Payment Application Data Security Standards Implementation Guide

(1)

Payment Application Data Security Standards

Implementation Guide

(2)

PADSS

©2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without the prior written permission of Blackbaud, Inc.

The information in this manual has been carefully checked and is believed to be accurate. Blackbaud, Inc., assumes no responsibility for any inaccuracies, errors, or omissions in this manual. In no event will Blackbaud, Inc., be liable for direct, indirect, special, incidental, or consequential damages resulting from any defect or omission in this manual, even if advised of the possibility of damages.

In the interest of continuing product development, Blackbaud, Inc., reserves the right to make improvements in this manual and the products it describes at any time, without notice or obligation.

All Blackbaud product names appearing herein are trademarks or registered trademarks of Blackbaud, Inc. All other products and company names mentioned herein are trademarks of their respective holder. PADSSImplementation-2012

(3)

PCI DSS Implementation

in Your Organization

Payment Card Industry and Payment Application Data Security Standards . . . 1

Data Management . . . 2

Network Security . . . 4

System Maintenance . . . 7

Network Maintenance . . . 7

When you accept payment cards for donations or revenue, the security of the credit card information is very important. Used properly, Blackbaud programs can help you maintain this information in

accordance with the Payment Card Industry Data Security Standard (PCI DSS). To help promote the awareness of the security requirements for credit card and cardholder data, this chapter provides information about PCI DSS and how it impacts your organization. With the proper security of credit card information, you can protect your constituents and clients from inconvenience and financial and

personal loss and help protect your organization from additional expense. For information about PCI DSS, see “Payment Card Industry and Payment Application Data Security Standards” on page 1.

Payment Card Industry and Payment

Application Data Security Standards

Developed by Visa, the Payment Application Data Security Standard (PA DSS) requires software

companies such as Blackbaud to develop secure programs that enable users to comply with the PCI DSS. To learn more about PA DSS and download the specification, visit

http://usa.visa.com/download/merchants/cisp_payment_application_best_practices.doc.

Note: This guide provides only an overview of PCI DSS requirements and recommended best practices to ensure compliance. For additional detail, visit https://www.pcisecuritystandards.org to download the PCI DSS specification.

Note: The PCI Security Standards Council includes American Express, Discover Financial Services, JCB International, Mastercard Worldwide, and Visa Inc. and was formed to help implement consistent data security measures on a global basis.

(6)

Developed by the Payment Card Industry (PCI) Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS) includes requirements for security management, policies, procedures, network architecture, software design, and other proactive measures. As an organization that collects payment card information, such as to process payments or donations, you must adhere to the PCI DSS and proactively protect this data. To learn more about PCI DSS and download the specification and its supporting documents, visit https://www.pcisecuritystandards.org.

Data Management

Encryption is necessary to protect cardholder data. If a user circumvents security controls and gains access to encrypted data, without the proper cryptographic keys, the user cannot read or use the data. To reduce the risk of malicious abuse, you must consider other effective methods to protect stored data. For example, store cardholder data only when it is absolutely necessary, and do not send the cardholder data in unencrypted email messages.

Sensitive Authentication Data and Cardholder Data Retention

You should keep the storage of cardholder data to a minimum. To comply with PCI DSS, your organization must develop and maintain a data retention and disposal policy.

• Limit the cardholder data stored and the retention time to only that which is required for business, legal, and regulatory purposes.

• Purge all cardholder data that exceeds the retention period.

Do not retain sensitive authentication data, such as the full magnetic stripe, card validation code, or personal identification number (PIN) information, in your database. If you must retain sensitive authentication data, such as for troubleshooting purposes, you must follow these guidelines: • Collect sensitive authentication data only when necessary to solve a specific problem. • Store sensitive authentication data only in specific, known locations with limited access. • Collect only the limited amount of data necessary to solve a specific problem.

• Encrypt sensitive authentication data while stored. • Securely delete sensitive authentication data after use.

To ensure the complete and secure removal of cardholder data, you must securely erase temporary files that may contain sensitive authentication information and cardholder data.

Note: Depending on your organization and the number of payment card transactions you process, you may need to engage an external security assessment company to determine your level of compliance with PCI DSS and other security compliance programs. If you use an external assessor, we recommend you select one that is qualified and familiar with the latest requirements from the PCI Security

Standards Council. To validate whether your organization is compliant with PCI DSS, we recommend you also visit https://www.pcisecuritystandards.org and complete the PCI Security Standards Council Self-Assessment Questionnaire.

Warning: To comply with PCI DSS, you must remove historical sensitive authentication data and cardholder data from your database. If you upgrade from non-compliant version, or if your

organization used attributes, notes, or free-text fields to store sensitive authentication information or cardholder data, you must search for and securely delete this data from your database to comply with PCI DSS.

(7)

P C I D S S IM P L E M E N T A T I O N I N YO U R OR G A N I Z A T I O N

₃

• If you use Microsoft Windows XP or Windows Vista, turn off System Restore on the System Properties screen. System Restore creates and uses restore points to track changes in Windows. These restore points may retain cardholder data. When you turn off System Restore, the operating system automatically removes existing restore points and stops the creation of new restore points.

• To ensure the complete removal of data, install and run a secure delete tool such as Heidi Eraser. With a secure delete tool, you can safely erase temporary files that may contain sensitive authentication information or cardholder data. For information about how to install and run the secure delete tool, refer to the manufacturer’s documentation.

Cardholder Data Encryption

To comply with PCI DSS, your organization must encrypt cardholder information during transmission over open public networks that malicious users could abuse to intercept, modify, and divert data during transit. These open public networks include the Internet, WiFi (IEEE 802.11x), the global system for mobile communication (GSM), and general packet radio service (GPRS). To safeguard sensitive authentication information and cardholder data during transmission, use strong cryptography and security protocols such as Secure Sockets Layer (SSL) version 3/Transport Layer Security (TSL) version 1.1 and Internet Protocol security (IPSec). Never send unencrypted cardholder data in an email message.

