This document establishes system configuration recommendations for all systems that we sell and support. Although it is important for all customers to read, its primary target is customers that have integrated credit card processing with SuperSalon. The goal is to establish one secure recommended configuration that we use on all salon software systems to reduce that ability for personal information or payment information to be compromised at our customer locations. We expect this document to continually evolve. Note that Rogers Software cannot be responsible for ensuring that your business is PCI compliant or that your data is secure. PCI compliance involves many things out of our control including your network, your business policies and controls, etc. We are continually improving our systems, but we cannot guarantee PCI compliance. Please see the information links at the bottom of this page. For more information on PCI compliance we recommend you read the information on the information on this web site. Note: It is the customer's (merchant's) responsibility to ensure these configurations and policies are in place. We have added notes about items that we feel are a point of contention between convenience and security. Note: We do not represent that we are security experts or that this is a complete.

Note: If you ever have a computer that you believe has been breached, we recommend that you format the drive, reinstall Windows and SuperSalon, and all software including anti-virus software, etc. We will assist you in the process. Note, you may wish to replace the hard drive with a new drive so that you can preserve the original drive for evidence if needed.

Typical vulnerabilities in your salon POS system

Keylogging: Card Data passes through salon POS computer hence vulnerable to key loggers.
Network: Networks has vulnerabilities that allow remote access.
Windows: Firewall and updates are not enabled, antivirus is not installed, running as an administrator.
Policies: Staff are allowed to access email or Internet. Systems are infected by mail attachments or links to sites that install malware.
Stored Data: Computers have card data stored locally that can be stolen (old versions of SuperSalon* or 3rd Party software like PC Charge)
Employee: Salon management procedures allow staff to misappropriate card data.

What is SuperSalon doing to improve system security?

New encrypted card readers! We are offering valuable discounts for customers who convert to encrypted readers. This removes readable card data from you system all together. Card data is not unencrypted until it reaches the processor.
- Free encrypted readers
- Low cost processing (guaranteed money savings) through Securenet
- Free setup
We are recommending more secure configurations for your salon POS and network.
We have service offerings to assist with security, or recommended instructions for do-it-yourselfers.
We are using Logmein for increased remote control security.
We are using a password generator to create passwords
We have removed all storage of card data in SuperSalon.
We are integrating with the Verifone MX870 Card reader so we can offer an option where card data never even passes through SuperSalon.
SuperSalon has always come with a built in firewall. We are currently enhancing it to block web access but allow credit processing. (in testing now)
We are reducing the profile of SuperSalon by disabling un-needed services and systems.
Supersalon uploads and downloads are encrypted

What can I do to improve the security of my salon POS?

Basic steps to protect your computer from becoming infected:

Convert to encrypted card readers.
Keep your Windows firewall turned on. (See Below)
Keep your Windows operating system up-to-date by enabling Auto-updates. (See Below)
Keep your anti-virus and anti-spyware software up-to-date. We recommend: Microsoft AntiVirus Instructions.
Add a "limited" Windows user account for the salon called "SuperSalon" to use daily, and password protect the administrator login.
Use secure and unique passwords for your network router, camera systems and remote access systems.
Recognize there is a trade-off between security and convenience.
Instructions for recommended security configurations.
We can help: Security validation services
Comprehensive Microsoft Resource Site.

Network

Convert to encrypted card readers.
Keep your Windows firewall turned on. (See Below)
Keep your Windows operating system up-to-date by enabling Auto-updates. (See Below)
Keep your anti-virus and anti-spyware software up-to-date. We recommend: Microsoft AntiVirus Instructions.
Add a "limited" Windows user account for the salon called "SuperSalon" to use daily, and password protect the administrator login.
Use secure and unique passwords for your network router, camera systems and remote access systems.
Recognize there is a trade-off between security and convenience.
Instructions for recommended security configurations.
We can help: Security validation services.
Comprehensive Microsoft Resource Site.

