RPOWER User Security

From RPOWERWiki


RPOWER User Security is introduced with the release of Version 14 to provide PCI compliance and to secure all things RPOWER, including SQL reports and the RPOWER Dashboard.

Part of RPOWER User security is the concept of a PCI employee. In most cases a PCI employee will hold the privileges of a system employee, but in addition will be permitted to exit the POS system to the Windows desktop. For PCI compliance, non-PCI employees will never be permitted to exit the system.

Upon official release of RPOWER Version 14, a required submission during software ordering will be the restaurant owner's email address or SMS cell phone number. This information will then be encrypted into the stamp, and will allow the system to email or text the owner the SysAdmin password. Without this password, no additional PCI employees may be created, nor will exiting the system to the Windows desktop be possible.

Setup Sysadmin

Upon the initial attempt to exit the system, the operator will be presented the message displayed at right.

Selecting No returns the operator to the point of sale...

...Selecting Yes prompts the operator for entry of the day's 99 code.

Upon successful entry of the day's 99 code, the system emails a password to the restaurant owner.

Touching OK prompts for user name and password. In this case, i.e., the creation of the initial PCI employee, the user name is sysadmin (NOT case sensitive).

Upon successful entry of name and password, the operator is notified that the password will now need to be changed. Selecting Cancel returns the operator to the point of sale...

Selecting OK presents the user profile entry panel, with the cursor active in the Password field, although all fields are required entries.

The Name entry may be changed if desired during this operation, possibly to something more easily remembered. Again, it is NOT case sensitive.

The Contacts fields will also be used in the event the user's password is forgotten. They are the destination email address or SMS number to which a new password will be sent. Email or SMS should contain whatever destination will be most convenient for the user to retrieve a new password from. Emergency could also be labeled Alternate, and should contain an alternative email address or SMS number.

  • Note: When entering an SMS telephone number, no hyphens, dashes, or any other punctuation is accepted, only a ten-digit number.

The password must contain a minimum of seven characters, including at least one letter and at least one numeral. Note that passwords ARE case sensitive! PCI recommends that the supplied password be written down and stored in a safe.

  • Note: The password will expire after 90 days and will need to be re-entered then, this being another PCI requirement.

RPOWER warns if a weak password entry is attempted.

Fields PIN #1 and PIN #2 are used to enter the answers to security questions that the user himself or herself supplies, but they really could be anything. Common entries are mother's maiden name, name of first pet, favorite sport or hobby, etc. The PINs will be used as security challenges should the user forget their password in the future. Both fields must be populated and contain different answers...

...Attempting to use the same entry twice results in a warning.

The PCI compliant checkbox must remain checked to complete this, the initial PCI employee profile.

Touch Save to save the entry. Touch Cancel to abort entry and return to the point of sale.

RPOWER prompts for confirmation of the new password. Touch OK to confirm and exit RPOWER to the desktop, or touch Cancel to return to user profile entry.
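The profile rules described above (seven-plus character passwords with a letter and a numeral, 90-day expiry, ten-digit SMS numbers with no punctuation, two distinct PIN answers) collected into one set of checks. This is an added illustration, not RPOWER's own code; the field names, the `validate_profile` helper and the sample profiles are constructed for the example.

```python
import re
from datetime import date, timedelta

# Constants taken from the rules stated on this page.
PASSWORD_MIN_LEN = 7
PASSWORD_MAX_AGE_DAYS = 90


def password_problems(password: str) -> list[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    return problems


def password_expired(set_on: date, today: date) -> bool:
    """True once more than 90 days have passed since the password was set."""
    return today - set_on > timedelta(days=PASSWORD_MAX_AGE_DAYS)


def valid_sms_number(number: str) -> bool:
    """Exactly ten digits; hyphens, spaces or other punctuation are rejected."""
    return re.fullmatch(r"\d{10}", number) is not None


def pins_acceptable(pin1: str, pin2: str) -> bool:
    """Both security answers must be populated and must differ.
    The page does not say how case or whitespace is treated, so entries are compared exactly (assumption)."""
    return bool(pin1) and bool(pin2) and pin1 != pin2


def validate_profile(profile: dict) -> list[str]:
    """Collect every rule a constructed profile dict breaks; empty means it could be saved."""
    errors = [f"password: {p}" for p in password_problems(profile["password"])]
    if profile.get("sms") and not valid_sms_number(profile["sms"]):
        errors.append("sms: must be exactly ten digits with no punctuation")
    if not pins_acceptable(profile["pin1"], profile["pin2"]):
        errors.append("pins: both required and must differ")
    return errors


if __name__ == "__main__":
    # Constructed sample profiles, one passing and one failing several rules.
    good = {"password": "Kitchen7", "sms": "5551234567", "pin1": "Rex", "pin2": "Smith"}
    bad = {"password": "kitchen", "sms": "555-123-4567", "pin1": "Rex", "pin2": "Rex"}
    print("good:", validate_profile(good) or "OK")
    print("bad:", validate_profile(bad))
```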

Setup Additional PCI Employees

Once sysadmin has been created, additional PCI level employees, including the dealer and high level managers, may be created. These are employees that are permitted to exit RPOWER to the Windows desktop in order to maintain the system, or have other job requirements that make this permissible.

Employees are set up normally, completing, at minimum, the ID# and Name fields before touching Security.

The new user profile is then completed as described above. When the PCI compliant? box is checked, the operator is prompted for entry of PCI compliant credentials.

Enter PCI compliant credentials to proceed. Touch Save to save the entry. Touch Cancel to abort entry and return to employee setup.

RPOWER prompts for confirmation of the password. Touch OK to confirm and save the new profile, or touch Cancel to return to user profile entry.

Employee setup is then completed normally.

  • Important Note: Only PCI compliant employees may create new PCI compliant profiles. Once created, PCI profiles may then only be edited by their owner.

Forgotten Passwords

Should the employee forget their password, they may touch Forgot Password.

RPOWER responds with prompts for entry of PIN #1 or PIN #2. If Send to "emergency" contact is checked, RPOWER sends the new password to the Emergency contact instead.

Touch Send Password to proceed or Cancel to abort.

  • Note: It is not necessary for the user to remember which previously supplied PIN is which. Either entry may be used in either field.

RPOWER displays a confirmation that the password has been sent and to where.

The restaurant owner is also notified by email or text that a PCI employee's password has been changed.
