Ongoing User Security

This section describes tasks that are typically performed within or with the NetSuite Point of Sale (NSPOS) secure environment after the initial implementation.

Secure the Default Operator after first Implementation

A new NSPOS implementation comes with a default operator user called 9999 with the default password Admin123.

You should secure this user account by disabling the 9999 operator’s role or resetting its password. Securing the default operator is part of the NSPOS Payment Application Data Security Standard (PA-DSS) requirements.

After you disable the 9999 account or change its password from any register, you do not need to repeat the procedure on other registers, including registers provisioned later.

Warning:

Immediately after your initial implementation you should secure the default operator by disabling the operator’s role or changing the default password.

You can choose from two methods:

  • Disable the Default Operator, or

  • Reset the Default Operator’s password

Change the 9999 operator’s Role to Disabled.

To Disable the Default Operator:

  1. Sign in to any NSPOS register as an administrator (9090 level operator).

  2. Press Ctrl+F12 on the keyboard to open the Function List.

  3. Enter edit operator in the search field.

  4. Tap Edit Operator.

  5. Search for operator 9999.

  6. Tap the 9999 record.

  7. Tap the Operator Role browse icon.

  8. Select Disabled.

  9. Tap Done.

    Important:

    After disabling the default operator’s role, you should verify that the change occurred. Do either of the following tasks.

  10. Verify that 9999’s role is disabled. You can:

    • Repeat the previous steps 1 – 6 and verify that the 9999 Operator Role is Disabled, or

    • Try to log in as the default operator.

      You should not be able to log in, and NSPOS displays an error message stating that an invalid logon was entered.

To Reset the Default Operator’s password:

  1. Sign in to any NSPOS register as an administrator (9090 level operator).

  2. Press Ctrl+F12 on the keyboard to open the Function List.

  3. Enter edit operator in the search field.

  4. Tap Edit Operator.

  5. Search for operator 9999.

  6. Tap the 9999 record.

  7. Tap Set Password.

  8. Enter the new Password.

  9. Enter the password again to Confirm.

  10. Tap Change.

    Important:

    After resetting the password, you should verify that the default password is no longer valid.

  11. Verify that 9999’s password was changed.

    Log in to NSPOS using the default operator account 9999 and the default password Admin123. The login should fail with an error message stating that an invalid logon was entered.

Tip:

For more information on working with operator accounts, see Employees and NSPOS.

Register Use

A cashier, sales associate or other authorized operator can perform the following customer transactions from an NSPOS register:

  • Process Sales Transactions

  • Apply Discounts

  • Make limited adjustments to how Sales Taxes are applied

  • Suspend, Resume, Cancel Transactions

  • Print and reprint Receipts

  • Look up Past Transactions

  • Change the Sales Associate assigned to a transaction

  • Process Sales Orders

  • Process Returns

  • Sell or redeem a Gift Card or Gift Certificate

For more information on daily register tasks involving transactions, see Basic Sales Transactions in the NSPOS Administrator Guide.

Cash Till Management

The physical portion of a till is also called a cash drawer, and is the drawer or cabinet in which cash payments are placed and change is removed. Most till management tasks are manual, such as entering the cash put into and removed from the drawer. These tasks are important for recording deposit amounts and determining any overages or shortages.

A business day represents the time from when a retail store starts its operations to when operations end, as a continuous session. NSPOS uses start of day and end of day tasks to separate till activities into separate business days. The day does not have to match a calendar date or time range. If more than one cashier shift uses a register during a business day, then each cashier can be responsible for opening and closing the till for their shift within that day.

A typical business day includes the following manager tasks:

  • Start of Day – Enter Beginning Till Count

  • During the Day – Make a Drawer Drop

  • During the Day – Make a Drawer Loan

  • During the Day – Make a Disbursement

  • End of Day – Count and Settle Till

For complete steps, see Cash Drawer Till Management in the NSPOS Administrator Guide.

Auto Logout for Idle Time

It is important that an NSPOS register not be left unattended. The method used to lock out a register that is left idle depends on the role of the cashier or other user.

  • Administrator role — If a register is left idle for 15 minutes, the administrator is logged off and the register switches to Closed Mode. Access to NSPOS from the register is denied until that user or another user logs on.

  • Non-administrator roles — The idle time minutes allowed can be adjusted by role. See Update a Password Policy to find the password policy associated with a role. Then update the Auto Logout Period in Minutes field.

Lock Down vs. Log Out

An automatic lock down disables access to NSPOS registers while leaving the cashier logged in. A log out ends the cashier’s NSPOS session.

  • When locked down:

    • NSPOS appears closed, but the cashier is still logged in.

    • Any task or transaction that the cashier had open before lock down is kept open. This behavior means that the cashier can continue where they left off.

    • Only the logged in cashier or an administrator can unlock an NSPOS register.

  • When Logged out:

    • The cashier is logged off NSPOS, closing the session. The register is not “locked down.”

    • Any task or transaction that was open before log out is closed.

    • For administrators customizing NSPOS settings, logging out causes any unsaved changes to be lost.

    • Any cashier or other user can log into a register after the previous user has logged out.

Warning:

You should never leave an NSPOS register unattended with an open session under any circumstances. If a cashier must leave the register area, they should log off first.

Cashiers must log out when their shift ends. Otherwise, NSPOS will lock down after a predetermined period and a cashier starting a new shift on the register will be unable to log in.

To open a register that was left locked after shift end, either the logged in cashier must return to unlock NSPOS or the manager must locate an administrator to perform the task.

Gift Card and Certificate Management

NSPOS supports creating gift cards and gift certificates through the NetSuite ERP interface. These products can then be sold or redeemed by the cashier through a sales transaction. NSPOS also supports selling and redeeming external gift cards issued by an authorized third-party.

NetSuite uses the term gift certificate exclusively instead of gift card. Each gift card issued in NSPOS – whether as a physical gift card or email gift certificate – creates a corresponding gift certificate record in the business’s NetSuite account. A gift certificate record is a type of item record that holds all key information about the gift card/certificate, including the beginning amount, remaining amount, and the authorization code.

Gift Card Track Data Specifications

Gift card track data must be formatted in a specific way for it to be readable in NetSuite Point of Sale (NSPOS). This formatting follows the ISO standard for magnetic stripe cards (ISO/IEC 7813). The following are the requirements and options for using gift cards in NSPOS retail operations.

Gift card numbers must meet these requirements:

  • The card number prefix is a fixed series of digits. One digit is the minimum length; 3 or more digits are recommended.

    In general, all gift cards issued by a single retailer will use the same prefix. However, Professional Services can set up additional prefixes if needed.

  • Total length, including the prefix, must be between 9 and 32 digits.

  • Numeric values 0 – 9 only. The number cannot contain alphabetic characters.

  • Gift card number must be present on Track 2.

Important:

Businesses should avoid using numbering schemes from which it is possible to determine future numbers by reviewing numbers previously issued. For example, do not use sequential numbers.

Gift card numbers should be generated with a cryptographically secure random number generator and be of sufficient length. These security requirements apply to all gift cards issued through NSPOS.
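The following is an added example, not NSPOS code, showing how a retailer could generate card numbers that meet the requirements above (fixed numeric prefix, 9 to 32 digits, digits only, unpredictable) and check numbers read from Track 2. The prefix 7781 and the 16-digit length are constructed values; the Track 2 parser relies only on the ISO/IEC 7813 start sentinel, field separator and end sentinel.

```python
import re
import secrets

# Constructed values for this example: a retailer's real prefix is assigned
# during NSPOS setup, and the total length is a policy choice within 9-32.
PREFIX = "7781"
TOTAL_LENGTH = 16
MIN_LENGTH, MAX_LENGTH = 9, 32

def generate_gift_card_number(prefix=PREFIX, total_length=TOTAL_LENGTH):
    """Fixed prefix followed by digits drawn from the OS CSPRNG."""
    if not re.fullmatch(r"[0-9]+", prefix):
        raise ValueError("prefix must be digits only")
    if not MIN_LENGTH <= total_length <= MAX_LENGTH:
        raise ValueError("total length must be between 9 and 32 digits")
    random_len = total_length - len(prefix)
    if random_len < 1:
        raise ValueError("prefix leaves no room for random digits")
    # secrets.randbelow is unpredictable, unlike a sequential counter;
    # zero-pad so every number has the same width
    body = str(secrets.randbelow(10 ** random_len)).zfill(random_len)
    return prefix + body

def validate_gift_card_number(number, prefix=PREFIX):
    """Requirements from the page that number violates ([] means valid)."""
    problems = []
    if not re.fullmatch(r"[0-9]+", number):
        problems.append("must contain digits 0-9 only")
    if not MIN_LENGTH <= len(number) <= MAX_LENGTH:
        problems.append("total length must be 9-32 digits")
    if not number.startswith(prefix):
        problems.append(f"must start with prefix {prefix}")
    return problems

# ISO/IEC 7813 Track 2 framing: ';' start sentinel, '=' field separator,
# '?' end sentinel. The card number is taken as the first field; anything
# after '=' is ignored here.
TRACK2_RE = re.compile(r"^;(?P<pan>[0-9]+)(?:=(?P<rest>[^?]*))?\?$")

def card_number_from_track2(track2):
    """Extract and validate the card number from raw Track 2 data."""
    m = TRACK2_RE.match(track2)
    if not m:
        return None, ["Track 2 data not readable"]
    number = m.group("pan")
    return number, validate_gift_card_number(number)
```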

For more information, see Gift Cards and Gift Certificates in NSPOS in the NSPOS Administrator Guide.

Employee Set up and Maintenance

NSPOS uses a combination of NetSuite ERP operations and functions available from the register to manage employee access.

Set up a new Employee (Operator)

Employees are called operators in NSPOS. Administrators set up new NSPOS operators for their retail business. These setup tasks take place in the NetSuite ERP online application and in the manager tools found in NSPOS. The second part can be performed from any NSPOS register.

The procedure is to:

  1. Create the Employee record and RA-Operator ID in NetSuite

  2. Complete the Operator setup in NSPOS using the Manager Functions button.

Note:

By default, the Manager Functions button is located on the main (bottom) button bar in the Journal window. Your company’s custom setup may have the button in a different location or under a different name.

For complete steps, see Setting up a New Employee in the NSPOS Administrator Guide.

Reset an Employee’s Password

Administrators can reset an employee’s (operator’s) NSPOS password from any register. This procedure can be used when an employee has forgotten their password, believes it has been compromised, or as part of a standard security task.

For complete steps, see Resetting an Employee Password in the NSPOS Administrator Guide.

Change an Employee’s Security Role Assignment

Administrators can adjust an NSPOS security role assignment. This adjustment can be used for permanent assignments or for situations such as covering a shift gap by temporarily assigning a manager role to a sales associate/cashier. The administrator can reverse temporary assignments by using the same procedure.

For complete steps, see Changing an Employee’s Security Role in the NSPOS Administrator Guide.

Block an Employee’s Access to NSPOS

Administrators can remove an employee’s (operator’s) access to sign into NSPOS by setting their role to Disabled. This role change does not remove the employee from the system, but it does lock them out. Keeping the employee in the system is important in the event you must research their NSPOS history.

For complete steps, see Disabling an Employee’s Access to NSPOS in the NSPOS Administrator Guide.

Assign Operator Roles to Limit Access

In NSPOS, employees or users who perform register tasks or who are responsible for maintaining the application are called operators. Operators include all of the positions below. The list of duties is not comprehensive; these are brief descriptions only, and your business might use its own customized positions or roles.

  • Sales Associates – Perform sales transactions and work with customer information.

  • Specialists – Perform tasks that require training and responsibilities beyond a basic sales associate.

  • Openers/Closers – Perform sales associate and specialized tasks plus can be delegated to perform beginning of day and end of day till tasks.

  • Managers – Perform beginning of day and end of day till tasks, can sign in during transactions to authorize discounts or other overrides, run reports and assist employees with optional time clock issues.

  • Administrators – Set up employees, customize NSPOS to fit business needs, perform other administrator and system tasks.

Operator Role / Group                   Operator Role / Group ID   Resource ID
Sales Associate, Cashier, xPOS Access   100                        2
Specialist                              200                        2
Opener / Closer                         500                        9050
Manager                                 700                        9070
System Administrator                    900                        9090

Password Requirements

Signing into NSPOS requires entering a User ID and Password. NSPOS uses the Payment Application Data Security Standard (PA-DSS) to determine the requirements for setting and maintaining passwords.

NSPOS uses different password requirements for administrator roles and roles that do not require administrator-level access. Administrators can adjust the requirements for non-administrator roles.

Requirements for Administrator Roles

Administrators cannot adjust the requirements for their role.

  • Passwords must be at least 7 characters and include both letters and numbers.

  • Passwords must change every 90 days.

  • New passwords must be different than the previous 5 passwords.

Default Requirements for Non-administrator Roles

For managers, sales associates and other operators, the administrator is responsible for setting up their passwords and password policies per your store or company's policies. Administrators can adjust the requirements for non-administrator roles by adjusting a role’s password policy. See Update a Password Policy.

The following are the default requirements for non-administrator roles:

  • Length must be at least 8 characters, maximum 128 characters

  • Must include at least 1 number (0 - 9)

  • Must include at least 1 lowercase alpha character (a - z)

  • Must include at least 1 uppercase alpha character (A - Z)

  • Must include at least 1 non-alphanumeric character (!@#$%^&*.:;~'` "*/\+?-,_|=()[]{}<>)

  • Passwords expire after 180 days

  • Account is locked after 5 failed login attempts

Update a Password Policy

Administrators make updates to a password policy by editing a Role’s NetSuite ERP RA-Operator Password Policy record. Each Role has a separate record and can have a unique policy. Policy updates download to your registers during the normal synchronization process.

If a user is assigned a different Role, they might be required to change their password at the next login.

To update Password Policy rules:

  1. Log in to NetSuite as an administrator.

  2. Go to Customization > Lists, Records & Fields > Record Types.

  3. Locate the RA-Operator Password Policy row.

  4. Click List.

    The RA-Operator Password Policy List displays the current password setup for all Roles.

  5. Click a Role’s Edit link to make changes.

    Tip:

    Use the System Notes subtab on the record to view your history of Password Policy changes.

  6. Select the Operator Role/Group to which the password policy will apply.

  7. Set the desired policy for the Role:

    • Minimum Length – Enter the minimum password character length allowed.

      • Values: 8 – 128

      • Default: 8

    • Require Special Characters – If checked, password must include at least one non-alphanumeric character (!@#$%^&*.:;~'` "*/\+?-,_|=()[]{}<>).

      • Values: Yes (checked), No (cleared)

      • Default: Yes

    • Require Mixed-Case Characters – If checked, password must include at least one uppercase alphabetic character (A - Z) and one lowercase alphabetic character (a - z).

      • Values: Yes (checked), No (cleared)

      • Default: Yes

    • Require Numbers – If checked, password must include at least one number (0 - 9).

      • Values: Yes (checked), No (cleared)

      • Default: Yes

    • Expiration Period in Days – Number of days after current password was set before user is required to change their NSPOS password.

      A value of 0 (zero) means that passwords do not expire.

      • Values: 0 – 365

      • Default: 180

    • Max Invalid Login Attempts – Number of failed login attempts before the user’s account is locked. If a user is locked out, they cannot log in until an administrator unlocks their account.

      See Unlock an Employee’s Account for NSPOS under Company > Employees in the NSPOS Administrator Guide.

      A value of 0 (zero) means the Invalid Login Attempts feature is disabled.

      • Values: 0 – 10

      • Default: 5

    • Auto Logout Period in Minutes – If a register is left idle for this period, the register automatically logs the user out. They must log in again to resume activity.

      A value of 0 (zero) means the Auto Logout Period feature is disabled.

      • Values: 0 – 60

      • Default: 15

    • Require Password Change Next Login – If checked, all users with the selected Role must change their password the next time they log in.

      • Values: Yes (checked), No (cleared)

      • Default: No

    Tip:

    Use the User Notes subtab to list why a policy was changed. Click New Note.

  8. Click Save.
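The following is an added example, not NSPOS or NetSuite code, that models the RA-Operator Password Policy fields and defaults listed above, checks that field values fall within the ranges the record accepts, and evaluates a candidate password against both a non-administrator policy and the fixed administrator rules (7 or more characters, letters and numbers, not one of the previous 5). The field names and the violation labels are this example's own.

```python
from dataclasses import dataclass

# Characters the page lists as non-alphanumeric (the space is one of them)
SPECIAL_CHARS = set("!@#$%^&*.:;~'` \"*/\\+?-,_|=()[]{}<>")
MAX_LENGTH = 128  # maximum password length stated for non-administrator roles

@dataclass(frozen=True)
class PasswordPolicy:
    # Fields mirror the RA-Operator Password Policy record; defaults are the
    # page's defaults for non-administrator roles. 0 disables a feature.
    minimum_length: int = 8
    require_special_characters: bool = True
    require_mixed_case: bool = True
    require_numbers: bool = True
    expiration_period_days: int = 180
    max_invalid_login_attempts: int = 5
    auto_logout_minutes: int = 15

    def range_violations(self):
        """Names of fields outside the ranges the policy record accepts."""
        ranges = {
            "minimum_length": (self.minimum_length, 8, 128),
            "expiration_period_days": (self.expiration_period_days, 0, 365),
            "max_invalid_login_attempts": (self.max_invalid_login_attempts, 0, 10),
            "auto_logout_minutes": (self.auto_logout_minutes, 0, 60),
        }
        return [f for f, (v, lo, hi) in ranges.items() if not lo <= v <= hi]

def password_violations(pw, policy):
    """Rules of a non-administrator policy that pw breaks ([] means it passes)."""
    problems = []
    if not policy.minimum_length <= len(pw) <= MAX_LENGTH:
        problems.append("length")
    if policy.require_numbers and not any("0" <= c <= "9" for c in pw):
        problems.append("number")
    if policy.require_mixed_case and not (
        any("a" <= c <= "z" for c in pw) and any("A" <= c <= "Z" for c in pw)
    ):
        problems.append("mixed_case")
    if policy.require_special_characters and not any(c in SPECIAL_CHARS for c in pw):
        problems.append("special")
    return problems

def admin_password_violations(pw, previous):
    """Fixed administrator rules: 7+ chars, letters and numbers, none of the last 5."""
    problems = []
    if len(pw) < 7:
        problems.append("length")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("letters_and_numbers")
    if pw in previous[-5:]:  # previous is oldest-first; only the last 5 count
        problems.append("reused")
    return problems
```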

Minimum Security Standards Warning

If an administrator sets one or more password fields to values that do not meet minimum recommendations, NetSuite displays a warning when they click Save.

The administrator can:

  • Click OK to update the policy, or

  • Click Cancel to go back and adjust the settings.

No Backward Compatibility for Password Policy changes

The NSPOS password policy feature in NSPOS 2019.1.0 or later will not synchronize to registers that are on prior releases. For a policy to apply to all registers, you must upgrade all registers to 2019.1.0 or later.

Important:

Upgrade all registers to ensure your password policy applies to your entire register network.