Firewall

A firewall such as the Windows XP firewall or SuperSalon firewall should be enabled. Start-> Settings -> Control Panel -> Windows Firewall (Security Center) -> On. See firewall settings.
Note: Simply turning on the firewall does not block web and email access. SuperSalon firewall should be installed and configured with "No Web Access" mode. A new version should be installed for salons with integrated processing that allows blocking of all domains except processor domains. (we are testing this now)
Note: Please note that since 2005 SuperSalon has shipped all systems with a built in firewall independent of the Windows firewall. It has no user interface and is not easily detectable. Please email customer support for more information. support@rogerspos.com.

Anti-Virus

We recommend an anti-virus / anti-spyware / anti-malware program be installed. What is malware?
We recommend the use of Microsoft Security Essentials: Microsoft Security Essentials. Ensure that real time protection is enabled. This is FREE to customers with a licensed copy of the Windows operating system. It has low resource usage, a straight forward interface and it is very effective.

Card processing Software:

PC Charge Payment processing software

Old versions of PC Charge are no longer considered secure. These include 5.7 and earlier. You should update to 5.8.x Please see: Security Validation
We strongly recommend using an encrypted and hosted solution like Securenet that does not pass or store card data locally AND that is updated automatically at the server level instead of updating your POS computer when new versions are released, AND there is no up-charge fee for the updates.
We have designed a promotion to help move our customers to secure solutions at no cost.
Note: If you replace PC Charge with secure solutions as recommended, please ensure that you completely uninstall PC-Charge and delete all files

Open ports (Router, Firewall)

Note: Customers often have ports (80, 5700, 5900, etc) open for remote access of the POS computer's browser, VNC, or cameras on the network. This is not recommended. All ports should be closed to incoming requests. If you decide to open ports, then you should limit IP addresses that can access these ports. This can be often be done through firewall settings or router settings.
Router Setup.
Firewall setup.

Remote access software

Logmein, VNC and other remote access software - Must use different password at each location. This can be a point of contention as customers want same password for ease of use. If you use VNC remote access software ensure that you have version 4.1.2 or later.
We recommend Logmein for remote access. We have concerns that VNC may be able to be breached.
Logmein installer.

Third Party Software

We do not recommend installing other software on your POS computer. This includes email clients, camera system software, etc.

SuperSalon Software

If you have integrated credit card processing and you are using a version of SuperSalon prior to version 5, you should upgrade. Prior version stored credit card data in the database. Although it is encrypted, we can no longer support this configuration. Our current version is 5.5.22.

Windows Configurations

Windows Version must be XP updated to Service Pack 3
Windows operating should be set for updates to install automatically. Start-> Settings -> Control Panel -> Automatic Updates -> Automatic
Login to Windows as a user, not as Administrator. Running the computer as an Administrator increases chances that trojans can be installed. To do so simply cake a user account, them password protect the Administrator login. Start-> Settings -> Control Panel -> User Accounts. See Instructions for recommended security configurations.
Disable Windows services that are unused.
- Here are some resources that explain security and how to disable unneeded services:

Customer (your) staff

Restrict access to the Internet on the salon POS system. This is an excellent step to take to avoid spyware and viruses.

FBI Warnings

Restrict access to email on salon POS systems. Attachments or website links can result in viruses. This is a point of contention as many owners wish to use POS for staff email.

FBI Warnings

Create and enforce policy requiring strong passwords.

Security Testing Companies

Regarding PCI DSS testing and certification. Some processors are now requiring all merchants to certify as secure because MasterCard and Visa are requiring proof of compliance in instances of fraud, with the threat of heavy fines. There are four levels of certification. All SuperSalon clients fit in the least stringent level, which is level 4. Level 4 merchants are required to perform a self-assessment questionnaire and network scans. SuperSalon has negotiated a rate of $79 per location for our merchants through National Merchant. This is our cost. We are not looking at this as a revenue source as it is a bit of an “unfunded mandate” of sorts and we don’t think making money from merchants for this service would be fair. Conversely, other programs costs almost $200 per location.

Practical issues for salon owners

Note: Switching to encrypted credit card readers dramatically reduces all of these vulnerabilities as there is no readable card data to steal. Please click here to read more.
Can I safely access my Salon POS system remotely? There are two types or remote access... Use a remote access program that allows you to take control of the host PC, or access host PC as a client through a browser.

