How To Comply With Pca Dss

(1)

Payment Application Data Security Standards

Implementation Guide

(2)

PADSS

©2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without the prior written permission of Blackbaud, Inc.

The information in this manual has been carefully checked and is believed to be accurate. Blackbaud, Inc., assumes no responsibility for any inaccuracies, errors, or omissions in this manual. In no event will Blackbaud, Inc., be liable for direct, indirect, special, incidental, or consequential damages resulting from any defect or omission in this manual, even if advised of the possibility of damages.

In the interest of continuing product development, Blackbaud, Inc., reserves the right to make improvements in this manual and the products it describes at any time, without notice or obligation.

All Blackbaud product names appearing herein are trademarks or registered trademarks of Blackbaud, Inc. All other products and company names mentioned herein are trademarks of their respective holder. PADSSImplementation-2012

(3)

PCI DSS Implementation

in Your Organization

Payment Card Industry and Payment Application Data Security Standards . . . 1

Data Management . . . 2

Network Security . . . 4

System Maintenance . . . 7

Network Maintenance . . . 7

When you accept payment cards for donations or revenue, the security of the credit card information is very important. Used properly, Blackbaud programs can help you maintain this information in

accordance with the Payment Card Industry Data Security Standard (PCI DSS). To help promote the awareness of the security requirements for credit card and cardholder data, this chapter provides information about PCI DSS and how it impacts your organization. With the proper security of credit card information, you can protect your constituents and clients from inconvenience and financial and

personal loss and help protect your organization from additional expense. For information about PCI DSS, see “Payment Card Industry and Payment Application Data Security Standards” on page 1.

Payment Card Industry and Payment

Application Data Security Standards

Developed by Visa, the Payment Application Data Security Standard (PA DSS) requires software

companies such as Blackbaud to develop secure programs that enable users to comply with the PCI DSS. To learn more about PA DSS and download the specification, visit

http://usa.visa.com/download/merchants/cisp_payment_application_best_practices.doc.

Note: This guide provides only an overview of PCI DSS requirements and recommended best practices

to ensure compliance. For additional detail, visit https://www.pcisecuritystandards.org to download the PCI DSS specification.

Note: The PCI Security Standards Council includes American Express, Discover Financial Services, JCB

International, Mastercard Worldwide, and Visa Inc. and was formed to help implement consistent data security measures on a global basis.

(6)

Developed by the Payment Card Industry (PCI) Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS) includes requirements for security management, policies, procedures, network architecture, software design, and other proactive measures. As an organization that collects payment card information, such as to process payments or donations, you must adhere to the PCI DSS and proactively protect this data. To learn more about PCI DSS and download the specification and its supporting documents, visit https://www.pcisecuritystandards.org.

Data Management

Encryption is necessary to protect cardholder data. If a user circumvents security controls and gains access to encrypted data, without the proper cryptographic keys, the user cannot read or use the data. To reduce the risk of malicious abuse, you must consider other effective methods to protect stored data. For example, store cardholder data only when it is absolutely necessary, and do not send the cardholder data in unencrypted email messages.

Sensitive Authentication Data and Cardholder Data Retention

You should keep the storage of cardholder data to a minimum. To comply with PCI DSS, your organization must develop and maintain a data retention and disposal policy.

• Limit the cardholder data stored and the retention time to only that which is required for business, legal, and regulatory purposes.

• Purge all cardholder data that exceeds the retention period.

Do not retain sensitive authentication data, such as the full magnetic stripe, card validation code, or personal identification number (PIN) information, in your database. If you must retain sensitive authentication data, such as for troubleshooting purposes, you must follow these guidelines: • Collect sensitive authentication data only when necessary to solve a specific problem. • Store sensitive authentication data only in specific, known locations with limited access. • Collect only the limited amount of data necessary to solve a specific problem.

• Encrypt sensitive authentication data while stored. • Securely delete sensitive authentication data after use.

To ensure the complete and secure removal of cardholder data, you must securely erase temporary files that may contain sensitive authentication information and cardholder data.

Note: Depending on your organization and the number of payment card transactions you process, you

may need to engage an external security assessment company to determine your level of compliance with PCI DSS and other security compliance programs. If you use an external assessor, we recommend you select one that is qualified and familiar with the latest requirements from the PCI Security

Standards Council. To validate whether your organization is compliant with PCI DSS, we recommend you also visit https://www.pcisecuritystandards.org and complete the PCI Security Standards Council Self-Assessment Questionnaire.

Warning: To comply with PCI DSS, you must remove historical sensitive authentication data and

cardholder data from your database. If you upgrade from non-compliant version, or if your

organization used attributes, notes, or free-text fields to store sensitive authentication information or cardholder data, you must search for and securely delete this data from your database to comply with PCI DSS.

(7)

P C I D S S IM P L E M E N T A T I O N I N YO U R OR G A N I Z A T I O N

₃

• If you use Microsoft Windows XP or Windows Vista, turn off System Restore on the System Properties screen. System Restore creates and uses restore points to track changes in Windows. These restore points may retain cardholder data. When you turn off System Restore, the operating system automatically removes existing restore points and stops the creation of new restore points.

• To ensure the complete removal of data, install and run a secure delete tool such as Heidi Eraser. With a secure delete tool, you can safely erase temporary files that may contain sensitive authentication information or cardholder data. For information about how to install and run the secure delete tool, refer to the manufacturer’s documentation.

Cardholder Data Encryption

To comply with PCI DSS, your organization must encrypt cardholder information during transmission over open public networks that malicious users could abuse to intercept, modify, and divert data during transit. These open public networks include the Internet, WiFi (IEEE 802.11x), the global system for mobile communication (GSM), and general packet radio service (GPRS). To safeguard sensitive authentication information and cardholder data during transmission, use strong cryptography and security protocols such as Secure Sockets Layer (SSL) version 3/Transport Layer Security (TSL) version 1.1 and Internet Protocol security (IPSec). Never send unencrypted cardholder data in an email message.

