Toast PCI Instruction Guide


Summary of Contents for Toast PCI

  • Page 1 Toast PCI Instruction Guide...
  • Page 2 Table of Contents: Purpose 3; What is PCI DSS & PA-DSS; Merchant Reporting Requirements; Toast POS Solution 8; Merchant General Responsibilities; PCI DSS Controls Matrix 19; Appendix A: Sample Inventory. PCI Instruction Guide © Toast 2018 Page 2 of 44...
  • Page 3 by PCI SSC and the Card Brands. We recommend that you use a PCI qualified Assessor to be sure ...
  • Page 4 The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is a standard developed by the card brands and the PCI SSC. ...
  • Page 5 14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators. Toast has pursued PA-DSS validation for our POS application when hosted on a Toast-issued Elo ...
  • Page 6 Note: Please review processing statements for the previous fiscal year to estimate your transaction volume per Card Brand. ...
  • Page 7 The SAQ type you are eligible to complete is based on how you accept payment cards. Merchants who deploy and use Toast POS as recommended are eligible for one of two types of ...
  • Page 8 SAQ-D for Merchants Eligibility: SAQ-D is the 'catch-all' questionnaire appropriate for merchants that do not meet the eligibility requirements for the other SAQs. Please refer to the PCI SSC website for information on the other SAQs: https://www.pcisecuritystandards.org/ ...
  • Page 9 and Ubiquiti Access points which will be used to set up an isolated network for the Toast POS ...
  • Page 10 If you have a wireless network or guest Wi-Fi deployed on the same network as your Toast POS, a firewall is required between the wireless network and the cardholder data environment. ...
  • Page 11 requirements in order to maintain PCI DSS compliance: ● Unique user IDs and passwords must be used for each user account. Group, shared, or ...
  • Page 12 If you, as the merchant, decide to retain cardholder data outside of the application, you must ensure that you meet PCI DSS requirements for the secure storage of this data and adhere to the cryptographic key management guidelines identified in the latest PCI DSS standard, where ...
  • Page 13 Required Services, Protocol, and Dependent Software: Toast POS does not require any additional software beyond what was delivered to you as part of ...
  • Page 14 scratched out. ● Provide basic inspection training to all employees using Toast POS so that they may ...
  • Page 15 ● The device inventory must be updated to indicate that the device was removed. ● The device must be securely stored until it is returned to Toast or securely disposed of. Device Physical Security: To ensure tampered devices are not introduced into your POS environment, PCI DSS requires ...
  • Page 16 If the shipment arrived from an unauthorized source or you suspect the packaging or device has been tampered with, DO NOT deploy the device. Please contact Toast immediately to report your suspicions. We will provide you an address for the return of the POI device so we may conduct a ...
  • Page 17 ○ Connection of unrecognized device ○ Failure of encryption mechanism ○ Failure of any device security control. Disposal: Toast will securely dispose of Toast-issued devices upon request. If you have a device for disposal, ...
  • Page 18 may compromise Toast's own PCI DSS validation and, in turn, your PCI DSS compliance. If you, as a customer, decide to collect sensitive authentication data as part of your own ...
  • Page 19 PCI DSS v3.2.1 requirements that most commonly apply to our customer base, how the use of ...
  • Page 20 1.2.1 Restrict inbound and outbound traffic for the cardholder data environment to that which is necessary (i.e. valid business purpose) and deny all other traffic. Toast Notes: When deployed per the Deployment Checklist, the Toast POS solution is set up in an isolated network with firewall(s) in ...
  • Page 21 Internet and any system component in the cardholder data environment. 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible ... Toast Notes: The Toast POS is deployed within a network segment internal to your ...
  • Page 22 (Columns: Toast Notes; What you will need to do) security parameters. 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default ... Toast Notes: Toast will change any default password or accounts prior to or during the ... What you will need to do: If you elect to self-deploy ...
  • Page 23 Appendix A2 must be completed. 2.4 Maintain an inventory of system components that are in scope for PCI DSS. What you will need to do: You are responsible for maintaining an inventory of system components that are in scope for PCI DSS. ...
