
Implementation Guide for Integrators

DK-8111 3.4.07 - 27 February 2013


Point Development

POINT TRANSACTION SYSTEMS A/S


Knapholm 7, 2730 Herlev, Tlf.: 44 53 16 10 Fax: 44 53 46 20 www.point.dk
Reg.nr. A/S 202086 CVR nr. 15 40 12 81

Content
Objective
Completing the Integration Step by Step
  Step 1 Select an Integration Technique
  Step 2 Signing the Development Agreement
  Step 3 PCI DSS & PA DSS Requirements
  Step 4 Technical Development
  Step 5 Certification
  Step 6 Additional information required by PCI-SSC
  Step 7 Using PA DSS approved PSAMs
  Step 8 Terminal logging
Other documents

Objective
The objective of this guide is to describe all the steps needed in order to create an Electronic
Cash Register Integration (Merchant Application) to a Point payment terminal. It will guide you
to make the best choice of integration for your needs including how to fill in and sign the
Development Agreement. Additionally it will provide an overview of the PCI rules and a general
FAQ.
Point will also provide technical manuals with examples for all the various integration
techniques, which will offer an overview of the different approaches.

Completing the Integration Step by Step


Step 1 Select an Integration Technique
Firstly you must choose which technique you will use to build your Merchant Application.
Basically this choice is a question of how much you want to design and program yourself or how
much you want to reuse the applications made by Point.
The technical development guides in the appendixes will help you choose the right technique for
your Merchant Application.
Here are the different techniques supported by Point:
1. PointWareEkspedient (PWE): a standalone Windows application you control with a
command/answer text file interface.
2. PointTerminalOCX: a fast way of integrating a POS running on Windows 32/64 bit (2003
to Win7).
3. FlexDriver: a DLL which will take longer to develop but will provide you with more
flexibility regarding your own layout of dialogs. Currently 32/64 bit Windows 2003 to
Win7 and Linux supported.
4. Local Payment Protocol (LPP): for the most experienced programmer who is able to
handle COM and TCP/IP communication, packet coding/decoding, dialogs and printers.
This technique is mainly used by proprietary systems, ROM based or
non-Windows/Linux based POS.

Typical time consumption for the development process with each technique:
- PWE: development takes from 1 week to several weeks.
- OCX: development takes from 1 week to several weeks.
- DLL: development takes from 1 month to several months.
- LPP: development takes 6 months or more.
Please feel free to contact Point's development department at udvikling@point.dk if you have
any questions regarding the different integration techniques.

Step 2 Signing the Development Agreement


When you have decided which integration technique you want to use, you will have to fill in and
sign a Development Agreement. Please contact Point's sales department at salg@point.dk, and
they will help you with the Development Agreement.

Step 3 PCI DSS & PA DSS Requirements


PCI DSS (Payment Card Industry Data Security Standard) is a set of global requirements
created to ensure a high level of account data protection. The standards are published on
www.pcisecuritystandards.org among other web pages.
Account Data (Cardholder Data and Sensitive Authentication Data) is sensitive and Point
payment terminals do not store this data in the terminal, and furthermore all such data that is
sent from the terminal is masked. Point payment terminals are PTS approved.
NB - If a Merchant Application allows input of Cardholder Data it will affect the need for PA DSS
approval.
NB - If the Merchant Application is based on an existing solution that used to store Cardholder
Data, the integrator must remove all critical data in order to be PCI DSS compliant.
The decision whether or not a Merchant Application requires a PCI DSS approval rests with the
Acquirer.

Step 4 Technical Development


You are now ready to develop a solution based on PointWare Ekspedient, OCX, DLL or
LPP. See the appendixes for the Technical Guides and programming examples.
Point's development department (udvikling@point.dk) will help you with any questions that
come up during development. You can also consult the FAQ in this document, which
answers the most common questions.

Step 5 Certification
When the solution is complete it must be certified to make sure it meets all requirements for
Card Data security and that it functions correctly. Certification is handled by Nets (formerly
PBS). Point can help you find the right contact at Nets.

Step 6 Additional information required by PCI-SSC


The RTL system used for the authenticated remote software distribution should be evaluated by
a QSA as part of a PCI DSS assessment. The terminal comes with certain audit trails enabled.
The log is sent to Point automatically, and the logs are available by calling customer support.

If you are using a wireless network within your business network, you must make sure that firewalls
are installed that deny or control (if such traffic is necessary for business purposes) any traffic
from the wireless environment into the rest of the network environment.
In case you are using a wireless network you must also make sure that:
- Encryption keys were changed from vendor defaults at installation
- Encryption keys are changed anytime someone with knowledge of the keys leaves the
  company or changes position
- Default SNMP community strings on wireless devices are changed
- Firmware on wireless devices is updated to support strong encryption, WPA/WPA2.
  Please note that WEP must not be used for new installations and is not allowed after
  June 30, 2010.
- Other security related vendor defaults are changed

Your Point terminal allows transmission over public networks, e.g. Internet. To protect sensitive
data your Point terminal uses the PSAM chip provided by PBS. This chip uses triple DES
encryption with a unique key per transaction. To connect your Point terminal to public networks
you do not need to take any further action regarding encryption.
Before exchanging or updating the Nets PSAM, it is absolutely necessary for PCI DSS compliance
to remove any historical data stored by previous versions of the PSAM. This can be performed by
going into the Menu, Option (4) Admin, Option (10) Slet Datastore, Option (11) Flyt/Slet Advice.
It is very important for PCI DSS compliance that all accounts allowing access to any PCs,
servers, and databases with payment applications and cardholder data are unique. You
must not use generic or shared user accounts with insecurely stored passwords. The Point
solution neither hinders nor affects these requirements in any way.

Procedure to facilitate Centralized Log Management (PCI-DSS Requirement 10.5.3)

DK-8111 facilitates centralized log management to a Syslog compatible centralized log
management server. All the logs can be offloaded to such a server by accessing the Menu,
Option (4) Admin, Option (14) Send Event Log. Then you will be prompted for the IP address of
the Syslog server.
The following Atos Worldline payment terminals are supported:
Hardware PIN Entry Devices terminals:
- Atos Worldline Banksys XENTA Hardware #: 90640000xx 90640000xx REV_L, PTS 1.x
  approval 4-30001
- Atos Worldline Banksys XENTA Hardware #: 90640100xx Rev 0, 90640100xx rev. A, PTS 2.x
  approval 4-30051
- Atos Worldline Banksys Xentissimo Hardware #: 9066000xx rev A, 90660000xx rev F
  90660000xx rev G, PTS 1.x approval 4-30007
- Atos Worldline Banksys YOMANI Hardware #: 90670000xx rev.1 90670000xx rev. A, PTS 2.x
  approval 4-30046

Step 7 Using PA DSS approved PSAMs


The PSAM card used in terminals is delivered by Nets. The version used in the terminals should
be PA DSS approved to ensure compliance.

Step 8 Terminal logging


In order to be PA DSS 2.0 compliant, the terminal logs various information related to events
and actions on the terminal. It is possible to print this log information, and it is also possible to
send it in syslog format to a specified IP address.
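
A minimal receiver for the Send Event Log offload described in Step 6 and in this step, added here as an example (it is not Point's code). It assumes the terminal sends RFC 3164-style syslog over UDP port 514 and that 192.0.2.10 is the terminal's address; the guide states neither. Each stored record is hash-chained to the previous one so that later alteration of the collected log is detectable.

```python
import hashlib, json, re, socket

ALLOWED_SOURCES = {"192.0.2.10"}  # assumption: the terminal's IP (documentation range)
GENESIS = "0" * 64                # "prev" value of the first record in a chain

def decode_pri(datagram):
    """Return (facility, severity) from a leading <PRI> field, or None."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)

def _digest(record):
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def ingest(chain, src_ip, datagram):
    """Append one hash-chained record; ignore senders that are not terminals."""
    if src_ip not in ALLOWED_SOURCES:  # UDP sources can be spoofed: also filter upstream
        return None
    facility, severity = decode_pri(datagram) or (None, None)
    record = {"src": src_ip, "facility": facility, "severity": severity,
              "raw": datagram.decode("utf-8", "replace"),
              "prev": chain[-1]["hash"] if chain else GENESIS}
    record["hash"] = _digest(record)
    chain.append(record)
    return record

def verify_chain(chain):
    """Return the index of the first altered or out-of-order record, else -1."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(rec):
            return i
        prev = rec["hash"]
    return -1

def serve(path, host="0.0.0.0", port=514):
    """Listen for datagrams (assumed UDP); write accepted records to a new file."""
    chain = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path, "x") as out:
        sock.bind((host, port))
        while True:
            data, (src_ip, _port) = sock.recvfrom(8192)
            record = ingest(chain, src_ip, data)
            if record:
                out.write(json.dumps(record, sort_keys=True) + "\n")
                out.flush()
                del chain[:-1]  # only the last record is needed to extend the chain
```

Load the JSON lines of one output file into a list and pass it to verify_chain() to check that file; serve() creates a new file per run, so each file holds one complete chain.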

Other documents
FAQ(s)
Frequently Asked Questions
Technical Guides

PointWare Ekspedient
PointTerminal OCX
FlexDriver DLL
Local Payment Protocol LPP
