Upload
phungkhanh
View
226
Download
3
Embed Size (px)
Citation preview
Microsoft Dynamics AX 2012 R3
Cumulative Update 11
PA-DSS
implementation
guide This document describes the requirements
that you must follow to implement Microsoft
Dynamics AX 2012 and Payment Services for
Microsoft Dynamics ERP in a manner that
complies with the Payment Card Industry
(PCI) Data Security Standard version 3.2.
White paper
January 2017
Send feedback.
www.microsoft.com/dynamics/ax
PA-DSS implementation guide 2
Contents
Get the latest release of this guide 5
For more information 5
Part 1: Setup 6
Install the software 6
All computers: Maintain security 6
All computers: Prepare for monitoring of event logs 7
All Windows 10 computers: Disable the Microsoft-Windows-WinINet-Capture event log 8
All computers: Set up auditing of file access, object access, and audit policy changes 8
Enable auditing of file access, object access, and audit policy changes 8
Audit access to system folders and files 9
Required services and protocols 10
Dependent hardware 10
Communication and database computers: Open the firewall 11
Open Windows Firewall 11
At the head office: Set up the password policy 12
At the head office: Set up database logging 13
At the head office: Enable SQL Server trace logging 14
Obtain a Payment Services for Microsoft Dynamics ERP subscription 15
Partner: In Partner Portal, create a Payment Services account for the retailer 15
Retailer: In Customer Portal, set up a merchant account with a payment provider 15
Partner: In Partner Portal, activate the payment provider 16
Retailer: In Customer Portal, test the payment service 17
At the head office: Set up payment processing and hardware devices for stores 18
Set up payment processing 18
Set up devices in the Retail module 20
Configure a terminal ID for specific registers 20
Set up payment methods for payment processing 20
Enable tender types and card types for specific stores 21
Send payment processing changes to the stores 21
Test payment processing 22
Store computers: Set up the password policy 22
Store computers: Set up password-protected screen savers 23
PA-DSS implementation guide 3
Store computers: Turn off System Restore 23
Store computers: Turn off Internet Explorer Automatic Crash Recovery 24
In Microsoft Dynamics AX, set up Payment services in Accounts receivable 24
In Microsoft Dynamics AX, set up Payment services in online stores 25
Store computers: Set up group policies to enable a kiosk session (optional) 26
Part 2: Features that facilitate PCI compliance 40
Protect stored cardholder data 40
Audit logging 41
Provide secure authentication features 41
Store user names, passwords, and authentication 41
Set up a new store user (manager or cashier) in Microsoft Dynamics AX 42
Data storage and deletion 43
Versioning methodology 43
Data transmissions 44
Payment data flow diagrams 45
Flow of payment data in Retail Modern POS when the full integration model is used 45
Flow of payment data in Retail Modern POS when the semi-integrated model is used 47
Flow of payment data in Retail Enterprise POS when the semi-integrated model is used 49
Flow of payment data in Retail Enterprise POS when the full integration model is used 50
Flow of payment data in Microsoft Dynamics AX Accounts receivable and call center 51
Flow of payment data in an e-Commerce Sample Web Storefront 53
Part 3: Connection limitations 54
Internet connections 54
Protect wireless connections 54
Remote access 55
Non-console administrative access 55
Part 4: Audit logging 56
Monitor Microsoft Dynamics AX activity 56
View information about user sign-in and user sign-out 56
View the audit trail 56
View the SQL Server trace log files 57
Monitor Retail POS activity 57
PA-DSS implementation guide 4
Monitor event logs 58
Part 5: Software updates and support 59
Software updates 59
Troubleshooting and support 59
Support personnel access the customer’s desktop 60
Support personnel travel to the customer’s place of business 60
Distribution of hotfixes 60
Appendix A: Version history 61
PA-DSS implementation guide 5
PA-DSS implementation guide
You must follow the requirements in this guide to implement Microsoft Dynamics AX 2012 and Payment Services for
Microsoft Dynamics ERP (the integrated payment solution from Microsoft) in a manner that complies with the
Payment Card Industry (PCI) Data Security Standard version 3.2.
Note: AX 2012 includes Microsoft Dynamics AX for Retail.
The requirements in this guide represent best practices that should be implemented even if you are not required to
comply with the PCI Data Security Standard.
This guide is intended for and disseminated to customers, Microsoft Certified Partners, resellers, and integrators who
are deploying AX 2012 in a retail organization where electronic credit card and debit card payments are accepted,
and where AX 2012 is used as the payment application. As a payment application, AX 2012 is subject to the PCI
Payment Application Data Security Standard (PA-DSS). The contents of this guide reflect that standard.
Important:
● Although this guide is made available to Microsoft customers, some of the steps in it are technical and should be
completed only by a Microsoft Certified Partner. Implementation by anyone other than a Microsoft Certified
Partner could be considered cause for concern by PCI Security Standards Council assessors, and could
compromise the security of both cardholder and proprietary information.
● AX 2012 has been validated for PCI compliance only with Payment Services for Microsoft Dynamics ERP, the
integrated payment solution from Microsoft. If you intend to use AX 2012 with another payment solution or
modify the out-of-box integrated payment solution, you must obtain separate compliance validation.
Get the latest release of this guide
This guide is reviewed annually, whenever a service pack or hotfix for AX 2012 is released, and whenever an update
to one of the Data Security Standards is released. For information about what has changed, see Appendix A: Version
history, later in this guide. To obtain the most up-to-date copy of this guide, go to
http://go.microsoft.com/fwlink/?LinkId=275035.
For more information
To read the full text of the PCI Data Security Standard or the PCI PA-DSS, go to http://www.pcisecuritystandards.org.
Microsoft provides training materials to our partners, resellers, and integrators to help them implement AX 2012. For
more information, go to http://go.microsoft.com/fwlink/?LinkID=188800.
PA-DSS implementation guide 6
Part 1: Setup
For PCI compliance, you must complete all the procedures in this part of the guide.
Install the software
To deploy AX 2012 in a manner that is PCI-compliant, follow the instructions in the Microsoft Dynamics AX 2012
Upgrade Guide, which is available for download at http://go.microsoft.com/fwlink/?LinkID=221465.
Important:
● For maximum security, AX 2012 must be installed in the Program Files folder or a location that has similar access
control protections.
● Requirement 8.5.8 of the PCI Data Security Standard specifies that group, shared, and generic accounts (for
example, the system administrator [sa] account for access to the database) must be disabled or removed.
All computers: Windows Lifecycle Policy
The Microsoft Lifecycle Policy gives you consistent and predictable guidelines for the availability of support
throughout the life of a product. You should review Microsoft support lifecycle policy
(https://support.microsoft.com/en-us/help/14085) to understand phases of the Support Lifecycle for Business,
Developer, Consumer and Multimedia Software, such as extended support will continue to provide Security Updates.
All computers: Maintain security
You must install security hotfixes and service packs as soon as they become available. For best results, turn on
Automatic Updates.
Strong cryptography must be used together with Transport Layer Security (TLS) 1.2 or above only.
1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server
2012, Windows Server 2012 R2, or Windows Server® 2008 R2, click Start, type regedit in the search box, and
then press Enter.
2 In the Registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
3 Create the registry keys and sub-keys for the following areas. If a registry key doesn’t exist, right-click the
Protocols key, and then enter a new key.
Key Subkeys
SSL 2.0 Client
Server
SSL 3.0 Client
Server
PA-DSS implementation guide 7
Key Subkeys
TLS 1.0 Client
Server
TLS 1.2 Client
Server
4 Create DWORD (32-bit) values for the following keys. To create a new DWORD, go to the key, right-click it, and
then click Edit > New >DWORD (32-bit) value.
Key DWORD name DWORD value
SSL 2.0 > Server Enabled 0
SSL 2.0 > Client Enabled 0
SSL 3.0 > Server Enabled 0
SSL 3.0 > Client Enabled 0
TLS 1.0 > Server Enabled 0
TLS 1.0 > Client Enabled 0
TLS 1.1 > Server Enabled 0
TLS 1.1 > Client Enabled 0
TLS 1.2 > Server Enabled 1
TLS 1.2 > Server DisabledByDefault 0
TLS 1.2 > Client Enabled 1
TLS 1.2 > Client DisabledByDefault 0
5 In the Registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
6 Create a new DWORD (32-bit) value. Set the value name to SchUseStrongCrypto and the value to 1.
7 In the Registry editor, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319.
8 Create a new DWORD (32-bit) value. Set the value name to SchUseStrongCrypto and the value to 1.
All computers: Prepare for monitoring of event logs
The event logging capabilities that are built into Microsoft Windows help you comply with Requirements 10.2 and
10.3 of the PCI Data Security Standard. Complete the following procedure on all computers to configure the
retention period for event logs.
Important: You should not disable event logging. Otherwise, your system will not comply with the PCI Data Security
Standard.
PA-DSS implementation guide 8
1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server
2012, Windows Server 2012 R2, or Windows Server 2008 R2, click Start, type Event Viewer in the search box, and
then press Enter.
2 If the Windows Logs folder is available, expand it, right-click Security, and then click Properties.
3 In the Maximum log size field, type 102400.
4 Select Overwrite events as needed, and then click OK.
All Windows 10 computers: Disable the Microsoft-Windows-
WinINet-Capture event log
If you are running Windows 10, you must disable event log WinINet (Microsoft-Windows-WinINet-Capture) >
Capture/Analytic.
1 If you are running Windows 10, click Start, type Event Viewer in the search box, and then press Enter.
2 Expand Applications and Services Logs > Microsoft > WinINet (Microsoft-Windows-WinINet-Capture),
right-click Capture/Analytic, and then click Properties.
3 In the Enable logging field, clear the check box.
4 Click OK.
All computers: Set up auditing of file access, object access, and
audit policy changes
All access to computers, servers, and databases by Dynamics AX 2012 must be controlled via unique user IDs
and secure authentication that complies with the PCI Data Security Standard.
To audit changes that are made to the computer’s audit policy, and access to log files and system objects, complete
both the following procedures on all computers.
Notes:
● In an implementation of AX 2012 that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is
stored, and users cannot change the flow or security of cardholder data. Nevertheless, you must complete the
procedures in this section to comply with Requirements 10.2 and 10.3 of the PCI Data Security Standard, and to
help make organizational data more secure.
● For domain computers, work with the domain administrator to make sure that local audit policies are not
overwritten by less stringent domain policies.
● For information about how to view and manage log files, see Part 4: Audit logging, later in this guide.
Enable auditing of file access, object access, and audit policy changes
1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server
2012, Windows Server 2012 R2, or Windows Server 2008 R2, click Start, type Local Security Policy in the search
box, and then press Enter.
2 Expand the Local Policies folder, and then click Audit Policy.
PA-DSS implementation guide 9
3 Double-click Audit account logon events, select both the Success and Failure check boxes, and then click OK.
4 Double-click Audit account management, select both the Success and Failure check boxes, and then click OK.
5 Double-click Audit object access, select both the Success and Failure check boxes, and then click OK.
6 Double-click Audit policy change, select both the Success and Failure check boxes, and then click OK.
Audit access to system folders and files
Use the following procedure to turn on folder and file auditing. The folders that you must audit vary by operating
system.
For Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, or
Windows Server 2008, you must audit the following folders:
● C:\Windows\System32\winevt\Logs.
● The folder where AX 2012 is installed (by default, C:\Program Files\Microsoft Dynamics AX or, on a 64-bit
computer, C:\Program Files (x86)\Microsoft Dynamics AX). See the note in step 8 of the procedure.
● The Microsoft SQL Server data directory (by default, C:\Program Files\Microsoft SQL Server\<instance
name>\MSSQL\Log).
Complete this procedure for each folder in the previous list.
1 In Windows Explorer, right-click the folder name, and then click Properties.
2 On the Security tab, click Advanced.
Note: If the Security tab is not available, on the Tools menu, click Folder Options, and then, on the View tab,
clear the Use simple file sharing check box.
3 Click the Auditing tab. If you receive a security message, click Continue.
4 Click Add.
5 In the Enter the object name to select field, type Everyone, and then click Check Names.
6 If the name is valid, click OK.
7 In the Apply onto field, make sure that This folder, subfolders and files is selected.
8 In the Access list, select both the Successful and Failed check boxes for the following privileges, and then click
OK:
● Create files/write data
● Create folders/append data
● Delete subfolders and files
● Delete
● Read permissions
● Change permissions
Note: Do not enable Read permissions for the folder where Microsoft Dynamics AX for Retail POS is installed (by
default, C:\Program Files\Microsoft Dynamics AX\60\Retail POS).
