Aloha DelTrack v6.4.

1
Use with Aloha versions 5.3.1 and later

Table of Contents
About Aloha DelTrack ............................................................................................................. 3 Configuring Aloha DelTrack .................................................................................................... 5 Best Practices for Removing Card Data from Aloha, v5.2.8 or Earlier ................................ 8 Best Practices for Removing Card Data from Aloha, v5.3.1 or Later................................... 8 Understanding DelTrack and the Audit Report ....................................................................... 9 Feature History .................................................................................................................... 10

Page 1

Copyright 2008, Radiant Systems, Inc. The information contained in this publication is confidential and proprietary. No part of this document may be reproduced, disclosed to others, transmitted, stored in a retrieval system, or translated into any language, in any form, by any means, without written permission of Radiant Systems, Inc. Radiant Systems, Inc. is not responsible for any technical inaccuracies or typographical errors contained in this publication. Changes are periodically made to the information herein; these changes will be incorporated in new editions of this publication. Any reference to gender in this document is not meant to be discriminatory. The software described in this document is provided under a license agreement. The software may be used or copied only in accordance with the terms of that agreement. Radiant Systems, Inc., 2008. All Rights Reserved. ALOHA is a U.S. Registered Trademark of Radiant Systems, Inc. Microsoft, and Windows are registered trademarks of Microsoft, Inc. IBM is a registered trademark of International Business Machines Corporation. Other products mentioned are trademarks or registered trademarks of their respective companies.

Aloha DelTrack

Page 2

About Aloha DelTrack

The Aloha DelTrack utility provides considerable help, at the site level, in the efforts of merchants to comply with Payment Card Industry Data Security Standards (PCI DSS). The role of DelTrack is to remove payment card information from stored files, where present, to make theft of cardholder information as difficult as possible. The most effective way to use DelTrack is to configure the user interface to create a from a command line for subsequent use in a batch file. You can run the batch file from Winhook, as part of the End-of-Day (EOD) process, or you can use the Microsoft Windows Scheduling Service to automate running the batch file after EOD completes. When you use the DelTrack utility, it removes sensitive payment card information. Once removed, the data is unavailable for future reporting or other method of access. Historically, there are two versions of the DelTrack utility, v1.0.2, and v6.4.1, with both program files having the same file name, DelTrack.exe. You can easily determine the version by double-clicking the program file in Windows Explorer. If the program file opens to a user interface, you have the newer version. DelTrack v1.0.2 is only appropriate for use with data created by Aloha versions 5.2.8 and earlier. These earlier versions of Aloha store all payment card information in plain text in the Trans.log and settlement files. DelTrack v1.0.2 successfully removes track data from stored versions of the Trans.log and settlement files, but leaves the card numbers, cardholder names, and expiration dates in plain text. To ensure you are in compliance with the PCI DSS, you must remove the credit card information from these stored files. Refer to Best Practices for Removing Card Data from Aloha, v5.2.8 or Earlier on page 8. The newer version of DelTrack, v6.4.1, successfully removes track data, if present, and sensitive payment card information from stored versions of the Trans.log and settlement files created by Aloha versions 5.3.1 or later. Refer to Best Practices for Removing Card Data from Aloha, v5.3.1 or Later on page 8 to ensure the removal of all payment card information from these files. DelTrack v6.4.1 also provides additional functionality that was not available in Deltrack v1.0.2. Refer to the table entitled Configuring Aloha DelTrack on page 5 to determine the new parameters available to you in v6.4.1. Versions of Aloha earlier than v5.3.15, by definition, are not capable of complying with the Payment Card Industry Data Security Standards (PCI DSS). For this reason, you must upgrade Aloha to successfully remove sensitive cardholder information from all stored data. The Aloha DelTrack utility is available as a .zip file from the Radiant Systems FTP site, per your normal process. Extract the file to a convenient directory within the %Iberdir% on the Aloha BOH file server, as it uses .dll files in the Aloha directory structure. Please be aware that if you place the file in the %Iberdir%Bin directory, Aloha will copy it to your order entry terminals unnecessarily.

Aloha DelTrack

Page 3

How DelTrack Impacts Card Data in Aloha POS

Aloha DelTrack

Page 4

Configuring Aloha DelTrack

Configuring Aloha DelTrack v6.4.1 is very simple, involving a user interface that you can use immediately to clear the data in the specified file structure on the host computer, or to generate a command line to copy to a batch file for repeated, routine use.

