ComplianCe letter Dear Valued Aloha Customer,

The rising incidences of stolen cardholder account data are a major concern for all participants in the payment industry. As a result of these thefts, merchants and financial institutions suffer loss and unanticipated operational expenses. In addition, consumers experience significant inconvenience.

Payment Card Industry Data Security Standards (PCI DSS) state that it is your responsibility, as a merchant, to ensure your system is in compliance with data security requirements. PCI DSS is a set of security standards, developed by payment card companies, Visa, American Express, MasterCard, Discover, and JCB International, to establish common processes and precautions for handling, processing, storing, and transmitting payment card data. One of the most critical aspects of the 12 PCI DSS requirements is to ensure that full credit card track and CVV data is not stored in any form after authorization is complete. To protect your business and your customers, it is imperative that you are in compliance with the Payment Card Industry Data Security Standards (PCI DSS).

Any business that processes, transmits, or stores credit and debit card information is currently at risk of considerable fines and legal action, if their sites do not comply with the PCI DSS. There are several requirements that merchants need to address to become fully compliant with the PCI Data Security Standards. You can download a full copy of the Payment Card Industry Data Security Standards (PCI DSS) from the following Internet address: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

It is strongly recommended to use a POS system that has been validated against the Payment Application Data Security Standards (PA DSS), formerly supervised by Visa and known as Payment Application Best Practices (PABP). The PA DSS assists software vendors in developing payment applications that do not store sensitive cardholder data, thus ensuring their products are validated against the PCI DSS. Radiant Systems is pleased to say we are already listed as a vendor whose payment application has been validated against the Visa PABP. This list is available at www.visa.com/pabp.

This packet contains information to help you gain a better understanding of the importance of PCI compliance and educate you on some of the tools available from your authorized Aloha Dealer and Radiant Systems.

a Data Security Alerta PCI Quick Reference Guidea PCI DSS Aloha POS Configuration Checklista PCI DSS Network Configuration Checklista PABP-Validated Versions of Aloha POSa What’s Happening with FACTA Legislationa Software Membership Informationa Radiant Learning Center Overview

It is your responsibility to ensure your system is in compliance with the PCI DSS requirements. If you have any questions, or need assistance with making any of the changes necessary to comply with PCI DSS, please contact your local authorized Aloha Dealer. Please contact Radiant at 1-877-794-7237 if you would like the name of the authorized dealer in your area.Thank you and we wish you continued success.

Data SeCurity alert

Radiant Systems has been working with Visa on an emerging issue that could cause POS systems to be compromised. The specific vulnerability is related to Remote Desktop being enabled on BOH servers, POS terminals, and routers, which may allow intruders to gain access to POS systems. Once intruders gain access they could install malware such as packet sniffers to capture card holder data. Remote access to POS systems is critical to supporting sites, but can also provide a method for unauthorized users to obtain access to systems and potentially sensitive credit card data. Configuring and managing access to POS systems is extremely important.

Radiant Systems recommends the following to protect sites from this potential security threat:

a Disable Remote Desktop on routers, BOH servers, and POS terminals, if this remote access tool is not used to support the site.

a Use Command Center as the single means of remote access for Aloha POS systems to ensure the highest level of site security. Command Center has a number of inherent features that significantly increase your ability to support sites, and also significantly decrease the risks associated with accessing sites remotely. Some of the security elements of Command Center include:

◆ Only Outbound Connections – The Command Center architecture is not dependent on a waiting in bound connection, which is inherently insecure. Unlike other applications, no user interaction is required to establish an outbound connection.

◆ Above Store User Management – Each Command Center user has an individual account, which provides unique and specific access to multiple sites. Individual accounts can be authorized with unique permissions that define which actions can be taken at a site. Users are maintained at the enterprise level with additions, deletions, or permission changes automatically applied at each site.

◆ Multi-Factor Authentication – Strong authentication measures generally include “something you have,” such as a secure ID, and “something you know,” like a user password. Command Center uses an RSA Secure ID to generate the “something you have.” Users cannot log in without the number provided by the SecurID device, which changes every sixty seconds.