Encryption Key Management

Do not retain any cryptographic key material, encryption keys, or cryptograms in your database, such as those used to compute or verify sensitive authentication information and cardholder data. Your

organization may have used attributes or free-text fields to store this information. To comply with PCI DSS, you must not store cryptographic material in the program. If your organization used attributes, notes, or free-text fields to store cryptographic material, you must search for and securely delete this data from your database to comply with PCI DSS. The abuse of the program to store cryptographic material may leave you vulnerable to attack by malicious users. To ensure the complete removal of data, install and run a secure delete tool such as Heidi Eraser. For information about how to install and run the secure delete tool, refer to the manufacturer’s documentation

To comply with PCI DSS, your organization must fully document and implement key management processes and procedures for keys used to encrypt cardholder data. At a minimum, this documentation must include:

• How to generate strong encryption keys.

• How to secure the distribution and storage of encryption keys.

• How to periodically change encryption keys, as necessary for the program and at least annually. • How to revoke and destroy old or invalid encryption keys.

• How to split the knowledge and establish dual control of encryption keys so it requires multiple people with partial knowledge of the key to construct the complete key.

• How to prevent the unauthorized substitution of encryption keys. • How to replace known or suspected compromised encryption keys.

Your organization must restrict access to encryption keys to the fewest number of custodians necessary and store keys securely in the fewest possible locations and forms. Custodians of encryption keys must sign a form to document their understanding and acceptance of their responsibilities as custodians of this data.

(8)

Network Security

With a secure network, you can protect your system and credit card information from internal and external malicious users. To secure your network, we recommend you utilize a firewall and configure wireless devices and remote access software.

User Account Management

To comply with PCI DSS, you must assign unique identification to each person who accesses networks, workstations, or servers that contain the program or cardholder data. Unique login credentials ensure that only authorized users can access and work with the critical data and systems included in your network. With unique login credentials, you can also trace actions on your network to specific users. These credentials must include a unique user name and a way to authenticate the user’s identity, such as a complex password, a token key, or biometrics.

At a minimum, your organization must implement these guidelines to create network user accounts and manage user authentication and passwords. You must communicate password procedures and policies to all users who can access cardholder data.

• Use authorization forms to control the addition, deletion, and modification of user IDs. • Verify the identity of users before you reset passwords.

• Immediately revoke account access for terminated users.

• Remove or disable inactive user accounts at least every 90 days.

• Enable user accounts for use by vendors for remote maintenance only when needed and immediately deactivate them after use.

• Do not use group, shared, or generic user accounts and passwords.

• Require users to change their initial passwords immediately after the first use and subsequent passwords at least every 90 days.

• Require passwords with a minimum length of seven numeric and alphabetic characters. • Require that new passwords not match one of the last four passwords used by the user.

• Lock out the user account after no more than six failed login attempts. Set the lockout duration to 30 minutes or until a system administrator enables the user account.

• Log out idle sessions after 15 minutes so users must enter the password to activate the workstation. • To log user authentication and requests, turn on database logging in Microsoft SQL Server.

Enable database logging in SQL Server

1. In Microsoft SQL Server Management Studio, connect to the instance of the database engine. 2. Under Object Explorer, right-click on the server name and select Properties. The Server

Properties page appears.

3. On the Security page, select Both failed and successful logins under Login auditing and click OK. 4. Stop and restart the SQL Server service for the database.

(9)

₅

For information about how to enable SQL Server to write to the Security log, see http://msdn.microsoft.com/en-us/library/cc645889.aspx.

Firewall Management

If you use software to process payments, we recommend you verify that the workstation’s link to the Internet is secure. If you transfer transactions online, ensure your Internet hardware, such as the modem or DSL router, provides a built-in firewall. You must restrict connections between publicly accessible servers and any system component that stores cardholder data, including connections from wireless networks. To comply with PCI DSS, the firewall configuration must:

• Restrict inbound Internet traffic to Internet Protocol (IP) addresses within the DMZ. • Not allow internal addresses to pass from the Internet into the DMZ.

• Implement inspection or dynamic packet filtering to allow only established connections into the network.

• Place the payment processing program and the database that contains the cardholder data in an internal network zone segregated from the DMZ.

• Restrict inbound and outbound traffic to only that which is necessary for the cardholder data environment and deny all other traffic that is not specifically allowed.

• Secure and synchronize router configuration files, such as running and start-up configuration files. Your organization must also install perimeter firewalls between any wireless networks and the cardholder data environment and configure these firewalls to deny or control any traffic from the wireless environment. To comply with PCI DSS, your organization must configure all mobile and

employee-owned computers with direct connectivity to the Internet, such as laptop computers, used to access the network with an installation of personal firewall software.

Wireless Devices

If you use wireless devices to store or transmit payment transaction information, you must configure these devices to ensure network security in compliance with PCI DSS.

• Install perimeter firewalls between any wireless networks and systems that store cardholder data. These firewalls must deny or control any traffic necessary for business purposes from the wireless environment to the cardholder data environment.

• Implement strong encryption, such as the Advanced Encryption Standard (AES), on all wireless networks.

• At installation, change encryption keys from the default. After installation, change encryption keys when anyone with knowledge of the keys leaves the organization or changes position with the organization.

• Do not use the vendor-supplied defaults for the wireless environment. Change the default passwords or pass phrases on access points and single network management protocol (SNMP) community strings on wireless devices.

• Change the default service set identifier (SSID) and disable SSID broadcasts when applicable.

• Update the firmware on wireless devices to support strong encryption, such as WiFi protected access (WPA or WPA2) technology, Internet Protocol security virtual private network (IPSec VPN), or Secure Sockets Layer (SSL)/Transport Layer Security (TLS), for authentication and transmission over wireless networks.

(10)

• Use industry best practices to implement strong encryption for the transmission of cardholder data and sensitive authentication data over the wireless network in the cardholder data environment. • For new wireless implementations, it is prohibited to implement Wired Equivalent Privacy (WEP) for a

payment application as of March 31, 2009. For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

To comply with PCI DSS, your organization must configure all mobile and employee-owned computers with direct connectivity to the Internet, such as laptop computers, used to access the network with an installation of personal firewall software. The firewalls must be active and configured to a specific standard that users cannot alter.

