This page is maintained to detail the current minimum and recommended requirements for an effective business network for running the Merchant Plus! retail application suite including security recommendations that are so critical in the current technology environment that has become so reliant on Internet access that is open to compromise and security breaches.
Windows Server: Merchant Plus! operates in Client/Server environment where the client workstations access a centralize server (or servers) to operate the software and store the data in the database. This server must have enough power to support the number of client workstations connected to it, whether they are on a local network or in remote locations connected via the Internet. Providing guidelines for servers is challenging as it is dependent upon the number of workstations connected to it and how they are used. The following are general guidelines but a local network technician should be consulted to assure that all processing requirements are considered.
Server Memory: Memory is really dependent upon the number of users accessing the system and can have a substantial effect on performance. 2GB RAM is a minimum but at least 12GB is preferred. As more users are added, more memory is required.
Supported Windows Server Operating Systems: The following Microsoft Server operating systems are supported:
|Server Operating System||Microsoft Support Ends|
|Windows Server 2008/2008 R2||1/14/2020|
|Microsoft Windows Server 2012/2012 R2||1/10/2023|
Note: Operational limitations apply to Small Business Server and Essentials Versions.
Network Interface Card: The network Interface should be at least 100MPS though 1GBPS is preferred.
Terminal Servers: While Windows Server includes two licenses for limited remote access, a dedicated Terminal Server should be used for remote locations as it does the heavy lifting for remote sessions and minimizes the load on the server. Terminal Servers cannot be configured on a network if using a Small Business Server or Essentials Windows Server License. While minimal disk space is required, the Memory should be a minimum of 2GB plus 512MB per concurrently connected workstation. The network Interface should be at least 100MPS though a1GBPS backbone between servers is preferred.
Peer to Peer Servers: For small networks with less than 5 workstations a beefed up PC workstation can function as the Server to save on Microsoft licensing costs. In these environments, any supported workstation operating system and Workgroup editions of the supported Windows SQL versions can be used.
Server Processor: A minimum configuration would be a Single Core Intel Xeon processor but a Single Quad Core Xeon chip or better is preferred.
Server Disk Storage: Minimum 80GB; preferred 300GB.
Network Interface Card: The network Interface should be at least 100MPS, 1 GBPS is preferred.
Supported Windows Peer to Peer Operating Systems: The following operating systems are supported:
|Workstation Operating System||Microsoft Support Ends|
|Microsoft Windows 8.1 Pro||1/10/2023|
|Microsoft Windows 10 Pro||10/14/2025|
Note: Home and Media editions are not supported.
Workstations: Each workstation must be running a supported version of Windows Professional with at least a Pentium i3 Processor, and 2GB of memory though a dual core processor with at least 4GB of memory is suggested. Local disk storage space for Merchant Plus! is less than 1 GB. The network Interface should be at least 100MPS. It is important to make sure that the workstation includes enough ports or the proper type to support all peripherals being connected, whether used by Merchant Plus! or not.
Supported Windows Workstation Operating Systems: The following operating systems are supported:
|Workstation Operating System||Microsoft Support Ends|
|Microsoft Windows 7 Professional||1/14/2020|
|Microsoft Windows 8.1 Pro||1/10/2023|
|Microsoft Windows 10 Pro||10/14/2025|
Note: Home and Media Editions are not supported on a Windows Network, using either Windows Server or in a Peer to Peer environment.
Supported SQL Databases: Microsoft SQL is required on the server to manage the Merchant Plus! database. Currently supported versions include:
|Microsft SQL Versions||Microsoft Support Ends|
|Microsoft SQL Server 2005||4/12/2016|
|Microsoft SQL Server 2008/2008 R2||7/09/2019|
|Microsoft SQL Server 2012/2012 R2||7/12/2022|
Note: SQL Server MSDE and SQL Server Express Editions are not supported.
Remote Access: When remote locations are connected to the server a high speed broad band connection is required at both the host and remote locations. The recommended minimum speed requirement is 3 MPS for the first user plus 512 KBPS for each additional user. Preferred speeds should be at least twice as fast, though permanence and sustained speeds are most important. These are a minimum sustained speed for both download and upload speeds and exclude other demands on bandwidth. If multiple remote locations are supported, the bandwidth at the host must support the total of all remote users.