9 If the previous settings provide more auditing than is otherwise set up for the folder, select the Replace all
existing inheritable auditing entries check box, and then click OK.
10 Click OK in the remaining dialog boxes.
PA-DSS implementation guide 10
Required services and protocols
The following table lists the services and protocols that are required by Microsoft Dynamics AX for Retail and its
components.
Retail components Required services and protocols
Retail Headquarters Dynamics AX 2012
Commerce Data Exchange: Async Server ● Internet Information Services
● SQL Server
(Default port: 1433)
Commerce Data Exchange: Synch Service ● Windows Sockets
● Internet Protocol security (IPsec)
(Default port: 16750)
● SQL Server
(Default port: 1433)
● Dynamics AX .NET Business Connector
Commerce Data Exchange: Real-time Service ● Microsoft .NET Remoting
(Default port: 1239)
● Internet Information Services
● Dynamics AX .NET Business Connector
Retail Enterprise POS SQL Server
(Default port: 1433)
Retail POS Offline Sync Service Microsoft Sync Framework 2.1
Retail POS Database Utility SQL Server
(Default port: 1433)
Retail Modern POS SQL Server
(Default port: 1433)
Retail hardware station Internet Information Services
Dependent hardware
The following Pin Transaction Security (PTS)-terminals can be used for AX 2012:
● VeriFone Mx925/Mx915, PTS-approval 4-10110
● Equinox Payment L5200, L5300, PTS-approval
PA-DSS implementation guide 11
Communication and database computers: Open the firewall
To establish communications between computers in the organization, open the firewall on any communications
server and on store database computers, as described in the following table.
Type of computer Open the firewall to these programs
Head office communications server ● Synch Service
● Real-time Service
Store communications server ● SQL Server, to enable connections to the message
database
● Synch Service
Store database server SQL Server
Store register with its own local database SQL Server, but only if Synch Service is on a different
computer
Notes:
● Instead of opening the firewall to Synch Service and Real-time Service, you might prefer to open the firewall to
the TCP ports that these programs use. In this case, you must know the port numbers that you specified when
you deployed the services. By default, the port numbers are 1433 for SQL Server, 16750 for Synch Service, and
1239 for Real-time Service.
● If you are using multiple instances of Synch Service on a single computer, we recommend that you open the
firewall to specific port numbers instead.
● Depending on the settings of your firewall, you might also have to open the firewall to outbound traffic on client
and register computers. To determine whether this step is required, consult your network administrator.
● The instructions in the rest of this section are for Windows Firewall. If you are using another firewall, see the
firewall documentation for more information.
Open Windows Firewall
To open Windows Firewall to a program on Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server
2012, or Windows Server 2012 R2, use the New Rule Wizard to create a rule that manages the connections that the
allowed program can receive. You can use the default settings for each rule, but you must provide the path of the
program and a name for the rule.
Program Typical program path Suggested rule name
SQL Server C:\Program Files\Microsoft SQL
Server\<instance
name>\MSSQL\Binn\Sqlservr.exe
SQL Server <instance name>
Async Server (if installed) C:\Program Files (x86)\Microsoft
Dynamics AX\60\CDX\Async Server
Commerce Data Exchange Async
Server
PA-DSS implementation guide 12
Program Typical program path Suggested rule name
Real-time Service (if installed) C:\Program Files (x86)\Microsoft
Dynamics AX\60\CDX\Real-time
Services
Commerce Data Exchange Real-time
Service
Note: On a 64-bit operating system, Async Server and Real-time Service are in the Program Files (x86) folder path
instead.
1 Sign in to the computer as a Windows Administrator.
2 Click Start, type wf.msc in the search box, and then press Enter.
3 Click Inbound Rules.
4 To create a new rule, click New Rule, select Program, and then complete the New Inbound Rule Wizard.
5 Repeat step 4 for the other programs that should be allowed through the firewall.
At the head office: Set up the password policy
Requirement 8.5.8 of the PCI Data Security Standard specifies that group, shared, and generic accounts must not be
used, and it provides test procedures for verifying that these accounts are not used.
Requirements 8.5.9 through 8.5.14 specify password and account security regulations for people who have
administrative access to the payment application. To comply with these requirements, contact the domain
administrator to establish group policies for the domain that meet the minimum requirements that are described in
the following table.
Policy Security setting
Enforce password history 4 passwords remembered
Maximum password age 90 days
Minimum password length 7 characters
Password must meet complexity requirements Enabled
Account lockout duration 30 minutes
Account lockout threshold 6 invalid sign-in attempts
Notes:
● Users of AX 2012 are subject to Active Directory Domain Services (AD DS) security policies. Therefore, users of AX
2012 are subject to the same password policy as domain users.
● You cannot install AX 2012 on a computer that is not part of the domain.
● These policies meet the minimum requirements of Requirements 8.5.9 through 8.5.14. You can use more stringent
settings.
● For more information about how to manage password policy via group policies, see Working with Group Policy
objects.
PA-DSS implementation guide 13
At the head office: Set up database logging
By modifying the audit trail in AX 2012, you can enable logging of the following events in the head office database:
● Changes to the audit trail settings – These settings are stored in the DATABASELOG table for the head office
and in the RetailFunctionalityProfile table for Retail components.
● Changes to the payment processing configuration – These settings are stored in the RetailHardwareProfile
table for both the head office and Retail store components.
● The creation, deletion, or modification of cashier user accounts and permissions – These settings are stored
in the RetailStaffPermissionGroup table for the head office and in the RetailStaffTable table for Retail
components.
Note: Although the logging of activity in the head office database is related to Requirements 10.2 and 10.3 of the
PCI Data Security Standard, it is beyond the scope of the PCI requirements because, in an implementation of AX 2012
that uses Payment Services for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the
cardholder data flow or the security of cardholder data. Therefore, the following procedure is included in this guide
as an optional best practice that helps make organizational data more secure.
1 To set up logging in the head office database, click System administration > Setup > Database > Database log
setup.
2 Create the following new entries by following the wizard.
Table name Actual system name
POS functionality profile RetailFunctionalityProfile
POS hardware profiles RetailHardwareProfile
Component Item ID RetailStaffLoginLog
Staff permission group RetailStaffPermissionGroup
Staff RetailStaffTable
Audit trail setup SysDatabaseLogTableSetup
3 Click System administration > Setup > Licensing > Licensing configuration.
4 Under Administration, select the Electronic signature check box, and then click OK. If you are prompted to
synchronize tables, click Yes.
Notes:
● This procedure sets up logging on Insert, Delete, Update, and Rename Key actions. To view or modify this setup,
click System administration > Setup > Database > Database log setup.
● For each change to one of these tables, AX 2012 records the user who performed the action, the table that was
modified, the action that was taken, the attribute that was changed, the time and date of the action, and the ID of
the record that was modified or added. For each Update action, Dynamics AX also records both the previous
settings and the new settings.
PA-DSS implementation guide 14
● By default, any user who has database access can query a database log by using .NET Business Connector, X++,
or alerts, or by using direct database access. To help protect data, restrict permissions on the SysDatabaseLog
table. For more information, see Manage table and field access and Table Properties.
● For information about how to view logged actions, see Monitor AX 2012 activity, later in this guide.
At the head office: Enable SQL Server trace logging
To monitor access to the audit log, enable SQL Server trace logging by using the AxRetailTrace.sql file.
Notes:
● AxRetailTrace.sql is included in the AX 2012 download package and can be found in the RetailSecurityGroups
subfolder of the folder where you extracted the installation files.
● Although this procedure is related to Requirements 10.2 and 10.3 of the PCI Data Security Standard, it is beyond
the scope of the PCI requirements because, in an implementation of AX 2012 that uses Payment Services for
Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the
security of cardholder data. Therefore, the following procedure is included in this guide as an optional best
practice that helps make organizational data more secure.
1 Copy AxRetailTrace.sql to the computer where the head office database is located.
2 Open Microsoft SQL Server Management Studio, and connect to the instance of SQL Server that is used in the AX
2012 deployment.
3 On the File menu, point to Open, click File, browse to and select the .sql file, and then click OK.
4 Click Execute.
Notes:
● The trace log files are located in the Log directory for the instance. SQL Server trace log files have a maximum size
of 100 MB. When the size of a log file exceeds this limit, a new log file is created by using a date-based
numbering scheme.
● For information about how to view and manage log files, see Part 4: Audit logging, later in this guide.
● A commented section at the end of the AxRetailTrace.sql script file contains the code for performing several
operations that are related to trace logging. These operations include manually starting and stopping the trace,
viewing the contents of the AX 2012 log tables, viewing the trace detail, and disabling the automatic start of
tracing. To complete one of these operations, copy the code for the operation into a new query file, modify the
script as described in the comments, and then click Execute.
PA-DSS implementation guide 15
Obtain a Payment Services for Microsoft Dynamics ERP
subscription
You can configure AX 2012 with Payment Services for Microsoft Dynamics ERP to process credit card and debit card
transactions at retail point of sale (POS) registers, in online stores, and in the Accounts receivable module in AX
2012. For more information about Payment Services for Microsoft Dynamics ERP, go to
http://go.microsoft.com/fwlink/?LinkID=188806.
Payment Services accepts various payment types, and you can select among several payment providers.
The process for setting up Payment Services consists of several tasks. Some of these tasks are performed by the
retailer, and others are performed by a Microsoft Dynamics AX partner. The tasks are performed in this order:
1 Partner: In Partner Portal, create a Payment Services account for the retailer.
2 Retailer: In Customer Portal, set up a merchant account with a payment provider.
3 Partner: In Partner Portal, activate the payment provider.
4 Retailer: In Customer Portal, test the payment service.
Note: When partners work with payment accounts for customers, they must use the customer’s Microsoft account
instead of their own Microsoft account.
Partner: In Partner Portal, create a Payment Services account for the retailer
1 Sign in to Partner Portal by using your Microsoft account email address and password.
2 Click Customer List, and then click New Customer to add the retailer.
3 Select the retailer in the list, click Add Service, and then create a Payment Services account for the retailer.
4 In the Add Service form, in the Purpose of account field, select Production.
5 Click Service List, select the payment service that you created in step 3, and then click Send Activation to send
an invitation to the retailer.
The retailer receives this invitation by email.
Retailer: In Customer Portal, set up a merchant account with a payment provider
1 In the invitation email message from your Microsoft Dynamics AX partner, click the invitation link to Payment
Services, and then sign in by using your Microsoft account email address and password.
2 Under Payment settings, click Payment providers.
3 Compare the payment providers, read their terms, and then click Sign up now for the provider that you want.
● If you select First Data (EMPS), your contact information is automatically sent to First Data Merchant Services
(FDMS). FDMS will contact you to process the application.
● If you select CyberSource, your contact information is automatically sent to CyberSource. CyberSource will
contact you to process the application.
● If you select another provider, follow the provider’s instructions to submit an application.
4 Sign in to Customer Portal by using your Microsoft account email address and password.
5 Click Service list, select the check box for the payment service, and then click Change Partner.
PA-DSS implementation guide 16
6 In the Change support partner form, select the partner in the list, select the Grant service access to the
selected partner check box, and then click Change Partner.
Note: If you do not find your partner in the list, tell your partner to register as a partner for online services for
Microsoft Dynamics ERP. For more information, see the Partner Portal Provisioning Guide.
7 Sign out of Customer Portal.
The payment provider will contact you to process your application and set up a merchant account for you. The
process of setting up a merchant account typically includes performing a credit check, discussing terms of service,
and signing a contract with the payment provider. This process might take several days. This process does not
involve any actions in AX 2012. After your merchant account is set up with the payment provider, the payment
provider provides the settings for the merchant account to you. Provide the settings for the merchant account to
your Microsoft Dynamics AX partner.
Partner: In Partner Portal, activate the payment provider
1 Sign in to Partner Portal by using your Microsoft account email address and password.
2 In the Customer list, select the customer, and then click the link in the Services column.
3 Select the service, and then click Open Service.
4 Under Payment Settings, click Payment Methods.
5 Under Payment Provider Accounts, select an account, and then, under Actions, click Activate.
The Payment Services website displays the Payment Provider Account Activation form.