  • Page 24 (Columns: Toast Notes; What you will need to do) data. 3.1 Keep cardholder data storage to a minimum by implementing data retention ... Toast Notes: Toast POS does not retain cardholder data in electronic form. What you will need to do: This requirement only applies if cardholder data ...
  • Page 25 transactions) after authorization. Toast Notes: The solution cannot be configured to store this data. 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. Toast Notes: Toast POS solution securely deletes PIN or Encrypted PIN block upon ...
  • Page 26 • General Packet Radio Service (GPRS) • Satellite communications. 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the ... Toast Notes: Toast POS encrypts data at the POI or upon manual entry into the solution. All ... What you will need to do: If you elect to self-deploy ...
  • Page 27 Perform periodic scans ● requirements. Generate audit logs which are retained ● per PCI DSS Requirement 10.7. 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or ... What you will need to do: If you elect to deploy anti-virus software on your ...
  • Page 28 ● user, administrator, etc.) for accessing resources. users. Note: Toast POS limits user access to a truncated PAN. 7.1.2 Restrict access to privileged user IDs to ... Toast Notes: Users with Administrator access can ... What you will need to do: It is your responsibility to ...
  • Page 29 8.1.1 Assign all users a unique ID before allowing them to access system components ... Toast Notes: During install, Toast will invite you via the email on record to create a unique ... What you will need to do: You are responsible for the ...
  • Page 30 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. Toast Notes: The Toast POS solution is set up by default to lock out user accounts after 6 failed attempts. 8.1.7 Set the lockout duration to a minimum ...
  • Page 31 • Instructions to change passwords if there is any suspicion the password could be compromised. 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods ... Toast Notes: Toast POS supports unique accounts for each user. What you will need to do: You are responsible for ...
  • Page 32 9.1.2 Implement physical and/or logical controls to restrict access to publicly ... Toast Notes: Toast will restrict access to unused network ports on networking equipment ... What you will need to do: It is your responsibility to ...
  • Page 33 9.8 Destroy media when it is no longer needed for business or legal reasons as follows: ...
  • Page 34 ● Device serial number or other method of unique identification. 9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of ... Toast Notes: Toast ships all hardware in tamper-proof packaging. Delivery is handled by a ... What you will need to do: You are responsible for ...
  • Page 35 (Columns: Toast Notes; What you will need to do) data. 10.1 Implement audit trails to link all access to system components to each individual user. Toast Notes: The Toast POS solution is set up by default to implement PCI DSS compliant logging. 10.2 Implement automated audit trails for all ...
  • Page 36 10.3.5 Origination of event. Toast Notes: The Toast POS solution is set up by default to implement PCI DSS compliant logging. 10.3.6 Identity or name of affected data, system component, or resource. Toast Notes: The Toast POS solution is set up by default to implement PCI DSS compliant logging. ...
  • Page 37 Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent ...
  • Page 38 Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan ... What you will need to do: refer to the PCI SSC website for a list of approved scanning vendors. ...
  • Page 39 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized ... Toast Notes: Toast has implemented security controls designed to monitor for changes per PCI DSS and PA-DSS requirements and alert ... What you will need to do: You are responsible for security of networking ...
  • Page 40 technologies for vendors and business partners only when needed by vendors and ... Toast Notes: require remote access for troubleshooting, you will be provided with ... What you will need to do: You are responsible for maintaining appropriate policies and processes. ...
  • Page 41 12.8 Maintain and implement policies and procedures to manage service providers, with whom cardholder data is shared, or that could affect the security of cardholder data, as follows ...
  • Page 42 12.8.5 Maintain information about which PCI DSS requirements are managed by each ... Toast Notes: This table provides a list of PCI DSS requirements that the Toast POS solution impacts. What you will need to do: You are responsible for maintaining appropriate ...
  • Page 43 (Column: What you will need to do) TLS. A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) ... Toast Notes: Toast POS does not use SSL or early TLS. Solution utilizes TLS 1.2 for all communication over the internet.
  • Page 44 Sample inventory entries: Inventory updated on: 02/01/2018, Updated by: Jane Doe; Inventory updated on: 08/2018, Updated by: Jane Doe. Annual Inspection Performed on: 6/01/2017, Performed by: John Smith, No issues; Annual Inspection Performed on: 06/01/2018, Performed by: John Smith, No issues. ...