Security For Your Peripheral Devices

In addition to maintaining security for your applications through updates and monitoring, you should ensure the security of your peripheral devices. The following are guidelines to help with this task.

PCI-Compliant Wireless and Bluetooth Settings

The wireless communication channel — either Wi-Fi or Bluetooth — should be secured using strong cryptography.

Strong Cryptography

Cryptography based on industry-tested and accepted algorithms, along with strong key lengths (a minimum of 112 bits of effective key strength) and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). At the time of publication, examples of industry-tested and accepted standards and algorithms for minimum encryption strength include AES (128 bits and higher), TDES (minimum triple-length keys), RSA (2048 bits and higher), ECC (160 bits and higher), and ElGamal (2048 bits and higher). See NIST Special Publication 800-57 Part 1 (http://csrc.nist.gov/publications/) for more guidance on cryptographic key strengths and algorithms.
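To make the two figures in that definition concrete, the following script evaluates a key against both the per-algorithm floors listed above and the 112-bit effective-strength minimum. It is an added example, not SCIS or PCI SSC code: the per-algorithm floors are taken from the text, the effective-strength bands are those of NIST SP 800-57 Part 1 (Table 2), and treating ElGamal like the other finite-field/integer schemes is an assumption. Note that a 160-bit ECC key sits in NIST's 80-bit band, so it passes the listed floor but not the 112-bit check; the function reports both results so an assessor can see which test failed.

```python
"""Key-strength check against the minimums quoted in the paragraph above.

Added example, not SCIS or PCI SSC code. Per-algorithm floors come from the
text; effective-strength bands follow NIST SP 800-57 Part 1, Table 2, with
ElGamal treated like the other finite-field/integer schemes (assumption).
"""

PCI_MIN_EFFECTIVE_BITS = 112

# Minimum key length per algorithm, as listed in the text (TDES: three 56-bit keys).
PCI_MIN_KEY_BITS = {"AES": 128, "TDES": 168, "RSA": 2048, "ECC": 160, "ELGAMAL": 2048}

# NIST SP 800-57 Part 1 Table 2 bands: (minimum key/modulus bits, security strength).
_IFC_FFC_BANDS = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))
_ECC_BANDS = ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80))


def _band_strength(key_bits, bands):
    """Return the strength of the first band whose minimum the key size reaches."""
    for minimum, strength in bands:
        if key_bits >= minimum:
            return strength
    return 0


def effective_strength_bits(algorithm, key_bits):
    """Estimated security strength in bits for a key of the given size."""
    alg = algorithm.upper()
    if alg == "AES":
        # AES strength equals its key length for the three defined sizes.
        return key_bits if key_bits in (128, 192, 256) else 0
    if alg == "TDES":
        # Three-key TDEA (168-bit key) is rated 112 bits; two-key (112-bit key) only 80.
        if key_bits >= 168:
            return 112
        return 80 if key_bits >= 112 else 0
    if alg in ("RSA", "ELGAMAL"):
        return _band_strength(key_bits, _IFC_FFC_BANDS)
    if alg == "ECC":
        return _band_strength(key_bits, _ECC_BANDS)
    raise ValueError(f"unsupported algorithm: {algorithm!r}")


def check_key(algorithm, key_bits):
    """Evaluate one key against both figures in the text: the per-algorithm
    floor and the 112-bit effective-strength minimum. Returns a dict so the
    caller can see which of the two tests failed."""
    alg = algorithm.upper()
    strength = effective_strength_bits(alg, key_bits)
    meets_floor = key_bits >= PCI_MIN_KEY_BITS[alg]
    meets_effective = strength >= PCI_MIN_EFFECTIVE_BITS
    return {
        "algorithm": alg,
        "key_bits": key_bits,
        "effective_bits": strength,
        "meets_floor": meets_floor,
        "meets_effective": meets_effective,
        "acceptable": meets_floor and meets_effective,
    }


if __name__ == "__main__":
    # Constructed sample: key sizes an assessor might find in a configuration review.
    samples = [("AES", 128), ("TDES", 112), ("RSA", 1024), ("RSA", 2048), ("ECC", 160), ("ECC", 256)]
    for alg, bits in samples:
        r = check_key(alg, bits)
        verdict = "OK  " if r["acceptable"] else "FAIL"
        print(f"{verdict} {alg}-{bits}: ~{r['effective_bits']} bits effective")
```

Run it as a script to print a verdict per sample key, or import `check_key` into an inventory script that reads key sizes from device or certificate metadata.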

SCIS is compatible with various wireless technologies, and the wireless networking device(s) chosen can vary. All wireless vendor guidance on how to properly secure these devices should be followed, and the following should be confirmed wherever possible per PCI Data Security Standard 3.2.1 requirements 1.2.3, 2.1.1, 4.1.1, and 11.1:

  • 1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data. These firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

  • 2.1.1: The tasks described below cannot be performed in SCIS but can be performed on peripheral devices used with SCIS. Follow vendor or manufacturer recommendations to change wireless vendor defaults per the following 5 points:

    1. Encryption keys must be changed from default at installation and must be changed anytime anyone with knowledge of the keys leaves the company or changes positions.

    2. Default SNMP community strings on wireless devices must be changed.

    3. Default passwords and passphrases on access points must be changed.

    4. Firmware on wireless devices must be updated to support strong encryption for authentication and transmission over wireless networks.

    5. Other security-related wireless vendor defaults, if applicable, must be

  • 4.1.1: Industry best practices, such as IEEE 802.11i, must be used to implement strong encryption for authentication and transmission of cardholder data.

  • 11.1: Involves detecting and identifying wireless access points, specifically 802.11 devices. Detection and identification of wireless access points must occur at least quarterly. This requirement is for all locations, including those where no authorized wireless technologies are deployed, as the aim is to detect both authorized and unauthorized wireless access points.
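The 11.1 detection sweep is essentially a comparison of what a scan sees against what the organization has authorized, repeated at least quarterly. The script below shows that comparison and the cadence check. It is an added example, not SCIS code: the inventory, the scan lines and the dates are constructed, the scan format is invented for the example, and the 92-day interval used to stand in for "quarterly" is an assumption.

```python
"""Compare a wireless scan with the authorised access-point inventory and check
the scan cadence, for the 11.1 requirement above.

Added example, not SCIS code. The inventory, scan lines and dates are
constructed; the scan line format is invented for this example; the 92-day
interval standing in for "quarterly" is an assumption.
"""

from datetime import date

# Constructed inventory: BSSID -> (authorised SSID, location).
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": ("STORE-POS", "front counter"),
    "aa:bb:cc:00:00:02": ("STORE-POS", "stockroom"),
}

# Constructed scan output, one detected AP per line: BSSID SSID CHANNEL RSSI(dBm).
SAMPLE_SCAN = """\
# bssid              ssid       ch  rssi
aa:bb:cc:00:00:01    STORE-POS  6   -41
aa:bb:cc:00:00:02    STORE-POS  11  -67
DE:AD:BE:EF:00:01    STORE-POS  6   -38
02:11:22:33:44:55    FreeWiFi   1   -80
"""

MAX_SCAN_INTERVAL_DAYS = 92  # assumption: one calendar quarter plus a little slack


def parse_scan(text):
    """Parse the constructed scan format into dicts; BSSIDs are normalised to lower case."""
    detected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed scan line: {raw!r}")
        bssid, ssid, channel, rssi = fields
        detected.append({"bssid": bssid.lower(), "ssid": ssid,
                         "channel": int(channel), "rssi": int(rssi)})
    return detected


def classify_scan(detected, inventory):
    """Sort detected APs into three buckets. An unknown BSSID advertising one of
    our own SSIDs is the highest-priority finding, because staff devices that
    select networks by name cannot tell it apart from the authorised AP."""
    known_ssids = {ssid for ssid, _location in inventory.values()}
    result = {"authorized": [], "unknown_using_our_ssid": [], "unknown": []}
    for ap in detected:
        if ap["bssid"] in inventory:
            result["authorized"].append(ap)
        elif ap["ssid"] in known_ssids:
            result["unknown_using_our_ssid"].append(ap)
        else:
            result["unknown"].append(ap)
    return result


def scan_overdue(last_scan_iso, today_iso, max_days=MAX_SCAN_INTERVAL_DAYS):
    """True when the last detection sweep (ISO date) is older than the allowed interval."""
    last_scan = date.fromisoformat(last_scan_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_scan).days > max_days


if __name__ == "__main__":
    buckets = classify_scan(parse_scan(SAMPLE_SCAN), AUTHORIZED_APS)
    for bucket, aps in buckets.items():
        for ap in aps:
            print(f"{bucket:24} {ap['bssid']}  ssid={ap['ssid']}  ch={ap['channel']}  rssi={ap['rssi']}")
    print("scan overdue:", scan_overdue("2024-01-02", "2024-04-05"))
```

Anything in the `unknown_using_our_ssid` bucket should be located and investigated first; plain `unknown` entries are often neighbouring networks, but the location requirement in 11.1 still applies to every site, so each one needs a documented disposition.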

Note:

The use of WEP as a security control was prohibited as of June 30, 2010.
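The 2.1.1 points, the 4.1.1 encryption requirement and the WEP prohibition above can all be checked from an access point's exported settings. The script below runs those checks over a constructed configuration. It is an added example, not SCIS or vendor code: the INI-style export format, the two sample access points and the lists of factory credentials and encryption-mode names are constructed for the example.

```python
"""Audit access-point settings against the 2.1.1 points, the 4.1.1 encryption
requirement and the WEP prohibition above.

Added example, not SCIS or vendor code. The INI-style export format, the two
sample access points, the default-credential lists and the encryption-mode
names are constructed for illustration.
"""

import configparser

# Constructed: factory values an auditor would expect to see changed.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}

# Modes that do not deliver strong encryption. WEP has been prohibited since
# June 30, 2010; open networks and WPA/TKIP are not 802.11i-compliant either.
WEAK_MODES = {"open", "wep", "wpa-tkip"}
STRONG_MODES = {"wpa2-aes", "wpa2-enterprise", "wpa3-sae", "wpa3-enterprise"}

# Constructed export: one section per access point.
SAMPLE_CONFIG = """\
[ap-front-counter]
encryption = wpa2-aes
psk_changed_at_install = yes
snmp_community = Rk4-store-mon-77
admin_password = Vq9!plateau-Wren
firmware_supports_strong_crypto = yes

[ap-stockroom]
encryption = wep
psk_changed_at_install = no
snmp_community = public
admin_password = admin
firmware_supports_strong_crypto = no
"""


def audit_access_point(section):
    """Return findings for one AP section; an empty list means all checks passed."""
    findings = []
    mode = section.get("encryption", fallback="").strip().lower()
    if mode in WEAK_MODES:
        note = "; WEP has been prohibited since June 30, 2010" if mode == "wep" else ""
        findings.append(f"4.1.1: encryption mode '{mode}' is not strong{note}")
    elif mode not in STRONG_MODES:
        findings.append(f"4.1.1: unrecognised encryption mode '{mode}', review manually")
    if not section.getboolean("psk_changed_at_install", fallback=False):
        findings.append("2.1.1 point 1: encryption key still at vendor default")
    if section.get("snmp_community", fallback="") in DEFAULT_SNMP_COMMUNITIES:
        findings.append("2.1.1 point 2: default SNMP community string in use")
    if section.get("admin_password", fallback="") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("2.1.1 point 3: default admin password in use")
    if not section.getboolean("firmware_supports_strong_crypto", fallback=False):
        findings.append("2.1.1 point 4: firmware lacks strong-encryption support; update it")
    return findings


def audit_config(text):
    """Parse an INI-style export and audit every access point in it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: audit_access_point(parser[name]) for name in parser.sections()}


if __name__ == "__main__":
    for ap, findings in audit_config(SAMPLE_CONFIG).items():
        print(ap, "PASS" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("   -", finding)
```

Point 5 of 2.1.1 (other security-related vendor defaults) is vendor-specific, so it is not encoded here; extend `audit_access_point` with the settings your vendor's hardening guide names.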

Include Use of Secure Protocols

SCIS does not require the use of any insecure services or protocols. The only protocols required are HTTPS and TLS 1.2.

Physical Security

Include the following guidelines when ensuring the physical security of your peripheral devices.

  • Protect the mobile device from unauthorized attachments: If an entry device, such as a card reader, is attached to the mobile device—whether the connection is physical or wireless—the device needs to identify itself uniquely to the mobile payment-acceptance application. This identification ensures that the correct entry device is paired to the correct mobile device.

  • Maintain a device inventory: Track all devices used for payment transaction processing with their serial number, hardware number, and model number. A process should exist for the detection and reporting of the theft or loss of a mobile device.

  • Prevent unauthorized logical device access: Protect mobile devices from unauthorized logical-device access by using a lock screen with a password or PIN. Store devices in locked cabinets at the end of a business day or shift.

Maintain an Information Security Program

In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data.

Related Topics

SCIS Compatible Peripheral Hardware
Compatible Peripherals
Setting Up Receipt Printers for SCIS
Setting up Barcode Scanners for SCIS
Customer-facing Accessories