Security Policy Options & TCP Secure Connection Settings

This provides an explanation of the Security Policy options & TCP Secure Connection Settings available that work in-conjunction with the SwiftPOS Connect service. These need to be considered when configuring Touch POS Terminals in Back Office and when configuring Security Policy settings for KVS, Menu Boards, Reception and Touch Terminals.

Refer to TCP Secure Connections Overview for an overview of the TCP Connection scenarios that can be configured.

 

---

Subjects      ▼

• To Be Considered

• Security Policy Options

• TCP Secure Connection Settings

 

---

To Be Considered      ▲ ▼

• KVS, Menu Boards, Reception and Touch Terminals will always initiate their connection to the SwiftPOS Connect service.
• Certificates can be installed into one of the Local Machine Certificate Stores using Windows Certificate Manager application (certlm.msc).
• The server must have the private key for the selected certificate, or you won’t be able to select it.
• No extended certificate properties are required. Just a standard server authentication certificate is required.
• Binding is done between the the SwiftPOS Connect service and the Security Certificate. This means when a Security Certificate is renewed, it requires the newly issued Security Certificate to be selected the Touch POS Terminal settings in Back Office, and then the SwiftPOS Connect service to be restarted in order for it to bind to the new Security Certificate.

 

---

Security Policy Options      ▲ ▼

 

 

The following options are available:

• None
• Minimal
• Standard
• Strict

 

---

None      ▲ ▼

Select to ensure the TCP connection with KVS, Menu Boards, Reception and Touch Terminals, WILL ALWAYS be unencrypted. That is, the SwiftPOS Connect service will not be required to encrypt the TCP connection. This will also be the case, even if a Security Certificate has been configured in the Touch POS Terminal settings.

 

 

---

Minimal - (Default)      ▲ ▼

Select to ensure the TCP connection with KVS, Menu Boards, Reception and Touch Terminals, will be by default unencrypted. That is, the SwiftPOS Connect service will not be required to encrypt the TCP connection. However, if a Security Certificate has been configured in the Touch POS Terminal settings, and the TCP Secure Connection setting has been set to either Favour Secured or Force Secured (v10+ Only), the TCP connection will be encrypted.

 

 

---

Standard      ▲ ▼

Select to ensure the TCP connection with KVS, Menu Boards, Reception and Touch Terminals, is required to be encrypted. This will require Security Certificate to be configured and the TCP Secure Connection setting set to either Favour Secured or Force Secured (v10+ Only). Once set the following checks will be done to ensure encryption:

• The Security Certificate is valid and has not expired.

 

 

---

Strict      ▲ ▼

Select to ensure the TCP connection with KVS, Menu Boards, Reception and Touch Terminals, is required to be encrypted. This will require Security Certificate to be configured and the TCP Secure Connection setting set to either Favour Secured or Force Secured (v10+ Only). Once set the following checks will be done to ensure encryption:

• The Security Certificate is valid and has not expired.
• The DNS names match. That is, the host name of the server entered into the POS application must match the certificate.
• The Security Certificate has been signed by a trusted root certificate somewhere in the chain. This means self-signed certificate CANNOT be used.

 

---

Tcp Secure Connection Settings      ▲ ▼

 

 

The following options are available:

• None
• Favour Secured
• Force Secured (V10+ Only)
• Security Certificate
• Certificate Store
• Hardware Lock terminals

 

---

None      ▲ ▼

Select to ensure all TCP connections for KVS, Menu Boards, Reception and Touch Terminals are unsecured.

 

 

---

Favour Secured      ▲ ▼

Configured in Back Office > Touch POS Terminals.

Select to ensure an attempt is made to enforce the encryption of the TCP connection where possible. This will be attempted when a Security Certificate has been selected and the Security Policy Option for KVS, Menu Boards, Reception and/or Touch Terminals has been set to either Minimal (default), Standard or Strict. If set to None, the TCP connection will still be allowed but it will be unencrypted.

 

---

Force Secured (v10+ Only)      ▲ ▼

Same as the Favour Secured option above, except that if the Security Policy Option for KVS, Menu Boards, Reception and/or Touch Terminals has been set to None, the TCP connection will be rejected.

 

---

Security Certificate      ▲ ▼

Displays the security certificate that's been selected and will be used by the SwiftPOS Connect service when binding with the Security Certificate.

 

 

---

Certificate Store      ▲ ▼

Select from the drop-down list one of the Local Machine Certificate Stores which contains the certificateto be selected. Once the correct store has been selected, use the […] button to the right of the drop down to display all valid certificates within that store which can be selected for use by the Connect Service (expired certificates won’t be displayed). Common Certificate Store descriptions in swiftpos and what they convert too in the Windows Certificate Manager are:

 

 

Noteworthy 

• CertificateAuthority - Intermediate Certification Authorities store.
• My - Personal Certificate store.
• Root - Trusted Root Certification Authorities store.

 

---

Hardware Lock Terminals      ▲ ▼

Select to ensure a Hardware Lock is required to establish a connection to the Back Office. Once selected all Touch POS Terminals will require a Hardware Access Code to be entered when attempting to connect via the the SwiftPOS Connect service.

 

 

End of article.      ▲