Figure 1 DelTrack Utility User Interface

As you configure the user interface, the read-only text box DelTrack command line changes to reflect your selections. This process is building a command line for you to use in batch files. Each of the arguments has a specific function. The DelTrack user interface contains numerous options you can use to configure this utility to suit your specific business needs: %Iberdir% or Specified path Specifies the path DelTrack scans, as it runs. The %Iberdir% environment variable is the default setting, but you can specify different locations. DelTrack supports a UNC path. Scan subdirectories Instructs DelTrack to scan subdirectories beneath the specified directory. Force (Ignore DELTRACK marker)? Causes DelTrack to re-scan directories previously scanned and marked for omission with the DELTRACK marker file. DelTrack v1.0.2 ignores the Data directory, and creates the marker file in scanned directories only if run in EOD mode. DelTrack v6.4.1 ignores the Data, NewData, VBO, and FTP directories, and always creates the marker file in scanned directories, when it runs.
Aloha DelTrack Page 5

Both LOGs and STLs Causes DelTrack to scan all LOG and STL files in the location defined for the directory to scan. LOGs only Causes DelTrack to scan only LOG files in the location defined for the directory to scan. STLs only Causes DelTrack to scan only STL files in the location defined for the directory to scan. Skip the last _ business days. Specifies the number of days you want DelTrack to exclude from its scan, beginning with the most recent day, and including the specified number of recent days. For example, if you exclude 30 days, and if the date of business today is February 1, DelTrack begins scanning the specified path for data stored on or before January 1. All tenders Instructs DelTrack to scan all transactions paid with all tenders for critical data. Exclude selected tenders Instructs DelTrack to ignore transactions paid with specified tenders from its scan. Include selected tenders Instructs DelTrack to include transactions paid only with the specified tenders in its scan. DelTrack command line Displays a read-only command line that exactly reflects the configuration in the user interface. Click Copy to copy the contents of this text box to the Windows Clipboard, for subsequent use in a batch file. Run Button that instructs DelTrack to run immediately, using the configuration in effect at the moment. Copy Button that instructs DelTrack to copy the contents of the DelTrack command line text box to the Windows Clipboard. Close Button that closes the DelTrack user interface. When configuration is complete, you have the following options: Click Run to immediately run DelTrack on the host computer. This selection causes the utility to run only one time, accomplishing the tasks specified in the user interface at that moment. These actions affect only the computer on which you are running DelTrack, unless you use a UNC path to scan files on another computer, such as \\FileServerName\%Iberdir%\20080121. Click Copy to copy the contents of the DelTrack command line text box to the Windows clipboard. Paste this string into a batch file for use locally, or to export the batch file across your corporate network, to run DelTrack on all Aloha BOH file servers in your installed base. Click Close to close DelTrack, discarding any changes made in the utility. If you routinely use DelTrack from the user interface, you must reconfigure it each time. When DelTrack runs, a progress indicator appears, showing the progress of the scan. It is not possible to cancel or exit out of the scan process, once it begins.

Aloha DelTrack

Page 6

The scan outputs its status and progress notes to %Iberdir%\Tmp\Debout.cc for future troubleshooting, if required. The first output line contains the date and time, and the command line parameters used. The file includes information about successfully cleaned files and the number of transactions modified after each checking entry. DelTrack formats this debout in standard CLF-CSV format. The file is accessible from the Debout Viewer in AlohaMGR, or you can view the contents with any appropriate application, such as Windows Notepad or WordPad. If DelTrack v6.4.1 encounters a log file from an earlier, unsupported version of Aloha (v5.2.8 or earlier), it inserts messages in the debout file, as follows: Jan 18, 09:44:22,,09:44:22 [3704] ProcessDirectory dir C:\bootdrv\TS5.2.8\20070118. Jan 18, 09:44:22,, [INFO],,"ConvertTransLog() - Detected log version '5.2.7.267'" Jan 18, 09:44:22,, [INFO],,"ERROR, Clean Log process: version '5.2.7.267' is not supported." Jan 18, 09:44:22,, 09:44:22 [3704] LOG File FAILED

If DelTrack cannot process a possible Aloha file (e.g., corrupted Trans.log), it inserts the following message in the debout file:
Feb 25, 17:27:46,, [INFO],,"LOG File FAILED" Feb 25, 17:27:46,, [INFO],,"Unable to process suspected Aloha log file C:\bootdrv\20071120\trans.log."