Encryption Key Management

Do not retain any cryptographic key material, encryption keys, or cryptograms in your database, such as those used to compute or verify sensitive authentication information and cardholder data. Your

organization may have used attributes or free-text fields to store this information. To comply with PCI DSS, you must not store cryptographic material in the program. If your organization used attributes, notes, or free-text fields to store cryptographic material, you must search for and securely delete this data from your database to comply with PCI DSS. The abuse of the program to store cryptographic material may leave you vulnerable to attack by malicious users. To ensure the complete removal of data, install and run a secure delete tool such as Heidi Eraser. For information about how to install and run the secure delete tool, refer to the manufacturer’s documentation

To comply with PCI DSS, your organization must fully document and implement key management processes and procedures for keys used to encrypt cardholder data. At a minimum, this documentation must include:

• How to generate strong encryption keys.

• How to secure the distribution and storage of encryption keys.

• How to periodically change encryption keys, as necessary for the program and at least annually. • How to revoke and destroy old or invalid encryption keys.

• How to split the knowledge and establish dual control of encryption keys so it requires multiple people with partial knowledge of the key to construct the complete key.

• How to prevent the unauthorized substitution of encryption keys. • How to replace known or suspected compromised encryption keys.

Your organization must restrict access to encryption keys to the fewest number of custodians necessary and store keys securely in the fewest possible locations and forms. Custodians of encryption keys must sign a form to document their understanding and acceptance of their responsibilities as custodians of this data.

(8)

Network Security

With a secure network, you can protect your system and credit card information from internal and external malicious users. To secure your network, we recommend you utilize a firewall and configure wireless devices and remote access software.

User Account Management

To comply with PCI DSS, you must assign unique identification to each person who accesses networks, workstations, or servers that contain the program or cardholder data. Unique login credentials ensure that only authorized users can access and work with the critical data and systems included in your network. With unique login credentials, you can also trace actions on your network to specific users. These credentials must include a unique user name and a way to authenticate the user’s identity, such as a complex password, a token key, or biometrics.

At a minimum, your organization must implement these guidelines to create network user accounts and manage user authentication and passwords. You must communicate password procedures and policies to all users who can access cardholder data.

• Use authorization forms to control the addition, deletion, and modification of user IDs. • Verify the identity of users before you reset passwords.

• Immediately revoke account access for terminated users.

• Remove or disable inactive user accounts at least every 90 days.

• Enable user accounts for use by vendors for remote maintenance only when needed and immediately deactivate them after use.

• Do not use group, shared, or generic user accounts and passwords.

• Require users to change their initial passwords immediately after the first use and subsequent passwords at least every 90 days.

• Require passwords with a minimum length of seven numeric and alphabetic characters. • Require that new passwords not match one of the last four passwords used by the user.

• Lock out the user account after no more than six failed login attempts. Set the lockout duration to 30 minutes or until a system administrator enables the user account.

• Log out idle sessions after 15 minutes so users must enter the password to activate the workstation. • To log user authentication and requests, turn on database logging in Microsoft SQL Server.

Enable database logging in SQL Server

1. In Microsoft SQL Server Management Studio, connect to the instance of the database engine. 2. Under Object Explorer, right-click on the server name and select Properties. The Server

Properties page appears.

3. On the Security page, select Both failed and successful logins under Login auditing and click OK. 4. Stop and restart the SQL Server service for the database.

(9)

₅

For information about how to enable SQL Server to write to the Security log, see http://msdn.microsoft.com/en-us/library/cc645889.aspx.

Firewall Management

If you use software to process payments, we recommend you verify that the workstation’s link to the Internet is secure. If you transfer transactions online, ensure your Internet hardware, such as the modem or DSL router, provides a built-in firewall. You must restrict connections between publicly accessible servers and any system component that stores cardholder data, including connections from wireless networks. To comply with PCI DSS, the firewall configuration must:

• Restrict inbound Internet traffic to Internet Protocol (IP) addresses within the DMZ. • Not allow internal addresses to pass from the Internet into the DMZ.

• Implement inspection or dynamic packet filtering to allow only established connections into the network.

• Place the payment processing program and the database that contains the cardholder data in an internal network zone segregated from the DMZ.

• Restrict inbound and outbound traffic to only that which is necessary for the cardholder data environment and deny all other traffic that is not specifically allowed.

• Secure and synchronize router configuration files, such as running and start-up configuration files. Your organization must also install perimeter firewalls between any wireless networks and the cardholder data environment and configure these firewalls to deny or control any traffic from the wireless environment. To comply with PCI DSS, your organization must configure all mobile and

employee-owned computers with direct connectivity to the Internet, such as laptop computers, used to access the network with an installation of personal firewall software.

Wireless Devices

If you use wireless devices to store or transmit payment transaction information, you must configure these devices to ensure network security in compliance with PCI DSS.

• Install perimeter firewalls between any wireless networks and systems that store cardholder data. These firewalls must deny or control any traffic necessary for business purposes from the wireless environment to the cardholder data environment.

• Implement strong encryption, such as the Advanced Encryption Standard (AES), on all wireless networks.

• At installation, change encryption keys from the default. After installation, change encryption keys when anyone with knowledge of the keys leaves the organization or changes position with the organization.

• Do not use the vendor-supplied defaults for the wireless environment. Change the default passwords or pass phrases on access points and single network management protocol (SNMP) community strings on wireless devices.

• Change the default service set identifier (SSID) and disable SSID broadcasts when applicable.

• Update the firmware on wireless devices to support strong encryption, such as WiFi protected access (WPA or WPA2) technology, Internet Protocol security virtual private network (IPSec VPN), or Secure Sockets Layer (SSL)/Transport Layer Security (TLS), for authentication and transmission over wireless networks.

(10)

• Use industry best practices to implement strong encryption for the transmission of cardholder data and sensitive authentication data over the wireless network in the cardholder data environment.

To comply with PCI DSS, your organization must configure all mobile and employee-owned computers with direct connectivity to the Internet, such as laptop computers, used to access the network with an installation of personal firewall software. The firewalls must be active and configured to a specific standard that users cannot alter.

