PCI Security Tab

The PCI Security tab allows the Master User to set the overall parameters for how Employees log on to the database, the structure of their passwords, and the PCI compliance settings that govern how long credit card data is retained.

Employee Access Management

Logon Window Setting Offers the option to have Employees log in:
Minimum Length Sets the minimum length of logon passwords. For PCI compliance, the minimum length is 7 characters. (That is the PCI DSS v3.x figure, requirement 8.2.3; PCI DSS v4.0 raises the minimum to 12 characters, so set this higher if you are assessed against v4.0.)
Unique Passwords The number of unique passwords required by the system, which controls how many employees may share one password. If set to zero, passwords are not required to be unique. If set to 2, the same password may be shared by two employees; if set to 3, by three employees. PCI DSS does not permit shared passwords (each user must have their own credentials), so for a compliant configuration no two employees should be allowed the same password.
Days til Change Allowed The minimum number of days that a password must be used before it is allowed to be changed.
Days until Expiry The maximum number of days that a password may be used. For PCI compliance, this must not exceed 90 days.
Attempts til Lockout The number of incorrect logon attempts an employee may make before Theatre Manager locks the account; a locked account must be manually reinstated. PCI DSS v3.x requires lockout after not more than six invalid attempts (v4.0 allows up to ten), so keep this value at or below that limit.
IP addresses that can accept cards PCI documentation states that any machine that touches credit card information is within the scope of PCI compliance requirements. If you identify which machines process credit cards (such as the box office), other machines on the network that are used only for reporting, management, etc., can be taken out of scope for PCI compliance.

To do so, you can whitelist specific machines or subnets that will process cards by:

  • leaving the list blank to indicate that ALL machines process cards
  • entering one or more specific IP addresses (e.g. 192.168.0.10) to indicate specific machines that accept cards
  • entering one or more address ranges in CIDR format to indicate a subnet of machines. For example:
    • 10.10.1.0/24 means all machines on the 10.10.1.x subnet.
    • 10.100.0.0/16 means all machines on the 10.100.x.x subnet.
  • entering a combination of specific IP addresses and CIDR ranges
  • entering a single IP address that is not on your network, so that NO user workstation anywhere can accept credit cards
If a machine is whitelisted to allow entering credit cards, the credit card payment methods appear on the payment window as normal. On machines that are not part of the whitelist, the credit card payment methods are removed from the payment window and the user at that workstation cannot enter cards at all; they will need to go to another machine that is permitted to process a credit card payment.
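The following is an added example, not Theatre Manager code, showing how the whitelist rules above can be implemented and checked: a blank list allows every workstation, entries may be single addresses or CIDR ranges, and an address that is not on the venue's network allows nothing. The function names, the payment-method list and all addresses are constructed for the example; 192.0.2.1 is used as the "not on your network" address because 192.0.2.0/24 is reserved for documentation.

```python
"""Workstation allowlist check for card entry (added example, not Theatre Manager code)."""
import ipaddress


def parse_allowlist(entries):
    """Turn 'a.b.c.d' / 'a.b.c.0/24' strings into network objects.

    A bare address becomes a /32, i.e. exactly one host. Blank entries are
    ignored, so a completely blank setting yields an empty list. A range with
    host bits set (e.g. 10.10.1.5/24) raises ValueError instead of being
    silently widened, because a typo here changes which machines are in scope.
    """
    networks = []
    for raw in entries:
        raw = raw.strip()
        if raw:
            networks.append(ipaddress.ip_network(raw))
    return networks


def workstation_may_take_cards(workstation_ip, allowlist):
    """True if card payment methods should be offered on this workstation."""
    networks = parse_allowlist(allowlist)
    if not networks:
        return True  # blank list: ALL machines process cards
    addr = ipaddress.ip_address(workstation_ip)
    return any(addr in net for net in networks)


def payment_methods_for(workstation_ip, allowlist, all_methods):
    """Drop card payment methods from the payment window on out-of-scope workstations.

    Card methods are identified here by a constructed 'Card:' prefix.
    """
    if workstation_may_take_cards(workstation_ip, allowlist):
        return list(all_methods)
    return [m for m in all_methods if not m.startswith("Card:")]


# Constructed settings: two box office PCs plus the whole 10.10.1.x subnet.
BOX_OFFICE_ALLOWLIST = ["192.168.0.10", "192.168.0.11", "10.10.1.0/24"]
# Constructed 'no workstation may take cards' setting: an address that is not
# on the venue's network.
NOWHERE_ALLOWLIST = ["192.0.2.1"]
PAYMENT_METHODS = ["Cash", "Cheque", "Card:Visa", "Card:MasterCard"]

if __name__ == "__main__":
    for ip in ("192.168.0.10", "192.168.0.50", "10.10.1.77", "10.10.2.1"):
        print(ip, payment_methods_for(ip, BOX_OFFICE_ALLOWLIST, PAYMENT_METHODS))
```

Because `ipaddress.ip_network` is strict by default, an entry such as `10.10.1.5/24` is rejected rather than quietly treated as `10.10.1.0/24`; when reviewing a venue's setting, that is the kind of entry to look for, since a mistyped prefix length (`/8` for `/24`) would put far more machines in scope than intended.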
Clicking this button sets Theatre Manager to use all of the PCI standards for employee passwords and logons. Note: using this setting changes existing passwords so that they are fully PCI compliant and sets all parameters to the minimum compliance standards.

Patron Access Management

Patron Password Complexity You can set the required complexity of patron passwords in Theatre Manager at one of two levels:
  • Passwords must meet the minimum length only. This is the historical setting: it forces patron passwords to be at least as long as the employee PCI password minimum and enforces no other rules. Normally this is sufficient, and the web pages show a strength meter that tells the patron whether the password is good enough. This is the default because many people already use reasonably strong passwords (with minor variations) across sites that satisfy the length requirement but may lack a special character or some other element; requiring only length also helps avoid patron frustration.
  • Passwords used by patrons must meet the same PCI standards enforced on employees, which are:
    • At least one upper case character
    • At least one lower case character
    • At least one number
    • At least one special character
    • The minimum length set in your employee password settings
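As an added example (not Theatre Manager code), the two patron complexity levels above can be expressed as a single check that reports which rules a candidate password fails. The minimum length is taken from the employee setting, as the page describes; the definition of "special character" used here (any non-whitespace character that is not a letter or digit) is an assumption, since the page does not say which characters qualify.

```python
"""Patron password policy check at the two levels described on the page (added example)."""


def patron_password_problems(password, employee_min_length, pci_complexity):
    """Return the rules the password fails; an empty list means it is acceptable.

    pci_complexity=False is the historical 'length only' level.
    pci_complexity=True applies the employee PCI rules: upper, lower, number, special.
    """
    problems = []
    if len(password) < employee_min_length:
        problems.append(f"shorter than {employee_min_length} characters")
    if not pci_complexity:
        return problems
    checks = [
        ("no upper case letter", any(c.isupper() for c in password)),
        ("no lower case letter", any(c.islower() for c in password)),
        ("no number", any(c.isdigit() for c in password)),
        # Assumption: anything that is neither a letter, a digit nor whitespace
        # counts as special, so '&', '!' or a non-ASCII symbol all qualify.
        ("no special character", any(not c.isalnum() and not c.isspace() for c in password)),
    ]
    problems.extend(message for message, passed in checks if not passed)
    return problems


if __name__ == "__main__":
    # Constructed inputs: a 7-character employee minimum, as in the PCI setting above.
    for candidate in ("correcthorse", "Tr0ub4dor&3", "abc"):
        print(candidate, "length only:", patron_password_problems(candidate, 7, False))
        print(candidate, "PCI rules:  ", patron_password_problems(candidate, 7, True))
```

Note that `str.isupper()`, `str.islower()` and `str.isdigit()` are Unicode-aware, so a patron whose name or language uses non-ASCII letters is not penalised; if the venue's back end only accepts ASCII, add that restriction explicitly rather than relying on these checks.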

Credit Card Management

Theatre Manager can be configured for either SAQ C or SAQ D of the PCI Self-Assessment Questionnaire, referred to here as Schedule "C" and Schedule "D"; the choice is yours. You can define a retention period after which stored credit card information is 'shredded', as required by PCI DSS requirement 3.1 (keep cardholder data storage, and its retention time, to a minimum).

Note: Users find ways to type credit card numbers into note fields, and do so more often under Schedule 'C', because the credit card storage capability has been disabled.

You can use a feature in the Patron List window to search for and identify data attached to patrons that could be a clear-text credit card number. Storing a PAN in clear text that way is a violation of PCI DSS.

A shredded card is stored in the database as '#### **** **** ####', that is, only the first four and last four digits survive. This renders the PAN useless for any purpose. However, the first four and last four digits of a card are still enough to search for the patron.
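The following is an added example, not Theatre Manager's own Patron List search, showing how the two ideas above fit together: a scan of free-text note fields for clear-text card numbers, and the shredding of anything found into the '#### **** **** ####' form. A candidate is a run of 13 to 19 digits (spaces or dashes between groups allowed) that passes the Luhn check, which keeps ticket and order references from being flagged. The patron records are constructed; the card numbers in them are published test numbers, not real cards.

```python
"""Find clear-text PANs in note fields and shred them (added example, not Theatre Manager code)."""
import re

# 13-19 digits with optional single space/dash separators, not preceded or
# followed by further digits of the same run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if over 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_text_pans(text):
    """Return the Luhn-valid digit strings in the text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def shred(pan):
    """Keep only the first four and last four digits, as stored after shredding."""
    digits = re.sub(r"\D", "", pan)
    return f"{digits[:4]} **** **** {digits[-4:]}"


def scan_patron_notes(patrons):
    """Return (patron id, shredded PAN) for every card number found in a notes field."""
    return [(p["id"], shred(pan)) for p in patrons for pan in find_clear_text_pans(p["notes"])]


# Constructed patron records; 4111... and 5555... are published test card numbers.
PATRONS = [
    {"id": 101, "notes": "Asked us to keep 4111 1111 1111 1111 on file for the gala"},
    {"id": 102, "notes": "Order ref 123456789012345, refund approved"},
    {"id": 103, "notes": "Card 5555-5555-5555-4444 exp 12/25, do not store!"},
    {"id": 104, "notes": "Phone 555-0100"},
]

if __name__ == "__main__":
    for patron_id, masked in scan_patron_notes(PATRONS):
        print(f"patron {patron_id}: clear-text card found, would be stored as {masked}")
```

The 15-digit order reference on patron 102 is the case the Luhn check exists for: it has a plausible length but fails the checksum, so it is not reported, while the two genuine card layouts are. A real sweep should also write the shredded form back (or delete the note) rather than only reporting, since the clear-text PAN remains in scope until it is gone.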

Converting from Schedule D to Schedule C compliance shreds all cards currently in the database EXCEPT those set up for future post-dated payments. Since that business already exists, those few cards remain until the final post-dated payment is taken for the patron, at which point the card is shredded immediately. This prevents disruption of existing commitments to patrons.

Generally, if you want to take post-dated payments while retaining the minimum data in the database, use Schedule D with a one-day retention period.

Schedule C: Shred cards immediately after use With an online payment gateway and the Schedule "C" setting, cards are not stored in the database. The PAN is sent to the processor, which returns an authorization code and a token from the merchant provider. Those are stored in TM (not the card itself), and the merchant token is what is used for voids. The workstation that enters the card is still an in-scope PCI device, but the database is not.
Schedule D: Encrypted credit card data Schedule "D" compliance with about 120 days of retention is sufficient for most venues, especially if you are using post dated payments or may have to deal with refunds for cancelled events.
Retention Period The number of days credit card information is retained before it is shredded in a Schedule D environment. Normally 90 days will handle most business cases, and the recommended maximum is 365 days. If you set it to one day, all cards are shredded right away, except those that are saved for post-dated payments.
Generates a completely random 60-character key, unique to the venue, for use as part of the encryption key process, and re-encrypts all cards in the database with it.
Immediately shreds all credit cards that have been stored longer than the Retention Period noted above.
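As an added example (not Theatre Manager code), here is the retention rule from the three passages above as a single sweep: a card is shredded once it has been stored for the retention period, a card attached to a post-dated payment that has not yet been taken is kept regardless of age, and such a card is shredded as soon as its final post-dated payment is taken. The Schedule D to Schedule C conversion is the same rule with a zero-day retention. The record layout, identifiers and dates are constructed, and a post-dated payment dated today is assumed to have been taken already.

```python
"""Schedule D retention sweep with the post-dated payment exception (added example)."""
from datetime import date


def retention_expired(card, retention_days, today):
    """Decide whether one stored card should be shredded on the given day."""
    pending = [d for d in card["post_dated_payments"] if d > today]
    if pending:
        return False  # still needed for a future post-dated payment: keep it
    if card["post_dated_payments"]:
        return True  # final post-dated payment taken: shred immediately
    return (today - card["stored"]).days >= retention_days


def shred(pan):
    """Keep only the first four and last four digits of the PAN."""
    return f"{pan[:4]} **** **** {pan[-4:]}"


def run_retention_sweep(cards, retention_days, today):
    """Return copies of the card records with expired PANs replaced by the shredded form."""
    swept = []
    for card in cards:
        updated = dict(card)
        if not card["shredded"] and retention_expired(card, retention_days, today):
            updated["pan"] = shred(card["pan"])
            updated["shredded"] = True
        swept.append(updated)
    return swept


def shredded_ids(cards, retention_days, today):
    """Ids of the cards that are shredded after a sweep (convenience for checking)."""
    return [c["id"] for c in run_retention_sweep(cards, retention_days, today) if c["shredded"]]


# Constructed records. PANs are published test numbers, not real cards.
TODAY = date(2024, 6, 1)
CARDS = [
    # Stored well beyond 90 days, no post-dated payments: shredded by retention.
    {"id": "A", "pan": "4111111111111111", "stored": date(2024, 1, 15),
     "post_dated_payments": [], "shredded": False},
    # Stored a month ago, no post-dated payments: kept under 90-day retention.
    {"id": "B", "pan": "5555555555554444", "stored": date(2024, 5, 1),
     "post_dated_payments": [], "shredded": False},
    # A year old but two post-dated payments still to come: kept regardless of age.
    {"id": "C", "pan": "378282246310005", "stored": date(2023, 6, 1),
     "post_dated_payments": [date(2024, 7, 1), date(2024, 8, 1)], "shredded": False},
    # Two days old, but its only post-dated payment was taken yesterday: shredded now.
    {"id": "D", "pan": "6011111111111117", "stored": date(2024, 5, 30),
     "post_dated_payments": [date(2024, 5, 31)], "shredded": False},
]

if __name__ == "__main__":
    for days in (90, 1, 0):
        print(f"retention {days} day(s): shredded {shredded_ids(CARDS, days, TODAY)}")
```

With a 90-day retention the sweep shreds A and D and keeps B and C; with the one-day retention the page recommends for venues taking post-dated payments, B is shredded as well and only C survives, which is exactly the set a conversion to Schedule C would leave behind.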