3 - planning and preparation – MagTek EC2000 99875600 User Manual


3 - Planning and Preparation

ExpressCard 2000| Instant Issuance Card Personalization System | User Installation and Operation Manual


Page 14

One of the requirements is a required security measure, and the other is an optional feature:

The EC2000 includes an authorization feature which allows card personalization to be deactivated in the event of a security breach. The device ships in the unauthorized state, and requires a call to MagTek Support Services to authorize. The device must then regularly connect to MagTek’s Certificate Authority (CA) via the Internet at pre-determined intervals to re-authorize.

When used with MagTek’s web-based card personalization service QwickCards.com, the EC2000 regularly polls the QwickCards service via the Internet to retrieve card processing transactions.


MagTek recommends selecting one of two internet connection topologies to support these processes. In both topologies the EC2000 uses Secure Sockets Layer (SSL) for all Internet-bound traffic, and in neither case does MagTek require the EC2000 to have an Internet-routable network connection:

Network Security Topology Option #1: No Proxy Server. In the first configuration option, the EC2000 transmits SSL requests directly to MagTek’s CA (and optionally QwickCards.com) via an Internet gateway.

Network Security Topology Option #2: Proxy Server. In the second configuration, the EC2000 transmits SSL requests to MagTek’s CA (and optionally QwickCards.com) via a proxy server on the card issuer’s network. The proxy server enables the card issuer to monitor EC2000 network traffic, and the EC2000 does not communicate directly with the Internet.


The network infrastructure supporting the chosen topology should be in place before attempting to set up the EC2000. In addition:

1) An operational Ethernet jack or network appliance should be available within reasonable cabling distance (10-12’) from the EC2000’s final install location.

2) The physical cable path from the EC2000 to its connection destination should be appropriately secured against unauthorized access.

3) Firewalls should be configured to allow bidirectional communication from the EC2000 via Secure Sockets Layer (SSL) on port 443. No other open ports are required. Standard destination servers are:

a) https://authorization.magensa.net for any EC2000 device.

b) https://qwickcardsjs.com for EC2000 devices to be used with QwickCards.com.

4) If the network primarily uses static IP addresses, an appropriate IP address should be allocated and ready for use by the EC2000.

5) If the network provides local DNS lookups, MagTek advises creating an entry for the EC2000’s IP address using the name EC-serial-number (see section 6.1 Finding the Serial Number). This will prevent users from seeing errors when using a web browser to connect to the EC2000 via https.

6) If using a proxy server, proxy information should be available prior to setting up the EC2000.

7) A system administrator should select and configure a secure workstation from which users can create card processing transactions for the EC2000:

a) If users will process cards using local card personalization software, the EC2000 and the card personalization workstation must be on the same LAN, or must have an alternate way to connect directly by IP address, such as a VPN. In any case, the PC and the EC2000 must be able to communicate via port 443 SSL.

b) If users will process cards via QwickCards.com, the workstation must be equipped with a working web browser and an Internet connection, and be able to communicate via SSL.

8) A system administrator should select and configure a secure workstation from which administrators can perform updates to the EC2000. At the administrator’s discretion, it may share a workstation with the card personalization software, with some additional requirements:
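Bringing together the topology choice and the port-443 firewall requirement in item 3), here is an added example (not MagTek's code) that derives the minimal egress allowlist for an EC2000 in either topology and audits a firewall rule set against it; the rule model, the address 10.20.30.40, and the proxy values are constructed assumptions, not values from the manual.

```python
"""Egress-policy check for an EC2000 install (added example, not MagTek's code).
Assumption: the issuer's firewall allow rules can be modelled as (src, dst, port)
tuples; the function and rule names are hypothetical."""
from dataclasses import dataclass

# Destination servers named in the manual; only TCP/443 (SSL) must be open.
MAGTEK_CA = "authorization.magensa.net"
QWICKCARDS = "qwickcardsjs.com"
SSL_PORT = 443

@dataclass(frozen=True)
class Rule:
    src: str    # EC2000 address (static IP or reserved lease)
    dst: str    # destination host, or "any"
    port: int

def required_rules(ec2000_ip, proxy=None, uses_qwickcards=False):
    """Minimal egress allowlist for the chosen topology.
    Topology #1 (no proxy): EC2000 -> MagTek CA (+ QwickCards if used) on 443.
    Topology #2 (proxy):    EC2000 -> the issuer's proxy only, nothing direct."""
    if proxy is not None:
        proxy_host, proxy_port = proxy
        return {Rule(ec2000_ip, proxy_host, proxy_port)}
    rules = {Rule(ec2000_ip, MAGTEK_CA, SSL_PORT)}
    if uses_qwickcards:
        rules.add(Rule(ec2000_ip, QWICKCARDS, SSL_PORT))
    return rules

def audit(ec2000_ip, configured, proxy=None, uses_qwickcards=False):
    """Return (missing, excess) among the rules whose source is the EC2000.
    'missing' must be added before setup; 'excess' opens more than the manual
    calls for (extra ports or destinations, or direct Internet egress when the
    proxy topology was chosen) and should be removed."""
    needed = required_rules(ec2000_ip, proxy, uses_qwickcards)
    present = {r for r in configured if r.src == ec2000_ip}
    return needed - present, present - needed

# Constructed sample: QwickCards rule missing, a stray HTTP allow, one other host.
SAMPLE_IP = "10.20.30.40"
SAMPLE_RULES = [
    Rule(SAMPLE_IP, MAGTEK_CA, 443),
    Rule(SAMPLE_IP, "any", 80),
    Rule("10.20.30.99", "any", 443),
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_IP, SAMPLE_RULES, uses_qwickcards=True)
    print("add:   ", sorted(f"{r.dst}:{r.port}" for r in missing))
    print("remove:", sorted(f"{r.dst}:{r.port}" for r in excess))
```

Run the audit once per topology you intend to deploy; in the proxy topology any direct rule to the MagTek hosts shows up as excess, which is the check that item 3) and Option #2 together imply.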