Remote Access

If your organization enables remote access to the network for use by employees, administration, and vendors, you must implement two-factor authentication for logins. Two-factor authentication requires the unique login credentials and an additional authentication item such as a token or individual

certificate. Use technology such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens or VPN (based on SSL/TLS or IPSec) with individual certificates.

To comply with PCI DSS, your organization must configure the remote access software to ensure network security.

• Do not use the vendor-supplied defaults such as passwords for the remote access software.

• Establish unique login credentials and complex passwords for remote access users in accordance with PCI DSS requirements 8.1, 8.3, and 8.5.8-8.5.15. For more information, see “User Account

Management” on page 4.

• Allow connections from only specific known IP and MAC addresses. • Enable encrypted data transmission in accordance with PCI DSS 4.1.

• Lock out the remote access user account after no more than six failed login attempts.

• Require remote access users to establish a VPN connection through a firewall before they connect to the network.

• Enable the logging function.

• Establish complex passwords for customers in accordance with PCI DSS requirements 8.1, 8.2, 8.4, and 8.5.

• Restrict access to customer passwords to authorized third-party personnel.

• To verify the identities of remote access users, require two-factor authentication (T-FA) such as both a user login and a password.

If your organization enables remote access for use by vendors, it should be only when needed and immediately deactivated after use.

Non-console Administrative Access

To comply with PCI DSS, your organization must encrypt all non-console administrative access. For web-based management and other non-console administrative access, use technologies such as Secure Shell (SSH), VPN, or SSL/TLS.

Warning: It is prohibited to use Wired Equivalent Privacy (WEP) for payment applications as of June 30, 2010. We strongly recommend you use WPA2 technology to secure wireless implementations.

(11)

₇

Internet-Accessible Systems

Do not store cardholder data on Internet-accessible systems. For example, do not house the database server within the same server as the web server.

System Maintenance

Once you secure your system, you must keep your equipment current. Malicious users can use security vulnerabilities to access your system. Both hardware and software manufacturers occasionally issue updates to products, such as to remedy these vulnerabilities and help prevent such attacks. We recommend you ensure you have the most recently released patches installed. For example, you can frequently review the manufacturers’ websites, newsletters, and online forums to check for the current patches.

Occasionally, a manufacturer may stop support of a product. In this case, we recommend you determine whether your organization should continue to use an unsupported product. Also, a manufacturer may inform you of a flaw or defect in a product that may make your organization vulnerable to attack. We recommend you pay attention to these alerts and update your system accordingly.

To further reduce vulnerability, we recommend you also deploy anti-virus software on your systems and ensure they are current, actively running, and can generate assessment logs.

Network Maintenance

Once you secure your system, you must monitor and track access to the network and your credit card information, such as with logging mechanisms. The lack of activity logs can make the determination of the cause of an attack very difficult. Logs help you track and analyze network activity when something goes wrong.To further reduce vulnerability, we recommend you also frequently test your network to verify its security continues to be maintained, regardless of age or changes in software.

To comply with PCI DSS, you must implement automated audit trails for all system components to track these events:

• All individual users who access cardholder data.

• All actions performed by users with root or administrative privileges. • All access of the audit trails.

• All invalid logical access attempts.

• All use of identification and authentication mechanisms. • The initialization of the audit logs.

• The creation and deletion of system-level objects.

For each event, your organization must also record these audit trail entries for all system components: • The user who initiates the event.

• The type of event.

• The date and time of the event.

• Whether the event succeeded or failed. • The origination of the event.

(12)

(13)

2

chapter

PA DSS Implementation

in The Patron Edge

Online

Patron Edge Online Payment Process Overview . . . 10

Installations and Upgrades . . . 12

Database Roles . . . 16

User Account Security and Configuration . . . 17

User Access Audit Capability/Audit Trail . . . 21

Payment Process Security . . . 23

VeriFone PCCharge . . . 23

Blackbaud Secure Payments . . . 23

Cardholder Data . . . 24

Encryption and PA DSS Management . . . 25

Key Service . . . 26

Message Encryption . . . 28

Encryption Keys . . . 29

Sensitive Data and HTTPS . . . 34

Rollback and Uninstall . . . 34

(14)

Versions 3.41 and higher of The Patron Edge Online provide enhancements to help you secure your data and comply with PCI DSS. We strongly recommend you update your software to the latest version.

Patron Edge Online Payment Process

Overview

In The Patron Edge Online, you can securely process payment requests using more than method. One option is to use a process facilitated by the Blackbaud Payment Component group. In The Patron Edge Online, when a customer makes a purchase from your public site using a credit card, they enter the typical transaction information, including their credit card number. During this process, a payment request is sent to a payment processing vendor to determine if the purchase is approved or declined. The result is then sent back to The Patron Edge Online. This process is facilitated by the Blackbaud Payment Component group, which consists of executables and other entities that work together to securely process payment requests.

Warning: To use version 3.41 and higher of The Patron Edge Online, you must be on version 3.4 or higher of The Patron Edge. To use The Patron Edge Online 3.41 and higher and The Patron Edge 3.4

and higher, you must have Microsoft SQL Server 2005 Standard/Enterprise Edition Service Pack 2 or higher or Microsoft SQL Server 2008 Standard/Enterprise Edition installed. Go to

(15)

PA D S S IM P L E M E N T A T I O N I N TH E PA T R O N ED G E ON L I N E

₁₁

The Blackbaud Payment Components are installed and configured during the initial implementation of

The Patron Edge and The Patron Edge Online.

The Patron Edge Application Group for The Patron Edge Online. The Patron Edge Application Group for The Patron Edge Online includes a number of applications that work together to process transactions generated through The Patron Edge Online. When a purchase is made through your public site, an encrypted XML message containing the transaction information is sent from the web server over TCP and is received by this group of applications. After receiving the message, these applications decrypt for processing and then encrypt the credit card information before sending the payment request to the The Patron Edge database.

TIX_PSC. TIX_PSC checks the database table for payment requests on a designated interval. When the program recognizes a request, TIX_PSC invokes the Blackbaud Payment Server.