Aloha DelTrack

Page 7

Best Practices for Removing Card Data from Aloha, v5.2.8 or Earlier
As previously stated, DelTrack v6.4.1 is not capable of removing sensitive information from data created by older versions of Aloha, that is 5.2.8 and earlier. Also, running DelTrack v1.0.2 on these files removes track data from these files, but does not remove the remaining card data that enables you to meet the requirements of PCI DSS. It is of utmost importance that you remove the cardholder names, card numbers, and expiration dates from these files, as they are vulnerable to compromise. As a best practice, we recommend upgrading to the latest version of Aloha that has been validated against the PCI DSS and then using DelTrack v6.4.1 to remove the remaining card data in these files. If you are using Aloha v5.2.8 or earlier: 1. Ensure that all transactions are complete, that all batches are settled, and that EOD has run. 2. Run DelTrack v1.0.2 to remove all track data from the dated subdirectories created by the older version of Aloha. 3. Upgrade Aloha to v5.3.15 or later. As a best practice, we recommend upgrading to the latest version of Aloha available that has been validated against the PCI DSS. 4. Regrind all dated subdirectories. This process upgrades them to the new version of Aloha. 5. Run DelTrack v6.4.1 against all dated subdirectories that are older than any exclusion period you may establish for the new DelTrack, e.g. 30 days. You may need to force DelTrack to run, ignoring the old DelTrack marker files. 6. Configure WinHook to run DelTrack as part of EOD, to ensure you are continually removing sensitive data from these files on a regular schedule. You can configure DelTrack to omit dated subdirectories already cleared, and only clear data that is older than the exclusion period.

Best Practices for Removing Card Data from Aloha, v5.3.1 or Later
DelTrack v6.4.1 removes track data, if present, and other sensitive payment card information from data created by Aloha version 5.3.1 and higher. As a best practice, we recommend upgrading to the latest version of Aloha that has been validated against the PCI DSS and using the new version of DelTrack to remove this data from these files. If you are using Aloha v5.3.1 or later: 1. Ensure that all transactions are complete, that all batches are settled, and that EOD has run. 2. Upgrade Aloha, per your current plan. As a best practice, we recommend upgrading to the latest version of Aloha available that has been validated against the PCI DSS. 3. Run DelTrack v6.4.1 against all dated subdirectories that are older than any exclusion period you may establish for the new DelTrack, e.g. 30 days. 4. Configure WinHook to run DelTrack as part of EOD, to ensure you are continually removing sensitive data from these files on a regular schedule. You can configure DelTrack to omit dated subdirectories already cleared, and only clear data that is older than the exclusion period.

Aloha DelTrack

Page 8

Understanding DelTrack and the Audit Report

Aloha displays full credit card numbers and expiration dates in the Audit report, as extracted from .log files. You can use DelTrack to remove information from the .log files Aloha uses to generate the Audit report, except for current-day information. Although you are free to configure this report in accordance with your own needs, you can quickly visualize the presence or absence of credit card numbers on the Audit report by selecting a date for the report, then configuring the report output dialog box as follows:

Figure 2 Audit Report Configuration (TableService)

The following example shows an audit report generated from test data using this configuration, after selecting a date not yet modified by DelTrack:

Figure 3 Example of Audit Report Before Running DelTrack

Aloha DelTrack

Page 9

Although fictionalized in this example, you can see credit card numbers and expiration dates are present in the report. The same report appears as follows, after running DelTrack:

Figure 4 Example of Audit Report After Running DelTrack

Note the substitution of X characters for critical strings.

Feature History Released Versions

6.4.1

Enhancement Description
Initial release of a new version of DelTrack for use with data created by versions of Aloha v5.3.1 and later. DelTrack now includes a user interface you can use to create lines for batch files.

Note: DelTrack is now part of the general Aloha build process. Its version number matches that of the version of Aloha with which it is generated. Major changes to the utility will be noted in the table above, along with the version of Aloha that includes those changes.

Aloha DelTrack

Page 10