
BWAC

Payment Application Data Security Standards (PA-DSS v3.2)

Implementation Guide

Version 3.0 (rev 001)


CR2 Limited

Block 9D, Beckett Way,


Park West Business Park,
Nangor Road,
Dublin 12,
Ireland.

Tel: +353 1 433 9100


Fax: +353 1 433 9101
Preface
PA-DSS - Overview
Overview of BWAC Payment Application
Information on Change Control Procedures
Revision History
Executive Summary
Intended Audience
PA-DSS Compliant Product Versions
Supported Platforms
Reference Documents
Disclaimer
PA-DSS - List
Glossary

Chapter 1 PA-DSS Requirement 1
PA-DSS Requirement 1: Do not retain full magnetic stripe, card verification code
1.1.4 - Delete sensitive authentication data stored by previous payment application
1.1.5 - Delete any sensitive authentication data (pre-authorisation data)

Chapter 2 PA-DSS Requirement 2
PA-DSS Requirement 2: Protect Stored Cardholder data
Requirement 2.1: Securely delete cardholder data after expiration
Requirement 2.2: Mask PAN when displayed so only personnel
Requirement 2.3: Render PAN unreadable anywhere it is stored
Essential Windows OS Security Settings
Requirement 2.4: Protect any keys used to secure cardholder data
Requirement 2.5: Implement key-management processes and procedures
2.5.1 – 2.5.7 Implement secure key-management function
2.5.2a Review the PA-DSS Implementation Guide and verify it includes
2.5.4a Review the PA-DSS Implementation Guide and verify it includes
2.6.b Examine final application product to verify the vendor provides a tool
Requirement 2.6: Provide a mechanism to render irretrievable

Chapter 3 PA-DSS Requirements 3/4
PA-DSS Requirement 3: Provide Secure Authentication Features
Requirement 3.1: Use unique user IDs and secure authentication for admin
3.1.1 The payment application does not use (or require the use of) default
Requirements 3.1.2 to 3.1.11
PA-DSS Requirement 3.2: Software vendor must provide guidance
BWAC Tools - Summary
BWAgent - Overview
Certificate Requirement Summary
PA-DSS Requirement 4: Log payment application activity
Requirement 4.1: At the completion of the installation process
Requirement 4.4: Facilitate Centralised Logging

Chapter 4 PA-DSS Requirement 5
PA-DSS Requirement 5: Develop Secure Payment Applications
Requirement 5.4.4: Implement and Communicate Application Versioning Methodology
BWAC Application - Versioning Summary and Examples
Definition of Major Releases
Definition of Feature Releases
Definition of Service Pack/Maintenance/Hotfix Releases
Information on Release Build Number xx /HFX Build Number xx
CR2 Policy on Wildcard Versioning

Chapter 5 PA-DSS Requirements 6 - 12
PA-DSS Requirement 6: Protect Wireless Transmissions
Requirement 6.1: Securely Implement Wireless Technology
Requirement 6.2: Secure Transmissions of Cardholder Data Over Wireless Networks
Requirement 6.3: Provide instructions for Secure use of Wireless Technology
Requirement 7.2 Software vendors must establish a process for timely development
Requirement 8.2: Use only necessary and secure services, protocols, components
PA-DSS Requirement 9: Cardholder data must never be stored on a server
Requirement 9.1: Store cardholder data only on servers not connected to the Internet
PA-DSS Requirement 10: Facilitate Secure Remote Access
Requirement 10.1: Implement two-factor authentication for all remote access
10.2.1 Securely deliver remote payment application updates
10.2.3 Securely implement remote access software
PA-DSS Requirement 11: Encrypt Sensitive Traffic over Public Networks
Requirement 11.1: Secure transmissions of cardholder data over public networks
Requirement 11.2: Encrypt cardholder data sent over end-user messaging technologies
PA-DSS Requirement 12: Encrypt all Non-console Administrative Access
Requirement 12.1: Encrypt all non-console administrative access
Requirement 12.2: Instruct customers to encrypt all non-console administrative access

Appendix A General Information
BWAC Application - Port Assignments
Third Party Components
Third Party Dependencies
Third Party Dependencies - Website Information
Protocol Information - General
Protocol Information - Schannel Guidelines
Software - Service Providers
Software - XFS Middleware
Software - Windows Services
Services Triggered by BWAC Application
Dependent Hardware

Appendix B Checksum and Digital Certificate Checks
B.1 Introduction
B.2 General Notes on Software Distribution
B.3 Installation File Checking Procedures
B.3.1 Check File Checksum and Digital Certificate
(1) Check File Checksum OK
(2) Check ISO File’s Digital Certificate
(3) Install the CR2 Digital Certificate - Standalone ATM
Install Digital Certificate - Domain-Based ATMs

Appendix C Key Custodian Form
Key Custodian Form - Component 1
Key Custodian Form - Component 2

Preface

PA-DSS - Overview
The Payment Application Data Security Standards (PA-DSS) are derived from the
Payment Card Industries Security Standards (PCI-DSS) Requirements and Security
Assessment Procedures, and are a subset of those that relate particularly to payment
applications.
As the vendor of a payment application (BWAC), CR2 has submitted the BWAC application
for evaluation by UL, an independent provider of information security evaluations.
This document provides guidance on how to implement the BWAC application in a
PA-DSS compliant manner that will facilitate a customer’s overall compliance in accordance
with PCI-DSS.
This guide addresses all steps detailed in the PA-DSS Requirements and Security
Assessment Procedures as they apply to the BWAC application.

Overview of BWAC Payment Application


BWAC is a client application that provides ATM-based services/functions to a bank’s
customers.

Information on Change Control Procedures


CR2 ensure that this guide is reviewed/amended after the following events:

Event             Description

New Releases      PA-DSS Implementation Guide to be reviewed by CR2 after each
                  General Availability (GA) release of the BWAC application

Annual            PA-DSS Implementation Guide to be reviewed annually by CR2

PA-DSS Changes    PA-DSS Implementation Guide is updated after every change made
                  to the PA-DSS requirements


Revision History
Date        Version         Author        Comment

20/05/2015  DRAFT01/02/03                 Prepared IG for v3.1 requirements and started
                                          completion for BWAC application
27/11/2015  DRAFT04                       Revisions to IG made after weekly group meeting
05/01/2016  DRAFT05                       1st draft for auditors’ preliminary review
25/01/2016  DRAFT05                       2nd draft for auditors’ preliminary review
27/01/2016  DRAFT06                       Version 1.0 prepared for auditors’
                                          preliminary review
29/01/2016  Version 1.0                   Next draft after first auditor review
10/02/2016  Version 1.1                   New draft with minor changes
15/02/2016  Version 1.2     Robin Leitch  Draft 1.3 after review meeting ML/LC
16/02/2016  Version 1.3                   Changes as per LC email/other
18/02/2016  Version 1.4                   Changes after QSA visit Dublin
13/04/2016  Version 1.5                   Initial changes for BWAgent
23/05/2016  Version 1.6                   Additional changes for BWAgent
26/05/2016  Version 1.7                   1st draft for auditors’ preliminary review
08/06/2016  Version 1.8                   Additions after meetings/reviews
15/06/2016  Version 1.9                   Changes after latest QSA review
21/06/2016  Version 2.0                   Changes after latest QSA review
08/07/2016  Version 2.1                   Changes after latest QSA review for PADSS
12/07/2016  Version 2.2                   requirements v3.2
13/07/2016  Version 2.3                   Additional QSA change regarding customer updates
27/02/2017  Version 2.4                   Version 2.4 produced after CR2 release meeting
                                          for BWAC application release 5.2
23/08/2017  Version 2.5                   Added comment for BWAC 5.2.x.y version support
                                          to preface
                            Robin Leitch
12/09/2017  Version 2.6                   Updated the ‘Supported Platforms’ section of the
                                          preface
25/03/2018  Version 2.7                   Updated version number to 2.7 for BWAC 5.3
                                          release. No changes required for this release.
19/06/2018  Version 2.8                   Minor update on request of QSA
22/07/2019  Rev001 (draft)                Draft for GA release
06/08/2019  Rev001                        Official version for BWAC 5.4.x.y release

Executive Summary
This document serves as a guide to implementing the CR2 BWAC application in a
manner that facilitates and supports a customer’s PCI-DSS compliance.

Intended Audience
• CR2 bank customers
• All BWAC integrators/3rd party installers/resellers
• CR2 Professional Services

PA-DSS Compliant Product Versions


• BWAC version 5.1.x.y
• BWAC version 5.2.x.y
• BWAC version 5.3.x.y
• BWAC version 5.4.x.y



Supported Platforms
• Windows 7 Professional SP1
• Windows 10

Reference Documents
• PCI Security Standards Council (2015) Payment Application Data Security Standard
Requirements and Security Assessment Procedures (version 3.2)
• BWAC Installation Guide
• BWAC Operations Guide

Disclaimer
CR2 acknowledges that some proprietary programs, products or services may be
mentioned in this guide. These programs, products or services are distributed under
trademarks or registered trademarks of their vendors and/or distributors in their respective
countries.
This guide is the intellectual property of CR2. You may not:
- disclose the contents of this guide to a third party
- use this document as the basis for systems design
- copy this guide (in hard-copy (paper) or soft-copy (electronic) format) without written
permission from CR2

PA-DSS - List
Customers should implement their BWAC application in compliance with PA-DSS, as
directed in this implementation guide, to facilitate overall compliance with PCI-DSS.

Requirement    Description

1.1.4          Delete sensitive authentication data stored by previous payment
               application versions
1.1.5          Delete any sensitive authentication data (pre-authorisation) gathered as
               a result of troubleshooting the payment application
2.1            Securely delete cardholder data after customer-defined retention period
2.2            Mask PAN when displayed so only personnel with a business need can
               see the full PAN
2.3            Render PAN unreadable anywhere it is stored (including data on
               portable digital media, backup media, and in logs)
2.4            Protect keys used to secure cardholder data against disclosure and
               misuse
2.5            Implement key-management processes and procedures for
               cryptographic keys used for encryption of cardholder data
2.5.1 - 2.5.7  Implement secure key-management functions
2.6            Provide a mechanism to render irretrievable cryptographic key material
               or cryptograms stored by the payment application
3.1            Use unique user IDs and secure authentication for administrative access
               and access to cardholder data
3.2            Use unique user IDs and secure authentication for access to PCs, servers,
               and databases with payment applications
4.1            Implement automated audit trails
4.4            Facilitate centralised logging
5.4.4          Implement and communicate application versioning methodology
6.1            Securely implement wireless technology
6.2            Secure transmissions of cardholder data over wireless networks
6.3            Provide instructions for secure use of wireless technology
8.2            Use only necessary and secure services, protocols, components, and
               dependent software and hardware, including those provided by third
               parties
9.1            Store cardholder data only on servers not connected to the Internet
10.1           Implement two-factor authentication for all remote access to payment
               application that originates from outside the customer environment
10.2.1         Securely deliver remote payment application updates
10.2.3         Securely implement remote-access software
11.1           Secure transmissions of cardholder data over public networks



Glossary
Name                        Acronym   Description

BankWorld ATM Client        BWAC      Customer interfacing software running on ATMs
                                      controlled by each ATM Controller
Hardware Security Module    HSM       An HSM is a device that manages digital keys for
                                      strong authentication and provides cryptoprocessing
                                      without revealing decrypted data
Internet Protocol Security  IPsec     Protocol suite for securing Internet Protocol (IP)
                                      communications by authenticating/encrypting each IP
                                      packet of a communication session
Issuer Member Descriptor    IMD       6-digit ID number of the issuer organisation (also
                                      known as a Bank Identification Number (BIN))
Primary Account Number      PAN       16-digit account number for a bank debit/credit card
Remote Desktop Protocol     RDP       Protocol used for remote desktop feature provided
                                      with Windows
Secure Sockets Layer        SSL       Earlier iteration of cryptographic data transmission
                                      security across a data network
Secure Channel              Schannel  Schannel is a Security Support Provider (SSP)
                                      containing a set of security protocols used for
                                      identity authentication/secure (encrypted)
                                      communications
Transport Layer Security    TLS       Latest iteration of cryptographic data transmission
                                      security across a data network



Chapter 1 PA-DSS Requirement 1

PA-DSS Requirement 1: Do not retain full magnetic stripe, card verification
code or value (CAV2, CID, CVC2, CVV2), or PIN block data
1.1.4 - Delete sensitive authentication data stored by previous payment
application versions
Aligns with PCI-DSS Requirement 3.2
It is possible that versions of the BWAC application prior to version 5.1 may have stored
sensitive data in electronic journals/diagnostic log files. This is particularly likely if the
debug/logging level was set by a customer to level ‘9’.
In this scenario, customers must use a Secure Delete tool to remove any sensitive data.
Secure delete tools such as Eraser 6.0 are recommended for securely deleting sensitive
authentication data from an ATM's hard disk.
Before any BWAC upgrade is carried out, use the secure delete tool to securely delete the
contents as follows:
Parent Directory: c:\ProgramData\CR2\BWAC
Target Folder: Logs

1. Install a current/compatible version of Eraser 6.0 on the target ATM.
2. Run Eraser.
3. Create a delete schedule - click New Task.
4. Enter the details for the ‘Logs’ folder within the c:\ProgramData\CR2\BWAC directory:
- (1) target type - ‘Files in Folder’
- (2) browse to/select the ‘Logs’ folder
- (3) deselect the ‘Delete folder if empty’ setting
- (4) click OK
5. Set the task type to ‘Run manually’.
6. Click OK.
7. The task is now listed - right-click it and select Run Now.
- Eraser should perform the secure deletion as requested.


1.1.5 - Delete any sensitive authentication data (pre-authorisation data)
used for debugging or troubleshooting purposes
Aligns with PCI-DSS Requirement 3.2
Version 5.x.y.z of the BWAC application does not store any sensitive authentication data
on the ATM.
NOTE: PCI-DSS requirements do not allow storage of sensitive authentication data, such
as track data, card verification codes, PINs, or PIN blocks post-authorisation. Therefore,
customers must remove such data as described above to comply with PCI-DSS.
Customers must never send Sensitive Authentication Data and/or full Primary
Account Number (PAN) data to CR2 in any circumstances, as it is not required - even if it
has been requested. CR2 prohibits its personnel from requesting or collecting sensitive
authentication data and/or full PANs from customers.

Chapter 2 PA-DSS Requirement 2

PA-DSS Requirement 2: Protect Stored Cardholder Data


Requirement 2.1: Securely delete cardholder data after expiration of
customer-defined retention period
Aligns with PCI-DSS Requirement 3.1
The BWAC application version 5.x.y.z does not store any cardholder data on an ATM.
Requirement 2.2: Mask PAN when displayed so only personnel with a business
need can see the full PAN
Requirement 2.3: Render PAN unreadable anywhere it is stored
Masked PAN - Locations
By default, the BWAC application renders PANs unreadable by replacing all digits with
an asterisk '*' masking character (except first 6/last 4 digits). This feature is hard-coded
and is not configurable.
NOTE: Unreadable PANs cannot be returned to the original values.
The PAN is displayed in masked form in the following locations only:
- Electronic Journal (eJournal)
  (C:\ProgramData\CR2\Bwac\Database\BWC_EJournal.mdb)
- Customer Receipt
  (C:\ProgramData\CR2\Bwac\Temp\unicode.bmp)
- Diagnostic Log Files
  (C:\ProgramData\CR2\Bwac\Logs\bwac.<YYYY-MM-DD-HHMM-SS>.log)
- .mdb Files (C:\ProgramData\CR2\Bwac\Database)
  - BWC_EJournal.mdb

Card PAN masking is performed by the following:

Table 2-1 PAN Masking Details

File containing PANs    Masking Performed By

Log Files               BWAC application
Electronic Journal
Mdb Database files
Customer Receipts       Host processing system
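
The first 6/last 4 masking rule above, together with a read-only check for full PANs left in log text that can be run before the secure delete in 1.1.4, shown here as an added example that is not CR2 code. It goes beyond the 16-digit case by accepting 13 to 19 digits. The function names and sample lines are constructed for illustration, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example, not part of the BWAC product. Read-only: it reports, it never deletes.

function Test-Luhn {
    # Luhn check: filters out most digit runs that are not card numbers.
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function ConvertTo-MaskedPan {
    # The guide's rule: every digit becomes '*' except the first 6 and last 4.
    param([string]$Pan)
    if ($Pan -notmatch '^\d{13,19}$') { throw 'Expected 13 to 19 digits' }
    return $Pan.Substring(0, 6) + ('*' * ($Pan.Length - 10)) + $Pan.Substring($Pan.Length - 4)
}

function Find-UnmaskedPan {
    # Emits one finding per Luhn-valid run of 13 to 19 contiguous digits.
    # PANs written with spaces or dashes between digit groups are not covered.
    param([string[]]$Lines = @(), [string]$Source = 'input')
    $pattern = '(?<!\d)\d{13,19}(?!\d)'
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        foreach ($m in [regex]::Matches([string]$line, $pattern)) {
            if (Test-Luhn -Digits $m.Value) {
                # Only the masked form goes into the report, so the report holds no full PAN.
                New-Object PSObject -Property @{
                    Source = $Source
                    Line   = $lineNo
                    Masked = (ConvertTo-MaskedPan -Pan $m.Value)
                }
            }
        }
    }
}

function Find-UnmaskedPanInFolder {
    # Default is the diagnostic log folder named in this guide.
    param([string]$Folder = 'C:\ProgramData\CR2\Bwac\Logs')
    Get-ChildItem -Path $Folder -Filter '*.log' | ForEach-Object {
        Find-UnmaskedPan -Lines (Get-Content -Path $_.FullName) -Source $_.Name
    }
}

# Constructed sample lines, not real BWAC log output. 4111111111111111 is a
# widely published test number, not a live account.
$sample = @(
    '2019-08-06 10:15:02 TXN card=411111******1111 amount=50.00',
    '2019-08-06 10:15:03 DEBUG pan=4111111111111111',
    '2019-08-06 10:15:04 ref=1234567890123456 status=OK'
)
Find-UnmaskedPan -Lines $sample -Source 'sample' | Format-Table Source, Line, Masked -AutoSize
```

Only the second sample line is reported: the first is already masked, and the 16-digit reference on the third fails the Luhn check.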

Full PANs Displayed


With the BWAC application, certain transactions may occasionally display full PANs
on-screen to the cardholder for essential business reasons.
However, at no time are full PANs displayed to any customer personnel or service
providers.

Other Notes
Customer cardholders must never use card PANs as account names/nicknames.
NOTE: PCI-DSS requires a data retention policy to be in place. This policy requires a
retention period to be defined. Therefore, any cardholder data stored by the BWAC
application which exceeds this retention period/is no longer required for legal, regulatory, or
business purposes as defined in the policy, must be securely deleted using a secure delete
tool such as Eraser 6.0.

Pre-Authorisation Encryption
During operations, the BWAC application temporarily stores a copy of an authorisation
message in its Recovery Store after an authorisation message is sent to the sub-host and
until the response is received from the sub-host.
The BWAC application will delete the content of the recovery store once it receives the
authorisation response from the sub-host.
If no authorisation response is received: BWAC builds the reversal message based on
the data from the recovery store. The reversal message is then routed to the Store and
Forward (SAF), which is responsible for the guaranteed delivery of the reversal message
to the sub-host.
Before storing the recovery message in the recovery store, all data is encrypted using
Microsoft Data Protection API (DPAPI).
Recovery Store - Location
Windows Registry: ‘HKLM\Software\CR2\BWAC\TransactionManager\RecoveryStore’
SAF - Location: ‘C:\ProgramData\CR2\Bwac\Offline’

Post Authorisation
Note that encrypted pre-authorisation data is removed from the above locations
immediately after BWAC receives responses to the authorisation messages. Crypto-erasure is
used to securely delete this data.
Essential Windows OS Security Settings
Unintentional Cardholder Data Capture - Prevention
Customers should perform the following Windows OS tasks to prevent accidental capture
of cardholder data.
(A) Disable the Volume Shadow Copy Service
1. Log on to the ATM as an administrator.
2. Click Start.
3. Enter ‘services.msc’.
4. Press Return on the keyboard.
5. Locate the ‘Volume Shadow Copy’ service.
6. If it is running - click Stop to stop the service.
7. Right-click and select Properties.
8. Ensure ‘Startup type’ is set to ‘Manual’.

(B) Encrypting Pagefile.sys
Windows 7
1. Select Start - All Programs - Accessories.
2. Right-click on the Command Prompt and select ‘Run as administrator’.
3. Click Yes if a User Access Control prompt appears.
Windows 10
1. Enter the string ‘cmd’ in the Search box.
2. Right-click and select ‘Run as administrator’.
3. Type the following command: fsutil behavior set EncryptPagingFile 1
4. Press Return.
5. Reboot the ATM.
6. Check the page file is encrypted - type fsutil behavior query EncryptPagingFile -
Windows should return the value ‘1’.

(C) Clearing Pagefile.sys at Shutdown
All: Log on to the ATM as an administrator user.
Windows 7
1. Select Start - All Programs - Administrative Tools - Local Security Policy.
Windows 10
1. Select Start - Programs - Windows Administrative Tools - Local Security Policy.
All OS
2. Select Local Policies - Security Options - Shutdown: Clear virtual memory pagefile.
3. Change the value to ‘Enabled’.
4. Click Apply/OK.

(D) Disabling System Restore
All OS: Log on to the ATM as an administrator user.
Windows 7
1. Select Control Panel - System.
2. Click System Protection.
3. Select the main system disk (usually the ‘C’ drive).
4. Click Configure.
5. Select ‘Turn off system protection’.
6. Click Apply.
7. Click Yes when prompted.
8. Click OK.
9. Close the property sheet/Control Panel.
Windows 10
NOTE: System Protection is disabled by default on Windows 10.
As per Windows 7 using Control Panel (not Settings).

Requirement 2.4: Protect any keys used to secure cardholder data against
disclosure and misuse
Aligns with PCI-DSS Requirement 3.5
Requirement 2.5: Implement key-management processes and procedures for
cryptographic keys used for encryption of cardholder data
2.5.1 – 2.5.7 Implement secure key-management function
2.5.2a Review the PA-DSS Implementation Guide and verify it includes
instructions for customers and integrators/resellers on how to securely
distribute cryptographic keys.
The BWAC password is used to encrypt the master encryption key. Customers should
note that the BWAC password is automatically changed each time an ATM is rebooted.
The password is therefore hidden from customers at all times.
2.5.4a Review the PA-DSS Implementation Guide and verify it includes the
following instructions for customers and integrators/resellers...
Customers should define their own cryptoperiod, which equates to the lifetime for each
BWAC password.
Customers should reboot each ATM at the end of this cryptoperiod to force a change of
the BWAC password.
Customers should also perform a manual reboot of each ATM to change the password, if
the integrity of the key has been weakened or there has been known or suspected
compromise of the key.
2.6.b Examine final application product to verify the vendor provides a tool
and/or procedure with the application to render cryptographic material
irretrievable
If an ATM is decommissioned, the entire contents of all hard disks should be securely
destroyed. CR2 recommend that customers use a tool such as DBAN
(http://www.dban.org/).
Requirement 2.6: Provide a mechanism to render irretrievable any
cryptographic key material or cryptogram stored by the payment application
Aligns with PCI-DSS Requirement 3.6
BWAC is a client application that provides a cardholder with banking services at an ATM
only.
For working key entry, customers must ensure the BWAC application is installed on an
ATM with a PCI-approved PIN pad.
Customers must also ensure the adoption of industry-best key management practices,
such as those documented in NIST Special Publication 800-57.
NOTE: All other key management functions and key generation are handled by/are the
responsibility of the host processing system.
Customers can use the sample key custodian forms as supplied in Appendix C to store
the working key components.

Chapter 3 PA-DSS Reqs. 3/4

PA-DSS Requirement 3: Provide Secure Authentication Features


Requirement 3.1: Use unique user IDs and secure authentication for
administrative access and access to cardholder data
BWAC is a client application providing cardholder services at the ATM only. A key
feature of the BWAC application is the implementation of the BWAC Security Policy.
The main functions of the security policy are as follows:
(1) Create a single client user for auto-logon and running the BWAC application (known
as the “BWAClient” user).
(2) Configure the client user as a member of the Administrators group.
(3) Set appropriate permissions for the Administrators group that restrict Windows
environment access when client user is logged on - see next:
- Set random complex password for BWAClient User on installation
- Restrict access to Windows desktop for BWAClient User so that interaction is
restricted via keyboard and mouse
- Disable Windows key
- Disable shell access
- Remove task bar
- Remove start menu
- Disable mouse pointer
- Enable auto logon
- Lock down access to removable storage devices, including USB
- Disable Sticky Keys and toggle key accessibility features
- Set Windows event logs to fixed size
- Enable SMB signing requirement
- Disable Administrator shares

NOTE: BWAC applies the security policy during installation. Should the policy need to be
re-applied, e.g. if changes were made to an ATM, install the following package from the
<BWAC installation CD> - Software - Packages folder:
BWACSecurityPolicy - 5.4.x.y.dpk

3.1.1 The payment application does not use (or require the use of) default
administrative accounts for other necessary software
For installation, upgrading and servicing requirements, some areas of the BWAC application will require access by a Windows administrator user.
Customers must rename the default Windows administrator user account immediately
after installation of the BWAC application.
Windows 7
Select Control Panel - Administrative Tools:

Windows 10
Select Control Panel - All Control Panel Items - Administrative Tools:

1. All OS: Open Computer Management:

2. Rename the ‘Administrator’ account:

- Assign a strong 12-character password (including uppercase, lowercase, numerals and symbols), e.g. “2De5$3*fg8WS”

Requirements 3.1.2 to 3.1.11


The BWAC application is a client application that does not use/require/manage a user
account system. Therefore these requirements are not applicable.
Other Notes
Customers should also ensure the following are actioned on each BWAC ATM.
(i) Remote Desktop and Remote Assistance services are deactivated:
Windows 7 - ‘Control Panel - System - System Properties - Remote Settings’
Windows 10 - ‘Control Panel - All Control Panel Items - System Properties - Remote
Settings’

(ii) Network Sharing is turned off in all network profiles (‘Control Panel - All Control Panel Items - Network and Sharing Center - Advanced sharing settings’):

PA-DSS Requirement 3.2: Software vendor must provide guidance to customers that all access to PCs, servers, and databases with payment applications must require a unique user ID and secure authentication
BWAC Tools - Summary
CR2 provide four ATM-related tools for maintenance and inspection:
Table 3-1 BWAC Tool Summary

BWAC Tool           Description
Distributor5        Distributor5 is used to remotely distribute files to each ATM hosting BWAC, including hotfixes and branding components
ATM Support Tool5   ATM Support Tool5 is used to remotely manage and monitor each BWAC-enabled ATM, including viewing log files and other diagnostic functions
ATM Custodian5      ATM Custodian5 is used to remotely view an ATM’s status, which will include cash/consumable levels, any captured cards and overall service status
eJournal Viewer5    eJournal Viewer5 is used to remotely monitor an ATM’s electronic journal

All four tools use client/server architecture to establish and maintain data exchanges
between the host server/PC and each ATM.
Data exchange is controlled by the BWAC Agent (or BWAgent) application component.

BWAgent - Overview
The tools exchange data with the BWAC application using BWAgent as the secure communications method. BWAgent is part of the BWAC application on the server side:

BWAgent uses certificate validation as the secure ‘handshake’ mechanism between client (BWAC tool) and server (BWAC ATM) before data exchange can begin:

Certificate Requirement Summary


CR2 installs default certificates for initial functionality - one for BWAgent (BWAC), the
other for Distributor5.
Customers must replace these default certificates to comply with PA-DSS requirements.
Refer to the following notes for information (see next page).

Server Certificate for BWAgent (on the ATM)


The customer must create an X.509 server certificate signed by the bank's trusted certificate/recognised certification authority.
NOTE: This is a requirement for each ATM running the BWAC application.
Customers should install the certificate under the ‘Local Computer - Personal’ certificate
store with both a public key and a private key.
The certificate thumbprint is required during the installation of BWAgent. Customers
should also note that the full chain of the certificate must be installed on the ATM, with a
maximum permitted chain length of 4.
NOTE: Each ATM running the BWAC application requires a server certificate.
‘Super User’ Client Certificate: for Distributor5
The customer must create a Super User X.509 certificate signed by the bank's trusted
certificate/recognised certification authority.
Customers should install the certificate under the ‘Local Computer - Personal’ certificate
store with only a public key.
Note again that the thumbprint is required during the installation of BWAgent to validate
the certificate. Customers should also note that the full chain of the certificate must be
installed on the ATM, with a maximum permitted chain length of 4.

Distributor5 Client Certificate/s
The customer must also create a set of client certificates (one for each BWAC tool user)
which are signed by the super user certificate. These certificates will be installed in the
Distributor5 database.
Install new Super User Certificate
1. Administrator logs onto a host PC/server running the Distributor5 application.
2. Administrator selects the Distributor User Administration tool:

3. Administrator logs on to the Distributor User Administration tool as the default Super User* “admin” with the default admin password as supplied with Distributor5**.

*With Distributor5, the Super User is responsible for creating certificates and users.
**Customers should replace this password at the earliest opportunity.

4. Super User selects Menu - Issuer Certificate - Manage Issuer Certificate.


5. Super User clicks New Certificate:

6. Super User clicks Load and locates the new super user certificate.
7. Super User enters the original password for the imported certificate, followed by a new password after the import (minimum length of 12 alphanumeric characters):
8. Super User clicks Import to import the new certificate:

- The new certificate is listed as follows:

NOTE: Customers must ensure the default certificate named “CR2 BWAgent Super User”
is deleted before proceeding further.
Add a new BWAC Tool User
Customers can create a set of tool users, each with a unique user ID and client certificate.
1. Super User logs on to the Distributor User Administration tool as default super user
“admin”:

2. Super user clicks New User.


3. Super User enters a valid user name (alpha characters - minimum 5/maximum 12).
4. Super User clicks the Issue a certificate button:

5. Super User enters the password for the super user certificate.
6. Super User enters/confirms a new password for the client certificate (minimum length
of 12 alphanumeric characters).
- The new tool user will use this as their BWAC tool login password.
7. Super User assigns the ATM access privileges and clicks Issue:

8. User assigns the BWAC tool privileges and clicks Save:

- Distributor User Admin lists the users plus matching client certificates:

• Two-Factor Authentication is now in place for BWAC tool users wanting to remotely
log on to the BWAC application.
• BWAC tool users can now log on to a BWAC tool using their unique user ID and valid
password (from the user’s client certificate).
PA-DSS Requirement 4: Log payment application activity
Requirement 4.1: At the completion of the installation process, the “out of the
box” default installation of the payment application must log all user access
and be able to link all activities to individual users
Aligns with PCI-DSS Requirement 10.1
BWAC Client - User Audit Logging on Windows OS
The BWAC application is a client application that does not use/require/manage a user
account system.
BWAC does not provide any user activity logging capability. Any activity logging is provided by the underlying Windows operating system.
However, customers must ensure Windows event logging is configured to meet PCI-DSS requirements by recording the following:
- all actions by privileged users
- invalid logical access attempts
- use of identification and authentication mechanisms
- elevation of privileges
- changes, additions or deletions of any accounts with root or administrative privileges
- initialisation of audit logs
- stopping or pausing of audit logs
- creation and deletion of system level objects

Customers should refer to the following resource for guidance on PCI-DSS compliant
logging:
http://resources.infosecinstitute.com/windows-logging-for-pci-dss/
BWAC Client - BWAgent User Logging
All data exchanges to/from the BWAC tools and BWAgent are logged by default by the BWAC application on the host ATM.
NOTE: Customers must never disable logging on a host ATM - doing so will result in
non-compliance with PCI-DSS.
(C:\ProgramData\CR2\Bwac\Logs\bwac.<YYYY-MM-DD-HHMM-SS>.log)

The BWAC application log files list all BWAgent-related activity, with the following
information provided in order (left to right):
- time/date of event
- BWAC application component e.g. “BWAgent”
- name of remote tool user e.g. “martin”
- IP address of remote machine e.g. “10.1.0.140”
- (verbose) details of request from client

In this example, user “martin” is remotely installing a data package on the target ATM:

Requirement 4.4: Facilitate Centralised Logging


Customers should note that the BWAC application logs activity in a single file. This can be collected from the ATM using the Distributor Scheduler tool, which facilitates centralised logging.

Chapter 4 PA-DSS Requirement 5

PA-DSS Requirement 5: Develop Secure Payment Applications


Requirement 5.4.4: Implement and Communicate Application Versioning
methodology
BWAC Application - Versioning Summary and Examples
<Version Name> <A>.<B>.<C>.<D>
A: major release (1 - 9)
B: feature release (0 - 99)
C: maintenance/hotfix release number (0 - 999)
D: release build number (0 - 999) (internal use only)
NOTE: Release build numbers are for internal reference only
Examples
BWAC 5.0.0.27 - BWAC 5.0 GA: major release (build 27)
BWAC 5.0.1.5 - BWAC 5.0: hotfix release 1 (build 5)
BWAC 5.0.9.3 - BWAC 5.0: hotfix release 9 (build 3)
BWAC 5.1.0.12 - BWAC 5.1 GA: BWAC 5 feature release 1 (build 12)
BWAC 5.1.3.5 - BWAC 5.1: hotfix release 3 (build 5)
NOTE: Hotfix releases are always cumulative.
Definition of Major Releases
Major releases will contain the following:
Significant new capabilities (including binary-incompatible changes) - including:
- Major new features and functionality
- Additional operating system or database support
- Additional product modules, significant work flow or user interface improvements etc.
- Defect corrections
- Changes that impact security or PA-DSS requirements.
Definition of Feature Releases
Feature releases will contain the following:
New capabilities and enhancements (binary-compatible) - including:
- Additional operating system or database support
- Additional product modules
- Defect corrections
- Changes that impact security or PA-DSS requirements.

Definition of Service Pack/Maintenance/Hotfix Releases
Primarily to support payment brands compliance.
May contain customer modifications and product feature changes.
May contain defect corrections to existing features and functionality
Do not contain changes that impact security or PA-DSS reqs
Include a wildcard field for PA-DSS purposes
Information on Release Build Number xx /HFX Build Number xx
Will contain only defect corrections to existing features and functionality
Does not contain changes that impact security or PA-DSS reqs
Include a wildcard field for PA-DSS purposes
CR2 Policy on Wildcard Versioning
During PA-DSS version 3 validation, CR2 will adopt wildcard versioning for all major and feature releases.
Wildcards will be used for elements of the version number that represent non-security impacted changes.
CR2 will use the third and fourth digits as the wildcard number. This will represent the service pack, hotfix release or build number.
e.g. BWAC 5.1.xx.yy releases will be PA-DSS validated and will not need re-certification by the PCI Council.
NOTE: Software changes that impact either security or cardholder data will only be
released as part of a major or feature release.
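
The versioning scheme and wildcard policy above, expressed as a check that a release or deployment process could run before accepting a build. This is an added example, not CR2 code: the function names, the result codes, the accepted wildcard spellings and the downgrade rejection (motivated by hotfix releases being cumulative) are assumptions.

```python
import re
from typing import NamedTuple

# Field ranges from the guide's versioning summary (A.B.C.D).
FIELD_RANGES = (("major", 1, 9), ("feature", 0, 99),
                ("hotfix", 0, 999), ("build", 0, 999))


class BwacVersion(NamedTuple):
    major: int
    feature: int
    hotfix: int
    build: int


def parse_version(text):
    """Parse 'BWAC 5.1.3.5' or '5.1.3.5' and enforce the documented ranges."""
    m = re.fullmatch(r"(?:BWAC\s+)?(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an A.B.C.D version: {text!r}")
    values = [int(g) for g in m.groups()]
    for (name, low, high), value in zip(FIELD_RANGES, values):
        if not low <= value <= high:
            raise ValueError(f"{name}={value} outside {low}-{high} in {text!r}")
    return BwacVersion(*values)


def parse_listing(text):
    """Parse a validated wildcard listing such as 'BWAC 5.1.xx.yy'.

    Assumption: any run of letters or '*' counts as a wildcard field.
    """
    m = re.fullmatch(r"(?:BWAC\s+)?(\d+)\.(\d+)\.[A-Za-z*]+\.[A-Za-z*]+",
                     text.strip())
    if not m:
        raise ValueError(f"not an A.B.xx.yy listing: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_covered(version, listing):
    """True when the major and feature fields match the validated listing."""
    return (version.major, version.feature) == parse_listing(listing)


def change_level(old, new):
    """Name the most significant field that differs between two versions."""
    for name, a, b in zip(BwacVersion._fields, old, new):
        if a != b:
            return name
    return "none"


def review_upgrade(installed, candidate, listings):
    """Classify a proposed upgrade against the validated wildcard listings."""
    old, new = parse_version(installed), parse_version(candidate)
    if not any(is_covered(new, listing) for listing in listings):
        return "reject-unlisted"      # no validated A.B.xx.yy entry covers it
    if new < old:
        return "reject-downgrade"     # would drop cumulative hotfixes (assumed rule)
    level = change_level(old, new)
    if level in ("major", "feature"):
        return "review-security"      # only these releases may change security
    return "no-change" if level == "none" else "ok-wildcard"


if __name__ == "__main__":
    validated = ["BWAC 5.0.xx.yy", "BWAC 5.1.xx.yy"]
    for current, proposed in [("5.1.0.12", "5.1.3.5"), ("5.0.9.3", "5.1.0.12"),
                              ("5.1.3.5", "5.1.0.12"), ("5.1.3.5", "5.2.0.1")]:
        print(current, "->", proposed, ":",
              review_upgrade(current, proposed, validated))
```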

Chapter 5 PA-DSS Reqs. 6 - 12

PA-DSS Requirement 6: Protect Wireless Transmissions


The BWAC application uses TCP/IP for communications/data links with its host processing system. It is therefore possible for the customer to deploy wireless communications on any of these links, although this is not recommended by CR2.
In addition to securing TCP/IP communications with IPsec*, additional security associated with wireless transmissions should be configured appropriately.
If BWAC is to be deployed on a network that uses Wireless Access Point technology,
the ATM running the BWAC application must be strictly separated from any network
segments connected to wireless access points.
Requirement 6.1: Securely Implement Wireless Technology
Aligns with PCI-DSS Requirements 1.2.3 and 2.1.1
Customers employing the use of wireless devices on the BWAC application-enabled
ATMs must ensure the following:
- Encryption keys used to secure wireless communications must be changed from the default provided by the wireless vendor/whenever persons with knowledge of the keys have left the company or changed position.
- SNMP community strings on wireless devices must be changed from the default provided by the vendor.
- Passwords or passphrases used to gain access to a wireless device must be changed from the default provided by the vendor.
- Ensure firmware on wireless devices is regularly checked and updated to ensure support of the latest strong encryption for wireless communications.
- Ensure any other applicable security configuration is changed from the default provided by the vendor.
Customers should ensure that firewalls are implemented between wireless networks and
servers that may contain cardholder data and should ensure the following:
- Firewalls are correctly configured to restrict traffic from the wireless network into the
servers that may contain cardholder data (except where such traffic is necessary for
business purposes).
- Firewalls are correctly configured to manage traffic from the wireless network into the
servers that may contain cardholder data if there is a specific business need.

Requirement 6.2: Secure Transmissions Of Cardholder Data Over Wireless
Networks
Aligns with PCI-DSS Requirement 4.1.1
If customers are accessing an ATM running the BWAC application using an internal/in-house wireless access method, they must use WPA2 Enterprise with 802.1x authentication as the minimum standard.
If any wireless technology is used to transmit data from the BWAC application to the processing host, strong encryption must be used to secure the transmission channel. The encryption method used must follow industry best practices for the associated technology.
Careful consideration must be taken when choosing wireless technologies and associated devices which allow for the implementation of strong cryptographic algorithms and protocols.
Requirement 6.3: Provide instructions for customers about secure use of wireless technology
- Refer to Requirement 6.1 (above)
Requirement 7.2 Software vendors must establish a process for timely development and deployment of security patches and upgrades
Customers should refer to Appendix B Checksum and Digital Certificate Checks for details on secure procedures when installing BWAC application software.
Requirement 8.2: Use only necessary and secure services, protocols, components, and dependent software and hardware, including those provided by third parties.
See Appendix A for a full list of these items used by the BWAC application.
PA-DSS Requirement 9: Cardholder data must never be stored on a server connected to the Internet
Requirement 9.1: Store cardholder data only on servers not connected to the Internet
Aligns with PCI-DSS Requirement 1.3.7
The BWAC application does not store any cardholder data on any machine connected to the Internet.
PA-DSS Requirement 10: Facilitate Secure Remote Access
Requirement 10.1: Implement two-factor authentication for all remote access to payment application that originates from outside the customer environment.
Aligns with PCI-DSS Requirement 8.3
The BWAC application is supported/administered by four tools:
- Distributor5
- ATM Support Tool5
- ATM Custodian5
- eJournal Viewer5

Remote user access to the BWAC application/ATM is secured by two-factor authentication, using a unique client certificate and its private key password.
For more details on implementing this requirement, customers should consult Chapter 3 (PA-DSS Requirements 3/4), PA-DSS Requirement 3.2.
10.2.1 Securely deliver remote payment application updates
Aligns with PCI-DSS Requirement 1 and 12.3.9
The BWAC application does not include remote access as part of its standard update/upgrade solution.
10.2.3 Securely implement remote access software
Aligns with PCI-DSS Requirement 8.3
The BWAC application does not include remote access as part of its standard specification. However, for technical support, CR2 Customer Support can provide customers with a secure remote-support solution.
NOTE: This tool is used in exceptional circumstances only, and usually on test environments.
Notes on Using TeamViewer
1. Customer initiates telephone call to CR2 Customer Support.
2. Customer given unique remote access code by CR2 Customer Support over telephone.
3. Customer downloads TeamViewer executable onto PC.
4. Customer runs TeamViewer executable.
NOTE: Customers must operate TeamViewer using two-factor authentication to meet PCI-DSS requirements. For a description and full instructions, customers should refer to the following online resources.
Explanation of two-factor authentication for TeamViewer
https://www.teamviewer.com/en/help/398-what-is-two-factor-authentication-for-your-teamviewer-account
Activate/deactivate two-factor authentication for TeamViewer account
https://www.teamviewer.com/en/help/402-How-do-I-activate-deactivate-two-factor-authentication-for-my-TeamViewer-account.aspx
5. TeamViewer returns ID/temporary password:

6. Customer advises CR2 Customer Support person of ID/temporary password.
7. CR2 Customer Support person enters ID/temporary password.
- remote access session is established between customer and CR2 Customer Support.
NOTE: TeamViewer connections are secured using 2048-bit RSA key exchange and 256-bit AES session encoding.
PA-DSS Requirement 11: Encrypt Sensitive Traffic over Public Networks
Requirement 11.1: Secure transmissions of cardholder data over public networks
Aligns with PCI-DSS Requirement 4.1
Customers must ensure the BWAC application is only operated on a secured network. This can be achieved either using SSL on Sparrow-connected hosts (with support for TLS 1.1 or higher; BWAC 5.4 supports TLS 1.2), or by using IPsec security on BankWorld-connected hosts. IPsec must be configured so that it implements only industry-accepted strong cryptographic methods with sufficient key length.
CR2 recommend customers choose one of the following configurations:
Table 5-1 Secure Network Configurations

#   Key Exchange   Encryption    Message Integrity
1   ECDH P-384     AES-GCM 256   AES-GCM 256
2   ECDH P-256     AES-GCM 128   AES-GCM 128
3   DH Group 14    AES-GCM 128   AES-GCM 128

Requirement 11.2: Encrypt cardholder data sent over end-user messaging technologies
Aligns with PCI-DSS Requirement 4.2
The BWAC application does not require the use of/support end-user messaging technologies at any time.
PA-DSS Requirement 12: Encrypt all Non-console Administrative Access
Requirement 12.1: Encrypt all non-console administrative access with strong cryptography
Aligns with PCI-DSS Requirement 2.3
Requirement 12.2: Instruct customers to encrypt all non-console administrative access with strong cryptography
The BWAC application is supported/administered by the four BWAC tools:
- Distributor5
- ATM Support Tool5
- ATM Custodian5
- eJournal Viewer5

Data exchanges between these tools and an ATM are performed by secure client/server authentication, with TLS 1.1 and TLS 1.2 security in force.
For more details on implementing this requirement, customers should consult Chapter 3 (PA-DSS Requirements 3/4), PA-DSS Requirement 3.2.

Appendix A General Information

BWAC Application - Port Assignments


Table A-1 Port Assignments - Component Level

Component/Connection   Server Ports to Open   Default?   Configurable?
Comms                  8000                   Yes        Yes
BWAgent                8443                   Yes        Yes

Third Party Components


Table A-2 Third Party Components - List

Item                                         Version          Description
Microsoft Windows 10 OS                      Enterprise       Appropriate OS supplied by ATM Vendor
Microsoft Windows 7 OS                       Professional     Appropriate OS supplied by ATM Vendor
Microsoft Visual C++ Redistributable (x86)   8                Visual C++ runtime library for running BWAC
Microsoft Visual C++ Redistributable (x86)   14.0.23026       Visual C++ runtime library for running BWAC
Microsoft .Net Framework                     4.6              .Net environment for BWAC
Microsoft Internet Explorer                  11               Web page functionality for BWAC
Microsoft Windows Installer                  5.0.7601.18896   Up-to-date Windows installer for BWAC

Third Party Dependencies


Table A-3 Third Party Dependencies - List

Item                     Version   Description                              Launched/Instantiated By                                                  Compiled By CR2?
7za.exe                  6.2       File compression utility                 PrinterCalibrator.exe                                                     No
A2iACheckReaderLib.dll   1.0.0.0   Cheque-reading library                   ResourceManager.exe                                                       No
EmvX.dll                 3.1.2.1   EMV core functions library               EmvEngine.exe                                                             No
libeay32.dll             2.1.1.1   OpenSSL toolkit                          BWInstaller.exe                                                           No
ssleay32.dll             1.0.1i    OpenSSL toolkit                          BWInstaller.exe                                                           No
opencv_*.dll             2.42      Graphics utility library                 ServiceManager.exe                                                        No
PostSharp.dll            3.0.32    Aspect-oriented programming library      ResourceManager.exe                                                       No
PsInfo.exe               1.77      System information utility               run-bwac.bat                                                              No
zip.exe                  2.32      File compression utility                 BWAC3Installer.exe                                                        No
unzip.exe                5.52      File compression utility                 BWAC3Installer.exe                                                        No
jquery.js                3.4.1     JavaScript and CSS Animation utilities   Libraries used by HTML pages as displayed by the BWAC Projector module   No
animate.css              3.7.2     JavaScript and CSS Animation utilities   Libraries used by HTML pages as displayed by the BWAC Projector module   No
slick.js                 1.9.0     JavaScript and CSS Animation utilities   Libraries used by HTML pages as displayed by the BWAC Projector module   No

Third Party Dependencies - Website Information


Table A-4 Website Information

Item                                                        Website
7za.exe                                                     http://www.7-zip.org/
A2iACheckReaderLib.dll                                      http://www.a2ia.com/
EmvX.dll                                                    https://www.creditcall.com/
Gma.QrCodeNet.Encoding.Net35.dll, ThoughtWorks.QRCode.dll   https://qrcodenet.codeplex.com/
libeay32.dll, ssleay32.dll                                  http://indy.fulgan.com/SSL/
mscomm32.ocx                                                Microsoft (VB6 control)
opencv_*.dll                                                http://opencv.org/
PostSharp.dll                                               https://www.postsharp.net/
PsInfo.exe                                                  https://technet.microsoft.com/en-us/sysinternals/
zlib1.dll                                                   http://www.zlib.net/
zip.exe, unzip.exe                                          http://www.info-zip.org/
jquery.js                                                   https://jquery.com/
animate.css                                                 https://daneden.github.io/animate.css/
slick.js                                                    http://kenwheeler.github.io/slick/

Protocol Information - General


Table A-5 Protocol List

Name     Details
TCP/IP   The BWAC application uses TCP/IP for communications with remote clients (for remote support), Hardware Security Modules (HSMs) and controller sub-systems e.g. BankWorld ATM.
         Note: CR2 recommend customers implement IP Security (IPsec) for all TCP/IP-based links.
HTTPS    For certain services, the BWAC application uses HTTPS for online communications between an ATM and the controller sub-system e.g. BankWorld ATM.

Protocol Information - Schannel Guidelines


Table A-6 SChannel Guidelines

Name   Version     Notes
TLS    1.1*, 1.2   Ensure TLS 1.0 is disabled on all host ATM machines

*CR2 recommend the use of TLS 1.1 as a minimum when deploying Schannel security

SSL Cipher Information

TLS 1.2

            Protocol   Cipher Strength   Cipher Name                 Parameters
Preferred   TLS v1.2   128 bits          AES128-SHA256
Accepted    TLS v1.2   128 bits          AES128-SHA
            TLS v1.2   256 bits          AES256-SHA256
            TLS v1.2   256 bits          AES256-SHA
            TLS v1.2   128 bits          ECDHE-RSA-AES128-SHA256     Curve P-256 DHE 256
            TLS v1.2   128 bits          ECDHE-RSA-AES128-SHA        Curve P-256 DHE 256
            TLS v1.2   256 bits          ECDHE-RSA-AES256-SHA        Curve P-256 DHE 256

TLS 1.1

            Protocol   Cipher Strength   Cipher Name                 Parameters
Preferred   TLS v1.1   128 bits          AES128-SHA
Accepted    TLS v1.1   256 bits          AES256-SHA
            TLS v1.1   128 bits          ECDHE-RSA-AES128-SHA        Curve P-256 DHE 256
            TLS v1.1   256 bits          ECDHE-RSA-AES256-SHA        Curve P-256 DHE 256

Software - Service Providers


Table A-7 Service Providers - List

Item             ATM Manufacturer          Details
Wincor ProBase   Wincor                    ProBase must be installed and configured by Wincor prior to installing Kalignite and the BWAC application.
                                           Appropriate versions supplied by ATM vendor.
APTRA            NCR                       AptraXFS and Aptra ActiveXFS must be installed on ATM.
                                           Appropriate versions identified by NCR and verified by CR2
Agilis XFS       Diebold                   Appropriate versions supplied by ATM vendor
Other            All Other Manufacturers   Appropriate versions supplied by ATM vendor

Software - XFS Middleware


Table A-8 Middleware - List

Item               ATM Manufacturer   Description
APTRA Active XFS   NCR                XFS middleware layer that BWAC uses on NCR ATMs.
                                      BWAC runs on top of APTRA XFS software
Kalignite XFS      All except NCR     Kalignite is the XFS middleware layer that BWAC uses on non-NCR ATMs

Software - Windows Services
Table A-9 Windows Services - List

Item                          Description
Remote Procedure Call (RPC)   The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activations requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers.

Services Triggered by BWAC Application


Table A-10 Triggered Services - List

BWAC Triggered Services

Windows Services
- BWLogger.exe
- BWAgent.exe
- BWAgentService.exe

Before BWAC Starts
- SetWallpaper.exe
- BWC_Init.exe
- BWC_SvcChk.exe
- ProcEndWait.exe

When BWAC is Running
- BWC_DvcMon.exe
- BWC_IE5Sv2.exe
- BWC_LogAgt.exe
- BWC_ModeMgr.exe
- BWC_MsgRoute.exe
- BWC_SAFMgr.exe
- BWC_SupApp.exe
- BWC_TxnMgr.exe
- EmvEngine.exe
- BWCMonitor
- Projector.exe
- ResourceManager.exe
- ServiceManager.exe

Other BWAC Processes
- BWAC3Installer.exe
- BWC_Shutdown.exe
- BWC_WinHook.exe
- CameraConfig.exe
- FontInstaller.exe
- BWInstaller.exe
- HideConsoleWindow.exe
- PrinterCalibrator.exe
- LogCollector.exe
- BWInstallerGUI.exe
- BWACPlatformTester.exe

Dependent Hardware
Table A-11 Hardware - List

Item Description

PIN Pad PCI PTS-validated PIN pads only

Appendix B Checksum and Digital Certificate Checks

B.1 Introduction
• To ensure secure delivery of BWAC software, each BWAC application software release is
supplied with a checksum file and a ‘CR2’ digital certificate.
• Use this appendix for information on how to perform the checksum file checking and
how to install the digital certificate.
NOTE: Customers only need to perform these checks the first time the BWAC application
is installed on an ATM.

B.2 General Notes on Software Distribution


CR2 Customer Support (CS) will inform customers via their support portal login page when a new release of BWAC application software, hotfix or patch release is available for download.
For any security or PA-DSS-related impact in releases, updates or patches, CS will also notify customers of availability by email.
The support portal login page contains lists of the latest versions of each piece of software as well as downloadable release notes for the customer.
All releases of BWAC application software, including hotfixes and patch releases, are made via Secure FTP (SFTP).
CR2 CS will also ensure that the installer and checksum are sent to the SFTP server separately to prevent tampering with the checksum.

B.3 Installation File Checking Procedures


• Customers must test the downloaded BWAC master installation files against the checksum file downloaded from the SFTP server:

• Customers should download a suitable file checksum tool from the following:
http://download.cnet.com/File-Checksum-Tool/3000-2248_4-75110491.html

B.3.1 Check File Checksum and Digital Certificate
This is a three part process:
1. Check the ISO file’s internal checksum against the CR2 checksum file (‘hash.txt’).
2. Check file’s digital certificate.
3. Install the digital certificate (first-time BWAC installations only).
(1) Check File Checksum OK
1. Run the file checksum tool:

2. Browse to the ISO installation file:

3. Set the hashing algorithm to ‘SHA-256’:

4. Open the ‘hash.txt’ file:

5. Copy the checksum value:

6. Paste the value into the ‘Verify With’ field as follows.
7. Click the Compare button:

- The file checksum tool runs the check:

- The file checksum tool should report a successful check:
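
A scripted equivalent of the manual SHA-256 comparison above, added here as an example (it is not a CR2 tool). It assumes ‘hash.txt’ holds a single hex SHA-256 digest, optionally followed by a file name; the function names and the stand-in file names are illustrative.

```python
import hashlib
import hmac
import re
from pathlib import Path

# A SHA-256 digest is exactly 64 hex characters. The word boundaries stop a
# longer hex run (for example a SHA-512 digest) from matching in part, and a
# shorter one (MD5, SHA-1) never matches at all.
SHA256_HEX = re.compile(r"\b[0-9A-Fa-f]{64}\b")


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a large installer image in chunks so it never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_expected_digest(hash_file):
    """Return the one SHA-256 digest in the checksum file, lower-cased.

    Handles files saved as UTF-16 (common when edited or redirected on
    Windows) and refuses files holding zero or several different digests.
    """
    raw = Path(hash_file).read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    digests = {d.lower() for d in SHA256_HEX.findall(text)}
    if len(digests) != 1:
        raise ValueError(
            f"expected exactly one SHA-256 digest in {hash_file}, "
            f"found {len(digests)}")
    return digests.pop()


def verify_installer(iso_path, hash_file):
    """True only when the image hashes to the digest in the checksum file."""
    expected = read_expected_digest(hash_file)
    return hmac.compare_digest(sha256_file(iso_path), expected)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp, "installer.iso")        # constructed stand-in image
        iso.write_bytes(b"constructed installer image\n" * 4096)
        hash_txt = Path(tmp, "hash.txt")        # constructed checksum file
        hash_txt.write_text(sha256_file(iso).upper() + "  installer.iso\n")
        print("match:", verify_installer(iso, hash_txt))
        iso.write_bytes(iso.read_bytes() + b"\x00")   # image altered in transit
        print("match after modification:", verify_installer(iso, hash_txt))
```

The comparison is only meaningful when ‘hash.txt’ was obtained separately from the image, as B.2 describes.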

(2) Check ISO File’s Digital Certificate


1. Extract the BWAC ISO files:

2. Right-click on ‘Setup.exe’ and select ‘Properties’:

3. Click the Digital Signatures tab.


4. Check that the ‘Name of signer’ is set to “CR2”:

(3) Install the CR2 Digital Certificate - Standalone ATM
1. Click the Details button:

2. Click View Certificate:

3. Click Install Certificate:

4. Click Next:

5. Click Next:

6. Click Finish:

7. Click OK:

8. Close the property sheets for the ‘Setup.exe’ file.

• The checksum is now verified and the ‘CR2’ certificate installed on the target ATM
machine.
• Customers can proceed safely with the normal BWAC installation procedure.
Install Digital Certificate - Domain-Based ATMs
For details on installing the CR2 certificate on multiple ATMs belonging to a Windows
domain, customers should refer to the following link:
http://technet.microsoft.com/en-us/library/cc754841.aspx

Appendix C Key Custodian Form

Key Custodian Form - Component 1

Key Custodian Form - Component 2