Remote Access

If your organization enables remote access to the network for use by employees, administration, and vendors, you must implement two-factor authentication for logins. Two-factor authentication requires the unique login credentials and an additional authentication item such as a token or individual

certificate. Use technology such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens or VPN (based on SSL/TLS or IPSec) with individual certificates.

To comply with PCI DSS, your organization must configure the remote access software to ensure network security.

• Do not use the vendor-supplied defaults such as passwords for the remote access software.

• Establish unique login credentials and complex passwords for remote access users in accordance with PCI DSS requirements 8.1, 8.3, and 8.5.8-8.5.15. For more information, see “User Account

Management” on page 4.

• Allow connections from only specific known IP and MAC addresses. • Enable encrypted data transmission in accordance with PCI DSS 4.1.

• Lock out the remote access user account after no more than six failed login attempts.

• Require remote access users to establish a VPN connection through a firewall before they connect to the network.

• Enable the logging function.

• Establish complex passwords for customers in accordance with PCI DSS requirements 8.1, 8.2, 8.4, and 8.5.

• Restrict access to customer passwords to authorized third-party personnel.

• To verify the identities of remote access users, require two-factor authentication (T-FA) such as both a user login and a password.

If your organization enables remote access for use by vendors, it should be only when needed and immediately deactivated after use.

Warning: It is prohibited to use Wired Equivalent Privacy (WEP) for payment applications as of June

30, 2010. We strongly recommend you use WPA2 technology to secure wireless implementations.

Warning: For new wireless implementations, it is prohibited to use WEP after March 31, 2009. For

(11)

₇

Non-console Administrative Access

To comply with PCI DSS, your organization must encrypt all non-console administrative access. For web-based management and other non-console administrative access, use technologies such as Secure Shell (SSH), VPN, or SSL/TLS.

Internet-Accessible Systems

Do not store cardholder data on Internet-accessible systems. For example, do not house the database server within the same server as the web server.

System Maintenance

Once you secure your system, you must keep your equipment current. Malicious users can use security vulnerabilities to access your system. Both hardware and software manufacturers occasionally issue updates to products, such as to remedy these vulnerabilities and help prevent such attacks. We recommend you ensure you have the most recently released patches installed. For example, you can frequently review the manufacturers’ websites, newsletters, and online forums to check for the current patches.

Occasionally, a manufacturer may stop support of a product. In this case, we recommend you determine whether your organization should continue to use an unsupported product. Also, a manufacturer may inform you of a flaw or defect in a product that may make your organization vulnerable to attack. We recommend you pay attention to these alerts and update your system accordingly.

To further reduce vulnerability, we recommend you also deploy anti-virus software on your systems and ensure they are current, actively running, and can generate assessment logs.

Network Maintenance

Once you secure your system, you must monitor and track access to the network and your credit card information, such as with logging mechanisms. The lack of activity logs can make the determination of the cause of an attack very difficult. Logs help you track and analyze network activity when something goes wrong.To further reduce vulnerability, we recommend you also frequently test your network to verify its security continues to be maintained, regardless of age or changes in software.

To comply with PCI DSS, you must implement automated audit trails for all system components to track these events:

• All individual users who access cardholder data.

• All actions performed by users with root or administrative privileges. • All access of the audit trails.

• All invalid logical access attempts.

• All use of identification and authentication mechanisms. • The initialization of the audit logs.

• The creation and deletion of system-level objects.

(12)

• The user who initiates the event. • The type of event.

• The date and time of the event.

• Whether the event succeeded or failed. • The origination of the event.

(13)

2

chapter

PA DSS Implementation

in The Patron Edge

Patron Edge Payment Process Overview . . . 10

Installations and Upgrades . . . 11

Database Roles . . . 13

User Account Security and Configuration . . . 14

User Access Audit Capability/Audit Trail . . . 16

Payment Process Security . . . 17

VeriFone PCCharge . . . 17

Blackbaud Secure Payments . . . 18

Cardholder Data . . . 18

Encryption and PA DSS Management . . . 20

Key Service . . . 20

Encryption Keys . . . 24

Company Settings . . . 31

Rollback and Uninstall . . . 32

Versions 3.4 and higher of The Patron Edge provide enhancements to help you secure your data and comply with PCI DSS. We strongly recommend you update your software to the latest version.

Warning: Versions 3.4 and higher of The Patron Edge are not compatible with Microsoft SQL Server

2000 Standard/Enterprise Edition. You must have either Microsoft SQL Server 2005 Standard/Enterprise Edition, Service Pack 2 or higher or Microsoft SQL Server 2008

Standard/Enterprise Edition installed. Go to support.blackbaud.com to review current system

requirements.

(14)

Patron Edge Payment Process Overview

In The Patron Edge, you can securely process payment requests using more than method.

One option is to use a process facilitated by the Blackbaud Payment Component group. In The Patron

Edge, when a customer makes a purchase using a credit card, the seller enters the typical transaction

information, including the credit card number. During this process, a payment request is sent to a payment processing vendor to determine if the purchase is approved or declined. The result is then sent back to The Patron Edge. This process is facilitated by the Blackbaud Payment Component group, which consists of executables and other entities that work together to securely process payment requests. The Blackbaud Payment Components are installed and configured during the initial implementation of

The Patron Edge.

Warning: If you are running SQL Server 2008, you must either have Microsoft SQL Server 2005

Standard/Enterprise Edition, Service Pack 2 or higher installed or you must install the Microsoft SQL Server 2005 Backward Compatibility Components. You can download these components from

(15)

PA D S S IM P L E M E N T A T I O N I N TH E PA T R O N ED G E

₁₁

Blackbaud Payment Client. The Blackbaud Payment Client is invoked when a ticket seller enters a credit card purchase into The Patron Edge. It collects and encrypts credit card information and sends the payment request to the database. Each sales point has its own Blackbaud Payment Client.

TIX_PSC. TIX_PSC checks the database table for payment requests on a designated interval. When the program recognizes a request, TIX_PSC invokes the Blackbaud Payment Server.