◆ Security Specific Alerts – Security audits are generally manual, time-intensive projects that are conducted on an annual or bi-annual basis. This approach only measures compliance at the time of the audit, leaving status for the remainder of the year essentially unknown. Command Center includes security-specific alerts that continuously monitor site settings and proactively notify the help desk if changes that degrade the site security are made.

Data SeCurity alert For partners or clients who choose to support an alternative remote access software solution, systems can be managed effectively by adhering to the following best practices:

a Limit the number of people who can access the system remotely. Only allow and provide remote access to those who have a strong business need.

a Do not share remote access credentials. Ensure that each user with remote access has unique credentials and that complex passwords expire at least every 90 days.

a Disable remote access user accounts when no longer required.

a Never leave remote access software on and “listening” for incoming connections. It is strongly recommended to use a remote access package that requires a user at the client site to start or log in to initiate a remote access session.

a Implement two-factor authentication for remote access to the network by employees, administrators, and third parties.

Ensure a process exists to adequately protect systems from viruses and other malicious software. The objective of the PCI DSS requirement #5 is to ensure that antivirus software is deployed on systems commonly affected by viruses. Additionally, a process must exist to maintain anti-virus and other malicious software tools in a manner that ensures they remain up-to-date and are able to accurately log and provide notification in the event of a malicious software infection.

Important Note: You must properly configure the antivirus software before using it with the Aloha POS software. The required configuration ensures that the real-time scan does not interpret file changes caused by constant or regular Aloha updates as a virus or worm attack (such as the Trans.log or .dbf files), ensures that the antivirus is not scanning (and thus, prohibiting access) to files that Aloha constantly updates (such as the Trans.log or .dbf files), and opens the ports required for Aloha’s network traffic, specifically NetBIOS traffic.

Additional Information can be located on the Visa web site:Packet Sniffing Vulnerabilities:http://usa.visa.com/download/merchants/20080131_packet_sniffing.pdf ?it=c|/merchants/risk_management/cisp_alerts.html|Packet%20Sniffing%20Vulnerability-January%2031%2C%202008

What to Do if Compromised:http://broadcast01p.visabroadcasts.com/doc/20080508111154/3b0f2a1688f0fe4b75a33a8ec4d726b0

If you have any questions about the information contained in this document, please contact Radiant Product Management at ProdMgmt@RadiantSystems.com.

pCi QuiCk referenCe GuiDeFor Merchants Using Aloha POS

What is PCI and why should you care?The Payment Card Industry Security Standards Council (PCI SSC) facilitates the broad adoption of the PCI security standards in an effort to enhance payment account data security. This council was organized and founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. You are responsible for handling sensitive payment card data according to the PCI DSS standards. You could experience any, or all, of the following, in the event of a data security breach, depending on the circumstances and whether you have taken the necessary steps to comply with PCI:

a Heavy financial damages due to fines that range from $50,000 to $500,000a A loss of reputation; therefore, a decline in the number of guests visiting your restauranta A temporary or permanent loss of your ability to accept credit cards as a form of payment at your restaurant

Failure to comply with the PCI DSS standards could be very costly, and possibly even result in the loss of your business.

How can you protect your business?a Use a POS system that has been validated against the Payment Application Data Security Standards (PA DSS),

formerly supervised by Visa and known as Payment Application Best Practices (PABP). The PA DSS assists software vendors in developing payment applications that do not store sensitive cardholder data, thus ensuring their products are validated against the PCI DSS. Radiant Systems is pleased to say we are already listed as a vendor whose payment application has been validated against the Visa PABP. This list is available at www.visa.com/pabp.

