8
Important Security Notice
• Back-out or product de-installation procedures
5.4 The payment application must not use or require use of unnecessary and insecure services and protocols (for example, NetBIOS, file-sharing, Telnet, unencrypted FTP must be secured via SSH, S-FTP, SSL, IPSec and other technology to implement end-to-end security). PCI Data Security Standard Requirement 2.2.2
6. Protect wireless transmissions
6.1 For payment applications using wireless technology, the wireless technology must be implemented securely. Payment applications using wireless technology must facilitate use of industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. Controls must be in place to protect the implemented wireless network from unknown wireless access points and clients. This includes testing the end user's wireless deployment on a quarterly basis to detect unauthorized access points within the system. Change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Maintain a detailed, updated hardware list. The wireless implementation must be secure end to end. The use of WEP as a security control was prohibited as of 30 June 2010. PCI Data Security Standard Requirements 1.2.3, 2.1.1, 4.1.1, 6.2, 11.1a-e and 11.4a-c.
7. Test payment applications to address vulnerabilities
7.1 Software vendors must establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet) and to test their payment applications for vulnerabilities. Any underlying software or systems that are provided with or required by the payment application (for example, web servers, third-party libraries and programs) must be included in this process. Remove all test configurations, samples, and data after testing and before promoting the changes to production. PCI Data Security Standard Requirement 6.2
7.2 Software vendors must establish a process for timely development and deployment of security patches and upgrades, which includes delivery of updates and patches in a secure manner with a known chain-of-trust, and maintenance of the integrity of patch and update code during delivery and deployment.
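The following is an added illustration of the verify-before-apply pattern that requirement 7.2 calls for; it is not code from the IDTech SDK or from the PA-DSS standard. It assumes a vendor-side packaging step that produces a manifest (version plus SHA-256 of the patch bytes) and an integrity tag over that manifest, and a customer-side step that refuses to install anything whose tag, hash or version does not check out. The tag here is an HMAC under a constructed pre-shared key so the example runs with the Python standard library alone; a real chain-of-trust would use an asymmetric signature chained to the vendor's code-signing certificate, and the check order (authenticate the manifest first, then hash the payload, then compare versions) stays the same.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. A production update channel would
# carry a signature verifiable against the vendor's code-signing certificate.
VENDOR_KEY = b"example-vendor-key-not-a-real-secret"


def parse_version(text):
    """'1.2.10' -> (1, 2, 10) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def build_update(version, payload, key=VENDOR_KEY):
    """Vendor side: package a patch with a manifest and an integrity tag."""
    manifest = {
        "version": version,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    # Canonical serialisation so the tag is computed over a stable byte string.
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"manifest": manifest_bytes, "tag": tag, "payload": payload}


def verify_update(update, installed_version, key=VENDOR_KEY):
    """Customer side: authenticate the manifest, then the payload, then the version.

    Returns (ok, reason). Nothing is installed unless ok is True.
    """
    expected = hmac.new(key, update["manifest"], hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, update["tag"]):
        return False, "manifest tag mismatch: not issued under the trusted vendor key"

    manifest = json.loads(update["manifest"])
    if hashlib.sha256(update["payload"]).hexdigest() != manifest["sha256"]:
        return False, "payload hash mismatch: patch altered in transit"

    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "version not newer than installed: possible downgrade"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample patch bytes; a real update would be a signed archive.
    update = build_update("1.2.3", b"constructed patch bytes")
    print(verify_update(update, "1.2.2"))   # (True, 'ok')

    tampered = dict(update, payload=b"altered in transit")
    print(verify_update(tampered, "1.2.2"))  # payload hash mismatch

    print(verify_update(update, "1.2.3"))   # version not newer: downgrade refused
```

The order of checks matters: the manifest is authenticated before any field in it is trusted, so an attacker who can modify bytes in transit cannot substitute a manifest whose hash matches their altered payload, and the version comparison closes the replay path where an old, once-legitimate patch is pushed to reintroduce a fixed vulnerability.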
8. Facilitate secure network implementation
8.1 The payment application must be able to be implemented into a secure network environment. The application must not interfere with use of devices, applications, or configurations required for PCI DSS compliance (for example, the payment application cannot interfere with anti-virus protection, firewall configurations, or any other device, application, or configuration required for PCI DSS compliance). PCI Data Security Standard Requirements 1, 3, 4, 5, and 6.
9. Cardholder data must never be stored on a server connected to the Internet
9.1 The payment application must be developed such that the database server and web server are not required to be on the same server, nor is the database server required to be in the DMZ with the web server. PCI Data Security Standard Requirement 1.3.7
10. Facilitate secure remote software updates
10.1 If payment application updates are delivered securely via remote access into customers' systems, software vendors must tell customers to turn on remote-access technologies only when needed for downloads from vendor
#80152504-001 IDTech iOS SDK Guide for NEO2