SICOM DMB PCI COMPLIANCE ADVISORY NOTICE
Digital Menu Board Payment Card Industry (PCI) Compliance Advisory Notice
SICOM Systems provides Digital Menu Board (DMB) solutions to the Quick Service Restaurant (QSR)
marketplace. Since most QSRs accept credit cards at their Point of Sale (POS) terminals, they fall under the
requirements of the Payment Card Industry Data Security Standard (PCI-DSS). SICOM is familiar with those
requirements because SICOM POS systems must comply with the Payment Application Data Security Standard (PA-DSS),
a separate standard that is nonetheless an integral component of the restaurant operator's PCI-DSS compliance efforts.
SICOM’s Digital Menu Board solutions do not process, store or transmit credit card data at any time
and are therefore out of scope for PA-DSS validation. A DMB may, however, affect a restaurant’s overall PCI-DSS
assessment scope depending upon how it is connected to the payment environment.
If utilizing a managed network service such as Hughes, Secureconnect or VendorSafe, it is
recommended that the DMB controllers be placed on a separate network segment from the POS to aid in PCI-DSS
compliance of the restaurant environment. Configuration and maintenance of the content is performed either locally via a
web interface or remotely via SICOM’s Enterprise configuration tool. Web access to the controller should not be
exposed to the Internet.
SICOM’s DMB implementations come in one of two forms, Integrated and Standalone. In an
Integrated solution, the master DMB controller connects to the POS system to obtain updated pricing. A
Standalone solution does not require any interaction with the POS system. Both solutions require an Internet
connection in order to receive content updates, vendor security patches and support assistance. SICOM
support assistance is provided remotely via OpenVPN (port 1194) using digital certificates and daily
changing passwords for SICOM support technicians. This is the same support method used in SICOM’s
PA-DSS compliant POS solutions.
The recommended configuration for a Standalone Digital Menu Board is for the system to be physically
separate, or segregated, from a LAN-based POS system. When restaurant personnel maintain physical
segmentation between the DMB and the POS network, the DMB is considered out of scope for PCI-DSS compliance
purposes.
An Integrated solution requires some network integration in order to give the master DMB controller
access to POS pricing. The benefit of this solution is that once the Digital Menu Board configuration has been
validated, pricing updates made in the POS are automatically applied to the Menu Board system. The best
solution for integration is similar to the standalone solution in that the DMB controllers are still segmented
from the POS environment. The restaurant’s hardware firewall permits only the traffic necessary to obtain the
pricing information into the POS environment, and nothing more. For example, in a Micros integrated solution,
a login is created with read-only privileges to Sybase via port 2638, granting access only to the mi_price_def
database in the POS system. Where the DMB controllers are in the same network segment as the Point of Sale
systems, care should be taken to grant only the least access needed to operate the menu board, and the
controllers should be expected to fall within the restaurant’s PCI-DSS assessment scope.
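The segmentation and least-privilege firewall rule described above, as an added example that is not SICOM's code or configuration: a Python model of a default-deny policy for an integrated deployment, evaluated against a constructed connection log. The address ranges, host roles and log lines are assumptions for illustration; only the Sybase port (2638) and the OpenVPN port (1194) come from this notice. The read-only database login is a separate control on the POS side and is not shown here.

```python
"""Default-deny flow policy for an integrated Digital Menu Board deployment.

Added example, not SICOM's code. Segments, hosts and the sample log are
constructed; only the port numbers (Sybase 2638, OpenVPN 1194) come from
the advisory.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed segments: menu boards and POS on separate VLANs behind the
# restaurant firewall; anything outside both is treated as "the Internet".
DMB_NET = ip_network("10.20.0.0/24")
POS_NET = ip_network("10.10.0.0/24")
ANY = ip_network("0.0.0.0/0")
DMB_MASTER = ip_network("10.20.0.10/32")  # the only controller allowed into POS
POS_DB = ip_network("10.10.0.5/32")       # POS host running the Sybase listener


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]       # None matches any protocol
    dport: Optional[int]       # None matches any destination port


# Ordered, first match wins. Anything unmatched is denied, which is what
# blocks Internet access to the controllers' web interface.
POLICY = (
    Rule("allow", DMB_MASTER, POS_DB, "tcp", 2638),  # pricing lookup only
    Rule("deny", DMB_NET, POS_NET, None, None),      # nothing else crosses into POS
    Rule("deny", POS_NET, DMB_NET, None, None),      # POS never initiates to DMB
    Rule("allow", DMB_NET, DMB_NET, "tcp", 80),      # local web configuration
    Rule("allow", DMB_NET, ANY, "udp", 1194),        # OpenVPN to vendor support
    Rule("allow", DMB_NET, ANY, "tcp", 443),         # content updates and patches
)


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def evaluate(flow: Flow) -> str:
    """Return the action of the first matching rule, or 'deny' by default."""
    for r in POLICY:
        if (flow.src in r.src and flow.dst in r.dst
                and r.proto in (None, flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line: '<timestamp> <src> <dst> <proto> <dport>'."""
    _ts, src, dst, proto, dport = line.split()
    return Flow(ip_address(src), ip_address(dst), proto.lower(), int(dport))


def audit(log_text: str) -> List[Tuple[str, str]]:
    """Evaluate every log line; 'deny' entries are flows the firewall must block."""
    return [(line, evaluate(parse_flow(line)))
            for line in log_text.splitlines() if line.strip()]


def violations(log_text: str) -> List[str]:
    """Lines whose flow the policy does not permit."""
    return [line for line, verdict in audit(log_text) if verdict == "deny"]


# Constructed connection log: master pricing lookup, a second controller
# trying the same, SMB into POS, the support VPN, an Internet host hitting
# the web interface, and a local admin browsing to the master controller.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.20.0.10 10.10.0.5 tcp 2638
2024-03-01T09:00:02 10.20.0.11 10.10.0.5 tcp 2638
2024-03-01T09:00:03 10.20.0.10 10.10.0.5 tcp 445
2024-03-01T09:00:04 10.20.0.10 203.0.113.7 udp 1194
2024-03-01T09:00:05 198.51.100.9 10.20.0.10 tcp 80
2024-03-01T09:00:06 10.20.0.12 10.20.0.10 tcp 80
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5s}  {line}")
```

Rule order is the point: the broad "DMB to anywhere on tcp/443" allow sits after the explicit deny into the POS segment, so an update client on a controller cannot reach a POS host on 443 even though the Internet is permitted. Reversing those two rules would silently widen the path into the cardholder environment.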
As it applies to PCI-DSS, SICOM automatically applies vendor security patches to DMB systems with active subscriptions
whose terms and conditions are maintained, in support of PCI-DSS Requirement 6.1 (installation of vendor-supplied
security patches).
Please reference the SICOM Digital Menu Board Customer Deployment guide for additional information
related to your specific implementation.
SICOM Systems Inc. | 4434 Progress Meadow Drive, Doylestown, PA 18902 P.800.547.4266