Blackbaud Payment Server. The Blackbaud Payment Server is notified of a credit card payment request by TIX_PSC. This server then sends the request to the corresponding Payment Processor and receives the results. You configure the Payment Server by adding or editing values in the Payment.ini file.

(16)

Payment Processor. The Payment Processor is a plug-in that performs the credit card authorization through a specific payment processing vendor like VeriFone PCCharge. It then returns the results to the Blackbaud Payment Server.

CC_Payment Table. The program encrypts all sensitive data before clearing and stores it in the

CC_Payment table within your Patron Edge database. Once transactions clear, only the last four digits of the credit card number are stored in the database. All other cardholder data is purged from the CC_Payment table after a transaction clears. No credit card information is stored in your

Patron Edge Online database.

Alternatively, you can choose to use Blackbaud Secure Payments (BBSP) to securely process payment requests. With Blackbaud Secure Payments, you can enable clients to securely accept online credit card transactions from their website users and supporters. You can also accept transactions within The Patron Edge. The program does not encrypt all sensitive data before clearing and storing it in the CC_Payment table within your Patron Edge database. Blackbaud Secure Payments does not store any data within your Patron Edge database. For more information about Blackbaud Secure Payments, see the Administration Guide for The Patron Edge.

Installations and Upgrades

Before you install or upgrade to The Patron Edge Online 3.41 and higher, there are a number of considerations you should review and requirements you must meet to successfully complete the installation or upgrade.

Windows Account Requirement

During the installation, a Key Service Setup screen appears and you are prompted to enter a user name and password. The account information you enter should be for the Windows account that you added specifically to run the Key Service.

Before you install or upgrade to The Patron Edge 3.4 and higher, you must add a specific Windows

account that has “Logon as a service rights” and the db_owner role for your Patron Edge database in

SQL Server 2005 or SQL Server 2008. This is the Windows account that the Key Service will run under. The Key Service is used to retrieve sensitive data from the Patron Edge database, including the Patron Edge database connection string and data encryption key (DEK) used to encrypt card holder data. For more information about the Key Service and the DEK, see “Message Encryption” on page 28.

Database Master Key Requirement

The database master key (DMK) is the encryption key for your Patron Edge Online database and for symmetric and asymmetric keys. During all new installations and upgrades, you will be prompted to enter a new database master key password. The master key password must meet the following standards, which are determined by your Windows security policy:

• The key must be at least seven characters in length.

Note: For more information about installing The Patron Edge Online 3.41 and higher, including specific procedures, see the Installation Guide. For more information about upgrading to The Patron Edge Online 3.41 and higher, see the Update Guide. Both documents are available on the user guides page of our website, which is located here: http://www.blackbaud.com/support/guides/pe.aspx.

(17)

₁₃

• The key must contain characters from three of the following four categories: uppercase letters (A through Z), lowercase letters (a through z), base 10 digits (0 through 9), and non-alphanumeric characters, for example, an exclamation point (!) or number sign (#).

If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. For steps that guide you through changing the DMK after the installation or upgrade is complete, see “Rotate the PEO Database Master Key” on page 30.

Key Service Configuration

After you install The Patron Edge Online, you must configure the Key Services needed for your specific implementation. This is required before you can access the administration site and run the Site Setup Wizard.

• If your Patron Edge and Patron Edge Online applications are installed on a single LAN, see “Single Key Service Environment” on page 13 for configuration instructions.

• If your Patron Edge and Patron Edge Online applications are on different LANs, you are prompted to set up a secondary Key Service during the Patron Edge Online installation process. If you set up a secondary Key Service during the Patron Edge Online installation process, see “Multiple Key Service Environment” on page 14 for configuration instructions.

Single Key Service Environment

If your Patron Edge and Patron Edge Online applications are installed on a single LAN, you require only a single Key Service. This single Key Service runs on your Patron Edge machine, retrieves sensitive data from your Patron Edge database, and communicates with your Patron Edge Online database. If you have a single Key Service environment, you must complete the following configuration steps before you can access your administration site and run the Site Setup Wizard

Configure a single Key Service

During this process you will access and use the PA DSS Management Utility on your The Patron Edge server. To use the utility, you must have administrator rights in Windows. You must also log into the utility with a Patron Edge account that has administrative privileges.

1. Before you continue, make sure all users are logged out of The Patron Edge.

2. Access your Patron Edge server and navigate to the Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge.

3. Locate and run PCIEncrypt.exe. The PA DSS Management Utility screen appears.

4. Review the information in The Patron Edge Online Database Connection frame and make sure it is correct. If the SQL Database and SQL Server Instance fields are blank or contain incorrect values, enter the correct values. Click Submit to verify the connection. You must click Submit

even if the correct values are displayed. This is required to configure the Key Service.

Note: For information about managing encryption keys and passwords, see “Encryption Key Management” on page 3.

Note: If you have multiple Key Services, The Patron Edge Online connection string, The Patron Edge

connection string, and the data encryption key are encrypted and stored in the Patron Edge Online

(18)

5. Access the The Patron Edge Database Connection frame and click Submit to verify the connection. This is required to configure the Key Service.

6. Next, you must rotate the Data Encryption Key (DEK). To do this, access the SQL Server

Encryption frame and in the Existing Master Key field, enter the current database master key for your Patron Edge database. You must enter the current DMK in order to rotate the DEK.

7. To continue, click Rotate Data Encryption Key. A confirmation screen appears.

8. Click OK. The DEK has now been successfully rotated. Any data using the old key will be

decrypted and then re-encrypted using the new key. Before logging back into The Patron Edge, restart TIX_PSC.

9. On your Patron Edge Online server, restart both the The Patron Edge communication

component and the Web application communication component before attempting to log into your administration site.

