PA-DSS requirement 3.2

Use unique user IDs and secure authentication for access to PCs, servers, and databases with payment applications.

This requirement applies to the Maitre’D main back-office PC as well as Maitre’D Auxiliary Servers and Maitre’D Backup Servers. Although only the main back-office and the backup server actually contain data, all three types of server allow access to cardholder data and therefore need to be protected by strong passwords.

Main back-office

On the main back-office, a user with administrative rights must be logged in at all times for Maitre’D to run, and also for other payment applications to run, such as Datacap DSIClientX, Datacap NETePay, Datacap EPay Admin, etc. It is very important that the username used on the main back-office PC is not used anywhere else on the network, and it must also be protected by a strong password known only to the person logging in. Maitre’D supports multi-user environments, so any user with administrative rights will be able to run all necessary applications. Every manager responsible for the main back-office PC must use a unique username and password to log in to it. Additionally, the usernames and passwords used for the main back-office must be different from those used on other PCs.

Backup server

The backup server PC contains a copy of the data from the main back-office, and all payment applications on it are in a dormant state. For this reason, the backup server needs to be protected by a strong, unique username and password, exactly like the main back-office. Since the backup server also requires a user to be logged in at all times, make sure that only the restaurant owner or managers have a username and password that allows access to the backup server PC.

Auxiliary back-office

The auxiliary back-office does not contain any data. It is simply a terminal that allows access to the data that sits on the main back-office. Auxiliaries only work when installed on the same LAN as the main back-office. They cannot be used to access data from another main back-office on another network or across the internet.

Since the auxiliary back-office allows access to credit card numbers, the Windows computer on which an auxiliary runs must be protected by strong, unique usernames and passwords. Each user logging in to that auxiliary back-office PC must use a unique username and password.

POS Workstations

POS workstations do not store any cardholder data, and they do not allow any card information to be accessed or viewed. However, to maintain the security of your network, strong and unique usernames and passwords must be used to log in to Windows before the POS workstation software is started. Also, each employee using a POS workstation must sign in with a unique employee code and a password.
