PCI SSF Related Application Summary

This NetSuite Point of Sale (NSPOS) application summary provides information related to PCI SSF requirements.

Payment Application Name

NetSuite Point of Sale

Payment Application Version

2024.1.X

Stored Cardholder Data

File or Table Name: Not applicable

Description of Stored Cardholder Data:

  • Cardholder Name

  • Truncated PAN

Individual access to cardholder data is logged as follows:

  • Cardholder data from the above table is used only for receipt printing/reprinting purposes

  • There is no clear text PAN stored in the application DB

Database Software Supported

MySQL 8.0 or later

Operating Systems Supported

  • Windows 11 64-bit

  • Windows 10 64-bit

Application Authentication

The NetSuite Point of Sale administrator can manage users’ accounts and define their privileges. Each user is required to log in to the application with a user name and password at the beginning of their work and must log out at the end. The user is automatically logged out after 15 minutes of inactivity.

Setting Up Strong Access Controls

PCI SSF requires that access to all systems in the payment processing environment be protected through the use of unique users and complex passwords. Unique user accounts means that every account in use is associated with a single individual user or process; generic group accounts shared by more than one user or process are not used.

All authentication credentials are generated and managed by the application. Secure authentication is enforced automatically for all credentials by the completion of the initial installation and for any subsequent changes (for example, changes that result in user accounts reverting to default settings, changes to existing account settings, or changes that generate new accounts or recreate existing accounts). To maintain PCI SSF compliance, the following 11 points must be followed:

  1. The payment application must not use or require the use of default administrative accounts for other necessary or required software (for example, database default administrative accounts)

  2. The payment application must enforce the changing of all default application passwords for all accounts that are generated or managed by the application, by the completion of installation and for subsequent changes after the installation. This statement applies to all accounts, including user accounts, application and service accounts, and accounts used by Oracle Corporation for support purposes.

  3. The payment application must assign unique IDs for all user accounts

  4. The payment application must provide at least one of the following three methods to authenticate users:

    • Something you know, such as a password or pass-phrase

    • Something you have, such as a token device or smart card

    • Something you are, such as a biometric characteristic

  5. The payment application must NOT require or use any group, shared, or generic accounts and passwords

  6. The payment application requires that passwords be at least 7 characters long and include both alphabetic and numeric characters

  7. The payment application requires passwords to be changed at least every 90 days

  8. The payment application keeps password history and requires that a new password is different from any of the last 4 passwords used

  9. The payment application limits repeated access attempts by locking out the user account after no more than 6 sign-on attempts

  10. The payment application sets the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID

  11. The payment application requires the user to re-authenticate to re-activate the session if the application session has been idle for more than 15 minutes

    [Figure: Windows Screensaver settings]

    To find the Password Policy and Account Lockout Policy in Windows 11:

    1. Enter group in the Windows Start search field.

    2. Open the Edit Group Policy application.

    3. Go to Local Computer Policy > Computer Configuration > Windows Settings.

    4. Go to Security Settings > Account Policies > Password Policy or Account Lockout Policy.

      [Figure: Windows Group Account Policies]
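    The following audit helper is an added example, not part of NSPOS or its documentation. It exports the workstation's local security policy with secedit (the same Password Policy and Account Lockout Policy settings the steps above reach through the Group Policy editor) and compares the [System Access] values against the thresholds in points 6 to 10; the function names, the thresholds table and the temporary file path are this example's own choices.

```powershell
# Added audit helper (not NSPOS code): compare the local Windows password and
# lockout policy with the PCI SSF points listed in this summary.
# Run in an elevated PowerShell session on the POS workstation.

# Thresholds taken from points 6 to 10 above; keys are the secedit INF names.
$Required = [ordered]@{
    MinimumPasswordLength = @{ Min = 7;  Note = 'point 6: at least 7 characters' }
    PasswordComplexity    = @{ Min = 1;  Note = 'point 6: letters and numbers required' }
    MaximumPasswordAge    = @{ Max = 90; Note = 'point 7: change at least every 90 days' }
    PasswordHistorySize   = @{ Min = 4;  Note = 'point 8: differ from last 4 passwords' }
    LockoutBadCount       = @{ Max = 6;  Note = 'point 9: lock after no more than 6 attempts' }
    LockoutDuration       = @{ Min = 30; Note = 'point 10: locked 30 minutes or until unlocked' }
}

function Get-LocalSystemAccessPolicy {
    # secedit writes an INI-style file; only the [System Access] section is needed.
    $cfg = Join-Path $env:TEMP 'nspos-secpol.inf'   # temporary path chosen for this example
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $values = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $values[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $values
}

function Test-NsposPasswordPolicy {
    param([hashtable]$Policy = (Get-LocalSystemAccessPolicy))
    foreach ($key in $Required.Keys) {
        $rule   = $Required[$key]
        $actual = $Policy[$key]
        # A value of 0 for LockoutBadCount means "never lock out" and -1 for
        # MaximumPasswordAge means "never expires"; both fail the Max rules.
        # LockoutDuration = -1 means "until an administrator unlocks", which point 10 allows.
        $ok = ($null -ne $actual) -and
              (($key -eq 'LockoutDuration' -and $actual -eq -1) -or
               ((-not $rule.ContainsKey('Min') -or $actual -ge $rule.Min) -and
                (-not $rule.ContainsKey('Max') -or ($actual -ge 1 -and $actual -le $rule.Max))))
        [pscustomobject]@{ Setting = $key; Actual = $actual; Compliant = $ok; Requirement = $rule.Note }
    }
}

Test-NsposPasswordPolicy | Format-Table -AutoSize
```

    A setting that is missing from the export is reported as non-compliant rather than skipped, so an unset lockout policy shows up as a failure.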