Remote access program: Using a solid program like GoToMyPC, or LogMeIn is a safe method as long as strong passwords are used. Disadvantage is that you take over the computer, and this can disrupt staff activities. You cannot simultaneously work in a different section of the program from the staff using the host PC when using one of these programs.
Web based client. SuperSalon is one of the few programs available with this feature. Going to the IP address from a remote computer allows you to go in without disrupting staff using the host PC. You can literally work on other screens. Negative is that it requires an open port in the router to allow access. We have added the ability to add access controls for accessing SuperSalon this way, but it is still not considered secure. See: Security Validation

Can I safely access a camera system remotely at my salon?

Less secure: Your camera system uses cameras with their own IP addresses - and is connected to the same network as your POS - and you open router ports to access the cameras.
More secure: Cameras record to a local PC, and you remotely access this PC with a secure connection or third party software such as GoToMyPC.

Can I allow my staff to use the Internet on the salon POS computer or network?

We do not recommend it as there are many websites that can infect your system and web-based email access that can allow staff to open email attachments with viruses or click on links that open malicious sites.
It is best if POS computer be reserved for running salon managment software.

Can I allow my staff to access email on the salon POS computer or network?

We do not recommend it as we all receive spam email that contains attachments containing viruses and links to malicious sites. Opening these can infect systems. Again, even if there are no attachments, emails can have links to websites that inject viruses using JavaScript.

Is my current credit card processing system secure?

Old versions of PC Charge are no longer considered secure. These include 5.7.x and earlier. You should at minimum update to 5.8.x, or better yet go to IP Charge by Verifone (Payware Connect). We are offering a promotion to make this available at no cost.

Why am I being charged PCI compliance fees by my processor?

More and more processors are assessing fees to cover compliance upgrades, testing, etc. We have negotiated a rate with NMA for $79.

Can I access customer credit card numbers after the initial sale?

Often if there is a problem charging a credit card, or if there was an under-charge, owners wish to go back and charge the card correctly. Since SuperSalon does not keep the card number locally, managers call us for the number. (Asking us to go into PC Charge and retrieve the number. Owners should discourage this.

Can I give customers wireless access through the network shared by my salon POS network?

This is not recommended.

What security policies should I implement for my staff?

All salon POS use (and other computers on network) requires authentication (password)
No sharing passwords with other staff. Each staff has unique password.
Prohibit writing down or electronically saving credit card information

What are my liabilities?

If there is a security breach the merchant may be liable to repay stolen money
With or without a breach, merchants can be liable for fines if they are not secure

Other questions? Email support@rogerspos.com

Passwords

One of the most important components of a secure POS system This tool will make a password for you: PC Tools Password Generator

The strongest passwords look like a random string of characters to attackers. But random strings of characters are hard to remember. Make a random string of characters based on a sentence that is memorable to you but is difficult for others to guess.Think of a sentence that you will remember Example: "My hair salon is three years old." Turn your sentence into a password.

Use the first letter of each word of your memorable sentence to create a string, in this case: "mhsityo".Add complexity to your password or pass phrase Mix uppercase and lowercase letters and numbers. Introduce intentional misspellings. For example, in the sentence above, you might substitute the number 3 for the word "three", so a password might be "MsAi3yo". Substitute some special characters Use symbols that look like letters, combine words, or replace letters with numbers to make the password complex. Using these strategies, you might end up with the password "Mh$ni3y0."Test your new password with Password Checker Password Checker evaluates your password's strength as you type.Keep your password a secret Treat your passwords with as much care as the information that they protect.

For more information, see 5 tips to help keep your passwords secret.Change your password often.Qualities of strong password: Length: Each character you add to your password increases the protection it provides.8 or more characters are the minimum for a strong password; 14 characters or longer are ideal. The greater variety of characters that you have in your password, the harder it is to guess. An ideal password combines both length and different types of symbols. Use the entire keyboard. The easiest way to remember your passwords is to write them down.

It is OK to write passwords down, but keep them secret so they remain secure and effective. Password strategies to avoid: Avoid sequences or repeated characters"12345678," "222222," "abcdefg." Adjacent letters on your keyboard do not make secure passwords. Avoid using only look-alike substitutions of numbers or symbols. Criminals will not be fooled by common look-alike replacements, such as to replace an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". These substitutions can be effective when combined with other measures, such as length, misspellings, or variations in cAsE. Avoid your login name. Don't use any part of your name, birthday, social security number, or similar information for your loved ones.