More information about the PA DSS is available at ww.pcisecuritystandards.org/tech/pa-dss.htm.

a Ensure your system is set up to comply with the Payment Card Industry Data Security Standards (PCI DSS These standards are intended to help merchants proactively protect customer account data by helping you:

◆ Build and Maintain a Secure Network◆ Protect Cardholder Data◆ Maintain a Vulnerability Management Program◆ Implement Strong Access Control Measures◆ Regularly Monitor and Test Networks◆ Maintain an Information Security Policy

More information about the PCI DSS is available at www.pcisecuritystandards.org/tech/index.htm.

We recommend you obtain the CISP Compliance Best Practices Guide (soon to be known as Aloha POS Data Security Guide) that applies to the version of Aloha you are using, and use it as a starting point for configuring your sites for maximum security. We also recommend you take advantage of the ever improving security features by upgrading to the latest version of Aloha available.

a Undergo an onsite data security assessment by a Qualified Security Assessor (QSA) or complete a Self Assessment Questionnaire (SAQ), to identify any vulnerability within your system. The PCI DSS requires merchants to do this on an annual basis, to assist you with PCI DSS compliance. There are four versions of this questionnaire, each version specific to a particular business scenario. The council provides instructions to guide you through selecting the SAQ that best applies to your organization, and frequently asked questions, to help you better understand the purpose of the council, and the PCI DSS.

The SAQ, and all other materials, are available at www.pcisecuritystandards.org/tech/saq.htm.

a Undergo a network scan through a PCI DSS Approved Scanning Vendor (ASV). This is required on a quarterly basis, to ensure network security.

More information is available at www.pcicomplianceguide.org/pcicompliance-vendors.html.

pCi DSS aloha poS ConfiGuration CheCkliSt:

1. Install Aloha version 6.2, the latest PABP validated version of Aloha available. Versions later than 6.2 inherit the securing enhancements of this version.

2. Configure printer output to mask the card number and omit the expiration date. In Maintenance > Store Settings > Credit Card group > Voucher Printing 2 tab: Select Only show last 4 digits on all vouchers from ‘Credit Card Number Mask’ drop-down list.

3. Create secure payment card tenders.a In Maintenance > Payments > Tenders > Type tab: Select Use Magnetic Card ONLY and clear Print Expiration.a On the Identification tab – Clear Print on Check.a On the Security Verifications tab, if you are authorizing and settling direct to Amex:

◆ Select Enter Security Code. ◆ Select All Cards, if you require a security code for all transactions of this card type, not just transactions entered manually.◆ Type ‘4’ in # of Digits and type ‘CCV#’ in Prompt.

a On the Security Verifications tab, for processors who support AVS, currently Visanet, BA Merchant Services and RBS Lynk:

◆ Select Enter Address Verification Code.◆ Select All Cards, if you require a zip code for all transactions of this card type, not just transactions entered manually.◆ Type ‘5’ in # of Digits.◆ Select Numeric Only and type ‘Zip Code’ in Prompt.

4. Require each employee to use passwords for accessing the Front-of-House terminals and set them to expire regularly:

a In Maintenance > Store Settings > Security Group > POS Password Settings tab: Select Required and type a number in Min Password Digits. We recommend at least 7 digits.

a In Maintenance > Labor > Job Codes > Job Code tab:◆ Select Uses Password and select Password Expires.◆ Type at least ‘90’ in Renew after Days.

5. Configure alternate security devises for use on the FOH terminals, such as fingerprint scanners, when installed. Activate fingerprint scanners in Maintenance > Hardware > Terminals > Readers tab.

6. Configure back office security levels that provide no more access than required for each employee type in Maintenance > Labor > Back Office Security Levels.

7. You must use a unique user name and complex, expiring password to access Aloha Manager, unless a ‘super key’ is available. For Aloha v6.4, the Alt-X login method is no longer available. For Aloha versions earlier than v6.4, you must manually disable the ‘Alt-X’ login method. (Refer to RKS ID 6298).

8. Run DelTrack, preferably within Winhook as part of the End-of-Day (EOD) process to ensure you are not storing sensitive card data for longer than the recommended number of days.

9. Stop EDC event logging in Maintenance > Store Settings > System group > Aloha Settings tab.

1. Verify Windows® is configured to purge the paging file each time you restart the BOH file server. Information about how to do this is available in the Microsoft® Knowledge Base.

