Implementation Guide
B.1 Introduction
B.2 General Notes on Software Distribution
B.3 Installation File Checking Procedures
B.3.1 Check File Checksum and Digital Certificate
(1) Check File Checksum OK
(2) Check ISO File’s Digital Certificate
(3) Install the CR2 Digital Certificate - Standalone ATM
Install Digital Certificate - Domain-Based ATMs
Appendix C Key Custodian Form
PA-DSS - Overview
The Payment Application Data Security Standard (PA-DSS) is derived from the Payment Card Industry Data Security Standard (PCI-DSS) Requirements and Security Assessment Procedures, and is the subset of those requirements that relate particularly to payment applications.
As the vendor of a payment application (BWAC), CR2 has submitted the BWAC application for evaluation by UL, an independent provider of information security evaluations.
This document provides guidance on how to implement the BWAC application in a PA-DSS compliant manner that will facilitate a customer’s overall compliance with PCI-DSS.
This guide addresses all steps detailed in the PA-DSS Requirements and Security Assessment Procedures as they apply to the BWAC application.
Executive Summary
This document serves as a guide to implementing the CR2 BWAC application in a manner that facilitates and supports a customer’s PCI-DSS compliance.
Intended Audience
• CR2 bank customers
• All BWAC integrators/3rd party installers/resellers
• CR2 Professional Services
Reference Documents
• PCI Security Standards Council (2015) Payment Application Data Security Standard
Requirements and Security Assessment Procedures (version 3.2)
• BWAC Installation Guide
• BWAC Operations Guide
Disclaimer
CR2 acknowledges that some proprietary programs, products or services may be mentioned in this guide. These programs, products or services are distributed under trademarks or registered trademarks of their vendors and/or distributors in their respective countries.
This guide is the intellectual property of CR2. You may not:
- disclose the contents of this guide to a third party
- use this document as the basis for systems design
- copy this guide (in hard-copy (paper) or soft-copy (electronic) format) without written permission from CR2
PA-DSS - List
Customers should implement their BWAC application in compliance with PA-DSS, as directed in this implementation guide, to facilitate overall compliance with PCI-DSS.
Requirement  Description
2.2  Mask PAN when displayed so only personnel with a business need can see the full PAN
2.4  Protect keys used to secure cardholder data against disclosure and misuse
3.1  Use unique user IDs and secure authentication for administrative access and access to cardholder data
3.2  Use unique user IDs and secure authentication for access to PCs, servers, and databases with payment applications
8.2  Use only necessary and secure services, protocols, components, and dependent software and hardware, including those provided by third parties
9.1  Store cardholder data only on servers not connected to the Internet
4. Enter the details for the ‘Logs’ folder within the c:\ProgramData\CR2\BWAC directory:
- (1) target type - ‘Files in Folder’
- (2) browse to/select the ‘Logs’ folder
- (3) deselect the ‘Delete folder if empty’ setting
- (4) click OK
Log Files
BWAC application
Electronic Journal
Pre-Authorisation Encryption
During operations, the BWAC application temporarily stores a copy of an authorisation message in its Recovery Store from the moment the authorisation message is sent to the sub-host until the response is received from the sub-host.
The BWAC application deletes the content of the recovery store once it receives the authorisation response from the sub-host.
If no authorisation response is received, BWAC builds the reversal message from the data in the recovery store. The reversal message is then routed to the Store and Forward (SAF) component, which is responsible for guaranteed delivery of the reversal message to the sub-host.
Before the recovery message is written to the recovery store, all data is encrypted using the Microsoft Data Protection API (DPAPI).
Recovery Store - Location: Windows Registry ‘HKLM\Software\CR2\BWAC\TransactionManager\RecoveryStore’
SAF - Location: ‘C:\ProgramData\CR2\Bwac\Offline’
Post Authorisation
Note that encrypted pre-authorisation data is removed from the above locations immediately after BWAC receives responses to the authorisation messages. Crypto-erasure is used to securely delete this data.
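The PowerShell script below is an added illustration of the recovery-store lifecycle described above (encrypt with DPAPI before the copy is written, read it back only on the no-response path, delete it as soon as the response arrives). It is not CR2 code and does not reproduce BWAC’s own implementation or its crypto-erasure mechanism; it writes to a scratch key under HKCU rather than the BWAC key, and the key path, transaction ID and message content are constructed for the demonstration.

```powershell
# Added illustration (not CR2 code): DPAPI-protected recovery store lifecycle.
# Uses a scratch registry path under HKCU so it never touches the real
# HKLM\Software\CR2\BWAC\TransactionManager\RecoveryStore key.
Add-Type -AssemblyName System.Security

$RecoveryStorePath = 'HKCU:\Software\Example\RecoveryStore'   # placeholder path, not BWAC's
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-RecoveryMessage {
    param([string]$TxnId, [string]$Message)
    # DPAPI encrypts under a machine-bound key; the plaintext never reaches the registry.
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $cipher = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    [Array]::Clear($plain, 0, $plain.Length)          # scrub the plaintext buffer
    New-Item -Path $RecoveryStorePath -Force | Out-Null
    Set-ItemProperty -Path $RecoveryStorePath -Name $TxnId -Value $cipher -Type Binary
}

function Get-RecoveryMessage {
    param([string]$TxnId)
    # Only used on the no-response path, to rebuild the reversal message.
    $cipher = (Get-ItemProperty -Path $RecoveryStorePath -Name $TxnId).$TxnId
    $plain  = [System.Security.Cryptography.ProtectedData]::Unprotect($cipher, $null, $Scope)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

function Remove-RecoveryMessage {
    param([string]$TxnId)
    # Normal path: the response arrived, so the stored copy is deleted immediately.
    Remove-ItemProperty -Path $RecoveryStorePath -Name $TxnId -ErrorAction SilentlyContinue
}

# Constructed sample: a masked authorisation record (no real card data).
Protect-RecoveryMessage -TxnId 'TXN0001' -Message 'AUTH;PAN=411111******1111;AMT=50.00'
$raw = (Get-ItemProperty -Path $RecoveryStorePath -Name 'TXN0001').TXN0001
"Stored bytes start: " + (($raw[0..3] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')   # ciphertext, not 'AUTH'
"Recovered: " + (Get-RecoveryMessage -TxnId 'TXN0001')
Remove-RecoveryMessage -TxnId 'TXN0001'
"Remaining entries: " + @((Get-Item $RecoveryStorePath).Property).Count
```

Two points matter when reviewing a store of this kind. DPAPI with the LocalMachine scope can be unprotected by any process running on the same ATM, so the confidentiality of the stored copy rests on the operating-system controls this guide mandates elsewhere (unique administrator accounts, no network sharing, restricted physical and remote access). Second, deleting the registry value removes the reference, not necessarily the bytes; that is why the guide specifies crypto-erasure rather than plain deletion for the post-authorisation clean-up.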
Essential Windows OS Security Settings
Unintentional Cardholder Data Capture - Prevention
Customers should perform the following Windows OS tasks to prevent accidental capture
of cardholder data.
(A) Disable the Volume Shadow Copy Service
1. Log on to the ATM as an administrator.
2. Click Start.
3. Enter ‘services.msc’
4. Press Return on the keyboard:
Windows 10
1. Enter the string ‘cmd’ in the Search box.
2. Right-click and select ‘Run as administrator’:
Windows 10
1. Select Start - Programs - Windows Administrative Tools - Local Security Policy:
All OS
2. Select Local Policies - Security Options - Shutdown: Clear virtual memory pagefile:
8. Click OK.
9. Close the property sheet/Control Panel.
Windows 10
NOTE: System Protection is disabled by default on Windows 10.
As per Windows 7 using Control Panel (not Settings).
3.1.1 The payment application does not use (or require the use of) default
administrative accounts for other necessary software
For installation, upgrading and servicing requirements, some areas of the BWAC application will require access by a Windows administrator user.
Customers must rename the default Windows administrator user account immediately
after installation of the BWAC application.
Windows 7
Select Control Panel - Administrative Tools:
Windows 10
Select Control Panel - All Control Panel Items - Administrative Tools:
Network Sharing is turned off in all network profiles (‘Control Panel - All Control Panel
Items - Network and Sharing Center - Advanced sharing settings’):
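The following PowerShell script is an added example, not CR2 tooling, that checks and applies the Windows settings called for in the two preceding sections: the Volume Shadow Copy Service disabled, the pagefile cleared at shutdown, System Protection off, the built-in administrator account renamed (3.1.1), and network sharing turned off. It assumes an elevated Windows PowerShell 5.1 session on the ATM; the new administrator name is a site-specific placeholder, and disabling the ‘File and Printer Sharing’ firewall rule group is this example’s approximation of the ‘Network Sharing off’ Control Panel setting.

```powershell
# Added example (not CR2 code): check and apply the OS hardening this guide requires.
# Run elevated in Windows PowerShell 5.1 (Disable-ComputerRestore is not in PowerShell 7).
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-BuiltinAdministrator {
    # The built-in Administrator keeps RID 500 whatever it is renamed to, so look it up by SID.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Get-AtmHardeningState {
    $vss     = Get-Service -Name VSS
    $clearPf = (Get-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $builtin = Get-BuiltinAdministrator
    $sharing = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Where-Object { $_.Enabled -eq 'True' }
    [pscustomobject]@{
        VssDisabled               = ($vss.StartType -eq 'Disabled' -and $vss.Status -ne 'Running')
        PagefileClearedOnShutdown = ($clearPf -eq 1)
        BuiltinAdminRenamed       = ($builtin.Name -ne 'Administrator')
        BuiltinAdminName          = $builtin.Name
        FileSharingRulesEnabled   = @($sharing).Count
    }
}

function Set-AtmHardening {
    param([Parameter(Mandatory)][string]$NewAdminName)   # site-specific placeholder
    Stop-Service -Name VSS -Force -ErrorAction SilentlyContinue
    Set-Service  -Name VSS -StartupType Disabled
    Set-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -Value 1 -Type DWord
    # System Protection (restore points) would keep copies of files on the system drive.
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
    $builtin = Get-BuiltinAdministrator
    if ($builtin.Name -eq 'Administrator') {
        Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
    }
    # Assumed equivalent of 'Network Sharing off in all network profiles'.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Set-NetFirewallRule -Enabled False
}

Get-AtmHardeningState | Format-List
```

Run Get-AtmHardeningState before and after Set-AtmHardening and keep the output with the ATM’s build record; the check by SID rather than by name is what lets the same script verify an ATM whose administrator account was renamed during an earlier build.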
ATM Support Tool5: used to remotely manage and monitor each BWAC-enabled ATM, including viewing log files and other diagnostic functions.
ATM Custodian5: used to remotely view an ATM’s status, which will include cash/consumable levels, any captured cards and overall service status.
All four tools use client/server architecture to establish and maintain data exchanges between the host server/PC and each ATM.
Data exchange is controlled by the BWAC Agent (or BWAgent) application component.
BWAgent uses certificate validation as the secure ‘handshake’ mechanism between client (BWAC tool) and server (BWAC ATM) before data exchange can begin:
*With Distributor5, the Super User is responsible for creating certificates and users.
**Customers should replace this password at the earliest opportunity.
6. Super User clicks Load and locates the new super user certificate.
7. Super User enters the original password for the imported certificate, followed by a new password after the import (minimum length of 12 alphanumeric characters):
8. Super User clicks Import to import the new certificate:
NOTE: Customers must ensure the default certificate named “CR2 BWAgent Super User”
is deleted before proceeding further.
Add a new BWAC Tool User
Customers can create a set of tool users, each with a unique user ID and client certificate.
1. Super User logs on to the Distributor User Administration tool as default super user
“admin”:
5. Super User enters the password for the super user certificate.
6. Super User enters/confirms a new password for the client certificate (minimum length
of 12 alphanumeric characters).
- The new tool user will use this as their BWAC tool login password.
7. Super User assigns the ATM access privileges and clicks Issue:
• Two-Factor Authentication is now in place for BWAC tool users wanting to remotely
log on to the BWAC application.
• BWAC tool users can now log on to a BWAC tool using their unique user ID and valid
password (from the user’s client certificate).
PA-DSS Requirement 4: Log payment application activity
Requirement 4.1: At the completion of the installation process, the “out of the
box” default installation of the payment application must log all user access
and be able to link all activities to individual users
Aligns with PCI-DSS Requirement 10.1
BWAC Client - User Audit Logging on Windows OS
The BWAC application is a client application that does not use/require/manage a user
account system.
BWAC does not provide any user activity logging capability. Any activity logging is provided by the underlying Windows operating system.
However, customers must ensure Windows event logging is configured to meet the following PCI-DSS requirements - to record the following:
- all actions by privileged users
- invalid logical access attempts
- use of identification and authentication mechanisms
- elevation of privileges
- changes, additions or deletions of any accounts with root or administrative privileges
- initialisation of audit logs
- stopping or pausing of audit logs
- creation and deletion of system level objects
Customers should refer to the following resource for guidance on PCI-DSS compliant
logging:
http://resources.infosecinstitute.com/windows-logging-for-pci-dss/
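As an added example (not part of this guide or of CR2’s tooling), the PowerShell script below maps the list above onto Windows advanced audit policy subcategories, reports any subcategory that is not auditing both success and failure, applies the required settings, and lists the events that record the Security log being cleared or the event log service stopping. The mapping from PCI-DSS items to subcategories is this example’s own and should be reviewed against the customer’s logging standard; it assumes an elevated session.

```powershell
# Added example (not CR2 code): Windows audit policy against the PCI-DSS logging list above.
# Run elevated. The subcategory mapping is an assumption made for this example.
$RequiredSubcategories = @{
    'Sensitive Privilege Use'   = 'all actions by privileged users'
    'Logon'                     = 'invalid logical access attempts; use of authentication mechanism'
    'Credential Validation'     = 'use of identification and authentication mechanism'
    'Account Lockout'           = 'invalid logical access attempts'
    'Special Logon'             = 'elevation of privileges'
    'User Account Management'   = 'changes, additions or deletions of administrative accounts'
    'Security Group Management' = 'changes to administrative group membership'
    'Audit Policy Change'       = 'initialisation of audit logs'
    'Security State Change'     = 'stopping or pausing of audit logs'
    'Process Creation'          = 'creation and deletion of system level objects'
}

function Get-AuditGap {
    foreach ($sub in $RequiredSubcategories.Keys) {
        # '/r' prints CSV; 'Inclusion Setting' is e.g. 'Success and Failure' or 'No Auditing'.
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $sub
            Covers      = $RequiredSubcategories[$sub]
            Setting     = $row.'Inclusion Setting'
            Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

function Set-PciAuditPolicy {
    foreach ($sub in $RequiredSubcategories.Keys) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # Make the Security log large enough (256 MB here) that entries survive until collected.
    wevtutil sl Security /ms:268435456
}

function Get-AuditLogStopEvents {
    # 1102 = Security log cleared, 1100 = event logging service shut down; both belong in
    # the 'stopping or pausing of audit logs' record and should be reviewed every time.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100, 1102 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-AuditGap | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Because the BWAC application itself records nothing about interactive users, the Windows Security log is the only place an action on the ATM can be tied to an individual account; forwarding it off the ATM (for example with Windows Event Forwarding) is what keeps the record intact if the ATM is compromised or rebuilt.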
BWAC Client - BWAgent User Logging
All data exchanges between the BWAC tools and BWAgent are logged by default by the BWAC application on the host ATM.
NOTE: Customers must never disable logging on a host ATM - doing so will result in
non-compliance with PCI-DSS.
(C:\ProgramData\CR2\Bwac\Logs\bwac.<YYYY-MM-DD-HHMM-SS>.log)
The BWAC application log files list all BWAgent-related activity, with the following
information provided in order (left to right):
- time/date of event
- BWAC application component e.g. “BWAgent”
- name of remote tool user e.g. “martin”
- IP address of remote machine e.g. “10.1.0.140”
- (verbose) details of request from client
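The PowerShell script below is an added example, not CR2 code, showing how the BWAgent entries of a bwac.<date>.log file can be parsed into the five fields listed above and reviewed: each remote-tool request is tied to its user and source address, and requests from an address outside the customer’s list of approved tool hosts are flagged. The whitespace-separated layout, the sample lines and the allow-list are constructed for the example (the guide gives the field order but not the exact format), so the regular expression must be adjusted to the real file.

```powershell
# Added example (not CR2 code): parse and review BWAgent entries from a BWAC log file.
# The field layout is assumed; the sample lines and allow-list are constructed.
$SampleLog = @'
2023-05-02 10:14:07 BWAgent martin 10.1.0.140 GET /logs?file=bwac.2023-05-02-1000-00.log
2023-05-02 10:14:31 BWAgent martin 10.1.0.140 GET /status
2023-05-02 10:20:55 BWAgent svc-deploy 192.168.77.9 POST /config/update
2023-05-02 10:21:02 BWC_TxnMgr - - transaction 4411 reversal queued to SAF
'@ -split "`r?`n"

$AllowedToolHosts = @('10.1.0.140', '10.1.0.141')   # constructed list of approved tool hosts

function ConvertFrom-BwacLogLine {
    param([string]$Line)
    # date+time, component, user, IP, then everything else as the verbose request detail
    $m = [regex]::Match($Line, '^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Timestamp = [datetime]::ParseExact($m.Groups[1].Value, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        Component = $m.Groups[2].Value
        User      = $m.Groups[3].Value
        RemoteIp  = $m.Groups[4].Value
        Request   = $m.Groups[5].Value
    }
}

function Get-BwagentAccessReport {
    param([string[]]$Lines, [string[]]$AllowedHosts)
    $entries = $Lines | ForEach-Object { ConvertFrom-BwacLogLine $_ } |
               Where-Object { $_ -and $_.Component -eq 'BWAgent' }
    foreach ($e in $entries) {
        # Flag any tool access from a host that is not on the approved list.
        $e | Add-Member -NotePropertyName Suspicious -NotePropertyValue ($e.RemoteIp -notin $AllowedHosts) -PassThru
    }
}

$report = Get-BwagentAccessReport -Lines $SampleLog -AllowedHosts $AllowedToolHosts
$report | Format-Table Timestamp, User, RemoteIp, Suspicious, Request -AutoSize
# Per-user summary: every BWAgent action linked to an individual user, as Requirement 4.1 asks.
$report | Group-Object User | Select-Object Name, Count
```

For a fleet, the same parser can be run over the Logs folder of each ATM and the per-user counts compared with the change records; an unexpected user name or a request that reads or alters configuration from an unlisted address is the kind of entry that should be escalated rather than archived.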
Data exchanges between these tools and an ATM are performed using secure client/server authentication, with TLS 1.1 and TLS 1.2 security in force.
For more details on implementing this requirement, customers should consult Chapter 3 (PA-DSS Requirements 3/4), PA-DSS Requirement 3.2.
Item           Version  Description                          Launched/Instantiated By  Compiled By CR2?
PostSharp.dll  3.0.32   Aspect-oriented programming library  ResourceManager.exe       No
PsInfo.exe     1.77     System information utility           run-bwac.bat
Item  Website
7za.exe  http://www.7-zip.org/
A2iACheckReaderLib.dll  http://www.a2ia.com/
EmvX.dll  https://www.creditcall.com/
Gma.QrCodeNet.Encoding.Net35.dll, ThoughtWorks.QRCode.dll  https://qrcodenet.codeplex.com/
libeay32.dll, ssleay32.dll  http://indy.fulgan.com/SSL/
opencv_*.dll  http://opencv.org/
PostSharp.dll  https://www.postsharp.net/
PsInfo.exe  https://technet.microsoft.com/en-us/sysinternals/
zlib1.dll  http://www.zlib.net/
zip.exe, unzip.exe  http://www.info-zip.org/
jquery.js  https://jquery.com/
animate.css  https://daneden.github.io/animate.css/
slick.js  http://kenwheeler.github.io/slick/
Name  Details
HTTPS  For certain services, the BWAC application uses HTTPS for online communications between an ATM and the controller sub-system e.g. BankWorld ATM.
TLS 1.1*, TLS 1.2  Ensure TLS 1.0 is disabled on all host ATM machines
*CR2 recommend the use of TLS 1.1 as a minimum when deploying Schannel security
Cipher suite table (columns: Protocol, Cipher Strength, Cipher Name, Parameters, Preferred/Accepted; TLS 1.2 entries marked Preferred and Accepted): contents not recovered.
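The PowerShell script below is an added example, not CR2 code, that applies the protocol settings in the table above (TLS 1.0 and the SSL versions disabled, TLS 1.1 and TLS 1.2 enabled) through the Schannel registry keys and reports the resulting state for each protocol on both the client and server side. It assumes an elevated session; Schannel reads these keys at boot, so a reboot is needed before the change takes effect.

```powershell
# Added example (not CR2 code): Schannel protocol configuration for a BWAC ATM.
# Run elevated; reboot afterwards for Schannel to pick up the new values.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 together with DisabledByDefault=1 is the combination that turns a protocol off.
        Set-ItemProperty -Path $key -Name Enabled           -Value ([int]$Enabled)        -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enabled)) -Type DWord
    }
}

function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$proto\$side") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol = $proto
                Side     = $side
                # No key means the OS default applies, which on older builds leaves TLS 1.0 enabled.
                State    = $(if ($null -eq $p) { 'default' } elseif ($p.Enabled -eq 0) { 'off' } else { 'on' })
            }
        }
    }
}

# Apply the guide's minimum: legacy protocols off, TLS 1.1 and TLS 1.2 on.
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') { Set-SchannelProtocol -Protocol $legacy -Enabled $false }
foreach ($modern in 'TLS 1.1', 'TLS 1.2')            { Set-SchannelProtocol -Protocol $modern -Enabled $true  }
Get-SchannelProtocolState | Format-Table -AutoSize
```

Two practical caveats: TLS 1.1 has since been deprecated by the IETF (RFC 8996), so where the sub-host and the BWAC tools support it, leaving only TLS 1.2 enabled is the stronger configuration; and .NET-based components pick up these Schannel settings only when the .NET Framework is configured to use the system default TLS versions, which should be verified separately on the ATM image.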
Kalignite XFS  All except NCR  Kalignite is the XFS middleware layer that BWAC uses on non-NCR ATMs
Item  Description
Remote Procedure Call (RPC)  The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers.
Windows Services
BWLogger.exe
BWAgent.exe
BWAgentService.exe
SetWallpaper.exe
BWC_Init.exe
BWC_SvcChk.exe
ProcEndWait.exe
BWC_DvcMon.exe
BWC_IE5Sv2.exe
BWC_LogAgt.exe
BWC_ModeMgr.exe
BWC_MsgRoute.exe
BWC_SAFMgr.exe
BWC_SupApp.exe
BWC_TxnMgr.exe
EmvEngine.exe
BWCMonitor
Projector.exe
ResourceManager.exe
ServiceManager.exe
BWAC3Installer.exe
BWC_Shutdown.exe
BWC_WinHook.exe
CameraConfig.exe
FontInstaller.exe
BWInstaller.exe
HideConsoleWindow.exe
PrinterCalibrator.exe
LogCollector.exe
BWInstallerGUI.exe
BWACPlatformTester.exe
Dependent Hardware
Table A-11 Hardware - List
Item Description
B.1 Introduction
• To ensure secure delivery of BWAC software, each BWAC application software release is supplied with a checksum file and a ‘CR2’ digital certificate.
• Use this appendix for information on how to perform the checksum file checking and how to install the digital certificate.
NOTE: Customers only need to perform these checks the first time the BWAC application is installed on an ATM.
• Customers should download a suitable file checksum tool from the following:
http://download.cnet.com/File-Checksum-Tool/3000-2248_4-75110491.html
4. Click Next:
6. Click Finish:
7. Click OK:
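As an added example covering B.3.1 steps (1) and (2), and not part of this guide or of CR2’s release tooling, the PowerShell script below performs the checksum comparison and the digital-signature check with cmdlets built into Windows (Get-FileHash and Get-AuthenticodeSignature), so no third-party checksum tool has to be downloaded onto an ATM. The checksum file layout (one ‘<hex hash>  <filename>’ line per file, SHA-256) and the expected signer name are assumptions for the example; the actual format and the certificate subject must be taken from the CR2 release notes, and the demonstration at the end hashes a constructed temporary file rather than a BWAC release.

```powershell
# Added example (not CR2 code): release file integrity checks with built-in cmdlets.
# Checksum file format and signer subject are assumptions; see the release notes.
function Test-ReleaseChecksum {
    param([string]$FilePath, [string]$ChecksumPath, [string]$Algorithm = 'SHA256')
    $name = [IO.Path]::GetFileName($FilePath)
    # Find the line for this file: '<hash>  <filename>' (a leading '*' before the name is tolerated).
    $expected = Get-Content $ChecksumPath |
        ForEach-Object { if ($_ -match '^\s*([0-9A-Fa-f]+)\s+\*?(.+?)\s*$' -and $matches[2] -eq $name) { $matches[1] } } |
        Select-Object -First 1
    if (-not $expected) { throw "No entry for $name in $ChecksumPath" }
    $actual = (Get-FileHash -Path $FilePath -Algorithm $Algorithm).Hash
    # A mismatch means the file must not be installed; re-obtain it from CR2.
    [pscustomobject]@{ File = $name; Expected = $expected; Actual = $actual; Match = ($actual -ieq $expected) }
}

function Test-ReleaseSignature {
    param([string]$FilePath, [string]$ExpectedSubjectPattern = 'CN=CR2*')   # placeholder pattern
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File    = [IO.Path]::GetFileName($FilePath)
        Status  = $sig.Status                      # must be 'Valid'; 'NotSigned' or 'HashMismatch' fail
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like $ExpectedSubjectPattern)
    }
}

# Constructed demonstration: hash a temporary file and check it against a matching checksum file.
$tmp = Join-Path $env:TEMP 'bwac-demo.bin'
[IO.File]::WriteAllBytes($tmp, [byte[]](1..64))
$sum = Join-Path $env:TEMP 'bwac-demo.sha256'
"$((Get-FileHash -Path $tmp).Hash.ToLower())  bwac-demo.bin" | Set-Content $sum
Test-ReleaseChecksum -FilePath $tmp -ChecksumPath $sum
Remove-Item $tmp, $sum
```

The checksum only proves the file is the one the checksum file describes; if both were obtained over the same channel, a tampered download could carry a matching checksum. The signature check is what ties the release to CR2, which is why steps (2) and (3) of B.3.1 install the CR2 certificate and verify the release against it rather than relying on the checksum alone.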