This type of information is one of the first things criminals will try, and they can find it easily online from social networking sites, online resumes, and other public sources of data. Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, profanity, and substitutions. Avoid using only one password for all your salon accounts. If your password is compromised on any one of the computers or online systems that use it, you should consider all of your other information protected by that password compromised as well. It is critical to use different passwords for different systems. Be careful with password recovery questions. Many Web sites offer a "password " service that lets you provide the answer to a secret question. If you forget your password, the service will send it to you if you can remember the answer to your secret question. The questions are often random, but sometimes the answers to these questions are freely available on the Web. Choose your questions carefully or make up the answers.

PCI - DSS Standards

The core of the PCI -DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

PCI Security Standards

Build and Maintain a Secure Network.

Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data.

Protect stored card-holder data.
Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program.

Use and regularly update anti-virus software.
Develop and maintain secure systems and applications.

Implement Strong Access Control Measures.

Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.

Regularly Monitor and Test Networks.

Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.

Maintain an Information Security Policy.

Maintain a policy that addresses information security.

Security Questions and Answers for salon POS vendors

If you are a merchant, ask your POS vendor about the security of your system, with thefollowing suggested questions:

Is my salon POS software validated to the Payment Application Data Security Standard (refer to PCI SSC’s list of Validated Payment Applications)?

NO - We will persue this in 2010.

Does my salon POS software store magnetic-stripe data (track data) or PIN blocks? If so, this storage is prohibited, so how quickly can you help me remove it?

NO - Supersalon does not store credit card data. The third party program PC Charge does.

Will you document the list of files written by the application with a summary of the content of each file, to verify that the above-mentioned, prohibited data is not stored?

We plan to do this in 2010.

Does your salon POS system require me to install a firewall to protect my systems from unauthorized access?

YES - Supersalon automatically installs a basic firewall.

Are complex and unique passwords required to access my systems?

We are recommending and defining secure passwords - You share responsibility to ensure unique and strong passwords.

Can you confirm that you do not use common or default passwords for mine as well as other merchant systems you support?

NO - We have instituted a written policy. We cannot guarantee unique passwords.

Have default settings and passwords been changed on the systems and databases that are part of the POS system?

As we do security work, we try to ensure passwords are unique and strong.

Have all unnecessary and insecure services been removed from the systems and databases that are part of the POS system?

No - We are working on a list now of all unnecessary servcies such as Windows Messenger. Here are some resources that explain security and how to disable unneeded services:

Do you access your salon POS system remotely? If so, have you implemented appropriate controls to prevent others from accessing my POS system, such as using secure remote access methods and not using common or default passwords? How often do you access my POS device remotely and why? Who is authorized to access my POS remotely?

YES - Staff remotely access the systems to provide technical support. We are working to ensure unique and strong passwords.

Have all the systems and databases that are part of the salon POS system been patched with all applicable security updates?

User responsibility to maintain operating system. Windows updates should be set to automatic.

Is the logging capability turned on for the systems and databases that are part of the POS system?

YES. You can turn on additional logging in the windows firewall under the "Advanced" tab

If prior versions of my salon POS software stored track data, has this feature been removed during updates:

Note: Please ensure antivirus software is installed on all systems.

Post Mortem Findings

Investigations after compromises consistently show common PCI DSS violations, including but not limited to:

Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
Inadequate access controls due to improperly installed merchant POS systems, allowing hackers in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
Default system settings and passwords not changed when system was set up (Requirement 2.1)
Unnecessary and insecure services not removed or fixed when system was set up (Requirement 2.2.2)
Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5)
Missing and outdated security patches (Requirement 6.1)
Lack of logging (Requirement 10)
Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
Lack of segmentation in a network, making cardholder data easily accessible through weaknesses in other parts of the network (for example, from wireless access points, employee email, and web browsing) (Requirements 1.3 and 1.4)

Resources

For more information on PCI compliance we recommend you read the information on the following web site:

Rogers Software - SuperSalon Legal