Multiple Key Service Environment

If your environment requires multiple Key Service instances, the The Patron Edge Online Key Service is considered to be a child service of the parent Key Service on your Patron Edge machine. Changing any secure asset (The Patron Edge Online connection string, The Patron Edge connection string, or data encryption key) should be done on the Patron Edge machine through the PA DSS Management Utility. When one of these values is changed, the parent Key Service pushes the new value over an SSL

connection to the child Key Service which will write the values in the Patron Edge Online database. This data is changed in a transactional manner ensuring that the values in all databases are synchronized. These secure assets are protected the same way in all databases via the DMK, symmetric keys, asymmetric keys, and the DEK.

If your Patron Edge and Patron Edge Online applications are on different LANs, you will need multiple Key Services. If multiple Key Services are needed for your environment, you are prompted to set up a secondary Key Service during the Patron Edge Online installation process. If you have a multiple Key Service environment, you must complete the following configuration steps before you can access your administration site and run the Site Setup Wizard.

During the configuration process for multiple key services, you will access the PA DSS Management Utility on your Patron Edge server and enter the URL for the Patron Edge Online Key Service. Before you begin this process, you should locate and write down the URL for the Patron Edge Online Key Service so you can enter it when needed.

To find the URL for the Patron Edge Online Key Service, on the machine where the Web application communication component is installed, navigate to the installation directory. The default installation

directory is C:\Program Files\Blackbaud\The Patron Edge Online. From the

installation directory, open TopTixEsro2.ini in a text editor. The URL for the Patron Edge Online

Key Service is the eSRO_ConnectString value displayed in the [General Parameters] section. For

example, in eSRO_ConnectString=net.tcp://localhost:9955/SecureAssets, the

URL you need to note is net.tcp://localhost:9955/SecureAssets.

Configure multiple Key Services

During this process you will access and use the PA DSS Management Utility on your The Patron Edge server. To use the utility, you must have administrator rights in Windows. You must also log into the utility with a Patron Edge account that has administrative privileges.

(19)

₁₅

2. Access your Patron Edge server and navigate to the Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge.

3. Locate and run PCIEncrypt.exe. The PA DSS Management Utility screen appears.

4. Access the Current Key Service Config File Settings frame and in the Bounded URL field, enter the URL for the Patron Edge Online Key Service.

5. After you enter the correct URL for the Patron Edge Online Key Service, click Submit.

6. Next, review the information in The Patron Edge Online Database Connection frame and make sure it is correct. If the SQL Database and SQL Server Instance fields are blank or contain incorrect values, enter the correct values. Click Submit to verify the connection. You must click

Submit even if the correct values are displayed. This is required to configure the Key Services. 7. Access the The Patron Edge Database Connection frame and click Submit to verify the

connection. This is required to configure the Key Services.

8. Next, you must rotate the Data Encryption Key (DEK). To do this, access the SQL Server

Encryption frame and in the Existing Master Key field, enter the current database master key for your Patron Edge database. You must enter the current DMK in order to rotate the DEK.

9. To continue, click Rotate Data Encryption Key. A confirmation screen appears.

10. Click OK. The DEK has now been successfully rotated. Any data using the old key will be

decrypted and then re-encrypted using the new key. Before logging back into The Patron Edge, restart TIX_PSC.

11. Restart both the The Patron Edge communication component and the Web application communication component before attempting to log into your administration site.

Key Service Updates

Every time you update a new patch or update to a new version of the Patron Edge Online, you must access the PA DSS utility on the Patron Edge server and resubmit the Patron Edge and Patron Edge Online database connection string information. If you have multiple Key Services, you must also verify that the URL for your Patron Edge Online Key Service is entered in the Bounded URL field and you must resubmit it. Once those values are resubmitted, you must also rotate the DEK. For more information about using the PA DSS utility, see “Encryption and PA DSS Management” on page 25.

Tip: To find the URL for the Patron Edge Online Key Service, on the machine where the Web

application communication component is installed, navigate to the installation directory. The default

installation directory is C:\Program Files\Blackbaud\The Patron Edge Online.

From the installation directory, open TopTixEsro2.ini in a text editor. The URL for the Patron Edge Online Key Service is the eSRO_ConnectString value displayed in the [General Parameters] section. For example, in

eSRO_ConnectString=net.tcp://localhost:9955/SecureAssets, the URL you

(20)

Default Administrator Account

When The Patron Edge Online is installed, a default administrator user account is created with the user name “Supervisor” and the password “admin”. For all new installations and upgrades to The Patron Edge Online 3.41 and higher, you will be required to change the default password of this user as described in the scenarios below.

For new installations of The Patron Edge Online 3.41 and higher, as well as any time you add a new database, you are required to change the user name and password for the default administrator user account created during the installation. After the installation process is complete and during the initial login, you will be prompted and required to change the user name and password for the default administrator user account. The new password must meet the password requirements as discussed in “Password Strength Requirements” on page 18. After the new user name and password are successfully added, you will be prompted to log in using the account.

For upgrades to The Patron Edge Online 3.41, you are required to change the password for the default supervisor account created during the installation. In addition, every user will be prompted and required to update their password to meet strong and complex requirements when they login after the upgrade. For information about changing a user account, see the “Configure System Users” section of the

Administration Guide.

Database Roles

By default, The Patron Edge Online uses the “PEOUser” account in SQL Server 2005 or SQL Server 2008

to log into the database. The “PEOUser” account needs the following roles on the Patron Edge Online

database: • db_ddladmin • db_datawriter • db_datareader

By default, the “PEOUser” account is denied access to the CustomizeSettings table, which is required to be PCI DSS compliant. However, if you use a different account to log into the Patron Edge Online database, you must manually deny access to the CustomizeSettings table for this user. To do this, run the following SQL script against the Patron Edge Online database and replace [username] with the appropriate account username:

Warning: For your organization to be PCI DSS compliant, you must configure and use unique user accounts the meet the PCI DSS standards. For more information about these standards, see “User Account Security and Configuration” on page 17. If in the past your organization used the default administrator account with the default password intact, you must ensure that it is no longer used or your organization will not be PCI DSS compliant.

Note: Prior to version 3.41 of the The Patron Edge Online, the default “PEOUser” account was assigned the db_owner role in addition to the roles listed above. However, starting with The Patron Edge Online 3.41, the db_owner role is no longer assigned to the “PEOUser” account in SQL Server 2005 or SQL Server 2008.