A dedicated workstation or terminal server at the host is required for minimal security of remote POS systems.
Two-factor authentication for all remote access (including remote support) is required for minimal system security. Two-factor authentication requires two methods of identification when connecting to a network. There are three types of authentication: something you know, something you have, and something you are. Something you know is something the user remembers such as a password or passphrase. Something you have would be an identifier such as a token, phone or smart card. Something you are is most commonly represented as a biometric identifier, such as a fingerprint, or other unique physical attribute.
Networks & Firewalls: Maintaining a reliable and secure network is of critical importance to an efficient operations as well as assuring credit card security as required for a retailer to maintain PCI-DSS compliancy (PCI Requirement :. Install and maintain a firewall configuration to protect cardholder data). It is also critical that good local network technicians be contracted to establish and maintain the network infrastructure. They should be familiar with PCI requirements and understand the importance of segmenting and securing point of sale workstations that process credit cards. Firewalls, either hardware or software based, should limit traffic and access to business needs only. For example, inbound emails and open web browsing are primary sources for virus infiltration and are thereby restricted by PCI standards. Connection speeds should be at least 100MPS though a1GBPS backbone between servers is preferred when more than one server is being used.
Internet Access: Internet access to the server and workstations on the network is required to properly support Merchant Plus and provide access for remote users, office and locations. Internet speeds are measured in both upload and download speeds; download speeds are usually faster and are usually the advertised speed but overall performance will be limited by the upload speed when supporting remote users. It is also important to understand that speeds may fluctuate at different times of the day for some service, especially DSL connections.
- Minimum requirement: Upload (and download) speed of 512KBPS plus 256KBPS per additional user.
Backup Solution: At minimum, backups must be maintained for the Merchant Plus! Database. Typically, a script will run that backs up the Merchant Plus! database nightly to the local disk when nothing is running. It is this copy of the data base that needs to be backed up.
If just the Merchant Plus! database is backed up, a full recovery might require that the Server be repaired or replaced and then reloaded with the operating system, SQL, Merchant Plus!, and any other drivers, files or programs that need to be restored to be operational. This process can take days. An alternative is a more comprehensive “block level” backup that allows for the entire environment to be restored, even to different hardware, in a much shorter period of time.
At minimum, off-site backups should be maintained, but local redundancy provides for quicker recovery times; large backups may take a long time to down load and in some cases it is more efficient to have large backup files mailed from the off-site location.
While, management of backups is the client’s responsibility, Smyth Retail offers and monitors two cloud based solutions for backups: Carbonite for simple file level backups or AppAssure for “block level” backups.
Antivirus: At minimum, every computer should be running an anti-virus program; if credit cards are processed on the network, PCI requires that the retailer maintain anti-virus software on all connected computers (PCI Requirement 5: Use and regularly update anti-virus software or programs). It is critical that any antivirus software be managed and routinely managed; it isn’t a case of installing it and leaving it alone. While workstations and peer servers can even use free anti-virus software, it usually requires significant manual management to get updates and run scans, and for that reason isn’t recommended. Furthermore, free anti-virus is usually not available for Windows Servers.
Managed anti-virus programs allow for the management of anti-virus of all computers on network at a centralized location, whether it’s on the server or in the cloud, and makes the management responsibility more practical, especially for larger networks.
When selecting an anti-virus solution, it is important to consider the added security requirements for Point of Sale where credit cards are processed. Our default security configuration includes network segmentation with limited access; many antivirus programs require more access than allowed by those settings.
Smyth Retail supports BitDefender, which is centrally managed in the cloud and can be configured to work with our default network segmentation guidelines. While it is the retailer’s responsibility to manage their anti-virus, we do periodically monitor the configuration and are available for technical support as needed.
Peripherals: Numerous peripherals are required to operate Merchant Plus! It is important to understand how and where each peripheral connects with and to make sure that the proper port is available. It is also important that only the supported drivers be used with Merchant Plus!, even if they aren’t the most current driver for the device. Various peripherals that have been supported in the past may not be available due to lack of adaption to newer operating systems and technology environments; future support is indeterminable and dependent upon the various manufacturers.