Blackbaud Payment Server. The Blackbaud Payment Server is notified of a credit card payment request by TIX_PSC. This server then sends the request to the corresponding Payment Processor and receives the results. You configure the Payment Server by adding or editing values in the Payment.ini file.

Payment Processor. The Payment Processor is a plug-in that performs the credit card authorization through a specific payment processing vendor like VeriFone PCCharge. It then returns the results to the Blackbaud Payment Server.

CC_Payment Table. The program encrypts all sensitive data before clearing and stores it in the

CC_Payment table within your Patron Edge database. Once transactions clear, only the last four digits of the credit card number are stored in the database. All other cardholder data is purged from the CC_Payment table after a transaction clears.

Alternatively, you can choose to use Blackbaud Secure Payments (BBSP) to securely process payment requests. With Blackbaud Secure Payments, you can enable clients to securely accept online credit card transactions from their website users and supporters. You can also accept transactions within The

Patron Edge. The program does not encrypt all sensitive data before clearing and storing it in the

CC_Payment table within your Patron Edge database. Blackbaud Secure Payments does not store any data within your Patron Edge database. For more information about Blackbaud Secure Payments, see the Administration Guide for The Patron Edge.

Installations and Upgrades

Before you install or upgrade to The Patron Edge 3.4 and higher, there are a number of considerations you should review and requirements you must meet to successfully complete the installation or upgrade.

Windows Account Requirement

If your Patron Edge and Patron Edge Online applications are on different LANs, you will need two separate Key Services that communicate with each other. If you have a multi-LAN environment, you must add a Windows account that has “Logon as a service rights” before you install The Patron Edge Online. During the installation process you will be prompted to enter the user name and password for the account on the Key Service Setup screen. This is the Windows account that the Patron Edge Online Key Service will run under.

Note: For more information about installing The Patron Edge 3.4 and higher, including specific

procedures, see the Installation Guide. For more information about upgrading to The Patron Edge 3.4 and higher, see the Update Guide. Both documents are available on the user guides page of our website, which is located here: http://www.blackbaud.com/support/guides/pe.aspx.

(16)

Temporary SQL Server Account Requirement

Prior to version 3.4 of the The Patron Edge, the default “PEUser” account was assigned the db_owner role in addition to db_ddladmin, db_datawriter, and db_datareader. However, starting with The Patron

Edge 3.4, the db_owner role is no longer assigned to the “PEUser” account in SQL Server 2005 or SQL

Server 2008.

The first time you run The Patron Edge 3.4 after installation or upgrade, a number of database updates are automatically applied before a user logs in. These updates are required to prepare the database. If the updates are not successfully completed, user log in will fail. In order for the updates to be applied to the database successfully, the changes must be applied with a SQL Server 2005 or SQL Server 2008 account that is assigned the db_owner role for the Patron Edge database.

Because the “PEUser” account no longer has this role, you will be prompted to enter the user name and password of SQL Server 2005 or SQL Server 2008 user that is assigned the required db_owner role. Before you install or upgrade to The Patron Edge 3.4, you should make sure you have an account with the db_owner role. This account is only needed temporarily to apply the initial updates. After the database revisions have successfully completed, you must remove or disable this temporary account.

Database Master Key Requirement

The database master key (DMK) is the encryption key for the database and for symmetric and

asymmetric keys that protect the data encryption key (DEK). During all new installations and upgrades, you will be prompted to enter a new database master key password. The master key password must meet the following standards, which are determined by your Windows security policy.

• The key must be at least seven characters in length.

• The key must contain characters from three of the following four categories: uppercase letters (A through Z), lowercase letters (a through z), base 10 digits (0 through 9), and non-alphanumeric characters, for example, an exclamation point (!) or number sign (#).

If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. For steps that guide you through changing the DMK after the installation or upgrade is complete, see “Rotate the Database Master Key” on page 27.

Default Administrator Account

When The Patron Edge is installed, a default administrator user account is created with the user name “Supervisor” and the password “admin”. For all new installations and upgrades to The Patron Edge 3.4 and higher, you will be required to change the default password of this user as described in the scenarios below.

Note: For information about managing encryption keys and passwords, see “Encryption Key

Management” on page 3.

Warning: For your organization to be PCI DSS compliant, you must configure and use unique user

accounts the meet the PCI DSS standards. For more information about these standards, see “User Account Security and Configuration” on page 14. If in the past your organization used the default administrator account with the default password intact, you must ensure that it is no longer used or your organization will not be PCI DSS compliant.

(17)

₁₃

For new installations of The Patron Edge 3.4 and higher, as well as any time you add a new database using the Blackbaud Management Console (BMC), you are required to change the user name and password for the default administrator user account created during the installation. After the

installation process is complete and during the initial login, you will be prompted and required to change the user name and password for the default administrator user account. The new password must meet the password requirements as discussed in “Password Strength Requirements for User Accounts” on page 14. After the new user name and password are successfully added, you will be prompted to log in using the account.

For upgrades to The Patron Edge 3.4, you are required to change the password for the default

supervisor account created during the installation. In addition, every user will be prompted and required to update their password to meet strong and complex requirements when they login after the upgrade. For information about changing a user account, see the “Configure System Users” section of the

Administration Guide.

Database Roles

By default, The Patron Edge uses the “PEUser” account in SQL Server 2005 or SQL Server 2008 to log into the database. The “PEUser” account needs the processadmin server role and the following roles on the

Patron Edge database:

• db_ddladmin • db_datawriter • db_datareader

By default, the “PEUser” account is denied access to the CustomizeSettings table, which is required to be PCI DSS compliant. However, if you use a different account to log into the Patron Edge database, you must manually deny access to the CustomizeSettings table for this user. To do this, run the following SQL script against the Patron Edge database and replace [username] with the

appropriate account username:

deny select, insert, update, delete, references, alter, control, take ownership, view definition on CustomizeSettings to [username]

For your organization to be PCI DSS compliant, the password strength requirements of your Windows security policy must meet or exceed the PCI DSS requirements. To ensure that the password strength requirements for the “PEUser” account are determined by your Windows security policy, you must mark

Enforce password policy for this user on the Login Properties screen in SQL Server 2005 or SQL Server

2008. For more information about the password requirements, see the “Requirement 8: Assign a unique

ID to each person with computer access” section of the PCI DSS standards document. For more information see, “PCI DSS Implementation in Your Organization” on page 1.