2. Disable the ‘Guest’ user in Control Panel. Procedures for doing this vary slightly from one operating system to another.

3. Reconfigure all Aloha data and program directories relevant to remove the ‘Everyone’ user from them. Verify their configuration permits access only by the system administrator or other authorized accounts.

4. Install antivirus software and obtain updates for it routinely and often. Daily is not too often.

5. Change all default passwords in routers, remote administrative software, or other third-party hardware or software, as appropriate.

6. Install Aloha(QS) in a secondary directory beneath the root, as in C:\Bootdrv\Aloha(QS).

7. Configure Aloha EDC to use an alternate path, outside the BootDrv share, to prevent network access to the EDC files. Accomplish this by creating a new environment variable (EDCProcPath) and moving the contents of the current EDC folder to the new location. (Refer to RKS ID 8755).

8. Ensure procedures are in place to prevent opening a direct Internet connection from any computer on the Aloha network.

9. Create a Windows user account specifically for use in the Aloha network, independent of other network requirements.

10. Configure CtlSvr, EDCSvr, RFSSvr, and any other Aloha related services, devices and BOH user accounts to use the network user account created specifically for this purpose.

11. Delete any default Windows user accounts provided by Radiant Systems or affiliated companies for use in initial configuration.

12. Disable Remote Desktop on routers, BOH servers and POS terminals, if this remote access tool is not used to support the site. Radiant Systems strongly recommends using Command Center as the single means of remote

access for Aloha POS systems to ensure the highest level of site security.

13. Disable the System Restore feature in Windows.

pCi DSS network ConfiGuration CheCkliSt

As of April 15, 2008, the Payment Card Industry Security Standards Council (PCI SSC) added a new standard for payment application software, the Payment Application Data Security Standard (PA DSS), which is based on Visa’s Payment Application Best Practices (PABP).

Currently, all Aloha PCI-validated versions were validated against the Visa PABP standards. According to the PCI SSC, payment applications validated under the PABP standards will be grandfathered onto the PA-DSS validation list, but are required to undergo a PA-DSS validation within a 12 month, 18 month, or 24 month period, depending on the PABP version they were validated against.

If the PCI SSC publishes the PA-DSS list in August, as planned, the following expiration dates will apply to Aloha POS versions that are currently PABP-validated:

The Aloha POS maintains a single code base which means that each maintenance release is built from the previous release. As such, each maintenance release inherits all of the features and functionality related to PCI security standards previously available in the validated version.

Refer to the PCI PA-DSS FAQ on the following Web site for answers to frequently asked questions regarding the plans for grandfathering PABP-validated payment applications:https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Important Note: PCI Security Standards continue to evolve. Radiant Systems is committed to continuously increasing security to protect cardholders and merchants. We strongly encourage clients to adopt the most recent market ready Aloha release to stay current with security-related enhancements.

12 months

24 months

Aloha v6.1

PABP v1.4

Aloha v5.3.15 Pre-PABP v1.3

18 months

August, 2009

August, 2010

March, 2010PABP v1.3

Aloha v6.2

POS VERSION NUMBER: PABP VERSION THE POS WAS VALIDATED AGAINST:

PA-DSS VALIDATION MUST OCCUR WITHIN MONTHS AFTER THE INITIAL PUBLICATION

OF THE PCI SCC APPROVED LIST:*

CURRENT PABP VALIDATION WILL EXPIRE ON:

paBp-ValiDateD VerSionS of aloha poS

what’S happeninG with faCta leGiSlation

Section 1681 c(g) of the Fair and Accurate Credit Transactions Act (FACTA) provides that “no person that accepts credit or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction.” The purpose of this provision is to reduce the likelihood of credit and debit card fraud and identity theft, by reducing access to such key information.

