PCI Compliance


RTS and PCI Compliance / Trustwave Scans

Warning
  • Ports 2235, 80, and 443 must be the only ports forwarded to the server.
    • Older locations may have port 2237 forwarded to the server. This port is no longer required and should be removed.
  • The Trustwave scan must include the hostname, not just the IP address, because your RTN page is hosted on your RTS Server. This means the scan must be set up to include an ecommerce website.
    • Your hostname will look like this: "RTN.formovietickets.com:2235", except swap out RTN with your RTN number.
Notes
  1. As of the latest update, the top left of the RTS screen looks like this now:
  2. The first number is the terminal number, a number assigned by the RTS server to this computer that helps our technicians identify the machine. This number has nothing to do with what stations are on the machine and it will never change.
  3. The second number after the hyphen is your RTN.

Info
All of these solutions require a restart of the Internet Server in order to be applied.

Instructions on how to restart the Internet Server can be found at the following link:
  1. https://helpdesk.rts-solutions.com/portal/en/kb/articles/restarting-the-internet-server-how-to-and-why

In RTS you will need to follow these steps to be PCI compliant.

  1. Go to Setup -> Ready Ticket Network -> Options
  2. Web Server Port must be set to 80
  3. Web Server Port SSL must be set to 443
  4. Block Unencrypted must be set to True
  5. Force TLS 1.2 must be set to True
  6. Click Save to save these settings.
  7. Restart Your Internet Server On Your RTS Server Computer

Additional settings may need to be configured if you see the following as failure points in your PCI Compliance scan.

Quote
Failure Due To:
Weak SSL/TLS Key Exchange
THREAT:
QID Detection Logic:
For an SSL-enabled port, the scanner probes and maintains a list of supported SSL/TLS versions. For each supported version, the scanner does an SSL handshake to get a
list of KEX methods supported by the server. It reports all KEX methods that are considered weak and lists all server-supported ciphers for each weak key exchange
method supported by the server.
The criteria for a weak KEX method are as follows:
The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 112 bits of security, which
translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges or 224 bits for Elliptic Curve Diffie-Hellman key exchanges.
Steps To Resolve
  1. Go to Setup -> Ready Ticket Network -> Options
  2. Disable Weak Ciphers must be set to True
  3. Click Save to save these settings
  4. Restart Your Internet Server On Your RTS Server Computer
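The detection logic quoted above can be reproduced offline against the thresholds it states, which is a useful way to interpret the scan output or to pre-check a configuration before the next Trustwave scan. The script below is an added example and is not RTS or Trustwave code; the `Handshake` records, the `SAMPLE_HANDSHAKES` list and the function names are constructed for illustration and stand in for what a scanner learns by probing a port. It also flags protocol versions below TLS 1.2, matching the "Force TLS 1.2" setting from the steps earlier on this page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds stated in the finding: 112 bits of security means at least
# 2048-bit RSA/DH or 224-bit ECDH key-exchange keys.
MIN_KEY_BITS = {"RSA": 2048, "DH": 2048, "ECDH": 224}
# Versions that remain enabled once "Force TLS 1.2" is set to True.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


@dataclass(frozen=True)
class Handshake:
    """One probe result: what a scanner learns from a single handshake (constructed)."""
    tls_version: str  # protocol version negotiated, e.g. "TLSv1.2"
    kex: str          # key-exchange family: "RSA", "DH" or "ECDH"
    key_bits: int     # size of the key-exchange key the server offered
    cipher: str       # cipher suite name as OpenSSL reports it


def is_weak_kex(kex: str, key_bits: int) -> bool:
    """True when the key-exchange key is below the 112-bit security floor.
    Unknown families are treated as weak so they surface in the report."""
    minimum = MIN_KEY_BITS.get(kex.upper())
    return minimum is None or key_bits < minimum


def weak_kex_report(handshakes):
    """Group each weak key-exchange method with every cipher seen using it,
    per TLS version, mirroring the detection logic quoted in the finding."""
    report = defaultdict(lambda: {"versions": set(), "ciphers": set()})
    for hs in handshakes:
        if is_weak_kex(hs.kex, hs.key_bits):
            entry = report[(hs.kex.upper(), hs.key_bits)]
            entry["versions"].add(hs.tls_version)
            entry["ciphers"].add(hs.cipher)
    # Sorted lists make the report deterministic and easy to diff between scans.
    return {key: {"versions": sorted(val["versions"]), "ciphers": sorted(val["ciphers"])}
            for key, val in report.items()}


def legacy_versions(handshakes):
    """Protocol versions seen that the Force TLS 1.2 setting should have disabled."""
    return sorted({hs.tls_version for hs in handshakes} - ACCEPTED_VERSIONS)


# Constructed sample probe results; not output from a real scan.
SAMPLE_HANDSHAKES = [
    Handshake("TLSv1.2", "DH", 1024, "DHE-RSA-AES256-SHA"),
    Handshake("TLSv1.2", "DH", 1024, "DHE-RSA-AES128-GCM-SHA256"),
    Handshake("TLSv1.2", "ECDH", 256, "ECDHE-RSA-AES128-GCM-SHA256"),
    Handshake("TLSv1.2", "RSA", 2048, "AES128-SHA"),
    Handshake("TLSv1.0", "RSA", 2048, "AES128-SHA"),
]

if __name__ == "__main__":
    for (kex, bits), detail in weak_kex_report(SAMPLE_HANDSHAKES).items():
        print(f"Weak KEX {kex} {bits}-bit on {', '.join(detail['versions'])}: "
              + ", ".join(detail["ciphers"]))
    for version in legacy_versions(SAMPLE_HANDSHAKES):
        print(f"Legacy protocol still enabled: {version}")
```

On the constructed sample the report names the 1024-bit DH exchange once, with both DHE ciphers listed under it, and separately flags TLS 1.0 as still enabled; the 256-bit ECDH and 2048-bit RSA exchanges pass. After setting Disable Weak Ciphers to True and restarting the Internet Server, the equivalent real-scan output should contain no weak key-exchange entries.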


Quote
Failure Due To:
HTTP Security Header Not Detected 
THREAT:
This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure:
X-Content-Type-Options: This HTTP header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) allows web servers to declare that web browsers (or other complying user agents)
should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
QID Detection Logic:
This unauthenticated QID looks for the presence of the following HTTP response headers:
The valid directives are as below: X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=<expire-time> [; includeSubDomains]
Steps To Resolve
  1. Go to Setup -> Ready Ticket Network -> Headers
  2. Set Strict-Transport-Security to Enabled with IncludeSubDomains
  3. Set X-Content-Type-Options to NoSniff
  4. Click Save to save these settings
  5. Restart Your Internet Server On Your RTS Server Computer


Quote
Reflected Cross-Site Scripting (XSS) in HTTP Header (Port 80 and Port 443)
THREAT:
XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might
include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters
that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the
browser. Its payload is inside one of the "injectable" headers of the HTTP protocol.
Steps To Resolve
  1. Go to Setup -> Ready Ticket Network -> Headers
  2. Set X-XSS-Protection to Enabled.
  3. Click Save to save these settings
  4. Restart Your Internet Server On Your RTS Server Computer
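The two header findings above (HTTP Security Header Not Detected, and the reflected XSS finding whose resolution is the X-XSS-Protection header) can both be verified from a single raw HTTP response, which is what the scanner actually inspects. The checker below is an added example, not RTS code; the `BEFORE`, `PARTIAL` and `AFTER` responses are constructed samples rather than captures from an RTS Internet Server, and the function names are this example's own. It checks exactly the directives the findings name: `X-Content-Type-Options: nosniff`, a `Strict-Transport-Security` header with a positive `max-age` and `includeSubDomains`, and an enabled `X-XSS-Protection` header.

```python
def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def hsts_directives(value: str) -> dict:
    """Parse an HSTS value such as 'max-age=31536000; includeSubDomains' into a
    dict keyed by lower-cased directive name; flag directives map to None."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() if sep else None
    return directives


def header_findings(raw: str) -> list:
    """Return the findings a scanner would raise for one response; empty means pass."""
    _, headers = parse_response(raw)
    findings = []

    # X-Content-Type-Options must be present with the value nosniff.
    xcto = headers.get("x-content-type-options", [])
    if not any(v.lower() == "nosniff" for v in xcto):
        findings.append("X-Content-Type-Options: nosniff not set")

    # HSTS must be present with a positive max-age; the resolution steps on
    # this page also enable includeSubDomains, so its absence is reported too.
    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = hsts_directives(hsts[0])
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) <= 0:
            findings.append("Strict-Transport-Security max-age missing or zero")
        if "includesubdomains" not in directives:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # X-XSS-Protection counts as enabled when its value starts with "1".
    xxp = headers.get("x-xss-protection", [])
    if not any(v.strip().startswith("1") for v in xxp):
        findings.append("X-XSS-Protection not enabled")
    return findings


# Constructed sample responses (not real server captures).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Ready Ticket Network</body></html>"
)
PARTIAL = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>Ready Ticket Network</body></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html><body>Ready Ticket Network</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(label, "->", header_findings(sample) or "no findings")
```

The `BEFORE` response reproduces all three findings, `PARTIAL` shows that a header can be present yet still fail on its directives, and `AFTER` matches what the Headers settings above produce and returns no findings. To run it against a live server, fetch the page over port 443 with any HTTP client that exposes raw headers and pass the response text to `header_findings`. One caveat worth knowing when reading the XSS finding: current browsers no longer act on `X-XSS-Protection`, so while setting it satisfies the scan check, the durable defence against reflected XSS is the application encoding anything it echoes back into HTML.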