Note: Prior to version 3.4 of the The Patron Edge, the default “PEUser” account was assigned the

db_owner role in addition to the roles listed above. However, starting with The Patron Edge 3.4, the db_owner role is no longer assigned to the “PEUser” account in SQL Server 2005 or SQL Server 2008.

Warning: In order to be PCI DSS compliant, the SQL Server 2005 or SQL Server 2008 account that The Patron Edge uses to log into the database must deny access to the CustomizeSettings table.

(18)

You can change the user name or password of the “PEUser” account in SQL Server 2005 or SQL Server

2008 or use an entirely different account configured with the required roles and denied access to the

CustomizeSettings table in the Patron Edge database. However, after changes are made, you must also run the PA DSS Management Utility to set the new user name and password information and establish the new connection string. This is necessary because the connection string used by The Patron

Edge is stored in an encrypted form in the Patron Edge database and is retrieved by the Key Service

when needed.

After the changes are made, restart all Patron Edge applications and verify that they are all working correctly with the new connection string. After the changes are confirmed and you have verified that all applications work correctly, you should access SQL Server 2005 or SQL Server 2008 and remove or disable the previous account that is no longer used. For more information about changing the default

SQL Server 2005 or SQL Server 2008 account used to log into your Patron Edge database, see “Change

the Default SQL Server User Account for The Patron Edge” on page 29.

User Account Security and Configuration

In order to be PCI DSS compliant, you must securely control access to workstations, servers, and databases that contain The Patron Edge applications and cardholder data. To establish, maintain, and control access, you must use unique user accounts with strong passwords and employ PCI DSS compliant secure authentication.

In The Patron Edge, an administrator can create the necessary unique user accounts needed for each person that accesses the application. To be PCI DSS compliant, you should have a one to one relationship between users and user accounts. Each user accessing the system should have only one user account and each account should have a unique name. Each unique user account must be configured with only the permissions needed for their specific roles. This is required for the integrity of the audit trail. Do not setup a user account that is shared by multiple people. For detailed information about setting up and configuring unique user accounts, permissions, and system profiles, see the “Configure System Users” section of the Administration Guide.

Password Strength Requirements for User Accounts

All user accounts in The Patron Edge 3.4 and higher must meet or exceed the following password strength requirements:

• The password cannot be the same as the user name. • The password must be at least seven characters in length.

• The password must contain both numeric and alphabetic characters.

Note: The Key Service is used to retrieve sensitive data from the Patron Edge database, including the Patron Edge database connection string and data encryption key (DEK) used to encrypt card holder

data.For more information about the Key Service, see “Key Service” on page 20.

Note: In order to be PCI DSS compliant, all workstations must be configured to automatically lock-out

the current user after 15 minutes of inactivity. To access the machine again, the Windows user must be required to re-enter their user name and password. You can accomplish this be setting the screen saver on each Windows machine to require a password on resume.

Note: By default, The Patron Edge will not allow a user to submit a new password that is the same as

(19)

₁₅

Login Security

When The Patron Edge is installed, a default administrator user account is created with the user name “Supervisor” and the password “admin”. If in the past your organization used the default administrator account with the default password intact, you must ensure that it is no longer used or your organization will not be PCI DSS compliant. For all new installations and upgrades to The Patron Edge 3.4 and higher, you will be required to change the default password of this user as described in the scenarios below.

For new installations of The Patron Edge 3.4 and higher you are required to change the user name and password for the default administrator user account created during the installation. After the

installation process is complete and during the initial login, you will be prompted and required to change the user name and password for the default administrator user account. The new password must meet the password requirements as discussed in “Password Strength Requirements for User Accounts” on page 14. After the new user name and password are successfully added, you will be prompted to log in using the account.

For upgrades to The Patron Edge 3.4 and higher, you are required to change the password for the default supervisor account created during the installation. In addition, every user will be prompted and required to update their password to meet strong and complex requirements when they login after the upgrade. For information about changing a user account, see the “Configure System Users” section of the Administration Guide.

The Patron Edge provides the configuration settings required to help you meet PCI DSS standards for enforcing login and password security measures. To comply with PCI DSS, you must require users to change passwords at least every 90 days and also lock out a user account after no more than six failed login attempts. You must also set the lockout duration to 30 minutes or until a system administrator enables the user account. For information about additional password and lockout requirements for PCI DSS, see “User Account Management” on page 4.

The following settings, which help you meet PCI DSS standards for enforcing login and password security measures, are accessed on the Security tab of the Maintain Company screen table in The Patron Edge

3.4 and higher. For more information, see the “Configure Company Table Settings” chapter of the

Administration Guide.

• Maximum password age - This setting ensures that all users change their passwords at least every 90 days. The maximum number of days that can be entered in this field is “90”.

• Min. Characters in Login Password - This setting ensures that passwords are at least seven characters. You can increase the number of required characters but the minimum allowed is seven.

• Password rotation - The minimum setting for Password rotation is “4”. This means that when a user changes their password, they cannot use a password that is the same as any of the last four passwords previously used.

• User’s login “lock-out” duration (minutes) - This setting determines the number of minutes that a user account is locked after they reach the limit for failed login attempts, which is a maximum of six attempts. The lockout duration is a minimum of 30 minutes or until an administrator manually unlocks the account.

Warning: For your organization to be PCI DSS compliant, you must configure and use unique user

accounts the meet the PCI DSS standards. For more information about these standards, see “User Account Security and Configuration” on page 14.

Note: In versions of The Patron Edge prior to version 3.4, you could set an option on the user account

that would allow the user password to never expire. This option has been removed from The Patron

(20)

The following setting is accessed on the General tab of the Maintain Company Table screen. For more information, see the “Configure Company Table Settings” chapter of the Administration Guide.

• Number of Login Attempts - This setting controls the number of failed login attempts that result in a user account being locked. The maximum setting is “6”.