Warning: In order to be PCI DSS compliant, the SQL Server 2005 or SQL Server 2008 account that The Patron Edge Online uses to log into the database must deny access to the CustomizeSettings

(21)

₁₇

deny select, insert, update, delete, references, alter, control, take ownership, view definition on CustomizeSettings to [username]

For your organization to be PCI DSS compliant, the password strength requirements of your Windows

security policy must meet or exceed the PCI DSS requirements. To ensure that the password strength requirements for the “PEOUser” account are determined by your Windows security policy, you must mark Enforce password policy for this user on the Login Properties screen in SQL Server 2005 or SQL Server 2008. For more information about the password requirements, see the “Requirement 8: Assign a unique ID to each person with computer access” section of the PCI DSS standards document. For more information see, “PCI DSS Implementation in Your Organization” on page 1.

You can change the user name or password of the “PEOUser” account in SQL Server 2005 or SQL Server 2008, or use an entirely different account configured with the required roles and denied access to the

CustomizeSettings table in the Patron Edge Online database. However, after changes are made, you must run the PA DSS Management Utility that is installed on the Patron Edge machine to set the new user name and password information and establish the new connection string. This is necessary because the connection string used by The Patron Edge Online is stored in an encrypted form in the

Patron Edge Online database and is retrieved by the Key Service when needed.

After changes are made, restart all Patron Edge Online applications and verify that they are all working correctly with the new connection string. After the changes are confirmed and you have verified that all applications work correctly, you should access SQL Server 2005 or SQL Server 2008 and remove or disable the previous account that is no longer used. For more information about changing the default

SQL Server 2005 or SQL Server 2008 account used to log into your Patron Edge Online database, see “Change the Default SQL Server User Account for The Patron Edge Online” on page 31.

User Account Security and Configuration

In order to be PCI DSS compliant, you must securely control access to workstations, servers, and

databases that contain The Patron Edge Online applications and cardholder data. To establish, maintain, and control access, you must use unique user accounts with strong passwords and employ PCI DSS compliant secure authentication.

In The Patron Edge Online, an administrator can create the necessary unique user accounts needed for each person that accesses the application through the administration site. To be PCI DSS compliant, you should have a one to one relationship between users and user accounts. Each user accessing the system should have only one user account and each account should have a unique name. Each unique user account must be configured with only the permissions needed for their specific roles. This is required for the integrity of the audit trail. Do not setup a user account that is shared by multiple people. For

detailed information about setting up and configuring unique user accounts and permissions, see the “Set Up Administration Users” section of the Administration Site Guide.

In addition to setting up administration site users for The Patron Edge Online, there are customer accounts that are created from your public site. When a customer creates an account on your Patron Edge Online public site, they receive an email that contains a unique auto-generated password that meets PCI DSS requirements.

Note: The Key Service is used to retrieve the data from the Patron Edge Online database, including the Patron Edge Online database connection string. For more information about the Key Service, see “Key Service” on page 26.

(22)

The auto-generated passwords are created by combining the user’s first name with a set of randomly selected numeric and alphabetic characters. The customer uses this password to access their account on your public site. Once they login using their auto-generated password, they are prompted and required to change the password. The password they enter must meet the strength requirements discussed below.

Password Strength Requirements

All user and customer accounts in The Patron Edge Online 3.41 and higher must meet or exceed the following password strength requirements:

• The password cannot be the same as the user name. • The password must be at least seven characters in length.

• The password must contain both numeric and alphabetic characters.

Login Security

When The Patron Edge Online is installed, a default administrator user account is created with the user name “Supervisor” and the password “admin”.

When you access the Patron Edge Online administration site the first time, a Setup Wizard automatically runs. During the Setup Wizard process, you must change the default administrator user name and password. The new password must meet the password requirements as discussed in “Password Strength Requirements” on page 18.

For new installations of The Patron Edge Online 3.41 and higheryou are required to change the user name and password for the default administrator user account created during the installation. After the installation process is complete and during the initial login, you will be prompted and required to change the user name and password for the default administrator user account. The new password must meet the password requirements as discussed in “Password Strength Requirements” on page 18. After the new user name and password are successfully added, you will be prompted to log in using the account. For upgrades to The Patron Edge Online 3.41, you are required to change the password for the default supervisor account created during the installation. In addition, every administration site user will be prompted and required to update their password to meet complexity requirements when they log in after the upgrade. For information about changing a user account, see the "Security Tasks" section of the Administration Site Guide.

This is not the case for customers who have created accounts through your public site. If their existing account password meets complexity requirements, those users will not be prompted to change their passwords after an update.

Password Configuration Settings

Password configuration settings required to meet PCI DSS standards for enforcing login and password security measures in The Patron Edge are shared with The Patron Edge Online. This means that the password policies you establish in The Patron Edge are respected and applied to administration site users created through the administration site, as well as customer accounts created through your public site.

Note: By default, The Patron Edge Online will not allow a user to submit a new password that is the same as any of the last four passwords he or she has used.

(23)

₁₉

The Patron Edge provides the configuration settings required to meet PCI DSS standards for enforcing login and password security measures. To comply with PCI DSS, you must require administration site users to change passwords at least every 90 days and also lock out a user account after no more than six failed login attempts. You must also set the lockout duration to 30 minutes or until a system

administrator enables the user account. For information about additional password and lockout requirements for PCI DSS, see “User Account Management” on page 4.

The following settings are accessed on the Security tab of the Maintain Company screen table in

The Patron Edge and apply to Patron Edge users, as well as administration site users and customer accounts created in The Patron Edge Online. For information, see the “Configure Company Table Settings” chapter of the Administration Guide for The Patron Edge.

• Maximum password age - This setting ensures that all administration site users change their passwords at least every 90 days. The maximum number of days that can be entered in this field is “90”. This setting does not apply to customer accounts created from your Patron Edge Online public site.

• Min. Characters in Login Password - This setting ensures that passwords are at least seven characters. You can increase the number of required characters but the minimum allowed is seven.

