PCI Action Items

The following steps must be taken and implemented on your network and computers, compliments of X-Charge.

X-Charge Installation Location
The X-Charge Server must be installed in a secure location in your internal network. The X-Charge
Server is not approved for installation in a DMZ or other Internet-accessible location. For example,
the X-Charge Server must not be installed on web servers.

It is recommended that the X-Charge Server be installed on an independent server that is kept
locked down with Windows Security and even physical security, such as keeping the server locked
in a server room. It is not recommended that the X-Charge Server be installed on workstations
used by users, such as a point-of-sale workstation. X-Charge may be installed as a client on
point-of-sale and other workstations.

Enable X-Charge Security
It is required that X-Charge Security be enabled to control access to X-Charge and its features.
Security is enabled by opening the X-Charge Server, Setup, General Options, Security page and
selecting the ‘Enable User Security’ option. Individual users can be granted access to only the
X-Charge features that they need to perform their duties. Features such as Setup, Reports, and
Transaction Lookup should be given only to users who directly need those features.

Use Windows Security
Windows Security must be utilized to provide workstation and server security. Each user is
required to have a unique Windows user password that does not grant administrator rights.
Passwords must be routinely modified at least every 90 days to control access to X-Charge,
workstations, and network servers. Default X-Charge and Windows passwords must be changed.
Complex passwords with a mix of numbers and letters, and a minimum password length of seven
characters must be used to increase password security.

Strong complex passwords have the following characteristics:
·  Contain at least seven characters. Longer passwords are better.
·  Contain characters from three of the following five groups:

      Group                         Example
      Lowercase letters             a, b, c, …
      Uppercase letters             A, B, C, …
      Numerals                      0, 1, 2, 3, 4, 5, 6, 7, 8, 9
      Non-alphanumeric (symbols)    ( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? /
      Unicode characters            €, ?, ƒ, and ?

·  Contain at least one symbol character in the second through sixth positions.
·  Must be significantly different from prior passwords.
·  Cannot contain your name or user name.
·  Cannot be a common word or name.
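
One way to check a workstation or server against the account rules in this section (unique non-administrator accounts, passwords changed at least every 90 days). This is an added example, not part of the original X-Charge guidance. It assumes Windows PowerShell 5.1 or later in an elevated session and covers local accounts only; domain accounts need the equivalent check against the directory.

```powershell
# Added example: audit enabled local accounts against the rules in this section.
# Assumes Windows PowerShell 5.1 or later, run from an elevated session.
$maxAgeDays = 90          # rotation interval stated on this page
$now        = Get-Date

# SIDs of the members of the built-in Administrators group. The group is
# looked up by its well-known SID so this also works on localized Windows.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

$report = foreach ($user in (Get-LocalUser | Where-Object Enabled)) {
    # PasswordLastSet is empty when no password has ever been set.
    $age = $null
    if ($user.PasswordLastSet) {
        $age = [math]::Floor(($now - $user.PasswordLastSet).TotalDays)
    }

    [pscustomobject]@{
        User             = $user.Name
        PasswordAgeDays  = $age
        RotationOverdue  = ($null -ne $age) -and ($age -gt $maxAgeDays)
        NeverExpires     = ($null -ne $age) -and ($null -eq $user.PasswordExpires)
        PasswordRequired = $user.PasswordRequired
        IsAdministrator  = $adminSids -contains $user.SID.Value
    }
}

# Show only the accounts that break at least one rule.
$report |
    Where-Object {
        $_.RotationOverdue -or $_.NeverExpires -or
        -not $_.PasswordRequired -or $_.IsAdministrator
    } |
    Sort-Object User |
    Format-Table -AutoSize
```

An empty result means every enabled local account has a required password that expires, is less than 90 days old, and does not carry administrator rights. At least one administrative account is normally expected to appear; the point is to confirm that day-to-day user accounts do not.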

Control Access to X-Charge for IP Transaction Requests
Transaction requests sent to X-Charge must never pass across a public network, such as the
Internet. If remote transaction requests are required or desired, a VPN must be used to secure the
data transmission across the Internet.

Control Access to Workstations and Network Servers
It is required that Windows security be used to control access to individual workstations. Each
workstation must require a password before access can be gained to the computer. Access to the
network and network resources, such as drives and files, must also be password protected.
Older versions of Windows that do not require security to gain access to the computer, such as
Windows 98 or Windows Me, are not supported. Windows XP Home is not supported for the same

Wireless Security
If your network utilizes wireless technology, the wireless connections must be secured using WEP,
WPA, or SSL security to prevent unrestricted access to the network. However, WEP encryption
must only be used when WPA, SSL or other stronger encryption methods are not possible.
Encryption keys at least 128 bits long are required. Default router passwords
must be changed and SSID broadcasts should be disabled.

Virus Protection
Workstations and servers must have virus protection to protect the computer and its data from
tampering and theft. Virus programs must be regularly updated with the latest virus definition
information to keep computers protected from the latest virus.

Spyware Protection
Workstations and servers must have spyware protection to protect the computer and its data from
tampering and theft. Anti-Spyware programs must be regularly updated with the latest spyware
definition information to keep computers protected from the latest spyware threats. Some
recommended anti-spyware programs:
Windows Defender
AdAware
Spyware Blaster
SpyBot Search and Destroy
Webroot Spy Sweeper

Networks and computers must be secured with a firewall to protect the computer and network from
unwanted incoming Internet traffic. The firewall must be configured to allow outgoing traffic only to
secure and trusted sites, including the processor used for credit card processing.

Mobile Computers
Mobile computers and devices must be protected with the same password, virus, spyware, and
firewall protections as other computers that are always connected to the network.

Verify Digital Signatures
Updates for the X-Charge program that are manually copied or downloaded must be verified as having
the correct “CAM Commerce Solutions, Inc.” digital signature. This may be done by viewing the file
properties for the installation executable and viewing the Digital Signatures information. This
ensures that the source of the update is actually CAM Commerce Solutions.
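
The same check can be scripted so it runs before every manual update. The following is an added example, not code from X-Charge or CAM Commerce Solutions. The function name and the installer path are hypothetical, and it assumes the certificate's common name matches the signer name quoted above exactly.

```powershell
# Added example: verify an installer's Authenticode signature and signer name.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Signer name stated on this page; assumed to equal the certificate CN.
        [string]$ExpectedSigner = 'CAM Commerce Solutions, Inc.'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a trusted root. NotSigned, HashMismatch, NotTrusted and the
    # other states all fail here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }

    # A valid signature from a different publisher must also be rejected,
    # so compare the signer's common name with the expected one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedSigner) {
        Write-Warning "$Path : signed by '$signer', expected '$ExpectedSigner'"
        return $false
    }

    Write-Verbose "$Path : signed by '$signer' (thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

# Placeholder path: replace with the update file that was copied or downloaded.
$installer = 'C:\path\to\update-installer.exe'
if (-not (Test-UpdateSignature -Path $installer)) {
    Write-Error 'Signature check failed. Do not run this installer.'
}
```

Checking the status alone is not enough: any publisher with a trusted code-signing certificate produces a `Valid` result, which is why the signer name is compared as a second step.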

Sensitive Data Storage
Sensitive Data, such as track information, CV codes, and debit PIN information must never be
retained and stored. This sensitive information must not be retained in point of sale, or other