6 Depending on the payment provider, follow one of these steps:
● First Data – Use the following guidelines to enter the merchant account information that you received from
the retailer and the payment provider, and then click Activate:
● AcquirerBin – Enter the acquirer Bank Identification Number (BIN).
● AgentBankNumber – Enter the agent number.
● AgentChainNumber – Enter the chain number.
● City – Enter the city of the merchant.
● Country / Region Code – Enter the three-letter country/region code, such as USA or CAN.
● Email – Enter the email address that was provided to the payment provider.
● LanguageCode – Enter the two-letter language code, such as 00 for US English.
● LocationNumber – Enter the location number.
● MerchantAbaNumber – If the payment provider does not provide a value, leave this field blank.
● MerchantCategoryCode – Enter the merchant category, which is also known as the Standard Industry
Code (SIC). The payment provider provides this value.
● MerchantId – Enter the merchant number.
● MerchantName – Enter the name of the merchant.
● Postal Code – Enter the postal code of the merchant.
● Reimbursement – If the payment provider does not provide a value, leave the field blank.
● ServicePhoneNumber – Enter 8884777877.
● SettlementAgentNumber – If the payment provider does not provide a value, leave the field blank.
PA-DSS implementation guide 17
● SharingGroup – If the payment provider does not provide a value, leave the field blank.
● MerchantState – Enter the state or province of the merchant, such as WA for Washington.
● StoreNumber – Enter the store number.
● Street Address – Enter the street address of the merchant.
● TerminalId – Enter the terminal number of the merchant.
● VNumber – Enter the V number. The V number is seven digits and starts with 7.
● First Data/Express Merchant Processing Solutions (EMPS) – Use the following guidelines to enter the
merchant account information that you received from the retailer and the payment provider, and then click
Activate:
● DOPSIdentifier – Enter DOPSIdentifier.
● DOPSPassword – Enter DOPSPassword.
● MerchantCategoryCode – Enter the merchant category code, which is also known as the MCC code. The
payment provider provides this value.
● MerchantCity – Enter the city of the merchant.
● MerchantCountryCode – Enter the two-letter country/region code, such as US or CA.
● MerchantId – Enter the merchant ID. If there are two merchant IDs, do not enter Nashville MID.
● MerchantName – Enter the name of the merchant.
● MerchantPostalCode – Enter the postal code of the merchant.
● MerchantStateOrProvince – Enter the state or province of the merchant.
● MerchantStatus – Enter 1.
● MerchantStreetAddress – Enter the street address of the merchant.
● ServicePhoneNumber – Enter 8884777877.
● StoreNumber – If the payment provider does not provide a value, leave this field blank.
● TerminalId – Enter the terminal ID of the merchant.
● CyberSource – Use the following guidelines to enter the merchant account information that you received
from the retailer and the payment provider, and then click Activate:
● MerchantId – If the payment provider does not provide a value, enter MerchantId.
● RawProvisionData – Enter any value, such as 123abc.
● Note: You must have two CyberSource accounts: one for transactions where the card is present and one
for transactions where the card is not present. Both accounts must be activated in the CyberSource live
environment.
● PayPal – No action is required. A merchant account is automatically activated after the payment provider
creates and activates it.
7 Under Accepted Payment Methods, select the payment provider to use for each payment method.
8 Click Save and Close.
Retailer: In Customer Portal, test the payment service
1 Sign in to Customer Portal by using your Microsoft account email address and password.
2 Click Dashboard, and then click the Payment Services account.
3 Under Places, click Manage payments, and then click New Payment.
PA-DSS implementation guide 18
4 Under Card Information, enter the required information. This information includes a minimum payment amount,
such as $1.00.
5 Under Billing Address, enter the required information, and then click Process Payment.
6 Repeat steps 3 through 5 for each type of credit card that you accept in your stores.
7 Sign out of Customer Portal.
8 Contact the payment provider for each test transaction, and make sure that the transactions are processed
correctly. Also verify that the correct transaction fees are assessed, as specified in your payment provider
agreement.
9 Sign in to Customer Portal, click Dashboard, and then click the same Payment Services account that you clicked
in step 2.
10 Under Places, click Manage payments, and then select and refund each test transaction.
At the head office: Set up payment processing and hardware
devices for stores
In AX 2012, the only time that store employees have access to card numbers is at the time of sale, when the cashier
swipes the card. Payment information is sent directly from Retail POS to the processor at that time, and transactions
are settled immediately. Payment information in the AX 2012 database is limited to the customer’s name, the
payment amount, the card type, and the last four digits of the card number. The entire primary account number
(PAN) is never stored.
Set up payment processing
After auditing and other security measures are in place, the store can begin to accept card payments. To set up
payment processing, follow these steps.
1 Obtain a Payment Services for Microsoft Dynamics ERP subscription by following the instructions earlier in this
guide, and associate the subscription with the retail organization’s merchant account.
2 Click Retail > Setup > POS > Profiles > Hardware profiles, and then, in the left pane, select the hardware
profile for the store.
3 On the EFT service FastTab, in the EFT service field, select Payment Connector.
4 In the Merchant account ID field, enter the merchant account ID that you received from the payment provider.
5 In the Service account ID field, enter the service account ID that you received from the payment provider.
6 In the Microsoft account field, enter the same Microsoft account email address that was used to set up the
merchant account in Customer Portal.
7 In the Microsoft account password field, enter the password for the Microsoft account.
8 In the Supported currencies field, enter currency codes for the currencies that the payment service supports.
Separate the currency codes by semicolons, without spaces. For example, enter USD;CAD.
9 In the Supported payment methods field, enter the payment methods that the payment service accepts.
Separate the payment methods by semicolons, without spaces. For example, enter Visa;AmericanExpress;Debit.
10 Copy the contents of the Public key field.
11 Sign in to Customer Portal by using your Microsoft account email address and password.
PA-DSS implementation guide 19
12 Under Organization settings, click User management, and then, in the New group, click System User.
13 In the Public key field, enter the public key that you copied in step 10, and then click Save.
14 In the User management list, click the first name or last name of the system user that you created in step 13, and
then click Edit.
15 Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button
to add the role to the Selected Roles list, and then click Save.
16 Sign out of Customer Portal.
17 Associate a hardware profile with each register to enable payment processing and so that you can select devices.
For more information, see Set up devices in the Retail module.
18 Set up payment methods to use payment processing. For more information, see Set up payment methods for
payment processing.
19 Enable one or more payment processing tender types for each store. For more information, see Enable tender
types and card types for specific stores.
20 Turn on payment processing at stores by running scheduled jobs. For more information, see Send payment
processing changes to the stores.
21 Configure Accounts receivable for payment processing to support customer orders. For more information, see In
AX 2012, set up Accounts receivable for Payment Services.
Notes:
● These steps are not specifically required for PCI compliance. However, if you skip them, the store cannot use
AX 2012 to process the payments that are subject to the PCI Data Security Standard. The steps are described in
more detail later in this section.
● By using Payment Services for Microsoft Dynamics ERP, you can easily and securely accept and process credit and
debit card payments in your applications, online, from the head office, and in your stores. The PCI-certified service
lets you select among several payment providers and seamlessly incorporates multiple payment options without
requiring additional software or integration.
● When AX 2012 is used in the United States and Canada, the only processor that it communicates with is Payment
Services for Microsoft Dynamics ERP. This communication is configured in the Retail module, and then the
settings are sent down to the stores. During authorization and settlement, these settings are used to identify the
organization’s subscription and its associated merchant account. No cardholder data is included.
Important: AX 2012 has been validated for PCI compliance only with Payment Services for Microsoft Dynamics ERP.
If you intend to use AX 2012 with another payment solution, you must obtain separate compliance validation.
PA-DSS implementation guide 20
Set up devices in the Retail module
To complete this procedure, you must obtain the actual device names from the store. You can view device names on
the register by viewing the appropriate device class (MSR, PINPad, or POSPrinter) in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\OLEforRetail\ServiceOPOS
1 Click Retail > Setup > POS > Profiles > Hardware profiles.
2 In the list, select the correct profile.
3 Configure hardware devices, such as receipt printers, magnetic stripe readers (MSRs), and personal identification
number (PIN) pad devices. On the tab for each device, in the Device name field, type the appropriate device
name. A description for the device is optional.
Notes:
● In the hardware profile, you must use the same device names that you use when you configure the actual devices
on each terminal.
● If you have registers where payment processing will not occur, consider using a hardware profile that does not
have payment processing configured.
● You must create a separate hardware profile for each combination of devices that is used in the stores. If similar
devices are named differently on different registers or in different stores, you must create additional hardware
profiles.
Configure a terminal ID for specific registers
To enable payment processing and select devices, you must associate the hardware profile with each register.
1 Click Retail > Setup > POS > POS Registers.
2 Double-click the register to modify.
3 On the General tab, in the Hardware profile field, select the appropriate profile. Then, in the EFT POS register
number field, type one of the terminal IDs that you received from the payment provider.
Note: Some payment providers refer to electronic funds transfer (EFT) POS register numbers as terminal IDs.
However, in Retail POS, terminal ID refers to the terminal number that is shown on the General tab. The terminal
number and the EFT POS register number do not have to match, but both numbers must be unique for each
terminal.
4 Repeat steps 2 and 3 for other registers. When you have finished associating hardware profiles with registers,
close the form.
Set up payment methods for payment processing
Payment methods are the types of tender that the store accepts. In this case, the payment methods are credit cards
and debit cards. Card types are the specific credit cards that are accepted for a card tender type. For more
information about the steps in this procedure, see AX 2012 2012 Help.
1 Click Retail > Setup > Payment methods > Payment methods.
2 On the toolbar, click New.
PA-DSS implementation guide 21
3 In the new row, type a unique number and description for the new payment method. Then, in the Default
function column, click the arrow, and select Card.
4 Close the form.
5 Click Retail > Setup > Payment methods > Card types.
6 On the toolbar, click New.
7 In the new row, type a unique ID and name for the new card type. Then, in the Card types column, click the
arrow, and select the appropriate option.
8 While the new row is still selected, click Card number.
9 Create a verification mask for the card type by entering the range of digits that all cards of this type begin with.
For example, Visa card numbers begin with 4. Therefore, to verify that cards that are accepted as the Visa card
type are really Visa cards, you can create a mask value of 4.
10 Close the Card number form.
11 Close the Card type form.
Enable tender types and card types for specific stores
1 Click Retail > Common > Retail channels > Retail stores.
2 Select a store, and then, on the Setup tab, click Payment methods.
3 On the toolbar, click New, and then, on the General tab, in the Payment method field, select a payment method.
The information for the selected payment method is filled in automatically.
4 While the row for the new payment method is still selected, click Card setup.
5 On the toolbar, click New, and then, in the Card ID field, select the card type for this payment method.
6 Select the new card setup, and then, on the General tab, select the Check expiration date check box.
7 Close the Card setup form.
8 Close the Payment method form.
9 Repeat steps 3 through 8 for any other payment methods for this store.
Send payment processing changes to the stores
Payment processing changes do not take effect until the associated scheduled jobs are run and the information that
is included in the jobs is sent down to the stores. This procedure describes how to run the jobs manually.
1 Click Retail > Periodic > Data distribution > Create actions. The preactions that were generated when you
changed the payment processing settings are converted into actions, or jobs.
2 Click Retail > Periodic > Data distribution > Distribution schedule.
3 To send down the payment processing and device settings in the hardware profile, select the 1090 Registers job,
and then click Run directly.
4 To send down the payment methods, card types, and card numbers, select the 1070 Stores and tenders job, and
then click Run scheduler job directly.
PA-DSS implementation guide 22
Test payment processing
You can test payment processing by processing card transactions in test mode.
1 In a register or store database, in the POSHARDWAREPROFILE table, change the value in the EFTTESTMODE
column to 1.
2 Process a card transaction.
3 Verify that the transaction went through by visiting the Payment Services payment portal at
https://payments.dynamicsonline.com/Home/Dashboard.aspx.
Note: You can test payment processing only if Retail POS is running in production mode.
Store computers: Set up the password policy
Requirements 8.5.9 through 8.5.14 of the PCI Data Security Standard specify password and account security
regulations for people who have access to the payment application. To comply with these requirements, the
password policy on each store computer where Retail POS is installed must meet the minimum requirements that are
described in the following table.