The effective date for all businesses to comply with this provision was December 1, 2006. Since that date, approximately 130 class action lawsuits have been filed in federal courts in California, and approximately 75 in other federal courts in Pennsylvania, Illinois, New Jersey, Nevada, Maryland, and Kansas, in response to the alleged “willful violations” of this provision. A class action lawsuit is one for which the rights and awards for damages, if any, are determined through litigation, for a large number of people with a common question of law.

Businesses are being forced to defend themselves against these lawsuits, where plaintiffs seek statutory damages of $100 (minimum) to $1,000 (maximum) for each violation alleged, plus punitive damages and attorney’s fees. If a class action lawsuit is lost by a defendant, the statutory awards could be so large as to put the defendant out of business. While some federal courts are granting certification for class action lawsuits, meaning they find that the plaintiffs have just cause for the lawsuit, others are denying the class certification because “the disproportionate consequences to defendant’s business and the lack of any actual harm suffered by members of the potential class.” On June 3, 2008, President Bush signed the Credit and Debit Card Receipt Clarification Act, which amends FACTA such that receipts printed with credit card expiration dates prior to the date the amendment was signed will not be considered a willful violation of FACTA.

what’S happeninG with faCta leGiSlation

Here is a link to the bill that was passed:http://www.govtrack.us/congress/billtext.xpd?bill=h110-4008

It is important to note that printing credit card expiration dates after June 3, 2008 may subject merchants to new FACTA lawsuits. Also, there are some state laws similar to FACTA that remain unaffected by this federal law amendment.

What do you need to do in the Aloha POS system to be FACTA-compliant?It is imperative that you configure the Aloha POS system to comply with FACTA. To accomplish this, you must do the following:

a In Maintenance > Payments > Tenders > Type tab > Options group box, clear the Print Expiration check box.a In Maintenance > Store Settings > Credit Card group > Voucher Printing tab, select the Suppress Expiration Dates

check box.a In the same location in Store Settings, immediately beneath the ‘Suppress Expiration Dates’ option, select Only show

last 4 digits from the ‘Credit Card Number Mask’ drop-down list.

Beginning with Aloha v6.1.19 and later, and v6.2.8 and later, the affected settings change automatically to the FACTA-compliant state any time you upgrade the Aloha database for a U.S. installation.

If your installation is outside the U.S., we recommend you verify the legal requirements in your area with regard to printing or suppressing the expiration date and the payment card number. If the regulations under which you operate do not require printing this information, we recommend you configure Aloha to omit printing the expiration date, and to mask all but the last four digits of the payment card number, as a best practice to protect your customers and your business.

Bibliography:Federal Trade Commission: FTC Business Alert “Slip Showing? Federal Law Requires All Businesses to Truncate Credit Card Information on Receipts” May 2007 http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm

GovTrack.us. H.R. 4008--110th Congress (2007): Credit and Debit Card Receipt Clarification Act of 2007, GovTrack.us (database of federal legislation) http://www.govtrack.us/congress/bill.xpd?bill=h110-4008 (accessed Apr 22, 2008)

Pillsbury Linthrop Shaw Pittman LLP “New Litigation Update: Fair Credit Reporting Act Class Actions Seek Staggering Damages Awards” 05 February 2007 Article by Daveed A. Schwartz http://www.mondaq.com/article.asp?articleid=45912 (accessed Apr 21, 2008)

Paul Hastings, “Stay Current, A Matter of FACTA: Part III – Legal and Legislative Crossroads” January 2008 Article by Joshua Hamilton, John Gibson, Charles Patrizia, Dara Freling, Lawrence Sidman, and Jason Rosenstock http://www.paulhastings.com/assets/publications/674.pdf ?wt.mc_ID=674.pdf (accessed Apr 21, 2008)

Software memBerShip

Payment security has become an increasingly important issue to restaurant operations…and it’s not going away. Your customers expect to have the confidence that their financial information and identity is safe at all times. The last thing you want to experience is a loss in customer confidence or a financial hit to your business.

