EasyManua.ls Logo

Toast PCI User Manual

Default Icon
44 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
Page #1 background imageLoading...
Page #1 background image
Toast PCI Instruction Guide

Table of Contents

Question and Answer IconNeed help?

Do you have a question about the Toast PCI and is the answer not in the manual?

Toast PCI Specifications

General IconGeneral
BrandToast
ModelPCI
CategoryTouch terminals
LanguageEnglish

Summary

What are PCI DSS & PA-DSS

About PCI DSS

Explains the Payment Card Industry Data Security Standard (PCI DSS) and its scope.

About PA-DSS

Explains the Payment Application Data Security Standard (PA-DSS).

Merchant General Responsibilities

Remote Access

Data Capture and Removal

Transmitting Cardholder Data

Installation and Removal of Devices

Device Physical Security

PCI DSS Controls Impact & Toast Responsibilities

Keyed to PCI DSS SAQ v3.2.1

Maps PCI DSS v3.2.1 requirements to Toast's role and merchant actions.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 Always change vendor-supplied defaults...

Requirement 3: Protect stored cardholder data

3.1 Keep cardholder data storage to a minimum...

3.2 Do not store sensitive authentication data (SAD) after authorization...

Prohibits storing sensitive authentication data post-authorization.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1 Use strong cryptography and security protocols...

Mandates strong cryptography for data transmission over networks.

4.2 Never send unprotected PANs by end-user messaging technologies...

Requirement 6: Develop and maintain secure systems and applications

6.2 Ensure that all system components and software are protected from known vulnerabilities...

Installing security patches to protect against vulnerabilities.

Requirement 7: Restrict access to cardholder data by business need to know

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

Restricting access based on job role and need-to-know.

7.2 Establish an access control system(s)...

Establishing access control systems based on need-to-know.

Requirement 8: Assign a unique ID to each person with computer access

8.1 Define and implement policies and procedures to ensure proper user identification management...

Policies for user identification management for all system components.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management...

8.3.2 Incorporate multi-factor authentication for all remote network access...

Multi-factor authentication for remote network access.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods...

Requirement 9: Restrict physical access to cardholder data

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Using facility entry controls for physical access to cardholder data environment.

9.3 Control physical access for onsite personnel to sensitive areas as follows:

9.5 Physically secure all media.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Protecting devices from tampering and substitution.

9.9.1 Maintain an up-to-date list of devices.

9.9.2 Periodically inspect device surfaces to detect tampering...

Periodic inspection of devices for tampering or substitution.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.1 Implement audit trails to link all access to system components to each individual user.

Implementing audit trails for user access to system components.

10.2 Implement automated audit trails for all system components to reconstruct the following events:

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

Reviewing logs to identify anomalies and suspicious activity.

Requirement 11: Regularly test security systems and processes

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change...

Running network vulnerability scans quarterly and after changes.

11.2.1 Perform quarterly internal vulnerability scans.

11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV)...

Performing quarterly external vulnerability scans via ASV.

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification...

Performing annual external penetration testing.

Requirement 12: Maintain a policy that addresses information security for all personnel

12.1 Establish, publish, maintain, and disseminate a security policy.

12.2 Implement a risk-assessment process that:

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

12.5.1 Establish, document, and distribute security policies and procedures.

12.6 Implement a formal security awareness program...

12.7 Screen potential personnel prior to hire...

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data...

12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.

12.10 Implement an incident response plan.

Implementing an incident response plan.

Related product manuals