windows 7.
In Windows XP, the Enforce password policy flag only prevents creation of very weak
or obvious passwords, including the computer name, SQL login name, "password",
"admin", "administrator", "sa", "sysadmin", or a blank password.
8) In the Password field, enter and confirm a new, strong password for the account. See Appendix
A – Creating Strong Passwords for guidance on creating strong passwords for default
administrative accounts.
9) Click the Status page.
10) Under Login, select Disabled.
11) Click OK to close the Login Properties - sa dialog.
12) Upon returning to the Logins menu, press the <F5> key to refresh the details pane.
13) Ensure the ‘sa’ account icon changes to show a red ‘down arrow’, indicating its disabled status:
14) The default ‘sa’ account is now disabled and can no longer be used for connections to SQL
Server.
Securing the ‘sa’ account for Microsoft SQL Server 2000:
Perform the following steps to assign a strong password to the SQL Server 2000 default administrative
account.
NOTE: The ‘sa’ default administrative account cannot be disabled in SQL Server 2000.
Ensure this account is protected with a strong password.
1) Login to the Host PC using your Windows administrative account.
2) Launch Microsoft SQL Server Enterprise Manager.
3) Expand the SQL Server Group, then expand the (local) server.
4) In the left-side pane, expand the Security folder and click Logins.
5) In the Logins pane, double-click the ‘sa’ account icon.
6) The SQL Server Login Properties - sa dialog appears.
7) In the Password field, enter a new, strong password for the account, then click OK. See
Appendix A – Creating Strong Passwords for guidance on creating strong passwords for default
administrative accounts.
8) The Confirm Password menu appears. Re-enter the password to confirm and click OK to close
the window.
9) Close Enterprise Manager when finished.
Assign a Strong Squirrel ‘Linux’ Terminal Account Password
To support PCI DSS Req. 2.1, the Squirrel ‘Linux’ account - created during Squirrel POS software installation - must be secured with a strong password that is unique to the merchant installation.
1) Login to the Host PC using your unique Windows administrative account.
2) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel →
Administrative Tools → Computer Management → Local Users and Groups).
3) The Local Users and Groups snap-in opens. Click Users.
4) Right-click the Linux account and click Set Password.
5) A Set Password for Linux warning dialog appears. Click Proceed.
6) Enter and confirm a unique, strong password for the Linux account. See Appendix A – Creating
Strong Passwords for guidance on creating strong passwords.
7) Click OK to commit the password change.
8) A dialog confirms the password has been set. Click OK to close.
9) Exit Local User Manager.
Restrict the Squirrel ‘Linux’ Account from Interactive Logon
The Squirrel ‘Linux’ account is intended as a service account for client workstations only. To support
compliance with the PCI DSS this account must be restricted against interactive logon at the Host PC.
1) From the Run command, type secpol.msc (or, alternately, open Control Panel →
Administrative Tools → Local Security Policy).
2) The Local Security Settings snap-in opens.
3) Expand Local Policies → User Rights Assignment.
4) In the right pane, double click on Deny logon locally.
5) The Deny logon locally Properties dialog opens.
6) Click Add User or Group.
7) Under Enter the object names to select, type linux, then click Check Name to verify the
object.
8) The pane refreshes to show the local <hostname>\Linux account. Click OK to commit the
change and close the dialog.
9) Confirm the <hostname>\Linux user appears in the Deny logon locally pane.
10) Click OK to close.
11) Close the Local Security Settings snap-in and log off from your local administrative account.
12) Attempt to logon to the Host PC using the Linux account credentials.
13) Confirm logon is denied with the logon message ‘The local policy of this system
does not permit you to log on interactively’.
14) The Squirrel ‘Linux’ account is now secured against interactive logon at the Squirrel Host PC.
Employ Industry-Accepted System Hardening Standards
Per PCI DSS Requirement 2.2, merchants are advised to apply the following configuration changes to the
Squirrel Host PC, which are in accordance with industry-accepted system hardening standards.
Enable Windows Anonymous Enumeration and Interactive Logon Security Policies
Additional security settings must be employed to prevent unauthorized enumeration of Windows
resources or cached logons.
1) Login to the Host PC using your Windows administrative account.
2) From the Run command, type secpol.msc and click OK (or, alternately, open Control Panel
→ Administrative Tools → Local Security Policy).
3) The Local Security Settings snap-in opens.
4) Expand Local Policies → Security Options.
5) In the right pane, select each of the following password policies by double-clicking the policy,
then configure each to match the corresponding values in the table below:
Security Policy | Setting
Network Access: Do not allow anonymous enumeration of SAM accounts and shares | Enable
Network Access: Do not allow anonymous enumeration of SAM accounts | Enable
Interactive Logons: Number of previous logons to cache (in case domain controller is not available) | 0*
* Workgroup only. For PC’s that are part of a domain, ‘Number of previous logons to cache’ should be set = 2
6) Confirm all settings, and then exit the console to commit the policy changes.
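The account and policy settings from the procedures above (renamed default Administrator account, Deny logon locally for the ‘Linux’ account, and the Security Options table) can be verified from a policy export instead of by clicking through each dialog. The following is an added example, not part of the Squirrel guide: a Python check over the text written by `secedit /export /cfg <file>`, run here on a constructed sample; the function names and sample values are illustrative assumptions.

```python
"""Audit a `secedit /export /cfg policy.inf` file against the settings in this guide."""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of an export from an unhardened workgroup host (values are made up).
SAMPLE_EXPORT = r'''
[Unicode]
Unicode=yes
[System Access]
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Privilege Rights]
SeDenyInteractiveLogonRight = Guest
'''

# The same constructed export after the guide's steps have been applied.
HARDENED_EXPORT = (SAMPLE_EXPORT
                   .replace('"Administrator"', '"hq-breakglass-41"')
                   .replace('CachedLogonsCount=1,"10"', 'CachedLogonsCount=1,"0"')
                   .replace("RestrictAnonymous=4,0", "RestrictAnonymous=4,1")
                   .replace("= Guest", "= Guest,Linux"))


def load_export(path):
    """Read an export from disk; secedit writes these files as UTF-16."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_inf(text):
    """Return {section: {key: value}} with section names and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def reg_value(sections, path):
    """Registry entries look like `<type>,<data>`; return the data without quotes."""
    raw = sections.get("registry values", {}).get(path.lower())
    if raw is None:
        return None  # not exported: treat as "not confirmed"
    _type, _, data = raw.partition(",")
    return data.strip().strip('"')


def privilege_members(sections, right):
    """Accounts holding a user right, lower-cased, without `*` or a HOST\\ prefix."""
    raw = sections.get("privilege rights", {}).get(right.lower(), "")
    members = (m.strip().lstrip("*") for m in raw.split(","))
    return [m.rsplit("\\", 1)[-1].lower() for m in members if m]


def audit(text, domain_member=False, service_account="Linux"):
    """Return {check_name: passed} for the settings this guide asks for."""
    s = parse_inf(text)
    admin = s.get("system access", {}).get("newadministratorname", "").strip('"')
    # Guide: cached logons = 0 for workgroup hosts, 2 for domain members.
    cached_expected = "2" if domain_member else "0"
    denied = privilege_members(s, "SeDenyInteractiveLogonRight")
    return {
        "administrator_renamed": bool(admin) and admin.lower() != "administrator",
        "restrict_anonymous_sam_and_shares":
            reg_value(s, LSA + r"\RestrictAnonymous") == "1",
        "restrict_anonymous_sam":
            reg_value(s, LSA + r"\RestrictAnonymousSAM") == "1",
        "cached_logons":
            reg_value(s, WINLOGON + r"\CachedLogonsCount") == cached_expected,
        "service_account_denied_local_logon": service_account.lower() in denied,
    }


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_EXPORT), ("after", HARDENED_EXPORT)):
        for check, passed in audit(text).items():
            print(f"{label:6} {'PASS' if passed else 'FAIL'}  {check}")
```

If the export lists the service account by SID rather than by name, pass that SID as `service_account`.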
Remove Generic or Vendor-Default Windows Administrative Accounts
Some merchants may still be using generic and/or vendor-default Windows accounts that originated from initial
system installation, ‘pre-live’ operations, or previous troubleshooting.
All generic or vendor-default administrative Windows accounts must be removed from the system to comply
with PCI Requirements.
IMPORTANT
If individuals are currently using a shared or generic Windows administrative account
for Host PC logon, i.e. ‘Squirrel’, ’Manager’, etc., ensure unique Windows accounts
have been created for all merchant system administrators before proceeding with
account removal.
For steps on creating unique Windows accounts for members of the merchant
organization, please refer to steps under Requirement 8, ‘Creating Unique Windows
Accounts for System Administrators’.
1) Ensure any important files kept in the user’s profile folder, i.e. C:\Documents and
Settings\<username>\ have been copied to another location and are available to at least one
other administrative account before proceeding with account removal.
2) Login to the Host PC using your unique Windows administrative account.
3) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel →
Administrative Tools → Computer Management → Local Users and Groups).
4) The Local Users and Groups snap-in opens. Click Users.
5) In the right-side pane, right-click the first generic or vendor-default account you wish to remove.
6) Click Delete.
7) Click Yes to the warning dialog that appears.
8) The selected account is removed from the right side pane.
9) Repeat Steps 6 – 9, as necessary, to continue removing any additional generic or vendor-default
Windows accounts.
10) Close the Local Users and Groups snap-in when finished.
Remove Generic or Vendor-Default Browser Security Accounts
All Squirrel Browser User accounts - administrative or otherwise - must correspond to a single member of the
merchant organization; compliant Browser User accounts can be created according to the steps detailed in
Requirement 8, ‘Creating a Browser ‘Security Administrator’ and ‘Creating Additional Browser Users’.
IMPORTANT:
If currently using a shared or generic account for the default Browser logon (e.g.
Squirrel, or Manager, etc.), ensure you have created compliant Browser accounts
for each system administrator before proceeding.
Accounts can be created according to the steps detailed in Requirement 8,
‘Creating a Browser ‘Security Administrator’ and ‘Creating Additional Browser
Users’.
1) Login to the Squirrel Browser using your unique Browser Security Administrative user account.
2) Click Utilities / Security → Browser Users.
3) Browser Users opens.
4) Select the first generic or vendor-default user you intend to remove from the This Record
dropdown.
5) Click the Delete Record (‘ X ‘ ) button (upper-right) to delete the Browser User.
6) A warning dialog appears asking to confirm deletion. Click Yes.
7) The record is deleted.
8) Exit Browser Users and click Yes to save the last screen data.
9) Repeat Steps #3 – 6 above to continue removing additional generic or vendor-default Browser
User accounts, as needed.
10) When finished, only Browser User accounts corresponding to individual members of the merchant
organization should remain.
Change Vendor-Default Wireless Network Security Settings
Merchants implementing Squirrel into an existing wireless environment, or introducing a wireless network into
the cardholder data environment, are required to observe PCI DSS requirements for securing wireless defaults:
• Merchants must change wireless vendor defaults on all hardware, including but not limited to:
  o Wireless encryption keys
  o Default Service Set Identifier (SSID)
  o SNMP community strings
  o Default passwords/passphrases on access points
  o Firmware version, if required to support strong encryption for authentication and transmission
• Merchants must disable SSID broadcasts
• Merchants must enable Wi-Fi Protected Access (WPA2) technology for encryption and authentication
• Wireless encryption keys must be changed anytime anyone with knowledge of the keys leaves (or
steps down from a position of authority in) the merchant organization.
Secure Vendor-Default Passwords and Accounts on Additional System Components
PCI Req. 2 applies to all system components included in, or connected to, the cardholder data environment. Be
sure to assign strong passwords and remove/rename vendor-default accounts on any system component
before installing it into the cardholder data environment, including but not limited to:
• Network devices, such as routers, managed switches, wireless access points, client bridges, etc.
• Security applications installed on the Squirrel Host PC, e.g. antivirus applications, etc.
• Other PC’s in the cardholder data environment, e.g. office PC, security DVR PC’s, etc.
Encrypt Non-Console Administrative Access
Merchant organizations that utilize non-console administrative access,
such as Remote Desktop (RDP), VNC, pcAnywhere, etc., in the
cardholder data environment are required to observe the following
practices to support PCI compliance:
• If using Remote Desktop Protocol (RDP), install RDP v6.0 or
newer on all remote and local systems.
• If using other potentially insecure remote technologies, such as
VNC, pcAnywhere, etc., transmissions must be encrypted
(through SSH, VPN, IPSec, or SSL/TLS, for example) to prevent disclosure of user credentials or
other sensitive data.
If using non-console access for daily procedures, e.g. daily reporting or POS operation, merchants are advised
to avoid using administrative accounts and instead add necessary non-administrative users or groups to the
Remote Desktop Users Group for such purposes.
PCI DSS REMINDER:
Merchants are reminded of the potential for PCI DSS violations related to non-console
access:
• Do not use any remote technologies that transmit clear-text passwords or data
• Never use Telnet or rlogin for administrative access
• Do not use older, insecure versions of Remote Desktop (pre-v6.0)
• Do not save account passwords in Remote Desktop (.RDP) connection files, as
these files are susceptible to potential password disclosure. Always enter user
credentials manually at time of connection.
Disable Windows Remote Assistance
The Windows Remote Assistance feature is not required for the operation or support of a Squirrel POS
system. Merchants are advised to disable this feature, in accordance with industry-hardening standards.
1) Logon to the Host PC using your Windows administrative account.
2) Open Start → Control Panel and double-click the System icon.
3) The System Properties dialog opens. Select the Remote tab.
4) Click to clear the Allow Remote Assistance invitations to be sent from this computer check box.
5) Click OK to close.
6) Sending of Remote Assistance invitations is now disabled.
Disable Autorun for Removable Media (CD/DVD/USB)
Squirrel advises merchants to disable the Windows autoplay or AutoRun features on the Host PC, in
accordance with industry-hardening standards. This practice helps protect against potential spread of
malicious code when removable media, i.e. USB drives or CD/DVD’s are inserted.
To disable all AutoRun functionality for removable media, perform the following steps:
1) Ensure all high-priority Windows Updates have been applied to the PC before configuring. See
Maintain Microsoft Software Updates, under Requirement 6, for assistance in applying OS
updates.
NOTE: To disable the Autorun functionality in Windows XP, security update 950582,
update 967715, or update 953252 must be installed. Please refer to Microsoft KB article
967715 for further information (http://support.microsoft.com/kb/967715).
2) Logon to the Host PC using your Windows administrative account.
3) From the Run command, type gpedit.msc and click OK.
4) The Group Policy Editor snap-in opens. Expand Computer Configuration → Administrative
Templates → System.
5) In the Settings pane, right-click Turn off Autoplay, and click Properties.
6) Select Enabled.
7) Select All drives from the Turn off Autoplay dropdown menu.
8) Click OK to close the Turn off Autoplay Properties dialog box.
9) The Turn off Autoplay policy now reads ‘Enabled’.
10) Restart the PC at the next available opportunity.
11) After next restart, removable media, such as CD or DVD-ROM’s, USB drives, etc. no longer
AutoRun when inserted or connected.
12) Users are now required to navigate using Windows Explorer to access files or launch programs
manually from removable volumes.
For further information on not using vendor-supplied default passwords or security settings, and for complete
merchant responsibilities under PCI DSS Requirement 2, please refer to resources available from the PCI
Security Standards Council at https://www.pcisecuritystandards.org/index.shtml
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder
data protection. If an intruder circumvents other network security controls and gains access to encrypted data,
without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective
methods of protecting stored data should be considered as potential risk mitigation opportunities. For example,
methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating
cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails”. 2
Limit Cardholder Data Retention (‘Purge Encrypted Credit Card Data’)
In supporting compliance with PCI DSS Req. 3, the Squirrel POS system must be configured to perform
automatic purges of PAN (Primary Account Number), expiry date, cardholder name, and other discretionary
data from posted transactions older than a customer-defined retention period.
These cardholder data purge procedures do not remove the associated transactional data from the Squirrel
database; all original sales information, including payment media type, amounts, tips, etc. remain intact.
To purge encrypted cardholder data from the Squirrel database, follow the steps outlined below:
PCI DSS REMINDER
Merchants are required by PCI DSS Req. 3.1 to develop a policy limiting retention of
cardholder data to the minimum period required for business, legal, and/or regulatory
purposes.
Merchants must purge cardholder data when storage is no longer required for any
business, legal, or regulatory purpose.
1) Open the Squirrel Browser and select Advanced Setup → Credit Card Setup.
2) Under Purge Encrypted Credit Card data older than <nnn> weeks, enter or select the number
of weeks after which posted credit card data will be purged from the Squirrel database.
3) Exit Credit Card Setup, ensuring to click OK to save changes.
4) On next Credit Card Posting, encrypted cardholder data in transactions older than the customer-defined retention period is purged from the Squirrel database.
5) Confirm purge of encrypted cardholder data by running a Credit Card Detail Report for the
appropriate date range. Previously stored PAN’s (‘Credit Card #’ field) are empty and all expiry
date fields are replaced with ‘00/00’ for transactions where cardholder data has been purged.
2 PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011]
NOTE: The following procedures are intended for merchants who use payment solutions
that depend on encrypted cardholder data being stored in the Squirrel POS application
database. For merchants who use tokenized payment solutions, i.e. do not store
cardholder data in the application database, Squirrel advises the Purge Encrypted Credit
Card data flag still be enabled in support of merchant compliance efforts.
For more information on tokenization solutions available for the Squirrel POS system, please contact your
authorized Squirrel sales representative.
Disable Squirrel Credit Card Tracking
PCI DSS Req. 3.2 requires that merchants not store magnetic stripe data, card validation values, or PIN block
codes in any type of log, debugging, or diagnostic trace file. To support compliance with this requirement,
Squirrel Credit Card Tracking must always be disabled unless otherwise specified by the Squirrel Solution
Center.
1) Login to the Squirrel Browser using your Browser Security Administrative account.
2) Click Utilities → Tracking.
3) Under Interface Tracking, click to clear the Credit Card check box.
4) Exit Tracking, ensuring to click OK to save changes.
NOTE: Terminal/Host Message and Terminals Touch Tracking controls may be left
enabled. With Credit Card Interface Tracking disabled, these tracking mechanisms are
designed to filter (truncate) cardholder values from diagnostic data collected.
PCI DSS REMINDER:
Squirrel Credit Card Tracking may only be engaged in direct consultation with the Squirrel
Solution Center. Any diagnostic captures of cardholder data are subject to the following
restrictions, per PA-DSS v2.0:
• Credit Card Tracking may only be engaged by authorized Squirrel POS
resellers, integrators, or support personnel
• Credit Card Tracking may only be engaged when deemed necessary by
Squirrel Systems to resolve a problem related to payment authorization,
reconciliation, or other business critical issue
• Collection of Credit Card Tracking data is limited to only the amount
necessary to solve a specific issue, as determined by the Squirrel Solution
Center on a per-case basis
• Squirrel Credit Card Tracking data is encrypted by default and may be
decrypted only by authorized Squirrel Systems personnel
• Credit Card Tracking data must be stored in specific, known locations with
limited access. This includes data stored on systems belonging to the
merchant organization, authorized Squirrel resellers, system integrators,
support personnel, or other third parties. To regulate access to Tracking
data collected on a merchant system see Restrict Access to Physical
Squirrel POS Tracking Data
• Credit Card Tracking data copied from merchant systems by authorized
personnel must be transmitted directly to the Squirrel Solution Center via
secure encrypted channel, or secured removable media
• All Credit Card Tracking data generated, and copies thereof, must be
securely deleted immediately after use, in accordance with PCI
requirements. Please refer to the Squirrel Secure Data Deletion: PA-DSS
Implementation Guide Supplement for further information on secure deletion
Mask POS Display of PAN (Primary Account Number)
Merchants are required by the PCI DSS to limit displays of cardholder data to only those parties or members of
the merchant organization with a legitimate business need to see it.
Engage PAN Masking for all Voucher Copies
In supporting compliance with the PCI DSS, merchants are advised to engage PAN masking on all copies
of printed credit card vouchers.
NOTE: PAN masking for the Customer credit card voucher is engaged by default for all
Squirrel versions. PAN masking for both the Customer and Merchant copies is default for
Squirrel Version 7.0 and up.
To engage PAN masking on both Merchant and Customer card vouchers in Squirrel versions 1.55 or 6.0,
complete the following steps.
1) Login to the Squirrel Browser using your Browser Security Administrative account.
2) Click Utilities → POS Extensions.
3) The sqPOSExtensions dialog appears.
4) In the Terminal Name dropdown, select All Terminals.
5) Under Available Extensions, scroll down to the [Vouch] group heading and click the
MerchMaskVouch extension.
6) Click the right arrow button (‘→’) to move MerchMaskVouch into the Selected Extensions
pane.
7) Click OK to commit the change and exit.
8) Reboot all terminals to implement the POS extension change.
9) On next credit card authorization, confirm both Merchant and Customer copies of the voucher
have the PAN and expiry date masked.
Engage PAN Masking for the Squirrel Browser
With Squirrel Browser Security engaged, merchants are required to disable the Can see DeCrypted
Credit Cards privilege for all Browser Users who do not have a legitimate business need to see the full
PAN.
Disabling this feature supports compliance with PCI DSS Requirements by ensuring PAN’s are masked in
Browser displays, such as Check Adjust and Squirrel Reports.
NOTE: Squirrel strongly advises merchants to disable full PAN decryption for all Browser
groups. Viewing of full PAN data, even by authorized users, should only be done when
absolutely necessary for business purposes, i.e. if the processor is unable to provide a
PAN lookup or cross-reference by other means, such as an approval (‘auth’) code, token,
or partial PAN.
To disable viewing of full-PAN data in Squirrel Browser:
1) Ensure Browser Security is enabled. If not, see Engage Squirrel Browser Security first to correct.
2) Login to the Squirrel Browser using your Browser Security Administrative account and click
Utilities → Browser Users.
3) Click to clear the Can see DeCrypted Credit Cards check box for the first user.
4) Change to the next record and repeat steps above to deselect the flag for all additional Browser
Users.
5) Exit Browser Users, ensuring to save.
6) Test viewing Browser displays, including Check Adjust and the Credit Card Detail Report, for
each Browser Group to verify only partial (‘masked’) PAN data is displayed.
PCI DSS REMINDER
Merchants are required by PCI DSS Req. 3.3 to limit display of PAN data to only
those members of the merchant organization or supporting party whose job requires
such access.
Merchants who fail to engage Squirrel Browser Security or properly engage PAN
masking cannot be compliant with the PCI DSS.
Securely Remove Prohibited or Insecure Cardholder Data
Merchants, system installers & integrators, and support personnel are required to check new and existing
Squirrel POS installations for potential instances of prohibited or insecure cardholder data and to securely
sanitize or delete such data. This includes the following:
• magnetic stripe data
• card validation codes (CVV)
• unencrypted primary account numbers (PAN)
• PINs or PIN blocks
The following data sources are known to contain potential prohibited or insecure historical cardholder data:
• Transaction data from legacy versions of Squirrel POS software
• Diagnostic data (credit card tracking) from all versions of Squirrel POS software
• Database backups from previous versions of Squirrel POS software
System age, upgrade/installation path, and diagnostic history are the main determinants as to whether or not
prohibited or insecure cardholder data may be present. Please refer to the Squirrel Secure Data Deletion:
PA-DSS Implementation Guide Supplement for further information on secure data removal.
PCI DSS REMINDER
Prohibited historical cardholder data (magnetic stripe data, card validation codes,
PINs, or PIN blocks) MUST be removed for PCI compliance.
Failure to check for and securely remove files known to contain potential prohibited
cardholder data violates PCI DSS requirements.
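A discovery scan of the kind this check calls for, as an added example (not Squirrel's tooling and not taken from the Secure Data Deletion supplement): it flags magnetic stripe track data and Luhn-valid unencrypted PANs in text such as diagnostic logs, and reports each hit masked. The log layout, field names and card numbers below are constructed test values; card validation codes and PIN blocks have no reliable text signature and are not covered.

```python
"""Flag stored track data and unencrypted PANs in text files (added example)."""
import re
import sys
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str    # "track1", "track2" or "pan"
    masked: str  # first six / last four digits only; the full value is never kept


# Track layouts per ISO/IEC 7813: track 1 is %B<PAN>^<name>^<YYMM>...?
# and track 2 is ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^\r\n]{2,26}\^\d{4}[^?\r\n]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?\r\n]*\?")
# 13-19 digits, optionally separated by single spaces or hyphens, and not part
# of a longer digit run.
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines (assumed layout, well-known test card numbers).
SAMPLE_LOG = """\
2014-07-06 12:01:07 AUTH REQ term=4 amt=23.50 card=4111 1111 1111 1111 exp=1215
2014-07-06 12:01:08 AUTH RSP term=4 approved auth=083421 card=411111******1111
2014-07-06 12:03:44 SWIPE term=2 raw=%B5555555555554444^DOE/JANE^15121010000000000000?
2014-07-06 12:03:44 SWIPE term=2 raw=;5555555555554444=15121010000000000000?
2014-07-06 12:05:10 CHECK 1234567890123456 closed, 2 covers
""".splitlines()


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS Req. 3.3 display maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return masked findings for track data and unencrypted PANs, in line order."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        covered = []  # spans already reported as track data
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                findings.append(Finding(no, kind, mask(m.group(1))))
                covered.append(m.span())
        for m in PAN.finditer(line):
            if any(start <= m.start() < end for start, end in covered):
                continue  # the PAN inside a track record is reported once, as track data
            digits = re.sub(r"\D", "", m.group())
            # Luhn filters out order numbers and IDs; a single repeated digit
            # (e.g. all zeros) passes Luhn but is padding, not a card number.
            if luhn_ok(digits) and len(set(digits)) > 1:
                findings.append(Finding(no, "pan", mask(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one text file; undecodable bytes are replaced rather than aborting."""
    with open(path, "r", errors="replace") as fh:
        return scan_lines(fh)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = {p: scan_file(p) for p in paths}
    else:
        results = {"<constructed sample>": scan_lines(SAMPLE_LOG)}
    for name, found in results.items():
        for f in found:
            print(f"{name}:{f.line_no}: {f.kind} {f.masked}")
```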
Enable Squirrel Key Management
Squirrel POS supports merchant compliance by encrypting stored cardholder data with 512-bit RSA encryption.
To ensure data is secured to each unique merchant installation, merchants are required to enable personal Key
Management.
Please refer to Part II: Squirrel Key Management for further information on how to deploy key management for
Squirrel.
For further information on protecting stored cardholder data, and for complete merchant responsibilities under PCI
DSS Requirement 3, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Requirement 4: Encrypt transmission of cardholder data across open, public networks
“Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious
individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols
can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to
cardholder data environments”. 3
Transmission of Cardholder Data over Public Networks by Squirrel POS
Squirrel POS only supports high-speed credit and gift card solutions that utilize, by default, secure encryption
technologies (such as SSL/TLS) for transmission of cardholder data over public networks, i.e. the Internet.
Transmission of such data is conducted only for the purpose of payment authorization or reconciliation.
Transmission of Cardholder Data over Public Networks by the Merchant
Squirrel POS does not utilize or enable use of end-user messaging technologies, such as e-mail, instant
messaging, chat, SMS, etc. to transmit unencrypted PANs (Primary Account Numbers). Merchants are
advised not to transmit cardholder data across open public networks unless necessary for business purposes,
and to never transmit cardholder data in clear-text.
PCI DSS REMINDER
Merchants who choose to transmit PANs via end-user messaging technologies are
required by PCI DSS Req 4.2 to use encrypted transmission, i.e. encrypted email
(PGP, etc).
Transmitting PAN data in clear or plaintext over public or insecure networks is a
violation of PCI DSS requirements.
For further information on encrypting transmission of PANs, and for complete merchant responsibilities under PCI
DSS Requirement 4, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
3. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011]
(26)
PCI Security Standards Council, "PCI DSS Requirements and Security Assessment Procedures, v1.2"
<https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf>, 26
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
“Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the
network during many business approved activities including employees’ e-mail and use of the Internet, mobile
computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be
used on all systems commonly affected by malware to protect systems from current and evolving malicious
software threats”. 4
Install an Approved Antivirus Solution
Merchants are required to install antivirus (AV) software on all systems in the cardholder data environment
commonly affected by malware. Merchants are also required to ensure their antivirus programs are capable of
detecting, removing, and protecting against all known types of malicious software, and that antivirus
components are current, actively running, and generating audit logs.
Squirrel has certified ESET NOD32 Antivirus 4 Business Edition for use with Squirrel POS. Please contact the
Squirrel Solution Center or your authorized Squirrel sales representative for further information regarding
supported AV products.
PCI DSS REMINDER
Merchants who fail to install or properly configure and maintain an updated antivirus
solution on all commonly affected systems in the cardholder data environment cannot
be compliant with Requirement 5 of the PCI DSS.
For further information on antivirus software requirements, and for complete merchant responsibilities under PCI
DSS Requirement 5, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
4. PCI Security Standards Council, "PCI DSS Requirements and Security Assessment Procedures, v1.2"
<https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf>, 28
Requirement 6: Develop and maintain secure systems and applications
“Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these
vulnerabilities are fixed by vendor provided security patches, which must be installed by the entities that manage
the systems. All critical systems must have the most recently released, appropriate software patches to protect
against exploitation and compromise of cardholder data by malicious individuals and malicious software. Note:
Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine
that the patches do not conflict with existing security configurations. For in-house developed applications,
numerous vulnerabilities can be avoided by using standard system development processes and secure coding
techniques”. 5
Maintain Squirrel POS Software Updates
Upgrades and critical patches for Squirrel POS software are available to merchants, system resellers,
integrators, installers, and support personnel through the Squirrel Solution Center.
Please contact the Squirrel Solution Center for further information on obtaining updates necessary for payment
security purposes.
Maintain Microsoft Software Updates
Squirrel advises merchants to install Microsoft Update and to schedule Automatic Updates for automatic
download and installation.
Configure Automatic Updates
Perform the following steps to configure Automatic Update settings:
1) Open Start → Control Panel → Automatic Updates.
2) Set updates to Automatic (recommended). Leave the default download date and time set to
Everyday, 3:00 AM, unless this time conflicts with active merchant operations.
5.
3) Click OK to exit and apply changes.
Install Microsoft Update Components
Squirrel strongly advises merchants to install the Microsoft Update component, in order to receive
automatic updates to both the Windows operating system and installed Microsoft products. This includes
critical updates to Microsoft SQL Server, the Microsoft Office System, and other Microsoft applications.
1) Open Start → All Programs → Windows Update.
2) Internet Explorer opens to www.update.microsoft.com and checks for the latest version of
Windows update software.
3) If prompted, click Install Now to install the latest update components.
4) The page refreshes to read Welcome to Windows Update.
NOTE: If Microsoft Update is already installed, the welcome page refreshes to read
Welcome to Microsoft Update.
5) Next to the Get Microsoft Update today! banner, click Go.
6) Click Start Now.
7) Click Continue to accept the license agreement.
8) If prompted with an Information Bar dialog, click to select the Do not show this message again
check box, then click OK to close.
9) Click the Information Bar, then select Install ActiveX Control.
10) An Internet Explorer – Security Warning dialog appears. Click Install.
11) When finished, the page refreshes to display Microsoft Update setup is complete.
Check for Outstanding High-Priority Microsoft Updates
Once Microsoft Update has been installed, merchants are advised to check for any outstanding updates
to their system.
1) Click Check for Updates to review and download critical updates for other installed Microsoft
products.
2) Click Express.
3) Microsoft Update checks for the latest updates to Windows and installed Microsoft applications.
4) Click Yes when prompted about sending information to the Internet.
5) The page refreshes to prompt for a required upgrade to Windows components.
6) Click Download and Install Now.
7) Updates for the Windows Genuine Advantage Validation Tool begin downloading.
8) Update installation completes. Click Close.
9) The page refreshes. Click Continue.
10) Outstanding high-priority updates for the PC are displayed. Click Install updates.
11) Click I Accept to accept the license terms.
12) Updates begin to download and install.
13) If prompted to install Internet Explorer 8, select I do not want to participate right now and
click Install to continue.
Otherwise, if IE8 has already been installed, continue to Step #18.
14) Click I accept to accept the license terms.
15) Leave Install updates selected and click Next to proceed.
16) Download and installation begins.
17) When Internet Explorer 8 installation finishes, installation of remaining updates continues.
18) When updates are complete, click Restart Now to restart the PC (if prompted).
19) The PC restarts.
20) Continue to the next section.
Windows Genuine Advantage (WGA) Notifications
21) After the restart, a Windows Genuine Advantage Notifications - Installation Wizard appears. Click
Next.
22) Select I agree, then click Next.
23) WGA setup begins.
24) When done, click to clear the Show me some of the many benefits… check box, then click
Finish to close.
Check for Outstanding High-Priority Microsoft Updates
25) Open Start → All Programs → Microsoft Update.
26) An Internet Explorer 8 Setup dialog appears. Click Ask me later.
27) Click the Microsoft Update tab.
28) The Microsoft Update website requests to install a new ActiveX control. Right click the information
bar and select Run Add-on.
29) Click Run.
30) Click Express.
31) Microsoft Update checks for the latest updates to Windows and installed Microsoft applications.
32) Microsoft Update detects outstanding updates and prompts for installation. Click Install Updates.
33) Updates begin to download and install.
34) When updates are complete, click Restart Now to restart the PC.
35) Open Start → All Programs → Microsoft Update.
36) Click Express.
37) Continue performing update checks until Microsoft Update no longer detects any missing
High-priority updates.
38) Close Internet Explorer when finished.
Configure and Maintain Java Updates
Squirrel recommends merchants also configure Java to check automatically for important security updates.
Complete the following steps to configure Java for automatic updating:
NOTE: Current Java 6 update versions/builds may differ from screenshots shown.
1) Open Start → Control Panel → Java.
2) The Java Control Panel opens. Click the Update tab.
3) Ensure Check for Updates Automatically is selected. In the Notify Me drop-down menu, select
Before Installing.
4) Click Advanced.
5) Select Weekly frequency, with the update check for every Sunday at 12:00 AM. Click OK to
close.
6) Click Update Now to check online for the latest Java update.
7) If an update is available, the Java Update Available icon appears in the service tray. Click the
icon to begin downloading and installing the update.
8) The Java Update dialog appears. Click Install to continue.
9) The Java Setup welcome dialog appears. Click Install.
10) If prompted, click to clear any check boxes offering installation of optional software (e.g. Google
Toolbar, Open Office, etc.). Confirm additional software offers are not selected, then click Next.
11) If prompted to close the Java Control Panel, click Close Programs and Continue.
12) Click OK.
13) Java Setup proceeds.
14) Setup completes. Click Close to exit setup.
15) Java update is complete.
Maintain Critical Updates for Third-Party Applications
Squirrel advises merchants to maintain critical security updates for all installed applications or components in
the cardholder data environment. This can often be accomplished by enabling automatic updates for an
application (if available), or by regularly checking the vendor’s website.
Merchants may also want to employ free online patch management solutions, such as Secunia’s Online
Software Inspector (http://secunia.com/vulnerability_scanning/online/), to help discover and remediate
unpatched vulnerabilities in many popular third-party applications.
Fig. 1 - Sample OSI scan before patching
Fig. 2 - Sample OSI scan after patching
PCI DSS REMINDER
Merchants are solely responsible for ensuring all critical systems have the most recent,
appropriate software updates to protect against exploitation or compromise of cardholder
data.
Failure to check for and regularly apply critical updates to all system components in the
cardholder data environment puts compliance with PCI DSS Requirement 6 at risk.
For further information on maintaining secure systems, and for complete merchant responsibilities under PCI DSS
Requirement 6, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
“To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place
to limit access based on need to know and according to job responsibilities. “Need to know” is when access rights
are granted to only the least amount of data and privileges needed to perform a job”. 6
Engage Squirrel Browser Security
Enabling Squirrel Browser Security supports merchant PCI compliance through the following features:
• Restricts access to cardholder data and POS configuration settings, including Security and Advanced
Setup components, based on employee security / job level
• Enforces masking of PAN (Primary Account Number) in Browser interfaces and reports
• Provides PCI-required timeout controls to lock idle Browser sessions.
• Audits user activity for access to application-level components, as required by the PCI DSS.
PCI DSS REMINDER
Merchants are required to enable Browser Security and limit access to system
components and cardholder data to only individuals whose job requires such access.
Merchants who fail to engage Squirrel Browser Security or properly engage required
security controls cannot be compliant with the PCI DSS.
Please refer to Requirement 8: Assign a unique ID to each person with computer access for information on
what Browser Security configuration is necessary to support PCI DSS compliance.
Restrict Access to Squirrel Tracking Controls
Access to Tracking Controls must be limited, via Browser Security, to only administrators for the merchant
organization or authorized vendor personnel.
1) Ensure Browser Security is enabled. If not, please complete Engaging Squirrel Browser Security
first to correct.
2) Login to the Squirrel Browser using your Browser Security Administrative account and click
Utilities → Browser Security Groups.
3) Select the first non-administrative Browser Security Group.
6. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011]
(35)
4) Under Available Pages, scroll to and click Util.htm.
5) Under Browser Choices For the Selected Page, click to clear the Tracking browser choice
check box.
NOTE: If Grayed Browser Choice Means is already set to the recommended default ‘Not
Selected’, greyed options are already unavailable by default.
6) Click Test.
7) Confirm the Tracking link is unavailable for the selected Browser Group.
8) Repeat steps 4-6 for all other non-administrative Browser Security Groups and confirm the
Tracking option is not available to each.
9) Save settings, then Exit Browser Users.
Use a Limited Windows Account for POS Operations (Squirrel Users Setup)
Windows administrative accounts must not be used for normal POS operations. To support compliance with the
PCI DSS, a Limited User account can be created and configured for use during most daily operations.
Create a Windows Limited User Account
1) Login to the Host PC using your Windows administrative account.
2) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel and select
Administrative Tools → Computer Management → Local Users and Groups).
3) The Local Users and Groups snap-in opens. In the left pane, click Users.
4) Open the Action menu and click New User.
5) The New User dialog appears. Enter the following information:
a) User name: Type a unique username for this limited user account.
NOTE: Ensure the user name is unique to the merchant installation, i.e. do not use
generic, easily guessable, or sample names like, ‘admin’, ‘squirrel’, etc.
b) Description: Type a description for this account, e.g. Squirrel POS Limited User
Account.
c) Click to clear the User must change password at next logon check box.
d) Enter and confirm a strong Password for the account. See Creating Strong Passwords for
guidance, if necessary.
e) Leave all other settings at default and click OK to close the New User dialog.
6) Close the Local Users and Groups snap-in.
Create the ‘Squirrel Users’ Windows Group
The SquirrelUsers.exe utility is provided to create a new Windows group called ‘Squirrel Users’, and to
assign the group the necessary rights and privileges for Squirrel POS operations. The SquirrelUsers utility
also provides a shortcut for adding a previously-created Limited User account to the group.
1) Login to the Host PC using your Windows administrative account.
2) From the Run command, type squirrelusers (or, alternately, use Windows Explorer to launch
\Squirrel\Program\SquirrelUsers.exe).
3) The SquirrelUsers utility opens.
4) Click (Re)Create ‘Squirrel Users’ Group.
5) The SquirrelUsers dialog refreshes to show a new Windows Group called Squirrel Users (under
Current Security Groups), along with the list of new privileges, registry permissions, and service
control rights granted to the group.
6) Click Add User to ‘Squirrel Users’ Group.
7) The Add Existing Account to ‘Squirrel Users’ dialog opens. Under the List of Local Windows
Accounts only, locate and double-click the Windows Limited User account created previously in
Create a Windows Limited User Account.
8) The account name appears in the Selected Users field. Click Add Selected User.
9) The dialog closes and the selected user is added to the Members of ‘Squirrel Users’ Group
pane.
10) Click Exit to close the SquirrelUsers application and continue to the next section below for
additional setup.
Grant the ‘Squirrel Users’ Group Write Access to Squirrel Application Folders
Before attempting to operate POS as a limited user, additional permissions must be assigned to the
Squirrel Users group for the Squirrel application directories.
1) Logon to the PC using your Windows administrative account.
2) Use Windows Explorer to locate the \Squirrel installation folder, e.g. ‘C:\Squirrel’.
3) Right-click the Squirrel folder and select Sharing and Security.
4) The Squirrel Properties dialog opens. Click the Security tab.
5) Click the Add button.
6) The Select Users or Groups dialog appears. Under Enter the object names to select, type
squirrel users and click the Check Names button.
7) The pane refreshes to show the <hostname>\Squirrel Users group. Click OK.
8) The Squirrel Properties dialog refreshes to show the Squirrel Users group. Click to select the
Squirrel Users group, then under Allow, click to enable the Write check box.
9) Click OK to close the Squirrel Properties dialog.
SQL Server 2005: Create Unique SQL Logins for Database Access
The default installation of Squirrel POS utilizes Windows Trusted authentication when accessing the
Microsoft SQL Server. For a compliant operation, merchants are required to configure SQL Server
Authentication, which allows the Squirrel application to connect to SQL Server when running under a
non-administrative Windows user.
Complete the following steps to create the two unique SQL Logins necessary for Squirrel to connect with
SQL Server 2005.
NOTE: For SQL Server 2000 configuration steps please continue to the next section,
SQL Server 2000: Create Unique SQL Logins for Database Access.
1) Login to the Host PC using your Windows administrative account.
2) Open Start → Microsoft SQL Server 2005 → Microsoft SQL Server Management Studio.
3) The Connect to Server login dialog appears. Click Connect.
4) In the Object Explorer pane, expand the local Server to open Security → Logins.
5) Under Object Explorer Details pane, right-click and click New Login.
6) The Login – New dialog appears. Click the General page.
7) Select / enter the following settings for the new SQL login:
a) Name: Type a name for the first account.
NOTE: Always ensure account names are unique to the merchant installation. Do not use
generic, easily guessable, or example names like, ‘admin’, ‘squirrel’, etc.
b) Authentication: Select SQL Server Authentication.
c) Password: Type and confirm a strong password for the account.
NOTE: SQL Logins used by Squirrel cannot contain the following characters in either the
Name or Password: semi-colons ( ; ), double-quotation marks ( " ), or blank spaces.
d) Leave the default Enforce password policy and Enforce password expiration options
checked.
NOTE: SQL 2005 password policy flags are enforced only on Windows 2003 systems or
higher. In Windows XP, the Enforce password policy flag only prevents creation of very
weak passwords, such as null (empty), PC name, existing Windows user name, or any of
the following: "password", "admin", "administrator", "sa", or "sysadmin".
e) Click to clear the User must change password at next login check box.
f) Default Database: Click to select the Squirrel database as the default database.
g) Leave Default Language at the ‘<default>’ setting.
8) Click the Server Roles page.
9) Click to enable the sysadmin check box.
10) Click OK to close the properties menu and create the new login.
11) Confirm the new SQL Login appears in the Logins folder.
12) Repeat Steps #1 - 10 above to create a second, unique SQL Login with the same settings and
permissions.
13) When complete, confirm an icon for each new SQL Login appears in the Logins folder.
14) Exit SQL Server Management Studio and proceed to the next section for further configuration.
SQL Server 2000: Create Unique SQL Logins for Database Access
Complete the following steps to create the two unique SQL Logins necessary for the Squirrel application
to connect with SQL Server 2000.
1) Login to the Host PC using your Windows administrative account.
2) Launch Microsoft SQL Server Enterprise Manager.
3) Expand SQL Server Group, then expand (local) server to Security → Logins.
4) Click the ‘new object’ icon (‘*’) on the tool bar at the top to begin creating a new SQL Login.
5) The SQL Server Login Properties – New Login dialog appears. On the General tab, select /
enter the following:
a) Name: Type a name for the first account.
NOTE: Always ensure account names are unique to the merchant installation. Do not use
generic, easily guessable, or example names like, ‘admin’, ‘squirrel’, etc.
b) Authentication: Select SQL Server Authentication.
c) Password: Type and confirm a strong password for the account.
NOTE: SQL Logins used by Squirrel cannot contain the following characters in either the
Name or Password: semi-colons ( ; ), double-quotation marks ( " ), or blank spaces.
d) Defaults: Select the Squirrel database for the default database. Leave Language at the
default setting.
6) Click the Server Roles tab.
7) Under Server Role, click to enable the System Administrators check box.
8) Click the Database Access tab.
9) Under Specify which databases can be accessed by this login, click to select the Squirrel
database.
10) Click OK.
11) The Confirm Password dialog appears. Re-type the password and click OK to close the window.
12) Confirm the new SQL Login appears in the Logins pane.
13) Repeat steps #1 to #11 above to create a second unique SQL Login, using the same settings
and permissions.
14) When finished, confirm an icon for each new SQL Login appears in the Logins pane.
15) Exit Enterprise Manager and proceed to the following sections for further configuration.
Configure the Squirrel ODBC Connection for SQL Authentication
By default, non-administrative Windows accounts are not granted trusted access to a SQL Server
installation. To grant database access by the Squirrel applications while running under a
non-administrative user, the Squirrel ODBC connection must be configured to use SQL Authentication.
IMPORTANT:
Before changing the Squirrel ODBC DSN to use SQL Authentication, ensure all
installed optional products or partner systems which share the Squirrel DSN or
connect to the Squirrel SQL Server are capable of supporting SQL Authentication,
and have been reconfigured accordingly.
Perform the following steps to change the Squirrel ODBC connection to use SQL Authentication:
1) From the Run command, type odbcad32 (or, alternately, use Control Panel → Administrative
Tools → Computer Management → Data Sources (ODBC)).
2) The ODBC Data Source Administrator dialog opens.
3) Click the System DSN tab and select the ‘Squirrel’ System Data Source, then click Configure.
4) The Microsoft SQL Server DSN Configuration dialog appears. Click Next to confirm the existing
DSN name and local server.
5) Select With SQL Server authentication using login ID and password entered by the user.
6) Click to select the Connect to SQL Server to obtain default settings for the additional
configuration options check box.
7) Under Login ID, type the username of either of the two SQL Logins configured in the previous
section.
8) Enter the password for this SQL Login and click Next to continue.
NOTE: SQL credentials entered in this dialog are used only by ODBC setup for
temporary SQL server access. They are not retained for future database connections.
9) Click Next to confirm Squirrel as the default database.
10) Click Finish.
11) On the final setup screen, click Test Data Source to confirm ODBC can connect to SQL server.
12) Once the data source connection has tested successfully, click OK and close the ODBC Data
Source Administrator.
Configure the Squirrel Browser to Use SQL Authentication
SQL Authentication requires that SQL Logins be passed on every database connection. To support this,
credentials for the previously created SQL Logins must be securely cached for future Squirrel Browser
sessions.
1) Open the Squirrel Browser.
2) On first launch after configuring ODBC for SQL Authentication, the Squirrel Browser prompts for
SQL Server Login credentials to be provided manually.
3) Under Login ID, type the username of either of the two SQL Logins configured in the previous
section.
4) Under Password, type the corresponding password for the SQL Login and click OK.
5) The Squirrel Browser connects to SQL Server, and to the Squirrel database (if Browser Security
is enabled, cancel any Browser login prompts that appear).
6) Open the Tools menu and click Database Preferences.
7) The Database Preferences dialog appears.
8) Click the ‘ …’ button next to the SQUIRREL ODBC DSN.
9) Click the Machine Data Source tab and select the SQUIRREL DSN, then click OK.
10) The first of two SQL Server Login dialogs appears, prompting for the Login ID
Enter_Full_Decrypt_ID.
11) Erase the Login ID and type the username of the first SQL Login that you created for Squirrel
database access.
12) Type the corresponding password and click OK.
NOTE: This same SQL Login must also be used during configuration of Key
Management. See Creating a Keyfile (sqKeys) for further details.
13) A second SQL Server Login dialog appears, prompting for the Login ID
Enter_Partial_Decrypt_ID.
14) Erase the Login ID and type the username of the second SQL Login you created for database
access.
15) Type the corresponding password and click OK.
16) Close the Database Preferences dialog.
17) Close the Squirrel Browser.
18) Re-open the Squirrel Browser.
19) The Squirrel Browser now connects to SQL Server using the cached SQL Logins. Only the
Browser Security Log On dialog appears, if configured.
20) Log in and access at least one setup screen or report to confirm information can be read from the
Squirrel database without any further request for SQL Login credentials.
Note for SQL Server 2000: When using SQL authentication, full PAN decryption via
Squirrel Reports (e.g. Credit Card Detail Report, Payments Report, etc.) is not available
until unique merchant encryption keys (bound to a specific SQL Login) are implemented.
Please see Part II: Squirrel Key Management for further setup.
Note for SQL Server 2005, SQL Server 2008: When using SQL authentication, full PAN
decryption in the Squirrel Browser is now only available on a per-record basis via Check
Adjust. Full PAN decryption via Squirrel Reports (e.g. Credit Card Detail Report,
Payments Report, etc.) is no longer supported for SQL 2005 and up.
21) Proceed to the next section to continue with additional required setup.
Restrict Access to Physical Squirrel POS Tracking Data
If diagnostic logging is engaged by the Squirrel Solution Center, merchants must ensure access controls are
always in place to secure any data stored in the \Squirrel\Tracking folder. Access to this location - and any
subsequent location to which tracking data is copied - must be restricted to administrators only.
1) Log in using your individual Windows administrative account.
2) Use Windows Explorer to explore the \Squirrel folder.
3) Right-click the Tracking folder and select Sharing and Security from the context menu.
IMPORTANT
Do not attempt to modify permissions on the parent Squirrel folder. Ensure the dialog
displays the title Tracking Properties before proceeding with any edits.
4) The Tracking Properties dialog opens. Click the Security tab.
5) Click Advanced.
6) The Advanced Security Settings for Tracking dialog opens to the Permissions tab.
Note the Permission entries pane shows permissions for the Tracking folder and contents, with
all permissions inherited from the parent and root folders, i.e. C:\ or C:\Squirrel.
7) Click to clear the Inherit from parent the permission entries that apply to child objects…
check box.
8) A Security dialog appears, informing you that permissions of the parent folder will no longer be
applied to child objects. Click Copy.
9) Permissions are copied to the Tracking folder and the dialog now refreshes to show all
permissions as <not inherited>.
10) Use SHIFT+CLICK to select and highlight all non-administrative groups or individual user
accounts listed, i.e. only the following four entries should remain deselected:
a) Squirrel Users (group)
b) Administrators (group)
c) SYSTEM
d) CREATOR OWNER
11) Confirm none of the four entries named above are selected, then click Remove.
12) Highlighted entries are removed, leaving only Squirrel Users, Administrators, SYSTEM, and
CREATOR OWNER.
13) Click the Squirrel Users group.
14) Click Edit.
15) The Permissions Entry for Tracking dialog opens.
16) Click to select or clear Squirrel Users permissions, as per the following table:
Permissions | Allow
Full Control | (Clear)
Traverse Folder / Execute File | Select
List Folder / Read Data | (Clear)
Read Attributes | Select
Read Extended Attributes | Select
Create Files / Write Data | Select
Create Folders / Append Data | Select
Write Attributes | Select
Write Extended Attributes | Select
Delete Subfolders and Files | Select
Delete | (Empty)
Read Permissions | Select
Change Permissions | (Empty)
Take Ownership | (Empty)
17) Click OK to close Advanced Security Settings.
18) Click OK to close the Tracking Properties.
19) In Windows Explorer, confirm the currently logged-on administrative account has access to the
Tracking folder before proceeding, i.e. can open the folder and browse files.
20) Log off your Windows administrative account.
21) Log in with an account belonging to the Squirrel Users group, i.e. the Limited User account created
for POS operations.
22) Open Windows Explorer and attempt to access the Tracking folder. An Access is denied
message appears for the Limited User.
23) Click OK to close the message.
24) Access to sensitive diagnostic data in this folder is now restricted to authorized users only. Log off
and continue to the next section for further configuration.
Restrict Access to SQL Server Application Directories (SQL Server 2005 / SQL Server 2008)
Microsoft recommends modifying the ACL (Access Control List) on certain MSSQL directories to restrict access
to only system Administrators and the SYSTEM account.
1) Log on to the Host PC using your Windows administrative account.
2) Use Windows Explorer to navigate to the following folder for the SQL Server version installed:
a) For SQL Server 2005: \Program Files\Microsoft SQL Server\MSSQL.1\MSSQL
b) For SQL Server 2008: \Program Files\Microsoft SQL Server\MSSQL.10\MSSQL
3) Right-click the Data folder and select Sharing and Security.
4) The Data Properties dialog appears. Click the Security tab.
5) Click Advanced.
6) The Advanced Security Settings for Data menu opens.
7) Click to clear the Inherit from parent the permission entries that apply to child objects…
check box.
8) A Security dialog appears, informing you that permissions of the parent folder will no longer be
applied to child objects. Click Copy.
9) Permissions are copied to the Data folder and the dialog now refreshes to show Inherited
From as <not inherited>.
10) Use SHIFT+CLICK to select and highlight all non-administrative groups or individual user
accounts listed, i.e. only the following entries should remain unselected:
a) Administrators (group)
b) SYSTEM
11) Confirm none of the above-named entries are selected, then click Remove.
12) Highlighted entries are removed, leaving only Administrators and SYSTEM.
13) Click OK, then Close to exit the Data folder properties dialog.
14) Right-click the \Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn folder and repeat
steps #3 - 13 above for this folder.
15) When finished, only the Administrators and SYSTEM entries remain for the Binn folder.
16) Using Windows Explorer, confirm the currently logged-on administrative account has access to
the \Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn and the \Program
Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data folders before proceeding, i.e. can open
the folder and browse files.
17) Log off your Windows administrative account.
18) Log in with any non-administrative account, i.e. the Limited User account created for POS
operations.
19) Open Windows Explorer and attempt to access the \Binn and \Data folders. Confirm an Access
is denied message appears for the Limited User.
20) Click OK to close the message.
21) When finished, close Windows Explorer.
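The result of the two ACL procedures above (Tracking, and the SQL Server Data and Binn folders) can also be checked from PowerShell. This is an added example, not part of the Squirrel guide or product: it reports inherited or unexpected entries and flags List Folder / Read Data for Squirrel Users. The helper name Test-FolderAcl, the C:\ drive letter and the sample entries are assumptions, as are PowerShell 3.0 or later and English account names.

```powershell
# Added example (not Squirrel code): evaluates a folder ACL against the allow-lists
# given in the two procedures above. Test-FolderAcl is a hypothetical helper name.
# Assumes PowerShell 3.0 or later and English account names.

function Test-FolderAcl {
    param(
        [bool]     $InheritanceDisabled,     # (Get-Acl).AreAccessRulesProtected
        [object[]] $AccessRules,             # (Get-Acl).Access
        [string[]] $AllowedIdentities,       # account names without domain prefix
        [string[]] $NoReadIdentities = @()   # must not hold List Folder / Read Data
    )
    $findings = @()
    if (-not $InheritanceDisabled) {
        $findings += 'Permissions are still inherited from the parent folder'
    }
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($rule in $AccessRules) {
        # 'BUILTIN\Administrators' -> 'Administrators'; 'CREATOR OWNER' stays as is
        $name = ([string]$rule.IdentityReference -split '\\')[-1]
        if ($rule.IsInherited) {
            $findings += "Entry for '$name' is inherited, not set on this folder"
        }
        if ($AllowedIdentities -notcontains $name) {
            $findings += "Unexpected entry for '$name'"
            continue
        }
        $rights = [int][System.Security.AccessControl.FileSystemRights]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow' -and
            $NoReadIdentities -contains $name -and
            ($rights -band $readData) -ne 0) {
            $findings += "'$name' is allowed List Folder / Read Data"
        }
    }
    return ,$findings
}

# Constructed sample entries (not from a real system), shaped like (Get-Acl).Access.
# Two problems are planted: a leftover Users entry and read access for Squirrel Users.
$sampleTracking = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'; FileSystemRights = 'FullControl'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CREATOR OWNER'; FileSystemRights = 'FullControl'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'POS01\Squirrel Users'; FileSystemRights = 'ReadAndExecute, Write'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users'; FileSystemRights = 'ReadAndExecute'
                       AccessControlType = 'Allow'; IsInherited = $false }
)

Test-FolderAcl -InheritanceDisabled $true -AccessRules $sampleTracking `
    -AllowedIdentities 'Squirrel Users', 'Administrators', 'SYSTEM', 'CREATOR OWNER' `
    -NoReadIdentities 'Squirrel Users'

# On the Host PC (the drive letter is an assumption; the guide gives \Squirrel\Tracking):
#   $acl = Get-Acl 'C:\Squirrel\Tracking'
#   Test-FolderAcl -InheritanceDisabled $acl.AreAccessRulesProtected -AccessRules @($acl.Access) `
#       -AllowedIdentities 'Squirrel Users', 'Administrators', 'SYSTEM', 'CREATOR OWNER' `
#       -NoReadIdentities 'Squirrel Users'
# For the SQL Server Data and Binn folders, pass -AllowedIdentities 'Administrators', 'SYSTEM'.
```

An empty result means the folder matches the procedure; run it from an administrative account, since the Limited User cannot read the ACL once the restriction is in place.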
Limit Number of Windows Administrators
In supporting PCI DSS Requirement 7, merchants are advised to ensure only those Windows accounts that
have a legitimate business need for administrative rights and privileges are members of the Administrators
group.
NOTE: Users are advised to first Create Unique Windows Accounts for System
Administrators (Req. 8) and Remove Generic or Vendor-Default Windows Administrative
Accounts (Req. 2) before reviewing final Administrators group membership.
To confirm and edit membership in the Windows Administrators group, complete the following steps:
1) Log in to the Host PC using your Windows administrative account.
2) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel and select
Administrative Tools → Computer Management → Local Users and Groups).
3) The Local Users and Groups snap-in opens. Click Groups.
4) Right-click the Administrators group and select Properties.
5) Under Members, confirm that only those accounts with a legitimate business need for
administrative rights and privileges are listed.
6) For any account listed that does not require Windows administrative rights, click the account to
highlight it.
7) Click Remove to revoke the account’s membership in the Administrators group.
8) When finished, click OK to close.
PCI DSS REMINDER:
The Squirrel Linux account is created during Squirrel software installation as a member
of the Windows Users group. As part of previous troubleshooting efforts, however, some
merchant installations may have had this account added to the local Administrators
group.
Squirrel does not require the Linux account to have administrative rights or permissions
for POS operation.
The Linux account must be removed from the local Administrators group to support
compliance with the PCI DSS. Failure to properly restrict the Squirrel Linux account, as
outlined in this guide, violates PCI DSS requirements.
For further information on restricting cardholder data access, and for complete merchant responsibilities under
PCI DSS Requirement 7, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Requirement 8: Assign a unique ID to each person with computer access
“Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely
accountable for his or her actions. When such accountability is in place, actions taken on critical data and
systems are performed by, and can be traced to, known and authorized users”. 7
PCI DSS Unique User Requirements: Overview
The following sections provide information on how to create and configure unique user accounts in a manner
supporting compliance with the PCI DSS. In accordance with PCI DSS Reqs. 8.1 through 8.5, the following
over-arching guidelines must be observed for user accounts on all system components in the cardholder data
environment:
• Merchants and system resellers/integrators must control, via unique user ID and PCI DSS-compliant
secure authentication, access to all system components in the cardholder data environment, including
but not limited to: PCs, servers, databases, network devices, and payment or security-related
applications.
• Merchants and system resellers/integrators must assign strong passwords to all user and system
accounts.
• Merchants must not use default administrative accounts for application logins. For example, using the
Windows default ‘administrator’ account or SQL “sa” account for any operational purpose is a noncompliant practice.
• Merchants and system resellers/integrators must assign strong passwords to default accounts, even
though default accounts are not used.
• Merchants and system resellers/integrators are advised to disable or rename default accounts,
wherever possible.
IMPORTANT
Merchants are advised to review anticipated operational impact with affected members
of their merchant organization before implementing account or policy changes for
Squirrel POS system components.
Ensure system account holders are notified well in advance of any changes to
password complexity, history, or lockout policy requirements, and expressly instruct
account holders that sharing or disclosing passwords for individual user accounts
violates PCI DSS requirements.
7. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011]
(37)
Create an Administrative Browser Security Group
To utilize Browser Security, merchants must first create a top-level security, or ‘Administrative’ group, to be
used only for the most security-sensitive tasks, such as creating or modifying other Browser Users or Browser
Security Groups.
NOTE: If a ‘Complete Access’ Browser Security Group already exists, review the
following to ensure the group has been created in accordance with instructions below to
support PCI DSS requirements.
1) Open the Squirrel Browser and click Utilities/Security → Browser Security Groups.
2) Click the “*” button to create a new Browser Security Group.
3) Enter a meaningful Group Name for the new group, e.g. Administrators.
4) Click to enable the Complete Access check box.
PCI DSS REMINDER
Unless there is a strong business need to do so, merchants are advised to configure
only one security group with the ‘Complete Access’ flag.
5) Click to enable the 15 Minute Timeout check box. This setting is required to ensure the Squirrel
Browser sessions are automatically locked after 15 minutes of inactivity (supporting compliance
with PCI Req. 8.5.15).
6) Click to enable the Hide Sys Monitor check box.
7) Exit Browser Security Groups and answer Yes to save the record.
Create Additional Non-Administrative Browser Groups
For routine POS administrative and operational tasks, merchants are advised to create ‘secondary’ Browser
Groups that grant access to only the minimum system areas for a specific group to perform their duties, e.g.
‘Managers’, ‘Kitchen’, ‘Accounting’, ‘IT’, etc.
PCI DSS REMINDER
Squirrel strongly recommends merchants leave the Grayed Browser Choice Means
option set to the default value Not Selected, to support the assigning of group
permissions in accordance with principles of ‘least privilege’.
Perform the following to create additional non-administrative Browser Groups:
1) Repeat steps 1-3 from Create an Administrative Browser Security Group to create a new Browser
Group.
2) Ensure the Complete Access flag is cleared (deselected) for the Browser Group.
3) Click to enable the Hide Sys Monitor check box.
4) Click to enable the 15 Minute Timeout check box. This setting is required to ensure the Squirrel
Browser sessions are automatically locked after 15 minutes of inactivity (supporting compliance
with PCI Req. 8.5.15).
5) Under Browser Choices For the Selected Page, click to select check boxes for only those
pages required for the specific security group.
6) Use the Test button to confirm each Browser page offers access to only the selected links.
7) When finished, Exit Browser Security Groups and click Yes to save the record.
Create Unique Browser ‘Security Administrator’ Accounts
The following steps outline how to create a Browser User assigned to the top-level or ‘Administrative’ Browser
Security group.
Use of such Browser User accounts by members of the merchant organization should be limited to only
security-sensitive tasks, such as the creation or modification of other Browser Users or Browser Security
Groups.
PCI DSS REMINDER
Browser Users must correspond to a single member of the merchant organization –
they cannot be shared by multiple users. Note that a user is required in Employee
Setup (with proper First Name and Last Name) before a corresponding Browser User
can be properly linked.
Merchants who use generic or shared accounts, e.g. ‘Admin’, ‘Manager’, ‘Squirrel’,
etc. to access the Squirrel Browser cannot comply with requirements of the PCI DSS.
Perform the following to create an administrative Browser User account:
1) Click Browser Users.
2) Use the ‘ * ’ button to create a new Browser User record for the employee.
3) Type a unique User Name that corresponds to the member of the merchant organization.
NOTE: Use an industry-practiced naming scheme, such as firstinitiallastname (e.g.
‘jsmith’), to assist in reviewing user activity in audit trails.
4) Click to select the corresponding POS Employee from the Employee dropdown, e.g. ‘John
Smith’.
PCI DSS REMINDER
Do not select the generic ‘Default’ employee. The corresponding POS employee record
must be selected to comply with PCI DSS auditing requirements.
5) Select your Browser Security Administrative group from the Security Group dropdown.
6) Have the employee type a strong Password for the account, then re-enter in the Confirm
Password field.
7) Configure the remaining Browser User flags per the table below:
Browser User Flag | Setting
Disable User After x consecutive bad passwords | 3
Must Change Password every x days | 90
New password must be Different than previous last 4 passwords | Checked (‘Yes’)
New password must be 8 or more characters and contain letters and numbers | Checked (‘Yes’)
Disabled | Unchecked (‘No’)
Can See Decrypted Credit Cards | Unchecked (‘No’)
8) Save the record and exit.
NOTE: If not already in use, Squirrel Browser Security is enabled upon exit. You must
click OK to exit the current ‘unauthenticated’ session and log in to continue.
9) Log in to the Squirrel Browser using the account and test credentials to ensure it has access to all
Browser links.
10) Continue with setup of additional non-administrative Browser Users, as detailed in the next
section.
Create Unique Browser Users for All Other Members of the Merchant Organization
Every member of the merchant organization who accesses the Squirrel application via the Squirrel Browser must
have his or her own unique Browser User. Perform the following to create additional non-administrative
Browser User accounts:
1) Repeat steps #1 - 4 from Create Unique Browser ‘Security Administrator’ Accounts to start a new Browser
User record.
2) Select an appropriate Browser Security Group that grants the new user access to only those
areas necessary for their role in the merchant organization.
3) Ensure the same security flags are set to the following PCI-required minimums for each Browser
user:
Browser User Flag | Setting
Disable User After x consecutive bad passwords | 3
Must Change Password every x days | 90
New password must be Different than last password used | Checked (‘Yes’)
New password must be 8 or more characters and contain letters and numbers | Checked (‘Yes’)
Disabled | Unchecked (‘No’)
Can See Decrypted Credit Cards | Unchecked (‘No’)
4) Repeat steps as needed to create additional Browser Users.
5) When finished, Save the last record and Exit.
6) Test Browser User logins to ensure feature access is limited to only those links desired.
Enforce Windows Password Policies
To ensure Windows account settings are consistently applied at the PCI-required minimums, OS security and
account policies (including minimum password strength, account lockouts, and more) must be enforced via
security policy.
To define and enable these policies, perform the following:
1) Log in to the Host PC using your Windows administrative account.
2) From the Run command, type secpol.msc (or, alternately, open Control Panel and select
Administrative Tools → Local Security Policy).
3) The Local Security Settings snap-in loads. Click to expand Account Policies → Password
Policy.
4) Double-click the following policies and configure each per settings shown in the table below:
Password Policy | Security Setting
Enforce password history | 4 passwords remembered
Maximum password age | 90 days
Minimum password length | 8 characters (or greater)
Password must meet complexity requirements* | Enabled
5) Leave the console open and continue with configuring Windows Account Lockout Policies below.
NOTE: For more information on the impact of Windows password complexity requirements,
please see Appendix A - Creating Strong Passwords.
Enforce Windows Account Lockout Policies
To limit repeated unauthorized access attempts at the OS level, PCI Requirement 8.5 requires user IDs be set
to lock out after no more than six attempts, and for a minimum of 30 minutes.
To define and enable Windows account lockout policies, perform the following steps:
1) In the Local Security Settings snap-in, click to expand Account Policies → Account Lockout
Policy.
2) In the right pane, double-click the Account lockout threshold policy and set it to ‘6’ (Invalid
logon attempts).
3) Click OK to accept automatically activating the remaining two lockout policies (‘Account Lockout
Duration’ and ‘Reset…’) with required default values.
4) Re-check all policies to ensure they are configured according to the corresponding values in the
table below:
Account Lockout Policy | Security Setting
Account Lockout Duration | 30 mins
Account Lockout Threshold attempts | 6 invalid logon attempts
Reset Account Lockout Counter After | 30 mins
5) Close Local Security Policy. Upon exiting, the above policies are now active.
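The password and lockout settings from the two tables above can be confirmed after the fact by exporting the local policy with secedit and comparing it to the required values. This is an added example, not part of the Squirrel guide: the helper name Test-AccountPolicy and the sample export are assumptions, the key names are those Windows writes to the [System Access] section of the export, and accepting values stricter than the tables is an assumption.

```powershell
# Added example (not Squirrel code): compares an exported Windows account policy with
# the values in the two tables above. Test-AccountPolicy is a hypothetical helper name.

function Test-AccountPolicy {
    param([string[]] $InfLines)   # lines of a 'secedit /export' file

    # Collect "Key = Value" pairs from the [System Access] section only.
    $policy = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $text -match '^(\w+)\s*=\s*(-?\d+)$') { $policy[$Matches[1]] = [int]$Matches[2] }
    }

    # Each rule: secedit key, the guide's setting, and a test on the exported integer.
    # 0 or -1 for MaximumPasswordAge means "never expires"; 0 for LockoutBadCount means
    # "never lock out"; -1 for LockoutDuration means "until an administrator unlocks".
    $rules = @(
        @{ Key = 'PasswordHistorySize';   Want = '4 passwords remembered';    Ok = { param($v) $v -ge 4 } }
        @{ Key = 'MaximumPasswordAge';    Want = '90 days';                   Ok = { param($v) $v -ge 1 -and $v -le 90 } }
        @{ Key = 'MinimumPasswordLength'; Want = '8 characters (or greater)'; Ok = { param($v) $v -ge 8 } }
        @{ Key = 'PasswordComplexity';    Want = 'Enabled';                   Ok = { param($v) $v -eq 1 } }
        @{ Key = 'LockoutBadCount';       Want = '6 invalid logon attempts';  Ok = { param($v) $v -ge 1 -and $v -le 6 } }
        @{ Key = 'LockoutDuration';       Want = '30 mins';                   Ok = { param($v) $v -ge 30 -or $v -eq -1 } }
        @{ Key = 'ResetLockoutCount';     Want = '30 mins';                   Ok = { param($v) $v -ge 30 } }
    )
    foreach ($rule in $rules) {
        $found = $policy.ContainsKey($rule.Key)
        $value = if ($found) { $policy[$rule.Key] } else { $null }
        [pscustomobject]@{
            Setting  = $rule.Key
            Required = $rule.Want
            Actual   = if ($found) { $value } else { 'not set' }
            Pass     = $found -and [bool](& $rule.Ok $value)
        }
    }
}

# Constructed sample export (not from a real system): password history and the lockout
# threshold are weaker than the tables require; the other settings match.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 0
'@ -split "`r?`n"

Test-AccountPolicy -InfLines $sample | Format-Table -AutoSize

# On the Host PC, from an administrative PowerShell session:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   Test-AccountPolicy -InfLines (Get-Content "$env:TEMP\secpol.inf") | Format-Table -AutoSize
```

When the lockout threshold is 0, Windows omits LockoutDuration and ResetLockoutCount from the export, so those rows report 'not set' and fail along with the threshold.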
Enable a Password-Protected Screensaver
To support compliance with PCI DSS requirement 8.5.15, merchants must ensure user sessions left idle for
more than 15 minutes require the user to re-authenticate to re-activate the terminal or session.
In addition to configuring the required 15 minute timeout in Squirrel Browser Security (see Create an
Administrative Browser Security Group), support for compliance with requirement 8.5.15 also requires users to
enable password-protected timeouts at the OS level. This can be accomplished by configuring the Windows
screensaver to prompt for a password on resume, requiring users to re-enter a password after an idle session has
timed out.
PCI DSS REMINDER
To ensure the password-protected screensaver configuration is applied globally to all
local user accounts, Squirrel recommends configuring screensaver settings via Group
Policy Editor.
Merchants who opt to enable password-protected screensavers via the Windows
Display interface instead (Control Panel → Display → Screensavers) are reminded
they must check to ensure password-protected screensaver settings are configured for
each individual user account.
1) Log in to the Host PC using your Windows administrative account.
2) From the Run command, type gpedit.msc and click OK.
3) The Group Policy Editor snap-in opens. Expand User Configuration → Administrative
Templates → Control Panel → Display.
4) In the Settings pane, double-click the Screen Saver setting.
5) The Screen Saver Properties dialog appears. Select Enabled, then click OK to commit changes
and close the dialog.
6) The Screen Saver state changes to read Enabled.
7) Double-click the Screen Saver executable name setting.
8) The Screen Saver executable name Properties dialog appears. Select Enabled.
9) Under Screen Saver executable name, type logon.scr. This enables the default Windows XP
‘logo’ screensaver.
10) Click OK to commit changes and close the dialog.
11) The Screen Saver executable name state changes to read Enabled.
12) Double-click the Password protect the screen saver setting.
13) The Password protect the screen saver Properties dialog appears. Select Enabled, then click
OK to commit changes and close the dialog.
14) The Password protect the screen saver state changes to read Enabled.
15) Double-click the Screen saver timeout setting.
16) The Screen saver timeout Properties dialog appears. Select Enabled, then click OK to accept
the default value of 900 seconds (15 minutes) and close the dialog.
NOTE: Compliance with PCI DSS Req. 8.5.15 requires, at a minimum, a 15-minute timeout. If
a shorter timeout is desired, enter a smaller value (in seconds), e.g. 600 (10 mins.), 300
seconds (5 mins.), etc. before closing the dialog.
17) The Screen saver timeout state changes to read Enabled.
18) Close the Group Policy editor.
19) The Screen Saver tab in Display Properties is now greyed out for all users (including
Administrators), with the required defaults applied globally.
Create Unique Windows Accounts for System Administrators
Members of the merchant organization or third party contractors who require administrative access to the Host
PC must have their own unique Windows account and password. Such access should also be limited to only
those personnel whose tasks require administrative permissions, e.g. for advanced OS or application
configuration, hardware installation, etc.
PCI DSS REMINDER
Once unique administrative accounts have been created for necessary users, PCI DSS
Requirement 2 requires any generic or vendor-default Windows accounts to be removed
or renamed (e.g. ‘Squirrel’, ‘Administrator’, etc.).
Please refer to “Requirement 2 - Do not use vendor-supplied defaults for system
passwords and other security parameters” for further information.
To create a new administrative account, and/or to revoke group membership for any non-administrative
accounts, perform the following steps:
1) Log in to the Host PC using your Windows administrative account.
2) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel and select
Administrative Tools → Computer Management → Local Users and Groups).
3) Open the Action menu and select New User…
4) In the New User dialog, enter the following information:
a) User name: Type a unique username for the account.
NOTE: Using industry-practiced naming schemes, such as firstinitiallastname (e.g. ‘jsmith’),
etc., is strongly recommended for purposes of reviewing user activity in audit trails.
b) Full Name: Type the first & last name of the user in this field (e.g. ‘John Smith’)
c) Description: Add a description for this user’s account (e.g. ‘Owner‘, ’General Manager’, etc).
d) Type and confirm a strong Password for the account.
e) Leave all other flags at their default settings.
f) Click OK to close the New User popup.
5) Double-click the icon for the new administrative account.
6) The Properties dialog appears. Click the Member Of tab.
7) Click Add.
8) Under Enter the object names to select, type administrators and click the Check Name
button to verify the group name.
9) The pane refreshes to show the built-in Administrators group.
10) Click OK to add the account to the group.
11) Membership in the Administrators and Users groups is now displayed. Click OK to close the
Properties window.
12) Repeat steps #4-11 above to create any additional accounts needed for other administrative
users.
PCI DSS REMINDER
Once unique administrative accounts have been created for necessary users, merchants
are reminded that PCI DSS Requirement 2 requires any generic or vendor-default Windows
accounts to be removed or renamed (e.g. ‘Squirrel’, ‘Administrator’, etc.).
Please refer to “Requirement 2 - Do not use vendor-supplied defaults for system
passwords and other security parameters” for further information.
Remote Access by Members of the Merchant Organization
Merchants who enable access to systems in the cardholder data environment over public or insecure networks
(i.e. the Internet or wireless networks), either for personal use or for use by another authorized party, are
responsible for ensuring their remote access solution complies with PCI DSS requirements.
Merchants, system resellers and implementers must:
• Configure unique password settings for both the remote application and for each remote party
connecting each customer, e.g. change default passwords and use unique passwords.
• Allow connections only from specific (known) IP/MAC addresses by use of IP or MAC address
filtering
• Restrict access to customer passwords to authorized reseller/integrator personnel only
• Use strong authentication and complex passwords for all logins, per PCI DSS Requirements 8.1, 8.3,
and 8.5.8–8.5.15, which include:
  o Assign all users a unique ID before allowing them to access system components or cardholder
  data.
  o Incorporate two-factor authentication (TFA) for all remote access (network-level access
  originating from outside the network)
  o Do not use group, shared, or generic accounts and passwords
  o Change user passwords at least every 90 days
  o Require a minimum password length of at least seven characters
  o Use passwords containing both numeric and alphabetic characters
  o Do not allow an individual to submit a new password that is the same as any of the last four
  passwords used
  o Limit repeated access attempts by locking out the user ID after not more than six attempts.
  o Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
  o If a session has been idle for more than 15 minutes, require the user to re-enter the password to
  re-activate the terminal.
• Enable strong encrypted data transmission, such as SSL/TLS or IPsec to protect data in transit over
unprotected or public networks
• Enable account lockout after a certain number of failed login attempts
• Configure the system so remote users must establish a Virtual Private Network (“VPN”) connection
via a firewall before access is allowed
• Enable all available logging & auditing functions
• Restrict access to login passwords to only authorized reseller/integrator personnel
• Establish login passwords according to PCI DSS requirements 8.1, 8.2, 8.4, and 8.5, which include:
  o In addition to assigning a unique ID, employ at least one of the following methods to authenticate
  all users: Password/passphrase or Two-factor authentication
  o Render all passwords unreadable during transmission and storage on all system components
  using strong cryptography
  o Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  o Verify user identity before performing password resets.
  o Set first-time passwords to a unique value for each user and change immediately after the first
  use.
  o Immediately revoke access for any terminated users.
  o Remove/disable inactive user accounts at least every 90 days.
  o Enable accounts used by vendors for remote maintenance only during the time period needed.
  o Communicate password procedures and policies to all users who have access to cardholder
  data.
For more information on remote access solutions supporting merchant compliance, such as VendorSafe’s
managed Global Security Mesh/VPN™ service, or LogMeIn Pro2, please contact the Squirrel Solution Center or
an authorized Squirrel sales representative.
PCI DSS REMINDER
While many remote access solutions offer features supporting merchant compliance (or
can be used in conjunction with other supporting protocols or technologies), they are
often not compliant with PCI DSS requirements in the default configuration.
Merchants are reminded to review all remote access applications, devices, protocols,
configurations, policies, and practices in detail against all corresponding PCI DSS
requirements. Employing a remote solution that permits access to the cardholder data
environment without satisfying the requirements referenced above will result in merchant
non-compliance with the PCI DSS.
Remote Access by the Squirrel Solution Center
Vendor support and delivery of software updates by Squirrel Systems is provided to merchants through Squirrel
Solution Center’s centralized LogMeIn® Rescue service. LogMeIn Rescue provides the Squirrel Solution Center
with secure, on-demand remote access to systems in the merchant cardholder data environment.
On-demand remote support via LogMeIn® Rescue is available to all Squirrel customers with broadband Internet
access and a valid support contract. For any questions regarding remote access, please contact the Squirrel
Solution Center.
PCI DSS REMINDER
Merchants requesting remote access or remote delivery of payment application updates
into the cardholder data environment via methods other than Squirrel Systems’ LogMeIn
Rescue account are advised of the following:
- Merchants must enable remote-access technologies only when needed by Squirrel Systems to provide remote assistance.
- Merchants must disable remote access immediately after upload/download or vendor remote support is completed.
- If delivered via VPN or other high-speed connection, merchants must properly configure a firewall or a personal firewall product to secure “always-on” type remote access.
Remote Access over Dialup Connections (Symantec pcAnywhere™)
Merchant organizations who enable dialup remote access via Symantec pcAnywhere™ to systems in their
cardholder data environment are required to ensure such access is secured, per PCI DSS requirements.
Merchants are advised to complete the following configuration if using pcAnywhere dialup access:
Set Automatic Disconnect of Modem Sessions After a Specific Period of Inactivity
1) Launch pcAnywhere from either the Start Menu or desktop shortcut.
2) Right-click the Host Modem connection icon and select Properties from the context menu.
3) Click the Security Options tab.
4) Under Session options, click the Disconnect if inactive check box and set the Timeout value to
15 minutes.
5) Click the Settings tab.
6) Under After an abnormal end of session, set the Wait… value to 15 minutes then select
Cancel Host.
7) Leave the Properties dialog open to the Settings tab.
Set Activation of Modems for Vendors Only When Needed, With Immediate Deactivation After Use:
1) On the Settings tab, under After a normal end of session, select Cancel Host.
2) Click to clear the Launch with Windows check box.
3) Save settings, then exit pcAnywhere.
Enable WS9L SSHFS Support
To ensure secure operation of client workstations, merchants and system implementers must enable SSHFS
support for the WS9L workstation.
For systems not pre-installed with the WS9L SSH module, complete procedures are outlined in the Squirrel
WS9L SSHFS Installation Guide to install the OpenSSH server on the Host PC.
For further information on user security and the complete merchant responsibilities under PCI DSS Requirement
8, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Requirement 9: Restrict physical access to cardholder data
“Any physical access to data or systems that house cardholder data provides the opportunity for individuals to
access devices or data and to remove systems or hardcopies, and should be appropriately restricted”. 8
Restrict Physical Access to the Cardholder Data Environment
Squirrel reminds merchants to observe PCI DSS requirements for limiting and monitoring physical access to
systems and devices in the cardholder data environment, including but not limited to:
• Servers, desktop PC’s, POS terminals, and mobile devices
• Routers, switches, hubs, wireless access points, gateways, and other network devices
• Publicly accessible network jacks
• Backup media (e.g. CD/DVD, external HD or USB drives) containing cardholder information
• All printed reports or other materials storing cardholder information
Restrict Physical Access to Squirrel Backup Media and Reports
Merchants are reminded to observe PCI DSS requirements pertaining to protection of hardcopy and electronic
media containing cardholder data. Squirrel customers must monitor and control access to media, including but
not limited to:
• Electronic media containing database backups, e.g. CD/DVD-R/W discs, external HDD (Hard Disk Drive), USB ‘thumb’ drives.
• Hardcopy reports of cardholder information, e.g. Credit Card Detail Report, Payment Reports, etc.
For information on securely deleting cardholder data from, or destroying, electronic media, please refer to the
Squirrel Secure Data Deletion: PA-DSS Implementation Guide Supplement.
For further information on physical security and the complete merchant responsibilities under PCI DSS
Requirement 9, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
8. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011] (42)
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the
impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and
analysis when something does go wrong. Determining the cause of a compromise is very difficult without system
activity logs”. 9
Tracking system activity within the cardholder data environment is an important component of the PCI DSS. In
order to provide accountability for the merchant organization it is imperative that auditing be properly engaged at
all levels, including but not limited to: OS auditing, SQL Server auditing, Squirrel Browser auditing, and auditing of
network devices, such as routers, managed switches, wireless access points, etc.
PCI DSS REMINDER:
Disabling of audit logs must not be done on any system in the cardholder data
environment.
Merchants who disable or fail to maintain audit trails cannot be compliant with
Requirement 10 of the PCI DSS.
Enable Windows Auditing Features
Configure Windows Auditing Policies
Windows audit policies govern what events are recorded by the OS for user, application, and system
activity. Enforcement of audit policies is accomplished through the Windows XP Local Security Policy.
1) Log on to Windows using your Windows administrative account.
2) From the Run command, type secpol.msc and click OK.
3) The Local Security Settings snap-in loads.
9. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011] (46)
4) Click to expand Local Policies → Audit Policies.
5) Double-click to select each of the following audit policies and configure each to match
the corresponding values in the following table:

Security Policy | Setting
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | No auditing
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success, Failure
Audit privilege use | Success, Failure
Audit process tracking | No auditing
Audit system events | Success, Failure

6) Exit the console to apply changes.
7) Windows auditing policies are now set. Continue to the following sections for further required
configuration.
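
The audit policy table above can be verified after the fact from a security template exported with `secedit /export /cfg audit.inf /areas SECURITYPOLICY`. The following is an added example, not part of the original guide or Squirrel software; the file name `audit.inf` and the sample template contents are constructed for illustration.

```python
"""Compare the [Event Audit] section of a `secedit /export` template with the
audit-policy table in this guide. Added example; the sample data is constructed."""
import re

# How a security template encodes each audit setting.
LABELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Template key -> (policy name shown in secpol.msc, value the table requires).
EXPECTED = {
    "AuditAccountLogon":    ("Audit account logon events", 3),
    "AuditAccountManage":   ("Audit account management", 3),
    "AuditDSAccess":        ("Audit directory service access", 0),
    "AuditLogonEvents":     ("Audit logon events", 3),
    "AuditObjectAccess":    ("Audit object access", 3),
    "AuditPolicyChange":    ("Audit policy change", 3),
    "AuditPrivilegeUse":    ("Audit privilege use", 3),
    "AuditProcessTracking": ("Audit process tracking", 0),
    "AuditSystemEvents":    ("Audit system events", 3),
}

# Constructed sample (not captured from a real host): object access audits
# successes only, and the privilege-use entry is absent.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
""".encode("utf-16")  # secedit writes UTF-16 with a byte-order mark


def decode_template(raw):
    """Decode an exported template; accept UTF-8/ANSI copies as well."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_event_audit(text):
    """Return {key: int} for entries in the [Event Audit] section only."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "event audit" and "=" in line:
            key, _, val = line.partition("=")
            try:
                values[key.strip()] = int(val.strip())
            except ValueError:
                pass  # ignore malformed entries rather than guessing
    return values


def label(value):
    """Human-readable form of a template value."""
    if value is None:
        return "not set"
    return LABELS.get(value, "unknown (%d)" % value)


def check_audit_policy(raw):
    """Return [(policy name, expected, found)] for each deviation from the table."""
    found = parse_event_audit(decode_template(raw))
    deviations = []
    for key, (name, want) in EXPECTED.items():
        got = found.get(key)
        if got != want:
            deviations.append((name, label(want), label(got)))
    return deviations


if __name__ == "__main__":
    for name, want, got in check_audit_policy(SAMPLE_TEMPLATE):
        print("%-32s expected %-17s found %s" % (name, want, got))
```

A setting that audits more than the table specifies is also reported, since the check is for an exact match with the documented configuration.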
Configure Windows Event Retention Settings
The PCI DSS requires merchants to retain audit trails for at least one year and to have in place processes
for restoring logs from at least the last three months for immediate analysis. To support compliance with
these requirements, configure individual Windows logs to retain events per below.
1) Log on to the Host PC using your Windows administrative account.
2) From the Run command, type eventvwr (or, alternately, open Control Panel and select
Administrative Tools → Event Viewer).
3) Use the following steps to configure each log with the corresponding values from the table below:

Setting / Log | Application Log | Security Log | System Log | Squirrel Log
Maximum log size | 16384 KB (16 MB) | 81920 KB (80 MB) | 16384 KB (16 MB) | 81920 KB (80 MB)
When maximum log size is reached | Do not overwrite events (clear log manually) | Do not overwrite events (clear log manually) | Do not overwrite events (clear log manually) | Do not overwrite events (clear log manually)

4) Right-click the first log to be configured, e.g. Application, and click Properties.
5) Select Do not overwrite events (clear log manually).
6) Change the Maximum log size to the value specified in the table.
7) Click OK to apply the change and close.
8) Repeat the above procedures for all logs, using the corresponding values specified in the table
above.
9) When finished, close Event Viewer.
PCI DSS REMINDER:
Once set to manual, event logs must be individually maintained to avoid eventually
becoming full.
Merchants are reminded to regularly save logs to a centralized server (or media that is
difficult to alter) before clearing events.
Please see the following section “Automate Archival and Clearing of Event Logs” for
additional information on automating log clearing and archival.
Automate Archival and Clearing of Event Logs
By default, only Windows administrators may clear event logs. By design, failure to clear the Security log
will result in non-administrative users being prevented from logging on if the Security log is full.
To prevent the Security log limit from being reached, merchants can employ procedures described in the
Microsoft Knowledge Base Article #312571 (“The event log stops logging events before reaching the
maximum log size”, http://support.microsoft.com/kb/312571) to add a registry value that automates the
clearing and archiving of Windows event logs.
NOTE: Users are strongly advised to contact the Squirrel Solution Center for assistance
in performing this registry change.
To enable the automatic log archiving feature, complete the following steps:
1) Ensure all logs are configured to Do not overwrite events (clear log manually).
2) Perform the registry modifications as outlined in KB312571 and add the required
AutoBackupLogFiles value to the Windows registry for each of the following event logs:
Application, Security, System, and Squirrel.
3) Save and clear each event log to apply the changes.
4) Upon next reaching the maximum configured log size, Windows makes an archive of the log in
the \Windows\System32\config directory (with the concatenated filename Logname-YYYY-MMDD-HH-MM-SSS-mmm.evt), then clears all events for the specified log.
5) After each successful archival, a Security Event ID 524 is also written to the Security log to
indicate the backup occurred, e.g. “The Security log file was saved as Security2009-12-02-22-48-40-042.evt because the current log file is full”.
PCI DSS REMINDER:
As archived event log files, i.e. Archive*.EVT files, are stored in the same Windows
default location as all other log files, merchants are reminded to ensure these archive
files are regularly copied up to a centralized server or media that is difficult to alter.
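
The retention table and the AutoBackupLogFiles steps above can be checked together from a registry export taken with `reg export HKLM\SYSTEM\CurrentControlSet\Services\Eventlog eventlog.reg`. The following is an added example, not part of the original guide or Squirrel software; the file name, the sample export, and the registry key name `SquirrelLog` for the Squirrel log are assumptions.

```python
"""Audit Eventlog registry settings in a `reg export` file against the guide's
retention table and AutoBackupLogFiles steps. Added example; sample is constructed."""
import re

EVENTLOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"
NEVER_OVERWRITE = 0xFFFFFFFF  # Retention value behind "Do not overwrite events"

# Maximum log size per log, in KB, from the guide's table. The key name
# "SquirrelLog" for the Squirrel log is an assumption.
REQUIRED_KB = {"Application": 16384, "Security": 81920,
               "System": 16384, "SquirrelLog": 81920}

# Constructed sample export (not from a real host). A .reg file saved by
# reg.exe is UTF-16; decode it to text before passing it to these functions.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
"MaxSize"=dword:01000000
"Retention"=dword:ffffffff
"AutoBackupLogFiles"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ExampleSource]
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"MaxSize"=dword:05000000
"Retention"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System]
"MaxSize"=dword:00080000
"Retention"=dword:00093a80
"AutoBackupLogFiles"=dword:00000001
"""


def parse_eventlog_export(text):
    """Return {log name (lower case): {value name (lower case): int}}."""
    prefix = EVENTLOG_KEY.lower() + "\\"
    logs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            path = key.group(1).lower()
            tail = path[len(prefix):] if path.startswith(prefix) else ""
            # Keep the log key itself; deeper sub-keys are event sources.
            current = logs.setdefault(tail, {}) if tail and "\\" not in tail else None
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return logs


def check_eventlog_settings(text):
    """Return [(log, setting, found value)] for every deviation from the guide."""
    logs = parse_eventlog_export(text)
    findings = []
    for log, size_kb in REQUIRED_KB.items():
        values = logs.get(log.lower())
        if values is None:
            findings.append((log, "(key missing)", None))
            continue
        required = {"MaxSize": size_kb * 1024,   # the registry stores bytes
                    "Retention": NEVER_OVERWRITE,
                    "AutoBackupLogFiles": 1}
        for setting, want in required.items():
            found = values.get(setting.lower())
            if found != want:
                findings.append((log, setting, found))
    return findings


def logs_needing_manual_clearing(text):
    """Logs set never to overwrite but without automatic archiving enabled."""
    return [log for log, values in parse_eventlog_export(text).items()
            if values.get("retention") == NEVER_OVERWRITE
            and values.get("autobackuplogfiles") != 1]


if __name__ == "__main__":
    for finding in check_eventlog_settings(SAMPLE_EXPORT):
        print("deviation: %s %s = %r" % finding)
    print("must be cleared by hand:", logs_needing_manual_clearing(SAMPLE_EXPORT))
```

In the sample, the Security log is the case to act on first: it is set never to overwrite and has no automatic archive, so it depends entirely on an administrator saving and clearing it before it fills.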
Audit Access and Initialization of Windows Event Logs
To monitor the accessing or initialization (clearing) of event logs, file & folder auditing should be applied to
the folder where event log objects are stored.
1) Ensure Windows Audit Policies are already configured.
2) Use Windows Explorer to browse to the %windir%\System32 folder (i.e. ‘C:\Windows\system32’).
3) Right-click the config folder and select Properties.
4) Select the Security tab.
5) Click Advanced (lower right).
6) The Advanced Security Settings for config dialog opens. Select the Auditing tab.
7) Click Add.
8) Under Enter the object names to select, type everyone and click the Check Name button to
verify the object.
9) The pane refreshes to show the Windows built-in Everyone group. Click OK.
10) The Auditing Entry for config dialog opens. Ensure the ‘Apply To’ combo is set at This folder,
subfolders, and files.
11) Click to select the following Successful check boxes:

Access | Successful
Traverse Folder / Execute File | Checked
List Folder / Read Data | Checked
Read Attributes | Checked
Read Extended Attributes | Checked
Delete Subfolders and Files | Checked
Delete | Checked
Read Permissions | Checked
Change Permissions | Checked
Take Ownership | Checked

12) Verify settings, then Click OK three times (3 x) to close the open Auditing, Advanced, and
Properties dialogs.
13) Close Windows Explorer.
14) Future accesses of the Windows event logs – via Event Viewer, Windows Explorer, etc.– are now
recorded as entries in the Security Log.
Audit Access to Squirrel Tracking Data
Access to the application default tracking folder (%sqcurdir%\Tracking, e.g. ‘C:\Squirrel\Tracking’) is
restricted to authorized users only. As such, access of this folder must be audited to support compliance.
1) Log on to the Host PC using your Windows administrative account.
2) Use Windows Explorer to browse to the \Squirrel folder (e.g. ‘C:\Squirrel’).
3) Right-click the Tracking folder and select Properties from the context menu.
4) Select the Security tab.
5) Click Advanced.
6) The Advanced Security Settings for Tracking dialog opens. Click the Auditing tab.
7) Click Add.
8) Under Enter the object names to select, type everyone and click the Check Name button to
verify.
9) The pane refreshes to show the Windows built-in Everyone group. Click OK.
10) The Auditing Entry for Tracking dialog appears. Click to select the Full Control check boxes
for both Successful and Failed (this selects all check boxes).
11) Verify checked settings, then Click OK three times (3 x) to close the Auditing, Advanced, and
Properties windows.
12) Close Windows Explorer.
13) Future accesses of the \Squirrel\Tracking folder are now recorded to the Windows Security Log,
as shown in the example below.
Enable Windows Firewall Logging
Logging of Windows firewall activity is recommended to support compliance with auditing requirements.
1) Open Start → Control Panel → Windows Firewall.
2) The Windows Firewall properties dialog opens. Click the Advanced tab.
3) Under Security Logging, click Settings.
4) The Log Settings dialog appears. Click to select the Log dropped packets and Log successful
connections check boxes, then click OK.
5) Click OK again to close the Windows Firewall dialog and apply changes.
Enable SQL Server Auditing Policies
An audit trail must be configured to log every time a user connects to the SQL database server, including
access by the payment application (e.g. Squirrel Browser) or access by system administrators / authorized
support personnel (via Enterprise Manager, Query Analyzer, etc).
SQL Server Auditing for SQL Server 2008, SQL Server 2005
NOTE: For SQL Server 2000, please skip to the next section, SQL Server 2000: Enable
Server Auditing Policies
1) Log on to the Host PC using your Windows administrative account.
2) Launch Microsoft SQL Server Management Studio and click Connect.
3) Right-click the local SQL Server and click Properties.
4) The Server Properties dialog opens. Click the Security page.
5) Under Login Auditing, select Both failed and successful logins.
6) Click OK to close the Properties dialog.
7) To initialize auditing of database connections, SQL Server must first be restarted. Restart SQL
Server at the next available opportunity by either:
a) Stop Squirrel Host Service → Stop SQL Server service → Start SQL Server service → Start
Squirrel Host Service,
OR
b) Reboot the Squirrel Host PC.
8) Once complete, future logins to SQL Server are audited to the Windows Application Log, as
shown below:
SQL Server Auditing for SQL Server 2000
1) Log on to the Host PC using your Windows administrative account.
2) Launch the Microsoft SQL Server Enterprise Manager.
3) Expand the SQL Server Group down to the (LOCAL) server.
NOTE: On some installations, the local server may appear as <hostname>, e.g.
SMITH-SQPC (Windows NT).
4) Right-click the local server and click Properties.
5) The SQL Server Properties dialog opens. Select the Security tab.
6) Under Audit Level, select All.
7) Click OK to close, and then exit Enterprise Manager.
8) To initialize auditing of database connections, SQL Server must first be restarted. Restart SQL
Server at the next available opportunity by either of the following methods:
a) Stop Squirrel Host Service → Stop SQL Server service → Start SQL Server service → Start
Squirrel Host Service,
OR
b) Reboot the Squirrel Host PC.
9) Once complete, future logins to SQL Server are audited to the Windows Application Log, as
shown below:
Enable Time Synchronization Features
Merchants are required by the PCI DSS to employ time-synchronization technologies, such as NTP (Network
Time Protocol), to synchronize all critical system clocks and times and ensure the integrity of activity logs and
audit trails.
Enable Windows Internet Time on the Host PC
For users with standalone (Workgroup) Host PC’s, perform the following steps to enable time
synchronization:
1) Open Start → Control Panel → Date and Time.
2) The Date and Time Properties dialog opens. Click the Internet Time tab.
3) Click to select the Automatically synchronize with an Internet time server check box.
4) Under Server, enter the URL for a valid, working Internet timeserver.
NOTE: A list of current NIST (National Institute of Standards and Technology)
timeservers can be found at http://tf.nist.gov/tf-cgi/servers.cgi
5) Click OK to apply changes and close.
Set Time Synchronization on Network Devices
Network devices, such as routers, firewalls, and managed switches must also be synchronized with a
central timeserver in the cardholder data environment (if available), or with an industry-accepted external
time source.
Please consult individual hardware vendor documentation for further information on configuring device
time and date settings.
Squirrel Browser Security Auditing
Squirrel Event Log Overview
Squirrel Browser Security auditing is activated by default with Browser Security and cannot be disabled.
Squirrel POS and newer include enhanced auditing to support merchant compliance with the PCI
requirements by tracking Squirrel Browser user activity via the Windows Event Log service.
A new Squirrel PCI Audit Log (‘SquirrelLog’) tracks access to the Squirrel Browser and records activity
(modules loaded, reports run, etc.) in event log messages.
System administrators can report on this log activity via the Squirrel Browser Activity Report, or opt to
harvest event information directly from the event log service using 3rd-party event management
applications (PCI Requirement 10.6).
Replicating SquirrelLog Events in the Windows Application Log
To accommodate log harvesting or parsing tools that cannot read from a custom Windows Event log,
Browser Security events can also be configured to replicate in the Windows Application log through the
addition of a marker file to the \Squirrel\Program directory.
1) Log on to the Host PC using your Windows administrative account.
2) Use Windows Explorer to browse to the \squirrel\program directory.
3) Open the File menu and select New → Text Document.
4) A ‘New Text Document.txt’ file appears with the filename highlighted for editing.
5) Rename the file to SquirrelAudit (no file extension) and press Enter.
6) Click Yes to confirm the file rename operation.
7) The marker file is renamed successfully. Close Windows Explorer.
8) Open the Squirrel Browser and login.
9) Open Event Viewer (eventvwr.msc) and confirm a corresponding SqPCIAudit Logon event is
written to the default SquirrelLog.
10) Click the Application Log and confirm a corresponding SquirrelAudit event is also written for the
same logon.
NOTE: Squirrel Browser Security events recorded in the SquirrelLog are listed under the
source SqPCIAudit, while replicated events in the Application Log are listed under
the source SquirrelAudit.
11) Close the Event Viewer when finished.
PCI DSS REMINDER
The Squirrel Event Log is offered only in support of merchant compliance with
auditing requirements of the PCI DSS.
Recording Browser Security events does not guarantee or ensure compliance, nor
does it satisfy a merchant’s obligation to routinely perform their own evaluations and
due diligence in ensuring compliance with all requirements of the PCI DSS.
Employ Centralized Logging / Backup of Audit Trails
Squirrel reminds merchants of their obligations under PCI DSS Req.10.5.3 to ensure audit trail files are
promptly backed up to a centralized log server or media that is difficult to alter. Squirrel stores application audit
trails in Windows Event Log format in order to support converting log data into industry standard log formats
suitable for centralized logging.
Merchants can utilize the following suggested solutions to support centralized harvesting of Squirrel POS event
log data, in addition to Windows Application, System, and Security events from their Squirrel POS system:
Installing VendorSafe LANScribe™
Merchants subscribing to VendorSafe Technologies’ (VST) managed services are advised to deploy the
LANScribe™ Client for both centralized backup of their POS audit trails and requisite file-integrity
monitoring.
Existing VendorSafe customers can contact VendorSafe Technologies for assistance in deploying and
configuring LANScribe for their Squirrel POS. For further information on VendorSafe Technologies
solutions, please contact your authorized Squirrel sales representative or the Squirrel Solution Center.
Installing SNARE Agent for Windows
For those merchants with existing security information and event management (SIEM) infrastructure, the
SNARE Agent for Windows (http://www.intersectalliance.com/projects/BackLogNT/) event management
client can be used to export Squirrel Event Log trails to a centralized server via industry-standard
SYSLOG events.
The following outlines how to install the SNARE Agent for Windows client:
1) Download the SNARE Agent for Windows installer (Version 4.0.0.2, Jul 2011) from:
http://www.intersectalliance.com/projects/SnareWindows/index.html#Download
2) Double-click to run the SNARE for Windows MultiArch installer.
3) Click Next.
4) Select I accept the agreement and click Next.
5) Select No and click Next.
6) Click Next to accept the default service account.
7) Click Enable Web Access. Click Yes – Please enter a password and then enter a strong
password.
8) Click Local access only and then click Next.
9) Click Next to accept the default installation path.
10) Click Next to accept creating a Start Menu group.
11) Click Install to begin installing SNARE.
12) Click Next to continue with setup.
13) Click Finish to close the installer.
14) Open Start → Intersect Alliance → Snare for Windows.
15) The SNARE localhost configuration page opens requiring authentication. Enter the username snare
and your previously selected password, then click OK.
16) In the left-side navigation pane, click Network Configuration.
17) Enter the following information:
a) Enter the IP address of your SYSLOG or SIEM server in the Destination Snare Server
address field.
b) Click to select the Enable SYSLOG Header checkbox.
c) Under SYSLOG Facility, select Kernel from the dropdown list.
d) Under SYSLOG Priority, select Information from the dropdown list.
18) Click Change Configuration.
19) Change is confirmed by the message, ‘Values have been changed’.
20) Click Apply the Latest Audit Configuration.
21) Click Reload Settings.
22) The change is confirmed by the message, ‘Snare Objectives have been applied to the
running system’.
23) Future log events are now forwarded by the SNARE Agent to the specified centralized SYSLOG or
SIEM server.
Note: The SNARE agent service must be stopped manually before running Squirrel POS
software upgrades.
Failure to stop SNARE before attempting a Squirrel software upgrade may result in errors
during file copy operations.
Squirrel reminds merchants to observe their obligations under PCI DSS Req. 10.6 to review all logs and audit
trails from devices in the cardholder data environment on a daily basis.
Merchants are advised to use file integrity monitoring systems, in addition to log harvesting / parsing, and offline
log backup tools, to assist with mandatory practices of securing and maintaining system audit history.
Merchants are advised to employ alerting tools to assist in maintaining a proactive awareness of system
security through immediate notification of stakeholders via email or SMS when important activity occurs in the
cardholder data environment, such as account lockouts, audit failures, critical system errors, etc.
For further information on auditing, and for the complete merchant responsibilities under PCI DSS Requirement
10, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Requirement 11: Regularly test security systems and processes
“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced
by new software. System components, processes, and custom software should be tested frequently to ensure
security controls continue to reflect a changing environment”. 10
Perform Routine Internal and External Vulnerability Scans
Squirrel advises merchants to observe their responsibilities under the PCI DSS Req. 11.2 in running internal and
external network vulnerability scans at least quarterly and after any significant change in the network, such as:
• New system component installations
• Changes in network topology
• Firewall rule modifications
• Product upgrades
Merchants are reminded that quarterly external vulnerability scans must be performed by an Approved
Scanning Vendor (ASV), as qualified by the PCI SSC. The PCI SSC maintains their current list of ASVs at
https://www.pcisecuritystandards.org/pdfs/asv_report.html.
Merchants are advised to contact their acquirer for further information on vulnerability scanning. Many
processors currently maintain relationships with both ASV’s and QSA’s that allow them to offer vulnerability and
compliance assessment tools and services to assist their merchants in achieving PCI compliance.
Test for Unauthorized Wireless Access Points
Squirrel advises merchants to observe their responsibilities under the PCI DSS Req. 11.1 by testing for the
presence of unauthorized wireless access points (WAP) in their cardholder data environment at least quarterly.
Testing can be done using a wireless analyzer or by deploying wireless IDS/IPS to identify wireless devices in
use, and should also include a physical inspection of network locations where a rogue WAP could be present,
i.e. publicly accessible switches, routers, network jacks, etc.
For further information on security testing, and for the complete merchant responsibilities under PCI DSS
Requirement 11, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
10. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011] (49)
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees
and contractors
“A strong security policy sets the security tone for the whole company and informs employees what is expected of
them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the
purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and
personnel, and contractors and consultants who are “resident” on the company’s site”. 11
Create a Security Policy
Squirrel advises merchants to observe their responsibilities under PCI DSS Req. 12 in establishing, publishing,
maintaining, and disseminating a merchant information security policy that includes, but is not limited to, the
following items:
• Addresses all PCI requirements from the merchant operation perspective
• Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk
assessment
• Includes a review at least once a year and updates to reflect changes to business objectives or the
risk environment
• Develops daily operational security procedures that are consistent with PCI DSS requirements, such
as account maintenance, security log reviews, etc.
• Includes acceptable usage policies for critical employee-facing technologies, such as:
  o E-mail and Internet usage
  o Removable electronic media, such as USB drives, external hard drives, etc., and mobile
    devices, such as laptops / tablets, smart phones, MP3 players, etc.
  o Wireless technologies
  o Remote-access technologies
• For employees who access cardholder data via remote-access technologies, prohibit copying,
moving, and storing of cardholder data onto local hard drives and removable electronic media, unless
explicitly authorized for a defined business need.
For further information on developing a merchant security policy, and for complete merchant responsibilities under
PCI DSS Requirement 12, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
11. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0" <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011]
Part II: Squirrel Key Management
Key Management Overview
The following sections describe the principle of encryption key management for Squirrel POS, including required
components, stakeholders involved, and procedures for implementation.
Key Management Cycle
Default installations of Squirrel POS utilize a set of hard-coded encryption keys for the preliminary storage of
cardholder data. These hard-coded keys are intended for pre-production use only; they are not compliant with the
PCI DSS for continued storage, transmission, or processing of live cardholder data in site environments.
Compliance with the PCI DSS requires merchants to implement and regularly maintain their own set of unique
encryption keys. This entails adherence to a key management cycle, as supported by the Squirrel Key
Management Utilities shown in the following diagram:
[Figure: Key Management Cycle Overview]
Key Custodians
Compliance with the PCI DSS also requires at least two trusted members of the merchant organization to serve
as Key Custodians. These custodial roles are generally fulfilled by system owners and system administrators,
who work together to establish dual-control over the merchant encryption keys.
Dual control can be established by allocating key components as per the table below:
| Custodian | Responsibility |
| --- | --- |
| Custodian A | Maintains and secures physical possession of the Merchant Keyfile (USB drive). This role is generally recommended for system owners, or another trusted, non-technical member of the merchant organization (e.g. accountant, controller, etc). |
| Custodian B | Maintains and secures the SQL Server Logins (usernames and passwords). This role is generally recommended for system administrators, or another trusted, technical member of the merchant organization (IT Manager, GM, controller, etc). |
Once implemented, dual-control constraints are intended to ensure no one member of the merchant organization
has sole permission to make changes to the encryption scheme. Each custodian must contribute his or her
individual key component in order to effect a change in encryption keys, as characterized by the diagram below:
[Diagram: Custodian A (Merchant Keyfile) + Custodian B (SQL Passwords) → Change Encryption Keys]
Preparing for Key Management Deployment
Much of the Key Management implementation process takes place well in advance of actual cardholder data re-encryption. The following flowchart outlines preparation steps for ensuring all key changeover components are in
place, with minimal interruption to POS operations:
[Flowchart stages: Preparation; Planning; SQL Server Configuration; Keyfile Creation & Registration; Implementation; Data Re-Encryption]
• Assign key custodian roles to at least two members of the merchant organization
• Obtain USB drive for storage of merchant keyfiles
• Have custodians each decide on strong password for their respective components
• Ensure Squirrel POS installation is activated by Squirrel Solution Center
• Assemble unique SQL Logins used by the application to access the database
• Ensure Squirrel ODBC Connection is configured to SQL Authentication
• Ensure Squirrel Browser has been associated with the unique SQL Logins
• Generate a Merchant Keyfile (sqKeys.exe)
• Register the Merchant Keyfile on Host PC (sqRegisterKeys.exe)
• Post any outstanding credit card batches prior to Re-Encryption
• Shutdown POS / Stop Host Service
• Backup Squirrel Database
• Re-Encrypt Squirrel Database (sqReEncrypt.exe)
• Backup newly Re-Encrypted Squirrel database
• Start Business Day, test POS and BOH encryption / decryption routines
Implementing Key Management
The following sections outline the three stages involved in deploying Squirrel Key Management.
• Creating a Keyfile
• Registering a Keyfile
• Re-Encrypting the Squirrel Database
NOTE: Squirrel Key Management requires SQL Authentication. Do not begin key
creation procedures until unique SQL Logins have been created and SQL Authentication
configured for the merchant installation. See Use a Limited Windows Account for POS
Operations (Squirrel Users Setup), under ‘Requirement 7’, for further information on
implementing SQL Authentication.
Creating a Keyfile (sqKeys)
The Squirrel sqKeys.exe utility is used to generate a merchant keyfile - an encrypted file containing a pair of
unique public and private encryption keys for securing stored cardholder data. Once generated, this merchant
keyfile can be registered to a Squirrel Host PC for purposes of encrypting stored cardholder data.
The sqKeys.exe utility does not require merchant keyfile generation to be conducted on the same PC on which
the Keyfile is being installed. Merchant keyfiles can be generated on one licensed installation of Squirrel POS
software, and then securely deployed to another Squirrel installation later.
PCI REMINDER
Though encrypted itself, a merchant keyfile must never be transmitted via insecure
methods, e.g. unencrypted email or FTP, etc. Any distribution of keyfiles must be
secured by strong encryption, authentication, and auditing mechanisms.
Merchants are required to ensure their cryptographic materials are always protected
against disclosure or misuse. Squirrel reminds merchants to restrict Keyfile access to
the fewest number of custodians possible.
To generate a merchant keyfile, perform the following:
1) Log onto the PC using your Windows administrative account.
2) From the Windows Run command, enter sqkeys and click OK (or alternately, browse to
\Squirrel\Program and double-click the sqKeys.exe application to launch).
3) The sqKeys application opens:
4) Type a meaningful name for the new keyfile in the Filename Prefix field. The file name, as
entered, is appended with the current date and time and displays its final form in the Actual
FileName field (e.g. ‘FirstKey_2009_04_21_112256.key’).
5) Click the browse button ( ‘ … ‘ ) next to Create in Location.
6) Browse to and select a primary location on the USB thumb drive where the keyfile will be stored.
7) (Optional): Click the ‘browse’ button on the Backup Location to browse for and select a
secondary location on the same or different removable media to store a backup copy of the
keyfile. To generate only the single keyfile, re-enter the same path from Step #6.
PCI REMINDER
Merchant Keyfiles must be stored on removable media that can be physically secured
against unauthorized access, such as a USB thumb-drive or other removable mass-storage device reserved exclusively for Key Management purposes.
Merchants are advised never to store keyfiles on any local system in the cardholder data
environment, e.g. on fixed disks or network drives.
Entering ‘Custodian A’ Inputs
8) To protect the merchant keyfile against misuse or accidental compromise, have Custodian ‘A’
secure the file by typing a unique keyfile password in the Password to Encrypt File field.
9) Re-type the password in the Type Password Again field to confirm.
10) (Optional): Enter hint information in the Hint field, if desired. Ensure only the password holder can infer its meaning.
11) Click to select the Substitution of this Keyfile with another keyfile requires this keyfile
password check box. This flag ensures substitution of this keyfile, once registered, can only
be done with the consent of Custodian ‘A’ (by the act of Custodian ‘A’ re-entering the keyfile
password).
12) Click to select the And Keyfile check box. This flag also ensures substitution of this keyfile can
only be done with the consent of Custodian ‘A’ (by the act of providing physical access to the
saved keyfile).
Entering ‘Custodian B’ Inputs
13) Have Custodian ‘B’ type the username for the first SQL ‘Full Decryption’ login in the SQL acct
allowing decryption with password field.
NOTE: This is the same ‘Full Decryption’ SQL login, as entered previously in Configure
the Squirrel Browser for SQL Authentication.
14) Verify the Specific password box is checked, then have Custodian ‘B’ type the first SQL Login’s
password in the PW: field.
15) Re-type the password in the Again: field to confirm.
16) Click to select the Hide check box. This flag prevents the SQL username used from being shown
during later key management operations.
17) Click to select the Substitution of this keyfile with another keyfile requires this SQL password
check box.
This flag ensures any replacement of this keyfile by another keyfile can be done only with the
consent of Custodian ‘B’ (by the act of their re-entering the associated SQL password).
18) When ready, click Generate Encrypted Key File to generate the physical keyfile (*.key) on your
removable media.
19) The sqKeys application closes upon successful keyfile generation.
20) Navigate to the specified location(s) on the removable media to confirm successful keyfile
creation, e.g. ‘FirstKey_yyyy_mm_dd_hhmmss.key’.
21) If ready to proceed with registration of the keyfile on the same PC, leave the USB drive
connected to the PC and continue to Registering a Keyfile (SqRegisterKeys).
22) Otherwise, if this keyfile is intended for another system, or you are not ready to register the
keyfile at this time, eject the USB drive and have Custodian ‘A’ physically secure the removable
media, e.g. store in a safe, safety deposit box, etc. until such time that keyfile registration can be
performed.
Registering a Keyfile (SqRegisterKeys)
Registration is the process by which the merchant’s unique encryption keys from the keyfile are registered, or ‘bound’, to the
Host PC, as shown below:
The SqRegisterKeys.exe utility is used to register a merchant keyfile to a PC. This utility ensures cardholder data encrypted with the
encryption keys can only be decrypted by systems on which the keyfile has been registered.
To register a keyfile to a Squirrel PC, perform the following:
1) Log onto the PC using your Windows administrative account.
2) Have Custodian A connect the USB drive containing the merchant keyfile to the Squirrel Host PC.
3) From the Windows Run command, enter sqregisterkeys and click OK (or alternately, browse
to \Squirrel\Program and double-click the sqRegisterKeys.exe icon to launch).
4) The sqRegisterKeys application opens.
NOTE: As this is the first keyfile to be registered, the List of Keyfiles Currently Registered
on this Machine pane is empty and the Use KeyFile field in the bottom of the window
reads HARDCODED.KEY, indicating application default encryption keys are still in use.
5) Click the ‘browse’ button ( ‘ … ‘ ) next to the Register KeyFile field to browse to the keyfile.
6) From the Select Key file dialog, browse to your removable media and select the keyfile to be
registered, then click Open.
7) The Enter Password dialog appears. Have Custodian A enter the password used to secure this
keyfile and click OK.
8) The keyfile appears under List of Keyfiles Currently Registered on this Machine, indicating it
is now registered with this Host PC.
9) Close SqRegisterKeys to exit the application.
10) If ready to proceed with Re-Encryption of the Squirrel database, leave the USB drive connected
and continue below to Re-Encrypting the Squirrel Database and Purging Cardholder Data.
11) Otherwise, if not ready to Re-Encrypt the database at this time, eject the USB drive and have
Custodian ‘A’ physically secure the removable media, e.g. store in a safe, safety deposit box, etc.
until such time that keyfile registration can be performed.
Re-Encrypting the Squirrel Database (SqReEncrypt.exe)
Re-encryption of stored cardholder data is the final step in implementing Squirrel Key Management.
The Squirrel sqReEncrypt.exe utility is used to change from the default ‘hard-coded’ encryption keys to unique encryption keys. This re-encryption process also initializes the new keys for use in the storage of future cardholder data.
IMPORTANT:
Ensure all credit card batches have been successfully posted to network before
beginning re-encryption. Changing encryption keys with open / unposted batches is not
recommended.
To re-encrypt cardholder data in the Squirrel database, complete the following steps:
1) Log onto the PC using your Windows administrative account.
2) Ensure the Squirrel Business Day is Shutdown.
3) Stop the Squirrel Host Service and close all other connections to the Squirrel database
(Squirrel Browser, etc).
4) Click Transactions → Credit Card Posting and check to confirm all batches have been posted
before proceeding.
5) Click Utilities → Database Maintenance, then perform a Manual Database Backup.
6) Use Windows Explorer to verify a database backup file (.ZIP) was created.
7) Exit the Squirrel Browser.
8) From the Windows Run command, enter sqReEncrypt and click OK (or alternately, browse to
\Squirrel\Program and double-click the sqReEncrypt.exe icon to launch).
9) The sqReEncrypt application opens. Click the ‘browse’ button ( ‘ … ‘ ) next to the ReEncrypt
with KeyFile or RSA file field.
10) The Select Key file menu dialog appears. Have Custodian A connect the USB drive containing
the merchant keyfile to the Squirrel Host PC. Browse the media to select the desired keyfile, then
click Open.
11) The Enter Password dialog appears. Have Custodian A enter the Password for this keyfile and
click OK.
12) The selected keyfile displays in the ReEncrypt with KeyFile or RSA file field.
13) Leave the Blank out (erase) Encrypted Data setting at the default Don’t Blank out any data.
NOTE: Squirrel recommends merchants use the ‘Purge Encrypted Credit Card Data’ to
automate purging of posted encrypted data. See the Limit Cardholder Data Retention
(‘Purge Encrypted Credit Card Data’) in section Requirement 3: Protect stored cardholder
data for details.
14) When ready, click Re-Encrypt data using Public/Private Keys supplied in the file to begin
data re-encryption.
15) Re-Encryption begins.
16) Depending on database size and system specifications, re-encryption can take from a few
seconds to upwards of 10 minutes. The SqRegisterKeys application window closes automatically
to indicate when re-encryption is finished.
17) Eject the USB drive and have Custodian A secure the removable media until such time that the
KeyFile is required, i.e. at next scheduled key change.
18) Continue below to Verifying Encryption Routines.
Verifying Re-Encryption Routines
After re-encrypting cardholder data, several basic tests should be performed to confirm encryption and decryption
routines are functional, and to verify any cardholder data purged is no longer present.
To confirm successful decryption / removal of cardholder data, perform the following:
1) Login to the Squirrel Browser with a Browser User that has access to both Check Adjust and the
Credit Card Detail Report.
2) Open Check Adjust and ensure a previous credit card transaction can be decrypted (partial or
otherwise).
3) Run the Credit Card Detail Report for a previous day to ensure the new private key can
successfully decrypt PAN’s and expiry dates (partial or otherwise) in the report.
NOTE: For previously-purged cardholder data, PAN and expiry date fields are empty
(Credit Card# field should be empty; Exp Date field should read ‘00/00’).
4) When finished, Start Squirrel Host Service and Start Business Day.
5) Ensure a test credit card transaction is performed prior to starting live business operations.
6) Perform a full database backup from the Squirrel Browser before continuing (Utilities →
Database Maintenance → Manual Database Backup).
IMPORTANT:
Once encryption keys have been changed, restoring any Squirrel database backup
made prior to the key change will result in mismatched encryption between data in the
database and current encryption keys registered on the PC.
To reduce the potential for encryption mismatch, always perform a Manual Database
Backup (*MBK.zip) immediately following a change in encryption keys, and make
record of the date when the encryption keys were changed.
Until scheduled Database Maintenance routines have completed a full weekly cycle
(replacing all previous BKW*.zip archives), the backup archives in
\SqDBHouse\DBBackup\Zipfiles and weekly folders on the secondary media will
contain database backups encrypted with previous encryption keys.
Once personal key management has been implemented, any future change to
encryption keys requires all of the following inputs from the respective key custodians:
• Physical access to the USB drive containing the keyfile (Custodian A)
• Password used to protect the keyfile (Custodian A)
• SQL username / password associated with the keyfile (Custodian B)
7) Implementation of the first unique encryption keys is complete. Eject the USB drive and have
Custodian ‘A’ physically secure the removable media, e.g. store in a safe, safety deposit box, etc.
until the keyfile is required for the next key change.
For details on continued maintenance and next change of the encryption keys, please refer to the
following section Changing Merchant Encryption Keys (‘Re-Keying’).
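The backup warning in the IMPORTANT note above can be turned into a quick pre-restore check. The following is an added example, not part of the Squirrel guide or its utilities: it classifies the archives in a backup folder against the recorded key-change time, assuming a file's modification time reflects when the backup was taken. The sample file names and timestamps are constructed to match the BKW*.zip and *MBK.zip patterns named in the guide.

```python
"""Flag Squirrel backup archives that predate a recorded encryption key change."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from pathlib import Path


@dataclass(frozen=True)
class Archive:
    name: str
    kind: str                  # "weekly", "manual" or "other"
    modified: datetime
    predates_key_change: bool  # True: data encrypted under the previous keys


def archive_kind(name):
    """Classify by the two archive name patterns the guide mentions."""
    upper = name.upper()
    if fnmatchcase(upper, "BKW*.ZIP"):
        return "weekly"
    if fnmatchcase(upper, "*MBK.ZIP"):
        return "manual"
    return "other"


def scan_backups(folder, key_changed_at):
    """Return one Archive per .zip file in folder, sorted by file name.

    Assumption: the file modification time is when the backup was taken.
    Copying or re-zipping an archive can change it, so treat the result as
    a triage aid beside the written key-change record, not as proof.
    """
    archives = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".zip":
            continue
        modified = datetime.fromtimestamp(path.stat().st_mtime)
        archives.append(Archive(
            name=path.name,
            kind=archive_kind(path.name),
            modified=modified,
            predates_key_change=modified < key_changed_at,
        ))
    return archives


def restorable(archives):
    """Archives written after the key change, newest first."""
    current = [a for a in archives if not a.predates_key_change]
    return sorted(current, key=lambda a: a.modified, reverse=True)


def weekly_cycle_complete(archives):
    """True once no weekly archive from before the key change remains."""
    return not any(a.kind == "weekly" and a.predates_key_change
                   for a in archives)


# Constructed sample: key change recorded on 2014-07-06 at 22:00 local time.
SAMPLE_KEY_CHANGE = datetime(2014, 7, 6, 22, 0)
SAMPLE_FILES = {
    "BKW1.zip": datetime(2014, 7, 3, 3, 0),            # weekly, before change
    "BKW2.zip": datetime(2014, 7, 5, 3, 0),            # weekly, before change
    "BKW3.zip": datetime(2014, 7, 7, 3, 0),            # weekly, after change
    "PreChangeMBK.zip": datetime(2014, 7, 6, 21, 30),  # manual, before change
    "PostChangeMBK.zip": datetime(2014, 7, 6, 22, 15), # manual, after change
    "notes.txt": datetime(2014, 7, 6, 22, 20),         # not an archive
}


def make_sample_folder(folder):
    """Create empty files carrying the constructed modification times."""
    for name, when in SAMPLE_FILES.items():
        path = Path(folder) / name
        path.write_bytes(b"")
        os.utime(path, (when.timestamp(), when.timestamp()))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_folder(tmp)
        found = scan_backups(tmp, SAMPLE_KEY_CHANGE)
        for a in found:
            state = "PREVIOUS KEYS" if a.predates_key_change else "current keys"
            print(f"{a.name:20} {a.kind:7} {a.modified:%Y-%m-%d %H:%M}  {state}")
        print("Restore candidates:", [a.name for a in restorable(found)])
        print("Weekly cycle complete:", weekly_cycle_complete(found))
```

Archives flagged as predating the change are the ones to keep out of routine restores, and to handle as the guide directs for retired key material once the weekly cycle has replaced them.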
Encryption Key Maintenance
Changing Merchant Encryption Keys (‘Re-Keying’)
Merchants are required by the PCI DSS to change encryption keys on a minimum annual basis. The process of
changing between unique merchant encryption keys, referred to herein as ‘Re-Keying’, follows the same basic
process as used at the time of initial key implementation: a new merchant keyfile is generated, encryption keys
are registered with the PC and finally, data is re-encrypted using the new keys.
The notable difference in changing between unique merchant encryption keys is enforcement of the dual-control
constraints, described in greater detail below, which prevent merchant encryption keys from being changed
without input from both key custodians.
For administrative ease and key consistency, Squirrel recommends merchants perform Re-Keying in conjunction
with any SQL password changes. This ensures SQL credentials bound to the current merchant keyfile are always
consistent with the active SQL accounts on the PC.
PCI DSS REMINDER:
The PCI DSS also requires merchants to replace encryption keys if they suspect any
encryption materials or related passwords have been disclosed or compromised,
and whenever employees are assigned to, or removed from, a key custodial role,
(e.g. an employee leaves the merchant organization and their custodial role is
assigned to a new employee).
Generating a Replacement Keyfile
Complete the following to generate a new merchant keyfile:
1) Per procedures outlined previously in Creating a Keyfile (sqKeys), generate a new keyfile by
running sqKeys.exe.
2) Be sure to observe the following during generation of the new keyfile:
3) Use a meaningful naming convention to identify new keyfiles.
4) Keep all keyfiles in an organized, consistent location, i.e. use the same USB drive, and never lose
track of physical media containing keyfiles.
5) Continue adhering to dual-control constraints during the creation and replacement of all keyfiles.
Registering the Replacement Keyfile
Complete the following to register a new merchant keyfile:
1) Per steps previously outlined in Registering a Keyfile (SqRegisterKeys), register the new keyfile
using sqRegisterKeys.exe.
2) Observe the following notes during registration of a new keyfile:
3) The new, replacement keyfile appears alongside the current keyfile under List of keys
registered with the machine. Note the current keyfile is still in active use, as indicated by the
Uses KeyFile field at the bottom.
4) Do not attempt to ‘Unregister’ or physically delete any keyfiles at this time. Removal of expired
key materials is performed only after Re-encryption has been performed and confirmed
successful.
Re-Encrypting with the Replacement Encryption Keys
Complete the following to re-encrypt cardholder data with new merchant encryption keys:
1) Per steps previously outlined in Re-Encrypting the Squirrel Database (SqReEncrypt.exe), ensure
POS is Shutdown and Squirrel Host Service stopped.
2) Ensure all credit cards are posted and the Squirrel database manually backed up.
3) Launch sqReEncryptKeys.exe.
4) When replacing an existing merchant keyfile, the new sqReEncypt - Current Encryption can
only be Changed if the following is provided dialog appears:
5) This ‘challenge’ request for inputs appears in response to the dual-control flags selected at
creation of the original (current) keyfile. All available fields must be completed before re-encryption can be performed.
The following table shows the relationship between these ‘challenge’ flags from sqKeys.exe and
the corresponding ‘response’ fields required by sqReEncrypt.exe:
| Related Flag From Original KeyFile (sqKeys.exe) | Custodian Input Required During Replacement of Original keyfile (sqReEncrypt.exe) |
| --- | --- |
| ‘Substitution of this Keyfile with another Keyfile requires this Keyfile password’ | Keyfile Password |
| ‘And Keyfile’ | Keyfile, e.g. USB drive with the original ‘.KEY’ file |
| ‘Substitution of this Keyfile with another Keyfile requires this SQL password’ | SQL Account Password associated with the current Keyfile |
6) In the Keyfile Password field, have Custodian ‘B’ enter the original keyfile password. Note that
this password may differ from the password Custodian ‘B’ has assigned to the new (replacing)
keyfile.
7) Have Custodian ‘A’ insert the removable media containing the original keyfile and click the
‘browse’ (‘…’) button on the KeyFile field. Browse to and select the original keyfile.
8) Have Custodian ‘B’ enter the password for SQL Login associated with the original keyfile in the
SQL Password field.
9) Click OK.
10) The main sqReEncrypt window now appears. If not, review any error prompts and correct inputs
to retry.
11) Proceed with the re-encryption process, as previously outlined in Re-Encrypting the Squirrel
Database (SqReEncrypt.exe).
12) Confirm re-encryption routine success, as previously outlined in Verifying Re-Encryption
Routines.
Removing Old Encryption Keys
Once the system has been successfully re-keyed, old encryption keys must be unregistered (removed) from the
Host PC and securely deleted from removable media.
Unregistering an Old Keyfile
To unregister an old keyfile, perform the following.
1) Launch sqRegisterKeys.exe.
2) Under List of keyfiles Currently Registered on this Machine, click to select (highlight) the old
keyfile you wish to unregister from the machine.
3) Confirm the keyfile you are attempting to unregister is not currently in use, i.e. is not listed in
the Use KeyFile field at the bottom of the dialog.
4) Click Unregister Selected files from this machine.
5) A ‘challenge’ dialog appears asking for the same dual-control custodian inputs as described previously
in Re-Encrypting with the Replacement Encryption Keys.
6) Have Custodians ‘A’ and ‘B’ provide the original physical keyfile, keyfile password, and SQL
Password components (respectively).
7) Click OK.
8) Upon successful removal, the keyfile disappears from the List of Key Files pane.
NOTE: If the current (active) keyfile is accidentally selected for deletion, a warning
message appears to alert the user to the error. Click ‘No’ to return and reselect the
correct inactive keyfile.
Secure Deletion of Old Keyfiles
When no longer in use, removal of old cryptographic materials from the merchant system is absolutely
necessary for PCI DSS compliance.
After unregistering old encryption keys, retired merchant keyfiles must either be destroyed using a deletion tool
capable of conforming to Department of Defense standard DOD 5220.22-M (such as Eraser or SDelete), or
securely archived (e.g. in a safe, or safety deposit box).
Please refer to the Squirrel Secure Data Deletion: PA-DSS Implementation Guide Supplement for further
information on how to manually and securely delete files.
PCI DSS REMINDER
Keyfiles stored on read-only media incapable of secure file deletion, e.g. CD /
DVD-R, must be physically destroyed in accordance with PCI DSS requirements,
e.g. destroyed by cross-cutting CD/DVD shredder, incineration, etc.
If retaining keyfiles for retired or replaced cryptographic keys, the archived keyfiles must be securely stored and
used only for decryption/verification purposes; they may not be used for production encryption purposes again.
Appendices
Appendix A - Creating Strong Passwords
Microsoft Recommendations for Creating Strong Passwords
Complex or ‘strong’ passwords must be used for all system components in - or connected to - the cardholder
data environment. Microsoft offers guidance on how to create strong passwords in Strong passwords: How
to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx).
NOTE: Squirrel recommends use of strong, random-password generation for default or
rarely used administrative accounts.
Windows Security - ‘Password must meet complexity requirements’ Policy Definition
Enabling the Windows policy Password must meet complexity requirements (as performed in Enforce
Windows Password Policies) enforces the following specific complexity requirements on newly created or
changed Windows passwords. The information below, taken from Windows’ policy description tab, is provided
for clarification:
“Password must meet complexity requirements: This security setting determines whether
passwords must meet complexity requirements. If this policy is enabled, passwords must
meet the following minimum requirements:
• Not contain the user's account name or parts of the user's full name that exceed
two consecutive characters
• Be at least six characters in length
• Contain characters from three of the following four categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
Default:
Enabled on domain controllers.
Disabled on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.”
Attempting to create or change a Windows password that fails any of the above requirements will be
denied with a ‘password does not meet password complexity’ error.
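The policy text quoted above can be expressed as a checker for reviewing candidate passwords before they are set. This is an added example, not Microsoft's or Squirrel's code. The delimiter set used to split the full name, the three-character minimum for name fragments, and the reading of 'non-alphabetic' as any character that is neither an English letter nor a digit are this example's interpretation of the quoted wording; the sample accounts are constructed.

```python
"""Evaluate a candidate password against the quoted Windows complexity rules."""
import re

MIN_LENGTH = 6           # "Be at least six characters in length"
REQUIRED_CATEGORIES = 3  # "three of the following four categories"

# Assumption: a full name is split into parts on these delimiters
# (comma, period, hyphen, underscore, space, pound sign, tab).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    # Assumption: anything that is not an English letter or a digit.
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def forbidden_fragments(account_name, full_name=""):
    """Lower-cased strings the password must not contain.

    Only fragments that "exceed two consecutive characters" count, so an
    account name or name part shorter than three characters is ignored.
    """
    fragments = set()
    if len(account_name) >= 3:
        fragments.add(account_name.lower())
    for part in NAME_DELIMITERS.split(full_name):
        if len(part) >= 3:
            fragments.add(part.lower())
    return fragments


def categories_used(password):
    """Names of the character categories present in the password."""
    return {name for name, pattern in CATEGORY_PATTERNS.items()
            if pattern.search(password)}


def check_password(password, account_name, full_name=""):
    """Return the failed rules in a fixed order; an empty list means accepted."""
    failures = []
    lowered = password.lower()
    if any(f in lowered for f in forbidden_fragments(account_name, full_name)):
        failures.append("contains_name")
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if len(categories_used(password)) < REQUIRED_CATEGORIES:
        failures.append("too_few_categories")
    return failures


if __name__ == "__main__":
    # Constructed accounts and candidate passwords, for illustration only.
    samples = [
        ("Sq1rrel", "jsmith", "John Smith"),
        ("johnPOS#1", "jsmith", "John Smith"),
        ("abc12", "jsmith", "John Smith"),
        ("password1", "jsmith", "John Smith"),
        ("Alpine#42", "al", "Al Li-Wong"),
    ]
    for password, account, full in samples:
        result = check_password(password, account, full)
        print(f"{password!r:14} for {account!r:9} ->", result or "accepted")
```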
Appendix B - Squirrel PA-DSS Configuration Checklist
The following checklist summarizes many of the system configuration and management procedures from this
guide by grouping / order of configuration area and other dependencies (vs. order by applicable PCI DSS
requirement). This list is intended to help end-users expedite configuration of the Squirrel POS system in a
manner supporting PCI compliance.
PCI DSS REMINDER
The following is provided to merchants and system implementers for reference purposes
only. The information below only addresses payment application configuration items with
explicit settings or procedure directly supporting an associated PCI requirement.
This checklist does not address ‘policy-related’ PCI requirements, including but not
limited to creation of security policies, system and account management procedures,
ongoing vulnerability management processes, etc. which are the responsibility of the
merchant.
Completion of this checklist is not a substitute for thorough review of the Squirrel PA-DSS Implementation Guide, the Payment Card Industry Data Security Standard (PCI
DSS), or other supporting documentation provided by the PCI SSC or Squirrel Systems.
Protecting Stored Cardholder Data (1 of 2)
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Squirrel Credit Card Tracking disabled / verified |  | Req. 3 | Disable Squirrel Credit Card Tracking |
| Squirrel ‘Purge Encrypted Cardholder Data’ flag enabled / verified in accordance with merchant data retention policies |  | Req. 3 | Limit Cardholder Data Retention (‘Purge Encrypted Credit Card Data’) |
POS Server and Network Hardening (1 of 2)
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Linksys RVL200 Router/Firewall, AlphaShield, or equivalent compatible hardware firewall with SPI (Stateful Packet Inspection) installed between Squirrel POS network and any other external networks |  | Req. 1 | Use a Firewall between the Squirrel POS Network and External / Publicly Accessible Networks |
| Linksys RVL200 Router or equivalent router supporting NAT / PAT is installed between Squirrel POS network and any other external networks |  | Req. 1 | Prohibit Direct Connection from the Internet to the Cardholder Data Environment |
| Linksys RVL200 Router/Firewall or equivalent compatible hardware firewall with SPI (Stateful Packet Inspection) installed between any wireless and wired networks in the cardholder data environment |  | Req. 1 | Use a Firewall between Wireless and Wired Networks in the Cardholder Data Environment |
| Default password changed for logins to all network devices (routers, managed switches, etc.) |  | Req. 2 | Secure Vendor-Default Passwords and Accounts on Additional System Components |
| All vendor-default wireless network security settings changed |  | Req. 2 | Change Vendor-Default Wireless Network Security Settings |
| Merchant remote access solution (network-level access originating from outside the network) configured to comply with all applicable PCI DSS requirements, OR remote access disabled until compliant solution can be implemented |  | Req. 8 | Remote Access by Members of the Merchant Organization |
Software Vulnerability Management (1 of 2)
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Compatible antivirus application installed / verified on Host PC before connecting to external networks and/or potentially insecure media |  | Req. 5 | Install an Approved Antivirus Solution |
| Latest Squirrel software critical updates installed / verified |  | Req. 6 | Maintain Squirrel POS Software Updates |
| Microsoft Update component installed / verified |  | Req. 6 | Maintain Windows Automatic Updates |
| Windows Automatic Updates configured and latest updates downloaded, installed / verified |  | Req. 6 | Maintain Windows Automatic Updates |
| Java Automatic Updates configured and latest updates downloaded, installed / verified |  | Req. 6 | Maintain Java Automatic Updates |
| Critical Updates applied for other installed 3rd party applications / verified |  | Req. 6 | Maintain Critical Updates for Third-Party Applications |
Squirrel Browser Security
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Browser Security (‘Browser Security Administrative’ group and unique user accounts created for each administrator) enabled / verified |  | Req. 8 | Create an Administrative Browser Security Group; Create a Browser ‘Security Administrator’; Create Additional Non-Administrative Browser Groups |
| Unique Browser Users created / verified for each individual employee needing Browser access |  | Req. 8 | Create Unique Browser Users for All Other Members of the Merchant Organization |
| Access to Tracking control removed / verified for non-administrative Browser Users |  | Req. 7 | Restrict Access to Squirrel Tracking Controls |
| Can See Decrypted Credit Cards flag disabled / verified for all users |  | Req. 7 | Disable Full Credit Card Decryption in the Squirrel Browser |
| Generic or vendor-default Browser User accounts removed |  | Req. 2 | Remove Generic or Vendor-Default Browser Security Accounts: |
Windows Account and Auditing Management
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Windows password policies configured / verified (secpol.msc) |  | Req. 8 | Enforce Windows Password Policies |
| Windows account lockout policies enabled / verified (secpol.msc) |  | Req. 8 | Enforce Windows Account Lockout Policies |
| Windows XP security policies enabled (secpol.msc) |  | Req. 2 | Enable Windows Anonymous Enumeration and Interactive Logon Security Policies |
| Linux account restricted from interactive logon |  | Req. 2 | Restrict the Squirrel ‘Linux’ Account from Interactive Logon |
| Windows auditing policies enabled (secpol.msc) |  | Req. 10 | Configure Windows Auditing Policies |
| Windows hardening policies for anonymous sessions enabled |  | Req. 2 | Employ Industry-Accepted System Hardening Standards |
| Password-protected screensaver policies enabled (gpedit.msc) |  | Req. 8 | Enable a Password-Protected Screensaver |
| Unique Windows administrative account(s) created for each intended POS system administrator |  | Req. 8 | Use Unique Windows Accounts for all System Administrators |
| Default Windows ‘Administrator’ account renamed and strong password assigned |  | Req. 2 | Rename and Password-Protect the Windows Default ‘Administrator’ Account |
| Windows Limited User created for daily operation of the Squirrel Host PC |  | Req. 7 | Create a Windows Limited User Account |
| Generic or vendor-default Windows administrative accounts removed |  | Req. 2 | Remove Generic or Vendor-Default Windows Administrative Accounts |
| Membership in Administrators group limited to only those accounts with a legitimate need |  | Req. 7 | Limit Number of Windows Administrators |
| Windows event log retention defaults configured |  | Req. 10 | Configure Windows Event Retention Settings |
| Windows event log archival configured |  | Req. 10 | Automate Archival and Clearing of Event Logs |
| Time synchronization enabled for Host PC and network devices |  | Req. 10 | Enable Time Synchronization Features |
SQL Server Account & Auditing Management
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Auditing of connections to SQL Server enabled |  | Req. 10 | SQL Server 2005: Enable Server Auditing Policies or SQL Server 2000: Enable Server Auditing Policies |
| Strong password assigned to the SQL default ‘sa’ sysadmin account |  | Req. 2 | Securing the ‘sa’ account in SQL Server 2005: or Securing the ‘sa’ account in SQL Server 2000: |
| SQL default ‘sa’ sysadmin account disabled (SQL Server 2008, 2005 only) |  | Req. 2 | Securing the ‘sa’ account in SQL Server 2005: |
| Unique SQL Logins created for database access by Squirrel application |  | Req. 8 | SQL Server 2000: Create Unique SQL Logins for Database Access or SQL Server 2005: Create Unique SQL Logins for Database Access |
Windows Limited User Setup
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| Squirrel Users group created (SquirrelUsers.exe) |  | Req. 7 | Create the ‘Squirrel Users’ Windows Group |
| Squirrel Users group granted access to Squirrel Program folders |  | Req. 7 | Grant ‘Squirrel Users’ Group Write Access to Squirrel Application Folders |
| Squirrel ODBC DSN configured to use SQL Authentication |  | Req. 7 | Configure the Squirrel ODBC Connection for SQL Authentication |
| Squirrel Browser associated with new Squirrel DSN |  | Req. 7 | Configure the Squirrel Browser for SQL Authentication |
Implementing Key Management
| Procedure / Setting | Checked | PCI Req. | Guide Reference |
| --- | --- | --- | --- |
| Squirrel software activated by Squirrel Solution Center |  | Req. 3 | Preparing for Key Management Deployment |
| Removable media, i.e. USB flash drive, procured for merchant keyfile storage |  | Req. 3 | Preparing for Key Management Deployment |
| Key custodian roles assigned to at least two members of merchant organization |  | Req. 3 | Preparing for Key Management Deployment |
| Unique encryption keyfile created with dual custodial control |  | Req. 3 | Creating a Keyfile (sqKeys) |
| Key Management implemented and Squirrel database uniquely encrypted |  | Req. 3 | Implementing Key Management |
Windows Access Controls and Auditing
| Procedure / Setting | Checked | PCI Req. | Guide Reference |
| --- | --- | --- | --- |
| Access to Squirrel Tracking folder restricted and folder-level auditing enabled |  | Req. 7, Req. 10 | Restrict Access to Physical Squirrel POS Tracking Data; Audit Access to Squirrel Tracking Data |
| Access to SQL Server application folders restricted (Microsoft SQL Server 2005) |  | Req. 7 | Restrict Access to SQL Server Application Directories (SQL Server 2005) |
| Access to Windows Event Log folder audited |  | Req. 10 | Audit Access and Initialization of Windows Event Logs |
Limiting Data Retention (2 of 2)
| Procedure / Setting | Checked | PCI Req. | Section References |
| --- | --- | --- | --- |
| SysInternals’ SDelete utility downloaded / installed |  | Req. 3 | See Secure Data Deletion Squirrel PA-DSS Implementation Guide Supplement |
| Heidi Eraser utility downloaded / installed |  | Req. 3 | See Secure Data Deletion Squirrel PA-DSS Implementation Guide Supplement |
| Default locations on fixed HD disks cleaned of potential historic cardholder data (Squirrel DeleteTracks v2.10) |  | Req. 3 | See Secure Data Deletion Squirrel PA-DSS Implementation Guide Supplement |
| SQL Server database file free space cleaned |  | Req. 3 | See Secure Data Deletion Squirrel PA-DSS Implementation Guide Supplement |
| Historical SQL database backups copied to secure media and/or securely removed (Eraser.exe) |  | Req. 3 | See Secure Data Deletion Squirrel PA-DSS Implementation Guide Supplement |
POS Server and Network Hardening (2 of 2)
| Configuration Procedure | Checked | PCI Req. | Reference |
| --- | --- | --- | --- |
| Windows Remote Assistance disabled / checked |  | Req. 2 | Disable Windows Remote Assistance |
| Windows AutoRun disabled / checked |  | Req. 2 | Disable Autorun for Removable Media (CD/DVD/USB) |
| WS9L SSH Optional Module installed |  | Req. 8 | Enable WS9L SSHFS Support |
| Merchant made aware of responsibilities under PCI DSS to perform ext. / int. vulnerability scans |  | Req. 11 | Perform Routine Internal and External Vulnerability Scans |
Final System Review
| Procedure / Setting | Checked | PCI Req. | Guide Reference |
| --- | --- | --- | --- |
| Squirrel PCI Audit Log reviewed for warnings / errors indicating Browser Security misconfigured. |  |  |  |
| Object access auditing enabled for physical event log files |  |  |  |
Appendix C – Sample POS Network Topologies
The following diagrams are provided to highlight important differences between potentially compliant and noncompliant POS network configurations.
Network Configurations Supporting PCI DSS Compliance
Example A: RVL200 Router with VPN Firewall
The default Squirrel POS topology above supports compliance with PCI DSS Req 1 by:
• Employing a router (#1, Linksys RVL200) at the network perimeter to prohibit direct public access between the Internet and system components in the cardholder data environment
• Providing NAT / PAT (Network Address Translation / Port Address Translation) to prevent disclosure of the internal network’s private IP addresses (#2) and routing information to the Internet
• Implementing a stateful packet inspection (SPI) firewall at the network perimeter (#1, Linksys RVL200) to allow only “established” connections access into the POS network, in addition to a host-based firewall at the Host PC.
Example B: BEFSR41 Router with AlphaShield
The older Squirrel POS topology shown above supports compliance with PCI DSS Req 1 by:
• Employing a router (Linksys BEFSR41) at the network perimeter (#1) to prohibit direct public access between the Internet and system components in the cardholder data environment
• Providing NAT / PAT (Network Address Translation / Port Address Translation) to prevent disclosure of the internal network’s private IP addresses (#3) and routing information to the Internet
• Implementing an AlphaShield stateful packet inspection (SPI) firewall at the network perimeter (#2) to allow only “established” connections access into the POS network, in addition to a host-based firewall at the Host PC.
Network Configurations Not Supporting PCI DSS Compliance
Example A: BEFSR41 Router Without Proper Firewalls / Segmentation
The above topology does not support compliance with PCI DSS Req 1, based on the following:
• A router (Linksys BEFSR41) is present (#1) to prevent direct public connections between the Internet and systems in the cardholder data environment. However, no SPI firewall is employed to protect the network perimeter.
• While the Host PC has a host-based firewall protecting its outward-facing adapter (#2), an Office PC is present on the same network segment with no host-based firewall enabled (#3).
• The unprotected Office PC is also connected to the POS network segment via a second adapter (#4), creating a ‘flat’ network topology with potential for unrestricted traffic flows between the Internet and cardholder data environment (#5).
Example B: AlphaShield Firewall Without Router
The above topology does not support compliance with PCI DSS Req 1, based on the following:
• While an AlphaShield stateful packet inspection (SPI) firewall is employed at the network perimeter (#1), there is no router providing NAT / PAT (Network Address Translation / Port Address Translation) functions to prevent disclosure of the internal network’s private IP addresses and routing information to the Internet
• Without a router, the Host PC’s second network adapter has been assigned a public IP address (#2), creating a direct public connection between the Internet and systems in the cardholder data environment.
For further information on maintaining a secure network, and for complete merchant responsibilities under PCI
DSS Requirement 1, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml.
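The four sample topologies reduce to a handful of conditions that can be checked against an inventory of perimeter devices and host adapters. The following is an added example, not part of the Squirrel guide: the data layout, segment names ("office", "pos", "internet") and IP addresses are constructed assumptions standing in for the diagrams, which this transcription does not include.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly so that documentation ranges
# such as 203.0.113.0/24 are treated as public in the constructed samples.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def review_topology(perimeter, hosts, cde_segment="pos"):
    """Return findings for the conditions Appendix C lists under PCI DSS Req 1."""
    findings = []
    if not perimeter.get("nat"):
        findings.append("perimeter: no router providing NAT / PAT")
    if not perimeter.get("spi_firewall"):
        findings.append("perimeter: no SPI firewall")

    for host in hosts:
        segments = {segment for segment, _ in host["adapters"]}
        if cde_segment not in segments:
            continue  # host has no adapter in the cardholder data environment
        for _, ip in host["adapters"]:
            if not is_private(ip):
                findings.append(f"{host['name']}: public address {ip} on a host "
                                "in the cardholder data environment")
        if len(segments) > 1 and not host["host_firewall"]:
            joined = " and ".join(sorted(segments))
            findings.append(f"{host['name']}: bridges {joined} "
                            "without a host-based firewall")
    return findings


# Constructed inventories modelled on the appendix's descriptions.
HOST_PC = {"name": "Host PC", "host_firewall": True,
           "adapters": [("office", "192.168.1.10"), ("pos", "10.0.0.1")]}

COMPLIANT_A = {"perimeter": {"nat": True, "spi_firewall": True},
               "hosts": [HOST_PC]}

NONCOMPLIANT_A = {  # router present, no SPI firewall, dual-homed Office PC
    "perimeter": {"nat": True, "spi_firewall": False},
    "hosts": [HOST_PC,
              {"name": "Office PC", "host_firewall": False,
               "adapters": [("office", "192.168.1.20"), ("pos", "10.0.0.50")]}]}

NONCOMPLIANT_B = {  # SPI firewall present, no router, public IP on Host PC
    "perimeter": {"nat": False, "spi_firewall": True},
    "hosts": [{"name": "Host PC", "host_firewall": True,
               "adapters": [("internet", "203.0.113.10"), ("pos", "10.0.0.1")]}]}
```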
Appendix D - Sample Custodian Agreement Items
As part of compliant key management practices, merchants are required to have key custodians sign a form stating they
understand and accept their data security responsibilities. The following list provides sample items from which system owners /
administrators can develop a key custodial agreement form for authorized members of their merchant organization.
A merchant custodial agreement should convey the following:
• That staff authorized to administer Squirrel POS encryption keys (‘key custodians’) are required to sign the agreement document as a condition of employment with the merchant organization and to indicate acceptance of their custodial responsibilities.
• That the key custodian is in employment with the merchant organization on the date signed
• That the key custodian has been provided access to POS system security components (software, keyfiles, equipment, documentation, passwords) and agrees that he or she:
  o Understands that cryptographic encryption keys and information relating to the merchant organization’s PCI security infrastructure and cryptographic controls are most sensitive to the company.
  o Has read and understood the merchant organization’s information security policies and agrees to comply with those policies to the best of their ability (see PCI DSS Req. 12)
  o Understands that non-compliance with the merchant organization’s information security policies can lead to disciplinary and/or legal action.
  o Understands that exceptions to compliance will only occur where compliance would violate local, state, or federal law, or where a senior officer of the merchant organization or law enforcement officer has given prior authorization.
  o Agrees never to divulge any key management or related security system passwords, processes, security hardware or secrets associated with the merchant organization’s systems to any third party, including other key custodians, unless authorized by a senior officer of the merchant organization or required to do so by law enforcement officers.
  o Agrees to report promptly and in full to the correct merchant organization personnel, any suspicious activity, including but not limited to key compromise or suspected key compromise, and other activity which can include:
    • Indications of unauthorized system use or access.
    • Phone, email, text, or other message requests from unidentified sources requesting access to secure systems or information.
    • Unidentifiable files or applications found on systems in the cardholder data environment.
    • Unusual activity recorded in log files.
• That the key custodian has been given the ability to raise questions about the agreement and has had those questions answered satisfactorily.
• That the custodian agrees to all points and understands an original copy of the agreement will be held on their personnel record and kept by the merchant organization for an indefinite period.
• That the agreement is dated, with the custodian’s name printed & signed, and was witnessed by a senior officer of the merchant organization.
Appendix E – List of Squirrel POS System Components & Data Sources
Hardware Components
| Component Name | Purpose |
| --- | --- |
| Squirrel Host PC | Back-end application, file, and database server for Squirrel Professional POS system |
| Squirrel POS Workstation | Touchscreen client terminal used for POS order entry and FOH (front of house) system administration |
| Ethernet Switch | Provides switched Ethernet communication between the Host PC and POS Workstations |
| Router / Firewall | Provides secure routing of POS traffic to/from external networks via NAT / PAT and SPI firewall support |
| Requisition / Check Printer | 40-column printer for receipts, checks, and credit card vouchers |
| HASP USB Key | Hardware-based activation and licensing ‘dongle’ |
Software Components
| Component Name | Purpose |
| --- | --- |
| Microsoft SQL Server (2000 / 2005 / 2008) | RDBMS used to store Squirrel POS configuration and transactional data |
| Oracle (Sun) JRE 6 | Java runtime environment used by the Squirrel POS client |
| ESET NOD32 Antivirus 4 Business Edition | Antivirus protection |
Services
| Display Name | Name | Purpose |
| --- | --- | --- |
| bootpdNT | bootpdNT.exe | Bootp server for client workstations |
| Sentinel HASP License Manager | hasplms | Licensing service for Squirrel HASP |
| SQL Server (MSSQLSERVER) | MSSQLSERVER | Microsoft SQL Server service |
| Squirrel Host Service | Nthost.exe | Service |
| copSSH OpenSSHD |  | OpenSSH server used to provide SFTP (secure file transfer protocol) between Host PC and client Workstations |
Protocols
| Protocol | Purpose / Role |
| --- | --- |
| SSHFS / SFTP | Provides secure shell file transfer between Host PC and POS Workstations |
| BOOTP | Provides network boot parameters to POS Workstations |
| TCP/IP | Provides communication between the Squirrel Host Service and POS client |
| TLS / SSL | Provide encrypted transport for payment data exchanged between the Squirrel Host Service and merchant processor(s) |
Payment Application Data Files
The following data files may be present from previous Squirrel versions and/or diagnostic tracking. To support
compliance with PCI DSS Req. 3, please refer to the Squirrel Secure Data Deletion PA-DSS supplement for
procedures detailing secure removal of these files:
%sqcurdir%\host\host1\cc_*.zip
%sqcurdir%\tracking\ht*.zip
%sqcurdir%\host\host1\ccvoids.dat
%sqcurdir%\tracking\openchecksatclose.zip
%sqcurdir%\tracking\dayaft.zip
%sqcurdir%\tracking\openchecksatopen.zip
%sqcurdir%\tracking\daybef.zip
%sqcurdir%\tracking\pcm_*.dat
%sqcurdir%\tracking\dbbegin.zip
%sqcurdir%\tracking\pcm_*.lst
%sqcurdir%\tracking\dbend.zip
%sqcurdir%\tracking\pcm_*.sqe
%sqcurdir%\tracking\generationall.zip
%sqcurdir%\tracking\pcm_*.xml
%sqcurdir%\tracking\hcm_*.dat
%sqcurdir%\tracking\trak.dat
%sqcurdir%\tracking\hcm_*.lst
%sqcurdir%\tracking\trak.lst
%sqcurdir%\tracking\hcm_*.sqe
%sqcurdir%\online\xferclosepay.dat
%sqcurdir%\tracking\hcm_*.xml
* Wildcards (‘*’) are shown for files with dynamic filenames.
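To confirm whether any of the files listed above are still present before or after running the secure deletion procedures, the patterns can be checked against the Squirrel directory. This is an added example, not a Squirrel tool: the function names and the sample tree are constructed, and the caller supplies the directory that %sqcurdir% resolves to.

```python
import fnmatch
from pathlib import Path, PureWindowsPath

# Patterns copied from the list above, relative to %sqcurdir%.
PATTERNS = [
    r"host\host1\cc_*.zip", r"host\host1\ccvoids.dat",
    r"tracking\ht*.zip", r"tracking\openchecksatclose.zip",
    r"tracking\openchecksatopen.zip", r"tracking\dayaft.zip",
    r"tracking\daybef.zip", r"tracking\dbbegin.zip", r"tracking\dbend.zip",
    r"tracking\generationall.zip",
    r"tracking\pcm_*.dat", r"tracking\pcm_*.lst",
    r"tracking\pcm_*.sqe", r"tracking\pcm_*.xml",
    r"tracking\hcm_*.dat", r"tracking\hcm_*.lst",
    r"tracking\hcm_*.sqe", r"tracking\hcm_*.xml",
    r"tracking\trak.dat", r"tracking\trak.lst",
    r"online\xferclosepay.dat",
]


def find_residual_files(sqcurdir):
    """Return sorted relative paths under sqcurdir that match a listed pattern.

    File names are compared case-insensitively, as Windows would; folder
    names are taken as written in the patterns.
    """
    root = Path(sqcurdir)
    hits = set()
    for pattern in PATTERNS:
        *folders, name_pattern = PureWindowsPath(pattern).parts
        folder = root.joinpath(*folders)
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and fnmatch.fnmatchcase(
                    entry.name.lower(), name_pattern.lower()):
                hits.add(entry.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout: three files on the list, two that are not."""
    for rel in ("host/host1/cc_20140101.zip", "tracking/TRAK.DAT",
                "tracking/hcm_0001.xml", "tracking/readme.txt",
                "online/other.dat"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")  # empty placeholder, no cardholder data
```

An empty result means none of the listed files were found under that directory; it says nothing about data in free space or database files, which the supplement covers separately.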
Payment Application Database Files
The following database files are used by the Squirrel POS application to securely store cardholder data. To
support compliance with PCI DSS Req. 3, please refer to the Squirrel Secure Data Deletion PA-DSS supplement
for information on managing SQL database files.
| Protocol | Purpose / Role |
| --- | --- |
| SQL Server Database Files | \Program Files\Microsoft SQL Server\MSSQL\Data\Squirrel_Data.MDF; \Program Files\Microsoft SQL Server\MSSQL\Data\Squirrel_Log.LDF |
| Primary SQL backup device | \SqDBHouse\DBBackup\Backup\sqbackup.bak |
| Manual Database Backups | \SqDBHouse\Zipfiles\MBK*.zip |
| Weekly Database Backups | \SqDBHouse\DBBackup\Zipfiles\BKW*.zip |
| DBDD Copier Outputs | \SqDBHouse\DBBackup\DBDDBackup\*.DAT |