Workstation Inactivity

Additionally, all workstations must be configured to automatically lock-out the current user after 15 minutes of inactivity. To access the machine again, the Windows user must be required to re-enter their user name and password. You can accomplish this be setting the screen saver on each Windows

machine to require a password on resume. This is required for your organization to be PCI DSS compliant.

User Access Audit Capability/Audit Trail

The Patron Edge 3.4 and higher includes an audit log that tracks database activity and links activities to

individual user accounts. This is true of for all Patron Edge system users, including those with administrative privileges. When The Patron Edge version 3.4 or higher is installed, the audit log is automatically turned on and monitors access to the database.

To access the audit log and view the information tracked, you must access the

view_auditoperations database view in your Patron Edge database.

Each audit log entry contains user identification, type of event, date and time, success or failure

indicator, origination of event, and the name of the affected data, system component, or resource. The following activity is monitored and tracked by the audit log:

Login activity. All user login activity is tracked and will have an entry in the audit log. This activity includes logins, logouts, password changes, and all account locking and unlocking activity.

Administration activity. All add, edit, and delete actions for tables in Administration are monitored and will have an entry in the audit log.

CRM record activity. All add, edit, and delete actions for client details contained in CRM records are monitored and will have an entry in the audit log.

Credit and debit card activity. All credit card and debit card activity is monitored and will have an entry in the audit log. Although monitored, no sensitive data is included in the log. For example, the primary account number (PAN) will never appear in the log as plain text. This is true for successful transactions and errors.

Note: If a user is locked out of their account or their password is compromised, an administrator can

access the user account record and reset the password to a new temporary password that meets the strong password requirements. Once the user attempts to log in, they will be prompted and required to change their password.

(21)

₁₇

PCI DSS audit trail requirement 10.3 states that the audit trail/log entries must contain user

identification, type of event, date and time, success or failure indicator, origination of event, and the name of the affected data, system component, or resource. The following table shows how each requirements is tracked and displayed in the Patron Edge audit log.

Payment Process Security

Versions 3.4 and higher of the The Patron Edge and associated Blackbaud payment components comply with PA DSS standards to securely handle card payment processes. For versions 3.4 and higher, credit card information is encrypted before transactions are cleared. Once the transactions are cleared, every credit card number is truncated, except for the last four digits and no other credit card information is retained. For more information, see “Cardholder Data” on page 18.

VeriFone PCCharge

Payment processing in The Patron Edge can be handled by VeriFone PCCharge. VeriFone PCCharge, which is a third party application. To be PCI DSS compliant you must install a PCI DSS compliant version of VeriFone PCCharge and it must be installed and configured according to the instructions provided in the PCI DSS implementation documentation from VeriFone. For more information, see the VeriFone PCCharge website here: http://www.verifone.com/card-acceptance/pccharge.aspx.

If you are connecting to the processing engine using the TCP/IP connection mode, when you set up the Integration Configuration in VeriFone PCCharge, you must select “Secure TCP/IP Integration.” The “Standard TCP/IP Integration” connection mode is not supported in The Patron Edge 3.4 and higher. In addition you must configure the payment.ini file for the BBPaymentServer to include the required SSL certificate information. For more information, see the Administration Guide.

For The Patron Edge 3.4 and higher, the view_auditoperations database view provides the required audit trail/log information as specified in requirement 10.3. The fields displayed in the view_auditoperations database view map directly to the PCI DSS audit trail requirements as follows:

UserID = User identification ActionType = Type of event ActionDate = Date and time

ActionStatus = Success or failure indicator

OriginApplication and OriginModule = Origination of event

EntityCode and TargetEntityID = Name of affected data, system component or resource

Warning: VeriFone PCCharge and The Patron Edge must be connected over a secure LAN. This is

required because card holder data can pass in plain text between the BBPaymentServer and VeriFone PCCharge if you use the dll communication mode. We recommend, for additional security, that you use the secure tcp connection method as recommended by the VeriFone PCCharge implementation documentation. VeriFone PCCharge provides a default certificate that can be exported to client machines to secure this communication. Additionally, you can purchase your own security certificate to encrypt this communication. You configure the communication mode through VeriFone PCCharge and the The Patron Edge payment.ini file. For more information, see the Administration Guide.

(22)

Blackbaud Secure Payments

Payment processing in The Patron Edge and The Patron Edge Online can be handled by Blackbaud

Secure Payments.

With Blackbaud Secure Payments (BBSP), you can enable clients to securely accept online credit card transactions from their website users and supporters. You can also accept donations and other transactions within The Patron Edge.

In The Patron Edge, each user workstation uses a customizable paymentclient.ini file that is unique to that workstation. You can edit the paymentclient.ini file to specify the default merchant account and currency to use, as well as the template to use when processing transactions within The Patron Edge. When you process credit card transactions, each workstation communicates directly with the Blackbaud

Secure Payments servers to verify and authorize the credit card information.

For The Patron Edge Online, you specify a series of online payment configuration settings, such as the merchant account, currency, and template to use when processing online transactions. You specify these settings from within the The Patron Edge Online Administration site. When you process credit card transactions, the program communicates directly with the Blackbaud Secure Payments servers to verify and authorize the credit card information.

Unlike VeriFone’s PCCharge where the program encrypts all sensitive data before clearing and stores it in the CC_Payment table within your Patron Edge database, Blackbaud Secure Payments does not store any data within your Patron Edge database.

For more information, see the Administration Guide for The Patron Edge.

Cardholder Data

Versions 3.340 and higher of the The Patron Edge encrypt all sensitive data before clearing and store it in the CC_Payment table within the database. The following information is securely encrypted and saved in the database before transactions clear:

• credit card number • cvv2

• magnetic_strip_data • track2_details • issue_number

Once transactions clear, the only cardholder data retained in the database is the last four digits of the credit card number. The cvv2, magnetic_strip_data, track2_details, and issue_number fields are purged from the database after transactions clear.

Within The Patron Edge, your organization can use notes, free-text fields, and user definable fields to store important information. However, do not use these features to store sensitive information, such as payment card or cardholder data, in the program. The abuse or misuse of the program to store sensitive information can leave you vulnerable to an attack by malicious users. For information about the data management requirements of PCI DSS, see “Data Management” on page 2.

