
Security Parameters

 

SAP POS supports the use of multiple encryption keys through a behind-the-scenes security module. This module maintains a library of encryption keys and allows the active encryption key to be changed at any time. The underlying assumption in a multiple key scenario is that there is only one key per transaction and that the key cannot be changed during a transaction.

Once an encryption key is established, there are two instances when it may need to be changed:

  • Regular security maintenance

  • The integrity of the key has been compromised

During regular maintenance, you cannot change the key value for historical data. A new decryption key is defined for data encryption. If the integrity of the key has been compromised, the data in the back office database is decrypted, and then re-encrypted with the new key. (This procedure is not extended to TLOG records or to the credit.saf file.)

 

You use the Security Parameters to set or modify encryption settings.

Structure

Security Parameters

Screen Element

Description

Real Time TLog Encryption

When the real time trickle function is configured, the POS Server application automatically converts TLOG records to an ASCII file format as they trickle to the POS Server. When the Payment Card Industry (PCI) security feature is enabled, by default this option is enabled and TLOG records are automatically encrypted.

This option allows you to override the default action that encrypts the data in the ASCII TLOG file by deselecting the Real Time TLog Encryption option.

For more information on setting up the Real Time trickle process, see Setting Up Real Time Trickle for Transaction Records.

Customer Information Encryption

This option allows you to override encryption of associated customer attributes. When set to No, this option overrides the encryption of customer information.

Note

This option applies to all defined attributes for a customer; it cannot be set to encrypt only some attributes.

Export Hashed Employee Password

If this option is checked, the passwords of exported employees are hashed in the export file EMPXTXN.ASC. This is the default setting.

Leave this option unchecked if a security container has not been installed at the store level. Otherwise, after the application of the downloaded EMPXTXN.ASC parameter file on the Xpress Server, employees will not be able to log on at the store level because their passwords are not expected to be hashed.

Encryption Key Token

The value of this setting represents the current, active encryption key on the POS Server. The allowable range for this setting is 0 to 255 (zero is represented by a blank).

Caution

Entering a value of -1 as a means to stop the data encryption module once it has been activated is not allowed for this option.

Allow key token to be determined by key management system

  • If you leave this checkbox blank, the system uses the current active key token in the Encryption Key Token field above.

  • If you select this checkbox, the system retrieves the current active key token from the TWSecurity COM object. The POS Server application polls the TWSecurity COM object at the following times:

    • At the end of each transaction, to retrieve the active key token

    • Every 5 minutes when the POS is idle, to retrieve the active key token

    • At specified intervals, to check for new parameter files (default: every 30 seconds)
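The following Python sketch is an added example, not SAP code. It models the multiple-key behaviour described at the top of this page (one key per transaction, historical data left under its old key, re-encryption after a compromise) together with the Encryption Key Token rules (blank means 0, range 0 to 255, -1 rejected). The names KeyLibrary and parse_token, the (token, nonce, ciphertext) record layout and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def parse_token(field: str) -> int:
    """Encryption Key Token field: blank means 0, valid range is 0..255."""
    token = int(field) if field.strip() else 0
    if not 0 <= token <= 255:          # this also rejects -1
        raise ValueError(f"key token out of range: {token}")
    return token

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 keystream, no integrity); not the product's algorithm.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class KeyLibrary:  # hypothetical model; a record is (token, nonce, ciphertext)
    def __init__(self):
        self.keys = {}        # token -> key bytes
        self.active = None    # token used for new transactions
        self.pinned = None    # token fixed for the open transaction

    def add_key(self, token: int, key: bytes) -> None:
        self.keys[parse_token(str(token))] = key

    def set_active(self, token: int) -> None:
        if token not in self.keys:
            raise KeyError(token)
        self.active = token   # an open transaction keeps its pinned token

    def begin_transaction(self) -> None:
        self.pinned = self.active

    def end_transaction(self) -> None:
        self.pinned = None

    def encrypt(self, plaintext: bytes) -> tuple:
        token = self.active if self.pinned is None else self.pinned
        nonce = os.urandom(16)
        return (token, nonce, _xor_stream(self.keys[token], nonce, plaintext))

    def decrypt(self, record: tuple) -> bytes:
        token, nonce, ciphertext = record   # the stored token selects the key
        return _xor_stream(self.keys[token], nonce, ciphertext)

    def rekey(self, records: list, compromised: int) -> list:  # compromise case
        return [self.encrypt(self.decrypt(r)) if r[0] == compromised else r
                for r in records]
```

Changing the active token while a transaction is open affects only the next transaction, and rekey leaves records under other tokens untouched.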