Configuring miscellaneous settings
Configure several miscellaneous settings to meet various PA-DSS requirements.
- In the user interface, click the Administration tab.
- Locate the User Accounts section.
- Select the Password must contain lowercase, Password must contain uppercase, and Password must contain digits checkboxes.
- Click the Interfaces tab and scroll down to the Application Programming Interface section.
- Select the Cross-site request forgery protection checkbox. Make sure that Session timeout (seconds) is set to a value of 900 seconds or less.
Note: If you want to use the tested default and secure HTTP headers, ensure that Use custom HTTP headers is disabled.
- Scroll up to locate the Message Tracing section under Message Command Interface.
- Select Disabled from the Dump message data drop-down list.
Note: Dump message data needs to be disabled to comply with PA-DSS requirement 2.3.
- Scroll down to locate the MQ Interface section.
- Select Disabled from the Dump message data drop-down list.
Note: Dump message data needs to be disabled to comply with PA-DSS requirement 2.3.
- Scroll down to the Kafka Interface section.
- Select Disabled from the Dump message data drop-down list.
Note: Dump message data needs to be disabled to comply with PA-DSS requirement 2.3.
- Click the Misc tab and scroll down to the Miscellaneous section.
- Verify that SSL cipher list has the following entries:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Note: This list might be outdated because new vulnerabilities may have been discovered since it was written. The OpenSSL website publishes regular security advisories, including information about newly discovered vulnerabilities.
- If you are using the relational database interface, you must enable masking of the values of encrypted attributes.
- Click the Administration tab and select . Select a mandator.
- Scroll down to the Relational Database Interface section.
- Select the Mask encrypted values checkbox. Note: Repeat for all mandators.
- Click the Cluster tab and select from the navigation menu.
- For every outgoing channel configuration, select the Mask values checkbox unless you have a business need not to do so.
Note: If you disable the Mask values option, make sure that only notifications, case actions, and external queries with a business need are associated with that outgoing channel configuration. If you store unmasked data that is received from an outgoing channel configuration, you must protect it according to PCI DSS requirements 3.4.1, 3.5, 3.6 and all applicable subrequirements.
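A checker for the settings this procedure walks through, written here as an added example and not taken from the product documentation. The settings dictionary and its key names are an assumed layout for illustration, not the product's export format; the cipher list is the one quoted above, and any suite outside it is reported as either undocumented or as lacking forward secrecy and AEAD.

```python
import re

# Cipher list quoted in the procedure above (OpenSSL cipher-string syntax).
APPROVED_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
).split(":")
# Shape shared by every approved suite: forward-secret key exchange plus an AEAD cipher.
_STRONG = re.compile(
    r"^(ECDHE|DHE)-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$")

def check_cipher_list(cipher_list: str) -> list[str]:
    """Return one finding per suite that deviates from the documented list."""
    suites = [s for s in cipher_list.split(":") if s]
    findings = []
    for s in suites:
        if s not in APPROVED_CIPHERS:
            why = "not in documented list" if _STRONG.match(s) else "not forward-secret AEAD"
            findings.append(f"cipher {s}: {why}")
    missing = [s for s in APPROVED_CIPHERS if s not in suites]
    if missing:
        findings.append("missing approved ciphers: " + ", ".join(missing))
    return findings

def check_settings(cfg: dict) -> list[str]:
    """Check the PA-DSS items of the procedure; the cfg key names are an assumed layout."""
    findings = []
    for key in ("password_lowercase", "password_uppercase", "password_digits",
                "csrf_protection", "mask_encrypted_values"):
        if not cfg.get(key, False):
            findings.append(f"{key} must be enabled")
    if cfg.get("use_custom_http_headers", False):
        findings.append("use_custom_http_headers is on; tested default headers not in use")
    if "session_timeout_seconds" not in cfg or cfg["session_timeout_seconds"] > 900:
        findings.append("session_timeout_seconds must be set to 900 or less")
    for iface in ("message_command", "mq", "kafka"):  # the three interfaces named above
        if cfg.get(f"dump_message_data_{iface}") != "Disabled":
            findings.append(f"dump_message_data_{iface} must be Disabled (PA-DSS 2.3)")
    return findings + check_cipher_list(cfg.get("ssl_cipher_list", ""))

# Constructed sample with three deviations: long timeout, Kafka dump on, CBC suite appended.
SAMPLE_CONFIG = {
    "password_lowercase": True, "password_uppercase": True, "password_digits": True,
    "csrf_protection": True, "use_custom_http_headers": False, "mask_encrypted_values": True,
    "session_timeout_seconds": 1800, "dump_message_data_message_command": "Disabled",
    "dump_message_data_mq": "Disabled", "dump_message_data_kafka": "Enabled",
    "ssl_cipher_list": ":".join(APPROVED_CIPHERS) + ":ECDHE-RSA-AES128-SHA256",
}
```

Running `check_settings(SAMPLE_CONFIG)` returns three findings: the 1800-second timeout, the Kafka dump setting, and the appended CBC suite.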