Policy Security setting
Enforce password history 4 passwords remembered
Maximum password age 90 days
Minimum password length 7 characters
Password must meet complexity requirements Enabled
Account lockout duration 30 minutes
Account lockout threshold 6 invalid sign-in attempts
Notes:
● These policies meet the minimum requirements of Requirements 8.5.9 through 8.5.14. You can use more stringent
settings.
● For more information about how to set up a Windows account for each store user, see the Microsoft Dynamics AX
2012 Upgrade Guide, which is available for download at http://go.microsoft.com/fwlink/?LinkID=221465.
1 Follow one of these steps, depending on the operating system that you are running:
● If you are running Windows Embedded POSReady 2009, click Start, click Control Panel, switch to Classic
View, double-click Administrative Tools, and then double-click Local Security Policy.
● If you are running Windows 7, Windows Embedded POSReady 7, Windows 8, Windows 8.1, Windows Server
2008, or Windows Server 2012, click Start, type Local Security Policy in the search box, and then press Enter.
2 Expand Account Policies, and then click Password Policy.
3 To modify a policy, right-click the policy, and then click Properties.
PA-DSS implementation guide 23
4 Click Account Lockout Policy.
5 To modify a policy, right-click the policy, and then click Properties.
Store computers: Set up password-protected screen savers
At each register, set up a screen saver that appears when the register is idle, and that requires that cashiers enter the
password for their Windows user account to regain access to Retail POS.
1 In the C:\Windows\System32 folder, locate the screen saver (.scr) file to use.
2 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server
2008 R2, Windows Server 2012, or Windows Server 2012 R2, click Start, type mmc in the search box, and then
press Enter.
3 On the File menu, click Add/Remove Snap-in.
4 Select Group Policy Object Editor, click Add, click Finish, and then click Close or OK.
5 Expand Local Computer Policy, expand User Configuration, expand Administrative Templates, expand
Control Panel, and then click Personalization (on Windows 7) or Display (on other operating systems).
6 Double-click Force specific screen saver (on Windows 7) or Screen Saver executable name (on other operating
systems), select Enabled, type the path and name of the screen saver (.scr) file that you selected in step 1, and
then click OK.
7 Double-click Password protect the screen saver, select Enabled, and then click OK.
8 Double-click Screen Saver timeout, select Enabled, type 900 or a smaller value, and then click OK.
Note: By completing this procedure on each computer in the store, you help satisfy Requirement 8.5.15 of the PCI
Data Security Standard. According to this requirement, 900 seconds (15 minutes) is the maximum time that the
register can be idle before it must be locked. You can specify a shorter time if you prefer.
Store computers: Turn off System Restore
System Restore is a Windows feature that restores your computer’s system files to the state that they were in at an
earlier time. However, the restore points that this feature saves are not considered secure by the PCI Security
Standards Council.
1 On the Start menu, right-click Computer, and then click Properties.
2 Click System protection.
3 Select the C: drive, click Configure, select Turn off system protection, and then click OK.
PA-DSS implementation guide 24
Store computers: Turn off Internet Explorer Automatic Crash
Recovery
The Automatic Crash Recovery (ACR) feature of Internet Explorer can help prevent the loss of work and productivity
in the unlikely event that the browser stops responding. However, data that this feature saves for a crash recovery is
not considered secure by the PCI Security Standards Council.
1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows 10, Windows Server
2008 R2, Windows Server 2012, or Windows Server 2012 R2, click Start, type Internet Explorer in the search box,
and then press Enter.
2 On the Tools menu, click Internet options.
3 On the Advanced tab, in the Browsing section, clear the Enable automatic crash recovery check box, click OK,
and then close the browser window.
In AX 2012, set up Payment services in Accounts receivable
1 Click Accounts receivable > Setup > Payment > Payment services.
2 In the Payment services form, click New, and then, in the Payment service field, enter a name for the payment
service.
3 In the Payment connector field, select Dynamics Payment Connector.
4 Under Payment service account, enter the following information:
● In the Merchant account ID field, enter the merchant account ID that you received from the payment
provider.
● In the Service account ID field, enter the service account ID that you received from the payment provider.
● In the Microsoft account field, enter the same Microsoft account email address that was used to set up the
merchant account in Customer Portal.
● In the Microsoft account password field, enter the password for the Microsoft account.
● In the Supported currencies field, enter currency codes for the currencies that the payment service supports.
Separate the currency codes by semicolons, without using spaces. For example, enter USD;CAD.
● In the Supported payment methods field, enter the payment methods that the payment service accepts.
Separate the payment methods by semicolons, without spaces. For example, enter
Visa;AmericanExpress;Debit.
Note: Information is entered automatically in the Assembly name, Environment, Portal URL, and Public key
fields. AX 2012 automatically generates the public key to encrypt the data that is sent to the payment service.
5 Copy the contents of the Public key field.
6 Sign in to Customer Portal by using your Microsoft account email address and password.
7 Under Organization settings, click User management, and then, in the New group, click System User.
8 In the Public key field, enter the public key that you copied in step 5, and then click Save.
9 In the User management list, click the first name or last name of the system user that you created in step 8, and
then click Edit.
PA-DSS implementation guide 25
10 Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button
to add the role to the Selected Roles list, and then click Save.
11 Sign out of Customer Portal.
12 In AX 2012, in the Payment services form, click Validate.
AX 2012 confirms that the validation is successful.
13 Click Credit card types, and then add all the credit cards that you accept.
In Dynamics AX 2012, set up Payment services in online stores
1 Click Retail > Retail channels > Online stores.
2 Select an online store, and then, on the Action Pane, click Edit.
3 On the Payment accounts FastTab, in the Connectors field, select Dynamics Payment Connector.
4 Click Add, and then, under Details, enter the following information:
● In the Merchant account ID field, enter the merchant account ID that you received from the payment
provider.
● In the Service account ID field, enter the service account ID that you received from the payment provider.
● In the Microsoft account field, enter the same Microsoft account email address that was used to set up the
merchant account in Customer Portal.
● In the Microsoft account password field, enter the password for the Microsoft account.
● In the Supported currencies field, enter currency codes for the currencies that the payment service supports.
Separate the currency codes by semicolons. For example, enter USD;CAD.
● In the Supported payment methods field, enter the payment methods that the payment service accepts.
Separate the payment methods by semicolons.
Note: Information is entered automatically in the Assembly name, Environment, Portal URL, and Public key
fields. AX 2012 automatically generates the public key to encrypt the data that is sent to the payment service.
5 Copy the contents of the Public key field.
6 Sign in to Customer Portal by using your Microsoft account email address and password.
7 Under Organization settings, click User management, and then, in the New group, click System User.
8 In the Public key field, enter the public key that you copied in step 5, and then click Save.
9 In the User management list, click the first name or last name of the system user that you created in step 8, and
then click Edit.
10 Under Services and Roles, select Payment Administrators in the Available Roles list, use the right arrow button
to add the role to the Selected Roles list, and then click Save.
11 Sign out of Customer Portal.
PA-DSS implementation guide 26
Store computers: Set up group policies to enable a kiosk session
(optional)
We recommend that you apply the following restrictions for Retail POS users:
● Restrict access to Control Panel.
● Restrict access to removable drives.
● Restrict access to command executing shells.
● Restrict access to application management.
The following group policies can help you enable a kiosk mode session. You can adjust these policies to fit your
requirements. Before you set up a kiosk, assess any security implications, or talk to a specialist.
Setting State Comment Path
Enable screen saver Disabled No \Control Panel\Personalization
Allow DFS roots to be published Disabled No \Shared Folders
Allow shared folders to be
published
Disabled No \Shared Folders
Add Search Internet link to Start
Menu
Disabled No \Start Menu and Taskbar
Show Quick Launch on Taskbar Disabled No \Start Menu and Taskbar
Show the Apps view automatically
when the user goes to Start
Disabled No \Start Menu and Taskbar
Show “Run as different user”
command on Start
Disabled No \Start Menu and Taskbar
Add the Run command to the Start
Menu
Disabled No \Start Menu and Taskbar
Show Start on the display the user
is using when they press the
Windows logo key
Disabled No \Start Menu and Taskbar
Show Windows Store apps on the
taskbar
Disabled No \Start Menu and Taskbar
Turn off shell protocol protected
mode
Disabled No \Windows Components\File
Explorer
Turn on menu bar by default Disabled No \Windows Components\Internet
Explorer
PA-DSS implementation guide 27
Setting State Comment Path
Turn on Script Execution Disabled No \Windows Components\Windows
PowerShell
Hide the “Add a program from CD-
ROM or floppy disk” option
Enabled No \Control Panel\Add or Remove
Programs
Hide the “Add programs from
Microsoft” option
Enabled No \Control Panel\Add or Remove
Programs
Hide the “Add programs from your
network” option
Enabled No \Control Panel\Add or Remove
Programs
Hide Add New Programs page Enabled No \Control Panel\Add or Remove
Programs
Remove Add or Remove Programs Enabled No \Control Panel\Add or Remove
Programs
Hide the Set Program Access and
Defaults page
Enabled No \Control Panel\Add or Remove
Programs
Hide Change or Remove Programs
page
Enabled No \Control Panel\Add or Remove
Programs
Go directly to Components Wizard Enabled No \Control Panel\Add or Remove
Programs
Remove Support Information Enabled No \Control Panel\Add or Remove
Programs
Hide Add/Remove Windows
Components page
Enabled No \Control Panel\Add or Remove
Programs
Disable the Display Control Panel Enabled No \Control Panel\Display
Hide Settings tab Enabled No \Control Panel\Display
Prevent changing color scheme Enabled No \Control Panel\Personalization
Prevent changing theme Enabled No \Control Panel\Personalization
Prevent changing visual style for
windows and buttons
Enabled No \Control Panel\Personalization
Prohibit selection of visual style
font size
Enabled No \Control Panel\Personalization
Prevent changing color and
appearance
Enabled No \Control Panel\Personalization
PA-DSS implementation guide 28
Setting State Comment Path
Prevent changing desktop
background
Enabled No \Control Panel\Personalization
Prevent changing desktop icons Enabled No \Control Panel\Personalization
Prevent changing mouse pointers Enabled No \Control Panel\Personalization
Prevent changing screen saver Enabled No \Control Panel\Personalization
Prevent changing sounds Enabled No \Control Panel\Personalization
Prevent addition of printers Enabled No \Control Panel\Printers
Prevent deletion of printers Enabled No \Control Panel\Printers
Hide “Set Program Access and
Computer Defaults” page
Enabled No \Control Panel\Programs
Hide “Get Programs” page Enabled No \Control Panel\Programs
Hide “Installed Updates” page Enabled No \Control Panel\Programs
Hide “Programs and Features”
page
Enabled No \Control Panel\Programs
Hide the Programs Control Panel Enabled No \Control Panel\Programs
Hide “Windows Features” Enabled No \Control Panel\Programs
Hide “Windows Marketplace” Enabled No \Control Panel\Programs
Turn off automatic learning Enabled No \Control Panel\Regional and
Language Options\Handwriting
personalization
Hide Regional and Language
Options administrative options
Enabled No \Control Panel\Regional and
Language Options
Hide and disable all items on the
desktop
Enabled No \Desktop
Remove the Desktop Cleanup
Wizard
Enabled No \Desktop
Hide Internet Explorer icon on
desktop
Enabled No \Desktop
Remove Computer icon on the
desktop
Enabled No \Desktop
Remove My Documents icon on
the desktop
Enabled No \Desktop
PA-DSS implementation guide 29
Setting State Comment Path
Hide Network Locations icon on
desktop
Enabled No \Desktop
Remove Properties from the
Computer icon context menu
Enabled No \Desktop
Remove Properties from the
Documents icon context menu
Enabled No \Desktop
Do not add shares of recently
opened documents to Network
Locations
Enabled No \Desktop
Remove Recycle Bin icon from
desktop
Enabled No \Desktop
Remove Properties from the
Recycle Bin context menu
Enabled No \Desktop
Don’t save settings at exit Enabled No \Desktop
Turn off Aero Shake window
minimizing mouse gesture
Enabled No \Desktop
Prevent adding dragging dropping
and closing the Taskbar’s toolbars
Enabled
Prohibit adjusting desktop toolbars Enabled No \Desktop
Force Start to be either full screen
size or menu size
Enabled No \Start Menu and Taskbar
Go to the desktop instead of Start
when signing in
Enabled No \Start Menu and Taskbar
Turn off personalized menus Enabled No \Start Menu and Taskbar
Lock the Taskbar Enabled No \Start Menu and Taskbar
Turn off notification area cleanup Enabled No \Start Menu and Taskbar
Remove Balloon Tips on Start
Menu items
Enabled No \Start Menu and Taskbar
Prevent users from customizing
their Start Screen
Enabled No \Start Menu and Taskbar
Remove common program groups
from Start Menu
Enabled No \Start Menu and Taskbar
PA-DSS implementation guide 30
Setting State Comment Path
Remove Favorites menu from Start
Menu
Enabled No \Start Menu and Taskbar
Remove Search link from Start
Menu
Enabled No \Start Menu and Taskbar
Remove frequent programs list
from the Start Menu
Enabled No \Start Menu and Taskbar
Remove Games link from Start
Menu
Enabled No \Start Menu and Taskbar
Remove Help menu from Start
Menu
Enabled No \Start Menu and Taskbar
Turn off user tracking Enabled No \Start Menu and Taskbar
Remove All Programs list from the
Start menu
Enabled No \Start Menu and Taskbar
Remove Network Connections
from Start Menu
Enabled No \Start Menu and Taskbar
Remove pinned programs list from
the Start Menu
Enabled No \Start Menu and Taskbar
Do not keep history of recently
opened documents
Enabled No \Start Menu and Taskbar
Remove Recent Items menu from
Start Menu
Enabled No \Start Menu and Taskbar
Do not use the search-based
method when resolving shell
shortcuts
Enabled No \Start Menu and Taskbar
Do not use the tracking-based
method when resolving shell
shortcuts
Enabled No \Start Menu and Taskbar
Remove Run menu from Start
Menu
Enabled No \Start Menu and Taskbar
Remove Default Programs link
from the Start menu.
