Creating an HS-PCI-Enabled Site

When you run Server and Site creation wizards, you have the option to create a Site with or without PCI DSS HS compliance. If you choose to create an HS-PCI-enabled Site, the Site Setup wizard also determines the status of the Auditing and Reporting Module (ARM); if PCI is enabled, but ARM is not, a warning message appears to inform you that you must enable ARM on the Server before creating the Site.

For details of configuring Servers and Sites, and enabling ARM on the Server, refer to the following topics:

Server Setup Wizard

Configuring the Auditing and Reporting Module

Before creating an HS-PCI-enabled Site, review the other topics in The HS-PCI Module.

You will need the following information to create and configure an HS-PCI-enabled Site:

  • IP address and port for Auditing and Reporting database (ARM (Auditing and Reporting Module; captures the transactions passing through EFT Server and provides an interface in EFT Administrator where you can use preconfigured or your own custom reports to query, filter, and view transaction data.) must be enabled for HS-PCI-enabled Sites)

  • If the SMTP server requires authentication, you will need to know the administrator e-mail address and SMTP server name, port, and login information (for e-mailing the compliance Report).

  • If you use default values for administrator port (1100), DMZ Gateway port (44500), FTP banner message, or SFTP banner message, a warning appears in which you must change the value or provide a reason for using the default. The reason that you provide will appear in the Description field of the compliance report.

    The wizard performs several checks and asks you to provide information based on the results of those checks, including:

    The wizard is quite intuitive and provides instructions where necessary. The wizard pages change based on your selections. The procedure below walks you through the most common scenarios.

    Since EFT Server does manage NT/LDAP accounts, when you create an HS-PCI-enabled Site that uses LDAP or Windows Active Directory authentication, the following features are not available and not audited for the compliance Report:

    Complex Passwords

    Password History


    Password Reset


    Removing Inactive User Accounts

     

    To setup an HS-PCI-enabled Site

    1. Do one of the following:

    2. The Site Setup wizard Welcome page appears.

    3. In the Site name box, type a name a unique name for the Site. The default name is MySite, but you change it to anything you want. The name you provide here will appear in the Server tree in the left pane of EFT Administrator and in reports and messages.

    4. In the Listening IP box, specify the IP address the Site should listen on, or leave the default of All Incoming.

    5. Click Next. The Site Root Folder page appears.

    6. In the Site root box, leave the default or click Browse to specify the root folder.

    7. In the Additional options area, select the check boxes as needed:

    8. Click Next. The User Authentication page appears.

    9. In the Authentication type list, specify one of the following authentication methods that this Site will use to authenticate user connections:

    10. Click Next. The EFT Server Authentication settings page appears.

    11. The default path to store the user database appears in the box. If you want to store the user database in a different location, click the Browse icon or type the path in the box.

    12. Click Next. The Perimeter Network Security page appears.

    13. Specify whether to connect the Site to EFT Server's DMZ Gateway.

    14. Click Next. If you specified a default port for DMZ Gateway, the Vendor Defaults page appears.

    15. Change the port number to a non-default number, or provide a reason for keeping the default port. (The reason will appear in the Description box of the PCI DSS Compliance report.)

    16. Click Next. If the Server was configured with the default Administrator port of 1100, the Vendor Defaults page appears for you to change the Administrator port or provide justification for using the default.

    17. Click Next. The Data Retention and Disposal page appears.

    18. Do one of the following:

    19. Click Next. The Administrator Account Password Security page appears.

    20. Keep the default of enabling the administrator account password security settings or click Continue without changing administrator account password security settings, then provide the justification and compensating control. (The reason will appear in the Description box of the PCI DSS Compliance report.)

    21. Click Next. The Daily PCI DSS Audit Report page appears.

    22. Do one of the following:

    23. Click Next. The Data Sanitization page appears.

    24. Do one of the following:

    25. Click Next. The Connection Protocols page appears.

    26. Select one or more check boxes for the protocol(s) and specify the port numbers that this Site will use to connect to EFT Server.

    27. If you specify plain-text FTP or HTTP, after you click Next, EFT Server will prompt you to disable these unsecure protocols or continue and supply justification.

    28. Click Next. The Vendor Default page appears if the default SFTP banner message is used on the Server.

    29. Do one of the following:

    30. Click Next. The Site Setup Completed page appears.

    31. You are offered the option of continuing to the User Creation wizard or quitting the wizard. Click an option, then click Finish. If you chose Run New User Creation wizard, the User Creation wizard Welcome page appears.

    The HS-PCI-enabled Site appears in the tree on the Server tab.