Making sure you are current with your Aloha Software Membership is just one step in the process to help protect your business against financial loss. It gives you uninterrupted access to PCI DSS (Payment Card Industry Data Security Standard) validated software and technology that grows with your restaurant operations. Membership also ensures that you receive the latest product upgrades – features that can make a real difference to your bottom line.

We’ve added many exciting and essential benefits into Aloha’s Software Membership program that include:

a Reduction of Training Time & Costs with Online Training – Access our new online training center designed to provide you and your employees with anytime, anywhere access to training tools and lessons focused on operations and maintenance.

a Ongoing Newsletters on Compliance Information & New Releases – Learn about new upcoming

releases, up-to-date compliance information and tips and tricks for maximizing the benefits of your Aloha POS Software.

a Peace of Mind with Enhanced Security Measures – Ensure you are always using the latest versions of Aloha POS Software verified against the Payment Card Industry (PCI) Data Security Standards.

a Access to New Technology – Receive the latest features and modules each time a new software version is released.

Ordering additional years of membership at the same time also offers you the best value and a significant discount compared to renewing on an annual basis. Call your local Aloha dealer today to learn more about the new benefits included in software membership or give us a call at 1-877-794-7237.

raDiant learninG Center

What is the Radiant Learning Center?The Radiant Learning Center is one of many benefits included in our Aloha Software Membership Program. Available 24/7, anywhere you have Internet access – you can use this online training solution to:

a Develop a consistent process that effectively trains your new hiresa Quickly reference how to use the POS to perform your daily tasksa Increase your self-sufficiency and satisfaction with your POS and back officea Find ways to provide better quality service to your customers – increasing revenue and streamlining operations

at your site

What is included in the Radiant Learning Center?

a Targeted training modules that cover the basic functions of the systema Downloadable documentation and training aids available to be distributed to your staff with no

access to a computera Quizzes that test your knowledge and validate how well your employees retain the information they’ve learneda Biannual customer newsletters that provide insight into technology trends and new features of your solution

Key Training Modules:The Radiant Learning Center has more than 200 training modules that provide training on all aspects of our product solutions. The training modules that you will see will be related to the solution at your site but can include key operational topics such as:

Aloha QuickService POS Training:

a Shift Maintenance a Back of House Reportsa Front of House Reports a Managing Cash Drawersa Managing Depositsa Managing Employeesa Managing Guest Checksa Managing Schedulesa Using Quick Counta Managing Time Punches

Aloha TableService POS Training:

a Basic Labor Schedulera Shift Maintenancea Cash Drawer Managementa Changing Pricesa Managing Back of House Reportsa Managing Front of House Reportsa Managing Employeesa Managing Guest Checksa Bartender Operationsa Managing Time Punches

Documentation Available:Reference guides and training tools are also available to help you gain access to as much information about your solution as possible. From within the Learning Center, you can access documentation that complements your training modules from the Documentation link on the home page or menu.

The Radiant Learning Center is available through our Aloha Software Membership Program. Contact your local Aloha dealer today to update your membership today or give us a call at 1-877-794-7237.

Copyright ©2008, Radiant Systems, Inc. The information contained in this publication is confidential and

proprietary. No part of this document may be reproduced, disclosed to others, transmitted, stored in a

retrieval system, or translated into any language, in any form, by any means, without written permission of

Radiant Systems, Inc.

Radiant Systems, Inc. is not responsible for any technical inaccuracies or typographical errors contained in

this publication. Changes are periodically made to the information herein; these changes will be incorporated

in new editions of this publication. Any reference to gender in this document is not meant to be discriminatory.

The software described in this document is provided under a license agreement. The software

may be used or copied only in accordance with the terms of that agreement.

© Radiant Systems, Inc., 2008. All Rights Reserved. ALOHA® is a U.S. Registered Trademark of Radiant

Systems, Inc. Microsoft®, and Windows® are registered trademarks of Microsoft, Inc.

While the content in this document has been obtained from sources believed to be reliable, no warranty is

provided concerning such content and it does not constitute legal advice. Legal advice concerning specific

situations should be obtained by your legal counsel.