Enabled No \Start Menu and Taskbar
Remove Documents icon from Start
Menu
Enabled No \Start Menu and Taskbar
PA-DSS implementation guide 31
Setting State Comment Path
Remove Music icon from Start
Menu
Enabled No \Start Menu and Taskbar
Remove Network icon from Start
Menu
Enabled No \Start Menu and Taskbar
Remove Pictures icon from Start
Menu
Enabled No \Start Menu and Taskbar
Do not search communications Enabled No \Start Menu and Taskbar
Remove Search Computer link Enabled No \Start Menu and Taskbar
Remove See More Results / Search
Everywhere link
Enabled No \Start Menu and Taskbar
Do not search for files Enabled No \Start Menu and Taskbar
Do not search Internet Enabled No \Start Menu and Taskbar
Do not search programs and
Control Panel items
Enabled No \Start Menu and Taskbar
Remove programs on Settings
menu
Enabled No \Start Menu and Taskbar
Prevent changes to Taskbar and
Start Menu Settings
Enabled No \Start Menu and Taskbar
Remove Downloads link from Start
Menu
Enabled No \Start Menu and Taskbar
Remove Homegroup link from
Start Menu
Enabled No \Start Menu and Taskbar
Remove Recorded TV link from
Start Menu
Enabled No \Start Menu and Taskbar
Remove user’s folders from the
Start Menu
Enabled No \Start Menu and Taskbar
Remove Videos link from Start
Menu
Enabled No \Start Menu and Taskbar
Force classic Start Menu Enabled No \Start Menu and Taskbar
Remove Clock from the system
notification area
Enabled No \Start Menu and Taskbar
Prevent grouping of taskbar items Enabled No \Start Menu and Taskbar
PA-DSS implementation guide 32
Setting State Comment Path
Do not display any custom toolbars
in the taskbar
Enabled No \Start Menu and Taskbar
Remove access to the context
menus for the taskbar
Enabled No \Start Menu and Taskbar
Hide the notification area Enabled No \Start Menu and Taskbar
Prevent users from uninstalling
applications from Start
Enabled No \Start Menu and Taskbar
Remove user folder link from Start
Menu
Enabled No \Start Menu and Taskbar
Remove user name from Start
Menu
Enabled No \Start Menu and Taskbar
Remove links and access to
Windows Update
Enabled No \Start Menu and Taskbar
Remove the “Undock PC” button
from the Start Menu
Enabled No \Start Menu and Taskbar
Remove Notifications and Action
Center
Enabled No \Start Menu and Taskbar
Disable showing balloon
notifications as toasts.
Enabled No \Start Menu and Taskbar
Remove the Security and
Maintenance icon
Enabled No \Start Menu and Taskbar
Remove the networking icon Enabled No \Start Menu and Taskbar
Remove the battery meter Enabled No \Start Menu and Taskbar
Remove the volume control icon Enabled No \Start Menu and Taskbar
Turn off feature advertisement
balloon notifications
Enabled No \Start Menu and Taskbar
Do not allow pinning Store app to
the Taskbar
Enabled No \Start Menu and Taskbar
Do not allow pinning items in Jump
Lists
Enabled No \Start Menu and Taskbar
Do not allow pinning programs to
the Taskbar
Enabled No \Start Menu and Taskbar
PA-DSS implementation guide 33
Setting State Comment Path
Do not display or track items in
Jump Lists from remote locations
Enabled No \Start Menu and Taskbar
Turn off automatic promotion of
notification icons to the taskbar
Enabled No \Start Menu and Taskbar
Lock all taskbar settings Enabled No \Start Menu and Taskbar
Prevent users from adding or
removing toolbars
Enabled No \Start Menu and Taskbar
Prevent users from rearranging
toolbars
Enabled No \Start Menu and Taskbar
Do not allow taskbars on more
than one display
Enabled No \Start Menu and Taskbar
Turn off all balloon notifications Enabled No \Start Menu and Taskbar
Remove pinned programs from the
Taskbar
Enabled No \Start Menu and Taskbar
Prevent users from moving taskbar
to another screen dock location
Enabled No \Start Menu and Taskbar
Prevent users from resizing the
taskbar
Enabled No \Start Menu and Taskbar
Turn off taskbar thumbnails Enabled No \Start Menu and Taskbar
Remove Task Manager Enabled No \System\Ctrl+Alt+Del Options
Code signing for device drivers Enabled No \System\Driver Installation
Turn off Windows Update device
driver search prompt
Enabled No \System\Driver Installation
Disallow selection of Custom
Locales
Enabled No \System\Locale Services
Disallow changing of geographic
location
Enabled No \System\Locale Services
Disallow user override of locale
settings
Enabled No \System\Locale Services
CD and DVD: Deny read access Enabled No \System\Removable Storage Access
CD and DVD: Deny write access Enabled No \System\Removable Storage Access
Floppy Drives: Deny read access Enabled No \System\Removable Storage Access
PA-DSS implementation guide 34
Setting State Comment Path
Floppy Drives: Deny write access Enabled No \System\Removable Storage Access
Removable Disks: Deny read access Enabled No \System\Removable Storage Access
Removable Disks: Deny write
access
Enabled No \System\Removable Storage Access
All Removable Storage classes:
Deny all access
Enabled No \System\Removable Storage Access
Tape Drives: Deny read access Enabled No \System\Removable Storage Access
Tape Drives: Deny write access Enabled No \System\Removable Storage Access
WPD Devices: Deny read access Enabled No \System\Removable Storage Access
WPD Devices: Deny write access Enabled No \System\Removable Storage Access
Prevent access to the command
prompt
Enabled No \System
Prevent access to registry editing
tools
Enabled No \System
Prevent the wizard from running. Enabled No \Windows Components\Add
features to Windows 10
Turn off Program Compatibility
Assistant
Enabled No \Windows Components\Application
Compatibility
Search, Share, Start, Devices and
Settings don’t appear when the
mouse is pointing to the upper-
right corner of the screen
Enabled No \Windows Components\Edge UI
Disable help tips Enabled No \Windows Components\Edge UI
Turn off tracking of app usage Enabled No \Windows Components\Edge UI
Do not show recent apps when the
mouse is pointing to the upper-left
corner of the screen
Enabled No \Windows Components\Edge UI
Prevent users from replacing the
Command Prompt with Windows
PowerShell in the menu they see
when they right-click the lower-left
corner or press the Windows logo
key+X
Enabled No \Windows Components\Edge UI
PA-DSS implementation guide 35
Setting State Comment Path
Turn off switching between recent
apps
Enabled No \Windows Components\Edge UI
Turn on or off details pane Enabled No \Windows Components\File
Explorer\Explorer Frame Pane
Turn off Preview Pane Enabled No \Windows Components\File
Explorer\Explorer Frame Pane
Do not display the Welcome Center
at user logon
Enabled No \Windows Components\File
Explorer
Turn on Classic Shell Enabled No \Windows Components\File
Explorer
Remove CD Burning features Enabled No \Windows Components\File
Explorer
Remove DFS tab Enabled No \Windows Components\File
Explorer
Hide these specified drives in My
Computer
Enabled No \Windows Components\File
Explorer
No Entire Network in Network
Locations
Enabled No \Windows Components\File
Explorer
Remove File menu from File
Explorer
Enabled No \Windows Components\File
Explorer
Do not allow Folder Options to be
opened from the Options button
on the View tab of the ribbon
Enabled No \Windows Components\File
Explorer
Remove Hardware tab Enabled No \Windows Components\File
Explorer
Hides the Manage item on the File
Explorer context menu
Enabled No \Windows Components\File
Explorer
Remove Shared Documents from
My Computer
Enabled No \Windows Components\File
Explorer
Remove “Map Network Drive” and
“Disconnect Network Drive”
Enabled No \Windows Components\File
Explorer
Remove the Search the Internet
“Search again” link
Enabled No \Windows Components\File
Explorer
PA-DSS implementation guide 36
Setting State Comment Path
Remove Security tab Enabled No \Windows Components\File
Explorer
Remove Search button from File
Explorer
Enabled No \Windows Components\File
Explorer
Remove File Explorer’s default
context menu
Enabled No \Windows Components\File
Explorer
Prevent access to drives from My
Computer
Enabled No \Windows Components\File
Explorer
Turn off Windows+X hotkeys Enabled No \Windows Components\File
Explorer
No Computers Near Me in
Network Locations
Enabled No \Windows Components\File
Explorer
Request credentials for network
installations
Enabled No \Windows Components\File
Explorer
Prevent users from adding files to
the root of their Users Files folder.