Reports Printers – Most printers supported by windows will print the Merchant Plus reports, though some brands may line up slightly different. HP printers are preferred as they have been used exclusively by our development team. It is important to know that a printer must support RDP (or Terminal Services) if it is being used at a remote location.
Point of Sale Printers – Specific Point of Sale receipt printers are required unless that “laser receipt” uses a regular reports printer (see above). Supported devices include:
- Epson TM88 III, TM88 IV or TM88 V – These are the most common thermal receipt printers being used as they are quick, quiet and very reliable. USB and parallel versions are supported; however, the parallel port must be native on the computer’s motherboard as add-in parallel cards are not supported by the manufacturer.
Tag Printers – A variety of merchandise tag printers are supported. For convenience, we recommend a dedicated printer for each type of tag stock, and some can’t effectively swap between tags. Supported printers:
- Zebra LP 2824 – This printer must be dedicated to using either hand or adhesive tags.
- Zebra LP 2844 – This printer can be used to swap between hand and adhesive tags.
- Zebra TLP 2844 – This printer is used to support he fabric rat tail jewelry tags that requires a printer ribbon. While it can be used to swap between hand and adhesive tags as well, the ribbon costs are wasteful.
- Paxar Tag Printers – The Paxar (formerly Monarch) tag printers are heavy duty printers that support cutters and stackers and are designed for high volume. Individual configurations should be confirmed as all these printers haven’t been tested in all environments.
Barcode Scanners – Barcode scanners are used to scan system and manufacturer generated tags. Merchant Plus! supports the UPC-A symbology and drops the check digit (the last number on the tag. Other barcode symbologies might be required if other tags are used. Most scanners can be programmed to work with Merchant Plus! but Smyth Retail supports a representative number of devices including:
- Honeywell 1202G Voyager Bluetooth
- HP (Symbol) LS2208-SR2036-1R or LS2208-sr20007R-UR
Portable Data Terminals – While Merchant Plus supports a generic import format for physical inventory counts, the following devices are currently supported.
- Metrologic Optimus S MK5502-79B639
- AML LCX10
Credit Card Readers – The Merchant Plus! credit card solutions utilizes Point to Point encryption which encrypts the cardholder data within the device and sends it to the NETePay software where it communicates with the bank processing network. No sensitive cardholder data is ever exposed to the Merchant Plus! software, and hence Merchant Plus! is out of scope for PCI requirements. However, it is important that the retailer protect the network the data is passed across as well as the NETePay environment (if it is hosted on the merchant’s computers). The following devices are supported:
|Device||PCI Version||PCI Expiration Date|
|UIC 795 encrypted P2Pe||2.X||4/30/2017|
|IDTech Secure Mag-Stripe Reader||3.X||4/30/2020|
|Verifone VX805||3.X||08/28/16 or 10/28/19|
|Ingenico iSC250||3.X||08/28/16 or 10/28/19|
EMV Support – While EMV is not a PCI requirement, it is supported using the Verifone VX805 and Ingenico iSC250 devices.
NETePay: NETePay is the third party software provided by Datacap Systems that is used to process credit cards. While Merchant Plus! is “out of scope” as it never sees sensitive cardholder information, NETePay does process card holder information and is in scope for PCI requirements. Newer installations most likely requires that the NETePay software be installed and configured on the merchant’s network and therefore must be secured according to Datacap’s manufacturer specifications and QIR Implementation Statement is required. Additional security might be required for some of these third party solutions utilize “Terminal Based” processing where card holder information is stored in the NETePay software until the batch is settled at the end of the day.
Obsolescence: It is important to understand that all of these requirements are subject to change based on evolving technologies. PCI-DSS compliancy demands that retailers maintain current versions of software for security purposes. Microsoft had planned obsolescence as published as their Support Lifecycle. Every time Microsoft changes operating systems, all hardware and software manufacturers have to either update their products or stop supporting them in the newer environment. It is a cycle of obsolescence that must be planned for; the days of using the same system for more than 10 years are behind us.
While the Smyth Retail Support plan is designed to evolve with these changes to protect obsolescence, not all of the supported products will do the same. For example, many peripheral companies never supported Windows Vista or Windows 8 for their products.
See https://www.smythretail.com/obsolescence/ for an updated list of past and impending obsolescence dates.