TranScend™ User's Guide
Contents
1. Appendix H: Optional Utility to Set Customized Database System Password. Below (see Figure) you will see the window for the database user password utility program. This program is used to alter the user name and password that will be used by the TPA Data Security Server when it connects to the database server. IMPORTANT NOTE: This utility should only be run on the host where the Data Security Server process of the TPA transaction processing system The reasons for this requirement are: 1. This utility will utilize the DSN and other connection information to add a new user to the used by TPA. 2. This utility will add command line arguments used by the data server so that the process can utilize the new customized user information specified by the user of this As you can see, some of the fields are set with system defaults as a convenience to the user. Each of these settings will be explained in the following section. Using DSN: This is the System DSN (see ODBC Administrator Applet in Control Panel) that defines the dim used by TPA. If you have not altered your System DSN after your installation, then the default setting of TPAU should work. TRAU Database: This is the name of the main TPA database used by
2. Menu Commands for Closed Transactions: In the image shown below you can see that there are fewer commands available when transactions have been Menu Commands for Transactions that are On Hold: Transactions can be put on hold due to AVS/CVV system holds or from manually placing a transaction on hold. In the image shown below you can see that there are additional commands available for transactions that are on hold. The first new command shown below is the Release Transaction command. Selection of this command will remove the hold status on the transaction and will allow the transaction to be included in the next job. The next new command is the Change Status to Closed command. Selection of this Menu Commands for Transactions in an Unknown Status: The image below shows the transactions that are available when transactions are in an Unknown status. Each of these commands has been explained in previous sections. Browse Batches: The image above shows the Browse Batches window. Notice that the column headings are different than those in the Browse Transactions window and the commands menu has different options. The same sorting feature that was mentioned above is available for this list as well.
3. Batch Management And Context Menus: The image shown immediately below shows the commands that can be performed against Settlement Batches with the Transcend client program. Get Batch Details: The image below shows the dialog that is displayed when the Get Batch Details command is executed. This window shows a detailed list of the transactions that are included within the selected batch. This dialog can be resized in order to show the number of records desired. This command is available for batches that are closed or are marked as having an error. Batch Summary by Card Type: The image below shows another way that batch details can be summarized. Selection of this command will cause a total to be calculated for each card and transaction type contained in the batch. These subtotals will be shown in the display window presented. Batch Summary By Department: The image below shows another way that batch details can be summarized. Note that the departments feature is not currently utilized in the product. Due to this fact, this display shows a single summary row that matches the batch display.
4. sensitive authentication data subsequent to authorization (not even encrypted). PABP Implementation Guide: Validated applications must be capable of being implemented in a PCI DSS compliant manner. Software vendors are required to provide a PABP Implementation Guide to instruct their customers and resellers/integrators on secure product implementation, to document the secure configuration specifics mentioned throughout this document, and to clearly delineate vendor, reseller/integrator and customer responsibilities for meeting PCI DSS requirements. It should detail how the customer and/or reseller/integrator should enable security settings within the customer's network; for example, the PABP Implementation Guide should cover responsibilities and basic features of PCI DSS password security even if this is not controlled by the application, so that the customer or reseller/integrator understands how to implement secure passwords for PCI DSS compliance. Payment applications, when implemented according to the PABP Implementation Guide and when implemented into a PCI DSS compliant environment, should facilitate and support customers' PCI DSS compliance. Qualified Payment Application Security Professional (QPASP) Requirements: Only Qualified Payment Application Security Professionals (QPASP) employed by Qualified Payment Application Security Companies (QPASC) are allowed to perform PABP audits. Please
5. Emulation Mode Auto Responses for Gift Cards: These responses originate from within TranScend only in Emulation Mode. [table: Amount, Response Code, Response Text] Appendix E: Security Best Practices. Overview and History: The following document is designed to give users of the Transcend application a better understanding of the recently implemented security policies in the payment processing industry. The document outlines the evolution of today's standards, describes the industry best practices for payment applications, and then instructs users of the Transcend application in areas not completely controlled by the payment application but necessary to implement the product in a CISP compliant manner. Visa first introduced the Cardholder Information Security Program (CISP) in 2001
6. PABP Requirements [table: PABP requirements listed against the matching Data Security Standard sections, including 3.2, 3.3, 6.5, 8.1 and 10.2; surviving cell text includes "Application must protect encryption keys" and "not applicable to Transcend"]
7. application is subjected to. The information is provided here also to provide assistance to vendors, integrators or merchants with regards to evaluating the facts of the industry's requirements that Transcend must comply with. Finally, this information is provided so that merchants, integrators or vendors adopting the use of the Transcend product can be provided with the specific recommendations and requirements for CISP and PABP compliant deployments of the system. Relationship Between PCI DSS and PABP: The requirements for the PABP are derived from the Payment Card Industry Data Security Standard (PCI DSS) and the PCI DSS Security Audit Procedures. These documents, which can be found at www.pcisecuritystandards.org, detail what is required to be PCI DSS compliant (and therefore what a payment application must support to facilitate the application user's PCI DSS compliance) and should be used as a reference for the PCI DSS and supporting documentation. Secure payment applications, when implemented in a PCI DSS compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches. Scope of PABP: The PABP applies to software vendors who develop payment applications that store, process or transmit cardholder data as part of authorization or settlement. The PABP does not
8. data of Potentially sensitive is encrypted prior to being written to the delta record log. Backup of the TranScend Databases: There is no practical way for TranScend to perform automated backups of your database. This is because each business has its own operational hours and because backing up databases must occur within your system's maintenance window. With this in mind, each customer must take a role in backing up the databases on a regular basis, using the following schedules as a recommended starting point: Full Backup performed at least once a week. If using a Full or Differential Model, then Differential Backups and Transaction Log backups should be performed daily. Based on the backup strategy in place at your organization, the following operations would be needed to restore the database after a database crash or data corruption. The customer will have to: 1. Restore the last full backup. 2. If using a Full or Differential Model, the next step is to restore the most recent differential backup. 3. Replay all Transcend Delta Record files containing data that were made since the most recent differential backup. Note that the nature of the SQL contained in the Delta Record Logs is designed to make the best use of the referential integrity built into the Transcend database. Therefore these SQL statements are formatted such that there is no harm done by replaying a Delta Record Log that
9. earlier occurring than the last differential backup, as those changes as they appear in the delta record log will simply bounce off the database. However, it is very important that ALL delta record log files made subsequent to the last differential backup are applied during the restoration process, so that the database image is restored to the maximum extent possible and to mitigate to the highest degree possible the possibility of any data loss. After any database restoration has become required, the data within the database should be inspected to the degree possible to verify that there is in fact no data lost. While the Transcend system is designed to eliminate these threats to the greatest degree possible, there are many factors and failure modes that are simply beyond the control of Transcend and therefore cannot be fully accounted for. Customer Responsibility: The customer must recognize and accept responsibility for the health and safety of the TranScend data for the following reasons: 1. It is important for the customer to recognize that the data created by TranScend is data that belongs to your organization, and since it is financial in nature it should be an important priority to your organization to monitor the health and safety of the database and the data contained therein. Should an unrecognized fault occur due to lack of attention to the database itself, you must remember that it is primarily your business that will
10. 2. Administrators who follow the best practice guidelines outlined in Payment Card Industry Data Security Standard dated January 2005 should educate the users and ensure policies according to the following: Immediately change the provided INTRIX Technology Inc default password for System. Instruct users NOT to create a username and password that are the same. Implement a process whereby passwords to the TranScend Client are changed every 90 days, but do not allow the new password to be the same as any of the user's previous 4 passwords. CISP Compliant Log Settings: TranScend log settings are CISP compliant. The logs are fully encrypted and log all access by individual users, especially those with administrative privileges, and are able to link those activities to individual users. In addition, the application is configured with an automated audit to track and monitor CISP Compliant Wireless Settings: communications sent from the Transcend Client Utilities and/or APIs are encrypted from their point of origin completely through the entire Transcend application. As Wireless Security is evolving, INTRIX Technology Inc strongly recommends against using wireless transmission methods for sensitive transaction data. Unsecured wireless networks should never be used in conjunction with Transcend, and any attempt to do so will result in an immediate Cease and Desist Order from INTRIX Technology Inc. In the event wireless networks
11. Click to enter primary Settlement IP address and Port as specified by the processor. Click to add a secondary Authorization IP address as provided by the processor. Click to add a secondary IP address as provided by the processor. Connect Wait Times, Connection Retries and Heartbeat settings should be left at the default values unless otherwise instructed to change by the INTRIX Support Staff. If your processor has required the use of a Password, please enter it here and confirm the entry. NOTE: Not all Leased Lines require a password login, so consult the Leased Line installation representative. 3. Click Save to save the changes. ASCII Gateway: This configuration screen allows the user to specify the appropriate input file or Drop directory. Default is ClProgram Transcend SuperCharge 4.6 users who pass peo user data fields User Defined Legacy Messages: Users wishing to take advantage of new features associated with the Transcend and have written to the Enhanced Message Format new to Transcend will want to select the Enhanced messages option. Data file extensions for either the legacy 4.6 or the Transcend format are user definable. The default for 4.6 has alwa
12. Credit Card Ranges: The credit card number length should be 13-16 digits. Also, individual card types use different opening digits. [table: Credit Card Type, Length, Range Starts With] Appendix D: Testing Environment Settings. Emulation Mode. Emulation Mode Test Card Numbers (Credit Card Type, Credit Card Number): MasterCard 5424 1802 7979 1765; 4005 5500 00000019; American Express 37323538 7881 007; Discover 000993043615. Emulation Mode AVS Responses: These responses originate from within TranScend only in Emulation Mode. [table: AVS response codes] Emulation Mode CVV2 Responses: These responses originate from within TranScend only in Emulation Mode. [table: CVV2 response codes] Emulation Mode Auto Responses for Credit Cards: These responses from wi
13. Self Healing Communications Channels: The Transcend system is coded with the expectation that the network is unreliable. With this in mind, all data communication channels are checked and validated as part of each message transmission. If the channel is found to be down, the session will be re-created as part of the data transmission. This approach ensures reliable data transmission between processing nodes, which serves to increase the overall robustness and reliability of the Transcend system. Data Journaling and Delta Records: The architecture of Transcend accounts for the fact that sometimes, for reasons only known by the database management system vendors, a database file can go corrupt. This reality presents a huge risk to any company of catastrophic data loss. In response to this risk, Transcend utilizes several approaches designed to safeguard your company's data. One of these approaches is to employ a delta record file for all updates and changes to the Transcend database. The delta record file, along with Transcend automated database backups, can be used to quickly re-create a database image by providing replay capability of your transaction data. In addition, the Transcend system utilizes a system of journal files to prevent loss of data prior to it being successfully stored in the database management system. In the event that any unit of work is not properly stored in the database management system, it be manuall
14. refer to the Qualified Payment Application Security Company (QPASC) list wv incom for more information. The QPASP must utilize the testing procedures documented in this Payment Application Best Practices document. Both QPASP and software vendor must complete and sign the Confirmation of Report Accuracy letters available at ww sce and submit to Visa USA in a secure manner along with the Report on Validation. Once compliant, Visa will include the software vendor and product version in the Validated Payment Application List at ssec for one year only. The expiration date will be determined by the date that Visa approves the Report on Validation. Visa will send an acceptance letter to the software vendor indicating approval of the report. Software vendors must re-validate their application for PABP compliance utilizing a QPASP if they wish to be active on the Visa website. Otherwise Visa will remove the software vendor's listing from the website if re-validation is not received by the due date. Please refer to Re-Validation section. Testing Laboratory: The software vendor must have a working semi production laboratory where the validation process is to occur. The laboratory must include the following: common implementations, including region/country specific versions, of the payment application to be tested. Implementation of security devices: at a minimum, the following must be running per PCI DSS requirements: firewall
15. Archive Batch: Selection of this command will the batch and all its detail records into the Archive database. It is important to note that once a batch has been archived it will no longer show up in the batch lists. Resubmit Batch: On very rare occasions, and usually only under the direction of your processor, you may have to resubmit a batch. Selection of this command will cause the batch to be deposited again. Whenever this command is selected, the warning message shown to the right will be displayed in order to point out the potential risks of performing this action. As was mentioned above, this command should only be selected under very exceptional circumstances. Close Batch: Occasionally batches may be completed with an unknown status. Typical causes of this could be a communications error between Transcend and the processor, with the error occurring after the batch has been delivered to and processed by the processor. When these kinds of events occur, Transcend will mark the batch as being in an unknown status. When this occurs you should contact your processor and/or Transcend customer support for more assistance. If the deposit was found to be successful, then you would select this command against the batch with the unknown status and mark it as being closed
16. CVV values are the last 3 digits located on the back of Visa, MasterCard and Discover cards in the signature CID values are the 4 digit unembossed number on the front of American Express cards, always located above the account number. These additional measures help ensure physical card presence, thereby reducing fraudulent usage during non face-to-face transactions. Setting the CVV/CID Filter: Click the appropriate responses to Release Transactions When CVV Data Configure Duplicate Checking: Transcend contains a duplicate transaction mechanism to help prevent unwanted duplicate transactions. When configuring the duplicate transaction parameters, the user must take into account current business practices to ensure that the settings are stringent enough to catch errors but lenient enough to allow for any necessary subsequent transaction processing. For example, some merchants allow their customers to call back within a certain amount of time and add on to previously placed orders. If this process involves a prior authorized amount, a new transaction may need to be entered for the recently added goods or services. In this case the Duplicate Checking parameters might be set to trigger the duplicate if the dollar amount matches but not trigger if the dollar amounts differ. The Duplicate Checking works against the user defined time interval. Default is 8 hours. If more time
17. Direct Marketing Transaction Entry; E-Commerce Transaction Entry; Transaction Browsing Tools; Browsing Transactions; Transaction Management and Context Menus; Export Selected Records; Print Receipt; Void Transaction; Hold Transaction; Adjust Transaction; Add Transaction Memo; Menu Commands for Closed Transactions; Menu Commands for Transactions that are On Hold; Menu Commands for Transactions in an Unknown Status; Browse Batches; Batch Management And Context Menus; Get Batch Details; Batch Summary by Card Type; Batch Summary By Department; Archive Batch; Resubmit Batch; Close Batch; Error Batch; Power Search; Running Reports; Select Report to Run; Merchant Selection; Transaction Type; Data Range; Load Report; Authorization Aging Report; Batch Detail by Operator Report; Batch Detail Report; Deposit Record Report; Deposit Summary Report; Duplicate Orders Report; Duplicate Transaction Report; Transaction By Transaction Type Report; Transaction Subtotal Status Report; Sample Report Display; System Console; Connecting to TranScend; System Component Versions; System Updates; Appendix A License Agreement and Warranty; License and Warranty; Appendix B TranScend Database Backup Strategy
18. MasterCard was quick to follow suit with their security program called Site Data Protection Plan (SDP). Nearly six years later the industry has now evolved into a single standard endorsed by nearly every payment industry participant. Visa's Cardholder Information Security Program (CISP): CISP is the acronym for Visa's Cardholder Information Security Program; if you store, transmit or process Visa cardholder data then CISP does apply to you. By implementing CISP, Visa is placing responsibility of protecting Visa cardholder data on everyone involved in the transaction process. As we all know, a chain is only as strong as its weakest link, and it only takes one open window for cardholder data to be compromised. How CISP Compliance Works: CISP compliance is required of all merchants and service providers that store, process or transmit Visa data. The program applies to all payment channels, including retail brick and mortar, mail/telephone order and e-commerce. To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. This standard is a result of collaboration between Visa and MasterCard and is designed to create common industry security requirements incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Dat
19. Overview; Database Backup Tools At Your Disposal; Making use of TranScend Features to Assist Database Restorations; Backup of the TranScend Databases; Customer Responsibility; Appendix C Credit Card Validation Rules; Mod 10 Verification; Credit Card Ranges; Appendix D Testing Environment Settings; Emulation Mode; Emulation Mode Test Card Numbers; Emulation Mode AVS Responses; Emulation Mode CVV2 Responses; Emulation Mode Auto Responses for Credit Cards; Emulation Mode Auto Responses for Debit Cards; Emulation Mode Auto Responses for Gift Cards; Appendix E Security Best Practices; Overview and History; Visa's Cardholder Information Security Program CISP; How CISP Compliance Works; CISP Compliance Validation Details; Merchant Levels Defined; Compliance Validation Basics; MasterCard's Site Data Protection Plan SDP; Payment Card Industry Data Security Standard; PCI Data Security Standard Basic Requirements; Payment Application Best Practice; Best Practices Goal; Visa Recommendations; Validation Procedures and Documentation; Payment Application Best Practices Summary; Clic Implementation Documentation; Complex Passwords; How to create CISP Compliant Complex Passwords; When to Use Complex Passwords; Manage Complex Passwords; Access To The Payment Application; Compliant Log; Compliant Wireless Settings; Secure Remote Software Updates; Se
20. Recommended; Qualified Independent Scan Vendor; Recommended. 4 merchants must comply with CISP; however, compliance validation for merchants in this category will be determined at the acquirer's discretion. MasterCard's Site Data Protection Plan (SDP): MasterCard's Site Data Protection Program (SDP) provides a comprehensive approach to evaluating and improving web site security. The SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and Member Service Providers are adequately protected against hacker intrusions and account data compromises. The SDP Program includes the following elements: The MasterCard Security Standard: series of manuals providing security requirements and best practices for participating acquiring members, online merchants, Member Service Providers and data security vendors. Evaluation Tools: Participants can demonstrate MasterCard Security Standard compliance by using the MasterCard Security Self Assessment and Network Scanning Tools. With these tools participants can self-evaluate their security situation and conduct real-time vulnerability assessments of their web infrastructure. SDP Service: The MasterCard Site Data Protection Service is a proactive, cost-effective global solution offered by MasterCard through its acquiring members. The SDP Service network vulnerability scans and alert services offered by ou SDP Service
21. Transcend, including merchant and user communications and fraud mechanisms such as AVS and parameters. Logging In: Open Transcend Client: Navigate the main system menu to locate and start the program as follows: Click on the START > Programs > Technology > TpaClient menu command to show the logon screen that appears on the left. The login screen will retain the last known good parameters with the exception of the password, which for security purposes must be entered each and every time a user logs in. The login can be attempted either by the specific IP address of the Transcend servers or by DNS server name. A successful login will retain the desired settings so the user can simply enter the password and click OK without needing to know the specifics for Server selection. The Server Selection option can be hidden by clicking the Vicon, resulting in a login screen that looks like this, to minimize confusion for less capable users. Logon Failures: If the credentials you supplied are not correct, then you will see the message box shown at the far left appear on the screen. After this you will be presented with the main logon screen again so that you can try again. If there are too many logon attempts that fail, then the workstation will be locked out and you will be shown a screen like the one on the right. Note s
22. User Report: Clicking on the will allow you to print a hard copy of the User Report. User Setup Report. Transactions Entries and Browsing Functions. Transactions: The transactions tab is one of several entry points for processing new transactions in Transcend. This screen has been designed to accept several different types of payment. For example, credit cards, debit cards, EBT and gift cards are all supported from this single screen. Supported payment types will be limited by your chosen payment processor and the merchant configuration. The transactions tab has also been designed to support the extra data elements as may be required for the various market segments, Direct Marketing and E-Commerce. Examples of each of these variants of the transaction entry screen are shown immediately below. Transaction Screen Panels: The transaction screen is broken into 6 sections called panels. Each panel is outlined in its own area of the screen. Each panel also has a title banner above it. Required Information Panel: in this section the card holder credit card information is entered. The yellow fields are required before the transaction can be processed. The green and white fields are optional. Card Verification Panel: you enter the CVV information in this section. Optional Retail Information Panel: specific card holder information is entered in this section. For exa
23. any unsaved changes and restore previously saved information. Configure Fraud Filters: In addition to the approved response provided by the Credit Card Processor, you may be provided with an AVS (Address Verification Service), VBV (Verified by Visa) and/or a CVV (Card Verification Value) response for transactions containing the appropriate customer Often times these additional responses will have no bearing on whether the transaction is approved or not. For example, a transaction can still be approved even if the address doesn't match. To assist merchants reduce fraudulent activity, Transcend provides an optional filtering mechanism which can take non-desired AVS, CVV or VBV responses and place the transaction in H-Authorized on hold status. When a transaction is placed in a H-Authorized on hold status, Transcend does not ready the transaction for settlement. The merchant can manually release a transaction from a H-Authorized on hold status after appropriate investigation through the API Mechanism or Client in order to allow the transaction to settle. Please note the default settings ensure that all Match type responses are released and therefore immediately eligible for settlement. These settings can either apply to an individual merchant or merchants. These settings can quickly and easily be for any business rules or policies. AVS (Address Verification Service): AVS is the process of verifying the address and/or zip co
24. apply to payment software developed by merchants and agents if used only in-house (not sold to a third party), since this in-house developed payment software would be covered as part of the merchant's/agent's normal PCI DSS compliance. NOTE: validated payment application products must be general releases and not beta versions. Data Retention Requirements: The following table from the PCI DSS illustrates commonly used elements of cardholder data and sensitive authentication data, whether storage of that data is permitted or prohibited, and whether this data needs to be protected. This table is not meant to be exhaustive; its sole purpose is to illustrate the different type of requirements that apply to each data element. The Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements and the PABP. If PAN is not stored, processed or transmitted, PCI DSS and PABP do not apply. [table: data elements, storage permitted, protection required] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (e.g. related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not
25. support agreement in place with the DBMS vendor, as the manufacturer of the DBMS is best equipped to resolve issues affecting the database engine itself. Appendix C: Credit Card Validation Rules. Mod 10 Verification: Most credit card numbers are encoded at the right end with a check digit. There is a simple algorithm called Mod 10 which can verify that a credit card number has been entered. To pass the Mod 10 check, the sum of the digits divided by 10 must yield an integer (whole number). Any value that is evenly divisible by 10 will be considered a successful credit card number entry. The check digit allows the card issuer to guarantee that the algorithm result X will be evenly divisible by 10. For example, in the sample below, when the calculated value without the check digit is 71, we know that the check digit number must be 9. The sum would equal 80, which is evenly divisible by 10. Using the card number 4444555566667779 as an example, here's how to calculate the result in the X Mod 10 formula: Reading from right to left, multiply the even positioned values by 2 and the odd positioned values by 1. The following table demonstrates the first step. Now add each single digit together to get the result X. The following demonstrates this step: 8+4+8+4+1+0+5+1+0+5+1+2+6+1+2+6+1+4+7+1+4+9=80. Last, perform Mod 10 on the sum: X Mod 10 = 0; 80 mod 10 = 0, verified as correct
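The Mod 10 check from Appendix C, written out as an added Python example (it is not part of the TranScend guide or product code). The function names are assumptions made here; the 13 to 16 digit length limit comes from the guide's Credit Card Ranges section, and the card number is the guide's own sample.

```python
import re

MIN_LEN, MAX_LEN = 13, 16  # card number length range stated in the guide


def _digits(number: str) -> list[int]:
    """Drop display separators (space, dash); reject any other non-digit."""
    cleaned = re.sub(r"[ -]", "", number)
    if not re.fullmatch(r"[0-9]+", cleaned):
        raise ValueError("card number may contain only digits, spaces and dashes")
    return [int(c) for c in cleaned]


def mod10_terms(number: str) -> list[int]:
    """Single digits that get added up, in left-to-right order.

    Counting from the right (check digit = position 1), even positions are
    multiplied by 2 and a two-digit product is split into its two digits;
    odd positions are taken unchanged (multiplied by 1).
    """
    digits = _digits(number)
    terms: list[int] = []
    for index, digit in enumerate(digits):
        position_from_right = len(digits) - index
        if position_from_right % 2 == 0:
            product = digit * 2
            terms.extend(divmod(product, 10) if product > 9 else (product,))
        else:
            terms.append(digit)
    return terms


def mod10_sum(number: str) -> int:
    """The result X of the guide's formula."""
    return sum(mod10_terms(number))


def mod10_valid(number: str) -> bool:
    """True when the number has a plausible length and X mod 10 == 0."""
    try:
        digits = _digits(number)
    except ValueError:
        return False
    if not MIN_LEN <= len(digits) <= MAX_LEN:
        return False
    return mod10_sum(number) % 10 == 0


def check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass the Mod 10 check."""
    # A placeholder 0 in the check position contributes nothing to the sum
    # but keeps the even/odd positions of the other digits correct.
    without_check = mod10_sum(partial + "0")
    return (10 - without_check % 10) % 10


if __name__ == "__main__":
    sample = "4444555566667779"  # sample number used in the guide
    print("+".join(map(str, mod10_terms(sample))), "=", mod10_sum(sample))
    print("check digit for 444455556666777:", check_digit("444455556666777"))
    print("valid:", mod10_valid(sample))
    # Constructed negative cases: one wrong digit, and two swapped digits.
    print("wrong last digit:", mod10_valid("4444555566667778"))
    print("swapped last two:", mod10_valid("4444555566667797"))
```

A passing Mod 10 check only shows the number was keyed without a simple typing error; it says nothing about whether the account exists or is authorized.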
26. card bank management in a competitive environment spread of 75 can rapidly diminish to less than 25 with charge offs in the A8 range. In a highly competitive arena back office arise principally from origination and collection. The Old Way: In the old days, credit card purchases were face-to-face transactions that required an imprinting bar across the whole mess. Everybody got a physical copy of the transaction: the merchant, you, and the bank. The bank copies were accumulated throughout the day in a batch which was ultimately taken physically to the bank, or even mailed in an envelope. The merchant was responsible for keeping each piece of paper, which served as an accounting record; sales totals for the day had to be tallied up for each slip manually. The bank in turn had to manually tally up slips too, so that the proper funds could be credited to the merchant's account. The bank then had receivables against the various card issuers for the total amounts of the transactions. The cardholder was then liable to the card issuer for payment of the deferred sale, and for most of us this relationship of liability to the card issuer will endure for the rest of our lives. The Electronic Terminal: Too much paper. Too much manual labor. Too many errors. With the computer age came a much better solution to credit card transaction processing. Instead of using the meat slicer, a merchant installed an electronic terminal which had nifty magnetic
27. err had happened. The optional Alerts Services allows the system to take a more proactive approach in communicating to the owner/administrator that a non-optimal system state was detected. The Log Server is also one of the programmable components of the Transcend Application Server. Purchasers of the Transcend Application Server Development Kit will be shown that the behavior of the Log Server can be enhanced to perform functions specific to your company's requirements as part of observing and processing the system's log data stream. When the extended log functionality is made part of a larger system integration that includes your external systems inserting custom messages into the Transcend, then your system can offer a certain degree of customized closed-loop processing. With regards to customized programming of the Transcend system Starting and Stopping The TranScend Servers: Before any processing can occur with Transcend, the system must be started. Transcend ships with a utility program called the Control which serves as a centralized control point for starting, pausing and stopping the Transcend servers. The image on the left shows this program as it appears when all the Transcend Servers are stopped. To start the system from this state, one only has to click on the Start All Servers button on the top of the program. When this action is performed the Control Server w
28. implied warranties of merchantability and fitness for a particular purpose, and any warranty against infringement, with regard to the software product. This limited warranty gives you specific legal rights. You may have others which vary from State/Jurisdiction to State/Jurisdiction. CUSTOMER REMEDIES: INTRIX Technology Inc.'s entire liability and your exclusive remedy shall not exceed the price paid for the software product. NO LIABILITY FOR DAMAGES: To the maximum extent permitted by applicable law, in no event shall INTRIX Technology Inc. or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use this INTRIX Technology Inc. product, even if INTRIX Technology Inc. has been advised of the possibility of such damages. Because some States/Jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. MISCELLANEOUS: If you acquired this product in the United States, this agreement is governed by the laws of the State of California. If this product was acquired outside the United States, then local law may apply. Should you have any questions concerning this agreement, or if you desire to contact INTRIX for any reason, please contact the INTRIX subsidiary serving your country or writ
29. in hand before proceeding with the creation of a new merchant. Create Merchant Step 1: Login to the Transcend client utility. Click on the Configuration tab. Click on the Configure Merchant tab. Click on the Create Merchant tab. Enter your merchant name and business address. Click Next. Step 3: Select your Communication Methods. HINT: As you select the methods, be sure to put them in rank order. Click Next. accepted payment type Step 5 3: Select the merchant's Privilege Groups. After you have created your merchants within Transcend you will need to set up the privilege groups for those merchants. Privilege Groups are an important security feature within Transcend as it allows the system Create Privilege Groups: Under New Privilege Group Name, type the name for the New Privilege Group. Click the Create New Group button. Step 3 4: Select the Privilege Group you wish to set from the Select Group to Edit/View drop list. Check the boxes from the list that you want members of that group to have. Click Apply to save the settings you made for the Privilege Group. Edit Privilege Group Ste
30. must be utilized due to lack of infrastructure or wired networks, network administrators must ensure that available wireless security mechanisms are implemented to the fullest extent. Wireless transmissions of cardholder data should be encrypted over both public and private networks. Encrypt the transmissions by using Wi-Fi Protected Access (WPA) technology if WPA capable, or VPN or SSL at 128-bit. Never rely exclusively on WEP to protect confidentiality and access to a wireless LAN. Use one of the above methodologies in conjunction with WEP at 128-bit, and rotate shared WEP keys quarterly and whenever there are personnel changes. technology is within the payment environment should be implemented securely. Installation of perimeter firewalls between wireless networks and the payment card environment, and configuration of these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment. Change wireless vendor defaults, including but not limited to Wireless Equivalent Privacy (WEP) keys, default Service Set Identifier (SSID), passwords, and SNMP community strings, and disabling of SSID broadcasts. Enable Wi-Fi Protected Access (WPA) technology for encryption and authentication when WPA capable. Secure Remote Software Updates: In many instances Transcend updates are delivered via remote access into customers' systems. In the event that a customer s requ
31. of the host machine. It will then use the decrypted value to connect to the dbms.
32. other credit cards do not honor Reversals only handled internally by Transcend as mentioned previously. Step 2: Settlement. preset merchants normally collect all of the authorization records into a batch and settle them at one particular time of the day. High-volume sales merchants, however, may need to run several batches throughout the day. Capture is the process of converting an existing authorization into a settlement transaction record within the outgoing batch. See the figure below for an illustration of the settlement process. [Figure: settlement process, showing the Credit Card Processor, Issuing Banks and Merchant Bank] If a customer returns an item after authorization and settlement, the Merchant can issue a Credit transaction to the Credit Card Processor that will return the funds from the Merchant Bank back to the Card Holder's account. Prior to settlement, it is possible to adjust the dollar amount down in the settlement, which is useful for handling partial shipments. TranScend Download and Registration: Register to Download TranScend. Open a Web Browser (e.g. Internet Explorer). In the address field type comfonline registration. Accurately complete the registration form and click on submit. An email will be sent shortly after registrati
33. partner Ubizen. Alternative Vendor Solutions: As an alternative to the SDP Service, participants may select any security vendor solution that is compliant with the MasterCard Security Standard. If desired, acquirers can ensure vendor compliance through the use of an optional fee-based vendor certification program offered by MasterCard. Web Insurance: An optional discounted Marsh insurance policy offers financial protection in case of a compromise. Payment Card Industry Data Security Standard: The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. This standard is a result of collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs. PCI Data Security Standard Basic Requirements: The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements. Build and Maintain a Secure Network: Install and maintain a firewall configuration to protect data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data: Protect stored data. Encrypt transmission of cardholder data and sensitive information across public networks. Maintain a Vulnerability Management Progra
34. settled (deposited). Since this is an irreversible operation, you will have to confirm that this action should be performed with the message box that will be shown. Hold Transaction: Selection of this command will prevent the transaction from being settled until its status is changed again to Ready status. This command should be used to put a transaction into a suspended state while some research is being done, or when the customer's goods have not yet been delivered (case of an E-Commerce or MOTO merchant type). Adjust Transaction: Selection of this command will present the dialog shown at right. Completion of this screen will allow the amount of the transaction to be altered. Note that this screen can be used to make the amount less, never more. This command should be used whenever the final settlement amount should be lower than the originally authorized amount. One case where this may become needed is for a MOTO or E-Commerce merchant where an order has only been partially delivered. Add Transaction Memo: Selection of this command will allow additional notations to be stored with the transaction. This feature can be useful for tracking various types of information that should be associated with the transaction. These notations can be displayed at any time. If you examine the image below you will see that transactions that have Memos associated with them will have the word YES in the final column of the list.
35. shall control. 4. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. 4.1 ALL OF THE SOFTWARE PRODUCT. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION AND DISASSEMBLY: You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. SEPARATION OF COMPONENTS: The SOFTWARE PRODUCT is licensed as a single product. Its COMPONENT parts may not be separated for use by more than one user or for use on more than one computer for server software. PRODUCT USE: The SOFTWARE PRODUCT may only be used for development purposes as described in Section 2 and may not be used in a production environment unless such use is allowed under the terms of the Component Agreement delivered with the respective COMPONENT. SUPPORT SERVICES: INTRIX may provide you with support services related to the SOFTWARE PRODUCT ("Support Services"). Use of Support Services is governed by the INTRIX policies and programs described in the user manual, online documentation, and/or INTRIX-provided materials. Any supplemental software code provided to you as part of the Support Services shall be considered part of the SOFTWARE PRODUCT and subject to the terms and conditions of this agreement. With respect to technical information you provide to INTRIX as part of the Support Services, INTRIX may use such information for its business purposes, including for produc
36. stripe reader on the side and some buttons to punch in the amount of the sale. The terminal would then dial up to a credit card processing center using a standard phone line and receive authorization or refusal for the transaction. The terminal printed a receipt for the customer to sign, and both merchant and customer kept a paper copy of the transaction. The terminal took much of the work load by transmitting a batch of transactions at the end of the day for settlement. Settlement consisted of the card processor depositing funds electronically to the merchant's bank. Some paper was involved, but much of the risk of doing plastic business was alleviated. Since authorizations were received electronically in real time, the merchant was assured of having a safe, depositable transaction. This method is still used predominantly today in point-of-sale situations such as restaurants, retail stores, gas stations, any place where a customer is present making a purchase with a card. Mail Order/Telephone Order (MOTO) Blossoms: The mail order industry blossomed with the advent of electronic credit card processing. Orders for products or services could be taken over the phone, and the terminal still had a role, only the customer obviously couldn't sign a receipt or present an actual card. This represented a larger risk to the credit card processors and merchant banks because charges could be disputed; favor usually smiled upon the cardholder because
37. successfully deposited. Error Batch: Selection of this command will mark an unknown batch to an error state. See the discussion above for why batches may be placed into an unknown state. Power Search: This function allows the user to interact with a more precise record lookup tool. The user can define any number of specifics for the record(s) being sought and then can request the system to search for any records that match the specified criteria. For example, a user is looking to reconcile a transaction but only has limited information: the purchase value 100 and type of MasterCard. The user can utilize Power Search by selecting the browsing type drop-down box (Select Browsing Type), right-clicking on the box entitled BY, inserting the known information, and selecting Search Now. If there are any transactions that meet the given criteria, they will appear on the screen provided. Running Reports: Transcend Reports can be displayed directly on the screen, printed, or exported to PDFs ds ifs XML files or Excel spreadsheets. With this feature you are able to select reports to view along with various merchant and transaction types. This is an essential element of the Transcend system, allowing users to keep track of previous transactions. An explanation of each of the report controls will be provided below. listed here will allow you to specify what type of report and what Mer
38. tas The NEW USER will be added to all the TPA databases that are installed on the system. See Figure Three below for an example of this. From the figure above you can see that the NEW USER was also added as a user to the database. The user will also be added to the TPAUARCHIVE database and to the TPAULOG if that database is present. Using the utility performs the tasks necessary to provide your TPA system with a custom user. NOTE About System Security: The NEW USER and NEW USER PASSWORD are stored in an encrypted form in the system registry. These values are encrypted with a key based on the hardware signature of your server. This additional level of security prevents anyone from replacing this information with fraudulent values in order to gain access to your company's data. In order to make this security enhancement complete, the encrypted values for NEW USER and NEW USER PASSWORD must be used by the TPA Data Server to connect to the database engine (dbms). See Figure Four below for a sample of how this is done. From the figure you can see that we are looking at the command used by the TPA Data Server. You can also see that new run line values for 304 have been added to the command line. The encrypted values for the entries are stored here. The data server, if it finds these entries on the command line, will decrypt the values using a key based on the hardware signature
39. the system. If you have not altered your default database after your installation, then the default setting of TPAU should work. UserName: This is where the user will have to enter a valid user in the database used by TPA. See your database system administrator if you do not know a valid user on your system (sa). Password: This is where the user will have to enter a valid password for the user. If you do not know a valid password then you must consult with the database system administrator. TPA System User Name: This is where the user will enter the NEW USER that will be used by TPA to connect to the database. TPA System User Password and Confirm TPA System User Password: These two fields are where the NEW USER PASSWORD for the NEW TPA USER will be entered. The password is entered twice to allow the user to confirm the value that will be used. NOTE: If the User Password and the Confirmation of the same do not match, then the program will display a message box to that effect so that the user can correct his error. End Effect of Using This Utility: The NEW USER will be added as a valid login to the database that is behind the DSN entry. This can be proven by looking at Enterprise Manager or a similar utility. In looking at Figure Two below you can see that a new login was created by the utility. The utility program also performs this
40. 1: Authorization; Step 2: Settlement; TranScend Download and Registration; Register to Download TranScend; TranScend Registration; TranScend Logs; Starting and Stopping The TranScend Servers; TranScend Client Overview; Logging In; Logon Failures; Screen Lock; Login Commands and Help Menu Commands; Change Password; Help Menu; Decode Product License; Configuration; TranScend Centralized Configuration; Configure System; Creating the Company; Configure Filters; AVS (Address Verification Service); Setting the AVS Fraud Filters; VBV (Verified By Visa); Setting the VBV Filters; CVV (Card Verification) / CID (Cardholder ID); Setting the Filter; Configure Duplicate Checking; Setting the Duplicate Transaction Parameters; Configure Secure Sockets; Configure Sockets (Frame Relay or Leased Line Connections); ASCII Gateway; Allowed Addresses; Settlement; Merchant and Privilege Group Information; How do I obtain Merchant ID and other Merchant Information; Configure Merchants; Create Merchant; Privilege Groups; Create Privilege Groups; Edit Privilege Group; Edit Merchant; Merchant Report; Configure User and User Report Information; Configure Users; Create User; De-Activating Users; Editing Users; User Reports; Printing User Reports; Transactions Entries and Browsing Functions; Transactions; Transaction Screen Panels; Retail Transaction Entry
41. 9 VERSION LIMITATION: The Server Software contains a certain version number (such as version 3.5). This License permits you to install one (1) copy of the Server Software with the same or a lower version number as the Server Software version number listed above on a single computer (for example, if the version number listed above is 3.5, you may install Server Software that contains a 3.5 or 2.0 version number, but not a 3.6 version number). The distribution media on which the SOFTWARE PRODUCT resides may contain a number of other products produced by INTRIX. Note that in order to install or use this software you must acquire a separate license for these products. You may not disclose the results of any benchmark test of either the Software to any third party without INTRIX's prior written approval. Note Regarding the Use of Run-Time Software: INTRIX hereby grants to you a limited, nonexclusive, royalty-free right to reproduce and distribute those files required for run-time execution of compiled applications ("Run-Time Files") in conjunction with and as part of your application software product that is created using the INTRIX SOFTWARE PRODUCT, provided that (a) you do not use INTRIX's name, logo, or trademarks to market your software product; (b) include a valid copyright notice in your software product; (c) if your software product contains any redistributable files must include a valid copyright notice you must distribut
42. 9 999 uptime. This translates into much lower cost of ownership for customers of Transcend. Following is a list of the fault-tolerant approaches utilized in the implementation of TranScend, along with what they provide to the customer. Fail Fast Strategy: Some programs will still attempt to run even after they have encountered a fatal condition internally. The architects of the Transcend system view this as a bad approach to the implementation of mission-critical system design, because one should not trust a wounded program any more than they should trust a wounded animal. So the approach adopted in all TranScend processes is to fail fast, which means that they will quickly exit on any abnormal processing condition and will not continue to limp along in a wounded state. The chance is that a process in this state is just as likely to do as much harm as good in continuing in an abnormal processing condition. Watch Dog Process: Recognizing that processes can fail fast (exit quickly on purpose) due to some abnormal condition, or simply crash due to an undiscovered corner case (AKA a very well hidden program bug), the Transcend architecture employs a process watch dog as a key component of the design. The Transcend control server is charged with making certain that all server processes in the Transcend server are alive and kicking. If any process is found to be down, the control server will restart it automatically without requiring any intervention
43. Browsing Transactions: In the Browse Transaction screen you will be able to view your Transactions based on merchant; also, in the Find option you will be able to scc the retrieval of eco or only today's records. You can click on the column headers on the top of the list to sort by any column in the list. If you want to use more than one column as sorting criteria, simply hold down the CTRL key while you click any additional columns to be included in the overall sorted list display. You can sort on as many columns as you'd like with this. Transaction Management and Context Menus. Export Selected Records: Selection of this command will allow the currently selected records in the list to be exported from the client and saved into a file. The currently supported formats are Excel Worksheet and Comma Separated Values (CSV). Since File Dialogs are commonly understood, no image is provided for that screen. Print Receipt: Selection of this command will cause a Reprinted Receipt to be displayed for the selected transaction. You can see that Reprinted receipts will show that word. This is so that one can immediately recognize these kinds of receipts from the original ones produced by the system. Void Transaction: Selection of this command will cause the transaction not be This command should be used to reverse a transaction that has not yet been
44. Settings: Transcend requires use of the TCP/IP network protocol for communications. Prior to installation of Transcend, TCP/IP must be installed. Your network configuration may currently have settings statically assigned (manually configured) or dynamically assigned (automatically configured through DHCP, Dynamic Host Configuration Protocol). If your network has TCP/IP settings statically assigned, have your TCP/IP information available when configuring Transcend. Sites that use DHCP will need to assign or reserve a static IP address for their Transcend server processes. NOTE: Contact your Network Administrator to verify/satisfy the requirements mentioned here. Transcend is designed to work in a network environment, but it does not require a NIC (Network Interface Card) to operate properly. Emulation Mode: After installing Transcend you will notice that it is running in Emulation Mode. This mode is a testing environment; all transactions are simulated and the actual communication to the Credit Card Processor does not occur. This allows for extensive testing of Transcend features and also development of a custom interface with your products. Transcend will constantly remind you that you are in emulation mode when the server is started. Within the transaction message response you will see the indicator FAKE. To activate Transcend for real-time credit card processing, call your Sales or Support representative at INTRIX Techn
45. [Table: PABP requirements with the corresponding PCI Data Security Standard references; cell contents are not recoverable. Section headings that survive: Protect Wireless Transmissions; Test Applications to Address Vulnerabilities; Facilitate Secure Network Implementation.]
46. TranScend User's Guide, Revision 2 122007, INTRIX Technology Inc. Table of Contents: Preface; Introduction; System Requirements and Recommendations; History of Payment Processing; The Architecture & Brief History of the Credit Card Industry; The Old Way; The Electronic Terminal; Mail Order/Telephone Order (MOTO) Blossoms; Goodbye Terminal; Internet Commerce; Now In Simple Terms; Essentials of TranScend; Speed, Security & Simplicity; Speed; Security; Data Security; Session Level Security; Data Storage Security; User Security; Allowed IP Addresses List; Message Validation with fail fast session teardown on message validation failures; Fault Tolerance; Fail Fast Strategy; Watch Dog Process; Self Healing Communications Channels; Data Journaling and Delta Records; Automated Data Base Consistency Checks and Archival Processes; Data Mirrors; Stateless Servers; Distributed Computing Tolerance; Software That Grows With Your Requirements; Redundancy and Scalability; Multiple Outbound Communications Channel; Optional Configurations; Fully Distributed Computing is Supported; Processor Portability; Split Dial; TCP/IP Settings; Emulation Mode; Transaction Processing; The Card Present Transaction Process; The Non Card Present Transaction Process; Credit Card Transaction Process Summary; Step
47. Validation Executive Summary: Include the following: Software vendor name; Software vendor contact information; Software vendor mailing address; QPASP name and contact information; Product Name; Product Version (if applicable); List of resellers and/or integrators for this product; Operating system with which the payment application was tested. Include other applications required by the payment application; Database software used or supported by the application; Brief description of the payment application/family of products (2-3 sentences); Brief description of the software vendor or QPASC's Laboratory (2-3 sentences); A network diagram of a typical implementation of the software (not necessarily a specific implementation at a merchant's site) that includes, at high level, connections into and out of a merchant's network, and the implementation components within the merchant's network, including implementation of POS devices, systems, databases, and web servers as applicable. Describe/diagram each piece of the communication link, including (1) LAN, WAN or Internet, (2) host-to-host software communication, and (3) within host where software is deployed (e.g. how two different processes communicate with each other on the same host). All flows of cardholder data. All payment application related software components, including third-party software dependencies. End-to-end authentication, including application authentication mech
48. a Security Standard within their respective programs. Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. CISP Compliance Validation Details: Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. It is a fundamental and critical function that identifies and corrects vulnerabilities and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the Visa system by merchants and service providers. Acquirers are responsible for ensuring that all of their merchants comply with CISP; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk and exposure introduced into the Visa system. Merchant Levels Defined: Acquirers are responsible for determining the compliance validation levels of their merchants. Merchants will fall into one of the four merchant levels based on annual Visa transaction volume. The transaction volume is based on the aggregate number of Visa transactions from a Doing Business As (DBA) or a chain of stores (not of a corporation that has several chains). Merchant levels are def
49. aining security. Within the Configuration Tab you will notice the following items: Configure System, Configure Merchants and Configure Users. In this of the next section you will become familiar with the Configuration Options for initial set up and ongoing service. TranScend Centralized Configuration [Figure: Any Market Where Payment Terminal Devices Are Used Today; diagrams of TranScend configurations] Configure System: The Configure System Tab contains options for configuring Company information, Fraud Filters, and Processor communication options, which include Secure Sockets (Internet SSL communications to the processor) and Sockets (Leased Line connections to the processor). The Application Programming Interface option known as ASCII Gateway has some user-configurable options. Allowable Addresses configuration is an integral part of the security features of Transcend. And finally, Settlement allows for batch times to be set for various merchant groups. Creating the Company: Login to the Transcend client utility. Click on the Configuration tab. Click on the Configure System tab. Click on the Company tab. Click Save when done. Enter all pertinent company information and click the Save button. This information can be drawn upon and used later when configuring merchant accounts as well. Clicking Cancel will back out
50. am Aerea our serrent you aow be ale ocius wit the appropriate processor specific setup information. TranScend Logs: After TranScend has been downloaded, installed, and registered, the installation process will have created a directory structure similar to the diagram below. (Assumes default install path was chosen during installation.) The Log Server provides a system-wide logging mechanism for Transcend. Since there are a number of processes included in the system that each will generate messages to be stored in the system log, there is a need for a single process to collect and manage this information. This function is provided by the Log Server. The Log Server provides log data storage files for easy, quick views of log output from the system. The log server creates 3 text files for each day's operations: the security log file, the audit log file, and the errors and warnings log file. The security log is a file that contains information about each login attempt to the system. It also logs which IP addresses are allowed to connect to your system. The audit log contains only those messages which are audit events encountered during processing. Audit events are those messages which have to do with either money or card processor communications. Money messages encompass any log message that has to do with the transfer and/or handling of electronic payment processi
51. an chou fare reared by epi VISA and PABP andthe cn net be psd or removed Once norton hs een ck at the he Stem ada wie endo eth aly ds rbd im Append f edam The next time that a logon is attempted from any locked-out workstation, the user attempting the logon will be shown the screen to the left. This will occur even if the user credentials are good, because the user's name has already been added to the lockout. It is also worth noting that User Lockout will be automatically expired by the system in one half an hour. So if a user locks themselves out and the administrator cannot be located to correct the situation with use of the LIN utility, then that user account will become automatically re-enabled by the system after one half hour passes. There is another type of lockout that is more permanent. This is called a In this kind of lockout the workstation itself was judged to be insecure through repeated failed logon attempts. In order to prevent data break-ins from an insecure terminal, the workstation's address is added to the lockout. This station lockout never expires and must be removed by a system administrator with the LIN program. This security feature is designed to prevent attacks from unknown or not properly secured clients. For more information on clearing station locks, please see Appendix G for more info
52. anism, authentication, database and security of data storage. Describe the typical merchant that this product is sold to (for example, large, small, if industry-specific, Internet, brick and mortar) and vendor's customer's base (market segment, big customer names). Description of Scope of Validation and Approach Taken: Describe scope of review as defined at Scope of Assessment above. Describe region/country-specific implementations covered. Timeframe of validation. List of documentation reviewed. Findings and Observations: All QPASPs must use the following template to provide detailed report descriptions and findings. Describe tests performed other than those included in the testing procedures column. Contact Information and Report Date: Software vendor contact information (include URL, phone number and email address). QPASP contact information (include phone number and email address). Date of report. Re-Validation: No change: Visa does NOT currently require re-validation for previously validated product versions if no changes were made to the compliant payment application version. However, Visa will require a Confirmation of Report Accuracy from the software vendor prior to the expiration date indicating that no changes were made to the validated payment application. Changes made do not affect any of the 14 PABP requirements: If changes were made to a previously validated payment application version but do not impact t
53. ansaction processing industry, with specific attention paid to PABP (Payment Application Best Practices) requirements. In addition, the system update process is also designed to provide additional security to users of Transcend through the following features: 1. The addresses for the Update Servers are built into the system to reduce the possibility that malicious code can come from any other non-authorized source. 2. The communications protocol between the update client and the update server leverages SSL and standard HTTPS but utilizes a proprietary data exchange protocol that no other non-authorized servers can easily replicate. This, combined with 1 above, provides the utmost security with regards to the source for any system updates. 3. Access to Updates is password protected with a three-way credential that utilizes unique usernames and passwords. In addition, these credentials are also associated with the system's license key so as to protect the merchant's identity with an additional authentication factor. 4. Access to Server and Client Updates can be segregated among users within a merchant profile with tix. For example, consider that you'd like Fred to be able to update clients at your location but not have the ability to update servers. Also, you'd like Gary to be able to update both servers and clients at your location. When these download accounts are set up on the atis Update Servers, you specify which users are allowed to up
54. atically discover other processes that form the core of the Transcend data processing system. In addition, this solution leverages the very unique distributed computing system start-up and control system built into the Transcend control server. Processor Portability: Over time you may find that competition within the payment processor marketplace will allow your business to gain a significant per-transaction cost reduction by switching to another payment processor. To allow you to benefit from these opportunities, Transcend can be easily reconfigured to send your transactions to another payment processor (contact Transcend sales for the current list of processors supported by Transcend). Since this is a simple reconfiguration of the Transcend system and does not involve any other changes to your system, there is virtually no risk in executing a mid-stream change of this nature. Split Dial: In some cases, businesses that accept multiple payment types seek the best prices when selecting processors to perform interchange services for different payment types. In the most extreme of these cases, the business may have a different card processor for each payment type accepted. To allow your business to benefit from these possibilities, Transcend is designed with several levels of split dial capability, which is the term we use when your business has a desire to employ multiple targets for different payment types. TCP IP
55. between programs, the two programs negotiate a unique session data encryption key. This data encryption key is unique between each two programs and valid only for the duration of that specific Data Storage Security: All data that is stored in the Transcend database is encrypted prior to being stored in the database management system. The implementation of this data encryption scheme the AES encryption algorithm. AES elec fore pria as she recommended alor for data choro NIST. The algorithm is further strengthened by use of a rotating key schedule cach alae uique 258 ley for each data encryption operation. Here again, because a fixed key schedule is avoided in this scheme, the of the data is further enhanced. User Security: The Transcend system utilizes several techniques in regards to user-level access and control in an effort to provide further protection to the data stored in the Transcend database. First, with regards to user login IDs and passwords, both of these values are passed through an exhaustive multi MD5 oscillator, which creates a one-way hashing algorithm that prevents theft of user names and passwords as a means of compromising system security. Next, the rights and permissions for each user can be strictly controlled through assigning each user roles and permissions appropriate to their staff position within your organization. This approach will furthe
56. bove the worm dictionary seduce 196 could guess 906 ofl passwords ide UNIX servers ht latched Toda here sa wide clean of des idoneos ca the lee Sine the done by programs bei daya ale 2 that srong passwords shal not conta can found in dicor Rule 3: Good passwords are strong passwords that can be easily remembered. We can quickly create a strong password like 18EWE qPA, but we will soon forget it. A good strategy is to start with a phrase that you know well. Try using old songs that are not widely known. Taking the first of each word produces a complex password that we can recreate without. Better yet, create our own unique phrases and take away letters or add character. When to Use Complex Passwords: We strongly urge customers to assign strong application and system passwords whenever possible, and the following best practices should be followed at all times: applications should require a unique username and complex password for all administrative access and to cardholder data. Manage Complex Passwords. Access To The Payment Application: Access to the Transcend Client should be granted to those individuals whose job function requires them to do so. A unique username should be assigned to each person accessing the utilities, and only Active usernames with the proper password will be allowed into the system; other access will be denied
57. butable Code, provided that you comply with Section 8. 3 DISTRIBUTION REQUIREMENTS: If you are authorized to redistribute the Redistributable Code (collectively REDISTRIBUTABLE COMPONENTS) as described in Sections 6 and 7 above, you must: a) distribute the REDISTRIBUTABLE COMPONENTS only in conjunction with and as part of your software product that adds primary and significant functionality to the REDISTRIBUTABLE COMPONENTS; b) not permit further redistribution of the REDISTRIBUTABLE COMPONENTS by your end user customers; c) not use name logo or trademarks to software application product; d) include valid copyright notice your software product; e) agree to indemnify, hold harmless and defend INTRIX from and against any claims or lawsuits, including attorney's fees, that arise or result from the use or distribution of your software product; f) otherwise comply with the terms of this license agreement; and g) agree that INTRIX reserves all rights not expressly granted. Notwithstanding subsection 80 above, you may permit further redistribution of the REDISTRIBUTABLE COMPONENTS by your distributors to your end user customers if your distributors only distribute the REDISTRIBUTABLE COMPONENTS in conjunction with and as part of your Application and you and your distributors comply with all other terms of this agreement. 9 COPYRIGHT: title and copyrights and to the SOFTWARE PRODUCT including b
58. ccording to the Payment Application Best Practices document. This document is also to be used as the template for the Report on Validation. The scope of Validation is described in the Payment Application Best Practices download. Assessors performing payment application reviews must contact Visa for approval before proceeding with the audit specified in the Payment Application Best Practices. Visa will not accept audits without this pre-approval. Payment Application Best Practices Summary: The following are the high-level best practices to follow in order to ensure the Payment Application complies with the Payment Application Best Practices document. Each high-level best practice has several additional ements that are tested during the certification process. The requirements for Payment Application Best Practices validation are derived from the Payment Card Industry (PCI) Data Security Standard and the PCI Security Audit Procedures. These documents detail what is required to be CISP compliant, and therefore what a payment application should do o a merchants compliance, and should be ara reference for CISP standards. Validated applications must be capable of being implemented in a CISP-compliant manner. 1. Do not retain full magnetic stripe or data. Protect stored data. Provide secure password features. Log application activity. Develop secure applications. Protect wireless. Test app
59. chant Selection: allows the operator to determine which merchants tonne E fora repo Fiat res sacks. Transaction Type: This is the list of transaction types to include in a report's results. NOTE: List options vary depending on which report is selected. Data Range: This option is used to define the range of dates to include in the The From Date defines the start date for the data records to be included in the report results. The To Date defines the end for the data records to be included in the report results. Load Report: Once all the report parameters are defined, then clicking this button issues a report command to the system. The resulting report data will be displayed in the space on the right-hand side of the screen. Authorization Aging Report: The Authorization Aging Report displays authorizations that are waiting to be settled, for example P Purchase or Auth Only. The amount held against the cardholder's account will naturally expire in 7-12 days; occasionally some processors may have a different expiration period. Authorizations that expire when an item is on back order will need a new Authorization submitted. Batch Detail by Operator Report: The Batch Detail by Operator Report allows you to view details of transactions created by each Operator. This may be used to keep track of the workload and efficiency of each individual
60. cure Remote Access To The Networks; Secure Data; Do Not Store Cardholder Data On Internet Accessible Systems; SSL & Secure Data Transmission Over The Internet; Appendix F: PABP Compliance Recommendations and Requirements; Relationship Between PCI DSS and PABP; Scope of PABP; Data Retention Requirements; PABP Implementation Guide; Qualified Payment Application Security Professional (QPASP) Requirements; Testing Laboratory; Instructions and Content for Report on Validation; Description of Scope of Validation and Approach Taken; Findings and Observations; Contact Information and Report Date; Re-Validation; PABP Requirements; Protect Wireless Transmissions; Test Applications to Address Vulnerabilities; Facilitate Secure Network Implementation; Data Must Never Stored on A Server Connected To The Internet; Facilitate Secure Remote Software Updates; Facilitate Secure Remote Access to Application; Encrypt Sensitive Traffic Over Public; Encrypt Console Administrative Access; Maintain Instructional Documentation and Training P
61. d Servers must be running in order to use Transcend Client to process credit card transactions. You can process a number of different types of payment transactions (Processor Dependent), which may include Credit Cards, Gift Cards, EBT and Checks. Credit Card transactions in most cases include purchases, credits, authorizations, batch releases (Settlement or Capture) and reversals. Gift Card transactions in most cases include activations, redemptions and balance inquiries. Gift cards in most cases activation, issuance, redemption, balance inquiries and deactivations. EBT transactions include sale, prior sale, returns and balance inquiries. Checks include Point of Purchase (POP) and Accounts Receivable Conversion (ARC) transaction sets. With just one click of a button, Transcend Client sends credit card information to the TranScend Server for processing and displays the results within seconds. The Transcend Client also has some information such as Console for showing Transcend Server Status and Up Times Statistics as well as measurements of transaction throughput times. An extensive reporting tool for printing receipts, detailed transaction data and batch information for reconciling. Transcend plays a number of useful roles within the enterprise. You can use it as a point of sale mechanism or to browse, create, modify and purge transactions. It is used to configure many of tho
62. date which components of the system. The Update program is transactional by design: it will either completely apply an update, or the entire update job will be rolled back completely and not applied to the target machine at all. This feature is incorporated to reduce the chances that a partial update is applied to the system. The Update program is designed to preserve all files to the maximum extent possible. Files that are about to be overwritten are copied to backup directories whenever possible. In the screen shots that follow, the server update process is examined in detail. The server update process and the client update process operate in near identical fashion, except they are specifically built to manage only one type of update: client update or server update. Any screen shot that is specific to only a single type of update will be pointed out as such. The first screen that will be seen is a typical Welcome Screen. This screen is common to both versions of the installer. If the credentials you entered into the logon screen were incorrect, then you would be shown a message box indicating that the information provided was not accepted. You must NOT be remotely logged in while updating this machine. If the user credentials you supp
63. de submitted with the transaction against the address and/or zip code listed on the cardholder's monthly statement. Direct Marketing and industries have always benefited from this service, and retail is now finding ways to utilize this feature during a Retail transaction and the card cannot be read the merchant may receive preferred rates by including the zip code with the transaction. Setting the AVS Fraud Filters: 2 Click on responses to Release for NUSS Domestic AVS Responssand Demo International Transactions pomi prie Cickon Message Seer mter a suitable message which Sate renmed a penc partot the tansicon response ere pue 2. Click Save to save the changes. VBV (Verified By Visa): VBV is the process of validating a cardholder-created password that is submitted with an online transaction. The cardholder must enroll into the program to establish the password for the card, and the merchant must participate and have the necessary plugins on their website. These optional measures apply to participating merchants in the Electronic Commerce industry. MasterCard has a similar feature known as MasterCard SecureCode. Setting the VBV Filters: Mov 2 Vested Traci When por Ee Save ove te changes CVV Card Verification Value CID Cardholder ID
64. der's name and the expiration date. Credit Card Transaction Process Summary: Following is a basic scenario for a credit card transaction. The Consumer decides to purchase service or products from the Merchant. Submits information to merchant. The merchant sends the consumer information to the Credit Card Processor for authorization. The Credit Card Processor either authorizes a certain amount of money (issues an authorization code) or declines the transaction. If the transaction is authorized, a capture takes the information from the successful authorization and charges the authorized amount of money to the consumer's credit card. If the consumer cancels the order before it is captured, a void is generated. If the consumer returns after the transaction has been captured, a credit is generated. Then Settlement occurs. Captures and credits usually accumulate into batches and are settled as a group. When a batch is submitted, the merchant's payment-enabled server connects with the Credit Card Processor to finalize the transactions and transfer monies to the Merchant bank account. Step 1: Authorization. Although no card present transactions are not usually settled at the time of order taking, it is a good idea for the merchant to get an immediate authorization prior to shipping the
65. dholder Data Must Never Be Stored on A Server Connected To The Internet Commen 91 fay dlsteibveed depiopmant Data security standard 1 3 and Facilitate Secure Remote Software Updates Coen 101 Data security standard 1 3 9 and any spanten at be erchants vendoce tntegestors are m Facilitate Secure Remote Access to Application PABP or pata security standard 112 112 Data security standard 8 3 teschants vendocs tntegeators are ns Encrypt Sensitive Traffic Over Public Networks Reet 121 Security standard 4 3 PCI pata security Standard 4 2 m Encrypt All Non Console Administrative Access PARP RSS Commen 131 Data security standard 2 3 SSL TLS for encryption of non conscle E Maintain Instructional Documentation and Training Programs for Customer Resellers and Integrators PARP Rea Tane m 1414 Addresses all requirements in this document Wherever the PABP Implementation Guide is referenced 1412 142 Appendix G Lin exe Usage Introduction to the Lin exe Utility
66. e asks for which was designed for. You may install copies of the SOFTWARE PRODUCT on up to ten (10) Computers, provided that you are the only individual using the SOFTWARE PRODUCT. ation INTRIX grants to you as an individual a personal, nonexclusive license to make and use an unlimited number of copies of any documentary material from the documentation portion of the SOFTWARE PRODUCT (Documentation), provided that such copies shall be used only for personal purposes and are not to be republished or distributed (either in hard copy or electronic form) beyond the user's premises, and with the following exception: you may use the Documentation identified with the product solely in connection with your use of the software, provided, however, that the Documentation shall not be used in the development of a competitive application. 3 ADDITIONAL COMPONENT LICENSING TERMS: Each COMPONENT may have its own license agreement included with such COMPONENT (Component Agreement). In the event of inconsistencies between this agreement and any Component Agreement, the terms of the Component Agreement shall control except for the following: For all of the SOFTWARE PRODUCT, Section 4 1 of this agreement shall control; For all UPDATES and COMPONENTS received through the any distribution or resale channel, Section 10 a this agreement shall control; and For all COMPONENTS included in this distribution, all of the provisions of this agreement
67. e INTRIX Technology Inc., 2260 Douglas Blvd, Suite 240, Roseville, CA 95661. Appendix B: TranScend Database Backup Strategy. Overview: The obvious goal of database backups is to ensure the safety and integrity of the data held in the database. The less obvious goal is to minimize the time taken to restore the database in the event of a failure while also keeping costs of backing up the database reasonable. Costs in this context are the demands placed on the database engine related to database backup operations. Database Backup Tools At Your Disposal: MS SQL Server offers 3 different kinds of backups, which are: 1. Full Database Backup. 2. Differential Backups, wherein all the differences from the last full backup are backed up. 3. Transaction Log Backups, which back up the database transactions since the last full, differential or transaction log backup. Now, to restore a database, a typical approach that utilizes these SQL Server tools would be as follows: 1. Restore the last full backup. 2. Restore differential backups that were made subsequent to the last full backup. 3. Restore transaction log backups that were made subsequent to the last differential backup. However, restoration of transaction log backups is a very expensive operation and consumes a significant amount of system resources. Therefore, Transcend's Development Team has devised additional strategies that are designed to create more rapid database restoration after a fault
68. e all components specified in the Readme file in conjunction with your software product, (d) you do not charge separately for the Run Time Files, (e) you do not modify the Run Time Files, and (f) you agree to indemnify, hold harmless and defend INTRIX and its suppliers from and against any claims or lawsuits, including attorney's fees, that arise or result from the use or distribution of your application software product. 5 PRERELEASE CODE: Portions of the SOFTWARE PRODUCT may be identified as prerelease code (Prerelease Code). Such Prerelease Code is not at the level of performance and compatibility of the final, generally available product offering. The Prerelease Code may not operate correctly and may be substantially modified prior to first commercial shipment. INTRIX is not obligated to make this or any later version of the Prerelease Code commercially available. The grant of license to use Prerelease Code expires upon availability of a commercial release of the Prerelease Code from INTRIX. 6 SAMPLE CODE: INTRIX grants to you a nonexclusive, royalty-free right to use and modify the source code version of, and to reproduce and distribute the object code version of, the Sample Code, provided that you comply with Section D. 7 REDISTRIBUTABLE CODE: INTRIX grants to you a nonexclusive, royalty-free right to reproduce and distribute the DLL files included as part of the Sample Code, and additional rights to the SOFTWARE PRODUCT designated as Redistri
69. e user must enter the current password (to prevent unauthorized password changes) and the new password twice so that the new value can be confirmed. Here are some things to know when creating a new password: Change password first. Make password unique by combining letters rectas and numbers. Password must be at least 8 characters long. Passwords can only last 90 days. Change Your Password: It is important to note that when a user changes their password it will take effect on their next logon. If a user changes their password, then remains logged into the system, and their client enters a screen-locked state, then the user must use their current password to unlock the client program. Help Menu, Decode Product License: Invoking this command will display a dialog like the one shown below. Here the user can test system license keys in order to discover what the users oF that are licensed to do with their installation of Transcend. Keys can either be pasted from the clipboard, or the system's currently installed key can be read from the Transcend system servers and decoded in the window shown below. Configuration: The Configuration Options are your tools to configure your system for fraud filters, configure merchants and to set up your users. You will find that the Administration Menu is valuable to enable you to make the best of what the Transcend Product can do for you while maint
70. eds, please contact Transcend and discuss your requirements so that we can provide your organization with the most appropriately sized deployment. Software That Grows With Your Requirements: Many other vendors offer several different products to address different business data throughput or transaction type needs. This approach can create a difficult to understand mix of products, which makes it hard to determine exactly which version of a product you will need. Over time, the worst-case scenario for your business if using one of these products is that your success will cause you to outgrow the product being used, and you are then forced to purchase up to a completely different offering from that company. A worse potential still is that these products may not even be compatible with each other, even though they may come from the same vendor, or are not easily upgraded, which puts your company's transactions data at risk of loss and/or premature retirement. To counter this possibility, Transcend offers a unique and more beneficial product plan wherein the Transcend system can grow in capability as your business grows. Transcend offers a single code base or a feature rich product. The features of the product are controlled by the product key. Therefore, if initially your business demands for your payment processing system are minimal, you can purchase Transcend with some of the more advanced product features disabled and or rod down. Then as your busin
71. ence being that wherever possible the entries in the screens are pre-filled with the settings that are already current for the user whose settings are being changed. Therefore, to edit a user, all that needs to be done is to double-click the list showing all the users already configured in the system. Once this action is performed, the selected user's settings will be used to pre-fill the settings in each of the wizard screens. Therefore, to edit the settings for a user, simply go through each of these screens exactly as you would if you were using the user creation wizard, only you have the opportunity to change any setting in each of the screens in order to make the necessary changes. Step 1: Len wie tense tet sy togas ub. Select the Configure User tab. Select the Edit User tab. If the list is empty, click the Reload Window button. Dos Cic one wer cord areae changed. Step 2: 3. Navigate through the Wizard Screens making any changes that are appropriate. Click the Save button at the end of the wizard to save the settings you made for the User. User Reports: This screen will allow you to quickly view a summary of the users configured on your system. You also have the option of printing the User Report from this screen. Printing User Reports: Click the Reload Window button to view users. Double-click the desired user to access their
72. ess grows, you simply need to purchase a more feature-rich product key that enables the features that best your new expanded requirements. With this approach, simply installing a new valid license key will enable you to upgrade your installation without having to change a single bit of installed code. This more thoughtful approach to product packaging allows your business a more robust and reliable and simplified upgrade path and also prevents the risk of any data loss due to any upgrades. In addition, it allows you to select which features are important to your business and provides you with much more flexibility in what you purchase as part of your payment processing system. In the next section we'll look at some related features of the system design that allow the system to scale. These features will allow your Transcend system to grow in capability and processing power (data throughput) as your business grows. It is important to keep in mind that many of these features are controlled by the product license key, and depending on how your system requirements evolve you may need to purchase new, more feature-enabled product keys. Redundancy and Scalability: In a previous section the fault tolerance techniques used in TranScend were explained to provide you with information on how the system design approaches a maximum uptime philosophy. Those features are included in the Transcend product so that the product's reliability becomes near ze
73. essage box is dismissed the program will exit. Appendix A: License Agreement and Warranty. License and Warranty: You must agree to the License Agreement before you can use Transcend. MASTER END USER LICENSE AGREEMENT. IMPORTANT, READ CAREFULLY: This License Agreement is a legal agreement between you (either an individual or a single entity) and INTRIX Technology Inc. (INTRIX) for the software product(s) accompanying this installation, which computer software and may include online or electronic documentation, associated media and printed materials (SOFTWARE PRODUCT). By installing, copying or otherwise using the SOFTWARE PRODUCT or any UPDATES (as defined below), you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, do not install or use the SOFTWARE PRODUCT, and promptly return the entire unused SOFTWARE PRODUCT to your place of purchase for a full refund. In addition, by installing, copying or otherwise using subscription updates that you have received as part of the SOFTWARE PRODUCT (UPDATES), you agree to be bound by the additional license terms that accompany such UPDATES. If you do not agree to the additional license terms that accompany such UPDATES, you may not install, copy or use such UPDATES. SOFTWARE PRODUCT LICENSE: The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property
74. f all the system components that compose the Transcend Processing Architecture (TPA). Connecting to TranScend: Click File from the top-level command menu. 2. Click Connect from the drop-down menu. This connection allows the console to completely communicate with all components of Transcend. System Component Versions: With the Console View being active, the user can discover version information about server-side components of the Transcend installation. To locate version information, click Help from the top-level command menu. With Console connected, the About Transcend can provide critical system information that you may be required to send to INTRIX Support. In the event that you are asked to provide this information to support, use the Copy To Clipboard option and then paste this information into an email. The image above shows a typical dialog that will be displayed when the About TranScend command is initiated with the option of Copy To Clipboard. System Updates: Transcend has a customized system update process that was designed to meet the very specific industry requirements of the tr
75. gure User and User Report Information. Configure Users. Create User: Transcend allows you to create users for user that will be interacting with the system. Each user can be affiliated with a set of functions that are assigned the privilege that the user is associated with is a security feature of the Transcend system such any user's access to system functions should be limited to only those that would be required for them to perform their job functions. The series of usted instructions that follow provide you with the information required to create users for the Transcend system. Step 3: Log in to the Transcend client. 2. Click on the Configuration tab. 2. Click on the Configure User tab. 2. Click on the Create User tab. Step 3. Step 4: Pick your Privilege Groups that this will be associated. Click Next. De-Activating Users: Log in to the Transcend client utility. Select the Configuration tab. Select the Configure User tab. Select the Edit User tab. If the User List is empty, click the Reload Window button. Right-click on the record for the user that should be deactivated. Select the De-Activate User menu command. Editing Users: In general, the edit function uses the same wizard screens that were used to create a user, with the main differ
76. h consists of merchants who accept the card and to whom the network forwards prompt payment when a cardholder makes a purchase. The network charges the merchant a fee, usually a percentage of the sale, for this service. This fee is the primary source of revenue for the network and the merchant acquirers who manage the merchant base. The network also maintains member financial institutions, or banks, that issue the network's credit card. The banks in turn solicit and build up a customer base of cardholders who will use their credit cards to make purchases from the merchant base and to obtain cash advances. The bank borrows funds from the money market and other sources and pays for the purchase at time rand then collects from the cardholder at time days where n is typically between 30 and 120. The assets of the credit card issuer consist of the debt of the cardholders to the bank. The liability side consists of ans t too from the money market to pay the network for the purchase. It profits from a spread in the interest rate between the asset and liability sides and from seasoning assets, that is, maintaining a high value of n. It may also generate revenue by charging various types of fees. The spread that the bank actually earns is significantly reduced by charge-offs and back-office expenses. The management of these expenses, particularly charge-offs, is the crucial factor credit
77. has occurred that requires database NOTE: Customers are advised and encouraged to read about all topics related to BACKUP and RESTORATION in SQL Server Books Online. To find the current location of this very important resource, do the following: Perform an internet search for the topic SQL Server Books Online and BACKUP. Navigate to the appropriate location on the Microsoft site. Read and try to understand the information provided in terms of your business needs for data backup and restoration techniques. Making use of TranScend Features to Assist Database Restorations: The Transcend system keeps a complete delta log of all the records written to the system. The Transcend log is a set of text files that contain each SQL statement that was applied to the Transcend database. This data format can be directly played into a SQL Server database, which allows the user of Transcend an improved restoration approach beyond what SQL Server tools by themselves can provide. Because of this, customers will restore databases in the following sequence: 1. Restore the last full backup. 2. If using any Full or Differential Restoration Model, then next you should restore the most recent differential backup made subsequent to the last full backup. 3. Restore TranScend's delta logs that were made subsequent to the differential backup. NOTE: There is no security risk for the data records in the Transcend delta log file as
78. he merchant's point of sale unit. Each point of sale device has a separate terminal ID for credit card processors to be able to route data back to that particular unit. 8. A sale draft or slip is printed out by the point of sale unit or cash register. The merchant asks the buyer to sign the sale draft, which obligates them to reimburse the card issuing bank for the amount of the sale. 9. At a later time, probably that night when the store is closing up, the merchant reviews all the authorizations stored in the point of sale unit against the signed sales drafts. When all the credit card authorizations have been verified to match the actual sales drafts, the merchant will capture, or transmit, the data on each authorized credit card transaction to the acquiring bank for deposit. This is in lieu of depositing the actual signed paper drafts with the bank. 10. The acquiring bank performs what is called an interchange for each sales draft with the appropriate card issuing bank. The bank transfers the amount of the sales minus an interchange fee to the acquiring bank. 11. The acquiring bank then deposits the amount of the sales drafts submitted by the merchant, less a discount fee, into the merchant's bank account. The overview presented above is far from complete. It does not cover the role of the financial networks nor of the bankcard associations. Also geared towards and MasterCard transactions. There is no card
79. he compliance of any of the 14 PABP requirements, Visa will require the software vendor to submit a description of each change in addition to a Confirmation of Letter Accuracy indicating so. Major changes and product version upgrade: Changes made to a previously validated payment application version which impact any of the 14 PABP requirements will require a completely new and separate PABP validation performed by a QPASP. All PABP validation requirements apply. Definitions: The following definitions pertain to the Validation Procedures and Reporting. Best Practices: Recommended practices for software vendors to create secure payment applications to help their customers comply with Testing Procedures: A process to be followed by an independent security audit to address individual Best Practices and testing considerations. Comment: Please provide a brief description of Best Practices found to be Comment. If a Best Practice is Not Applicable to the software, please explain why and define where the control should be implemented (e.g. this server-based control is the customer's responsibility). Not Comment: Please provide a brief description of Best Practices that are not Comment. Target Date/Comments: For those Best Practices Not Comment, include a target date that the application vendor expects to have Comment. Any additional notes or comments may be included here as well. PABP Requirements
80. il surt and then it will start all 14 he other servers in the system. The Server also monitors the running state of all other system servers, and if any of them go down the Control Server will restart them in order to keep the system ready to process your transactions. To stop the Transcend servers, simply click the Stop Servers button on the bottom of the Control Tray Program. If the Control Tray Program is minimized it will still appear in the System Tray as a pair of leaf lovers so that the ied stus can still be viewed at a glance. The buttons to the far right of the indicator lights can be used to open a server view window. The server view window allows the user to watch messages that are produced by the various servers as the system is running. Sever Views can be pema eloa bor inthe upper sight comer o teir capion ar When the servers are running, the Control Tray should appear like the image the 192 Here you can see that all the green indicator lights are showing that the system servers are up and running. Finally, the Control Tray can be used to Pause and Resume the system as it is running. If the Transcend servers are paused, what this means is that
81. ined as: Merchant Level Description. Any merchant, regardless of channel, processing over 6000000 Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Leve Any merchant processing 150107 1 6 900007 Visa e-commerce transactions per year. Ay merchant pa 250603150087 Visa e-commerce transactions per year. merchant peaa Fever 20007 Visa e-commerce transactions per year, and all other merchants processing up to 6000000 Visa transactions per year. CISP Compliance Validation Basics: In addition to adhering to the twelve security requirements and sub-requirements, compliance validation is required for Level 1, Level 2 and Level 3 merchants and strongly recommended for Level merchants. Lee Validation Action Sie Securty dependen Seay Assessor or Audit Internal Audit if signed by Officer of the company; Quarterly Network Scan, Qualified Independent Scan Vendor; Annual Self Assessment, Merchant. 2 and 3: Questionnaire; Quarterly Network Scan, Qualified Independent Scan Vendor; Annual Self Assessment, Merchant; Questionnaire
82. ired to use a modem to perform this action, the following usage policies for critical employee-facing technologies such as modems should be established. To define proper use of these technologies for all employees and contractors, ensure these usage policies require: Explicit management approval. Authentication for use of the technology. A list of all such devices and personnel with access. Labeling of devices with owner, contact information and purpose. Acceptable uses of the technology. Acceptable network locations for these technologies. A list of company-approved products. Automatic disconnect of modem sessions after a specific period of inactivity. Activation of modems for vendors only when needed by vendors, with immediate deactivation after Alternatively, if software updates are received via VPN or other high-speed connection, customers are advised to properly configure a personal firewall product to secure always-on connections. This same policy of installing personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network should be followed. Secure Remote Access To The Networks: If employees, administrators or vendors can access the application remotely, access should be authenticated using a 2-factor authentication mechanism. Use technologies such as Remote Au
83. is necessary to ensure non-duplicates, the number of hours should be adjusted accordingly. Setting the Duplicate Transaction Parameters: Click Enable Duplication Check. Click to adjust the Keep Alive hours. Click to adjust Fields to be included in duplicate checking. Click Save to save the changes. NOTE: The Authorization Server must be restarted for the changes to take effect. Configure Secure Sockets: The Secure Sockets configuration is intended for merchants who have already configured their merchant account with a processor for internet processing. Transcend uses standard SSL encryption to protect the data prior to sending the information to the merchant's processor. This screen allows a merchant to set up the connection parameters so that Transcend can connect to the internet via the merchant's internal network. An Always On or Broadband connection is highly recommended and can produce transaction response times on the order of 2 5 seconds. o o 99 oe Drop Dowen rset Cla Cogan Nam ume tie SSL configuration appropriately crecer primary URL as seid by e processor Click seconda URL pid by processer Ener he URL lpn information provided by the proces NOTE Noa is wey si oc shad ee dci vas ere acted dung by he INTRO Suppor Su 3 per evita ee a Proy Ser
84. issuing bank with American Express and Discover. These shortcomings aside, the sequence of events outlined above provides a good overview of the credit card payment process. It will also give you something to look back at as this document discusses methods for performing online credit card transactions. The Non Card Present Transaction Process: Non card present transactions require two steps: authorization and, after the product has been shipped, also called funds capture. The merchant is legally bound to wait until the product ships before settlement can take place. The credit card process consists of five different parties: Card Holder, or customer, who makes a purchase using a credit card. Issuing Bank extends credit and provides the Card Holder with a credit card. Merchant. Merchant Bank issues a merchant account to the Merchant. Credit Card Processor manager ough financial pd some cases the Merchant Bank and Credit Card Processor are combined and referred to as the Acquiring Bank. The Merchant Bank, however, can assign another institution (Credit Card Processor) to act on its behalf for handling transactions through the financial networks. Credit card data can be manually entered into an electronic cash register software program or swiped via a magnetic stripe reader. The magnetic stripe on a credit card normally has several tracks of data that are parsed to get the card number cardhol
85. l be affected by any subsequent data loss that may occur. 2. While the Transcend Development team took database safety and restoration into account during their design and implementation, it is true that the system runs at the customer's site, and because of this THE CUSTOMER BECOMES THEIR OWN FIRST LINE OF DEFENSE so far as monitoring the actual state of the database. As database backup processes are run, they can produce output reflecting the success of the database backup operations. It is up to the customer to review these logs on a daily basis to verify that there are no errors reported during these operations. ANY REPORTED ERROR in these log files should be treated as a potential threat to your company's data and should be understood and corrected as soon as possible. It is also important to note that any errors that are reported during backup and restoration activities are errors reported by the SQL Server engine. While Technology Inc can attempt to help with the identification of any problems reported by the DBMS, it is important to understand that Technology Inc cannot directly address or repair any of these issues. It is also important to understand that any maintenance agreement your company may have with Technology DOES NOT INCLUDE THE REPAIR of database files caused by any faults encountered within the database engine. Because of this limitation the customer is expected to have any appropriate
86. lable Hard Disk space for log growth, database and virtual memory use. Available Serial Port for optional pin pads or receipt printer. SQL Servers: Users should adhere to optimum SQL Server configurations, which may be higher. Windows 2003, XP, 2000. Current Updates. MS SQL, either Full or Express. Anti-Virus applications should be cleared with INTRIX Support prior to use in conjunction with Transcend. History of Payment Processing: Welcome to the world of payment processing. Whether you are an old hand at payment processing or new to the industry, this section will give you some relevant background as it relates to the payments industry. The Architecture & Brief History of the Credit Card Industry: The credit card industry was born in the 1960s. Credit card banks, i.e. banks that exist primarily to issue credit cards, and non-bank issuers were an innovation of the 80s. The current architecture of the credit card industry evolved when the Bank of America renamed its BankAmericard as Visa and invented the payment network. A simplified model of this architecture is shown in Figure 1 below. The payment network is the glue that binds the system together. The major ems in this arena are Visa, MasterCard, American Express and Discover. American Express and Discover are also issuers. The payment network maintains a merchant base whic
87. laws and treaties. The SOFTWARE PRODUCT is licensed through INTRIX, not sold. The SOFTWARE PRODUCT consists of product documentation, sample applications, books, miscellaneous technical information, operating systems, applications and other miscellaneous tools (individually identified as COMPONENT and collectively as COMPONENTS). The COMPONENTS contained in the SOFTWARE PRODUCT are determined by the product(s) you have elected to receive. The rights regarding the COMPONENTS of the SOFTWARE PRODUCT are described below unless otherwise indicated. 1. APPLICABILITY OF LICENSE: This agreement is applicable to licensees of the SOFTWARE PRODUCT through INTRIX. Depending on the product(s) you have elected to receive, the SOFTWARE PRODUCT may include any one or more of the following components: Samples, Programs, Documentation and Tools. 2. GRANT OF LICENSE: To the extent that you have elected to receive a SOFTWARE PRODUCT from INTRIX, INTRIX grants to you as an individual a personal nonexclusive license to make and use copies of the SOFTWARE PRODUCT in the manner provided below. If you are an entity, INTRIX grants to you the right to designate one individual within your organization to have the right to use the SOFTWARE PRODUCT in the manner provided below. INTRIX grants to you as an individual a personal nonexclusive license to make and use copies of the software portion of the SOFTWARE PRODUCT for the sole purposes of using the products only for th
88. lications to address vulnerabilities. Facilitate secure network implementation. Cardholder data must never be stored on a server connected to the Internet. 10. Facilitate secure remote software updates. 11. Facilitate secure remote access to the application. 12. Encrypt sensitive traffic over public networks. 13. Encrypt all non-console administrative access. Client Implementation Documentation: In accordance with Visa regulations, software vendors are expected to provide product documentation to instruct their customers on secure product implementation. This documentation should clearly delineate vendor and customer responsibilities for meeting CISP requirements and should detail the responsibilities of the customer to enable security settings within their own network, such as password security, which may not be controlled by the application but are required for CISP compliance. The following instructions are designed to assist the users in areas not completely controlled by the payment application but necessary to implement the product in a CISP compliant manner. Complex Passwords: How to create CISP Compliant Complex Passwords. When it comes to passwords, you usually hear what you should NOT do: give your password to others, choose short passwords, use lowercase letters only, use obvious passwords that are easy to guess, reuse the same passwords, write passwords down. Here are some sensible rules to follo
89. lied to the update server were accepted, then you may be shown an information screen like the one shown directly above. However, it is worth noting that this screen may vary for each update placed on the update servers. So in some cases the appearance of this screen will be very different than the example shown above. In other cases the screen may not be shown at all. Note: In all cases the update should not be run remotely. If the server update job requires a database change, then you will be shown a message box alerting you to the fact that the database will be modified. If you click the button on this message box, the update will quit and the program will exit. If you click Yes to this message box, it will be dismissed and you will see the screen which is shown immediately below. The screen shown immediately above will only be seen on server updates. This is because client updates are never expected to update the system database. You will also see that all the edits are pre-filled with working default values. However, if you have created a customized installation at your location, then you may have to change some of these values. It is important that these values be correct, because if they are not, the database updates may not work properly, leaving the system in an inconsistent state. Prior to running a database update, a complete user table snapshot of all Transcend tables will be stored in the sy
90. m Use and regularly update anti-virus software. Develop and maintain secure systems and applications. Implement Strong Access Control Measures: Restrict access to data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Regularly Monitor and Test Networks: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain an Information Security Policy: Maintain a policy that addresses information security. Payment Application Best Practice: The following has been taken directly from the Visa CISP web site. Visa has developed Payment Application Practices to address security and the risks associated when full magnetic data or values stored after authorization by payment applications. The best practices assist software vendors in creating secure payment applications that ensure merchant compliance. Best Practices Goal: The goal of the Payment Application Best Practices is to help software vendors create secure payment applications. To be considered secure, these applications must not retain full magnetic stripe data or CVV2 and must support a merchant's ability to comply with requirements. Acquirers are responsible for ensuring that their merchants and service providers confirm the security of their payment applications using Payment Application Best P
91. mple card holder name and address. Optional Information Panel: this section is where you would enter additional information about the transaction being processed, for example more detail about the transaction or the person/register processing the transaction. Extra Information Panel: allows you to attach a memo to the transaction. This is essential if there are special instructions related to the transaction. Status Panel: located on the far right, this section will show you the status of the transaction after it is submitted. Printing a receipt is also available in this section. Retail Transaction Entry: With the Retail panel, data fields are optional. Even though they are optional, it is beneficial to enter values in the CVV and Postal Code fields for non-swiped transactions. Direct Marketing Transaction Entry: With the Direct Marketing Transaction Entry, all data fields are optional. Although these fields are optional, it is advantageous to enter CVV and Postal Code fields for non-swiped transactions. E-Commerce Transaction Entry: Unlike the Retail and Direct Marketing Transactions, E-Commerce Transaction Entries require many data fields. Like the others, the CVV field is optional; keep in mind it is valuable to enter the values in the Transaction Entry. Processing a new transaction and taking a closer look at the transaction window and its various sections. Step 1: Select a me
92. ness may have been specified by your processor and should be entered here in military time format. Under special circumstances for Paymentech Tampa customers, you may need to turn on batch randomization. This in effect randomizes your batch sizes to bypass Paymentech's duplicate batch checking methodologies. EXTREME CAUTION should be used when selecting this option. Duplicate batches can result, causing your customers to become very upset. If you are unsure what this option does, please contact INTRIX support 800 546 879. Click Save or Cancel to either commit changes or to begin the configuration again. Merchant and Privilege Group Information: How do I obtain a Merchant ID and other Merchant Information? Contact your merchant's bank to obtain valid information when you are ready to go live and process credit card transactions using Transcend. What you do with the information depends on the device you will use to communicate with the bank. Configure Merchants: The Merchant Configuration Wizard will guide you through the merchant configuration procedure. The Wizard has been designed to only show you the configuration screens necessary for the payment processor you have chosen for your business. Also note that your processor communications (SSL Sockets or Modem) should have already been configured prior to starting to configure your merchant's settings. NOTE: Please be sure to have your Merchant Configuration Sheet
93. ng The Errors and Warnings log contains only those logged messages that are either warnings or errors reported by the system. Normally the error and warning log should contain no messages whatsoever. If any messages are found in this file, then this indicates a potential system issue that should be investigated. The log server manages these files automatically, thereby making the system more self-managing, which reduces the burden on the user of the system with regards to the management of these files and the disk space they consume. The first way these files are managed is that the Log Server employs midnight processing, which means that each day yesterday's log files are automatically compressed and added to a zip file. Therefore the zipped log contains a single day's data files for longer-term storage. Secondly, the zipped logs that are older than 60 days (this is the default value; the actual number of days is a configurable parameter) are automatically erased from the system. If you have elected to utilize the optional Alerts Services of TranScend, then the log server will also provide an additional service, which is to generate an email alert whenever a message is written to the errors and warnings log. This purchase option benefits the user in that the system will let the user know when an error or warning has occurred. Without this feature the user will have to examine the error and warning log to determine if any system
94. no new transaction processing can be accepted by the system. However, work on any pre-existing transactions that are currently being performed when the system is put into this status will be allowed to complete. The purpose of pausing the system is to allow for an orderly shutdown of the Transcend system for periodic maintenance or system updates, in order to minimize the possibility that any transactions in flight will be lost when the system needs to be stopped. The best way to stop the system is to pause it, then stop all connected clients; then, when the Batch Server and the Gateway Server report they are idle, it is safe to stop the system completely. Once the system is Paused, the Gateway may not go to a complete idle state until all clients are stopped. Also, the ASCII Gateway is a specialized form of system iat that can be stopped in an orderly manner as follows: 1. Click the Servers button to stop the Control Server. Once it is stopped, the Red Indicator in the top row will light up. 2. Click the StopiSa Ascii Gateway button to stop the ASCII Gateway. Shortly after this server stops, the Gateway will become idle unless there are more clients running somewhere in the network. TranScend Client Overview: Transcend Client runs in unison with the Transcend Servers thus the Transcen
95. ology Inc 800 546 8749 during or after purchase. Transaction Processing: Card preset ratacon on cad present tansacion proces and transaction proces summary. The Card Present Transaction Process: Steps involved in a card present transaction: 1. Merchant calculates the amount of purchase and asks buyer for payment. 2. Buyer presents merchant with a credit card. 3. Merchant runs credit card through the point of sale. The amount of the sale is either hand-entered or transmitted by the cash register. 4. Merchant transmits the credit card data and sales amount with a request for authorization of the sale to their acquiring bank. Point of sale units are usually set to request authorization at the time of sale and cally capture the sales draft at a later time. 5. The acquiring bank that processes the transaction routes the authorization request to the card issuing bank. The credit card number identifies type of card, issuing bank and the cardholder's account. 6. If the cardholder has enough credit in their account to cover the sale, the issuing bank authorizes the transaction and generates an authorization code. This code is sent back to the acquiring bank. The issuing bank puts a hold on the cardholder's account for the amount of the sale. Note that the account has not been actually charged yet. 7. The acquiring bank processing the transaction then sends the approval or denial code to t
96. on By Transaction Type Report: The Transaction By Transaction Type Report will display based on what is specified in the set up; the report will show subtotals for each merchant. Transaction Subtotal By Status Report: The Transaction Subtotal By Status Report will display the status of transactions in your database between the date ranges specified within the Reports screen in Transcend. Sample Report Display: The image shown immediately below shows what the report display window looks like when a report has completed execution with the given parameters. System Console: The System Console offers the most comprehensive view into the operations of TranScend. The System Console can connect to the Log Server as an observer of the stream, which means that each message received in the log will be echoed to the System Console. This allows the System Console to have a real-time view into the operation of the system as it is running. As each command message is processed, the Gateway Server will generate a command processing timing record for that transaction. The timing record shows the total processing time for that request and as complete a breakdown as possible of the message processing time for each system component that was involved in processing that command. Finally, the System Console interacts with the Consol Server to get a view of the time status, thus providing the System administrator with a way to observe the state o
97. on to the email address provided. The email will contain a link with download and installation information. Once downloaded and installed, you now have all the necessary components to install and operate the Transcend software in Emulation Mode. TranScend Registration: A significant time and focus has been paced on the raae eine aaa ability to move Transcend from an Emulation test mode configuration into bera ful production sytem aaa ran end to end processor test configuration INTRIX Support wil provide a Key hts locked to a specifie piece of hardware For aoo expting keys f otter ent Payment mst be received prior to go live date pa always we offer a Try before You Buy options In arder Eemer PI to register perform the following tps 26 Stop 1 CC EE AU Progam mem defer im tami 00 Step2 TM m buon pem FE airman som amd payment a Reston key wi Step3 WR prm remesas ug cec Sass mene em 3 2 Cek on citer Copy From phous or Loud From Pie Depending upon how te INTIK Spon 9 ep Wi Key ee dat hit wil og you on 1o the TranScend system sobe aa Sree loon comet product key wil be loaded imo te yours op and using Tey progr
98. operator e provide commission for operators. Below is a sample report to show an example of the information. Batch Detail Reports: The Batch Detail Reports allow you to view details of batches between the date ranges specified. This may be used to keep track of the amount of transactions completed during settlement. You can view total payments received as well as credits given. Below is a sample report to show an example of the information you will see. Deposit Record Report: The Deposit Record Report allows you to print a report based on total amount by merchant, transaction and date. This report will also show you a breakdown of dollars settled by card type and transaction. Deposit Summary Report: The Deposit Summary Report will display a report based on merchant selection and date preferences. Duplicate Orders Report: Occasionally duplicate orders may be entered. The Duplicate Orders Report allows you to view the duplicate order numbers between the date range specified within the Reports screen in Transcend. The Duplicate Order Report will select transactions where the Order Number is the same. Duplicate Transaction Report: Occasionally duplicate transactions may be entered. The Duplicate Transaction Report allows you to view the duplicate transactions between dates specified within the Reports screen. The Duplicate Transactions Report will select transactions where the credit card number, amount and transaction are the same. Transacti
99. or tfi filtering devices, Network Address Translators (NAT), Port Address Translators (PAT), anti-virus software and encryption. Establishment of PCI DSS compliant operating systems and applications necessary to run the software. The laboratory implementation must include all systems where the application is implemented. For example, a standard implementation of a software vendor's payment application might include a client-server environment within a retail storefront and back office or corporate network. The laboratory must simulate the total implementation. It is required that the laboratory is capable of simulating and validating all functions of the software, to include generation of all error conditions and log entries. NOTE: Alternatively, the software vendor may elect to have the validation performed at the QPASP's laboratory, provided that the above requirements are met. Instructions and Content for Report on Validation: This document is to be used by QPASPs as the template for creating the Report on Validation and must be submitted to Visa securely. Software vendors and product versions which have validated full compliance with PABP will be included on the list of validated payment applications published at www visa No software vendor and product version will be included until all PABP controls are validated to be Comment. All QPASPs must follow the instructions for report content and format when completing a Report on
100. ossible within the system. Because of these processing optimizations, Transcend can process transactions at very high rates. In our least powerful configuration, testing has shown transaction processing speeds as fast as 150 milliseconds per Security of payment processing speed Information Security Program Security methodologies are quickly becoming compromised the ability to purchase database tools that allow informed users to decrypt database information. Think of it as a safe full of cash, and safecrackers have learned how to open the safe. Transcend encrypts the data prior to entering the data into the database, so if it was compromised, all that could be seen is a vast number of incoherent characters. Imagine a safe full of treasure maps written in a foreign language that would be nearly impossible to translate. Following some of the specific approaches adopted in the implementation of Transcend that address the need of secure data handling. Data Security: Data Security is becoming ever more important in all areas of commerce. Data Security is being demanded by the card associations, various governmental agencies, business desire to mitigate undue risks, and by consumers as well. This being the case, TranScend was designed from the ground up with a strict approach to data security. Session Level Security: All data communications between software components of Transcend data is secure. Prior to transmission of any data
101. p 1 Click he Reload Merchants button to display Merchants 5 Selecta Merchant from the Merchant drop it Step 2 Select the Privilege Group you wish to set from the Select Group to Edit View Check the boxes from thelist that you want members of that group to have Click Apply to save your settings you made for the Privilege Group s Edit Merchant This screen wil allow you to existing merchant on the system and make any necessary updates or Corrections already existing merchant configurations general the edit merchant function uses the same wizard screens that were used to create a merchant with the main difference being that wherever possibile the entries the screens are with the settings that are already Comment for the merchant whose settings ane being changed Therefore to a merchant all that needs to be done is to double click tbe list showing al the merchants slready configured in the system Once this action is performed selected merchant s settings wil be used To pref the settings in each of the wizard screens Therefore to edit the settings for a merchant simply complete each of these screens exactly as you would if you were using the merchant creation wizard only you have the opportunity to change any setting on cach of the screens in onder to make the necessary changes 5 5 Confi
102. produc The merchant electronically submits a request the Credit Card Processor to find out if the customer has enough credit The Credit Card Processor in tum contacts the ang Bank and passes on the cand number expiration date and purchase amount The Credit Cand Processor gets back an Approval Code and informs the merchant This Whole process only tes a few seconds penan pi pom P EE Eur Ea etchant pel Auten Although Authorization slone does ot cause exchange of funds it does reduce the cardholders Open to Buy amount the credit available from the suing Bank This works to the advantage of the current merchant since later purchases with other merchants cannot use the allocated authorization amount I the Authorization of a transaction never goes to settlement the amount held against the cardholder s account will normally expire in 7 10 days NOTE For authorizations that expire when an item is on back arder a new Authorization can be submited Reversal or void ransacon can be made against an Authorization but not al Issuing Banks support Whether or not the issuing bank honors the Reversal transcend will remove the Authorization transaction from the Setlement batch A sted transaction cannot be reversed but see Credit transactions below NOTE Transcend wansmits data on Reversals for Visa transactions Visa honors Reversals
103. r safeguard payment through preventing casual browses of data by any person that does not have express permission to do so. Allowed IP Addresses List: To prevent unknown systems from attempting to connect to and/or attack the system, the system not on the allowed address list will not be allowed to connect to the system. Strict Message Validation with fail-fast session tear down on message validation failures: All messages received by any process component of the Transcend system will be validated using several checks. If any of these data checks fails, the process detecting the error will immediately and silently tear down the communications session. This approach of silent death of the connection is the approach recommended to thwart denial of service attacks as well as other common attempted system exploits. The approach also is designed to catch any data errors that may occur during message transmission and will prevent sending garbage if garbage comes in. Fault Tolerance: To address customers' very valid expectations along with the stark realities of flaws in large software systems, Transcend is designed to be a fault tolerant and self-healing system. In fact, several of the techniques adopted in the Transcend design were only previously available on much larger computing the soci mini computer and mainframe platforms systems. The fault tolerant aspect of the Transcend System is designed to provide our customers with 9
104. ractices Visa Recommendations: Visa has been actively working to educate software vendors and to provide best practices for secure payment applications, where sensitive track data and CVV2 values are never stored subsequent to authorization. Visa strongly recommends that software vendors validate their payment applications against recommendations outlined in Visa's Payment Application Best Practice. Visa makes no endorsement of applications or products and disclaims all warranties. Members remain responsible for performing their own evaluation and due diligence to ensure CISP compliance of their merchants and service providers. Acquirers share the Payment Application Best Practices with both card present and online merchants and encourage them to use it to evaluate their current payment applications as well as any pending payment application implementation. Acquirers and merchants can also encourage software vendors to participate in Visa's validation effort. Acquirers refer to Visa's List of Validated Payment Applications and encourage their merchants to use CISP validated payment applications. Validation Procedures and Documentation: Software vendors seeking to validate their payment applications must engage a Visa qualified independent security assessor to perform an onsite review and submit the required documentation to Visa. Compliance validation takes place at software vendor's expense as follows: The Annual On Site Security Audit must be completed a
105. rchant from the Select Merchant drop down menu 2 Select a payment type from the Payment drop down menu the type of transaction fom the Transaction Type drop down estacion Deal B The example above show a card approval fom the payment processor in the stus panel area You are also given the option to Print Receipt by clicking on the selecting the bunion anytime thar the transaction dara is displayed in the results summary panel A sample ceptis shown to the left Note that if your organization requires customized receipts you may want o discuss these options with your sales prescnatwe 1 you need to resubmit another transaction fom the sume card holder clicking on the Same Card button wil retain the holder s information from the previous transaction Only anew amount is required be charged and then click on Send Transaction Ride SameCand a mistake is made at any point or you want to sat the transaction over click on the Clear Sereen boton to reset the sereen Browsing Tools The Browse Tab will enable you to view the Transactions and Batches that are in your Transcend database You wil have the option to Browse Transactions or Browse Batches and sort by Merchant and then selecting the option under Find M ES i i
106. rmation on the of his Screen Lock Login: The Transcend Client features an additional safety measure known as a Screen Lock Timeout. When a client program is logged in and has been idle for a given period of time, the client will lock itself. The lock time is user definable from 1 to 60 minutes, with default of 15 minutes. The user can also immediately lock their client screen by clicking on the command File > Lock Screen. The client lock out screen is shown below. Note that if there are too many failed logon attempts from the screen lock, the workstation will be viewed as ot and the workstation address will be added to the locked out list. For assistance with clearing locked out stations and users, see Appendix G for usage of the LIN vii user can change the Screen Lock timeout at any time. In order to accomplish this, the user would click the menu command File > Set Screen Lock Time. The dialog shown below will then be shown to the user, which offers a wide range of possible timeout values to select from. Technology Inc LL Commands and Help Menu Commands Menu Change Password: A logged on user can change their password at any time. In order to accomplish this, the user would invoke the command found in Commands > Change Password in order to display the dialog shown immediately below. In order to change the password th
107. ro concer fo the Another major concern for business owners of any product that becomes a core component of the business. The last thing that any business owner wants is to disrupt their business in order to replace a key component that can no longer keep up with the new demands of the business. Recognizing the concern, the Transcend system is designed to scale in processing power in many ways. Therefore scalability became a key consideration in the architecture and implementation of the system. There are many approaches to product scalability utilized in Transcend, which are listed below. Multiple Outbound Communications Channels: The connection to the card processor is by far the slowest of the system processing performed by Transcend. In fact, internal testing shows that if a typical transaction is processed in 200 milliseconds, better than that time is spent exchanging data with the card processing company. To account for this factor, all processes that connect to the card processors employ a connection pooling strategy where multiple connections to the processors are made, if the card processor allows this. Each of these communications can execute in parallel for separate client requests, which serves to boost the throughput of the system overall. Optional Configurations: The Transcend system allows for multiple instances of some processes. For example, if your installation has a large number of sim
108. rograms for Customer Resellers and Integrators 139 m um pm um um 142 um Appendix G Lin exe Usage 140 Introduction to the Liz exe Utility m Appendix H Optional Utilitity to Set Customized Database System Password End Effect of Using This Utility m Preface Information i this document is subject to change without nae No porn of dis document may be reproduced or rented orm ce by any means without te exprese winen pessoa o INTRIX Technology c Copyright 2007 INTRI Technology ighas reserved AILINTRIX products trademarks or registered denar of INTRIX Technology Other poduceand names adem of her peine owners 10 Introduction Congratulations your purchase of Transcend Transcend is the newest most powerful and most flexible electronics payment system from INTRIX Technology Ine Transcend incorporates many features that redesigned provide constant and reliable payment processing services for your business Transcend consists of a set of dedicated system services and a of client tools to enable quick deployment of the software system using any number of different deployment models as well as to provide casy to understand configuration and monitoring utilities that you can tune the system to meet your own Specific requirements Intel or AMD Processor 10 Gs Or Greater 1GBRAM Or Greater 10 Or Greater GB of avai
109. st practices dictates that both the payment application and database should not be stored on the same server or in the DMZ with the web SSL & Secure Data Transmission Over The Internet: Information transmitted to the processors is required to be sent using SSL. In addition, it is required that data passed to Transcend or transmitted using the Internet as of the network must be sent using SSL. Transcend encrypts all data as it is transmitted throughout the application itself, but any cardholder information that travels across any network prior to entering the Client or one of the Transcend API mechanisms should also be transmitted using SSL. Any sensitive data pulled from the application should never be sent via unencrypted e-mail. Public encryption tools such as are recommended for use when transmitting this sensitive data. A copy of the application can be downloaded at ve n m Appendix F PABP Compliance Recommendations and Requirements: Portions of the text below in this section were copied from the Version L4 January 007 version of the VISA Cardholder Information Security Program (CISP) Payment Application Best Practices (PABP) document that can be downloaded from a visa com dowmload merchantski ioes doe The information is included here primarily to point out how TranScend complies with the requirements as stated in that document, as well as to illustrate the rigorous scrutiny that
110. st way to understand the payments industry s to determine whether or not the card is present when the transaction is completed Typically we view the amount of risk associated with eard present transaction to much less than one that is present Over the past few years growth has occurred in cach of these segments and with the advent of smart cards wireless networks self serve kiosks security Standards icr payments ete 12 likely that the payment industry will continue to grow significantly i the next several years p Essentials of TranScend Transcenct was developed with the maximum focus placed on the three S s security and simplicity Speed Security amp Simplicity The overall goul was to create a payment processing application able to support organizations regardless of their sizo technical expertise complicated configurations or existing reliance on legacy application Speed Most application vendor s measure speed in terms of the total number of transactions processed over a given period tme Transcend can produce very admirable numbers using this formula When configured Properly and connected to a certified processor using an always high speed connection the merchant Can experience multiple transactions per second The Tanscena system utilizes several techniques to boost the data throughput of the system Key among these approaches is the inclusion of asynchronous processing wherever p
111. stem database After the update is completed another table snapshot will be performed This is done in the event that th bles may bavo o be seed aes part o manualy ug fled abus is the ast message you will be shown prior to the installation job being applied to your system Since the system files may be replaced by the update the programs must be stopped However te only safe way fo stop tbe system is for the user to do o This being true the user is asked to confirm bat the system is stopped priar to starting the update The update program will wait here indefinitely while the system is Stopped T you click No this message box hen te update process will stop and no further actions will performed IF you click Yes to this the update will immediately begin and you will activity in he progress bar shown in the above image behind the message box Once the progress ar reaches 100 the the progress bar will begin to countdown while the update is removed from the system and the system is Once the update job is completed you may choose to review the messages shown in the message list The messages are also preserved in a log that was created while the update job was being executed HE you check for any newer updates with the update program and no new updates have been loaded onto the Update Servers at Iri then you will see the message box shown immediately above and when that m
112. t support and development INTRI wil ot utilize such technical information in a form that personally identifies you TERMINATION Without prejudice to any other rights INTRIX may terminate this agreement if fail to comply with the terms and conditions af this agreement In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component part 42 RESTRICTED USE OF SOFTWARE PRODUCT With respect tothe SOFTWARE PRODUCT COMPONENTS of the SOFTWARE PRODUCT cach copy of such COMPONENT may be used no more than two 2 processors of each computer on which such copy is installed You may the SOFTWARE PRODUCT as interactive Workstation software on cach computer on which the SOFTWARE PRODUCT is installed a Workstation Computer but not as server s software However you may permit a maximum of computers as referenced in the license key purchased to Connect to the Workstation Computer to access and services of the SOFTWARE PRODUCT The connection maximum includes any indirect connections made though software or hardware that pools or connections NO COMMERCIAL USE You may not the Software as part of or as the basis for a commercial public access data network that consists af two more servers and that carries end to end electronic information rfc such as messaging data replication fx EDI ar telex unless you obtain a separate use license from INTRIX
113. thentication User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) with tokens, VPN with individual certificates. Additionally, if INTRIX personnel are allowed to remotely access a customer's site for application support, the vendor should establish processes implemented to: Restrict access to passwords to authorized vendor personnel. Protect customers' password from unauthorized use. Establish customer passwords according to best practice. Previous Section summary: customers who allow remote access to their networks should implement restrictive policies and use stringent security measures that govern remote access. Level 1 & 2 merchants should use a combination of unique username and complex password in addition to an additional item of authentication (Token etc). Level 3 merchants should use a combination of unique username and strong password in addition to highest security settings for remote access control software such as PCAnywhere, GoToMyPC etc. Secure Data: Do Not Store Cardholder Data On Internet Accessible Systems. Proper precautionary methods should be followed in securing access to the Transcend database and application. We recommend restricted physical and remote access to the server where the Transcend and/or database reside. Only the most trusted personnel should be given access to this database of the Cardholder data is encrypted inside of the Transcend database however be
114. there was no proof of the actual credit card being present forthe transaction and no signature by the purchaser For dis reason it has been historically difficult for catalog and direct mail businesses to establish merchant account with a bak Goodbye Terminal H didn t take long for mail order establishments to discover that having each phone operator use a terminal to punch in a transaction the magnet stripe reader was obviously useless was not very efficient They were 1 also probably re entering that sume information into an order processing application of some kind a desktop PC or mainframe terminal What made more sense was to have the operator type tbe credit cand information into the computer application and somewhere in a back room he transactions were all gathered into one point where they were transmitted to the processing company for approval using a computer to do he job rather than a terminal Simply write some software that makes the computer talk the same language that the termina did Internet Commerce Today seling products and services over the Internet is commonplace Is really no different than a mail establishment except that the customers enter their own onder and payment information at their leisure The web server application presents buyer with an array of choices The buyer selects the desired producs or services and types in a credit card number Now In Simple Terms The easie
115. thin only in Emulation Mode Amount Response Code Response Text ata 3 oor Card declined B som por card decline B 30m 5 3 09 7 T 3 00 lr Hai Cul T som far T Hai Cul T 3 0m EA Veriicaion Er E Ady Revered SRE E sanr aT aT Card Number Ear E sos e BV teasers Cai tack nor aval E 3 07 ER Veriton Enor Check Digi E E som fe Venesia CD Format son s maid duc E som E 3 92 e Gener ear E 3 99 Epica E 3 03 7 Dessin nor oan E ss fi nai vanacton E INoacou E 05 u Vas to Rack our transaction E Unable no mah sos m Taint da E su s No eee asa E 3 05 Ts Nos ier E Te anier E su Sei violon E Transaction no pem Cand E 3 08 s Transaction ao permis Temi E 3 0 je Sytem E 3 04 mai Merchant E 3 03 NT CVVI Valor sapped avait E 3 09 r Vicltion amor come E Emulation Mode Auto Responses for Debit Cards These responses originate from within only in Emulation Mode Amount Response Code Response Text Suus som or ET
116. ultaneous users, then you can purchase additional processing power in the form of allowing multiple system gateway servers to run simultaneously. With this configuration you could set up your system so that users are load balanced across multiple gateway servers. This configuration will allow the system to provide improved response times to user requests by distributing the load related to the number of connected users across multiple system connection points. Another example of an optional configuration that can boost system throughput is to allow for multiple authorization and Batch servers to run simultaneously. Since we already recognize that the connection to the processor is the primary contributor to transaction processing times, load sharing simultaneous requests to the card processor across multiple authorization servers will increase the throughput of processing transactions in larger installations. Fully Distributed Computing Model is Supported: The Transcend system is designed to allow fully distributed installation. If your system has exceptional volumes and/or throughput requirements, you can also opt to purchase a system license that will allow you to distribute the Transcend processes across multiple servers to gain additional processing power from the system. This configuration is made possible by the self-discovery mechanisms built into the Transcend systems that allow the components of the TranScend system to autom
117. ut not limited to any images Photographs animations video audio music text and apples incorporated into the SOFTWARE PRODUCT the accompanying printed materials and any copies of the SOFTWARE PRODUCT are owned by INTRIX its supplies The SOFTWARE PRODUCT is protected by copyright avs and international treaty provisions Therefore you must the SOFTWARE PRODUCT any otber copyrighted material except that you may either 1 make af the SOFTWARE PRODUCT solely for backup or archival purposes or b instal the SOFTWARE PRODUCT on a single computer provided You keep the orginal solely for backup or archival purposes You may not copy the printed materials ccompanying SOFTWARE RODUCT 10 UPDATE LICENSE TERMS Additional icense terms may accompany UPDATES as defined in the first paragraph of this agreement By installing copying or otherwise using any UPDATE agree to be bound by the terms accompanying cach such UPDATE Ir you do not agree to the additional cease terms accompanying such UPDATES do not install copy or otherwise such UPDATES 11 SUBSCRIPTION UPDATES You may use or transfer the UPDATES only in conjunction with your then existing SOFTWARE PRODUCT The SOFTWARE PRODUCT and all UPDATES ar licensed as a single product and the UPDATES may not be separated from the SOFTWARE PRODUCT for use by more than one user at any 12 EXPORT RESTRICTIONS You agree thut neither you nor
118. ver foe eh ccs your rem astro cine persoanei othe appropriate norman cone ny einge NOTE Reval catia ny Sore Gier sas ee change a Configure Sockets Frame Relay or Leased Line Connections The Sockets configuration is intended for merchants wbo have already made with the processor to provision a dedicated Leased Line to the processor Advantages of the dedicated connection include 24 7 monitoring by be processor ly seamless failover as many routers havo either analog or ISDN modems connected and a blazing fast transaction response time of 1 3 seconds Tn most cases the processors alert customers of Leased Line Communicarion related issues before the customers are even aware they are experiencing issues The configuration can easy be completed ance the processors provided all af the necessary connection information NOTE the computer itself wil require information to be added to the IP Route Table in order for the IP addresses entered into this sereen to be reached The Leasod Line installer will cover al of this during testing and the processors network support staff can sist with changes made to the Leased Line connection parameters Click Drop Down to select Processor Click Configuration Name field to name the Socket configuration appropriately Example Processor Nanc IP or Lease Line Click to enter primary Authorization IP address and Port as specified by the processor
119. w for developing and remembering complex passwords ule 1 Passwords shouid bo aaa b characters long and contain a ot upper and character ips speciai characters When a password is created it is encrypted using a hash function and stored in this form Later a user is granted access if the hash of the supplied password agrees with the stored vale Hash functions are Constructed in such way that hey cannot be reversed Instead the attacker must use the brute force approach and try every single combination 1 Ther are approximately 324 different passwords consisting of 6 lowercase letters cracker using prac can test them all in less than 5 minutes 2 There are approximately 6090 different passwords consisting of 8 printable ASCH characters would take decades to them all even with today s computers Following Rule 1 should therefore foil brute force attacks assuming the password system is implemented consc Pale 2 vod passa hat can be guessed Sone fous passwords ae Jon Jo account rer to accounts were pasword ithe samme as the user ae President wed el know ame ot dog Buddy when signing commerce P These just god a leaving the key under the at avai tis were advised in the 90 s sly Nations tasto to dot passworda e pasword rad backward bain pres Using de ons a
120. y capud from the delta record ar automatically captured from the Transcend journal files. Automated Data Base Consistency Checks and Archival Processes: Transcend includes an entire set of data management and database health checks as part of its core processing system. These processes are designed to monitor and protect the data once it has been stored in the database management system. In addition, these processes help to maintain a healthy database by executing processes to detect and correct any non-fatal flaws detected in the database itself. Data Mirrors: An optional TranScend module can provide complete database redundancy to the system With the processes in the Transcend System are stateless servers. Distributed Computing Fault Tolerance: The processing model of the Transcend system can allow (note this feature is a purchase option) for a fully distributed deployment of the Transcend process components. The fault tolerance capabilities of the Transcend control server include the ability to keep a fully distributed system up and running in a seamless manner, such that the distributed system can be made to behave as a single virtual server. This technology is unique in the industry, so that TranScend users that elect to utilize this feature are using the most advanced software system available for processing their electronic payment transactions. If you think this deployment model best suits your ne
121. y unauthorized attempts to connect to the system. Attempts that are not granted access in the allowed address list will not be allowed to connect to the system. Logging will record each attempt in order for the threat to be dealt with. 1 Click Host Name or Address to enter the allowed DNS name or IP Address. 2 Provide a Description for each new entry. 3 Press Save to add new address. Entries can be removed by highlighting the entry and performing a Right Mouse Click and selecting delete. Settlement: The Settlement Configuration allows user to set up Auto Settle parameters for Transcend. Click Settle Delays when your processor has indicated to do so. This is the minimum allowable interval specified by processors from when a transaction can be authorized and then settlement can be performed. Click Cutoff Time to specify the time which begins the new transaction period for the day. For example, if all business up to 3:00 PM is considered today's business, this entry should be 15:00. If all transactions received prior to midnight are considered a day's transactions, leave this entry at 23:59. Click Batch Retries only if instructed to do so by INTRIX Technology Inc personnel. Otherwise this entry may result in multiple settlement scenarios and upset your customer base. Click Auto Settle Time to adjust the time Transcend will automatically begin the settlement phase of transaction processing. The optimal time for your busi
122. your customers intend will directly or indirectly export or transmit the SOFTWARE PRODUCT or related documentation and technical data or any part thereof your software application product as described above or amy part thereof process ar service that is the diet product of the SOFTWARE PRODUCT to country to which such export or transmission s restricted by any applicable U S regulation or statute without the prior written consent if required of the Burea of Export Administration of the U S Deparment af Commerce or such other governmental entity as may have jurisdiction over such export or transmission 13 US GOVERNMENT RESTRICTED RIGHTS The SOFTWARE PRODUCT and documentation are provided with RESTRICTED RIGHTS Use duplication or disclosure by the Goverment is subject to restrictions as set forth in subparagraph CY of The Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 or subparagraphs KEND and 2 of the Commercial Computer Software Resticted Rights at 48 CFR 52227 19 as applicable Manufacturer is INTRIX Technology Inc at 2260 Douglas Blvd Suite 240 Roseville CA 95661 916 577 1315 DISCLAIMER OF WARRANTY NO WARRANTIES The software product is provided as is without warranty of any kind To the maximum extent permitted by applicable law INTIRX Technology and its suppliers disclaim all warranties either express or implied including but not limited to
123. ys Deen for requests and sp fo response files. Two additional options are to have Transcend delete the clear text transaction request upon file load completion (Recommended for PCI/CISP Best Practices). Users may also override Transcend Duplication Checking (See Section 3.5.3). While this is NOT recommended, there may be strong business cases that necessitate this feature being disabled. Click Input File Directory to change for appropriate file drop zone. Default is C Program les Trancend. Click Parse User Field Data if you data fields on SuperCharge 4.6 for processor specific data elements. Contact INTRIX Support if you have specific questions. The default will cause no harm. Click ASC Gateway Socket Interface Options to specify Legacy Messages (SuperCharge 4.6 Format) or Enhanced Messages options (New Transcend Format) and then specify an Input Port. Default is 2000. Click Data File Extensions, either 4.6 format or TranScend, to specify appropriate file extensions. Default SuperCharge 4.6 is rs for request and for response. Transcend defaults are xp for request and response for response file. Allowed Addresses: To prevent unknown systems/users from connecting to and/or attacking the system, system administrators can elect to provide a specific list of addresses that are allowed to connect to the Transcend system. For systems configured to this feature an