Warning: If your organization used notes, free-text fields, or user definable fields to store sensitive

(23)

₁₉

Records

After a transaction is processed in The Patron Edge, the payment information for the transaction can be viewed on the Transaction Details screen. If a credit card payment was applied to the transaction, a truncated credit card number is displayed on the Payment tab with only the last four digits visible.

In accordance with PCI DSS, your organization must develop and maintain a data retention and disposal policy. You must keep cardholder data storage to a minimum and limit the retention time to only the duration required for business, legal, and regulatory purposes. We recommend that you purge this data once it is no longer needed for business purposes.

Reports

All reports generated from The Patron Edge meet PCI DSS standards for cardholder data. In reports that include credit card information, only the last four digits of the primary account number (PAN) are displayed.

Import and Export

In compliance with PCI DSS standards, The Patron Edge does not have a mechanism for importing or exporting sensitive cardholder data. This is true of previous versions of The Patron Edge, as well as version 3.340 and higher.

(24)

Encryption and PA DSS Management

With The Patron Edge 3.4 and higher, the program encrypts all sensitive data before clearing and stores only truncated credit card numbers after clearing. To enable the secure encryption of sensitive data, all versions of The Patron Edge 3.4 and higher include data encryption functionality that meets PA DSS requirements. This encryption functionality is implemented using a key service and a series of encryption keys.

The Patron Edge 3.4 and higher also provides the PA DSS Management Utility to effectively manage and

rotate the encryption keys. You can also use the PA DSS Management Utility to change the SQL Server

2005 or SQL Server 2008 account used to establish a secure connection between the application and

database.

Key Service

The Key Service is used to retrieve sensitive data from the Patron Edge database, including the Patron Edge database connection string and data encryption key (DEK) used to encrypt card holder data. Prior to running the installation for The Patron Edge 3.4 and higher, you should add a specific Windows account that the Key Service will run under. This Windows account must have “Logon as a service rights” and must also have the db_owner role in SQL Server 2005 or SQL Server 2008.

For a new installation of The Patron Edge, you will install a Key Service when you create a new database using the Blackbaud Management Console (BMC). When you install a new Key Service, you are

prompted to enter a user name and password. The account information you enter should be for the

Windows account that you added specifically to run the Key Service. For upgrades, you install a new Key

Service or point to an existing Key Service when you reattach your databases after the upgrade is complete.

Note: For information about working in the BMC to install and uninstall Key Services, see the

(25)

₂₁

Once the Key Service is installed and functioning, you can access a number of useful files in the “KeyService” directory, which is located within your Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge\KeyService.

For example, the KeysServiceServer.exe.Config file contains useful information that includes the database and SQL instance the Key Service is pointing to. It also contains the port number the Key Service is listening on, and a bounded Key Service address if you are using more than one Key Service in your system. For security purposes, this file is encrypted once the Key Service starts. However, you can view the file if you run PCIEncrypt.exe and log in.

This directory also contains KeyServiceServer.log and a KeyServiceServerErrors.log

files. You can use these files to help diagnose any connection problems with the Key Service.

Key Service URL and Port Numbers

When a program tries to connect to the Key Service, depending on the product, it either goes to the registry, the TopTixEsro2.INI file, or the kSRO.config file. Running a program from the desktop (as the current windows user) will cause the program to look for the Key Service URL at:

HKEY_CURRENT_USER\Software\VB and VBA Program

Settings\TopTix\DataAccess\PEKeyServiceURL. This address should point to the IP address or machine name where the Key Service is running.

• On machines running services under the local system account, the Key Service URL must be set at:

HKEY_USERS\s-1-5-18\Software\VB and VBA Program Settings\TopTix\DataAccess\PEKeyServiceURL.

• On machines running services under the network account, the Key Service URL must be set at:

HKEY_USERS\s-1-5-20\Software\VB and VBA Program settings\toptix\dataaccess\PEKeyServiceURL.

• If you are running the service under any other account, such as a specific user, the key must be set up for that user in the same fashion as the above keys.

The port number in the address must reflect the port number of the Key Service you want to communicate with. You can find this port number by reviewing the

KeysServiceServer.exe.Config file for the corresponding Key Service. When running multiple Key Services on one machine, each key service must be setup to use a different port number.

(26)

By default, the listening port used by the parent Key Service running on your Patron Edge server is 9955. If needed, you can change the listening port from the default 9955 to any open port. You can do this by editing the KeysServiceServer.exe.Config file or by accessing the PA DSS Management Utility and in the Current Key Service Config File Settings frame, edit the value in the Listening Port field.

Multiple Key Service Environment

If both the Patron Edge and Patron Edge Online are on the same LAN, you will need only one Key Service. However, if the Patron Edge and Patron Edge Online are on different LANs, you will need two separate Key Services that communicate with each other. The secondary Key Service is added during the

Patron Edge Online or Patron Edge Kiosk installation processes. For more information, see the

respective installation guides. If you require two Key Services, you will need to enter a bounded URL using the PA DSS Management Utility on your Patron Edge server. For more information, see “Configure a Bounded Key Service Address” on page 30.

If your environment requires multiple Key Service instances, the The Patron Edge Online or The Patron Edge Kiosk Key Service is considered to be a child service of the parent Key Service on your Patron Edge machine. Changing any secure asset (The Patron Edge Online connection string, The Patron Edge Kiosk connection string, The Patron Edge connection string, or data encryption key) should be done on the

Patron Edge machine through the PA DSS Management Utility. When one of these values is changed,

the parent Key Service pushes the new value over an SSL connection to the child Key Service which will write the values in the Patron Edge Online database. This data is changed in a transactional manner ensuring that the values in all databases are synchronized. These secure assets are protected the same way in all databases via the DMK, symmetric keys, asymmetric keys, and the DEK.

For more information about multiple Key Services, see the Payment Application Data Security Standards Implementation Guide for The Patron Edge Online and the Payment Application Data Security Standards Implementation Guide for The Patron Edge Kiosk.