• Password rotation - The minimum setting for Password rotation is “4”. This means that when a user changes their password, they cannot use a password that is the same as any of the last four passwords previously used.

• User’s login “lock-out” duration (minutes) - This setting determines the number of minutes that a user account is locked after they reach the limit for failed login attempts, which is a maximum of six attempts. The lockout duration is a minimum of 30 minutes or until an administrator manually unlocks the account.

The following setting is accessed on the General tab of the Maintain Company Table screen in The Patron Edge. For information, see the “Configure Company Table Settings” chapter of the Administration Guide.

• Number of Login Attempts - This setting controls the number of failed login attempts that result in a user account being locked. The maximum setting is “6”.

Workstation and Server Inactivity

All workstations or servers that contain The Patron Edge Online and access the administration site must be configured to automatically lock-out the current user after 15 minutes of inactivity. To access the machine again, the Windows user must be required to re-enter their user name and password. You can accomplish this be setting the screen saver on each Windows machine to require a password on resume. This is required for your organization to be PCI DSS compliant.

Warning: The value you enter for the Min. Characters in Login Password setting in The Patron Edge

must also be entered as the value for the Minimum Length site setting in the Password group in the administration site of The Patron Edge Online. If the value specified for the Minimum Length site setting is less than the value entered for the Min. Characters in Login Password setting in The Patron Edge, users will receive an error when attempting to log into their account through your public site.

Note: If a user is locked out of their account or their password is compromised, an administrator can access the user account record and reset the password to a new temporary password that meets the strong password requirements. Once the user attempts to log in, they will be prompted and required to change their password.

(24)

In addition, we recommend that you configure public site sessions to close after 10 minutes of inactivity. For more information, see “Close Session Group Site Settings” on page 21.

Password Group Site Settings

In addition to the password configuration settings in The Patron Edge that apply to administration site users and customer accounts created in The Patron Edge Online, there are a number of site settings in the administration site that apply specifically to The Patron Edge Online. These settings are collected together in the Password site settings group and are accessed through the administration site.

• Can reuse old password - The value of this setting is 0 and cannot be changed. This setting works in conjunction with the Password rotation company setting configured in the The Patron Edge. The minimum setting for Password rotation is “4”. This means that when a user changes their password, they cannot use a password that is the same as any of the last four passwords previously used. The setting you enter for Password rotation in The Patron Edge is enforced for administration site users and customer accounts in The Patron Edge Online.

• Display reset form link - This setting is used in conjunction with the “forgot password” process for customers who create user accounts from your public site.

• Mandatory literal characters - The value of this setting is 1 and cannot be changed. Passwords in

The Patron Edge Online must contain alphabetic characters. The term “literal” in the name of this setting refers to alphabetic characters.

• Mandatory numeric characters - The value of this setting is 1 and cannot be changed. Passwords in

The Patron Edge Online must contain numeric characters.

• Minimum length - The minimum length allowed for passwords created for administration site users and eCRM customers in the The Patron Edge Online is seven characters. The value you enter for this parameter must match the value entered for the Min. Characters in Login Password setting on the Security tab of the Maintain Company screen table in The Patron Edge. If this setting is not the same, users will receive an error when attempting to log into their account through your public site.

• Must not include login - The value of this setting is 1 and cannot be changed. This setting ensures that users cannot create passwords that contain their user name.

• Password replacement pattern - This setting works in conjunction with the Password replacement template parameter when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. Here, you can enter a regular expression used for generating the name portion of the password, based on the client’s first name.

For example, you can enter an expression that removes the space from a two-word first name when generating the name portion of the password. To do this, set the Password replacement pattern

value to \s to remove spaces from the client’s name. In this example, the name portion of the password generated for a customer name Jean Luc will be “JeanLuc”. The password will never include a client’s last name regardless of settings specified here.

• Password replacement template - This setting works in conjunction with the Password replacement pattern parameter when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. Here, you can enter a regular expression that indicates how to combine the name portion of the password with the random portion.

For example, set the Password replacement pattern value to ^\s*(\S+).*$ and the Password replacement template value to $1 to use only the first word of a client’s first name. In this example, the randomly generated password for a user with a two-word first name, like Jean Luc would be “Jean0547X6”. Note the randomly generated portion is a minimum of six characters. To require more than six characters, you adjust the Random length site setting.

(25)

₂₁

• Random characters - This setting is used when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. With this setting you can shape the characters selected for the random password portion by entering specific characters to be used. Enter the characters without delimiters. If you leave this parameter empty, the characters are selected randomly.

• Random length - This setting is used when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. The initial customer password is generated using a combination of the customer’s first name and a quantity of random digits. With this setting, you determine the quantity of random digits that are used by entering a number in the Value field. The minimum allowed value is 6.

• Reset token expiration - This setting is used in conjunction with the “forgot password” process for customers who create user accounts from your public site. When customers click the “Forgot

password?” link on your public site, they will receive an email that contains a link and a unique reset key. They will click the link and enter the reset key before they can reset their forgotten password. The

Reset token expiration setting determines the duration of time that the link and reset key are usable. The value is set in minutes and the default setting is 1440. Once the set number of minutes pass, the link and reset key will not work.

Close Session Group Site Settings

This site setting group contains a parameter you can use to define how long your Patron Edge Online

public website can be idle before a session is automatically closed.

• IdleBeforeClose - This site setting controls the amount of time a session remains open when a user has not accessed, requested, or refreshed a page. The amount of time you allow users to hold a session open is determined by the number of minutes you define in the Value field of this record. The default setting is 10 minutes. If no site activity is detected for the number of minutes entered, the session automatically closes. If a session ends and the user continues navigating your public site, they are returned to the default page. This session time differs from the IIS session time, but when it is over, the program eliminates all the user's IIS session parameters, including the basket content, client details, and UID value.

User Access Audit Capability/Audit Trail

The Patron Edge Online 3.41 and higher includes an audit log that tracks database activity and links activities to individual user accounts. This is true of for all Patron Edge Online system users, including those with administrative privileges. When The Patron Edge Online version 3.41 or higher is installed, the audit log is automatically turned on and monitors access to the Patron Edge Online database. To access the audit log and view the information tracked, you must access the

view_auditoperations database view in your Patron Edge Online database.

