PA-DSS requirement 9.1

The Maitre’D back-office PC needs to have internet access in order to be able to process credit cards. However, you have to make sure that this PC is behind a corporate firewall, which effectively makes it invisible to the outside world. Also, you need to make sure that the Maitre’D back-office software does not reside on the same PC as other services, such as a web server (IIS, Apache, etc.), DNS or DHCP servers, etc. Generally speaking, any server should have only one primary function, and this is especially important for the Maitre’D Back-Office server which contains sensitive data.

For clarifications as to the actual meaning of this requirement, please read the PCI PADSS v3.2, articles 9.1a and 9.1b.

Basically, you need to make sure that the Maitre’D Back-Office PC and all workstations are on the Local network, behind the corporate firewall. What this requirement is stating is that any PC containing any kind of cardholder data should never be located in the DMZ (De-Militarized Zone) or in any other network location which could be accessed directly from the internet or from the “outside world” in general.

Implications for Maitre’D Meal Zone

If Maitre’D Meal Zone is in use, (also know as “External Ordering Service”, Online Ordering Service or MDWebService), you need to make sure that this service IS NOT installed on the same PC as the Main Maitre’D back-office. Maitre’D Meal Zone should be installed on a different PC sitting in the DMZ. Failing to do this automatically puts your system is a non-compliant status towards PA-DSS requirement 9.1.

Ports and Exceptions list for firewalls

Here is a list of all default ports and processes commonly used in Maitre’D 7.08. Use this list to help in building rules and exception for firewalls and Anti-Virus software.

TCP Ports

TCP Port 1001

Traffic: Inbound and Outbound

Protocol: TCP

Services: Applications

Applications: BOSRV.EXE, POS.EXE, STARTER.EXE.

Network: LAN only

This is the default port used by the Maitre’D Back-Office server to initiate communication with the workstations and needs to be open for inbound and outbound traffic on the local network only. This port is user-configurable in Server Control / View/ Options / Advanced / TCP/IP Port.

TCP Port 1002

Traffic: Inbound and Outbound

Protocol: TCP

Services: Applications

Applications: All Maitre’D applications

Network: LAN only

This port is used by workstations to initiate communication with the Maitre’D Back-Office server and needs to be open for inbound and outbound traffic on the local network only. This port number could change depending on what has been configured as default communication port. The port number will always be Default Port + 1. For instance, if the default port is set to 5000, then workstations will use TCP port 5001 to initiate communications.

Ports for Electronic Funds Transfer (EFT)

Traffic: Inbound and Outbound

Protocol: Varies according to service provider

Services: Varies according to service provider

Applications: BOSRV.EXE, BOSRVEFT.EXE, varies according to service provider.

Network: LAN and Internet

Ports used for EFT vary according to processors / acquirers. Please review the documentation provided by your EFT processor / acquirer to learn which ports need to be opened. For some interfaces, the TCP port is user-configurable through EFT / View / Options / Interface. In all cases, ports used need to be opened for inbound and outbound traffic over the local network as well as over the internet.

Note on Threaded Communication

If your system has the Threaded Communication enabled (ThreadedComm=2 in the bo.ini) more ports are actually used by Maitre’D to communicate with workstations. With this option enabled, Maitre’D receives data over ports 1001 and 1002, and then replies to the workstation over another port so that TCP Ports 1001 and 1002 remain free

The port number that will be used by Maitre’D to reply to the workstation is determined by the Windows network driver. Typically, the first available port will be used. These extraneous ports are used for outbound communication only, so they should not be blocked by your local firewall.

Processes / Applications

Bosrv.exe

This is the Main Back-Office server process which needs to be running at all times for your Maitre’D system to work. This process needs to be excluded from virus scans and allowed through the firewall for inbound and outbound communication.

Bosrveft.exe

This is the process managing all Electronic Funds Transfer (EFT) transactions. This process needs to be excluded from virus scans and allowed through the firewall for inbound and outbound communication.

BoReport.exe

This application is actually the Report Center module. It does not need to communicate through firewalls, but it does need to be excluded from virus scans or other software which may interpret BoReport.exe’s behavior as a threat.

GHServer.exe

This is the process that manages E-Global Head-Office server communication with restaurants. If used, this process needs to be excluded from virus scans and allowed through the firewall for inbound and outbound communication.

GHClient.exe

This is the process that manages E-Global communication from the restaurant to the Head-Office server. If used, this process needs to be excluded from virus scans and allowed through the firewall for inbound and outbound communication.

MDProcessor.exe

This is the process that manages the Maitre’D Schedule and Table Management Interfaces. If used, this process needs to be excluded from virus scans and allowed through the firewall for inbound and outbound communication.