Retailer Responsibilities

An instance of EFTLink and any third-party EFT software (dependent on solution) will typically run on the POS hardware and communicate with each other to process EFT transactions when requested by the POS software.

The POS Terminals are in the customer-facing areas of the store, in proximity to both customers and employees. Physical security of the hardware is the responsibility of the retailer, as are operational practices such as provisioning employees to appropriate application roles and shutting registers down when not in use.

Securing the in-store network is a responsibility of the retailer, and the network is assumed to be compliant with PCI-DSS requirements for topology, wireless access, and WAN connections. The connections to the corporate data centers and the external credit authorizers are also assumed to follow PCI-DSS requirements for secured connections.

The PCI-DSS standards are available at:

https://www.pcisecuritystandards.org/pci_security/

It is recommended that all machines on the store network be kept up to date with vendor-supplied patches, especially security patches. The operating systems on POS Terminals should be locked down by removing or disabling unneeded functionality. In particular, ensure that the system cannot be used for browsing the internet.