Last Topic "Software Installation"
This section outlines the basic procedures for setting up the different password levels in Restaurant Manager:
Employee Passwords - allow individual employees to execute POS operations and BackOffice Functions that have been protected at a Security Level equal to or less than the Security Level of the password, itself
Master Password - gives access to ANY POS Operation or BackOffice Function protected with an Employee Password prompt.
Administrator Passwords - allows select employees to access sensitive credit card information that has been protected with a hard coded password prompt in order to meet the Data Security Standards (DSS) promulgated by the Payment Card Industry (PCI).
Daily Passwords - used by technicians who need to reset Administrator Passwords.
The Restaurant Manager Manual section on passwords outlines how and where passwords are used within the software. This section deals more with the PCI-DSS requirements of password use.
ASI Resellers, end users, and third party participants (i.e. outside network specialists) are advised to control access using unique usernames and PCI DSS compliant complex passwords, to any servers/computers, and databases with payment applications and cardholder data.
The PCI DSS requires that access to all systems in the payment processing environment be protected through use of unique users and complex passwords. Unique user accounts indicate that every account used is associated with an individual user and/or process with no use of generic group accounts used by more than one user or process.
PA-DSS 3.1 - The payment application must support and enforce the use of unique user IDs and secure authentication for all administrative access and for all access to cardholder data. Secure authentication must be enforced to all accounts generated or managed by the application by the completion of installation and for subsequent changes after installation. Aligns with PCI DSS Requirements 8.1 and 8.2. The application must enforce 3.1.1 through 3.1.11 below:
PA-DSS 3.1.1 The payment application does not use (or require the use of) default administrative accounts for other necessary software (for example, the payment application must not use the database default administrative account). Aligns with PCI DSS Requirement 2.1
PA-DSS 3.1.2- The application must enforce the changing of all default application passwords for all accounts that are generated or managed by the application, by the completion of installation and for subsequent changes after installation. This applies to all accounts, including user accounts, application and service accounts, and accounts used by the vendor for support purposes. Aligns with PCI DSS Requirement 2.1
PA-DSS 3.1.3 -The payment application assigns unique IDs for user accounts. Aligns with PCI DSS Requirements 8.1.1
PA-DSS 3.1.4 - The payment application employs at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric.
Aligns with PCI DSS Requirements 8.2
PA-DSS 3.1.5 -The payment application does not require or use any group, shared, or generic accounts and passwords.
Aligns with PCI DSS Requirement 8.5
PA-DSS 3.1.6 -The payment application requires that passwords meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
Alternatively, the passwords/passphrase must have complexity and strength at least equivalent to the parameters specified above.
PA-DSS 3.1.7- The payment application requires changes to user passwords at least once every 90 days. Aligns with PCI DSS Requirement 8.2.4
PA-DSS 3.1.8 - The payment application keeps password history and requires that a new password is different than any of the last four passwords used. Aligns with PCI DSS Requirement 8.2.5
PA-DSS 3.1.9- The payment application limits repeated access attempts by locking out the user account after not more than six logon attempts. Aligns with PCI DSS Requirement 8.1.6
PA-DSS 3.1.10 - The payment application sets the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. Aligns with PCI DSS Requirement 8.1.7
PA-DSS 3.1.11 - If a payment application session has been idle for more than 15 minutes, the application requires the user to re-authenticate to re-activate the session. Aligns with PCI DSS Requirement 8.1.8
PA-DSS 3.2 - Software vendor must provide guidance to customers that all access to PCs, servers, and databases with payment applications must require a unique user ID and secure authentication. Aligns with PCI DSS Requirements 8.1 and 8.2
Note: These password controls are not intended to apply to employees who only have access to one card number at a time to facilitate a single transaction. These controls are applicable for access by employees with administrative capabilities, for access to servers with cardholder data, and for access controlled by the application.
The following sections outline how you can configure Restaurant Manager to meet PCI DSS requirements
All passwords in version 20 are encrypted. In previous versions, it was possible to use DBU, or other database utility to view passwords stored in Employee.dbf and Config.dbf, these passwords are now encrypted. If DBU (or other utility) is used to change any of the passwords stored in these files, those passwords will be rendered unusable until they are reset.