Change the Key Service Login Account

The Key Service is used to retrieve sensitive data from the Patron Edge database, including the Patron Edge database connection string and data encryption key (DEK) used to encrypt card holder data. During the installation, a Key Service Setup screen appears and you are prompted to enter a user name and password. The account information you enter should be for the Windows account that will run the Key Service. If you want to change the Windows account used to run the Key Service, you must do so through Windows by accessing the Administrative Tools school and then opening the Services screen.

Change the Key Service Login Account

1. Before you continue, make sure users all users are logged out of The Patron Edge and stop the Key Service.

(27)

₂₃

2. From Windows, access the Administrative Tools screen.

3. On the Administrative Tools screen, double-click “Services.” The Services screen appears. 4. Scroll down and select “Keys Services SVC.” Verify that the service has been stopped.

5. Right-click on the service and select Properties from the shortcut menu. The properties screen for the key service appears.

(28)

6. Select the Log On tab.

7. Under Log on as, enter a new Windows account for the key service to run under. To select an account, click Browse. The Windows account you enter must have “Logon as a service rights” and must also have the db_owner role in SQL Server 2005 or SQL Server 2008. You must also enter and confirm the user password in the corresponding fields.

8. To continue, click Apply and then OK. The Key Service Login Account is changed and you return to the Services screen.

9. Restart the Key Service and all Patron Edge applications to ensure that they are working correctly.

Encryption Keys

The Patron Edge 3.4 and higher encrypts sensitive data using a series of encryption keys. With the PA

DSS Management Utility, you can effectively manage and rotate the encryption keys to meet PCI DSS requirements. The encryption keys used to secure data in The Patron Edge 3.4 and higher are explained below. Encryption keys are sensitive data that must be managed according to PCI DSS standards for encryption key management. If they are not managed according to PCI DSS standards for encryption key management, you will not be PCI DSS compliant.

If encryption keys are compromised, they must be rotated immediately. However, if you are rotating keys under normal circumstances, we recommend rotating the keys during down time as it can be a time-consuming process. For procedures the guide you through the rotation of these keys, see “PA DSS Management Utility” on page 26.

Tip: For more information about SQL Server encryption and the encryption hierarchy, see the

following MSDN article on Microsoft’s website:

http://msdn.microsoft.com/en-us/library/bb510663.aspx.

Warning: If an encryption key becomes compromised or is even suspected of being compromised,

(29)

₂₅

Data Encryption Key (DEK). The DEK is a programmatic key that encrypts card holder data. If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. When you rotate this key, pre-authorization data using the old key will be decrypted and then re-encrypted using the new key.

Database Master Key (DMK). The DMK is the encryption key for the database and for symmetric and asymmetric keys that protect the DEK. If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. During installations of version 3.4 and higher, as well as subsequent updates, you will be required to enter a new DMK.

Service Master Key (SMK). The SMK is the encryption key for all databases on a specific instance of

SQL Server 2005 or SQL Server 2008. Which means, if this key is rotated it affects not only your

Patron Edge database, but all databases on the same SQL Server 2005 or SQL Server 2008 instance

as your Patron Edge database. This task is typically performed by an experienced Database Administrator and should be approached with caution.

Warning: To comply with PCI DSS, your organization must fully document and implement key

management processes and procedures for keys used to encrypt cardholder data. For specific information about the requirements, see “Encryption Key Management” on page 3.

(30)

PA DSS Management Utility

With the PA DSS Management Utility, you can effectively manage and rotate the required encryption keys. If encryption keys are compromised, they must be rotated immediately. However, if you are rotating keys under normal circumstances, we recommend rotating them during down time as it can be a time-consuming process. Additionally, you can use the PA DSS Management Utility to change the SSQL

Server 2005 or SQL Server 2008 account used to establish a secure connection between the application

and database.

To access and fully use the PA DSS Management Utility, you must have administrator rights in Windows. You must also log into this utility with a Patron Edge account that has administrative privileges. If you are already logged into Patron Edge on the same machine, those credentials are used when running this application.

For more procedures that guide you through each PA DSS Management Utility process, see the following:

• “Rotate the Data Encryption Key” on page 27 • “Rotate the Database Master Key” on page 27 • “Rotate the Service Master Key” on page 28

(31)

₂₇

• “Change the Default SQL Server User Account for The Patron Edge” on page 29 • “Configure a Bounded Key Service Address” on page 30

Rotate the Data Encryption Key

The Data Encryption Key (DEK) is a programmatic key that encrypts card holder data. If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. When you rotate this key, any data using the old key will be decrypted and then re-encrypted using the new key.

Rotate the Data Encryption Key

To access and use the PA DSS Management Utility to rotate the DEK, you must have administrator rights in Windows. You must also log into this utility with a Patron Edge account that has

administrative privileges.

1. Before you continue, make sure all users are logged out of The Patron Edge.

2. Access your Patron Edge server and navigate to the Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge.

3. Locate and run PCIEncrypt.exe. The PA DSS Management Utility screen appears.

4. Access the SQL Server Encryption frame and in the Existing Master Key field, enter the current database master key. You must enter the current DMK in order to rotate the DEK.

5. To continue, click Rotate Data Encryption Key. A confirmation screen appears.

6. Click OK. The DEK has now been successfully rotated. Any data using the old key will be

decrypted and then re-encrypted using the new key. Before logging back into The Patron Edge, restart TIX_PSC.

Rotate the Database Master Key

The Database Master Key (DMK) is the encryption key for the database and for symmetric and

asymmetric keys that protect the DEK. If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. During installations of version 3.4 and higher, as well as subsequent updates, you will be required to enter a new DMK.

Rotate the Database Master Key

To access and use the PA DSS Management Utility to rotate the DMK, you must have administrator rights in Windows. You must also log into this utility with a Patron Edge account that has

administrative privileges. If you are already logged into Patron Edge on the same machine, those credentials are used when running this application.

1. Before you continue, make sure users all other users are logged out of The Patron Edge.

Note: For information about changing the Windows account used to run the Key Service, see “Change

the Key Service Login Account” on page 22.