Chat Transcript - June 2008
Product: Microsoft Dynamics Retail Management System (RMS)
Topic: PCI Compliance and RMS SP2
Date: Thursday, June 5, 2008
Did you know? You can find helpful articles and announcements about upcoming chats and product releases on the Using Microsoft Dynamics RMS Web site.
Questions about PCI compliance and RMS 2.0 SP2
Q: Will you please discuss RMS 2.0 with Service Pack 2’s new features regarding PCI – password policy management, audit logging, and improved encryption of payment data?
A: Password policy management is one of the PCI compliance requirements.
Q: Which versions of RMS are PCI compliant?
A: RMS 2.0 SP2.
Q: How does "password policy management" help make RMS PCI compliant?
A: Password policy management supports PCI DSS Requirement 8: “Assign a unique ID to each person with computer access.” This requirement specifies such things as changing passwords at least every 90 days, using passwords containing both numeric and alphabetic characters, and limiting repeated access attempts.
Q: We have current customers that installed RMS before the new PCI compliance requirements took effect. Does this mean that we have to go and upgrade all of those customers to be compliant?
A: For their systems to be PCI compliant, they must be running a program that has been PABP validated, which means that they need to be upgraded to SP2.
Q: If we need to upgrade all of our customers to be compliant, how can we limit our liability?
A: It is the retailer's responsibility to be compliant with PCI DSS. I would suggest you consider your business policies on limiting your liability.
Q: What encryption guidelines do you suggest? I've had payment processors in the past require that we disable certain SSL protocols on the servers to make sure that we don't support protocols under 256 bit.
A: PCI requires a minimum key length of 256, but does not specify a specific encryption algorithm.
Q: Could you also elaborate on encryption of payment data?
A: We use 3-DES for encrypting all the payment related data.
Q: I've noticed that certain banks have their own guidelines that seem out of sync for ensuring security with CC data & transmission, and they won't allow it any other way. I believe that a bank required 512 bit about six months ago.
A: Per the PCI Security Standards Council, retailers are responsible for being compliant with PCI DSS. Please refer to https://www.pcisecuritystandards.org/. Retailers should work with their banks if they have specific requirements.
Q: To be PCI compliant, is it required to disable certain ports?
A: Please refer to https://www.pcisecuritystandards.org/ on the PCI DSS requirements. This guide has a wealth of information that can answer all of your questions outside the scope of the payment application.
Q: Is there a way to turn off “audit logging”? Also, how do you pull the audit logs?
A: There is no way to turn off audit logging in RMS. You can use the backup of the RMS database to pull the audit logs out.
Other questions
Q: I have not installed RMS SP2 yet. Where can I find detailed information about the changes and enhancements?
A: The Service Pack page on CustomerSource should have what you need: https://mbs.microsoft.com/customersource/downloads/servicepacks/rms-20-sp2.htm?printpage=false.
Q: Is RMS 2.0 SP2 compatible with Microsoft Windows XP SP3 and Microsoft Windows Vista SP1? I heard that there are still database corruption problems. If so what are the issues?
A: To run Microsoft Dynamics RMS on Microsoft Windows XP SP3 and Microsoft Windows Vista SP1, you must install the update described in Knowledge Base article 952287, which can be found at http://support.microsoft.com/kb/952287/. We have gone through extensive testing on Windows Vista SP1 and Windows XP SP3 with KB 952287 and have not found any issues.
Q: I have at least three outstanding issues with possible bugs in RMS. Is there a list of outstanding issues and bugs?
A: It is a Microsoft policy to not publish such lists. You can contact Microsoft Support to follow up on issues that you have reported.
Q: Please advise us on the status of RMS 3.0.
A: We can't announce any details about RMS 3.0 at this time, but the roadmap will be published in the near future.
Q: Regarding the Ingenico i6550, it seems that the unit operates "bare bones" with no functionality to display prompts, special announcements, or anything else. When can we expect extra functionality?
A: RMS 2.0 supports only the basic functionality provided by the Ingenico OPOS drivers. There will be additional functionality in an upcoming release.