TIM security guide

The TIM application for iPod, iPhone and iPad is a mobile ordering and payment suite that can be connected to an Aloha Point of Sale system using devices running the Apple iOS operating system. By using the Linea Pro 4, the TIM application can even be configured to accept credit card payments at the table.  

This guide is intended to assist you in configuring TIM and your network safely. It is extremely important that you follow this guide to ensure that you are not only compliant, but also secure enough that an attacker is unlikely to consider you worth the time and effort.

Please note that this guide is exactly that: a guide. Being secure is not a one-time thing but a process and a state of mind. It requires that you continuously monitor and improve your security, change passwords, and write down and follow procedures. It is very important to stay vigilant about your security after having implemented TIM, or any other piece of software for that matter.


PCI Compliance


What is PCI DSS?

PCI DSS is short for Payment Card Industry Data Security Standard and is a set of rules all merchants are obliged to adhere to if they accept electronic payments in any shape or form. Depending on the environment, some sections of PCI DSS may or may not be relevant to a merchant. PCI DSS has been created by the PCI Security Standards Council and more information can be found at:

http://www.pcisecuritystandards.org

Why is this important for me?

As a TIM user you are required to use Aloha Point of Sale and it is likely that you accept electronic payments. It is therefore important as a merchant to establish in what shape or form you are required to adhere to PCI DSS and ensure that you are actually compliant. This guide will help you setup and maintain your TIM application and environment in a compliant manner.  

Compliance is a state of mind

As stated in the introduction, this guide itself is not a guarantee that you are compliant. Setting up TIM in a compliant way and then forgetting about it is, unfortunately, not an option. Being compliant is an on-going process that requires evaluation, standard operating procedures and protocols. Be aware of possible threats and ensure that the procedures suggested in this document are implemented. Also, always be on the lookout for best practices, updated documentation and security news.

If at any moment questions arise, don’t hesitate to contact your reseller. It’s always better to be safe than sorry!


System configuration


Operating systems

At the moment of writing, Windows XP is still supported by Microsoft and the Professional version qualifies as a compliant OS. Be aware though that support for Windows XP SP3 ends on 8 April 2014.

Windows Security

Make sure your operating system is up to date and patched. Security measures like firewalls and malware detection are mandatory; make sure these are updated regularly. Remove all shares that are not essential to your business software. Also disable all features and services that the business software does not require and that can pose a risk, such as simple file sharing, FTP access and unrestricted internet access.

Accounts

Ensure all user and service accounts are restricted to only allow the functionality they need. Ensure strong passwords are enforced where possible and configure session timeouts where possible so users are logged out or require re-authentication when not being active for a designated time period. Ensure that all default vendor user accounts are disabled or removed before using the system in your production environment.

 For passwords adhere to the following:

  • Use strong passwords of at least 8 characters, containing letters, numbers and special characters
  • Change your passwords on a scheduled interval
  • Do not write passwords down or share them amongst users
  • Do not re-use old passwords; ensure a new password has not been used before

 For your user accounts in general, keep the following in mind:

  • Securely manage all your users and accounts
  • Make sure accounts are disabled when employees no longer need access to a system
  • Use unique accounts for each user; avoid shared ‘group’ accounts
  • Ensure accounts do not have more access rights than strictly needed
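The password rules above can be enforced mechanically wherever you control the password change. The following is an added example written for this guide, not code from TIM or Aloha: it applies the rules the guide states (at least 8 characters, letters plus numbers plus special characters, no re-use) and keeps a history of only salted PBKDF2 hashes, so the old passwords themselves are never stored. The function names, the history depth of 5 and the hash parameters are this example's own choices.

```python
"""Password policy check illustrating the rules in the Accounts section.

Added example, not part of the TIM guide: the rule values (8 characters,
letters + digits + special characters, no re-use) come from the guide; the
function names and the salted-hash history format are this example's own.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8              # guide: at least 8 characters
HISTORY_DEPTH = 5           # assumption: how many old passwords are remembered
SPECIALS = set(string.punctuation)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the history file does not leak the old passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(history: list, password: str) -> None:
    """Store only a salted hash of the new password; keep the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]


def was_used_before(history, password: str) -> bool:
    # Each history entry carries its own salt, so re-derive the hash per entry
    # and compare in constant time.
    return any(hmac.compare_digest(_hash_password(password, salt), digest)
               for salt, digest in history)


def check_password(password: str, history=()) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")
    if was_used_before(history, password):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    history = []
    for candidate in ("short1!", "Longpassword", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, history) or "accepted")
    record_password(history, "Tr0ub4dor&3")
    print("Tr0ub4dor&3 again ->", check_password("Tr0ub4dor&3", history))
```

Because every history entry has its own salt, checking a candidate means re-deriving one hash per remembered password; with a history of five that is negligible for a user-facing password change, and it keeps the history file useless to anyone who copies it.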

WiFi Network

Devices running TIM rely on a WiFi network to access their backoffice web service. It is therefore essential that the following points are considered when implementing and configuring a WiFi network for TIM: 

  • Use the WiFi network only for TIM devices. No other devices should be allowed to connect to this network or SSID.
  • Do not allow direct access to the internet through this WiFi network.
  • Hide your SSID. Although this is no real countermeasure against a capable attacker, there is no need to make things easier.
  • Use only professional grade access points and change all default passwords and other security settings immediately upon installation.
  • Make sure all access points are physically secured so that they cannot be removed or hardware-reset without leaving a visible indication.
  • Create a procedure to check your access points for signs of tampering or replacement.
  • Configure a firewall between the WiFi network and the LAN.
  • If possible, disable the console function.
  • If possible, perform MAC address filtering.
  • Use WPA2 with AES as your WiFi encryption method with a long, complex password. We advise a 13-character password using letters, numbers and special characters. Rotate this password according to PCI DSS standards. Make sure a procedure is in place for changing this key if it is compromised or anybody with knowledge of this key leaves the company.
  • Use a WiFi vendor that uses IDS/IPS to detect and report rogue devices or access points.
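Several of the points above (WPA2 with AES, a 13-character complex key, hidden SSID, MAC filtering) can be verified against an exported access-point configuration rather than trusted to memory. The script below is an added example written for this guide, not a tool from TIM or any access-point vendor. It reads hostapd-style `key=value` settings (the configuration format of the common Linux access-point daemon) as a stand-in for whatever export your access point produces; the check wording and the two sample configurations, one factory-style and one hardened, are constructed here.

```python
"""Audit an access-point configuration against the WiFi checklist.

Added example, not part of the TIM guide or any vendor's tooling. Settings are
hostapd-style key=value lines; both sample configurations are constructed.
"""
import string

MIN_PASSPHRASE_LEN = 13   # guide: 13-character WPA2 passphrase
SPECIALS = set(string.punctuation)

# Constructed sample: typical out-of-the-box settings (mixed WPA/WPA2, TKIP allowed,
# short dictionary passphrase, SSID broadcast, no MAC filtering).
WEAK_CONFIG = """
interface=wlan0
ssid=TIM-Orders
wpa=3
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wpa_passphrase=password1
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Constructed sample: the same access point after applying the checklist.
HARDENED_CONFIG = """
interface=wlan0
ssid=TIM-Orders
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Tabl3-Service#Oct
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""


def parse_config(text: str) -> dict:
    """Parse hostapd-style 'key=value' lines, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_wifi(settings: dict) -> list:
    """Return the checklist items the configuration violates (empty = passes)."""
    findings = []
    if settings.get("wpa") != "2":
        findings.append("WPA2 not enforced (wpa must be 2)")
    if settings.get("wpa_key_mgmt") != "WPA-PSK":
        findings.append("key management is not WPA-PSK")
    # rsn_pairwise lists the WPA2 ciphers; anything besides CCMP (AES) is a finding.
    ciphers = set(settings.get("rsn_pairwise", "").split())
    if ciphers != {"CCMP"}:
        findings.append("pairwise cipher is not AES (CCMP) only")
    pw = settings.get("wpa_passphrase", "")
    if len(pw) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw)):
        findings.append("passphrase lacks letters, digits and special characters")
    if settings.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast")
    if settings.get("macaddr_acl", "0") != "1":
        findings.append("MAC address filtering (accept list) not enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_wifi(parse_config(text)) or "passes checklist")
```

Run the audit as part of the tamper-check procedure for your access points: a configuration that suddenly fails a check it passed last shift is itself an indication that the device was reset or replaced.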


Aloha Point of Sale

As TIM requires Aloha Point of Sale to function, it is necessary that you ensure that the Aloha Point of Sale environment is compliant. A guide to configuring Aloha POS in a compliant manner can be obtained through your Aloha reseller and is out of scope for this document.


TIM configuration and maintenance



The TIM application in combination with the Linea Pro or Linea Tab is able to process credit card transactions. However, it is important to note that all credit card data is encrypted on the Linea Pro device before it is sent to Aloha. The iPod, iPhone or iPad has no keys stored and is therefore not very vulnerable to attack. Also note that not using TIM for credit card payments still requires you to make sure the TIM environment is secure. As the TIM environment has direct access to your cardholder environment, TIM does not fall out of scope when you are not using a Linea Pro or Linea Tab.

TIM Configuration 

The TIM application must be installed by following the steps in the default TIM installation manual. 

However, it is important to ensure you take the following steps during installation:

  • Register the TIM service account to a dedicated administration account that has rights to the BOOTDRV share. Preferably the same account you registered the CTLSVR or EDCSVR to. Remove the ability for this account to log on to this machine.

Device Management

A possible vulnerability for TIM is the actual Linea Pro or Linea Tab itself. Technically this device can be targeted by persons with wrong intentions, so it is essential that these devices are secured. Take the following measures into account to make sure the devices stay secure:

  • Never leave Linea Pro devices, with or without the iPods, unattended. Make sure all devices are always accounted for and stored securely.
  • Mark the devices in such a way that they can be easily recognized. Ensure these markings cannot be mimicked or falsified.
  • Create a procedure to check for these markings daily or even per shift. 
  • Ensure knowledge of the markings is limited to only a select group of individuals and ensure there is a procedure to change these markings if necessary.
  • The TIM backoffice has a security measure in place to not allow communication with iOS devices that have not been manually approved. Restrict access to this application and create a procedure to verify that no devices have been allowed other than designated ones.