OPERA Payment Application Data Security Standard (PA-DSS) Implementation Guide V5.0+


Opera Hotel Edition

OPERA Payment Application Data Security
Standard (PA-DSS) Implementation Guide

V5.0+
August 2009




Opera Hotel Edition ⎯ PA-DSS IMPLEMENTATION GUIDE


Copyright
© 2009 MICROS Systems, Inc. All rights reserved. No part of this publication may be reproduced,
photocopied, stored on a retrieval system, or transmitted without the express prior written
consent of the publisher. MICROS Systems, Inc. retains the right to update or change the
contents of this document without prior notice. MICROS Systems, Inc. assumes no responsibility
for the contents of this document.
OPERA is a trademark of MICROS Systems, Inc.
On Oracle and the On Oracle logo are trademarks of Oracle Corporation.
Information in this document is subject to change without notice.
MICROS Systems, Inc. makes no warranty of any kind with regard to this material, including but
not limited to the implied warranties of marketability and fitness for a particular purpose.
MICROS Systems, Inc. shall not be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing, performance, or use of this material.
MICROS Systems, Inc.
Fidelio Technologies Inc.
2640 Golden Gate Parkway, Suite 211
Naples, FL 34105
Voice: (239) 643-7999 / Fax: (239) 643-7911

Document: 1470 Opera PA-DSS Implementation Guide


Author:


Contributors:
MICROS SYSTEMS, INC. PAGE 2
AUGUST 2009
CONFIDENTIAL AND PROPRIETARY





Contents 
GENERAL INFORMATION ............................................................................... 4 
About This Document ................................................................................................4 
About the PCI Security Standards Council .....................................................................4 
About The PCI Data Security Standard (PCI DSS) ..........................................................4 
Who Should be Reading This Document .......................................................................6 
What the Reader Should Already Know ........................................................................6 
OPERA VERSION 5.0+ AND THE PAYMENT APPLICATION DATA STANDARD .. 7 
Payment Application Data Security Standard .................................................................7 
Build and Maintain a Secure Network ...........................................................................7 
Protect Cardholder Data .............................................................................................8 
Option Settings ............................................................................................................ 8 
Option Settings ............................................................................................................ 9 
Maintain a Vulnerability Management Program ............................................................ 10 
Implement Strong Access Control Measures ................................................................ 10 
Regularly Monitor and Test Networks ............................................................................ 11 
Maintain an Information Security Policy ...................................................................... 12 
Guidance when Upgrading from a Previous Opera Version ............................................. 12 
Establish and Follow a Data Retention Policy ............................................................... 13 
3rd Party Interfaces ................................................................................................. 15 



General Information
About This Document
This document is intended as a quick reference guide to provide you with information
concerning MICROS Systems, Inc. adherence to the Payment Card Industries – Security
Standards Council (PCI-SSC) concerning PA-DSS. This document relates specifically to OPERA
Version 5.0+ Enterprise Solution software, including Opera Property Management, Opera
Limited Service (Xpress), Opera Xpress Lite (Lite), Operetta, & Opera Reservation System. This
document is distributed to all customers on an annual basis or whenever a software
upgrade is performed.
About the PCI Security Standards Council [1]
The PCI Security Standards Council is an open global forum, launched in 2006, that is
responsible for the development, management, education, and awareness of the PCI Security
Standards, including: the Data Security Standard (DSS), Payment Application Data Security
Standard (PA-DSS), and Pin-Entry Device (PED) Requirements.
All of the five founding members have agreed to incorporate the PCI DSS as the technical
requirements of each of their data security compliance programs. Each founding member also
recognizes the QSAs and ASVs certified by the PCI Security Standards Council as being qualified
to validate compliance to the PCI DSS.
A Limited Liability Corporation (LLC) chartered in Delaware, USA, the PCI Security Standards
Council was founded by American Express, Discover Financial Services, JCB International,
MasterCard Worldwide, and Visa Inc. All five payment brands share equally in the council's
governance, have equal input to the PCI Security Standards Council and share responsibility for
carrying out the work of the organization. Other industry stakeholders are encouraged to join
the group and review proposed additions or modifications to the standards.
About The PCI Data Security Standard (PCI DSS) [2]
The PCI DSS, a set of comprehensive requirements for enhancing payment account data
security, was developed by the founding payment brands of the PCI Security Standards Council,
including American Express, Discover Financial Services, JCB International, MasterCard
Worldwide and Visa Inc., to help facilitate the broad adoption of consistent
data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other critical
protective measures. This comprehensive standard is intended to help organizations proactively
protect customer account data.
The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the
standard includes any new or modified requirements necessary to mitigate emerging payment
security risks, while continuing to foster wide-scale adoption.
Ongoing development of the standard will provide for feedback from the Advisory Board and
other participating organizations. All key stakeholders are encouraged to provide input, during
the creation and review of proposed additions or modifications to the PCI DSS.

[1] https://www.pcisecuritystandards.org/about/index.shtml

[2] https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


The core of the PCI DSS is a group of principles and accompanying requirements, around which
the specific elements of the DSS are organized: [3]


Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder
data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder
data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security


[3] pcisecuritystandards.org


Who Should be Reading This Document
This document is intended for the following audiences:
• MICROS Customers
• MICROS Installers/Programmers
• MICROS Dealers
• MICROS Customer Service
• MICROS Training Personnel
• MIS Personnel
What the Reader Should Already Know
This document assumes that you have the following knowledge or expertise:
• Operational understanding of PCs
• Understanding of basic network concepts
• Experience with the operating systems platforms supported by OPERA
• Familiarity with the OPERA software
• Familiarity with operating MICROS peripheral devices



OPERA Version 5.0+ and the Payment Application Data Standard
Payment Application Data Security Standard
While MICROS recognizes the importance of upholding cardmember security and data integrity,
certain parameters of the PCI Data Security Standard and PCI-SSC are the sole responsibility of
the client. This section contains a description of the 12 points of The PCI Data Security
Standard. Information within this section pertains only to how the OPERA Version 5.0 software
conforms to the PCI Data Security Standard.
For a complete description of the PCI Data Security Standard, please consult the Payment Card
Industries – Security Standards Council website found at <http://pcisecuritystandards.org>.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
Firewalls are computer devices that control computer traffic allowed into a company’s network from
outside, as well as traffic into more sensitive areas within a company’s internal network. All systems
need to be protected from unauthorized access from the Internet, whether for e-commerce, employees’
Internet-based access via desktop browsers, or employees’ email access. Often, seemingly insignificant
paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key
protection mechanism for any computer network.

MICROS strongly recommends that all systems containing sensitive information (servers,
databases, wireless access points, etc.) reside behind a firewall in order to protect that data as
well as meet PCI-SSC Security Standards.
To make sure your firewall configuration is set up in compliance with Step 1 of the PCI Data
Security Standard, “Install and maintain a firewall configuration to protect data”, please consult
the Payment Card Industries – Security Standards Council website found at
<http://pcisecuritystandards.org>.
2. Do not use vendor-supplied defaults for system passwords and other security
parameters

Hackers (external and internal to a company) often use vendor default passwords and other vendor
default settings to compromise systems. These passwords and settings are well known in hacker
communities and easily determined via public information.
MICROS recommends that customers change all default passwords when installing systems,
including those for operating systems, wireless access points, servers, databases, etc. Opera
provides two default accounts for which the passwords should be changed to meet the PCI-SSC
complex password requirements; they are Application User account: SUPERVISOR and DB
accounts: SYS, SYSTEM, OPERA, OXI, OXIHUB and OUTLN.
In addition, the IT department of the property and/or responsible parties should create an
Opera Support User with all the needed credentials.
The PCI-DSS expressly prohibits the use of generic or default user names or passwords for any
component of the payment processing system which includes Windows accounts. Any access to
any part of the payment processing system should be handled with unique and strong user
access credentials.
For more information on Step 2 of The PCI Data Security Standard, “Do not use vendor-
supplied defaults for system passwords and other security parameters”, please consult the
Payment Card Industries – Security Standards Council website found at
<http://pcisecuritystandards.org>.
Protect Cardholder Data
3. Protect stored data
Encryption is the ultimate protection mechanism because even if someone breaks through all other
protection mechanisms and gains access to encrypted data, they will not be able to read the data
without further breaking the encryption. This is an illustration of the defense in depth principle.
MICROS Systems Inc., uses credit card masking and Triple-DES 128-bit encryption to store the
personal account number (PAN), account name, expiration date and ensure credit card data is
stored in a manner compliant with the PCI Data Standard.
When upgrading from version 2.0 of Opera, please refer to the section “Guidance when
Upgrading from a Previous Opera Version” at the bottom of this document, which describes how
to upgrade to a newer version, using a secure wipe tool and completely purge any old credit
card data from Opera.
To be in compliance with Step 3 of the PCI Data Security Standard, please ensure the following
Credit Card Masking options are configured as follows:
Option Settings
• Setup>Application Settings: Set General>MASK CREDIT CARD NUMBER (Mask Credit Card Number)
to Yes.
• Setup>User Configuration>Users>Permissions: Set RESERVATIONS>CREDIT CARD
INFORMATION EDIT (View and edit credit card number and expiration date) to
Non-Granted for all users except those with a “need to know.” For such users, the permission may be
changed to Granted.

Note: These options must remain configured as shown above, in order to comply with Step 3 of The PCI Data Security
Standard.

For more information on Step 3 of The PCI Data Security Standard, “Protect stored data”,
please consult the Payment Card Industries – Security Standards Council website found at
<http://pcisecuritystandards.org>.
4. Encrypt transmission of cardholder data and sensitive information across public
networks

Sensitive information must be encrypted during transmission over the Internet, because it is easy and
common for a hacker to intercept and/or divert data while in transit.

MICROS recommends that all sensitive information that is transmitted over the Internet be
secured using a form of encryption such as SSLv3; this includes all wireless transmissions,
email and use of services such as Telnet and FTP.
Option Settings
MICROS strongly suggests that when using our web based credit card interface, it is set up to
use SSLv3 communication. To configure this, do the following. Select
Configuration>Setup>Property Interfaces>Credit Card Setup>General Parameters. On
this form you will see a section to configure the URL that you are to connect to. Be sure that
this URL starts with HTTPS. This will ensure a secure SSLv3 connection is made to the vendor
prior to transmitting credit card data.
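As an added example (not part of the MICROS guide and not OPERA code), the following Python script audits the two Step 3 option settings and the Step 4 HTTPS requirement described above against a constructed configuration export, and shows how a PAN would be presented to a user whose CREDIT CARD INFORMATION EDIT permission is Non-Granted. The export layout, the NEED_TO_KNOW list and the mask format (last four digits only) are this example's assumptions; in OPERA the settings are made through the forms named in the text.

```python
"""Audit of the option settings named in Steps 3 and 4 of the guide.

Hypothetical example: the dicts below are constructed to look like an
export of OPERA application settings, user permissions and the credit
card interface URL. OPERA provides no such export in this guide.
"""
from urllib.parse import urlsplit

MASK_SETTING = "MASK CREDIT CARD NUMBER"
CC_EDIT_PERMISSION = "RESERVATIONS>CREDIT CARD INFORMATION EDIT"

# Constructed sample export (not real OPERA data); every item is wrong on purpose
# except the "night" user, so the audit below reports three findings.
SAMPLE_CONFIG = {
    "application_settings": {"General": {MASK_SETTING: "N"}},
    "user_permissions": {
        "jdoe":   {CC_EDIT_PERMISSION: "Granted"},
        "fdesk1": {CC_EDIT_PERMISSION: "Granted"},
        "night":  {CC_EDIT_PERMISSION: "Non-Granted"},
    },
    "credit_card_interface": {"url": "http://gateway.example.invalid/auth"},
}
# Users the property has documented as having a business need to know (assumed).
NEED_TO_KNOW = {"jdoe"}


def audit(config, need_to_know):
    """Return a list of findings; an empty list means the named options match
    the guide (Step 3 masking and permission, Step 4 HTTPS interface URL)."""
    findings = []
    general = config.get("application_settings", {}).get("General", {})
    if general.get(MASK_SETTING, "").upper() not in ("Y", "YES"):
        findings.append(f"Step 3: Setup>Application Settings General>{MASK_SETTING} must be Yes")
    for user, perms in config.get("user_permissions", {}).items():
        granted = perms.get(CC_EDIT_PERMISSION, "Non-Granted") == "Granted"
        if granted and user not in need_to_know:
            findings.append(f"Step 3: {CC_EDIT_PERMISSION} granted to {user} "
                            "without a documented need to know")
    url = config.get("credit_card_interface", {}).get("url", "")
    if urlsplit(url).scheme.lower() != "https":
        findings.append(f"Step 4: credit card interface URL must start with HTTPS (found {url!r})")
    return findings


def mask_pan(pan):
    """Display form of a PAN for users without the edit permission. The guide
    does not state OPERA's mask format; showing only the last four digits is
    this example's assumption and stays within what PCI DSS 3.3 permits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return "X" * (len(digits) - 4) + digits[-4:]


def display_pan(pan, user, config):
    """Full PAN only for a user whose permission is Granted; masked otherwise."""
    perms = config.get("user_permissions", {}).get(user, {})
    if perms.get(CC_EDIT_PERMISSION) == "Granted":
        return pan
    return mask_pan(pan)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, NEED_TO_KNOW):
        print(finding)
    # 4111111111111111 is a well-known test card number, not a live PAN.
    print(display_pan("4111111111111111", "night", SAMPLE_CONFIG))
```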
For more information on Step 4 of The PCI Data Security Standard, “Encrypt transmission of
cardholder data and sensitive information across public networks”, please consult the Payment
Card Industries – Security Standards Council website found at
<http://pcisecuritystandards.org>.


Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
Many vulnerabilities and malicious viruses enter the network via employees’ email activities. Anti-virus
software must be used on all email systems and desktops to protect systems from malicious software.

In accordance with the PCI-SSC standards, MICROS strongly recommends regular use and
regular updates of anti-virus software. Some OPERA servers may require specific antivirus
configuration settings; these settings are detailed in the implementation instructions.
To make sure your anti-virus software is set up in compliance with Step 5 of the PCI Data
Security Standard, “Use and regularly update anti-virus software”, please consult the Payment
Card Industries – Security Standards Council website found at
<http://pcisecuritystandards.org>.
6. Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of
these vulnerabilities are fixed via vendor security patches, and all systems should have current
software patches to protect against exploitation by employees, external hackers, and viruses. For
in-house developed applications, numerous vulnerabilities can be avoided by using standard system
development processes and secure coding techniques.

MICROS uses separate development and production environments to ensure software integrity
and security. Updated patches and security updates are available via the MICROS product
website, <http://www.micros.com>. While MICROS makes every possible effort to conform to
Step 6 of the PCI Data Security Standard, certain parameters, including following change
control procedures for system and software configuration changes, and the installation of
available security patches, depend on site specific protocol and practices.
MICROS also strongly suggests for installation in Windows XP systems that the System Restore
Points feature be turned off.
To make sure your site develops and maintains secure systems and applications in compliance
with Step 6 of The PCI Data Security Standard, “Develop and Maintain Secure Systems and
Applications”, please consult the Payment Card Industries – Security Standards Council website
found at <http://pcisecuritystandards.org>.
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
This ensures critical data can only be accessed in an authorized manner.
MICROS recognizes the importance of data control, and does so by establishing access based
upon employee job level. This mechanism ensures access to sensitive information is restricted,
password protected, and based on a need-to-know basis.
For more information on Step 7 of The PCI Data Security Standard, “Restrict access to data by
business need-to-know”, please consult the Payment Card Industries – Security Standards
Council website found at <http://pcisecuritystandards.org>.
8. Assign a unique ID to each person with computer access
This ensures that actions taken on critical data and systems are performed by, and can be traced to,
known and authorized users.
MICROS recognizes the importance of establishing unique ID’s for each person with computer
access. No two OPERA users can have the same ID, and each person’s activities can be traced