Each audit log entry contains user identification, type of event, date and time, success or failure

indicator, origination of event, and the name of the affected data, system component, or resource. The following activity is monitored and tracked by the audit log:

Login activity. All user login activity is tracked and will have an entry in the audit log. This activity includes logins, logouts, password changes, and all account locking and unlocking activity.

Note: In addition to the view_auditoperations database view in your Patron Edge Online

database, transaction activity originating in the Patron Edge Online is also audited and recorded in the view_auditoperations database view in your Patron Edge database.

(26)

Administration site activity. All add, edit, and delete actions in the Users, Areas, Events, Shows, Halls, Donations, Subscriptions, and Merchandise areas of the administration site are logged.

Credit card activity. All credit card activity is monitored and will have an entry in the audit log. Although monitored, no sensitive data is included in the log. For example, the primary account number (PAN) will never appear in the log as plain text. This is true for successful transactions and errors.

PCI DSS audit trail requirement 10.3 states that the audit trail/log entries must contain user

identification, type of event, date and time, success or failure indicator, origination of event, and the name of the affected data, system component, or resource. The following table shows how each requirements is tracked and displayed in the Patron Edge audit log.

In addition to the audit log that is tracked and viewable by accessing the view_auditoperations

database view, the The Patron Edge Online provides additional auditing to track application interactions with The Patron Edge, as well as all administration site and public site sessions.

Application interactions. All application interactions between the The Patron Edge Online and The Patron Edge are logged in the Transact database table and are viewable in the The Patron Edge Online database. Application interactions include retrieving show data from The Patron Edge and submit basket actions.

Administration and public site sessions. All administration site and public site sessions are logged in the Caller and Caller_Session database tables and are viewable in the The Patron Edge Online database. The data collected and logged includes browser details and pages viewed by session.

Payment Process Security

Versions 3.41 and higher of The Patron Edge Online and versions 3.4 and higher of the The Patron Edge

comply with PA DSS standards to securely handle credit card processes. Credit card information is encrypted before transactions are cleared. Once the transactions are cleared, every credit card number is truncated, except for the last four digits and no other credit card information is retained. For more information, see “Cardholder Data” on page 24.

No credit card information is stored in the Patron Edge Online database. Once online transactions are processed, the transaction data is stored securely in the Patron Edge database.

For The Patron Edge Online 3.41 and higher, the view_auditoperations database view provides the required audit trail/log information as specified in requirement 10.3. The fields displayed in the view_auditoperations database view map directly to the PCI DSS audit trail requirements as follows:

UserID = User identification ActionType = Type of event ActionDate = Date and time

ActionStatus = Success or failure indicator

OriginApplication and OriginModule = Origination of event

(27)

₂₃

VeriFone PCCharge

Payment processing in The Patron Edge Online can be handled by VeriFone PCCharge, which is a third party application. To be PCI DSS compliant you must install a PCI DSS compliant version of VeriFone PCCharge and it must be installed and configured according to the instructions provided in the PCI DSS implementation documentation from VeriFone. For more information, see the VeriFone PCCharge website here: http://www.verifone.com/card-acceptance/pccharge.aspx.

VeriFone PCCharge is installed and configured when The Patron Edge is implemented. For more information, see the Administration Guide for The Patron Edge.

Blackbaud Secure Payments

Payment processing in The Patron Edge and The Patron Edge Online can be handled by Blackbaud Secure Payments.

With Blackbaud Secure Payments (BBSP), you can enable clients to securely accept online credit card transactions from their website users and supporters. You can also accept donations and other transactions within The Patron Edge.

In The Patron Edge, each user workstation uses a customizable paymentclient.ini file that is unique to that workstation. You can edit the paymentclient.ini file to specify the default merchant account and currency to use, as well as the template to use when processing transactions within The Patron Edge. When you process credit card transactions, each workstation communicates directly with the Blackbaud Secure Payments servers to verify and authorize the credit card information. Unlike VeriFone’s

PCCharge where the program encrypts all sensitive data before clearing and stores it in the CC_Payment table within your Patron Edge database, Blackbaud Secure Payments does not store any data within your Patron Edge database.

For The Patron Edge Online, you specify a series of online payment configuration settings, such as the merchant account, currency, and template to use when processing online transactions. You specify these settings from within the The Patron Edge Online Administration site. When you process credit card transactions, the program communicates directly with the Blackbaud Secure Payments servers to verify and authorize the credit card information.

Unlike VeriFone’s PCCharge where the program encrypts all sensitive data before clearing and stores it in the CC_Payment table within your Patron Edge database, Blackbaud Secure Payments does not store any data within your Patron Edge database.

For more information, see the the Administration Guide for The Patron Edge.

Cardholder Data

No cardholder data is stored in The Patron Edge Online database. Once online transactions are

processed, the cardholder data is stored in the The Patron Edge database according to PA DSS standards. Versions 3.4 and higher of the The Patron Edge encrypt all sensitive data before clearing and store it in the CC_Payment table within the database. The following information is securely encrypted and saved in the database before transactions clear:

• credit card number • cvv2

(28)

• track2_details • issue_number

Once transactions clear, the only cardholder data retained in the database is the last four digits of the credit card number. The cvv2, magnetic_strip_data, track2_details, and issue_number fields are purged from the database after transactions clear.

Records

After a transaction is processed online through your Patron Edge Online public site, the payment information for the transaction can be viewed on the Transaction Details screen within The Patron Edge. If a credit card payment was applied to the transaction, a truncated credit card number is displayed on the Payment tab with only the last four digits visible.

In accordance with PCI DSS, your organization must develop and maintain a data retention and disposal policy. You must keep cardholder data storage to a minimum and limit the retention time to only the duration required for business, legal, and regulatory purposes. We recommend that you purge this data once it is no longer needed for business purposes.

Payment Application Data Security Standards Implementation Guide