Date | Reference: Page, Paragraph | Revision # | Squirrel Version / Build | Comments
Aug. 12, 15 | Annual Revision (2012) | 3.00 | v1.55, v6.0, v7.0; PA-DSS v2.0 / PCI DSS v2.0 | Updated configuration for Squirrel Professional v7.0, SQL Server 2008. Now validated under PA-DSS v2.0.
Aug. 12, 15 | Annual Revision (2014) | 4.00 | v7.0, v8.0, v9.0; PA-DSS v2.0 / PCI DSS v2.0 | Updated Backoffice IDE to Microsoft Visual Studio 2010 for Squirrel Professional v8.0 and renaming to v9.0.
Disclaimer
Squirrel Systems provides this documentation as is without warranty of any kind, either express or implied. This
document could include technical inaccuracies or typographical errors. Squirrel Systems may make
improvements and/or changes at any time to the product(s) and/or program(s) described in this document.
Changes are made periodically to the information herein; these changes will be incorporated in new editions of
the document. Please check the Squirrel TechWeb frequently for such updates
(http://techweb.squirrelsystems.com).
If the merchant's systems have connections to the Internet, or transmit credit card or gift card
transactions over the Internet, the security and protection of the network, data, and applications on
that network, including protection from unauthorized access, is solely and entirely the merchant's
responsibility. A properly configured firewall is required for systems connecting to the Internet or any
private network where there is access to applications and data containing important information.
For more information on merchant data security, or to obtain copies of related Squirrel materials referenced within
this document, please contact the Squirrel Solution Center or refer to the links below:
For Squirrel Customers: http://www.squirrelsystems.com/datasecurity
For Authorized Resellers: http://techweb.squirrelsystems.com
OVERVIEW ... 8
Requirement 10: Track and monitor all access to network resources and cardholder data ... 130
Enable Windows Auditing Features ... 130
Enable SQL Server Auditing Policies ... 143
Enable Time Synchronization Features ... 147
Squirrel Browser Security Auditing ... 148
Employ Centralized Logging / Backup of Audit Trails ... 152
Requirement 11: Regularly test security systems and processes ... 160
Perform Routine Internal and External Vulnerability Scans ... 160
Test for Unauthorized Wireless Access Points ... 160
MAINTAIN AN INFORMATION SECURITY POLICY ... 161
Requirement 12: Maintain a policy that addresses information security for employees and contractors ... 161
Create a Security Policy ... 161
PART II: SQUIRREL KEY MANAGEMENT ... 163
KEY MANAGEMENT OVERVIEW ... 164
Document Purpose
This guide is offered in accordance with the requirements of the Payment Card Industry (PCI) Payment
Application Data Security Standard (PA-DSS). Derived from the Payment Card Industry Data Security Standard
(PCI DSS), the PA-DSS details what validated payment applications must support in order to facilitate a
merchant's PCI DSS compliance.
This guide provides information to those seeking to configure and deploy Squirrel POS systems in a manner
supporting merchant compliance with the PCI DSS and is divided into three parts:
- Part I, Configuring Squirrel for PCI DSS, covers configuration of the Squirrel POS system in
accordance with supporting PA-DSS / PCI DSS v2.0 requirements.
- Part II, Squirrel Key Management, details necessary procedures for supporting compliant encryption
of stored cardholder data, per PA-DSS / PCI DSS v2.0 requirements.
- Appendices include guidance on configuring strong passwords and creating a key custodian
agreement.
Intended Audience
This document is intended for the following audiences:
Squirrel POS system owners and administrators (the merchant)
Squirrel Support, Service, Sales, Training & Implementation, Manufacturing, and Product
Development personnel
Required Knowledge
This document presumes users have read the supporting documentation listed below and have knowledge of,
and operational experience with, the following:
Basic understanding of PC hardware and software
Configuration, operation, and installation of Squirrel POS software and hardware (v1.5 or higher)
Basic TCP/IP networking concepts
The following section outlines software and hardware components required to support the PCI DSS compliance
procedures outlined in this manual.
Note that procedures covering installation of minimum required software are included in this manual or supporting
reference materials.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system
via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access,
dedicated connections such as business-to-business connections, via wireless networks, or via other sources.
Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key
systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, provided they meet the minimum requirements for
firewalls as provided in Requirement 1. Where other system components are used within the cardholder data
environment to provide firewall functionality, these devices must be included within the scope and assessment of
Requirement 1.[1]
Use a Firewall between the Squirrel POS Network and External / Publicly Accessible Networks
In accordance with PCI DSS Req. 1, merchants are required to employ a firewall that performs stateful packet
inspection (SPI) to secure the cardholder data environment (CDE) from external or publicly accessible
networks.
Merchants are responsible for ensuring firewalls are properly configured and
maintained in compliance with PCI DSS requirements, and utilize access control
via strong / complex passwords.
Squirrel currently supplies the Cisco RVL 200 VPN Firewall/Router to assist
merchants in restricting traffic into the cardholder data environment from external
or publicly accessible networks.
[1] PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security
Assessment Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 20.
3) Select On.
5) Leave the Windows Firewall dialog open and continue to the next section.
Use a Firewall between Wireless and Wired Networks in the Cardholder Data Environment
Merchants are required to implement perimeter firewalls between any wireless networks and the cardholder
data environment and must configure these firewalls to deny or control traffic (if such traffic is necessary for
business purposes) from the wireless environment into the cardholder data environment.
Prohibit Direct Connection from the Internet to the Cardholder Data Environment
Per PCI DSS Requirement 1.3, merchants are reminded that systems in the cardholder data environment must
never be connected directly to the Internet.
This means the Squirrel Host PC must always be situated behind a router supporting NAT (Network Address
Translation). Use of a NAT-enabled router prevents disclosure of private IP addresses and routing information
from internal networks to the Internet, as demonstrated in the diagram below:
NOTE: Applications that permit compliant remote access to the cardholder data
environment over public networks do not constitute direct public access.
Merchants are advised to contact the Squirrel Solution Center prior to installing applications or enabling
services on the Host PC that could introduce a potential compliance risk for systems in the cardholder data
environment.
For further information on maintaining a secure network, and for complete merchant responsibilities under PCI
DSS Requirement 1, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml.
Unique Windows and SQL accounts must be created for all Squirrel POS installations.
Using system default accounts, such as the Windows Administrator or SQL Server sa
account, or failing to secure these accounts with strong passwords, violates PCI DSS
requirements.
NOTE: Do not use generic, example, or easily guessable names. The default
administrator account should be renamed such that it can only be identified by authorized
users for emergency purposes.
11) Right-click the newly renamed Administrator account and click Set Password.
13) Enter and confirm a unique, strong password for the account. See Appendix A Creating Strong
Passwords for guidance on creating strong passwords for default administrative accounts.
Securing the sa account for Microsoft SQL Server 2005 / SQL Server 2008:
Perform the following steps to assign a strong password to, then disable use of, the default SQL Server
2005 or SQL Server 2008 administrative account.
1) Login to the Host PC using your Windows administrative account
2) Open Start > Microsoft SQL Server 2005 > Microsoft SQL Server Management Studio.
4) In the Object Explorer pane, expand the local Server to open Security > Logins.
7) If not already enabled, click to select Enforce password policy and Enforce password
expiration check boxes.
NOTE: SQL Server 2005 password policies are enforced only on Windows 2003 systems
or higher, i.e. Windows Server 2003, Server 2008, or Windows 7.
8) In the Password field, enter and confirm a new, strong password for the account. See Appendix
A Creating Strong Passwords for guidance on creating strong passwords for default
administrative accounts.
12) Upon returning to the Logins menu, press the <F5> key to refresh the details pane.
13) Ensure the sa account icon changes to show a red down arrow, indicating its disabled status:
14) The default sa account is now disabled and can no longer be used for connections to SQL
Server
NOTE: The sa default administrative account cannot be disabled in SQL Server 2000.
Ensure this account is protected with a strong password.
1) Login to the Host PC using your Windows administrative account.
2) Launch Microsoft SQL Server Enterprise Manager.
3) Expand the SQL Server Group, then expand the (local) server.
7) In the Password field, enter and confirm a new, strong password for the account, then click OK. See
Appendix A Creating Strong Passwords for guidance on creating strong passwords for default
administrative accounts.
6) Enter and confirm a unique, strong password for the Linux account. See Appendix A Creating
Strong Passwords for guidance on creating strong passwords.
8) The pane refreshes to show the local <hostname>\Linux account. Click OK to commit the
change and close the dialog.
9) Confirm the <hostname>\Linux user appears in the Deny logon locally pane.
14) The Squirrel Linux account is now secured against interactive logon at the Squirrel Host PC.
Interactive Logons: Number of previous logons to cache (in case domain controller is not available) = 0*
* Workgroup only. For PCs that are part of a domain, Number of previous logons to cache should be set to 2.
11)
12) Confirm all settings, and then exit the console to commit the policy changes.
IMPORTANT
For steps on creating unique Windows accounts for members of the merchant
organization, please refer to steps under Requirement 8, Creating Unique Windows
Accounts for System Administrators.
1) Ensure any important files kept in the user's profile folder, i.e. C:\Documents and
Settings\<username>\, have been copied to another location and are available to at least one
other administrative account before proceeding with account removal.
2) Login to the Host PC using your unique Windows administrative account.
3) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel >
Administrative Tools > Computer Management > Local Users and Groups).
5) In the right-side pane, right-click the first generic or vendor-default account you wish to remove.
6) Click Delete.
IMPORTANT:
If currently using a shared or generic account for the default Browser logon (e.g.
Squirrel, or Manager, etc.), ensure you have created compliant Browser accounts
for each system administrator before proceeding.
1) Login to the Squirrel Browser using your unique Browser Security Administrative user account.
4) Select the first generic or vendor-default user you intend to remove from the This Record
dropdown.
Wireless encryption keys must be changed anytime anyone with knowledge of the keys leaves (or
steps down from a position of authority in) the merchant organization.
Security applications installed on the Squirrel Host PC, e.g. antivirus applications, etc.
Other PCs in the cardholder data environment, e.g. office PC, security DVR PCs, etc.
If using non-console access for daily procedures, e.g. daily reporting or POS operation, merchants are advised
to avoid using administrative accounts and instead add necessary non-administrative users or groups to the
Remote Desktop Users Group for such purposes.
Merchants are reminded of the potential for PCI DSS violations related to non-console
access:
Do not use any remote technologies that transmit clear-text passwords or data
Never use Telnet or rlogin for administrative access
Do not use older, insecure versions of Remote Desktop (pre-v6.0)
5) Click OK to close.
6) Sending of Remote Assistance invitations is now disabled.
NOTE: To disable the Autorun functionality in Windows XP, security update 950582,
update 967715, or update 953252 must be installed. Please refer to Microsoft KB article
967715 for further information (http://support.microsoft.com/kb/967715).
4) The Group Policy Editor snap-in opens. Expand Computer Configuration > Administrative
Templates > System.
5) In the Settings pane, right-click Turn off Autoplay, and click Properties.
6) Select Enabled.
For further information on not using vendor-supplied default passwords or security settings, and for complete
merchant responsibilities under PCI DSS Requirement 2, please refer to resources available from the PCI
Security Standards Council at https://www.pcisecuritystandards.org/index.shtml
Merchants are required by PCI DSS Req. 3.1 to develop a policy limiting retention of
cardholder data to the minimum period required for business, legal, and/or regulatory
purposes.
Merchants must purge cardholder data when storage is no longer required for any
business, legal, or regulatory purpose.
1) Open the Squirrel Browser and select Advanced Setup > Credit Card Setup.
2) Under Purge Encrypted Credit Card data older than <nnn> weeks, enter or select the number
of weeks after which posted credit card data will be purged from the Squirrel database.
[2] PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011].
NOTE: The following procedures are intended for merchants who use payment solutions
that depend on encrypted cardholder data being stored in the Squirrel POS application
database. For merchants who use tokenized payment solutions, i.e. do not store
cardholder data in the application database, Squirrel advises the Purge Encrypted Credit
Card data flag still be enabled in support of merchant compliance efforts.
For more information on tokenization solutions available for the Squirrel POS system, please contact your
authorized Squirrel sales representative.
NOTE: Terminal/Host Message and Terminals Touch Tracking controls may be left
enabled. With Credit Card Interface Tracking disabled, these tracking mechanisms are
designed to filter (truncate) cardholder values from diagnostic data collected.
NOTE: PAN masking for the Customer credit card voucher is engaged by default for all
Squirrel versions. PAN masking for both the Customer and Merchant copies is default for
Squirrel Version 7.0 and up.
To engage PAN masking on both Merchant and Customer card vouchers in Squirrel versions 1.55 or 6.0,
complete the following steps.
1) Login to the Squirrel Browser using your Browser Security Administrative account.
2) Click Utilities > POS Extensions.
3) The sqPOSExtensions dialog appears.
5) Under Available Extensions, scroll down to the [Vouch] group heading and click the
MerchMaskVouch extension.
6) Click the right arrow button to move MerchMaskVouch into the Selected Extensions
pane.
NOTE: Squirrel strongly advises merchants to disable full PAN decryption for all Browser
groups. Viewing of full PAN data, even by authorized users, should only be done when
absolutely necessary for business purposes, i.e. if the processor is unable to provide a
PAN lookup or cross-reference by other means, such as an approval (auth) code, token,
or partial PAN.
4) Change to the next record and repeat steps above to deselect the flag for all additional Browser
Users.
5) Exit Browser Users, ensuring to save.
6) Test viewing Browser displays, including Check Adjust and the Credit Card Detail Report, for
each Browser Group to verify only partial (masked) PAN data is displayed.
Merchants are required by PCI DSS Req. 3.3 to limit display of PAN data to only
those members of the merchant organization or supporting party whose job requires
such access.
Merchants who fail to engage Squirrel Browser Security or properly engage PAN
masking cannot be compliant with the PCI DSS.
Diagnostic data (credit card tracking) from all versions of Squirrel POS software
Database backups from previous versions of Squirrel POS software
System age, upgrade/installation path, and diagnostic history are the main determinants as to whether or not
prohibited or insecure cardholder data may be present. Please refer to the Squirrel Secure Data Deletion:
PA-DSS Implementation Guide Supplement for further information on secure data removal.
Prohibited historical cardholder data (magnetic stripe data, card validation codes,
PINs, or PIN blocks) MUST be removed for PCI compliance.
Failure to check for and securely remove files known to contain potential prohibited
cardholder data violates PCI DSS requirements.
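The two checks the guide asks for above, confirming that Browser displays and reports show only masked PANs, and checking diagnostic and backup files for prohibited historical data, can be scripted against exported text. The following is an added example, not Squirrel code: it masks a PAN to the PCI DSS 3.3 display form (at most the first six and last four digits), and scans text lines for Luhn-valid 13 to 19 digit sequences and for Track 2 (magnetic stripe) records. The log lines are constructed for the example; the PANs in them are the public 4111 1111 1111 1111 and 5500 0000 0000 0004 test numbers, and the Track 2 pattern is a simplified ISO 7813 layout (start sentinel `;`, PAN, `=`, YYMM expiry, end sentinel `?`), not a parser for every card format.

```python
"""Detect unmasked PANs and Track 2 data in diagnostic/tracking text, and mask
PANs for display. Added example, not Squirrel code; sample lines are constructed."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not adjoining other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified Track 2: start sentinel, PAN, field separator, 4-digit expiry YYMM, rest, end sentinel.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_valid(digits):
    """Luhn check over a string of digits; filters out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS 3.3 display form: at most the first six and last four digits, rest masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_track2(line):
    """Return the PANs of any Track 2 records found in the line."""
    return [pan for pan, _yymm in TRACK2.findall(line)]


def find_unmasked_pans(line):
    """Return Luhn-valid 13-19 digit sequences in the line (masked values never match)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_lines(lines):
    """(line_no, kind, masked_pan) for every finding; a Track 2 hit subsumes its PAN."""
    findings = []
    for no, line in enumerate(lines, start=1):
        track_pans = find_track2(line)
        for pan in track_pans:
            findings.append((no, "track2", mask_pan(pan)))
        for pan in find_unmasked_pans(line):
            if pan not in track_pans:
                findings.append((no, "pan", mask_pan(pan)))
    return findings


# Constructed sample of tracking output: line 1 is correctly masked, line 3 is a
# 16-digit order reference that fails Luhn, lines 2 and 4 are the leaks to catch.
SAMPLE_LINES = [
    "2011-02-24 10:01:12 TRK auth ok pan=411111******1111 auth=A1B2C3",
    "2011-02-24 10:02:40 TRK auth ok pan=4111111111111111 auth=D4E5F6",
    "2011-02-24 10:03:05 TRK order_ref=1234567890123456 status=posted",
    "2011-02-24 10:04:59 TRK raw swipe ;5500000000000004=1512101?",
]

if __name__ == "__main__":
    for no, kind, masked in scan_lines(SAMPLE_LINES):
        print(f"line {no}: unmasked {kind} data ({masked})")
```

Run against the sample it reports line 2 (a full PAN) and line 4 (Track 2 data) and stays silent on the masked value and the order reference; the findings themselves carry only the masked PAN, so the scan output can be filed without creating a new copy of cardholder data.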
For further information on protecting stored cardholder data, and for complete merchant responsibilities under PCI
DSS Requirement 3, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Merchants who choose to transmit PANs via end-user messaging technologies are
required by PCI DSS Req 4.2 to use encrypted transmission, i.e. encrypted email
(PGP, etc).
For further information on encrypting transmission of PANs, and for complete merchant responsibilities under PCI
DSS Requirement 4, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
[3] PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 26.
PCI Security Standards Council, "PCI DSS Requirements and Security Assessment Procedures, v1.2",
<https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf>, p. 26.
Merchants who fail to install or properly configure and maintain an updated antivirus
solution on all commonly affected systems in the cardholder data environment cannot
be compliant with Requirement 5 of the PCI DSS
For further information on antivirus software requirements, and for complete merchant responsibilities under PCI
DSS Requirement 5, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
[4] PCI Security Standards Council, "PCI DSS Requirements and Security Assessment Procedures, v1.2",
<https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf>, p. 28.
2) Set updates to Automatic (recommended). Leave the default download date and time set to
Everyday, 3:00 AM, unless this time conflicts with active merchant operations.
2) Internet Explorer opens to www.update.microsoft.com and checks for the latest version of
Windows update software.
NOTE: If Microsoft Update is already installed, the welcome page refreshes to read
Welcome to Microsoft Update.
8) If prompted with the Information Bar dialog, click to select the Do not show this message again
check box, then click OK to close.
11) When finished, the page refreshes to display Microsoft Update setup is complete.
3) Microsoft Update checks for the latest updates to Windows and installed Microsoft applications.
7) Updates for the Windows Genuine Advantage Validation Tool begin downloading.
10) Outstanding high-Priority updates for the PC are displayed. Click Install updates.
13) If prompted to install Internet Explorer 8, select I do not want to participate right now and
click Install to continue.
Otherwise, if IE8 has already installed, continue to Step# 18.
18) When updates are complete, click Restart Now to restart the PC (if prompted).
28) The Microsoft Update website requests to install a new ActiveX control. Right click the information
bar and select Run Add-on.
32) Microsoft Update detects outstanding updates and prompts for installation. Click Install Updates.
34) When updates are complete, click Restart Now to restart the PC.
37) Continue performing update checks until Microsoft Update no longer detects any missing High-priority
updates.
3) Ensure Check for Updates Automatically is selected. In the Notify Me drop-down menu, select
Before Installing.
4) Click Advanced.
5) Select Weekly frequency, with the update check for every Sunday at 12:00 AM. Click OK to
close.
6) Click Update Now to check online for the latest Java update.
10) If prompted, click to clear any check boxes offering installation of optional software (e.g. Google
Toolbar, Open Office, etc.). Confirm additional software offers are not selected, then click Next.
Fig. 1 - Sample OSI scan before patching
Fig. 2 - Sample OSI scan after patching
Merchants are solely responsible for ensuring all critical systems have the most recent,
appropriate software updates to protect against exploitation or compromise of cardholder
data.
Failure to check for and regularly apply critical updates to all system components in the
cardholder data environment causes risk for compliance with PCI DSS Requirement 6.
For further information on maintaining secure systems, and for complete merchant responsibilities under PCI DSS
Requirement 6, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Restricts access to cardholder data and POS configuration settings, including Security and Advanced
Setup components, based on employee security / job level
Enforces masking of PAN (Primary Account Number) in Browser interfaces and reports
Provides PCI-required timeout controls to lock idle Browser sessions.
Audits user activity for access to application-level components, as required by the PCI DSS.
Merchants are required to enable Browser Security and limit access to system
components and cardholder data to only individuals whose job requires such access.
Merchants who fail to engage Squirrel Browser Security or properly engage required
security controls cannot be compliant with the PCI DSS.
Please refer to Requirement 8: Assign a unique ID to each person with computer access for information on
what Browser Security configuration is necessary to support PCI DSS compliance.
[6] PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 35.
5) Under Browser Choices For the Selected Page, click to clear the Tracking browser choice
check box.
NOTE: If Grayed Browser Choice Means is already set to the recommended default Not
Selected, greyed options are already unavailable by default.
6) Click Test.
8) Repeat steps 4-6 for all other non-administrative Browser Security Groups and confirm the
Tracking option is not available to each.
9) Save settings, then Exit Browser Users.
Use a Limited Windows Account for POS Operations (Squirrel Users Setup)
Windows administrative accounts must not be used for normal POS operations. To support compliance with the
PCI DSS, a Limited User account can be created and configured for use during most daily operations.
a) User name: Type a unique username for this limited user account.
NOTE: Ensure the user name is unique to the merchant installation, i.e. do not use
generic, easily guessable, or sample names like admin, squirrel, etc.
b) Description: Type a description for this account, e.g. Squirrel POS Limited User
Account.
c) Click to clear the User must change password at next logon check box.
d) Enter and confirm a strong Password for the account. See Creating Strong Passwords for
guidance, if necessary.
e) Leave all other settings at default and click OK to close the New User dialog.
6) Close the Local Users and Groups snap-in.
5) The SquirrelUsers dialog refreshes to show a new Windows Group called Squirrel Users (under
Current Security Groups), along with the list of new privileges, registry permissions, and service
control rights that are granted to the group.
7) The Add Existing Account to Squirrel Users dialog opens. Under the List of Local Windows
Accounts only, locate and double-click the Windows Limited User account created previously in
Create a Windows Limited User Account.
8) The account name appears in the Selected Users field. Click Add Selected User.
9) The dialog closes and the selected user is added to the Members of Squirrel Users Group
pane.
10) Click Exit to close the SquirrelUsers application and continue to the next section below for
additional setup.
7) The pane refreshes to show the <hostname>\Squirrel Users group. Click OK.
8) The Squirrel Properties dialog refreshes to show the Squirrel Users group. Click to select the
Squirrel Users group, then under Allow, click to enable the Write check box.
NOTE: For SQL Server 2000 configuration steps please continue to the next section,
SQL Server 2000: Create Unique SQL Logins for Database Access.
4) In the Object Explorer pane, expand the local Server to open Security > Logins.
NOTE: Always ensure account names are unique to the merchant installation. Do not use
generic, easily guessable, or example names like admin, squirrel, etc.
NOTE: SQL Logins used by Squirrel cannot contain the following characters in either the
Name or Password: semi-colons ( ; ), double-quotation marks ( " ), or blank spaces.
d) Leave the default Enforce password policy and Enforce password expiration options
checked.
NOTE: SQL 2005 password policy flags are enforced only on Windows 2003 systems or
higher. In Windows XP, the Enforce password policy flag only prevents creation of very
weak passwords, such as null (empty), PC name, existing Windows user name, or any of
the following: "password", "admin", "administrator", "sa", or "sysadmin".
e) Click to clear the User must change password at next login check box.
f) Default Database: Click to select the Squirrel database as the default database.
g) Leave Default Language at the <default> setting.
10) Click OK to close the properties menu and create the new login.
11) Confirm the new SQL Login appears in the Logins folder.
12) Repeat Steps #1 - 10 above to create a second, unique SQL Login with the same settings and
permissions.
14) Exit SQL Server Management Studio and proceed to the next section for further configuration.
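The sa hardening steps and the two unique SQL Login steps above are both GUI procedures; an administrator scripting a rollout will want the same result as a T-SQL script that can be reviewed before it is run. The following is an added example, not Squirrel Systems' tooling: it validates candidate login names and passwords against the rules the guide states (no semi-colons, double quotes or blank spaces; none of the literal values the Windows XP policy rejects; no generic names such as admin or squirrel), and then emits T-SQL for SQL Server 2005/2008 that sets a policy-checked password on sa, disables sa, and creates the two logins with CHECK_POLICY and CHECK_EXPIRATION on, no MUST_CHANGE (the guide clears "User must change password at next login"), and Squirrel as the default database. Appendix A is not reproduced on this page, so the length and mixed letters/digits floor is taken from PCI DSS v2.0 Requirements 8.5.10 and 8.5.11 as an assumption; the login names in the demonstration are constructed, and the SQL Server 2000 path (Enterprise Manager, sa cannot be disabled) is not covered.

```python
"""Build a reviewable T-SQL script that hardens sa and creates the two unique
Squirrel SQL logins (SQL Server 2005/2008). Added example, not Squirrel tooling."""
import secrets
import string

FORBIDDEN_CHARS = set(';" ')                       # rejected by Squirrel in names and passwords
WEAK_LITERALS = {"password", "admin", "administrator", "sa", "sysadmin"}  # XP policy rejects these
GENERIC_NAMES = {"admin", "squirrel", "sa"}        # generic/example names the guide warns against
MIN_PASSWORD_LENGTH = 7                            # PCI DSS v2.0 Req 8.5.10 (assumed Appendix A floor)


def validate_login_name(name):
    """True if the name is usable as a Squirrel SQL login."""
    return bool(name) and not (FORBIDDEN_CHARS & set(name)) and name.lower() not in GENERIC_NAMES


def validate_password(password, pc_name="", windows_users=()):
    """True if the password passes the guide's literal checks and the PCI DSS floor."""
    low = password.lower()
    if not password or FORBIDDEN_CHARS & set(password):
        return False
    if low in WEAK_LITERALS or low == pc_name.lower() or low in {u.lower() for u in windows_users}:
        return False
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    # PCI DSS v2.0 Req 8.5.11: both numeric and alphabetic characters.
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def generate_password(length=20):
    """Random password from an alphabet without the characters Squirrel rejects or the quote."""
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in FORBIDDEN_CHARS and c != "'")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if validate_password(candidate):
            return candidate


def _bracket(identifier):
    # Same escaping as T-SQL QUOTENAME(): a ']' inside the identifier is doubled.
    return "[" + identifier.replace("]", "]]") + "]"


def _literal(value):
    # N'...' string literal with embedded single quotes doubled.
    return "N'" + value.replace("'", "''") + "'"


def build_hardening_script(sa_password, logins, database="Squirrel"):
    """logins: iterable of (login_name, password) for the two ODBC logins; returns T-SQL text."""
    if not validate_password(sa_password):
        raise ValueError("sa password fails policy")
    logins = list(logins)
    if len(logins) != 2:
        raise ValueError("the Squirrel ODBC connection needs exactly two unique logins")
    names = [n for n, _ in logins]
    if len(set(names)) != 2 or not all(validate_login_name(n) for n in names):
        raise ValueError("login names must be unique and free of ';', '\"' and spaces")
    if not all(validate_password(p) for _, p in logins):
        raise ValueError("a login password fails policy")
    db = _bracket(database)
    lines = [
        "-- Step 1: strong password on sa with Windows policy enforced, then disable sa.",
        f"ALTER LOGIN [sa] WITH PASSWORD = {_literal(sa_password)}, CHECK_POLICY = ON, CHECK_EXPIRATION = ON;",
        "ALTER LOGIN [sa] DISABLE;",
    ]
    for name, pw in logins:
        lines += [
            f"-- Unique login {name}: policy flags on, no MUST_CHANGE, default database Squirrel.",
            f"CREATE LOGIN {_bracket(name)} WITH PASSWORD = {_literal(pw)}, CHECK_POLICY = ON, "
            f"CHECK_EXPIRATION = ON, DEFAULT_DATABASE = {db};",
            f"USE {db};",
            f"CREATE USER {_bracket(name)} FOR LOGIN {_bracket(name)};",
            "-- Grant only the database roles the installation needs (not reproduced here).",
        ]
    in_list = ", ".join(_literal(n) for n in ["sa"] + names)
    lines += [
        "-- Verification: sa shows is_disabled = 1; every login shows both policy flags = 1.",
        "SELECT name, is_disabled, is_policy_checked, is_expiration_checked",
        f"FROM sys.sql_logins WHERE name IN ({in_list});",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed login names; they stand in for the Enter_Full_Decrypt_ID and
    # Enter_Partial_Decrypt_ID placeholders the Browser prompts for later.
    print(build_hardening_script(
        generate_password(),
        [("sqpos_full_decrypt", generate_password()), ("sqpos_partial_decrypt", generate_password())],
    ))
```

The closing SELECT against sys.sql_logins is the scripted equivalent of step 13 above (the red down arrow on the sa icon): is_disabled = 1 for sa and is_policy_checked = is_expiration_checked = 1 for every login is the state the guide asks for.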
SQL Server 2000: Create Unique SQL Logins for Database Access
Complete the following steps to create the two unique SQL Logins necessary for the Squirrel application
to connect with SQL Server 2000.
1) Login to the Host PC using your Windows administrative account.
2) Launch Microsoft SQL Server Enterprise Manager.
3) Expand SQL Server Group, then expand (local) server to Security > Logins.
4) Click the new object icon (*) on the tool bar at the top to begin creating a new SQL Login.
NOTE: Always ensure account names are unique to the merchant installation. Do not use
generic, easily guessable, or example names like admin, squirrel, etc.
NOTE: SQL Logins used by Squirrel cannot contain the following characters in either the
Name or Password: semi-colons ( ; ), double-quotation marks ( " ), or blank spaces.
d) Defaults: Select the Squirrel database for the default database. Leave Language at the
default setting.
6) Click the Server Roles tab.
9) Under Specify which databases can be accessed by this login, click to select the Squirrel
database.
12) Confirm the new SQL Login appears in the Logins pane.
13) Repeat steps #1 to #11 above to create a second unique SQL Login, using the same settings
and permissions.
14) When finished, confirm an icon for each new SQL Login appears in the Logins pane.
15) Exit Enterprise Manager and proceed to the following sections for further configuration.
IMPORTANT:
Before changing the Squirrel ODBC DSN to use SQL Authentication, ensure all
installed optional products or partner systems which share the Squirrel DSN or
connect to the Squirrel SQL Server are capable of supporting SQL Authentication,
and have been reconfigured accordingly.
Perform the following steps to change the Squirrel ODBC connection to use SQL Authentication:
1) From the Run command, type odbcad32 (or, alternately, use Control Panel > Administrative
Tools > Computer Management > Data Sources (ODBC)).
4) The Microsoft SQL Server DSN Configuration dialog appears. Click Next to confirm the existing
DSN name and local server.
5) Select With SQL Server authentication using login ID and password entered by the user.
7) Under Login ID, type the username of either of the two SQL Logins configured in the previous
section.
8) Enter the password for this SQL Login and click Next to continue.
NOTE: SQL credentials entered in this dialog are used only by ODBC setup for
temporary SQL server access. They are not retained for future database connections.
11) On the final setup screen, click Test Data Source to confirm ODBC can connect to SQL server.
12) Once the data source connection has tested successful, click OK and close the ODBC Data
Source Administrator.
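The two checks a practitioner wants after the SQL Login and ODBC steps above, as an added example that is not part of the Squirrel guide: validate each candidate login name and password against the character restriction stated in the NOTE (plus the PCI DSS v2.0 length and alphanumeric rules), then open a connection with SQL Authentication and confirm which login and default database the server actually used, which is what the ODBC Test Data Source button proves. Windows PowerShell 2.0 or later on the Host PC, the instance name .\SQUIRREL, the database name Squirrel and both login names/passwords are assumptions.

```powershell
# Added example, not from the Squirrel guide. Instance name, database name and the two
# credentials below are placeholders; replace them with the values used at the site.

function Test-SquirrelSqlCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Password
    )
    # Semi-colons, double quotes and blanks are rejected by the Squirrel application.
    $forbidden = '[;" ]'
    $problems = @()
    if ($Name -match $forbidden)     { $problems += "login '$Name': name contains ; `" or a blank" }
    if ($Password -match $forbidden) { $problems += "login '$Name': password contains ; `" or a blank" }
    # PCI DSS v2.0 Req. 8.5.10 / 8.5.11: at least 7 characters, containing both letters and digits.
    if ($Password.Length -lt 7 -or $Password -notmatch '[A-Za-z]' -or $Password -notmatch '[0-9]') {
        $problems += "login '$Name': password shorter than 7 characters or not alphanumeric"
    }
    return $problems
}

function Test-SqlAuthConnection {
    param(
        [Parameter(Mandatory = $true)][string]$Login,
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$Server   = '.\SQUIRREL',   # assumed instance name
        [string]$Database = 'Squirrel'
    )
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']         = $Server
    $csb['Initial Catalog']     = $Database
    $csb['Integrated Security'] = $false      # force SQL Authentication, not the Windows account
    $csb['User ID']             = $Login
    $csb['Password']            = $Password
    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # SUSER_SNAME() confirms which login the server authenticated;
        # DB_NAME() confirms the default database chosen in step d) above.
        $cmd.CommandText = 'SELECT SUSER_SNAME(), DB_NAME()'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        New-Object PSObject -Property @{ Login = $reader.GetString(0); Database = $reader.GetString(1); Ok = $true; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Login = $Login; Database = $Database; Ok = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage: the two unique SQL Logins (placeholder names and passwords) from the previous section.
$logins = @(
    @{ Name = 'SqFullDecrypt';    Password = 'Replace-Me-1234' },
    @{ Name = 'SqPartialDecrypt'; Password = 'Replace-Me-5678' }
)
foreach ($l in $logins) {
    $problems = Test-SquirrelSqlCredential -Name $l.Name -Password $l.Password
    if ($problems) { $problems | Write-Warning; continue }
    Test-SqlAuthConnection -Login $l.Name -Password $l.Password | Format-List Login, Database, Ok, Error
}
```

A result with Ok = $false and an error mentioning "Login failed" usually means the server is still in Windows Authentication mode only; switch the server to SQL Server and Windows Authentication mode and restart it before re-testing. A result whose Database is master rather than Squirrel means the Defaults step above was skipped for that login.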
3) Under Login ID, type the username of either of the two SQL Logins configured in the previous
section.
4) Under Password, type the corresponding password for the SQL Login and click OK.
5) The Squirrel Browser connects to SQL Server, and to the Squirrel database (if Browser Security
is enabled, cancel any Browser login prompts that appear).
6) Open the Tools menu and click Database Preferences.
10) The first of two SQL Server Login dialogs appears, prompting for the Login ID
Enter_Full_Decrypt_ID.
NOTE: This same SQL Login must also be used during configuration of Key
Management. See Creating a Keyfile (sqKeys) for further details.
13) A second SQL Server Login dialog appears, prompting for the Login ID
Enter_Partial_Decrypt_ID.
14) Erase the Login ID and type the username of the second SQL Login you created for database
access.
20) Login and access at least one setup screen or report to confirm information can be read from the
Squirrel database without any further request for SQL Login credentials.
NOTE for SQL Server 2000: When using SQL authentication, full PAN decryption via
Squirrel Reports (e.g. Credit Card Detail Report, Payments Report, etc.) is not available
until unique merchant encryption keys (bound to a specific SQL Login) are implemented.
Please see Part II: Squirrel Key Management for further setup.
NOTE for SQL Server 2005 and SQL Server 2008: When using SQL authentication, full PAN
decryption in the Squirrel Browser is available only on a per-record basis via Check
Adjust. Full PAN decryption via Squirrel Reports (e.g. Credit Card Detail Report,
Payments Report, etc.) is no longer supported for SQL Server 2005 and later.
21) Proceed to the next section to continue with additional required setup.
Do not attempt to modify permissions on the parent Squirrel folder. Ensure the dialog
displays the title Tracking Properties before proceeding with any edits.
5) Click Advanced.
6) The Advanced Security Settings for Tracking dialog opens to the Permissions tab.
Note the Permission entries pane shows permissions for the Tracking folder and contents, with
all permissions inherited from the parent and root folders, i.e. C:\ or C:\Squirrel.
8) A Security dialog appears, warning that permissions inherited from the parent folder will no
longer be applied to child objects. Click Copy.
9) Permissions are copied to the Tracking folder and the dialog now refreshes to show all
permissions as <not inherited>.
10) Use SHIFT+CLICK to select and highlight all non-administrative groups or individual user
accounts listed, i.e. only the following four entries should remain deselected:
a) Squirrel Users (group)
b) Administrators (group)
c) SYSTEM
d) CREATOR OWNER
12) Highlighted entries are removed, leaving only Squirrel Users, Administrators, SYSTEM, and
CREATOR OWNER.
Permission                        Allow
Full Control                      (Clear)
Traverse Folder / Execute File    Select
List Folder / Read Data           (Clear)
Read Attributes                   Select
Read Extended Attributes          Select
Create Files / Write Data         Select
Create Folders / Append Data      Select
Write Attributes                  Select
Write Extended Attributes         Select
Delete Subfolders and Files       Select
Delete                            (Empty)
Read Permissions                  Select
Change Permissions                (Empty)
Take Ownership                    (Empty)
Restrict Access to SQL Server Application Directories (SQL Server 2005 / SQL Server 2008)
Microsoft recommends modifying the ACL (Access Control List) on certain MSSQL directories to restrict access
to only system Administrators and the SYSTEM account.
1) Logon to the Host PC using your Windows administrative account.
2) Use Windows Explorer to navigate to the following folder for SQL version installed:
a) For SQL Server 2005: \Program Files\Microsoft SQL Server\MSSQL.1\MSSQL
b) For SQL Server 2008: \Program Files\Microsoft SQL Server\MSSQL.10\MSSQL
5) Click Advanced.
8) A Security dialog appears, warning that permissions inherited from the parent folder will no
longer be applied to child objects. Click Copy.
9) Permissions are copied to the selected folder and the dialog now refreshes to show Inherited
From as <not inherited>.
10) Use SHIFT+CLICK to select and highlight all non-administrative groups or individual user
accounts listed, i.e. only the following entries should remain unselected:
a) Administrators (group)
b) SYSTEM
12) Highlighted entries are removed, leaving only Administrators and SYSTEM.
13) Click OK, then Close to exit the Data folder properties dialog.
14) Right-click the \Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn folder (MSSQL.10 for
SQL Server 2008) and repeat steps #3 - 13 above for this folder.
15) When finished, only the Administrators and SYSTEM entries remain for the Binn folder.
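The Tracking-folder procedure and the SQL Server directory procedure above are the same ACL operation applied with different keep-lists, so one script can do both. The following is an added example, not Squirrel's own tooling: it stops inheritance while copying the inherited entries (the Copy button), purges every entry whose identity is not on the keep-list, and for the Tracking folder replaces the copied Squirrel Users entry with exactly the rights marked Select in the table. The folder paths, the local group name Squirrel Users and the MSSQL.10 instance directory are assumptions; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the Squirrel guide. Paths and the "Squirrel Users" group name are assumptions.

function Protect-FolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string[]]$KeepIdentities   # e.g. 'BUILTIN\Administrators'
    )
    $acl = Get-Acl -Path $Path
    # SetAccessRuleProtection(isProtected = $true, preserveInheritance = $true) is the "Copy" choice:
    # inherited entries become explicit entries on this folder.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    $acl = Get-Acl -Path $Path
    $present = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    foreach ($id in $present) {
        if ($KeepIdentities -notcontains $id) {
            # Steps 10-12 above: remove every entry for identities that are not on the keep-list.
            $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($id)))
        }
    }
    Set-Acl -Path $Path -AclObject $acl
    return (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Set-SquirrelTrackingAcl {
    param(
        [string]$Path = 'C:\Squirrel\Tracking',                          # assumed
        [string]$UsersGroup = "$env:COMPUTERNAME\Squirrel Users"         # assumed local group name
    )
    Protect-FolderAcl -Path $Path -KeepIdentities @($UsersGroup, 'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM', 'CREATOR OWNER') | Out-Null
    # Rights marked "Select" in the table. ListDirectory (List Folder / Read Data), Delete,
    # ChangePermissions and TakeOwnership are deliberately absent: POS users may append
    # tracking data but not read it back, delete it, or re-permission the folder.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $rights = $fsr::ExecuteFile -bor $fsr::ReadAttributes -bor $fsr::ReadExtendedAttributes -bor
              $fsr::WriteData -bor $fsr::AppendData -bor $fsr::WriteAttributes -bor
              $fsr::WriteExtendedAttributes -bor $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ReadPermissions
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UsersGroup, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)      # replaces the copied Squirrel Users Allow entry with this one
    Set-Acl -Path $Path -AclObject $acl
    return (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights
}

function Set-SqlDirectoryAcl {
    param(
        [string]$InstanceRoot = 'C:\Program Files\Microsoft SQL Server\MSSQL.10\MSSQL',   # SQL Server 2008 default
        [string[]]$ExtraKeep = @()     # e.g. the SQL Server service account if it is not LocalSystem
    )
    foreach ($sub in 'Data', 'Binn') {
        Protect-FolderAcl -Path (Join-Path $InstanceRoot $sub) `
            -KeepIdentities (@('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') + $ExtraKeep)
    }
}

# Usage:
Set-SquirrelTrackingAcl
Set-SqlDirectoryAcl
```

One caveat before running Set-SqlDirectoryAcl: SQL Server 2005 and 2008 setup grants the service account access to Data and Binn through a per-instance local group (named like SQLServerMSSQLUser$HOST$INSTANCE). If the SQL Server service runs under anything other than LocalSystem, keep that group or account with -ExtraKeep, otherwise the instance will fail to start after the purge. Record the existing ACL (Get-Acl | Format-List) before changing it so it can be restored.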
NOTE: Users are advised to first Create Unique Windows Accounts for System
Administrators (Req. 8) and Remove Generic or Vendor-Default Windows Administrative
Accounts (Req. 2) before reviewing final Administrators group membership.
To confirm and edit membership in the Windows Administrators group, complete the following steps:
1) Login to the Host PC using your Windows administrative account.
2) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel and select
Administrative Tools > Computer Management > Local Users and Groups).
3) The Local Users and Groups snap-in opens. Click Groups.
5) Under Members, confirm that only those accounts with a legitimate business need for
administrative rights and privileges are listed.
6) For any account listed that does not require Windows administrative rights, click the account to
highlight it.
7) Click Remove to revoke the account's membership in the Administrators group.
8) When finished, click OK to close.
The Squirrel Linux account is created during Squirrel software installation as a member
of the Windows Users group. As part of previous troubleshooting efforts, however, some
merchant installations may have had this account added to the local Administrators
group.
Squirrel does not require the Linux account to have administrative rights or permissions
for POS operation.
The Linux account must be removed from the local Administrators group to support
compliance with the PCI DSS. Failure to properly restrict the Squirrel Linux account, as
outlined in this guide, violates PCI DSS requirements.
For further information on restricting cardholder data access, and for complete merchant responsibilities under
PCI DSS Requirement 7, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
IMPORTANT
Merchants are advised to review anticipated operational impact with affected members
of their merchant organization before implementing account or policy changes for
Squirrel POS system components.
Ensure system account holders are notified well in advance of any changes to
password complexity, history, or lockout policy requirements, and expressly instruct
account holders that sharing or disclosing passwords for individual user accounts
violates PCI DSS requirements.
7. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 37
1) Open the Squirrel Browser and click Utilities/Security Browser Security Groups.
2) Click the * button to create a new Browser Security Group.
3) Enter a meaningful Group Name for the new group, e.g. Administrators.
Unless there is a strong business need to do so, merchants are advised to configure
only one security group with the Complete Access flag.
5) Click to enable the 15 Minute Timeout check box. This setting is required to ensure the Squirrel
Browser sessions are automatically locked after 15 minutes of inactivity (supporting compliance
with PCI Req. 8.5.15).
6) Click to enable the Hide Sys Monitor check box.
7) Exit Browser Security Groups and answer Yes to save the record.
Squirrel strongly recommends merchants leave the Grayed Browser Choice Means
option set to the default value Not Selected, to support the assigning of group
permissions in accordance with principles of least privilege.
6) Use the Test button to confirm each Browser page offers access to only the selected links.
7) When finished, Exit Browser Security Groups and click Yes to save the record.
Merchants who use generic or shared accounts, e.g. Admin, Manager, Squirrel,
etc. to access the Squirrel Browser cannot comply with requirements of the PCI DSS.
4) Click to select the corresponding POS Employee from the Employee dropdown, e.g. John
Smith.
Do not select the generic Default employee. The corresponding POS employee record
must be selected to comply with PCI DSS auditing requirements.
5) Select your Browser Security Administrative group from the Security Group dropdown.
6) Have the employee type a strong Password for the account, then re-enter in the Confirm
Password field.
7) Configure the remaining Browser User flags per the table below:
NOTE: If not already in use, Squirrel Browser Security is enabled upon exit. You must
click OK to exit the current unauthenticated session and login to continue.
9) Login to the Squirrel Browser using the account and test credentials to ensure it has access to all
Browser links.
Create Unique Browser Users for All Other Members of the Merchant Organization
All members of the merchant organization who access the Squirrel application via the Squirrel Browser must
have his or her own, unique Browser User. Perform the following to create additional non-administrative
Browser User accounts:
1) Repeat steps #1 - 4 from the Create a Browser Security Administrator to start a new Browser
User record.
2) Select an appropriate Browser Security Group that grants the new user access to only those
areas necessary for their role in the merchant organization.
3) Ensure the same security flags are set to the following PCI-required minimums for each Browser
user:
Flag                                                                          Setting
New password must be Different than last password used                        Checked (Yes)
New password must be 8 or more characters and contain letters and numbers     Checked (Yes)
Disabled                                                                      Unchecked (No)
5) Leave the console open and continue with configuring Windows Account Lockout Policies below.
NOTE: For more information on the impact of Windows password complexity requirements,
please see Appendix A - Creating Strong Passwords.
3) Click OK to accept automatically activating the remaining two lockout policies (Account Lockout
Duration and Reset) with required default values.
4) Re-check all policies to ensure they are configured according to the corresponding values in the
table below:
5) Close Local Security Policy. Upon exiting, the above policies are now active.
5) The Screen Saver Properties dialog appears. Select Enabled, then click OK to commit changes
and close the dialog.
8) The Screen Saver executable name Properties dialog appears. Select Enabled.
9) Under Screen Saver executable name, type logon.scr. This enables the default Windows XP
logo screensaver.
10) Click OK to commit changes and close the dialog.
11) The Screen Saver executable name state changes to read Enabled.
13) The Password protect the screen saver Properties dialog appears. Select Enabled, then click
OK to commit changes and close the dialog.
14) The Password protect the screen saver state changes to read Enabled.
NOTE: PCI DSS Req. 8.5.15 requires that idle sessions time out after no more than 15 minutes,
so 900 seconds is the largest permitted value. If a shorter timeout is desired, enter a smaller
value (in seconds), e.g. 600 (10 mins.), 300 (5 mins.), etc. before closing the dialog.
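Both the Local Security Policy steps (password and lockout policy) and the screen-saver policy steps above are easy to get subtly wrong in a GUI, so here is an added verification script, not part of the Squirrel guide. It parses the output of net accounts and compares it with the PCI DSS v2.0 values (Req. 8.5.9 to 8.5.14: 90-day maximum password age, 7-character minimum, 4-password history, lockout after at most 6 attempts, lockout for at least 30 minutes), and reads back the four registry values the gpedit screen-saver policies write. The sample net accounts output is constructed for an English-language Windows; the labels differ on other locales.

```powershell
# Added example, not from the Squirrel guide. Thresholds are the PCI DSS v2.0 Requirement 8
# values; the sample "net accounts" text below is constructed.

function ConvertFrom-NetAccounts {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # "Label:   Value" -- the label may contain '?' but is followed by at least two spaces.
        if ($line -match '^(.+?):\s{2,}(\S.*)$') { $settings[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $settings
}

function Test-PciAccountPolicy {
    param([Parameter(Mandatory = $true)][hashtable]$Settings)
    $num = { param($v) if ($v -match '^\d+$') { [int]$v } else { $null } }   # "Never"/"None"/"Unlimited" -> $null
    $findings = @()
    $maxAge  = & $num $Settings['Maximum password age (days)']
    $minLen  = & $num $Settings['Minimum password length']
    $history = & $num $Settings['Length of password history maintained']
    $thresh  = & $num $Settings['Lockout threshold']
    $durat   = & $num $Settings['Lockout duration (minutes)']
    if ($maxAge -eq $null  -or $maxAge -gt 90) { $findings += 'Maximum password age missing or above 90 days (8.5.9)' }
    if ($minLen -eq $null  -or $minLen -lt 7)  { $findings += 'Minimum password length below 7 (8.5.10)' }
    if ($history -eq $null -or $history -lt 4) { $findings += 'Password history below 4 (8.5.12)' }
    if ($thresh -eq $null  -or $thresh -gt 6)  { $findings += 'Lockout threshold missing or above 6 attempts (8.5.13)' }
    if ($durat -eq $null   -or $durat -lt 30)  { $findings += 'Lockout duration below 30 minutes (8.5.14)' }
    return $findings
}

function Test-ScreenSaverPolicy {
    # Values written by the four gpedit policies configured above (per-user policy hive).
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $key)) { return @('No screen-saver policy key present') }
    $p = Get-ItemProperty -Path $key
    $findings = @()
    if ($p.ScreenSaveActive -ne '1')    { $findings += 'Screen saver not enabled' }
    if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'Screen saver not password protected' }
    if (-not $p.'SCRNSAVE.EXE')         { $findings += 'No screen saver executable set' }
    if (-not $p.ScreenSaveTimeOut -or [int]$p.ScreenSaveTimeOut -gt 900) {
        $findings += 'Timeout missing or longer than 15 minutes (8.5.15)'
    }
    return $findings
}

# Constructed sample of "net accounts" output from an unhardened workstation:
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
'@ -split "`r?`n"

Test-PciAccountPolicy -Settings (ConvertFrom-NetAccounts -Lines $sample)
# Live check on the Host PC:
#   Test-PciAccountPolicy -Settings (ConvertFrom-NetAccounts -Lines (net accounts))
# Remediation with the same values:
#   net accounts /maxpwage:90 /minpwlen:7 /uniquepw:4 /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30
Test-ScreenSaverPolicy
```

On the constructed sample the first function reports three findings (minimum length, history and lockout threshold). The letters-and-digits rule of Req. 8.5.11 has no net accounts switch; it is the "Password must meet complexity requirements" policy in Local Security Policy and must be checked there. Test-ScreenSaverPolicy reads the policy values for the user running it, so run it in the POS operator's session, not only the administrator's.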
Once unique administrative accounts have been created for necessary users, PCI DSS
Requirement 2 requires any generic or vendor-default Windows accounts to be removed
or renamed (e.g. Squirrel, Administrator, etc.).
To create a new administrative account, and/or to revoke group membership for any non-administrative
accounts, perform the following steps:
1) Login to the Host PC using your Windows administrative account.
2) From the Run command, type lusrmgr.msc (or, alternately, open Control Panel and select
Administrative Tools > Computer Management > Local Users and Groups).
3) Open the Action menu and select New User.
b) Full Name: Type the first & last name of the user in this field (e.g. John Smith)
c) Description: Add a description for this users account (e.g. Owner, General Manager, etc).
d) Type and confirm a strong Password for the account.
e) Leave all other flags at their default settings.
f) Click OK to close the New User popup.
7) Click Add.
8) Under Enter the object names to select, type Administrators and click the Check Names
button to verify the group name.
12) Repeat steps #4-11 above to create any additional accounts needed for other administrative
users.
Once unique administrative accounts have been created for necessary users, merchants
are reminded that PCI DSS Requirement 2 requires any generic or vendor-default Windows
accounts to be removed or renamed (e.g. Squirrel, Administrator, etc.).
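The Administrators group review (Requirement 7, above) and the account-creation steps just described use the same local-accounts machinery, so one added example covers both. This is not Squirrel's tooling: it uses the WinNT ADSI provider, which exists on every Windows version this guide covers, to list the Administrators group, report members that are not on an approved list (the Squirrel Linux account and generic vendor names are never approved), remove them, and create a uniquely named administrative account. All account names in the approved list and in the usage lines are assumptions.

```powershell
# Added example, not from the Squirrel guide. Account names are placeholders.

function Get-LocalGroupMemberName {
    param([string]$Group = 'Administrators')
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; read Name and ADsPath through reflection.
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{ Name = $name; ADsPath = $path }
    }
}

function Get-UnapprovedAdministrator {
    param([Parameter(Mandatory = $true)][string[]]$Approved)
    # The Squirrel Linux account and generic/vendor names must never remain in Administrators.
    $neverAdmin = @('Linux', 'Squirrel', 'Guest')
    Get-LocalGroupMemberName -Group 'Administrators' | Where-Object {
        ($Approved -notcontains $_.Name) -or ($neverAdmin -contains $_.Name)
    }
}

function Remove-FromLocalAdministrators {
    param([Parameter(Mandatory = $true)][string]$ADsPath)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $g.Remove($ADsPath)          # IADsGroup::Remove takes the member's ADsPath
}

function New-LocalAdminAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$FullName,
        [Parameter(Mandatory = $true)][string]$Description,
        [Parameter(Mandatory = $true)][string]$Password
    )
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('user', $Name)
    $user.SetPassword($Password)
    $user.Put('FullName', $FullName)          # step b) above
    $user.Put('Description', $Description)    # step c) above
    $user.SetInfo()                           # all other flags stay at their defaults (step e)
    # Steps 7-8 above: add the new account to the Administrators group.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $g.Add($user.Path)
    return $user.Path
}

# Usage (placeholders). Create the named administrator first, then prune the group.
New-LocalAdminAccount -Name 'jsmith' -FullName 'John Smith' -Description 'General Manager' -Password 'Replace-Me-1234'
# Keep the built-in Administrator on the list: Requirement 2 says rename or disable it,
# not pull it out of its own group.
$approved = @('jsmith', 'Administrator')
Get-UnapprovedAdministrator -Approved $approved | ForEach-Object {
    Write-Host "Removing $($_.Name) ($($_.ADsPath)) from Administrators"
    Remove-FromLocalAdministrators -ADsPath $_.ADsPath
}
Get-LocalGroupMemberName -Group 'Administrators' | Format-Table Name, ADsPath -AutoSize
```

Run it in two passes on a production Host PC: first with the removal block commented out to review what Get-UnapprovedAdministrator reports (domain accounts appear with a WinNT://DOMAIN/ path and should be on the approved list if they are legitimate), then with removal enabled. Log in with the new named account before you remove the account you are currently using.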
While many remote access solutions offer features supporting merchant compliance (or
can be used in conjunction with other supporting protocols or technologies), they are
often not compliant with PCI DSS requirements in the default configuration.
Merchants are reminded to review all remote access applications, devices, protocols,
configurations, policies, and practices in detail against all corresponding PCI DSS
requirements. Employing a remote solution that permits access to the cardholder data
environment without satisfying the requirements referenced above will result in merchant
non-compliance with the PCI DSS.
6) Under After an abnormal end of session, set the Wait value to 15 minutes then select
Cancel Host.
For further information on user security and the complete merchant responsibilities under PCI DSS Requirement
8, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Routers, switches, hubs, wireless access points, gateways, and other network devices
For information on securely deleting cardholder data from, or destroying electronic media, please refer to the
Squirrel Secure Data Deletion: PA-DSS Implementation Guide Supplement
For further information on physical security and the complete merchant responsibilities under PCI DSS
Requirement 9, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
8. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 42
Requirement 10: Track and monitor all access to network resources and cardholder
data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the
impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and
analysis when something does go wrong. Determining the cause of a compromise is very difficult without system
activity logs.[9]
Tracking system activity within the cardholder data environment is an important component of the PCI DSS. In
order to provide accountability for the merchant organization it is imperative that auditing be properly engaged at
all levels, including but not limited to: OS auditing, SQL Server auditing, Squirrel Browser auditing, and auditing of
network devices, such as routers, managed switches, wireless access points, etc.
Disabling of audit logs must not be done on any system in the cardholder data
environment.
Merchants who disable or fail to maintain audit trails cannot be compliant with
Requirement 10 of the PCI DSS.
9. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 46
5) Double-click to select each of the following password policies and configure each to match
the corresponding values in the following table:
Setting                   Application Log      Security Log         System Log           Squirrel Log
When maximum log size     Do not overwrite     Do not overwrite     Do not overwrite     Do not overwrite
is reached                events (clear log    events (clear log    events (clear log    events (clear log
                          manually)            manually)            manually)            manually)
4) Right-click the first log to be configured, e.g. Application, and click Properties.
8) Repeat the above procedures for all logs, using the corresponding values specified in the table
above.
9) When finished, close Event Viewer.
Once set to manual, event logs must be individually maintained to avoid eventually
becoming full.
Merchants are reminded to regularly save logs to a centralized server (or media that is
difficult to alter) before clearing events.
Please see the following section Automate Archival and Clearing of Event Logs for
additional information on automating log clearing and archival.
To prevent the Security log limit from being reached, merchants can employ procedures described in the
Microsoft Knowledge Base Article #312571 (The event log stops logging events before reaching the
maximum log size, http://support.microsoft.com/kb/312571) to add a registry value that automates the
clearing and archiving of Windows event logs.
NOTE: Users are strongly advised to contact the Squirrel Solution Center for assistance
in performing this registry change.
5) After each successful archival, a Security Event ID 524 is also written to the Security log to
indicate the backup occurred, e.g. The Security log file was saved as Security-
2009-12-02-22-48-40-042.evt because the current log file is full.
As archived event log files, i.e. Archive*.EVT files, are stored in the same Windows
default location as all other log files, merchants are reminded to ensure these archive
files are regularly copied up to a centralized server or media that is difficult to alter.
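For administrators who do perform the change themselves, the following added example (not Squirrel's tooling) applies the retention values from the table above and the KB312571 AutoBackupLogFiles value through the registry, then copies any archived event log files to a central share and verifies each copy by SHA-256 before the local copy is deleted, which is the "copy up to a centralized server" step the callout asks for. The share path and the 64 MB maximum size are assumptions; the registry value names are the ones documented in the Microsoft article. The retention and auto-backup changes take effect after the Event Log service restarts (in practice, after the PC restarts).

```powershell
# Added example, not from the Squirrel guide. Share path and MaxSize are assumptions.

function Set-EventLogRetention {
    param(
        [string[]]$LogNames = @('Application', 'Security', 'System', 'SquirrelLog'),
        [int]$MaxSizeBytes = 64MB,     # assumption; must be a multiple of 64 KB
        [switch]$AutoBackup            # KB312571: archive and clear automatically when full
    )
    foreach ($log in $LogNames) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
        if (-not (Test-Path $key)) { Write-Warning "No such event log: $log"; continue }
        # Retention 0xFFFFFFFF = "Do not overwrite events (clear log manually)". PowerShell
        # writes DWORD values through Int32, so -1 yields that bit pattern.
        Set-ItemProperty -Path $key -Name Retention -Type DWord -Value (-1)
        Set-ItemProperty -Path $key -Name MaxSize   -Type DWord -Value $MaxSizeBytes
        if ($AutoBackup) { Set-ItemProperty -Path $key -Name AutoBackupLogFiles -Type DWord -Value 1 }
    }
    foreach ($log in $LogNames) {
        Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log" |
            Select-Object @{n='Log';e={$log}}, Retention, MaxSize, AutoBackupLogFiles
    }
}

function Move-EventLogArchive {
    param(
        [Parameter(Mandatory = $true)][string]$Destination,                    # e.g. \\logserver\pci-logs\HOST (assumed)
        [string]$Source = (Join-Path $env:SystemRoot 'system32\config')        # where Windows writes Archive-*.evt
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    function Get-Sha256Hex([string]$file) {
        $fs = [System.IO.File]::OpenRead($file)
        try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Close() }
    }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    $moved = @()
    foreach ($f in Get-ChildItem -Path $Source -Filter 'Archive*.ev*') {
        $target = Join-Path $Destination $f.Name
        Copy-Item -Path $f.FullName -Destination $target
        if ((Get-Sha256Hex $f.FullName) -eq (Get-Sha256Hex $target)) {
            Remove-Item -Path $f.FullName       # only after the off-host copy is proven intact
            $moved += $f.Name
        } else {
            Write-Warning "Hash mismatch copying $($f.Name); local copy kept"
        }
    }
    return $moved
}

# Usage:
Set-EventLogRetention -AutoBackup
Move-EventLogArchive -Destination "\\logserver\pci-logs\$env:COMPUTERNAME"
```

Schedule Move-EventLogArchive (Task Scheduler, running as an account that can write to the share but that POS users cannot log on as) rather than running it by hand, and point the destination at a share the Host PC can write to but not delete from, so an intruder on the POS host cannot erase the archived history. The Security Event ID 524 entries described in step 5 are the trigger to confirm the copy happened.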
6) The Advanced Security Settings for config dialog opens. Select the Auditing tab.
9) The pane refreshes to show the Windows built-in Everyone group. Click OK.
10) The Auditing Entry for config dialog opens. Ensure the Apply To combo is set at This folder,
subfolders, and files.
Access                              Successful
Traverse Folder / Execute File      Checked
List Folder / Read Data             Checked
Read Attributes                     Checked
Read Extended Attributes            Checked
Delete Subfolders and Files         Checked
Delete                              Checked
Read Permissions                    Checked
Change Permissions                  Checked
Take Ownership                      Checked
12) Verify settings, then Click OK three times (3 x) to close the open Auditing, Advanced, and
Properties dialogs.
13) Close Windows Explorer.
14) Future accesses of the Windows event logs via Event Viewer, Windows Explorer, etc. are now
recorded as entries in the Security Log.
5) Click Advanced.
6) The Advanced Security Settings for Tracking dialog opens. Click the Auditing tab
9) The pane refreshes to show the Windows built-in Everyone group. Click OK.
10) The Auditing Entry for Tracking dialog appears. Click to select the Full Control check boxes
for both Successful and Failed (this selects all check boxes).
11) Verify checked settings, then Click OK three times (3 x) to close the Auditing, Advanced, and
Properties windows.
12) Close Windows Explorer.
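The two auditing entries above (the read/delete/permission-change set on the Windows event log folder, and Full Control success and failure on the Squirrel Tracking folder) can be written with FileSystemAuditRule instead of the Advanced Security Settings dialog. This is an added example, not Squirrel's tooling; the folder paths are assumptions. Editing a SACL needs SeSecurityPrivilege, so run it from an elevated administrator prompt.

```powershell
# Added example, not from the Squirrel guide. Paths are assumptions.

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success',
        [string]$Identity = 'Everyone'
    )
    $acl = Get-Acl -Path $Path -Audit            # -Audit is required to read and write the SACL
    # "This folder, subfolders and files" == ContainerInherit + ObjectInherit, no propagation limits.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Flags)
    $acl.SetAuditRule($rule)                     # replaces any existing entry for this identity
    Set-Acl -Path $Path -AclObject $acl
    return (Get-Acl -Path $Path -Audit).Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags
}

$fsr = [System.Security.AccessControl.FileSystemRights]
# Rows marked "Checked" in the table above (Successful access only).
$configRights = $fsr::ExecuteFile -bor $fsr::ListDirectory -bor $fsr::ReadAttributes -bor
                $fsr::ReadExtendedAttributes -bor $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::Delete -bor
                $fsr::ReadPermissions -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
Add-FolderAuditRule -Path (Join-Path $env:SystemRoot 'system32\config') -Rights $configRights -Flags 'Success'

# Tracking folder: Full Control, both Successful and Failed (selects every check box).
Add-FolderAuditRule -Path 'C:\Squirrel\Tracking' -Rights ([System.Security.AccessControl.FileSystemRights]::FullControl) -Flags 'Success, Failure'
```

A SACL entry only produces Security log events if object-access auditing is turned on in the local audit policy (Audit object access in Local Security Policy, or auditpol /set /subcategory:"File System" on Windows Vista and later); without it the entries above are silent. Auditing successful reads of the config folder will be noisy because the Event Log service itself touches these files; filter on the account name rather than disabling the entry.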
2) The Windows Firewall properties dialog opens. Click the Advanced tab.
4) The Log Settings dialog appears. Click to select the Log dropped packets and Log successful
connections check boxes, then click OK.
SQL Server Auditing for SQL Server 2008, SQL Server 2005
NOTE: For SQL Server 2000, please skip to the next section, SQL Server 2000: Enable
Server Auditing Policies.
7) To initialize auditing of database connections, SQL Server must first be restarted. Restart SQL
Server at the next available opportunity by either:
a) Stop Squirrel Host Service > Stop SQL Server service > Start SQL Server service > Start
Squirrel Host Service,
OR
NOTE: On some installations, the local server may appear as <hostname>, e.g.
SMITH-SQPC (Windows NT).
5) The SQL Server Properties dialog opens. Select the Security tab.
8) To initialize auditing of database connections, SQL Server must first be restarted. Restart SQL
Server at the next available opportunity by either of the following methods:
a) Stop Squirrel Host Service > Stop SQL Server service > Start SQL Server service > Start
Squirrel Host Service,
OR
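The login-auditing setting on the Security tab is stored by SQL Server as the AuditLevel registry value under the instance hive, and SQL Server's own xp_instance_regread and xp_instance_regwrite procedures resolve the instance-specific path. The following added example (not Squirrel's tooling) reads the current level, sets it to audit both failed and successful logins, and performs the restart sequence from step 8. The instance name and the two Windows service names are assumptions; the caller must be sysadmin on the instance and a Windows administrator on the Host PC.

```powershell
# Added example, not from the Squirrel guide. AuditLevel: 0 = None, 1 = Successful logins only,
# 2 = Failed logins only, 3 = Both failed and successful logins. Applies after SQL Server restarts.

$script:AuditKey = 'Software\Microsoft\MSSQLServer\MSSQLServer'

function Invoke-SqlScalar {
    param([string]$Server, [string]$Sql)
    # Connects as the Windows administrative account (sysadmin); the xp_ procedures require it.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Data Source=$Server;Initial Catalog=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        return $cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}

function Get-SqlLoginAuditLevel {
    param([string]$Server = '.\SQUIRREL')      # assumed instance name
    $sql = @"
DECLARE @level int;
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'$script:AuditKey', N'AuditLevel', @level OUTPUT;
SELECT @level;
"@
    return [int](Invoke-SqlScalar -Server $Server -Sql $sql)
}

function Set-SqlLoginAuditLevel {
    param([string]$Server = '.\SQUIRREL', [ValidateRange(0, 3)][int]$Level = 3)
    $sql = "EXEC master.dbo.xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'$script:AuditKey', N'AuditLevel', REG_DWORD, $Level;"
    [void](Invoke-SqlScalar -Server $Server -Sql $sql)
    return Get-SqlLoginAuditLevel -Server $Server
}

function Restart-SqlForAuditing {
    # Step 8 a) above: stop the Squirrel Host Service first so it does not reconnect mid-restart.
    param([string]$SqlService = 'MSSQL$SQUIRREL', [string]$HostService = 'Squirrel Host Service')   # assumed names
    Stop-Service  -Name $HostService -Force
    Stop-Service  -Name $SqlService  -Force
    Start-Service -Name $SqlService
    Start-Service -Name $HostService
}

# Usage: only restart when a change was actually needed.
if ((Get-SqlLoginAuditLevel) -ne 3) {
    Set-SqlLoginAuditLevel -Level 3
    Restart-SqlForAuditing          # schedule for the next available opportunity (business day shut down)
}
```

Once active, each login attempt appears in the SQL Server error log (and the Application event log) as "Login succeeded for user ..." or "Login failed for user ...", which is the data the daily review under Req. 10.6 needs for the two SQL Logins created earlier.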
2) The Date and Time Properties dialog opens. Click the Internet Time tab.
3) Click to select the Automatically synchronize with an Internet time server check box.
4) Under Server, enter the host name of a valid, working Internet time server.
A new Squirrel PCI Audit Log (SquirrelLog) tracks access to the Squirrel Browser and records activity
(modules loaded, reports run, etc.) in event log messages.
System administrators can report on this log activity via the Squirrel Browser Activity Report, or opt to
harvest event information directly from the event logs service using 3rd-party event management
applications (PCI Requirement 10.6)
5) Rename the file to SquirrelAudit (no file extension) and press Enter.
10) Click the Application Log and confirm a corresponding SquirrelAudit event also written for the
same logon.
NOTE: Squirrel Browser Security events recorded in the SquirrelLog are listed under the
source SqPCIAudit, while the replicated events in the Application Log are listed under
the source SquirrelAudit.
The Squirrel Event Log is offered only in support of merchant compliance with
auditing requirements of the PCI DSS.
Recording Browser Security events does not guarantee or ensure compliance, nor
does it satisfy a merchants obligation to routinely perform their own evaluations and
due diligence in ensuring compliance with all requirements of the PCI DSS
15) The SNARE localhost configuration page opens requiring authentication. Enter the username snare
and your previously selected password, then click OK.
a) Enter the IP address of your SYSLOG or SIEM server in the Destination Snare Server
address field.
b) Click to select the Enable SYSLOG Header checkbox.
c) Under SYSLOG Facility, select Kernel from the dropdown list.
d) Under SYSLOG Priority, select Information from the dropdown list.
22) The change is confirmed by the message, Snare Objectives have been applied to the
running system.
NOTE: The SNARE agent service must be stopped manually before running Squirrel POS
software upgrades.
Failure to stop SNARE before attempting a Squirrel software upgrade may result in errors
during file copy operations.
Squirrel reminds merchants to observe their obligations under PCI DSS Req.10.6, to review all logs, and audit
trails from devices in the cardholder data environment on a daily basis.
Merchants are advised to use file integrity monitoring systems, in addition to log harvesting / parsing, and offline
log backup tools, to assist with mandatory practices of securing and maintaining system audit history.
Merchants are advised to employ alerting tools to assist in maintaining a proactive awareness of system
security through immediate notification of stakeholders via email or SMS when important activity occurs in the
cardholder data environment, such as account lockouts, audit failures, critical system errors, etc.
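The daily review and alerting the three paragraphs above call for needs a concrete filter. The following is an added example, not Squirrel's tooling: it runs over Security log entries and returns the items worth an email or SMS alert (account lockouts, the audit log being cleared, audit policy changes, a burst of failed logons for one account above the PCI DSS v2.0 threshold of six, and the KB312571 auto-backup event so the archive copy can be confirmed). The event IDs cover both the Windows 2000/XP/2003 numbering and the Vista-and-later numbering. The sample events are constructed, and the SMTP server in the optional alert function is an assumption.

```powershell
# Added example, not from the Squirrel guide. Sample events below are constructed.

$script:AlertIds = @{
    644  = 'Account locked out';            4740 = 'Account locked out'
    517  = 'Audit log cleared';             1102 = 'Audit log cleared'
    612  = 'Audit policy changed';          4719 = 'Audit policy changed'
    524  = 'Security log auto-saved; confirm the archive was copied off-host'
}
$script:FailureIds = @(529, 4625)    # logon failure: unknown user name or bad password

function Find-PciAlertEvent {
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,   # objects with EventID, TimeGenerated, Message
        [int]$FailureThreshold = 6                          # PCI DSS v2.0 Req. 8.5.13
    )
    $alerts = @()
    foreach ($e in $Events) {
        if ($script:AlertIds.ContainsKey([int]$e.EventID)) {
            $alerts += New-Object PSObject -Property @{
                Time = $e.TimeGenerated; EventID = [int]$e.EventID
                Reason = $script:AlertIds[[int]$e.EventID]; Detail = ($e.Message -split "`n")[0] }
        }
    }
    # Repeated failures for one account. XP/2003 (529) labels it "User Name:"; Vista+ (4625)
    # has two "Account Name:" lines and the first is the Subject, so adjust if you only see 4625.
    $byUser = @{}
    foreach ($f in ($Events | Where-Object { $script:FailureIds -contains [int]$_.EventID })) {
        if ($f.Message -match '(?m)^\s*(?:Account Name|User Name):\s*(\S+)') { $byUser[$matches[1]] += 1 }
    }
    foreach ($u in $byUser.Keys) {
        if ($byUser[$u] -ge $FailureThreshold) {
            $alerts += New-Object PSObject -Property @{
                Time = (Get-Date); EventID = 0
                Reason = "$($byUser[$u]) failed logons for '$u' in the review window"; Detail = '' }
        }
    }
    return $alerts
}

function Send-PciAlert {
    param([object[]]$Alerts, [string]$To, [string]$From, [string]$SmtpServer = 'mail.example.invalid')   # assumed
    if (-not $Alerts) { return }
    $body = ($Alerts | ForEach-Object { "$($_.Time)  [$($_.EventID)]  $($_.Reason)  $($_.Detail)" }) -join "`r`n"
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Subject "PCI alert: $env:COMPUTERNAME" -Body $body
}

# Constructed sample: one log-clear, one auto-backup, six bad-password attempts for "manager".
$sample = @(
    New-Object PSObject -Property @{ EventID = 517; TimeGenerated = (Get-Date); Message = 'The audit log was cleared' }
    New-Object PSObject -Property @{ EventID = 524; TimeGenerated = (Get-Date); Message = 'The Security log file was saved as Archive-Security-2009-12-02-22-48-40-042.evt because the current log file is full.' }
)
$sample += 1..6 | ForEach-Object {
    New-Object PSObject -Property @{ EventID = 529; TimeGenerated = (Get-Date); Message = "Logon Failure:`n   Reason: Unknown user name or bad password`n   User Name: manager" }
}
Find-PciAlertEvent -Events $sample | Format-Table Time, EventID, Reason -AutoSize
# Live, as a scheduled daily task:
#   $alerts = Find-PciAlertEvent -Events (Get-EventLog -LogName Security -After (Get-Date).AddDays(-1))
#   Send-PciAlert -Alerts $alerts -To 'security@example.invalid' -From "pos@$env:COMPUTERNAME"
```

On the sample the function returns three alerts: the cleared log, the auto-backup notice, and the six failures for "manager". A cleared Security log is the one event that should never be explained away by the person who cleared it; route that alert to someone other than the Host PC administrator.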
For further information on auditing, and for the complete merchant responsibilities under PCI DSS Requirement
10, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
Merchants are recommended to contact their acquirer for further information on vulnerability scanning. Many
processors currently maintain relationships with both ASVs and QSAs that allow them to offer vulnerability and
compliance assessment tools and services to assist their merchants in achieving PCI compliance.
Testing can be done using a wireless analyzer or by deploying wireless IDS/IPS to identify wireless devices in
use, and should also include a physical inspection of network locations where a rogue WAP could be present,
i.e. publicly accessible switches, routers, network jacks, etc.
For further information on security testing, and for the complete merchant responsibilities under PCI DSS
Requirement 11, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
10. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011], p. 49
Requirement 12: Maintain a policy that addresses information security for employees
and contractors
A strong security policy sets the security tone for the whole company and informs employees what is expected of
them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the
purposes of this requirement, employees refers to full-time and part-time employees, temporary employees and
personnel, and contractors and consultants who are resident on the company's site.[11]
- Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk
  assessment
- Includes a review at least once a year and updates to reflect changes to business objectives or the
  risk environment
- Develops daily operational security procedures that are consistent with PCI DSS requirements, such
  as account maintenance, security log reviews, etc.
- Includes acceptable usage policies for critical employee-facing technologies, such as:
  o E-mail and Internet usage
  o Removable electronic media, such as USB drives, external hard drives, etc., and mobile
    devices, such as laptops / tablets, smart phones, MP3 players, etc.
  o Wireless technologies
  o Remote-access technologies
- For employees who access cardholder data via remote-access technologies, prohibit copying,
  moving, and storing of cardholder data onto local hard drives and removable electronic media, unless
  explicitly authorized for a defined business need.
For further information on developing a merchant security policy, and for complete merchant responsibilities under
PCI DSS Requirement 12, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml
11. PCI Security Standards Council, "Payment Card Industry Data Security Standard: Requirements and Security Assessment
Procedures, Version 2.0", <https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf> [accessed 24 February 2011]
The following sections describe the principles of encryption key management for Squirrel POS, including required
components, stakeholders involved, and procedures for implementation.
Compliance with the PCI DSS requires merchants to implement and regularly maintain their own set of unique
encryption keys. This entails adherence to a key management cycle, as supported by the Squirrel Key
Management Utilities shown in the following diagram:
Custodian     Responsibility
Custodian A   Maintains and secures physical possession of the Merchant Keyfile (USB drive).
              This role is generally recommended for system owners, or another trusted,
              non-technical member of the merchant organization (e.g. accountant, controller, etc.).
Custodian B   Maintains and secures the SQL Server Logins (usernames and passwords).
              This role is generally recommended for system administrators, or another trusted,
              technical member of the merchant organization (IT Manager, GM, controller, etc.).
Once implemented, dual-control constraints are intended to ensure no one member of the merchant organization
has sole permission to make changes to the encryption scheme. Each custodian must contribute his or her
individual key component in order to effect a change in encryption keys, as characterized by the diagram below:
[Diagram: Custodian A (Merchant Keyfile) + Custodian B (SQL Passwords) -> Change Encryption Keys]
Preparation
  - Assign key custodian roles to at least two members of the merchant organization
  - Obtain USB drive for storage of merchant keyfiles
  - Have custodians each decide on a strong password for their respective components
Planning
  - Ensure Squirrel POS installation is activated by Squirrel Solution Center
SQL Server Configuration
  - Assemble unique SQL Logins used by the application to access the database
  - Ensure Squirrel ODBC Connection is configured to SQL Authentication
  - Ensure Squirrel Browser has been associated with the unique SQL Logins
Implementation
The following sections outline the three stages involved in deploying Squirrel Key Management.
Creating a Keyfile
Registering a Keyfile
Re-Encrypting the Squirrel Database
NOTE: Squirrel Key Management requires SQL Authentication. Do not begin key
creation procedures until unique SQL Logins have been created and SQL Authentication
configured for the merchant installation. See Use a Limited Windows Account for POS
Operations (Squirrel Users Setup), under Requirement 7, for further information on
implementing SQL Authentication.
The sqKeys.exe utility does not require merchant keyfile generation to be conducted on the same PC on which
the Keyfile is being installed. Merchant keyfiles can be generated on one licensed installation of Squirrel POS
software, and then securely deployed to another Squirrel installation later.
Though encrypted itself, a merchant keyfile must never be transmitted via insecure
methods, e.g. unencrypted email or FTP, etc. Any distribution of keyfiles must be
secured by strong encryption, authentication, and auditing mechanisms.
Merchants are required to ensure their cryptographic materials are always protected
against disclosure or misuse. Squirrel reminds merchants to restrict Keyfile access to
the fewest number of custodians possible.
4) Type a meaningful name for the new keyfile in the Filename Prefix field. The file name, as
entered, is appended with the current date and time and displays its final form in the Actual
FileName field (e.g. FirstKey_2009_04_21_112256.key).
5) Click the browse button ( ) next to Create in Location.
6) Browse to and select a primary location on the USB thumb drive where the keyfile will be stored.
7) (Optional): Click the browse button on the Backup Location to browse for and select a
secondary location on the same or different removable media to store a backup copy of the
keyfile. To generate only the single keyfile, re-enter the same path from Step #6.
Merchant Keyfiles must be stored on removable media that can be physically secured
against unauthorized access, such as a USB thumb-drive or other removable mass-
storage device reserved exclusively for Key Management purposes.
Merchants are advised never to store keyfiles on any local system in the cardholder data
environment, e.g. on fixed disks or network drives.
NOTE: This is the same Full Decryption SQL Login, as entered previously in Configure
the Squirrel Browser for SQL Authentication.
16) Click to select the Hide check box. This flag prevents the SQL username used from being shown
during later key management operations.
17) Click to select the Substitution of this keyfile with another keyfile requires this SQL password
check box.
This flag ensures any replacement of this keyfile by another keyfile can be done only with the
consent of Custodian B (by the act of their re-entering the associated SQL password).
18) When ready, click Generate Encrypted Key File to generate the physical keyfile (*.key) on your
removable media.
5) Click the browse button ( ) next to the Register KeyFile field to browse to the keyfile.
6) From the Select Key file dialog, browse to your removable media and select the keyfile to be
registered, then click Open.
7) The Enter Password dialog appears. Have Custodian A enter the password used to secure this
keyfile and click OK.
8) The keyfile appears under List of Keyfiles Currently Registered on this Machine, indicating it
is now registered with this Host PC.
IMPORTANT:
Ensure all credit card batches have been successfully posted to network before
beginning re-encryption. Changing encryption keys with open / unposted batches is not
recommended.
To re-encrypt cardholder data in the Squirrel database, complete the following steps:
1) Log onto the PC using your Windows administrative account.
2) Ensure the Squirrel Business Day is Shutdown.
3) Stop the Squirrel Host Service and close all other connections to the Squirrel database
(Squirrel Browser, etc.).
6) Use Windows Explorer to verify a database backup file (.ZIP) was created.
10) The Select Key file menu dialog appears. Have Custodian A connect the USB drive containing
the merchant keyfile to the Squirrel Host PC. Browse the media to select the desired keyfile, then
click Open.
11) The Enter Password dialog appears. Have Custodian A enter the Password for this keyfile and
click OK.
12) The selected keyfile is displayed in the ReEncypt with Keyfile or RSA file field.
NOTE: Squirrel recommends merchants use the Purge Encrypted Credit Card Data to
automate purging of posted encrypted data. See the Limit Cardholder Data Retention
(Purge Encrypted Credit Card Data) in section Requirement 3: Protect stored cardholder
data for details.
14) When ready, click Re-Encrypt data using Public/Private Keys supplied in the file to begin
data re-encryption.
16) Depending on database size and system specifications, re-encryption can take from a few
seconds to upwards of 10 minutes. The SqRegisterKeys application window closes automatically
to indicate when re-encryption is finished.
17) Eject the USB drive and have Custodian A secure the removable media until such time that the
KeyFile is required, i.e. at next scheduled key change.
18) Continue below to Verifying Encryption Routines.
NOTE: For previously-purged cardholder data, PAN and expiry date fields are empty
(Credit Card# field should be empty; Exp Date field should read 00/00).
IMPORTANT:
Once encryption keys have been changed, restoring any Squirrel database backup
made prior to the key change will result in mismatched encryption between data in the
database and current encryption keys registered on the PC.
To reduce the potential for encryption mismatch, always perform a Manual Database
Backup (*MBK.zip) immediately following a change in encryption keys, and make a
record of the date when the encryption keys were changed.
Until scheduled Database Maintenance routines have completed a full weekly cycle
(replacing all previous BKW*.zip archives), the backup archives in
\SqDBHouse\DBBackup\Zipfiles and weekly folders on the secondary media will
contain database backups encrypted with previous encryption keys.
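The mismatch the note above warns about (a backup encrypted under the previous keys restored onto a PC whose registered keys have since changed) is easiest to manage when every encrypted record names the key that produced it and carries an authentication tag. The following is an added illustration of that idea and of the re-encrypt-then-verify sequence; it is not Squirrel's code, and the cipher is a standard-library toy (HMAC-SHA256 keystream plus HMAC tag) standing in for whatever the POS actually uses, with constructed key ids and a constructed sample record:

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher built only from the standard library: an HMAC-SHA256
# keystream XORed over the plaintext, plus an HMAC tag over the whole record.
# It stands in for the POS cipher; it is NOT Squirrel's algorithm.
KEY_ID_LEN = 8
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyMismatch(Exception):
    """Raised when a record names a key that is not registered, or fails its tag."""


def encrypt(key_id: str, key: bytes, plaintext: bytes) -> bytes:
    """Return key_id || nonce || ciphertext || tag, so every record names the key that made it."""
    kid = key_id.encode().ljust(KEY_ID_LEN, b"\0")[:KEY_ID_LEN]
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, kid + nonce + ct, hashlib.sha256).digest()
    return kid + nonce + ct + tag


def decrypt(keyring: dict, blob: bytes) -> bytes:
    """Decrypt with whichever registered key the record names; refuse otherwise."""
    kid_raw = blob[:KEY_ID_LEN]
    kid = kid_raw.rstrip(b"\0").decode()
    nonce = blob[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
    ct, tag = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = keyring.get(kid)
    if key is None:
        raise KeyMismatch(f"record encrypted under unregistered key {kid!r}")
    expected = hmac.new(key, kid_raw + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise KeyMismatch(f"authentication failed for key {kid!r}")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def reencrypt_database(records, keyring, old_id, new_id):
    """Re-key every record from old_id to new_id, then verify using only the new key."""
    old_only = {old_id: keyring[old_id]}
    new_only = {new_id: keyring[new_id]}
    rekeyed = [encrypt(new_id, keyring[new_id], decrypt(old_only, blob)) for blob in records]
    # Verification pass: every record must decrypt with nothing but the new key registered.
    for blob in rekeyed:
        decrypt(new_only, blob)
    return rekeyed


def keys_needed(records) -> set:
    """Key ids a set of records (e.g. a backup archive) requires in order to decrypt."""
    return {blob[:KEY_ID_LEN].rstrip(b"\0").decode() for blob in records}


def restore_would_mismatch(keyring: dict, backup) -> bool:
    """True if restoring `backup` needs a key that is no longer registered on this PC."""
    return not keys_needed(backup) <= set(keyring)


if __name__ == "__main__":
    keyring = {"2014A": b"\x01" * 32, "2015A": b"\x02" * 32}  # constructed keys
    record = b"PAN:4111111111111111 EXP:12/25"                 # constructed sample
    old_backup = [encrypt("2014A", keyring["2014A"], record)]
    live = reencrypt_database(old_backup, keyring, "2014A", "2015A")
    print(keys_needed(old_backup), keys_needed(live))
    print("old backup mismatches after unregistering 2014A:",
          restore_would_mismatch({"2015A": keyring["2015A"]}, old_backup))
```

Because each record names its key, `restore_would_mismatch` can answer the question the note raises before a restore is attempted, and it also shows why the guide says not to unregister the previous keyfile until re-encryption is confirmed: while both keys are registered, both the live data and the older BKW*.zip archives still decrypt.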
Once personal key management has been implemented, any future change to
encryption keys requires all of the following inputs from the respective key custodians:
7) Implementation of the first unique encryption keys is complete. Eject the USB drive and have
Custodian A physically secure the removable media, e.g. store in a safe, safety deposit box, etc.,
until the keyfile is required for the next key change.
For details on continued maintenance and next change of the encryption keys, please refer to the
following section Changing Merchant Encryption Keys (Re-Keying).
The PCI DSS also requires merchants to replace encryption keys if they suspect any
encryption materials or related passwords have been disclosed or compromised,
and whenever employees are assigned to, or removed from, a key custodial role
(e.g. an employee leaves the merchant organization and their custodial role is
assigned to a new employee).
4) Do not attempt to Unregister or physically delete any keyfiles at this time. Removal of expired
key materials is performed only after Re-encryption has been performed and confirmed
successful.
The following table shows the relationship between these challenge flags from sqKeys.exe and
the corresponding response fields required by sqReEncrypt.exe:
Related Flag From Original KeyFile (sqKeys.exe) | Custodian Input Required During Replacement of Original Keyfile (sqReEncrypt.exe)
Substitution of this Keyfile with another Keyfile requires this Keyfile password | Keyfile Password and Keyfile, e.g. USB drive with the original .KEY file
Substitution of this Keyfile with another Keyfile requires this SQL password | SQL Account Password associated with the current Keyfile
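The table above maps each flag set on the original keyfile to the input the custodians must produce before it can be replaced. The following added example (not Squirrel's code) models that dual-control challenge: a keyfile record stores the two flags plus password verifiers, and `unmet_challenges` lists every input that is still missing or wrong, so a replacement proceeds only when the list is empty. Field names, the PBKDF2 parameters and the sample passwords are constructed for illustration:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

PBKDF2_ROUNDS = 50_000  # constructed value; tune for the target hardware


def _verifier(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier so plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class KeyFile:
    """A registered keyfile plus the two challenge flags set in sqKeys.exe."""
    name: str
    salt: bytes
    keyfile_pw_verifier: bytes        # derived from the keyfile password Custodian B chose
    sql_pw_verifier: bytes            # derived from the SQL login password tied to this keyfile
    requires_keyfile_password: bool   # "Substitution ... requires this Keyfile password"
    requires_sql_password: bool       # "Substitution ... requires this SQL password"


def register_keyfile(name: str, keyfile_password: str, sql_password: str,
                     requires_keyfile_password: bool = True,
                     requires_sql_password: bool = True) -> KeyFile:
    salt = os.urandom(16)
    # Domain-separate the two verifiers so identical passwords do not produce identical hashes.
    return KeyFile(name, salt,
                   _verifier("keyfile:" + keyfile_password, salt),
                   _verifier("sql:" + sql_password, salt),
                   requires_keyfile_password, requires_sql_password)


@dataclass
class ReplacementRequest:
    """What the custodians presented when challenged to replace the original keyfile."""
    original_keyfile_present: bool = False    # Custodian A connected the original .KEY media
    keyfile_password: Optional[str] = None    # Custodian B entered the original keyfile password
    sql_password: Optional[str] = None        # Custodian B entered the associated SQL password


def _matches(prefix: str, supplied: Optional[str], salt: bytes, verifier: bytes) -> bool:
    if supplied is None:
        return False
    return hmac.compare_digest(_verifier(prefix + supplied, salt), verifier)


def unmet_challenges(original: KeyFile, req: ReplacementRequest) -> List[str]:
    """Every dual-control input still missing or wrong; an empty list authorizes the replacement."""
    problems = []
    if original.requires_keyfile_password:
        if not req.original_keyfile_present:
            problems.append("Custodian A: original keyfile media not presented")
        if not _matches("keyfile:", req.keyfile_password, original.salt, original.keyfile_pw_verifier):
            problems.append("Custodian B: original keyfile password missing or incorrect")
    if original.requires_sql_password:
        if not _matches("sql:", req.sql_password, original.salt, original.sql_pw_verifier):
            problems.append("Custodian B: SQL login password missing or incorrect")
    return problems


if __name__ == "__main__":
    kf = register_keyfile("FirstKey_2014", "kf-pass-constructed", "sql-pass-constructed")
    print(unmet_challenges(kf, ReplacementRequest()))
    print(unmet_challenges(kf, ReplacementRequest(True, "kf-pass-constructed", "sql-pass-constructed")))
```

Note that a keyfile generated with both flags cleared can be replaced with no challenge at all, which is why steps 16 and 17 above set them; the check returns an empty list for such a keyfile regardless of what was presented.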
6) In the Keyfile Password field, have Custodian B enter the original keyfile password. Note that
this password may differ from the password Custodian B has assigned to the new (replacing)
keyfile.
8) Have Custodian B enter the password for the SQL Login associated with the original keyfile in the
SQL Password field.
9) Click OK.
10) The main sqReEncrypt window now appears. If not, review any error prompts and correct inputs
to retry.
11) Proceed with the re-encryption process, as previously outlined in Re-Encrypting the Squirrel
Database (SqReEncrypt.exe).
12) Confirm re-encryption routine success, as previously outlined in Verifying Re-Encryption
Routines.
3) Confirm the keyfile you are attempting to unregister is not still in use, i.e. is not listed in
the Use KeyFile field at the bottom of the dialog.
4) Click Unregister Selected files from this machine.
5) A challenge dialog appears asking for the same dual-control custodian inputs as per previously
in Re-Encrypting with the Replacement Encryption Keys.
6) Have Custodians A and B provide the original physical keyfile, keyfile password, and SQL
Password components (respectively).
7) Click OK.
NOTE: If the current (active) keyfile is accidentally selected for deletion, a warning
message appears to alert the user to the error. Click No to return and reselect the
correct inactive keyfile.
If retaining keyfiles for retired or replaced cryptographic keys, the archived keyfiles must be securely stored and
used only for decryption/verification purposes; they may not be used for production encryption purposes again.
Password must meet complexity requirements: This security setting determines whether
passwords must meet complexity requirements. If this policy is enabled, passwords must
meet the following minimum requirements:
Not contain the user's account name or parts of the user's full name that exceed
two consecutive characters
Be at least six characters in length
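The two requirements quoted above can be checked programmatically. The following is an added example, not part of the guide or of Windows, that implements only those two rules. The way it splits the full name into tokens (on commas, periods, hyphens, underscores, spaces, pound signs and tabs, ignoring tokens shorter than three characters) and skips the account-name check for account names under three characters follows Microsoft's documented behaviour for this policy rather than anything stated above; the sample names and passwords are constructed:

```python
import re
from typing import List

# Delimiters used to split the full (display) name into tokens before checking
# them against the password; tokens of fewer than three characters are ignored.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name: str) -> List[str]:
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) > 2]


def complexity_failures(password: str, account_name: str, full_name: str,
                        min_length: int = 6) -> List[str]:
    """Return the requirements from the policy text that `password` fails (empty = passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    # Comparison is case-insensitive; the account-name check is skipped for names under 3 chars.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append(f"contains the account name {account_name!r}")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            failures.append(f"contains {token!r} from the user's full name")
    return failures


def meets_policy(password: str, account_name: str, full_name: str) -> bool:
    return not complexity_failures(password, account_name, full_name)


if __name__ == "__main__":
    # Constructed sample account
    for candidate in ("Tq7!mzPq", "abc", "xjsmith99", "SMITH2014"):
        print(candidate, complexity_failures(candidate, "jsmith", "Smith, John"))
```

Windows applies further complexity rules beyond the two listed above; the checker here is limited to what the text quotes, so a password it accepts is not necessarily one the full Windows policy would accept.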
The following checklist summarizes many of the system configuration and management procedures from this
guide by grouping / order of configuration area and other dependencies (vs. order by applicable PCI DSS
requirement). This list is intended to help end-users expedite configuration of the Squirrel POS system in a
manner supporting PCI compliance.
The following is provided to merchants and system implementers for reference purposes
only. The information below only addresses payment application configuration items with
explicit settings or procedure directly supporting an associated PCI requirement.
This checklist does not address policy-related PCI requirements, including but not
limited to creation of security policies, system and account management procedures,
ongoing vulnerability management processes, etc. which are the responsibility of the
merchant.
Completion of this checklist is not a substitute for thorough review of the Squirrel PA-DSS
Implementation Guide, the Payment Card Industry Data Security Standard (PCI DSS), or
other supporting documentation provided by the PCI SSC or Squirrel Systems.
Checklist Item | PCI DSS | Guide Section
Squirrel Credit Card Tracking disabled / verified | Req. 3 | Disable Squirrel Credit Card Tracking
Default password changed for logins to all network devices (routers, managed switches, etc.) | Req. 2 | Secure Vendor-Default Passwords and Accounts on Additional System Components
media
Microsoft Update component installed / verified | Req. 6 | Maintain Windows Automatic Updates
Critical Updates applied for other installed 3rd party applications / verified | Req. 6 | Maintain Critical Updates for Third-Party Applications
Can See Decrypted Credit Cards flag disabled / verified for all users | Req. 7 | Disable Full Credit Card Decryption in the Squirrel Browser
Windows Limited User created for daily operation of the Squirrel Host PC | Req. 7 | Create a Windows Limited User Account
Squirrel Users group granted access to Squirrel Program folders | Req. 7 | Grant Squirrel Users Group Write Access to Squirrel Application Folders
Squirrel ODBC DSN configured to use SQL Authentication | Req. 7 | Configure the Squirrel ODBC Connection for SQL Authentication
Squirrel Browser associated with new Squirrel DSN | Req. 7 | Configure the Squirrel Browser for SQL Authentication
Removable media, i.e. USB flash drive, procured for merchant keyfile storage | Req. 3 | Preparing for Key Management Deployment
Key custodian roles assigned to at least two members of merchant organization | Req. 3 | Preparing for Key Management Deployment
WS9L SSH Optional Module installed | Req. 8 | Enable WS9L SSHFS Support
Merchant made aware of responsibilities under PCI DSS to perform ext. / int. vulnerability scans | Req. 11 | Perform Routine Internal and External Vulnerability Scans
The following diagrams are provided to highlight important differences between potentially compliant and
non-compliant POS network configurations.
The default Squirrel POS topology above supports compliance with PCI DSS Req 1 by:
Employing a router (#1, Linksys RVL200) at the network perimeter to prohibit direct public access
between the Internet and system components in the cardholder data environment
Providing NAT / PAT (Network Address Translation / Port Address Translation) to prevent
disclosure of the internal network's private IP addresses (#2) and routing information to the Internet
Implementing a stateful packet inspection (SPI) firewall at the network perimeter (#1, Linksys
RVL200) to allow only established connections access into the POS network, in addition to a
host-based firewall at the Host PC.
The older Squirrel POS topology shown above supports compliance with PCI DSS Req 1 by:
Employing a router (Linksys BEFSR41) at the network perimeter (#1) to prohibit direct public access
between the Internet and system components in the cardholder data environment
Providing NAT / PAT (Network Address Translation / Port Address Translation) to prevent
disclosure of the internal network's private IP addresses (#3) and routing information to the Internet
Implementing an AlphaShield stateful packet inspection (SPI) firewall at the network perimeter (#2)
to allow only established connections access into the POS network, in addition to a host-based
firewall at the Host PC.
The above topology does not support compliance with PCI DSS Req 1, based on the following:
A router (Linksys BEFSR41) is present (#1) to prevent direct public connections between the Internet
and systems in the cardholder data environment. However, no SPI firewall is employed to protect the
network perimeter.
While the Host PC has a host-based firewall protecting its outward-facing adapter (#2), an Office PC is
present on the same network segment with no host-based firewall enabled (#3).
The unprotected Office PC is also connected to the POS network segment via a second adapter (#4),
creating a flat network topology with potential for unrestricted traffic flows between the Internet and
cardholder data environment (#5).
The above topology does not support compliance with PCI DSS Req 1, based on the following:
While an AlphaShield stateful packet inspection (SPI) firewall is employed at the network
perimeter (#1), there is no router providing NAT / PAT (Network Address Translation / Port Address
Translation) functions to prevent disclosure of the internal network's private IP addresses and
routing information to the Internet.
Without a router, the Host PC's second network adapter has been assigned a public IP address (#2),
creating a direct public connection between the Internet and systems in the cardholder data
environment.
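The four topologies above are judged by the same handful of conditions: a perimeter router providing NAT / PAT, a perimeter SPI firewall, no public address on a cardholder-data-environment system, a host-based firewall on any other machine sharing a segment with that environment, and no unfirewalled machine bridging segments. The following added example (not from the guide) encodes those conditions as a check over a small topology model and reproduces the verdicts given for the default topology, the flat Office PC topology and the no-router topology. Segment labels, addresses (RFC 1918 ranges and the 203.0.113.0/24 documentation range standing in for a public address) and host names are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# "Private" here means the RFC 1918 ranges a NAT router hides behind its public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_v4(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


@dataclass
class Interface:
    segment: str   # constructed label for the layer-2 segment the adapter is attached to
    address: str


@dataclass
class Host:
    name: str
    interfaces: List[Interface]
    host_firewall: bool
    in_cde: bool   # stores, processes or transmits cardholder data (Host PC, POS terminals)


@dataclass
class Topology:
    perimeter_router_nat: bool     # router providing NAT / PAT at the perimeter
    perimeter_spi_firewall: bool   # stateful packet inspection firewall at the perimeter
    hosts: List[Host]


def assess(topology: Topology) -> List[str]:
    """Return the Req 1 findings for the topology; an empty list means none of the checks failed."""
    findings = []
    if not topology.perimeter_router_nat:
        findings.append("perimeter: no router providing NAT / PAT; internal addressing is exposed")
    if not topology.perimeter_spi_firewall:
        findings.append("perimeter: no stateful packet inspection firewall")
    cde_segments = {i.segment for h in topology.hosts if h.in_cde for i in h.interfaces}
    for h in topology.hosts:
        segs = {i.segment for i in h.interfaces}
        for i in h.interfaces:
            if h.in_cde and not is_private_v4(i.address):
                findings.append(f"{h.name}: public address {i.address} on a cardholder data environment system")
        if not h.in_cde and segs & cde_segments and not h.host_firewall:
            findings.append(f"{h.name}: no host-based firewall on a segment shared with the cardholder data environment")
        if len(segs) > 1 and not h.host_firewall:
            findings.append(f"{h.name}: bridges segments {sorted(segs)} without a host-based firewall (flat network)")
    return findings


HOST_PC = Host("Squirrel Host PC",
               [Interface("pos", "192.168.1.10"), Interface("office", "192.168.0.10")],
               host_firewall=True, in_cde=True)
POS_TERMINAL = Host("POS Workstation 1", [Interface("pos", "192.168.1.21")],
                    host_firewall=False, in_cde=True)


def default_topology() -> Topology:
    """Default topology: NAT router and SPI at the perimeter, firewalled Host PC."""
    office_pc = Host("Office PC", [Interface("office", "192.168.0.50")], host_firewall=True, in_cde=False)
    return Topology(True, True, [HOST_PC, POS_TERMINAL, office_pc])


def flat_office_topology() -> Topology:
    """Router but no SPI; an unfirewalled Office PC on the office segment also cabled into the POS segment."""
    office_pc = Host("Office PC", [Interface("office", "192.168.0.50"), Interface("pos", "192.168.1.50")],
                     host_firewall=False, in_cde=False)
    return Topology(True, False, [HOST_PC, POS_TERMINAL, office_pc])


def no_router_topology() -> Topology:
    """SPI firewall but no NAT router; the Host PC's second adapter carries a public address."""
    host_pc = Host("Squirrel Host PC", [Interface("pos", "192.168.1.10"), Interface("wan", "203.0.113.20")],
                   host_firewall=True, in_cde=True)
    return Topology(False, True, [host_pc, POS_TERMINAL])


if __name__ == "__main__":
    for build in (default_topology, flat_office_topology, no_router_topology):
        print(build.__name__, assess(build()) or "no findings")
```

The model deliberately does not flag the POS terminals for lacking a host firewall, because the text above requires one only at the Host PC; a stricter site policy would change that rule in `assess`.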
For further information on maintaining a secure network, and for complete merchant responsibilities under PCI
DSS Requirement 1, please refer to resources available from the PCI Security Standards Council at
https://www.pcisecuritystandards.org/index.shtml.
That staff authorized to administer Squirrel POS encryption keys (key custodians) are required to sign the
agreement document as a condition of employment with the merchant organization and to indicate acceptance of
their custodial responsibilities.
That the key custodian is in employment with the merchant organization on the date signed
That the key custodian has been provided access to POS system security components (software, keyfiles,
equipment, documentation, passwords) and agrees that he or she:
o Understands that cryptographic encryption keys and information relating to the merchant organization's PCI
security infrastructure and cryptographic controls are most sensitive to the company.
o Has read and understood the merchant organization's information security policies and agrees to comply
with those policies to the best of their ability (see PCI DSS Req. 12)
o Understands that non-compliance with the merchant organization's information security policies can lead to
disciplinary and/or legal action.
o Understands that exceptions to compliance will only occur where compliance would violate local, state, or
federal law, or where a senior officer of the merchant organization or law enforcement officer has given prior
authorization.
o Agrees never to divulge any key management or related security system passwords, processes, security
hardware or secrets associated with the merchant organization's systems to any third party, including other
key custodians, unless authorized by a senior officer of the merchant organization or required to do so by
law enforcement officers.
o Agrees to report promptly and in full to the correct merchant organization personnel any suspicious activity,
including but not limited to key compromise or suspected key compromise, and other activity which can
include:
Indications of unauthorized system use or access.
Phone, email, text, or other message requests from unidentified sources requesting access to
secure systems or information.
Unidentifiable files or applications found on systems in the cardholder data environment.
Unusual activity recorded in log files.
That the key custodian has been given the ability to raise questions about the agreement and has had those
questions answered satisfactorily.
That the custodian agrees to all points and understands an original copy of the agreement will be held on their
personnel record and kept by the merchant organization for an indefinite period.
That the agreement is dated, with the custodian's name printed & signed, and was witnessed by a senior officer
of the merchant organization.
Hardware Components
Component Name | Purpose
Squirrel Host PC | Back-end application, file, and database server for Squirrel Professional POS system
Squirrel POS Workstation | Touchscreen client terminal used for POS order entry and FOH (front of house) system administration
Ethernet Switch | Provides switched Ethernet communication between the Host PC and POS Workstations
Router / Firewall | Provides secure routing of POS traffic to/from external networks via NAT / PAT and SPI firewall support
Requisition / Check Printer | 40-column printer for receipts, checks, and credit card vouchers
Software Components
Component Name | Purpose
Microsoft SQL Server (2000 / 2005 / 2008) | RDBMS used to store Squirrel POS configuration and transactional data
Oracle (Sun) JRE 6 | Java runtime environment used by the Squirrel POS client
Services
Display Name | Name | Purpose
Sentinel HASP License Manager | hasplms | Licensing service for Squirrel HASP
SSHFS / SFTP | | Provides secure shell file transfer between Host PC and POS Workstations
TCP/IP | | Provides communication between the Squirrel Host Service and POS client
TLS / SSL | | Provides encrypted transport for payment data exchanged between the Squirrel Host Service and merchant processor(s)
%sqcurdir%\host\host1\cc_*.zip
%sqcurdir%\host\host1\ccvoids.dat
%sqcurdir%\tracking\dayaft.zip
%sqcurdir%\tracking\daybef.zip
%sqcurdir%\tracking\dbbegin.zip
%sqcurdir%\tracking\dbend.zip
%sqcurdir%\tracking\generationall.zip
%sqcurdir%\tracking\hcm_*.dat
%sqcurdir%\tracking\hcm_*.lst
%sqcurdir%\tracking\hcm_*.sqe
%sqcurdir%\tracking\hcm_*.xml
%sqcurdir%\tracking\ht*.zip
%sqcurdir%\tracking\openchecksatclose.zip
%sqcurdir%\tracking\openchecksatopen.zip
%sqcurdir%\tracking\pcm_*.dat
%sqcurdir%\tracking\pcm_*.lst
%sqcurdir%\tracking\pcm_*.sqe
%sqcurdir%\tracking\pcm_*.xml
%sqcurdir%\tracking\trak.dat
%sqcurdir%\tracking\trak.lst
%sqcurdir%\online\xferclosepay.dat