The “Master Password” in Restaurant Manager allows access to all back office as well as Point of Sale functions. It is highly recommended that the master password not be used (PA-DDS 3.1.2). By default, the Master password on a new system is 0000. When setting up a new system, you must change the Master password to something other than the default value. It is also recommended that you change the master password at least every 90 days.
Because the master password is encrypted, the program PASS0000.EXE, must not be used as in previous versions to version 15.1. After upgrading from a version prior to v15.1 and if the executable remains: it should be removed from the system. If you do execute PASS0000.EXE, or otherwise manually change or corrupt the master password on the system, it will render the master password unusable. If this happens, you will only be able to reset the master password with assistance from ASI Tech Support. Open a help desk ticket with the subject, “Reset v20 master password”.
Restaurant Manager Version 20 relies on the concept of Administrators. They have access to settings and operations normal users do not. Those items include:
Set or Change master password, located in Setup -> Security Configuration screen. User must also be a level 9.
Set or Change other employee’s administrator password, accessible using “Edit Administrator Password Info” button in Employee Setup. User must also be equal or higher security level than the one being changed.
Modify PCI Security Configuration settings, in new Setup -> Security Configuration. User must also be a level 9.
Access the BackOffice Configuration screen.
Access sensitive credit card configuration settings in RM Gateway Supplemental Setup (RMCCWIN).
Add or Delete employees from the database.
Choosing these options in the Restaurant Manager BackOffice or RM Gateway Supplemental Setup (RMCCWIN) will cause an admin password prompt to appear, or a notice that the user does not have adequate permission.
Admin passwords are set in the Restaurant Manager BackOffice under Employee Setup, click on Edit Administrator Password Info”.
NOTE: It is always the Administrator password of the LOGGED-IN user that is required. This can be confusing when an admin is trying to change the Administrator password of another Administrator. It is their own password that should be entered, not the one of the employee he is editing.
NOTE: You are allowed only six attempts to enter an administrator password. Failures to enter the correct administrator password will block additional attempts for thirty minutes (PA-DSS 3.1.9, PA-DSS 3.1.10, and PA-DSS 3.1.11). Aligns with PCI-DSS 8.1.6
A “strong” password is an industry term to denote that the password is complex enough to reduce the chances of it being guessed using brute force methods. The rules for strong passwords are:
MUST be 7 characters or longer (PA-DSS 3.1.6)
MUST contain both letters and numbers (PA-DSS 3.1.6)
Should contain both upper and lower case letters
Should contain symbols (e.g. characters above numbers on keyboard)
Password should not be similar or contain the same numbers found in the employee password.
The last 2 are not required, but add additional password security, and make an admin password quality “excellent”.
After installing Restaurant Manager, start Restaurant Manager BackOffice (rmwin.exe) and you will be immediately prompted to create the first Administrator account, a level 9 user with access to all PCI sensitive settings in the system. ASI recommends this account be a user tied to the reseller. It is from this user account that the reseller can continue configuring the credit card settings, and creating additional Administrator passwords for store personnel.
Resellers may wish to restrict the level 9 security level for reseller use, and have store personnel be level 8 and below. Administrators, by default, are defined as level 8 and above, configurable from within Restaurant Manager BackOffice.
Admin passwords expire in 90 days by default (PA-DSS 3.1.7) After expiration, the user can no longer gain access to the admin restricted areas of Restaurant Manager. That user needs to have his password reset to regain administrator access.
EXPIRATION WARNING: The Restaurant Manager BackOffice program will warn of impending administrator password expirations upon Back Office log-in. If any administrator passwords will expire within the next 10 days, or have already expired, an expiration dialog will appear listing the employees affected.
If admin passwords are forgotten, or left to expire, they will need to be reset. That can be done through the following means:
By a fellow admin- Another admin at equal or higher security level who does still have access can change the password of the user whose admin password is unusable.
By the reseller – If all store administrators have forgotten their password or let them expire, then the reseller’s own admin user can be used to reset the admin password of the highest security level store employee to allow them to regain admin access.
By calling ASI – If all admin users have lost access, the only way to regain access is to call ASI Tech Support and get the Restaurant Manager Admin Daily Passcode and follow the instructions given by the ASI technician
After retrieving the Daily Passcode:
• Re-start Rmwin and enter in the code into the password field when prompted.
