beautypg.com

2 - getting started, Physical security, System security – Gasboy CFN III Fuel Management System PA-DSS User Manual

Page 7: System report and other logs, Installations and upgrades, Purge transaction records, 2 – getting started, System security system report and other logs

background image

MDE-4870A CFN III Fuel Management System PA-DSS Implementation Guide Version 3.6 · June 2010

Page 3

Physical Security

Getting Started

2 – Getting Started

Physical Security

The merchant is responsible for ensuring that the CFN III is physically secure.

System Security

Physical access to the Site Controller system must be limited to only those that use the Site
Controller. If modular Profit Point POS systems are used, then the Site Controller is best
controlled in a locked back room, with restricted access. If using Integral Profit Point POS
system, the system must only be accessible by those using the system. If it is not possible to
maintain the system in a secure area, the area must have adequate coverage by available
security cameras so that unauthorized access can be recorded and used to determine any cause
of physical security breaches.

System Report and Other Logs

Though the system log is secure from exposing any sensitive card information, it is a good
practice to keep the log printer in a secure area. It is possible that some bank host systems
require card account information to be listed on a report or log for back office purposes. When
the reports are used for holding account information it is the responsibility of the site manager
or store owner to secure the reports from unauthorized access.

Installations and Upgrades

To upgrade the CFN payment system from a non-compliant version of 3.4 or earlier, to a
secure PCI-compliant version, refer to MDE-4739 CFN III PCI Secure Controller Software
Installation/Upgrade Instructions.

The integrity of software upgrades is guaranteed because only software created by Gasboy

®

will operate on the CFN III board set. Software created without the unique Gasboy
development system will typically fail checksum. However, in the event that the software
passes that test, the system will not boot or operate.

Purge Transaction Records

After the installation is complete, the embedded payment controller transaction table must be
purged of any information left in memory, which may retain previous card information. This is
a mandatory procedure in order to meet PCI requirements and cannot be skipped. This process
must be executed before the site is allowed to start processing card data. It would be best to
proceed with this process right after the table sizing is finalized.

See also other documents in the category Gasboy Hardware: