Configuring miscellaneous settings

Configure several miscellaneous settings to meet various PA-DSS requirements.

  1. In the user interface, click the Administration tab.
  2. Locate the User Accounts section.
    Figure 1. User accounts settings
  3. Select the Password must contain lowercase, Password must contain uppercase, and Password must contain digits checkboxes.
  4. Click the Interfaces tab and scroll down to the Application Programming Interface section.
    Figure 2. API settings
  5. Select the Cross-site request forgery protection checkbox. Make sure that Session timeout (seconds) is set to a value of 900 seconds or less.
    Note: If you want to use tested default and secure HTTP headers, ensure that Use custom HTTP headers is disabled.
  6. Scroll up to locate the Message Tracing section under Message Command Interface.
    Figure 3. Message Tracing settings
  7. Select Disabled from the Dump message data drop-down list.
    Note: Dump message data needs to be disabled to comply with PA-DSS requirement 2.3.
  8. Scroll down to locate the MQ Interface section.
    Figure 4. MQ Interface settings
  9. Select Disabled from the Dump message data drop-down list.
    Note: Dump message data needs to be disabled to comply with PA-DSS requirement 2.3.
  10. Scroll down to the Kafka Interface section.
  11. Select Disabled from the Dump message data drop-down list.
    Note: Dump message data needs to be disabled to comply with PA-DSS requirement 2.3.
  12. Click the Misc tab and scroll down to the Miscellaneous section.
  13. Verify that SSL cipher list has the following entries:
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    Note: This list might be outdated because new vulnerabilities may have been discovered since it was written. The OpenSSL website publishes regular security advisories, including information about newly discovered vulnerabilities.

    http://www.openssl.org/

  14. If you are using the relational database interface, you must enable masking of encrypted attribute values.
  15. Click the Administration tab and select Mandators > Settings. Select a mandator.
  16. Scroll down to the Relational Database Interface section.
    Figure 5. Relational Database Interface settings
  17. Select the Mask encrypted values checkbox.
    Note: Repeat for all mandators.
  18. Click the Cluster tab and select Interfaces > Outgoing channel configurations from the navigation menu.
  19. For every outgoing channel configuration, select the Mask values checkbox unless you have a business need not to do so.
    Figure 6. Outgoing channel configuration settings
    Note: If you disable the Mask values option, make sure that only notifications, case actions, and external queries with a business need are associated with that outgoing channel configuration. If you store unmasked data that is received from an outgoing channel configuration, you must protect it according to PCI DSS requirements 3.4.1, 3.5, 3.6 and all applicable subrequirements.
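The following script is an added example for auditing a settings snapshot against the values set in steps 3 through 19; it is not part of the product or its documentation. The dictionary layout and key names (user_accounts, api, interfaces, ssl_cipher_list, mandators, outgoing_channels) are assumed for illustration, since the page does not show an export format. The cipher-list check goes beyond comparing against the documented string: it classifies each OpenSSL suite name by forward secrecy, AEAD mode, and legacy primitives, so an updated list can still be checked against the same policy when the documented one is outdated.

```python
"""Audit a settings snapshot against the PA-DSS-related values set in this
procedure. Added example; the snapshot layout and key names are assumptions,
not the product's real export format."""
from typing import Dict, List

# OpenSSL suite names read <key exchange>-<auth>-<cipher>-<mode>-<hash>.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305")
# Tokens that mark legacy or anonymous suites (export, RC4, DES, MD5, NULL, anonymous DH).
WEAK_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH"}
MAX_SESSION_TIMEOUT = 900  # seconds, per step 5

# Cipher list exactly as documented in step 13.
DOCUMENTED_CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def check_cipher(name: str) -> List[str]:
    """Return the reasons one OpenSSL suite name fails the policy implied by the
    documented list: forward-secret key exchange, AEAD mode, no legacy primitives."""
    problems = []
    upper = name.upper()
    if not upper.startswith(FORWARD_SECRET_PREFIXES):
        problems.append("no forward secrecy (key exchange is not ECDHE/DHE)")
    if not any(marker in upper for marker in AEAD_MARKERS):
        problems.append("not an AEAD suite (expected GCM or CHACHA20-POLY1305)")
    weak = [token for token in upper.split("-") if token in WEAK_TOKENS]
    if weak:
        problems.append("legacy primitive(s): " + ", ".join(weak))
    return problems


def audit(settings: Dict) -> List[str]:
    """Return a list of findings; an empty list means every documented setting is met."""
    findings = []
    accounts = settings["user_accounts"]
    for flag in ("password_lowercase", "password_uppercase", "password_digits"):
        if not accounts.get(flag):
            findings.append(f"user_accounts.{flag} is not enabled")
    api = settings["api"]
    if not api.get("csrf_protection"):
        findings.append("api.csrf_protection is disabled")
    timeout = api.get("session_timeout_seconds")
    if timeout is None or timeout > MAX_SESSION_TIMEOUT:
        findings.append(f"api.session_timeout_seconds={timeout} is not {MAX_SESSION_TIMEOUT} or less")
    if api.get("use_custom_http_headers"):
        findings.append("api.use_custom_http_headers is enabled; the tested default headers are not in use")
    for iface, cfg in settings["interfaces"].items():
        if cfg.get("dump_message_data") != "Disabled":
            findings.append(f"interfaces.{iface}.dump_message_data is not Disabled (PA-DSS 2.3)")
    for suite in filter(None, settings["ssl_cipher_list"].split(":")):
        for problem in check_cipher(suite):
            findings.append(f"ssl_cipher_list: {suite}: {problem}")
    for name, mandator in settings["mandators"].items():
        if not mandator.get("mask_encrypted_values"):
            findings.append(f"mandators.{name}.mask_encrypted_values is not enabled")
    for name, channel in settings["outgoing_channels"].items():
        if not channel.get("mask_values"):
            findings.append(f"outgoing_channels.{name}.mask_values is disabled; requires a documented business need")
    return findings


# Constructed snapshots: one that follows the procedure, one with typical drift.
COMPLIANT = {
    "user_accounts": {"password_lowercase": True, "password_uppercase": True, "password_digits": True},
    "api": {"csrf_protection": True, "session_timeout_seconds": 900, "use_custom_http_headers": False},
    "interfaces": {"message_command": {"dump_message_data": "Disabled"},
                   "mq": {"dump_message_data": "Disabled"},
                   "kafka": {"dump_message_data": "Disabled"}},
    "ssl_cipher_list": DOCUMENTED_CIPHER_LIST,
    "mandators": {"default": {"mask_encrypted_values": True}},
    "outgoing_channels": {"notifications": {"mask_values": True}},
}
WEAK = {
    "user_accounts": {"password_lowercase": True, "password_uppercase": False, "password_digits": True},
    "api": {"csrf_protection": False, "session_timeout_seconds": 3600},
    "interfaces": {"message_command": {"dump_message_data": "Enabled"},
                   "mq": {"dump_message_data": "Disabled"},
                   "kafka": {"dump_message_data": "Disabled"}},
    "ssl_cipher_list": "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:RC4-MD5",
    "mandators": {"default": {"mask_encrypted_values": False}},
    "outgoing_channels": {"export": {"mask_values": False}},
}

if __name__ == "__main__":
    for label, snapshot in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(f"{label}: {len(audit(snapshot))} finding(s)")
        for finding in audit(snapshot):
            print("  -", finding)
```

Run it as a script to print the findings for both constructed snapshots; in practice, replace the constructed dictionaries with values read from your own settings export, keeping the same keys. Suites such as AES256-SHA fail twice (no forward secrecy, CBC rather than AEAD), while ECDHE-RSA-AES128-SHA passes the forward-secrecy test but still fails the AEAD test, which is why checking each property separately is more useful than a plain string comparison.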