• Go to “Employee- Setup”, select the employee, and click on the [Edit Administrator Password Info] button to change the admin passcode.
Password fields left inactive for a period of 15 minutes will automatically time out. You will have to begin the process again if you exceed the time frame of inactivity (PA DSS 3.1.10).
NOTE: New passwords cannot be the same as the last 4 passwords (PA DSS 3.1.8).
To be PCI compliant:
The default Password Expiration Days MUST be set to 90 or lower. 90 days is the default setting (PCI DSS 8.2.4).
All administrators MUST have their Expiration setting set to “System Default”. This is the default setting.
Note that Restaurant Manager allows expiration settings other than what PCI requires. This is to accommodate sites and countries that are not required to be PCI compliant (e.g. sites that do not accept credit cards). It is the responsibility of resellers, and ultimately store management to ensure that the store uses PCI compliant settings if required.
Employee Passwords consist of a four digit code that is associated with a Security Level. Every employee authorized to operate the POS System may be assigned a unique four digit code and an associated Security Level. Both are defined on the Employee Setup Form.The Employee Password, itself, is defined in the “Password” field and must consist of four digits unless the system is configured with Fingerprint Readers in which case a fingerprint may serve as the password.
Two fields on the Employee Setup Form control the Security Level associated with a particular Employee: Clocked in Level and Clocked out Level. Care must be used to ensure the Clocked in security level is equal to or greater than the Security Level of all POS operations the employee is authorized to execute. While any number from zero (0) to nine (9) may be used to define the Clocked in Level, it is usually set to Use Job Class as in the screen shot below.
Linking Security Level to Job Class ensures that changing the Security Levels of certain password prompts does not also require adjusting the security level of every individual employee. For employees who work multiple jobs, the Use Job Class option also allows assigning different Security Levels depending on the work they’re doing.
The way Job Class Security Levels are organized, depends on the size and nature of any given business. But the chart below shows how Security Levels might be defined in a sample Table Service Restaurant. (Note that Security Level 9 is reserved for service providers):
Security Level Security Level Function Example 0-1 Line employees, bus boys Log In/Out, Print Time Slip 1-2 Basic Server Functions Starting Order, Print Guest Check 3-4 Bartender/Cashier Functions Fast Transactions, Open Cash Drawers 4-5 Shift Leader/ Assistant Manager Functions Deleting Item From Check 6-7 Manager Functions Voiding a check, Adding Menu Items, Reporting Functions 7 General Manager functions Adding Employees 8 Owners/ General Managers Managing Security Levels 9 Service Providers ONLY Configuration Settings
The only employees who may change their own Security Level are those who have a Security Level of 9 and who have been defined as Administrators. Employees are, however, able to change the Security Level and Password of Employees with a Security Level lower than their own – unless access to the Employee Setup Form, itself, is protected on the BackOffice Security Form.
Employee Passwords may be input at configurable password prompts but are never recognized at hard coded password prompts. The Master Password is recognized at any password prompt that accepts Employee Passwords.
Restaurant Manager does not allow duplicate Employee Passwords.
In Restaurant Manager version 20 all sensitive information such as passwords and credit card data are encrypted using using the Bcrypt algorithm in conjunction with a Cryptographically Secure Pseudo-Random Number Generator. The Bcrypt algorithm is used to create a one way hash and then salt the password at a high level of randomness and unpredictability. At no point is the plain-text (unencrypted) password ever written to the hard drive. The encryption key is securely stored in the file KEY.DES, located in the RM working folder.
PCI security demands all default passwords and cryptographic material be removed. New installations must generate a new encryption key to comply with PA-DSS 2.3, 2.4, and 2.5. This is a simple process that must be done while the session is closed and takes no more than a few minutes. From the RM BackOffice Module.
Go to Setup and click "Backoffice" on the drop down menu.
Click "Security Tab"
Click “Generate new encryption key.”
The system will automatically generate a random encryption key and update the necessary system and data files, re-encrypting all encrypted data with the new key
It is important that this file not be deleted or tampered with as it will cause all encrypted data in the system to become un-readable. You should also make sure to include this file in any system backups. Restoring a backup without this file would cause passwords and stored credit cards to be un-readable.
To ensure that credit card information is not compromised, it is mandatory that a new encryption key is generated at least once per year.
Next Topic "Security Key (Dongle) Installation"