Enabled No \Windows Components\File
Explorer
Turn off Accelerators Enabled No \Windows Components\Internet
Explorer\Accelerators
File menu: Disable closing the
browser and Explorer windows
Enabled No \Windows Components\Internet
Explorer\Browser menus
File menu: Disable Save As... menu
option
Enabled No \Windows Components\Internet
Explorer\Browser menus
File menu: Disable Save As Web
Page Complete
Enabled No \Windows Components\Internet
Explorer\Browser menus
File menu: Disable New menu
option
Enabled No \Windows Components\Internet
Explorer\Browser menus
File menu: Disable Open menu
option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Help menu: Remove ‘Send
Feedback’ menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Help menu: Remove ‘For Netscape
Users’ menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
PA-DSS implementation guide 37
Setting State Comment Path
Help menu: Remove ‘Tip of the
Day’ menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Help menu: Remove ‘Tour’ menu
option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Turn off Shortcut Menu Enabled No \Windows Components\Internet
Explorer\Browser menus
Hide Favorites menu Enabled No \Windows Components\Internet
Explorer\Browser menus
Disable Open in New Window
menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Turn off Print Menu Enabled No \Windows Components\Internet
Explorer\Browser menus
Turn off the ability to launch report
site problems using a menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Disable Save this program to disk
option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Tools menu: Disable Internet
Options... menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
View menu: Disable Full Screen
menu option
Enabled No \Windows Components\Internet
Explorer\Browser menus
View menu: Disable Source menu
option
Enabled No \Windows Components\Internet
Explorer\Browser menus
Turn off Developer Tools Enabled No \Windows Components\Internet
Explorer\Toolbars
Turn off toolbar upgrade tool Enabled No \Windows Components\Internet
Explorer\Toolbars
Hide the Command bar Enabled No \Windows Components\Internet
Explorer\Toolbars
Hide the status bar Enabled No \Windows Components\Internet
Explorer\Toolbars
Disable customizing browser
toolbars
Enabled No \Windows Components\Internet
Explorer\Toolbars
PA-DSS implementation guide 38
Setting State Comment Path
Disable customizing browser
toolbar buttons
Enabled No \Windows Components\Internet
Explorer\Toolbars
Turn off add-on performance
notifications
Enabled No \Windows Components\Internet
Explorer
Do not allow users to enable or
disable add-ons
Enabled No \Windows Components\Internet
Explorer
Disable changing Advanced page
settings
Enabled No \Windows Components\Internet
Explorer
Turn off Favorites bar Enabled No \Windows Components\Internet
Explorer
Prevent per-user installation of
ActiveX controls
Enabled No \Windows Components\Internet
Explorer
Turn off Reopen Last Browsing
Session
Enabled No \Windows Components\Internet
Explorer
Turn off Tab Grouping Enabled No \Windows Components\Internet
Explorer
Prevent managing the phishing
filter
Enabled No \Windows Components\Internet
Explorer
Turn off Managing SmartScreen
Filter for Internet Explorer 8
Enabled No \Windows Components\Internet
Explorer
Prevent managing SmartScreen
Filter
Enabled No \Windows Components\Internet
Explorer
Turn off the Security Settings
Check feature
Enabled No \Windows Components\Internet
Explorer
Enforce full-screen mode Enabled No \Windows Components\Internet
Explorer
Disable Import/Export Settings
wizard
Enabled No \Windows Components\Internet
Explorer
Prevent Internet Explorer Search
box from appearing
Enabled No \Windows Components\Internet
Explorer
Turn off Quick Tabs functionality Enabled No \Windows Components\Internet
Explorer
PA-DSS implementation guide 39
Setting State Comment Path
Turn off tabbed browsing Enabled No \Windows Components\Internet
Explorer
Disable changing Automatic
Configuration settings
Enabled No \Windows Components\Internet
Explorer
Disable changing Temporary
Internet files settings
Enabled No \Windows Components\Internet
Explorer
Disable changing Calendar and
Contact settings
Enabled No \Windows Components\Internet
Explorer
Disable changing certificate
settings
Enabled No \Windows Components\Internet
Explorer
Disable changing default browser
check
Enabled No \Windows Components\Internet
Explorer
Disable changing color settings Enabled No \Windows Components\Internet
Explorer
Disable changing connection
settings
Enabled No \Windows Components\Internet
Explorer
Disable changing font settings Enabled No \Windows Components\Internet
Explorer
Disable changing language
settings
Enabled No \Windows Components\Internet
Explorer
Disable changing link color settings Enabled No \Windows Components\Internet
Explorer
Disable changing Messaging
settings
Enabled No \Windows Components\Internet
Explorer
Prevent managing pop-up
exception list
Enabled No \Windows Components\Internet
Explorer
Turn off pop-up management Enabled No \Windows Components\Internet
Explorer
Disable changing Profile Assistant
settings
Enabled No \Windows Components\Internet
Explorer
Prevent changing proxy settings Enabled No \Windows Components\Internet
Explorer
PA-DSS implementation guide 40
Setting State Comment Path
Disable changing ratings settings Enabled No \Windows Components\Internet
Explorer
Turn off the auto-complete feature
for web addresses
Enabled No \Windows Components\Internet
Explorer
Turn off suggestions for all user-
installed providers
Enabled No \Windows Components\Internet
Explorer
Turn off the quick pick menu Enabled No \Windows Components\Internet
Explorer
Search: Disable Find Files via F3
within the browser
Enabled No \Windows Components\Internet
Explorer
Search: Disable Search
Customization
Enabled No \Windows Components\Internet
Explorer
Turn off ability to pin sites in
Internet Explorer on the desktop
Enabled No \Windows Components\Internet
Explorer
Turn off the offer to update to the
latest version of Windows
Enabled No \Windows Components\Store
Turn off the Store application Enabled No \Windows Components\Store
Prohibit New Task Creation Enabled No \Windows Components\Task
Scheduler
Part 2: Features that facilitate PCI compliance
This part of the guide describes some of the features in AX 2012 that facilitate merchant compliance with the PCI
Data Security Standard.
Protect stored cardholder data
AX 2012 provides the following capabilities to help protect cardholder data:
● For the storage of cardholder data:
● AX 2012 does not store sensitive authentication data.
● AX 2012 does not store PANs.
● AX 2012 stores truncated PANs (the last four digits) and cardholder names.
PA-DSS implementation guide 41
● For the display of cardholder data:
● Retail Modern POS and Retail Enterprise POS display masked PANs (the first six and last four digits) on the
following pages:
● Payment screen
● Sales receipt
● The AX 2012 client displays cardholder names, truncated PANs (the last four digits), and expiration dates in the
following forms:
● Accounts receivable – Customer credit cards form
● Call center – Enter customer payment information form
Audit logging
Logging of PCI-relevant activity at the register is automatic. For more information, see Monitor Retail POS activity,
later in this guide.
Provide secure authentication features
AX 2012 provides the following secure authentication features.
Store user names, passwords, and authentication
● Stores and cashiers have no administrative access, and no access to reports. They have access to card numbers
only when a card is swiped.
● Users of AX 2012 are subject to AD DS security policies. Therefore, users of AX 2012 are subject to the same
password policy as domain users.
● Employee user names and passwords are set up in the Retail module of AX 2012. Only approved AX 2012 users
have access to these features.
● AX 2012 does not provide any default accounts or passwords. Instead, a unique user name and password are
required for every user, even the user who sets up the software.
● Customers and integrators/resellers must comply with PA-DSS Requirements 3.1.1 through 3.1.11 when they
manage authentication credentials and create strong authentication for all application-level and user accounts
that have administrative access, and all accounts that have access to cardholder data, as follows:
● PA-DSS Requirement 3.1.1: You must not use any default administrative accounts for AX 2012.
● PA-DSS Requirement 3.1.2: You must enforce the changing of all default application passwords for all
accounts that are generated or managed. This requirement applies to all accounts, such as user accounts,
application and service accounts, and accounts that the vendor uses for support purposes.
● PA-DSS Requirement 3.1.3: You must assign unique IDs for user accounts.
● PA-DSS Requirement 3.1.4: You must use a user name and password to authenticate every user.
● PA-DSS Requirement 3.1.5: You must not require or use any group, shared, or generic accounts and
passwords.
PA-DSS implementation guide 42
● PA-DSS Requirement 3.1.6: You must require that passwords meet the following standards:
● They must have a minimum length of seven characters.
● They must contain both numeric and alphabetic characters.
● Alternatively, passwords/phrases must have complexity and strength that is at least equivalent to the
preceding parameters.
● PA-DSS Requirement 3.1.7: You must require changes to user passwords at least one time every 90 days.
● PA-DSS Requirement 3.1.8: You must require that new passwords differ from the last four passwords that
the user used.
● PA-DSS Requirement 3.1.9: You must limit repeated access attempts by locking out user accounts after no
more than six sign-in attempts.
● PA-DSS Requirement 3.1.10: You must set the lockout duration to a minimum of 30 minutes, or until an
administrator enables the user ID.
● PA-DSS Requirement 3.1.11: If a payment application session has been idle for more than 15 minutes, AX
2012 must require that the user reauthenticate to reactivate the session.
● Activities that are related to setting up new employees, deleting employees, and changing employee user names
or passwords are logged. For more information, see Monitor AX 2012 activity, later in this guide.
● When cashiers sign in to Retail POS at the store, their employee user names and passwords are securely
authenticated by either Real-time Service or Synch Service, depending on employee settings. Cashier passwords
are always hashed (obscured).
Set up a new store user (manager or cashier) in AX 2012
1 Click Retail > Common > Workers.
2 Click Hire new worker, and then type the new cashier’s name.
3 Enter information about the employee on the tabs, as required.
4 In the Worker form, click the Retail link, and then select a layout ID and a language for the employee.
5 In the Employment type field, select Cashier, and then, in the Name on receipt field, type a name.
6 In the Password field, type the employee’s password.
7 Click POS permissions, and then select a position for the cashier.
Important: When you set up Windows user accounts for employees, and when you set up employee accounts in AX
2012, you must use a “least privilege” approach. In other words, you must grant employees only those privileges that
they require to perform their duties. For example, although trusted management personnel might require
Administrator privileges on store computers, employee sign-in accounts must belong to a group that does not have
these privileges.
For more information about user accounts for employees, see the Microsoft Dynamics AX 2012 Upgrade Guide, which
is available for download at http://go.microsoft.com/fwlink/?LinkID=221465.
PA-DSS implementation guide 43
Data storage and deletion
Several requirements in the PCI Data Security Standard are related to the protection of sensitive cardholder data.
These requirements call for the safe storage, encryption, and removal of cardholder information, such as magnetic
stripe data, card validation codes (CVCs)/Card Verification Values (CVVs), PINs, and PIN blocks. In particular,
Requirements 1.3 and 1.3.4 prohibit the storage of cardholder data on servers that are connected to the Internet. The
database server cannot also be a web server.
AX 2012 helps merchants comply with the PCI Data Security Standard that are related to data storage and retention
in the following ways:
● PANs are not retained. Therefore, no periodic purging is required. This behavior helps satisfy Requirement 3.1 of
the PCI Data Security Standard.
● Sensitive authentication data is never retained, cannot be reproduced from within the program, and is not
available in log files or debug files.
● Credit card numbers are tokenized and secured by the connector for Payment Services, and are never sent to
AX 2012 as plain text. Tokens expire 120 days after the last time they were used.
● Card numbers are truncated after authorization, so that only the last four digits remain. Card numbers on both
printed and journaled receipts are always truncated.
● Like this release of AX 2012, the previous release (Microsoft Dynamics AX for Retail) did not retain any sensitive
authentication data. Compliance with Requirement 3.2 of the PCI Data Security Standard does not require the
removal of historical data.
● Because cardholder data is not retained, no encryption is required. Therefore, periodic deletion of the encryption
key is not required. This behavior helps satisfy Requirement 3.6 of the PCI Data Security Standard.
Versioning methodology
The Microsoft Dynamics AX versioning methodology consists of three elements that are grouped into a major and
minor version.
● The first two elements define the major version:
a A four-digit year, which is determined by the last year that the application received a significant feature
update.
b A release number, which consists of an “R” and then up to two numeric digits for the release number. The
release number is based on the current release number that is being validated.
● The third element is the minor version, which represents a minor change. The minor version number consists of
“CU” (which stands for “Cumulative Update”) and then up to two numeric digits.
All elements are separated by spaces.
For Microsoft Dynamics AX 2012 R3 CU11, the versions are as follows:
● 2012 R3 is the major version. The application received its last significant feature update in 2012, and this release is
the third release.
● CU11 is the minor version. In this case, the cumulative update is for the eleventh minor change.
PA-DSS implementation guide 44
The values in the versioning methodology are incremented as follows:
● Major – The value is incremented when there is major release and a new PA-DSS validation.
● Minor – The value is incremented when there are new hotfix updates that are not related to security or PA-DSS.
No wildcards are used in the versioning methodology.
Data transmissions
All AX 2012 transmissions of cardholder data, whether over a private network or a public network, are secured by the
use of TLS 1.2. This behavior helps satisfy Requirement 4.1 of the PCI Data Security Standard.
AX 2012 does not allow or facilitate the transmission of PANs via email or other end-user messaging technologies.
Any such transmission that occurs must be encrypted to satisfy Requirement 4.2 of the PCI Data Security Standard.
Important:
● Strong cryptography and security protocols must be used for data transmission over public networks.
● Only trusted keys and/or certificates can be accepted.
● You must use only secure versions and secure implementations of security protocols.
● You must prevent fallback to an insecure version or configuration. (For example, if TLS is used, the application
must not allow fallback to Secure Sockets Layer [SSL]).
● You must use appropriate encryption strength for the encryption methodology.
PA-DSS implementation guide 45
Payment data flow diagrams
Flow of payment data in Retail Modern POS when the full integration model is used
Figure 1 shows the flow payment data in Retail Modern POS when the full integration model is used.
