Monday, April 26, 2010

PA-DSS Changes with 3.0

As we go through PA-DSS recertification, several changes, listed below, are being made to the onePOS system. We are taking compliance very seriously, and it is likely that we will require our partners to install only compliant systems by the end of the year in order to remain a onePOS partner. Please start thinking today about what changes might need to be made in quoting, installing, and supporting your sites to accomplish this. As I have stated many times before, someone is going to lose, and many people are losing, their business over this, and I don't want it to be any of our partners.

Back Office renamed to onePOS Management Console

To better reflect what the existing Back Office software does, and to avoid confusion with the manager workstation (i.e., the back office PC), the Back Office Application has been renamed to onePOS Management Console and will be abbreviated MC (as opposed to BOH).

Creation of onePOS Server

A new application, onePOS Server, has been created that will process database requests over SSL connections from each terminal. This means that Windows File Sharing or SFTP and Windows user accounts are no longer required for the POS to work properly.

Installation is simplified on each terminal, as only 3 files are loaded into a c:\onePOS folder (Launcher.exe, Terminal.cfg, and onePOS.cer) and a single application is added to the registry to auto-start (c:\onePOS\Launcher.exe). While installation is technically this simple, for PA-DSS compliance we will offer a dramatically different SetTerm to lock down the desktop, services, networking, etc.

The onePOS Server also incorporates the onePOS Payment Server Application, the onePOS Replicator Server Application, the onePOS PMS Gateway Application, the onePOS Order Server Application, and the Verifone code from the oneFusion Application.

Creation of onePOS Launcher

A new application, onePOS Launcher, resides on each machine, including the Manager Workstation, which automatically connects to the server, downloads the latest version of each onePOS Application necessary to operate, and launches them. If one of the applications unexpectedly quits, the Launcher will automatically relaunch it and record the event. Launcher works over SSL and handles all onePOS software distribution outside of the "server".

oneConnect Remote Access

We are ensuring and certifying that our oneConnect remote access solution is PA-DSS compliant. This is a very complicated process and setup, and it is more than just using a product that claims it can be set up in a PCI secure manner.

Over and above what most providers are offering, we offer complete logging, including session video recording, and data retention for a period of 1 year. If there is a data issue or breach, we have the logs and video to prove conclusively that you are or are not at fault.

We offer 2 factor authentication via SMS text paging for logging into oneConnect. No hardware tokens or dongles are required, just your cell phone. And if your SMS gets lost or deleted, you can have a new one sent by logging into a secure web page.

We are part of the existing "chain of trust" that is required for compliance. You will need to ensure, likely via letter from the vendor, that they understand the critical and sensitive nature of their role in data security and accept the responsibility and liability in the event of a breach on their end.

And we offer a solution where each tech will use the SMS 2 factor for logging into the onePOS Management Console, and the reseller does not have to have a unique user for each support person in each in-store database. As per the specs, each help desk or support tech must have their own unique login to the onePOS system, which has to be removed immediately on job change or termination. Managing this across several hundred sites would be a nightmare, so we created a technician user database on our servers that the 3.0 product will authenticate against for technician access. Techs can be removed from the server in a quick, single operation, and that tech will no longer have access at any customer sites. This also means that a global "9998" or "POS Tech" user is never in the database, and therefore an employee who learns the ID or password can never compromise the system.
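
A minimal model of the central technician directory described above, as an added example that is not onePOS code. The class and function names, the password-then-SMS-code flow, the 5-minute code lifetime and the sample IDs are all assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

CODE_TTL = 300  # seconds an SMS code stays valid (assumed value)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TechDirectory:
    """Central technician store that every site authenticates against."""

    def __init__(self):
        self._techs = {}   # tech_id -> (salt, password hash)
        self._codes = {}   # tech_id -> (sha256 of SMS code, expiry time)

    def add(self, tech_id, password):
        salt = os.urandom(16)
        self._techs[tech_id] = (salt, _pw_hash(password, salt))

    def remove(self, tech_id):
        # One operation: the tech loses access at every site at once.
        self._techs.pop(tech_id, None)
        self._codes.pop(tech_id, None)

    def send_code(self, tech_id, password, now=None):
        """First factor. Returns the code that would go out by SMS, or None."""
        now = time.time() if now is None else now
        # Unknown IDs are hashed against a dummy salt so they take as long to reject.
        salt, stored = self._techs.get(tech_id, (b"\0" * 16, b""))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[tech_id] = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL)
        return code

    def login(self, tech_id, code, now=None):
        """Second factor. Any attempt consumes the pending code, right or wrong."""
        now = time.time() if now is None else now
        digest, expiry = self._codes.pop(tech_id, (b"", 0.0))
        if tech_id not in self._techs or now > expiry:
            return False
        return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest)

def site_login(directory, site_id, tech_id, code, now=None):
    """What a store's Management Console would call; it holds no tech accounts."""
    granted = directory.login(tech_id, code, now)
    return {"site": site_id, "tech": tech_id, "granted": granted}
```

Because the in-store database holds no technician rows at all, a shared ID such as "9998" has nothing to match against, and removing a tech centrally needs no per-site cleanup.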

Enhanced Employee Database Encryption

Employee passwords are currently encoded with the HASP serial number, preventing use of another site's data to circumvent security. With 3.0 we are enhancing the encryption even further, preventing any editing of an employee's data through outside tools.