1a. Track, PIN
via swipe or EMV
2a. PAN,
Name, Track,
PIN
via HTTPS
(AES256 TLS
1.2);
Token returns
Internet
1b. Track, PIN
via swipe or
EMV
2b. Pan, Name, Track, PIN,
via HTTPS (AES256 TLS 1.2);
Returns token
2b.Token,
no CHD
3b. Token, no
CHD
Only during
offline
3a. Token,
no CHD
3b. token, no
CHD
Retail Hardware Station
Payment Connector
AS7 PA-DSS
Retail Modern POS
Payment Connector
SQL
Retail Modern POSOffline database
1a. PAN, name,
expiry and card
validation codes/
values manually
input
1b. Track, PIN
Via swipe, EMV
1a. Track, PIN,
via swipe or EMV
3b. Token, no
CHD
Dynamics AX
Retail Server
Payment Gateway(not in scope)
SQL
Retail Channel Database
3a. Token,
no CHD
3b. token, no
CHD
2a. Token,
no CHD2a. Token,
no CHD
Details
1 Retail Modern POS, which includes Retail Hardware Station, receives cardholder data through the following
channels:
a For Retail Modern POS:
● Track or track-equivalent data via PIN pad for card-present credit transactions
● PIN-based transactions via PIN pad for debit transactions
● PAN, expiration date, and CVCs/CVVs that are manually entered via the POS user interface
PA-DSS implementation guide 46
b For Retail Hardware Station:
● Track or track-equivalent data via PIN pad for card-present credit transactions
● PIN-based transactions via PIN pad for debit transactions
2 Retail Modern POS, which includes Retail Hardware Station, processes a payment transaction in one of the
following ways:
a Retail Modern POS creates authorization requests and sends them to a payment gateway (AES256 TLS 1.2) via
a payment connector. The payment connector is provided by the third-party payment solution provider and is
installed on the same computer. Authorization requests include track or track-equivalent data, PIN blocks,
PANs, expiry information, and CVCs/CVVs. Retail Modern POS receives an authorization reply that includes a
card token and a transaction approval message.
b Retail Hardware Station creates authorization requests and sends them to a payment gateway (AES256
TLS 1.2) via a payment connector. The payment connector is provided by a third-party payment solution
provider and is installed on the same computer. Authorization requests include track or track-equivalent data,
PIN blocks, PANs, expiry information, and CVCs/CVVs. Retail Hardware Station receives an authorization reply
that includes the truncated PAN (first six and last four digits), card token, and transaction approval message.
Retail Hardware Station then forwards the truncated PAN, card token, and transaction approval message to
Retail Modern POS.
3 One of the following events occurs:
a From Retail Modern POS, the card token, cardholder name, and truncated PAN are sent back to Microsoft
Dynamics AX Retail Server. Retail Server stores only the last four digits of the truncated PAN in the retail
channel database.
b If Retail Server cannot be reached, the last four digits of the truncated PAN, and the card token, are stored in
the Retail Modern POS offline database. After the connection is restored, the truncated PAN and card token
are sent to the Retail Server and stored in the retail channel database, and the data is deleted from the Retail
Modern POS offline database.
PA-DSS implementation guide 47
Flow of payment data in Retail Modern POS when the semi-integrated model is used
Figure 2 shows the flow of payment data in Retail Modern POS when the semi-integrated model is used.
Internet
2b.Token, no CHD
3b. Token, no CHD
Only during offline
3a. Token, no CHD
3b. token, no CHD
SQL
Retail Modern POS offline database
1b. Track, PIN, Name,
via swipe, EMV;Token returns
3b. Token, no CHD
Retail Hardware Station
Payment Connector
AS7 PA-DSS
Retail Modern POS
Payment Connector
2a.Token, no CHD2b.Token,
no CHD
1a. Track, PIN, Name,
via swipe, EMV;Token returns
1b.make a
payment
1a.make a
payment
Dynamics AX Retail Server
Payment Gateway(not in scope)
1a.Track, Name, PIN, visa swipe or EMV,
or PAN, expiry & cardvalidation codes/values
manually input
1b.Track, Name, PIN, visa swipe or EMV,
or PAN, expiry & cardvalidation codes/values
manually input
SQL
Retail Channel Database
3a. Token, no CHD
3b. token, no CHD
1b. Token, no CHD
1a. Token, no CHD
PA-DSS implementation guide 48
Details
1 Either Retail Modern POS (1a) or Retail Hardware Station (1b) sends the payment request to the PIN pad that is
asking for a payment. No cardholder data is involved at this point. The PIN pad asks for the payment through the
following channel:
● Track or track-equivalent data for card-present credit transactions, which include EMV
● PIN-based transactions for debit
● PAN, expiry information, and CVCs/CVVs that are manually entered via PIN pad
The PIN pad sends the authorization request to a payment gateway (AES256 TLS 1.2) and receives the
authorization reply that has no cardholder data. Authorization requests include track or track-equivalent data, PIN
blocks, PANs, expiry information, and CVCs/CVVs.
2 The PIN pad truncates the PAN, and sends the truncated PAN (first six and last four digits), card token, and
transaction approval message directly to Retail Modern POS (2a), or to Retail Hardware Station, which forwards
the data to Retail Modern POS (2b).
3 One of the following events occurs:
a From Retail Modern POS, only the card token and truncated PAN are sent back to Retail Server. Retail Server
stores only the card token and truncated PAN (last four digits) in the retail channel database.
b If Retail Server cannot be reached, the truncated PAN (last four digits) and card token are stored in the Retail
Modern POS offline database. After the connection is restored, the truncated PAN, cardholder name, and card
token are sent back to Retail Server and stored in the retail channel database, and the data is deleted from the
Retail Modern POS offline database.
PA-DSS implementation guide 49
Flow of payment data in Retail Enterprise POS when the semi-integrated model is
used
Figure 3 shows the flow of payment data in Retail Enterprise POS when the semi-integrated model is used.
Internet
1. Track, PIN, Name
via swipe, EMV, or PAN, Name, expiry & card
validation codes/values;
Token returns
2.Token, no CHD
1.make a payment
Payment Gateway(not in scope)
1.Track, PIN, via swipe or EMV,
or PAN, Name, expiry & cardvalidation codes/values
manually input
Retail Enterprise POS
1. Token, no CHD
SQL
Retail Channel Database
3. Token, no CHD
Details
1 Retail Enterprise POS sends the payment request to the PIN pad that is asking a payment. No cardholder data is
involved at this point. The PIN pad asks for the payment through the following channel:
● Track or track-equivalent data for card-present credit transactions, which include EMV
● PIN-based transactions for debit
● PAN, expiry information, and CVCs/CVVs that are manually entered via PIN pad
PA-DSS implementation guide 50
The PIN pad sends the authorization request to a payment gateway (AES256 TLS 1.2) and receives the
authorization reply. Authorization requests include track or track-equivalent data, PIN blocks, PANs, expiry
information, and CVCs/CVVs.
2 The PIN pad sends the truncated PAN (first six and last four digits), card token, and transaction approval message
to Retail Enterprise POS.
3 The card token, cardholder name, and truncated PAN (last four digits) are stored in the retail channel database.
Flow of payment data in Retail Enterprise POS when the full integration model is used
Figure 4 shows the flow of payment data in the Retail Enterprise POS when the full integration model is used.
Internet
2. Track, Name, PIN
via swipe or EMV
3. Pan, Name, Track, PIN,via HTTPS;
Token returns
2. Track, Name, PIN
Via swipe, EMV1.make a payment
Payment Gateway(not in scope)
Retail Enterprise POS
3. Token, no CHD
Retail Channel Database
4. Token, no CHD
PA-DSS implementation guide 51
Details
1 Retail Enterprise POS requests that a payment device make a payment.
2 The customer performs a card-present credit or debit transaction on a payment device that is connected to Retail
Enterprise POS.
● Track or track-equivalent data for card-present credit transactions, which include EMV
● PIN-based transactions for debit
3 Retail Enterprise POS sends cardholder data (track or track-equivalent data, and PIN block) to the payment
gateway (AES256 TLS 1.2) for authorization. Retail Enterprise POS receives an authorization response and a card
token.
4 Retail Enterprise POS stores the card token, cardholder name, and truncated PAN (last four digits) in the retail
channel database.
Flow of payment data in AX 2012 Accounts receivable and Call Center
Figure 5 shows the flow of payment data in Accounts receivable and Call Center.
Dynamics AX client
Internet
2..Token,
no CHD
Dynamics AX Application Object
Server
Payment Connector
4.
Capture,
void a
payment
with token
SQL
Dynamics AX Database
3.Token,
no CHD
Payment Gateway(not in scope)
1.PAN, name, expiry & card
validation codes/values
manually input
Payment Connector
1. Token,
no CHD
1.PAN, name, expiry & card
validation codes/values;
Returns a token
or authorization reply
PA-DSS implementation guide 52
Details
1 Cardholder data, which includes the PAN, name, expiration date, and CVV2, is entered manually in the AX 2012
client. The CVV2 is optional. The client sends cardholder data (which includes the PAN, name, expiration date, and
CVV2) to the payment gateway’s payment accepting website for payment authorization and/or tokenization.
2 The client receives a card token and an authorization reply from the payment gateway, and sends the card token
and truncated PAN (last four digits) to the AX 2012 Application Object Server (AOS) service.
3 The card token, cardholder name, and truncated PAN (the last four digits) are stored in the AX 2012 database.
4 The payment connector uses the card token and truncated PAN (last four digits) to perform other payment
operations, such as void or capture.
PA-DSS implementation guide 53
Flow of payment data in an e-Commerce Sample Web Storefront
Figure 6 shows the flow of payment data in an e-Commerce Sample Web Storefront.
AS7 PA - DSS
Internet
Dynamics AX Application Object Server
Payment Connector
5. Capture,
void a payment
with token
SQL
Dynamics AX Database
2.Token, no CHD
4. token, no CHD
E-Commerce website
Payment Gateway(not in scope)
1.PAN, name, expiry & cardvalidation codes/values
manually input
2.PAN, name, expiry & cardvalidation codes/values;
Returns a token or authorization reply
1.PAN, name, expiry & cardvalidation codes/values
manually input
SQL
Retail Channel Database
3.Token, no CHD
E-Commerce browser client
Inte
rnet
2. Token, no CHD
Details
1 Cardholder data, which includes the PAN, name, expiration date, and CVCs/CVVs, is entered manually in an e-
Commerce web client. CVCs/CVVs are optional. The e-Commerce web client sends cardholder data (which
includes the PAN, name, expiration date, and CVCs/CVVs) to the e-Commerce website.
2 The e-Commerce website sends cardholder data (which includes the PAN, name, expiration date, and CVCs/CVVs)
to a payment gateway for payment authorization and/or tokenization.
3 The e-Commerce website receives a card token and an authorization reply, and stores the card token, cardholder
name, and truncated PAN (last four digits) to the retail channel database for the e-Commerce website.
PA-DSS implementation guide 54
4 The card token and truncated PAN (last four digits) are transmitted from the e-Commerce database to the AX
2012 database.
5 The payment connector uses the card token and truncated PAN (last four digits) to perform other payment
operations, such as void or capture.
Part 3: Connection limitations
Internet connections
AX 2012 does not require a web server. A perimeter network, which is also known as a DMZ (demilitarized zone) and
a screened subnet, can be used to separate the Internet from systems that transmit cardholder data. Cardholder data
is never stored, even on the internal network and the perimeter network. The database server should never be on a
web server, or on a perimeter network that contains a web server, and AX 2012 does not require these
configurations. This behavior helps satisfy Requirement 1.3 of the PCI Data Security Standard.
Protect wireless connections
AX 2012 does not require or support wireless connections.
If wireless connections are part of the store’s local area network (LAN), even if they are not used with AX 2012, you
must install a firewall and use compliant wireless settings, as described in Requirements 1.2.3, 2.1.1, 4.1.1, and 6.1 of
the PCI Data Security Standard. Here are some specific requirements:
● Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure
these firewalls to deny or control any traffic from the wireless environment into the cardholder data environment.
● Change wireless vendor default settings. These settings include, but are not limited to, default wireless encryption
keys, passwords, and Simple Network Management Protocol (SNMP) community strings.
● Make sure that wireless device security settings are enabled for strong encryption technology for authentication
and transmission.
● Use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and
transmission.
● Make sure that procedures for changing wireless encryption keys and passwords are followed whenever someone
who has knowledge of the keys/passwords leaves the company or changes positions. These keys/passwords
include SNMP strings.
● Make sure that you configure firewalls to deny traffic between the wireless environment and the cardholder data
environment. If such traffic is required for business purposes, configure the firewalls to permit only authorized
traffic between the environments.
Note: For new wireless implementations, implementation of Wired Equivalent Privacy (WEP) has been prohibited.
PA-DSS implementation guide 55
Important:
● Encryption keys must be changed from their default settings at installation. They must also be changed whenever
someone who has knowledge of the keys leaves the company or changes positions.
● Default SNMP community strings on wireless devices must be changed.
● Default passwords/passphrases on access points must be changed.
● Firmware on wireless devices must be updated to support strong encryption for authentication and transmission
over wireless networks.
● Other security-related default settings for the wireless vendor must be changed, if applicable.
Remote access
AX 2012 does not provide features that allow or facilitate remote connections into the payment environment, and
Microsoft does not support such connections. If you choose to use a remote connection, you must use multi-factor
authentication (user name and password, plus an additional authentication item, such as a token), as required by
Requirement 8.3 of the PCI Data Security Standard.
If partners or resellers use remote access software, security features must be implemented and used. Here are some
examples of remote access security features:
● Change default settings in the remote access software (for example, change default passwords, and use unique
passwords for each user).
● Allow connections only from specific (known) IP/MAC addresses.
● Use strong authentication, and establish user password policies, according to Requirement 8 of the PCI Data
Security Standard.
● Enable encrypted data transmission, according to Requirement 4.1 of the PCI Data Security Standard.
● Enable account lockout after a specific number of failed sign-in attempts, according to Requirement 8.5.13 of the
PCI Data Security Standard.
● Configure the system so that a remote user must establish a virtual private network (VPN) connection via a
firewall before access is allowed.
● Enable logging.
● Restrict access to user passwords to authorized reseller/integrator personnel.
Non-console administrative access
Non-console administrative access to AX 2012 is not supported and could prevent PCI compliance. If you choose to
use non-console administrative access, you must implement and use multi-factor authentication and encrypt the
connection by using Secure Shell (SSH), VPN, or TLS, as required by Requirement 2.3 of the PCI Data Security
Standard.
PA-DSS implementation guide 56
Part 4: Audit logging
To comply with Requirement 10 of the PCI Data Security Standard, you must enable logging as described in the
following sections of this guide:
● All computers: Prepare for monitoring the event logs
● All computers: Set up auditing of file access, object access, and audit-policy changes
● At the head office: Set up database logging
You must monitor and manage the log files that are produced.
Monitor AX 2012 activity
At the head office, audit logged information according to the schedule that is described in Requirement 10 of the
PCI Data Security Standard.
Note: Although the procedures in this section are related to Requirement 10 of the PCI Data Security Standard, they
are beyond the scope of the PCI requirement because, in an implementation of AX 2012 that uses Payment Services
for Microsoft Dynamics ERP, no cardholder data is stored, and users cannot change the cardholder data flow or the
security of cardholder data. Therefore, the following procedures are included in this guide as optional best practices
that help make organizational data more secure.
View information about user sign-in and user sign-out
View the user log in AX 2012 to see sign-in information for each authorized user.
1 Click System administration > Inquiries > Users > User log. The sign-in dates and times that are shown are
also the dates and times when the log was initialized.
2 To view the date and time when a particular user signed out, select the sign-in event that you are interested in,
and then click the General tab.
View the audit trail
Use the database log in AX 2012 to view changes to the tables that you selected for auditing, as described in At the
head office: Set up database logging, earlier in this guide.
1 Click System administration > Inquiries > Database > Database log.
2 Select the record to view, and then click the History tab.
PA-DSS implementation guide 57
View the SQL Server trace log files
Monitor the SQL Server trace log files to see which users accessed the log files. Each entry in the trace log file
includes the user who signed in to access data, the type of event, the specific database query that was used to access
data (this information indicates whether data was read or modified), the date and time of access, the success or
failure of the operation, the origination of the event (client application), and the identity or name of the resource
(database table) that was accessed.
1 In SQL Server Management Studio, on the File menu, point to New, and then click Query with Current
Connection.
2 In the right pane, type the following text. Replace C:\<path> with the actual location of the trace file and <date>
with the date string of the correct trace file.
select * FROM ::fn_trace_gettable('C:\<path>\pos_trace_pmt_<date>.trc', default)
3 On the Query menu, click Execute.
The results of the query provide the audit log.
Note: The SQL Server trace log files are saved in a secure location that only administrators can access. Typically, the
path of the files is C:\Program Files\Microsoft SQL Server\<instance name>\MSSQL\Log.
Monitor Retail POS activity
Activity in Retail POS is logged in the AX.RetailTransactionTable table in the store or register offline database. This
table provides logging of the events that must be monitored for PCI compliance. These events are as follows:
● Employee sign-in and sign-out
● Failed sign-in attempts
Note: The logging can be modified only at the head office, via changes to the functionality profile for each terminal.
Confirm that Audit logging is still assigned to each functionality profile in the Functionality profile form (Retail >
Setup > POS > Profiles > Functionality profiles).
Important: You should not disable logging. Otherwise, your system will not comply with the PCI Data Security
Standard.
At the store, events are logged in the AX.RetailTransactionTable, AX.RetailAuthenticationLog, and AX.RetailLog
tables. For each event in the table, the following information is logged:
● The type of event
● The date and time when the event occurred
● The origination of the event (store and terminal)
● For sign-in events, the ID of the cashier who signed in. This cashier is associated with all events after the sign-in
event, until a sign-out event occurs.
Logged events in stores are transmitted to the central back office and stored in the RetailTransactionTable,
RetailAuthenticationLog, and RetailLog tables.
PA-DSS implementation guide 58
In the back-office database, use a query in SQL Server Management Studio to view the RetailTransactionTable table.
For each event in the table, the following information is logged:
● The type of event
● The date and time when the event occurred
● The origination of the event (store and terminal)
● For sign-in events, the ID of the cashier who signed in. This cashier is associated with all events after the sign-in
event, until a sign-out event occurs.
Important: AX 2012 facilitates centralized logging by sending all audit logs to the central AX 2012 database. You
must configure the P-Job to include the RetailAuthenticationLog and RetailLog tables.
Monitor event logs
You must monitor the event logs on every computer in the AX 2012 system. You can view Windows user sign-in and
sign-out events, and other user management events, from the Windows event log. When access to files and system
objects is audited, you can also use the event log to monitor access to the auditing files themselves.
The event log also shows initialization of the log file in AX 2012. This initialization is indicated by the event for AOS
startup, because logging is turned on when the AOS service is running. The event is Event ID 149, “Object Server
<server name>: Ready for operation.”
1 If you are running Windows 7, Windows Embedded POSReady 7, Windows 8.1, Windows Server 2008 R2,
Windows Server 2012, or Windows Server 2012 R2, click Start, type Event Viewer in the search box, and then
press Enter.
2 If the Windows Logs folder is available, expand it, and then click Security.
Each event has a unique event ID, and Windows Event Viewer provides a filter tool that makes it easier to view
occurrences of specific events. The following table identifies the event IDs that are logged, based on corresponding
operations in Windows.
For each event, the following information is logged and can be viewed in Event Viewer:
● The Windows user account that was involved in the operation
● The type of event
● The date and time when the event occurred
● The success or failure of the operation
● The origination of the event
● The identity or name of any affected data, component, or resource
● The user group that a user was added to or removed from, if this information is appropriate
Operation Event ID
Windows Embedded POSReady 7, Windows 7, Windows 8.1, Windows Server 2012, Windows Server
2012 R2, or Windows Server 2008 R2
Logon attempt 4776
PA-DSS implementation guide 59
Operation Event ID
Logon success 4624
Logon failure 529, 535, 539
Logoff 538
User password reset 4724
User account created 4720
User account disabled 4725
User account deleted 4726
User account added 4728
User account changed 4738
User account locked out 4740
Member added to user group 4732
Member removed from user group 4733
Object access (update or deletion of monitored files) None
File modified and saved 4663
Audit policy changed None
Domain policy changed 4739
Event Viewer Security log cleared 1102
Part 5: Software updates and support
Software updates
Updates to AX 2012 are not delivered via remote connection. Instead, updates are either downloaded from a secure
website, at the merchant’s specific request, or installed from a CD. Software updates must not be downloaded via
remote connection. The integrity of patches and updates is maintained via code signing of all releases of patch or
update code.
Troubleshooting and support
AX 2012 does not enable the collection or storage of sensitive authentication data for troubleshooting purposes.
This section outlines the process that Microsoft and its Certified Partners must follow when an AX 2012 customer
requires troubleshooting of a specific problem. This process is designed to help guarantee the security of sensitive
PA-DSS implementation guide 60
information in the database (such as employee passwords and payment-related data) and helps satisfy
Requirement 3.2 of the PCI Data Security Standard. Support personnel must collect only the limited amount of data
that they require to solve the specific problem that is being reported.
The remaining paragraphs in this section describe the process that Microsoft support personnel and the AX 2012
product team follow. Microsoft Certified Partners must implement support processes and tools with that have
security measures in place. Here are some of these measures:
● Collect sensitive authentication data only when it is required in order to solve a specific problem.
● Store such data only in specific, known locations that have limited access.
● Collect only the limited amount of data that is required in order to solve a specific problem.
● Securely delete such data immediately after it is used.
● Encrypt sensitive authentication data while it is stored. (AX 2012 stores no sensitive data. Sensitive data refers to
any data that might be stored via third-party add-ins or other sources.)
When a customer contacts Microsoft Technical Support, the support engineer creates a record of the issue and
initiates an investigation. The product team then attempts to reproduce the issue on test databases and, if this step
is required, by using test credit card accounts. If the issue cannot be reproduced on test databases, support
personnel use one of the following processes, depending on the situation:
● Support personnel access the customer’s desktop.
● Support personnel obtain a copy of the store database. (The copy contains no sensitive cardholder data.)
● Support personnel travel to the customer’s place of business.
In all scenarios, access to the database is restricted to the following support personnel: Escalation Engineers, Support
Escalation Engineers, Tech Leads, and Team or Service Delivery Managers.
Support personnel access the customer’s desktop
With the customer’s specific approval, a support engineer can use Microsoft Skype for Business to access the
customer’s desktop and investigate the issue directly. The support engineer does not have access to the customer’s
card number or card data.
Support personnel travel to the customer’s place of business
The support engineer investigates the issue on-site, and the customer’s data never leaves the store.
Distribution of hotfixes
When a resolution becomes available for a reported issue, a hotfix is released. Hotfixes are distributed via secure
download from the Microsoft website at the customer’s specific request.
PA-DSS implementation guide 61
Appendix A: Version history
The following table summarizes the changes that have been made to this guide since it was originally published in
January 2012.
Product version PA-DSS listing Change data PA-DSS version
The information has been updated
for the release of Microsoft
Dynamics AX 2012.
Reference #: 12-01.00087.013 January 2012 2.0
The information has been updated
for the release of Microsoft
Dynamics AX 2012 R2.
Reference #: 12-06.00087.014 September 2013 2.0
The information has been updated
for the release of Microsoft
Dynamics AX 2012 R3.
Reference #: 14-01.00087.016 May 2014 2.0
The information has been updated
for the release of Microsoft
Dynamics AX 2012 R3 CU8.
Reference #: 14-01.00087.017 October 2014 2.0
The information has been updated
for the release of Microsoft
Dynamics AX 2012 R3 CU8.
Reference #: 14-01.00087.017 December 2015 2.0
The information has been updated
for the release of Microsoft
Dynamics AX 2012 R3 CU11.
Pending January 2017 3.2
Send feedback.
Microsoft Dynamics is a line of integrated, adaptable business
management solutions that enables you and your people to make
business decisions with greater confidence. Microsoft Dynamics works
like and with familiar Microsoft software, automating and streamlining
financial, customer relationship, and supply chain processes in a way
that helps you drive business success.
United States and Canada toll-free: (888) 477-7989
Worldwide: (1) (701) 281-6500
www.microsoft.com/dynamics
© 2017 Microsoft Corporation. All rights
reserved.
This document is provided “as-is.”
Information and views expressed in this
document, including URL and other
Internet Web site references, may
change without notice. You bear the risk
of using it.
Some examples are for illustration only
and are fictitious. No real association is
intended or inferred.
This document does not provide you
with any legal rights to any intellectual
property in any Microsoft product. You
may copy and use this document for
your internal, reference purposes.