QuickBooks Payment Card Industry Data Security Standard (PCI DSS) Implementation Guide


Introduction

The Payment Card Industry (PCI) Data Security Standard (DSS) defines a set of requirements for the configuration, operation, and security of payment card transactions in your business. If you use QuickBooks to store, process, or transmit payment card information, these standards and this guide apply to you. Failure to comply with these standards can result in significant fines should a security breach occur.[1]

Contents
- Overview of requirements
- PCI DSS requirements and QuickBooks
- QuickBooks and the PCI Data Security Standard
- Resources
- Appendix A: Encryption details
- Appendix B: Windows account security

Overview of requirements

The following table summarizes the PCI Data Security Standard, gives overview information about how QuickBooks facilitates compliance with the standard, and provides suggestions about what your business needs to do to be compliant. For details about each requirement, refer to the PCI Data Security Standard (PCI DSS) specification at [link].

QuickBooks facilitates PCI compliance, but you need to perform additional steps outside of QuickBooks in order for your business to be compliant with the security standard. Table 1 describes the PCI requirements, summarizes QuickBooks features that facilitate compliance, and contains a brief description of additional steps you need to perform to be compliant with these requirements. You can find additional information about each PCI requirement in the PCI DSS requirements and QuickBooks section following Table 1.

[1] For details, please consult [link].

Table 1: PCI requirements

PCI requirement 1) Install and maintain a firewall configuration to protect cardholder data.
  QuickBooks role in PCI compliance: QuickBooks is compatible with firewalls and security devices. QuickBooks has been tested with Symantec, McAfee, ZoneLabs, and Trend Micro firewall software. Refer to Figure 1 below for more information.
  What needs to be done: Configure the network to block random unauthorized traffic that might enter your network from the Internet. Review firewall configurations regularly. Consult your firewall vendor's web site for best practices consistent with your business needs.
  Where to find out more: QuickBooks Firewall Settings.

PCI requirement 2) Do not use vendor-supplied defaults for system passwords and other security parameters.
  QuickBooks role in PCI compliance: QuickBooks requires a complex password for the administrator account and for all other QuickBooks users.
  What needs to be done: In addition to QuickBooks passwords, you should set your own passwords on all network devices and for wireless networking. See [link] for more information about general security practices. For more detailed guidance, IT professionals may refer to [link], which includes specific guidance on Windows and networking configuration best practices.
  Where to find out more: QuickBooks Complex Password Requirements.

PCI requirement 3) Protect cardholder data.
  QuickBooks role in PCI compliance: QuickBooks encrypts credit card numbers within the data file to satisfy PCI security requirements. You will be required to perform periodic maintenance of passwords, which will update encryption keys as required by the PCI standard.
  What needs to be done: Follow the guidance in the section on Encryption in this document. Deploy wireless networks carefully. Protect wireless networking using WPA configuration rather than WEP. Prefer wireless network equipment that supports WPA encryption methods.
  Where to find out more: QuickBooks Complex Password Requirements.

PCI requirement 4) Encrypt transmission of cardholder data across open, public networks.
  QuickBooks role in PCI compliance: QuickBooks encrypts data sent over Internet connections when processing credit card payments.
  What needs to be done: Consult your vendor documentation for wireless security information. IT professionals may refer to [link] for detailed guidance on configuring wireless networking security.
  Where to find out more: Refer to the PCI Data Security Standard, sections 1.3.9, 2.1.1, and [section number missing], for precise details regarding wireless configurations.

PCI requirement 5) Use and regularly update antivirus software.
  QuickBooks role in PCI compliance: QuickBooks is compatible with antivirus, antispyware, and personal firewall products.
  What needs to be done: Use well-known and supported system security products on all your business computers.
  Where to find out more: For recommendations for antivirus and system security tools, refer to [link] or consult an IT professional.

PCI requirement 6) Develop and maintain secure systems and applications.
  QuickBooks role in PCI compliance: QuickBooks software is tested for security problems throughout development. Once installed, QuickBooks can be set up to regularly and automatically retrieve any necessary security updates.
  What needs to be done: Keep your systems up to date with software updates. Test updates on systems other than your production business systems first to be sure they will not affect your ongoing operation.
  Where to find out more: Microsoft Windows Update is available at windowsupdate.microsoft.com. Consult your software vendors' support sites for more information regarding updates and security alerts. IT professionals should refer to [link] for regular updates on security patches and alerts. See Update QuickBooks Automatically; you can also retrieve product updates manually and install them on offline computers using QuickBooks Product Updates.

PCI requirement 7) Restrict access to cardholder data by business need-to-know.
  QuickBooks role in PCI compliance: QuickBooks lets you restrict access to financially sensitive information. Based on access controls you set up for each QuickBooks user, you give your employees access to data on an as-needed basis.
  What needs to be done: Every QuickBooks user should log in to Windows under a regular user account and should not use administrator accounts.
  Where to find out more: For information about how to manage Windows user accounts, IT professionals should refer to Microsoft guidance on using the Group Policy Editor at support.microsoft.com/kb/ . See also QuickBooks permission to view credit card numbers.

PCI requirement 8) Assign a unique ID to each person with computer access.
  QuickBooks role in PCI compliance: When you set up QuickBooks users in your company, you assign them a unique user ID and password. Users with access to credit card numbers will need to change their passwords every 90 days.
  What needs to be done: Apply user account management on your computers as prescribed by the PCI security standards.
  Where to find out more: Refer to the PCI Security Standard for more information at [link]. See also QuickBooks permission to view credit card numbers.

PCI requirement 9) Restrict physical access to cardholder data.
  QuickBooks role in PCI compliance: QuickBooks supports isolating your data file on a physically secure server.
  What needs to be done: Keep QuickBooks data, backups, and reports in secure locations. When reports containing payment information are no longer needed, use a shredder to dispose of that information.
  Where to find out more: Refer to [link] for more information about physical security and other security topics. See also Install the QuickBooks Server.

PCI requirement 10) Track and monitor all access to network resources and cardholder data.
  QuickBooks role in PCI compliance: An audit log is prepared within QuickBooks for review.
  What needs to be done: Review the audit log within QuickBooks to detect possible instances of unauthorized access to cardholder data. Keep audit logs and backups for at least one year.
  Where to find out more: Use the QuickBooks Credit Card Audit Trail.

PCI requirement 11) Regularly test security systems and processes.
  What needs to be done: Follow the guidance in the PCI standard as appropriate for your business. Review your security settings and network configuration at least once each year.
  Where to find out more: Refer to the PCI Data Security Standard for detailed guidance on security assessments.

PCI requirement 12) Maintain a policy that addresses information security.
  QuickBooks role in PCI compliance: QuickBooks supports security policies by letting you control the level of user access and by providing audit logging.
  What needs to be done: Refer to [link] for more information about issues that should be addressed in your security practices. IT professionals may refer to [link] for more information about establishing and maintaining security policies.
  Where to find out more: Add QuickBooks users and give them access. Use the QuickBooks Credit Card Protection Security Log.

PCI DSS requirements and QuickBooks

This section details information about each PCI requirement.

1) Install network-based and PC-based firewalls

Using a firewall reduces the likelihood that uninvited persons will use the Internet to access systems on your network, by ensuring that your computers conduct only the traffic you allow. There are many different firewalls available to you, and they can be either software- or hardware-based (for example, many routers have built-in firewalls). On a typical network, there is a single point of connection to the Internet (such as the network server), and this is the critical point requiring a firewall.

2) Use complex passwords

The QuickBooks Administrator and any user who has permission to view payment card data must use complex passwords. These passwords must be changed every 90 days. QuickBooks checks that your passwords meet these PCI requirements:
- They're at least seven characters long.
- They contain numbers and letters.
- They're changed every 90 days.
- They do not match any of the last four passwords that you've used.

3) Protect cardholder data with encryption keys

QuickBooks updates encryption keys automatically when the administrator password is changed. To satisfy the PCI standard, the administrator password (and therefore the encryption keys) must be changed every 90 days.

Encryption keys are used to protect your customers' credit card numbers (see Appendix A for detailed information about QuickBooks encryption). These keys are protected from substitution or unauthorized access in the same way that access control to data is provided within QuickBooks. If a user has no access to your customers' credit card numbers, they will not have access to the keys to decrypt credit card numbers. Intuit recommends that you avoid assigning, or at least minimize the number of users given, access to View Complete Credit Card Numbers.

Encryption keys remain within your QuickBooks company file, together with the data they protect. The credit card numbers are protected using a combination of encryption keys that are guarded with each user's password and the administrator's password. Users cannot swap in alternative encryption keys or choose an encryption key to protect credit card information.

Card swipe data used to authorize card payments is not stored to disk within QuickBooks in any version (past or current). You are not required to manually delete this information as described in the PCI standard, or to take extra steps to remove this information, because QuickBooks never stores this data.

In order to comply with PCI Data Security Standard Requirement 3.1, you are required to define a credit card data retention period. After the retention period, you are required to purge credit card data. You can use the 'Clean Up Company Data...' option in QuickBooks to clean up any old transactions. When QuickBooks is open, go to the 'File' menu, navigate to 'Utilities' and choose 'Clean Up Company Data...'.

When you clean up your data file, QuickBooks deletes transactions that you no longer need, replacing them with new general journal transactions that summarize, by month, the deleted transactions. You can also choose to have QuickBooks clean up data by removing list items that you no longer need. An example of what happens during clean up follows: if an invoice has been paid in full, QuickBooks deletes the details and includes the amount in a summary transaction showing income accounts. Neither the customer name nor the items sold are retained. However, if an invoice is unpaid, QuickBooks leaves the invoice in your file so you can apply future payments to the invoice.

The ending date, specified for the period of time before which you want to remove transactions, has no effect on transactions dated after the ending date. For example, if your ending date is 12/31/07, all transactions dated 1/1/08 and later remain unchanged in your company file. Of the transactions dated on or before the ending date, QuickBooks deletes and summarizes only those that have no effect on transactions dated after the ending date.

This table gives examples of the situations that cause QuickBooks to retain transactions dated on or before the ending date:

Scenario: A transaction has an open balance.
  Cause: Unpaid or partially-paid invoices, undeposited customer payments, unpaid bills, unused credit memos.
Scenario: A transaction is linked to another transaction that has an open balance.
  Cause: An undeposited customer payment that you applied to an invoice. Even though the invoice is paid, QuickBooks retains the invoice because it has a link to an open transaction (the undeposited payment).
Scenario: A transaction is not marked as cleared.
  Cause: Unreconciled transactions in a checking or credit card account.
Scenario: A transaction is marked as "to be printed".
  Cause: Any invoice, credit memo, sales receipt, or check that has a checkmark in its "To be printed" checkbox.

QuickBooks creates summary general journal transactions for the transactions it deletes from your file. Except for transactions that affect the value of your inventory, you can spot the summary transactions by looking for GENJRNL in the Type field of your registers. There is usually one GENJRNL transaction for each month in which QuickBooks deleted transactions. The transaction amount is the total of the transactions that QuickBooks deleted for the month. For a given month, the register may also show other transactions that QuickBooks did not delete. These are transactions that could be affected by transactions you have yet to enter.

4) Build and maintain your network configuration carefully

Conceptually, your company network should be constructed something like the model in Figure 1 below. Consistent with careful business practices, the PCI standard requires that your network be protected from unauthorized traffic using a firewall, that your computers have antivirus software installed (and updated regularly), and that you obtain regular updates and patches from Microsoft (and others) to keep your systems up to date.

Figure 1: QuickBooks on a PCI-compliant network [figure not reproduced]

When you build your office network, your QuickBooks company file should be well protected within your network, behind a firewall, and should not be stored on systems such as Internet-facing Web servers or remote-access servers. If you allow remote access to your network, consider using applications that provide strong encryption, authentication, and access controls into your network. Products should be based on well-known Internet standard protocols such as SSLv3/TLS and SSH.

VNC: It is recommended that when accessing QuickBooks remotely for administrative access using VNC, users do it over an SSH or VPN connection. Users should also make use of vendor-provided encryption, if available, to secure the VNC session, including password authentication and data transfer.

Remote Desktop: It is recommended that users set up Remote Desktop to use the highest level of encryption available and also require a password to connect to QuickBooks remotely with administrative access. In addition to these steps, users should consult the documentation for the Remote Desktop application.

When using any remote access communication software to communicate with hosts on which QuickBooks is installed, configure these products to operate with two-factor authentication, so that another factor is used to authenticate the user connecting to the host in addition to password authentication.

The PCI Data Security Standard suggests you configure remote access software in the following ways:
- Don't use default passwords; passwords are not shared between users.
- Allow connections only from authorized hosts (filter by network addresses).
- Use configurations to require complex passwords.
- Encrypt all communications using SSLv3, TLS, or IPSec.
- Enable account lockout after repeated failed authentication attempts.
- Configure your network such that remote users must establish an encrypted connection (typically referred to as a Virtual Private Network or VPN connection) through a firewall before access is allowed.
- Enable logging to record when each user connects remotely.
- Restrict access to authorized employees only.
- Establish passwords according to the PCI standard (see requirement 8 of the PCI Data Security Standard).

When QuickBooks connects with online services to conduct payment transactions, it uses SSLv3-protected connections for PCI compliance.

Note: QuickBooks never automatically sends credit or debit card numbers through e-mail. If you deliver your company file to your accountant (using the Accountant's Copy feature, for example) by e-mail, card numbers are encrypted before being transmitted. Intuit recommends that before you create an Accountant's Copy, you secure your company file by setting a complex password that you share only with your accountant. The security of the encryption depends in part upon the password you choose. Refer to the guideline on setting complex passwords for your company file in the PCI DSS requirements and QuickBooks section above.

Build out wireless networking carefully. When you build out your wireless network, consult your networking vendor documentation and online resources carefully for optimal security configurations. Industry best practice is to avoid using WEP to encrypt traffic and to use the more secure WPA or WPA2 protocols instead. Refer to the PCI Data Security Standard requirements 1.3.9, 2.1.1, and [requirement number missing] for precise details regarding wireless configurations.

1. Wireless
If wireless is used or implemented in the payment environment or application, the wireless environment must be configured per PCI DSS version 1.2 requirements 1.2.3, 2.1.1, and [requirement number missing]. Wireless technology must be securely implemented, and transmissions of cardholder data over wireless networks must be secure.

2. PCI Requirements for Wireless Implementations
- Install and configure perimeter firewalls between wireless networks and systems that store credit card data, per PCI DSS version [reference missing].
- Modify default wireless settings, as follows, per PCI DSS 2.1.1:
  - Change default encryption keys upon installation and any time anyone with knowledge of the encryption keys leaves the company or changes positions.
  - Change the default service set identifier (SSID).
  - Change default passwords or passphrases on access points.
  - Change default SNMP community strings.

  - Enable WiFi Protected Access (WPA and WPA2) technology for encryption and authentication.
  - Update firmware on wireless access points to support strong encryption and authentication (WPA/WPA2).
  - Change other security-related wireless vendor defaults.
- For wireless networks transmitting cardholder data or connected to the cardholder data environment, implement industry best practices for strong encryption of data transmission and authentication (for example, IEEE 802.11i). All newly implemented wireless networks are prohibited from using WEP as of March 31st, 2009. For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

5) Install antivirus software and keep it up to date

Refer to PCI Data Security Standard requirement 5 for more information about using and updating antivirus software.

6) Develop and maintain secure systems and applications

QuickBooks updates can be retrieved automatically, or you can download and install them manually on systems that aren't connected to the Internet. See Update QuickBooks Automatically for information about automatic updates and QuickBooks Product Updates for information about manual updates. You should also apply Microsoft software updates to your systems to ensure they are protected against emerging threats. Find out more about Windows security and Windows Update services from Microsoft at [link]. It is recommended that users who use Microsoft Internet Explorer install Internet Explorer version 7 or above. More information about Internet Explorer can be found at [link].

7) Restrict access to cardholder data by business need-to-know

QuickBooks Pro, Premier, and Enterprise versions allow you to configure user access for several classes of information and capabilities. You can restrict access to Accounts Receivable, Accounts Payable, Payroll, Online Banking, and Critical Accounting capabilities, so that only the people you choose can perform the functions you want them to. These restrictions also apply to applications that use the QuickBooks SDK and run under each user's account. Intuit recommends that you avoid assigning, or at least minimize the number of users given, access to View Complete Credit Card Numbers. When someone leaves your company, delete their QuickBooks user account to protect the data to which they had access.

8) Assign a unique ID to each person with computer access

Each person should have a unique user name and password for Windows and for QuickBooks. While only the QuickBooks Administrator and any user with permission to view complete credit card numbers are required to have complex passwords, complex passwords should be set by all QuickBooks users.

9) Restrict access to cardholder data by business need to know

Anyone with physical access to your company file may be able to retrieve data from that file, even under the best encryption. For this reason, limit access to the company file to employees on a need-to-know basis.

For Windows: When creating a shared folder for a multi-user setup of QuickBooks in Windows, the following steps need to be followed:
1. Allow access to the shared folder only to those users who need to access the folder.
2. Require all users who have access to the shared folder to have their password set.
3. Do not allow guest access to the shared folder.
Please refer to your operating system manual on how to create a shared folder on your system.

For Linux: The directory on your Linux server where you store the QuickBooks company files must be configured as a Samba share so it can be mapped as a drive on your Windows client computers. Samba does not override limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies. Both the kernel and Samba must allow the user to perform an action on a file before that action can occur. Intuit recommends you do not use anonymous or guest-level access. The following procedure provides an example of how to create and configure a Samba share. For more detailed information about configuring a Samba share, refer to the Samba documentation.

To create a Samba share:
1. On the Linux server, become the root user.
2. In a terminal window, type the following command to create a Linux group (this is the group name that users of QuickBooks will belong to):
   groupadd -r groupname
   where groupname is the name of the group you want to create (for example, qbusers).
3. Add the following line to the /etc/group file to list the users that will be part of the group you created in step 2:
   groupname: user1, user2, user3
4. Type the following command to add each user you specified in step 3 that will be accessing QuickBooks company files stored on the share directory:
   useradd user
5. For each user you specified in step 4, type the following command to activate the Samba user account and set a password:
   smbpasswd -a user
6. Type the following command to give the users read/write/execute permissions on the share directory:
   chmod -R 775 /directory
7. Type the following command to change the group ownership of the share directory:

   chgrp -R groupname /directory
8. Edit the smb.conf file to include the following lines. By default, this file is located in /etc/samba.
   [share_name]
   path = /directory
   comment = samba share for company files
   valid users = user1 user2 user3
   public = no
   writable = yes
   printable = no
   create mask = 0765
   Replace share_name with the name you want to use for the share (this is the name that your Windows clients can see). Replace directory with the full path of the directory you want to configure as the Samba share (the directory you created on your Linux server to store the QuickBooks company files).
9. Type the following command to restart the Samba daemon:
   service smb restart

QuickBooks Enterprise Solutions users can now access QuickBooks company files that are located on the Linux server directly from their Windows client machines.

10) Review access to the data regularly

Examine the credit card audit trail prepared within QuickBooks daily (to avoid having to review too much data if it accumulates). The PCI standard requires that you review this information frequently. When you store credit card numbers in QuickBooks, QuickBooks automatically records information in the credit card audit trail to comply with the PCI standard. You do not need to turn this on manually.

11) Track and monitor all access to network resources and cardholder data

Review audit logs, system configurations, and system software patch levels to ensure that standard configurations are in place and that software is up to date with appropriate patches. Companies that perform high volumes of payment card transactions are held to higher standards for security. Consult the guidelines at [link] for more information.

12) Maintain a policy that addresses information security

Update these operating policies to ensure consistent business practices and protections for your customer information. Refer to [link] for more information about issues that should be addressed in your security practices.

QuickBooks and the PCI Data Security Standard

This section describes additional tasks in QuickBooks that facilitate compliance with the PCI Data Security Standard:
- Enabling credit card protection in QuickBooks
- Completing additional tasks required for compliance within QuickBooks
- Backing up your data file frequently
- Keeping your business running if disaster strikes
- What to do if Intuit requests your data
- If you share your QuickBooks data
- Upgrading from earlier versions of QuickBooks

Enabling customer credit card protection in QuickBooks

QuickBooks walks you through enabling protection and setting up complex passwords. To enable setup, go to the Company menu and click Customer Credit Card Protection.

Complete additional tasks required for compliance within QuickBooks

These additional tasks in QuickBooks are designed to help ensure compliance:
1. In the Customer Center, use only the Credit Card No. field on the Payment Info tab of a customer record to store your customer credit card data. Refer to PCI DSS requirement 3.3 for details.

2. Don't store sensitive authentication data such as card-validation codes (the 3-digit number near the signature panel), personal identification numbers (PINs), and magnetic stripe data. Refer to PCI DSS requirement 3.2 for details.
3. Limit access to credit card data for QuickBooks users by assigning or removing permission to view full customer credit card numbers. Refer to PCI DSS requirement [number missing] for details.
4. Set complex passwords for all users with access to view credit card data. Refer to PCI DSS requirement 8.5.

Disabling System Restore Points in Windows

In order to prevent storing clear-text cardholder data or sensitive authentication data, systems running Windows XP/Vista/7 and payment applications should have Windows System Restore Points disabled. This prevents a violation of PCI DSS requirement 3.2.

Windows XP
Instructions for disabling System Restore points in Windows XP are documented in a Microsoft Knowledge Base article accessible here: [link]. In short, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, navigate to the System Restore tab.
3. Check the Turn off System Restore checkbox.

Windows Vista
Instructions for disabling System Restore points in Windows Vista are documented in a Microsoft web page accessible here: [link].

In short, follow these steps:
1. Open System by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking System.
2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK.

Windows 7
Instructions for disabling System Restore points in Windows 7 are documented in a Microsoft web page accessible here: [link]. In short, follow these steps:
1. Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
2. In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Under Protection Settings, click the disk, and then click Configure.
4. Click Turn off system protection, click OK, and then click OK again.

Back up your company file frequently

Be sure to back up your company file frequently and to keep backups of the file in a safe location. Keep your backups in a fireproof safe or at a business records management facility.

Keep your business running if disaster strikes

Only trusted people in your company should perform administration of your QuickBooks company file and your system configuration. If you allow a temporary or limited-skill employee to install and set up QuickBooks, they may not be capable of supporting you in a critical data security situation. Plan for situations where your trusted technical advisor or accountant is unavailable. Remember that the QuickBooks Administrator account and password are critical to the operation and protection of your business, and you should handle this account with care.

To access the QuickBooks log file containing information on any invalid login attempts, follow these steps:
1. When QuickBooks is open, press F2 to open 'Product Information'.
2. Press F3 to open 'Tech Help'.
3. Navigate to the 'Open File' tab. Choose the QBWin.log file in the list of files and click 'Open File'.

If your data is requested by Intuit

There may be a time when it becomes necessary for you to submit data files to Intuit Technical Support for troubleshooting or data recovery. Intuit maintains a written policy governing how your data is collected, transmitted, stored, and used in a secure manner for support purposes. Highlights of this policy include:
- Intuit does not request magnetic stripe data, card validation codes or values, PINs, or PIN block numbers for any support purposes.
- Cardholder or authentication data is collected only with your express permission and only when needed to solve a specific issue.
- Collection is limited to the data needed to solve the specific problem.
- Data is encrypted and stored in a limited-access location while in use.
- Data is securely deleted immediately after use.
Intuit's use of the data is further governed by the Intuit Privacy Policy, which you can review at [link].

If you share your QuickBooks data with other parties (such as system integrators)

If you transmit or share your company file outside of QuickBooks, such as with an accountant or technical advisor, it is your responsibility to understand and follow the PCI DSS requirements for the security of such transmissions. You should never e-mail or transmit unencrypted cardholder data; this data should be transmitted only in an SSLv3-encrypted format. Before you share your data, we strongly recommend you familiarize yourself with the requirements outlined at [link] as well as the additional security resources included in Table 1.

Upgrading from previous QuickBooks versions

When you upgrade from a previous version of QuickBooks, the program makes a copy of the company file from your previous version and converts it for use with the current version. Once the upgrade to the current version is complete, the old version of the data file is deleted. However, remaining data files from previous versions and any backups of those files may contain cardholder data. QuickBooks 2007 and later versions have the capability to encrypt payment card numbers in the company data file. After you have successfully upgraded from QuickBooks 2007 (or later) to a later release and you change the QuickBooks Administrator's password, the encryption keys used in the prior version will be destroyed and replaced with new keys to comply with the PCI Data Security Standard.

Resources

Intuit does not endorse nor specifically recommend any of the products listed in the links below. Take into account factors unique to your business when reviewing security recommendations. No single product or security technique by itself will assure complete protection of your data. Combinations of the products and practices listed here will help to protect your QuickBooks data. Additional information may be obtained by using your favorite search engine to search for antivirus and firewall products.

Table 2: Security Web sites

A government-industry sponsored site to educate the public on computer security. Look for advice for small businesses under the Beginners Guides.
Consumer Reports has issued ratings on personal firewalls and antivirus software; search for firewalls and antivirus for more details.
This site is for IT professionals looking for best practices documents for system configuration.
This is a set of guidelines for home users issued by the Computer Emergency Response Team (CERT) and Carnegie Mellon University; look under Home Computer Security for more details.
Guidance from a cross-section of industry, government, and academic sources on security matters as they relate to small businesses. Refer to the sections on wireless networking and remote access for security advice.
Visa's information site for the Payment Card Industry DSS and related information.
The official site for the Payment Card Industry DSS.

Appendix A: Details about QuickBooks encryption

A) QuickBooks complies with PCI security standards that require cardholder information to be encrypted using standard algorithms and encryption key lengths. When you create the QuickBooks Administrator user and other user accounts, QuickBooks generates three pieces of information that are used to protect credit card information:

A Data Access Key: a 128-bit AES encryption key used to encrypt the credit card numbers.
A per-user Master Key: a 128-bit AES encryption key that QuickBooks generates for each user. The Master Key encrypts a copy of the Data Access Key and any other encryption keys that the user is permitted to use.
A Password-Derived Key: a 128-bit AES key that QuickBooks generates from a seed value and each user's password. The Password-Derived Key protects each user's copy of their Master Key.

QuickBooks creates these keys when the administrator user is set up and when the administrator creates additional user accounts. The administrator's Master Key is used to manage other users' Master Keys and each user's copy of the Data Access Keys they are permitted to use.

B) Permissions to use encryption keys should be properly controlled, according to the PCI standard. QuickBooks lets you assign access to encryption keys, which supports the PCI standard. When a QuickBooks Administrator creates a new account and assigns its permissions, QuickBooks determines access to encryption keys consistent with the account's permissions to the data. Keys never leave the company file and are never stored unencrypted. Data Access Keys are distributed to each user with permission to use them through QuickBooks permissions. Because any employee within your company can create a new customer and enter a new credit card number, each user is entitled to use the encryption key to protect your customers' credit card information. However, the permission to use the key for any other purpose (such as processing credit card transactions from stored information) is dictated by each employee's permissions for Accounts Receivable.

C) Data encryption keys must be stored in a secure manner to meet the PCI requirements and to properly protect your customers' credit card information. QuickBooks manages the storage of encryption keys in the company file automatically, and keys are always stored in encrypted form. The key management hierarchy described above is applied to protect the keys that encrypt each customer's credit card number. Each user with access to QuickBooks data has access to their own copy of the key used to protect cardholder information. The administrator determines which employees have access to the keys and what the nature of their access ought to be.

D) Key rotation is required in order to be compliant with the PCI standard. Key rotation is the practice of periodically replacing older keys with newer keys. In the event that an encryption key is disclosed, a new key is used to replace it. If the keys are changed at some frequency, there is less risk that someone will guess the value of a key at random and decrypt the data protected by that key. Whenever a user changes their password, their Password-Derived Key is replaced, and their Master Key is replaced. Whenever the administrator changes their password, the administrator's Master Key is automatically regenerated, and all administrator-accessible copies of each user's Master Key are replaced.

Note: The PCI standard requires that the QuickBooks Administrator change their password every 90 days. This means that the keys used to encrypt the cardholder data will be updated every 90 days.

E) When old keys are no longer used to protect data, the PCI standard dictates that these keys be destroyed. The intention is to avoid cases where a key might be recoverable and applied to an old copy of the company file (encrypted with the old key). QuickBooks handles this task automatically. When new data encryption keys are generated, the new keys overwrite, and therefore delete, the old keys and render them unrecoverable. Whenever a user account is deleted from the company file, their entry in the permissions table is removed. When someone leaves your company, delete their QuickBooks user account to protect the data to which they had access. Backup copies of company files must be deleted after a defined retention period to be in compliance with PA DSS. To securely delete the backup copies of company files, file shredders such as SDelete or other such utilities can be used. More information about SDelete can be found at

F) Within very large businesses with extensive business systems, a common implementation pattern is to apply dual control of keys. Under dual control, two (or more) people need to be present in order to unlock a key for use. Since the target market for QuickBooks is small businesses that may not have dedicated IT staff, no dual control of keys has been implemented.

G) QuickBooks prevents someone from substituting an unauthorized key for another (authorized) version of the key. QuickBooks also prevents someone from swapping rogue data in the company file with another piece of information. When keys and credit card data are encrypted and stored in the company file, information describing that data is also encrypted and stored. The data, and the data describing the data, are encrypted and stored as a single unit. When the data is decrypted, QuickBooks checks the decrypted data to be sure that only valid data is retrieved from the database. There are two problems this is intended to prevent. It prevents situations where a key for one user can be copied and placed into the row of a second user to grant the second user permissions to the key. The second problem this prevents is a situation where a user can place random data into their row for a given key, and then start garbling data in the database.
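The key hierarchy in sections A through G, modelled as an added example (this is not Intuit's code and does not describe how QuickBooks is implemented). Everything here is an assumption except the structure the guide states: a Password-Derived Key unlocks a per-user Master Key, the Master Key unlocks the user's copy of the Data Access Key, and the Data Access Key encrypts card numbers. The Python standard library has no AES, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for AES-128; PBKDF2 stands in for the unnamed key derivation; the administrator's management of other users' keys is reduced to the administrator re-provisioning a user's row from the Data Access Key. The class names, passwords and card number are constructed.

```python
r"""Added example (not Intuit's code): a model of the key hierarchy in Appendix A,
sections A through G. The standard library has no AES, so an HMAC-SHA256 keystream
with an encrypt-then-MAC tag stands in for AES-128. Modelled: the 128-bit keys, the
PDK -> Master Key -> Data Access Key -> card number chain, rotation on password change,
key destruction by overwrite, and the integrity check that ties each blob to its row."""
import hashlib, hmac, secrets

KEY_LEN = 16            # 128-bit keys, as the guide states
PBKDF2_ROUNDS = 50_000  # assumption: the guide names neither the KDF nor its cost


def derive_pdk(password: str, seed: bytes) -> bytes:
    """Password-Derived Key from a per-user seed and the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), seed, PBKDF2_ROUNDS, dklen=KEY_LEN)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for an AES mode)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Encrypt-then-MAC. `label` names the row the blob belongs to; it is
    authenticated but not stored, so the blob only opens in that row (section G)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, label + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes, label: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, label + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key, wrong row, or altered data")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))


class CompanyFile:
    """users[name] = {seed, wrapped_mk (under the PDK), wrapped_dak (under the MK)};
    cards[customer] = card number sealed under the Data Access Key (DAK).
    Simplification: the administrator manages other users' keys by unlocking the
    DAK through their own Master Key and re-provisioning a user's row from it."""

    def __init__(self, admin_password: str):
        self.users, self.cards = {}, {}
        self._provision("Admin", admin_password, secrets.token_bytes(KEY_LEN))

    def _provision(self, name: str, password: str, dak: bytes) -> None:
        seed, mk = secrets.token_bytes(16), secrets.token_bytes(KEY_LEN)
        # Replacing the row overwrites the previous wrapped keys (section E).
        self.users[name] = {
            "seed": seed,
            "wrapped_mk": seal(derive_pdk(password, seed), mk, b"mk:" + name.encode()),
            "wrapped_dak": seal(mk, dak, b"dak:" + name.encode()),
        }

    def _unlock_dak(self, name: str, password: str) -> bytes:
        row, tag = self.users[name], name.encode()
        mk = unseal(derive_pdk(password, row["seed"]), row["wrapped_mk"], b"mk:" + tag)
        return unseal(mk, row["wrapped_dak"], b"dak:" + tag)

    def add_user(self, admin_password: str, name: str, password: str) -> None:
        self._provision(name, password, self._unlock_dak("Admin", admin_password))

    def delete_user(self, name: str) -> None:
        del self.users[name]  # the row and the key copies in it are removed

    def change_password(self, name: str, old: str, new: str) -> None:
        """Section D: new seed, new PDK and new Master Key; old wrappers are overwritten."""
        self._provision(name, new, self._unlock_dak(name, old))

    def store_card(self, name: str, password: str, customer: str, pan: str) -> None:
        self.cards[customer] = seal(self._unlock_dak(name, password), pan.encode(), b"card:" + customer.encode())

    def read_card(self, name: str, password: str, customer: str) -> str:
        return unseal(self._unlock_dak(name, password), self.cards[customer], b"card:" + customer.encode()).decode()


def _rejected(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Provision, rotate, then attempt the two substitutions section G describes."""
    cf = CompanyFile("Adm1n-passw0rd")  # constructed sample passwords throughout
    cf.add_user("Adm1n-passw0rd", "clerk", "Cl3rk-pass!")
    cf.store_card("clerk", "Cl3rk-pass!", "cust-001", "4111111111111111")  # constructed test PAN
    old_wrapper = cf.users["clerk"]["wrapped_mk"]
    cf.change_password("clerk", "Cl3rk-pass!", "N3w-cl3rk-pass!")
    cf.change_password("Admin", "Adm1n-passw0rd", "N3w-adm1n-pass!")
    out = {
        "clerk_reads_after_rotation": cf.read_card("clerk", "N3w-cl3rk-pass!", "cust-001"),
        "admin_reads_after_rotation": cf.read_card("Admin", "N3w-adm1n-pass!", "cust-001"),
        "old_wrapper_destroyed": old_wrapper != cf.users["clerk"]["wrapped_mk"],
    }
    cf.add_user("N3w-adm1n-pass!", "temp", "T3mp-pass!")
    cf.users["temp"]["wrapped_dak"] = cf.users["clerk"]["wrapped_dak"]  # key copied into another row
    cf.cards["cust-002"] = cf.cards["cust-001"]                        # data moved to another row
    out["copied_key_rejected"] = _rejected(cf.read_card, "temp", "T3mp-pass!", "cust-001")
    out["moved_card_rejected"] = _rejected(cf.read_card, "clerk", "N3w-cl3rk-pass!", "cust-002")
    cf.delete_user("temp")
    out["deleted_user_gone"] = "temp" not in cf.users
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the module walks through the whole life cycle: both users still read the stored card after their passwords (and therefore their Password-Derived and Master Keys) are rotated, the clerk's old wrapped Master Key no longer exists in the file, a Data Access Key copy pasted into another user's row fails to open because it was sealed under that user's own Master Key, and a card blob moved to another customer's row fails because the row label is part of what the tag authenticates.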

Because there is validation of the key before it is used, some means of key integrity is assured.

H) What to do when you suspect that data has been compromised, or if you want to refresh all encryption keys within QuickBooks

If you suspect that your customers' data has been compromised through a specific QuickBooks user account, delete that user account. If certain customers' data is suspected of being compromised, consult the QuickBooks credit card audit log to examine the activity related to that customer's account. Based on the information obtained through these sources, you may:

1. Back up your QuickBooks data file. Keep the backup copy in a safe location.
2. Delete the QuickBooks user account through which data was compromised, or remove their access to credit card data. Deleting the user account retains information in the credit card audit logs, but may remove the name of the account associated with the activity in the data file. Removing or disabling the user's access to the data in the file retains the auditing information, but prevents the account from retrieving any data from the data file.
3. Change the password for the QuickBooks Administrator and all other QuickBooks user accounts. Changing the administrator and user passwords resets encryption keys. Resetting user passwords refreshes each user's keys as well.

Appendix B: Windows Account Security (Windows Screensaver, Password Security, and Account Lockout Settings)

In all recent versions of Windows, from Windows 2000 to Windows Vista, account policy settings have been available to mitigate risks associated with attacks on Windows authentication. In order to comply with the PCI Data Security Standard, you should configure your systems as described below. In addition to the points below, when you assign passwords to new Windows users, select the option to require the user to change their password at next login.
Accounts for employees that leave your company must be disabled immediately, and inactive accounts should be removed at least every 90 days. If you allow vendors or contractors to access your systems remotely, provide them with accounts (in compliance with these settings) only for the duration of time required for them to perform their services. You should communicate password and authentication security policies to all employees of your company that have access to cardholder information. When they select passwords for their accounts, they will need to choose their password carefully to meet the PCI security standards.

Before you implement these settings, be aware of the following considerations and situations where account policies may affect how you operate your business. Some points apply only to domain accounts; if your computers operate in a workgroup configuration, some points may not apply. Please read these points carefully and review your practices to head off problems.

1. Don't share Windows accounts. If the same domain account is logged in on more than one machine and one user changes the password, the other users who still hold the old password may lock out the account the next time they attempt to log in. Avoid using shared, group, or generic accounts in order to minimize the impact of account lockouts and improve accountability.

2. Avoid needing the Windows administrator to reset passwords. While this is sometimes unavoidable, when user passwords are reset by the Windows administrator, you may find that data protected using some Windows encryption facilities will not be recoverable. For example, under Windows EFS (Encrypting File System), any data encrypted for an account provisioned with the old password will be unrecoverable under the new password. Similarly, data encrypted with the Windows Data Protection APIs will also be unrecoverable after the administrator resets the user's password.

3. Be careful when configuring lockout on publicly accessible machines. For any system that is accessible by a large population of people in your company, be aware that an account placed in a lockout state on one machine is locked out on all other machines in your domain.

4. Periodically examine all user accounts on your system to determine their password age and lockout status. Microsoft has a number of tools available to assist you in securing your Windows systems. Among the tools you may find useful are:

i. LockoutStatus.exe: This executable shows a list of locked-out users, the last time they attempted to log in, the number of times they failed to log in, and the domain controllers that were referenced in authentication.
ii. ALockout.dll: This DLL is a logging component that will assist you in determining which application or service is using an incorrect password and causing an account to enter a lockout state. Lockout may occur when background processes use stale credentials; this tool may be helpful in those cases.

These and other tools are available in the ALTools.exe collection of tools to manage authentication in your Windows domain. The collection is available from Microsoft: Microsoft Account Lockout and Management Tools.

Setting your Windows password policies

Microsoft provides extensive information about password policies in their Account Lockout Best Practices document. See Microsoft Account Lockout Best Practices White Paper.

Figure 2: Password Policy settings

When you open the Group Policy Editor to set Windows password policies, you might see a screen something like that shown in Figure 2 (shown with default values). The PCI standard requires the following changes:

Enforce password history: 4 passwords remembered
Maximum password age: 90 days
Minimum password age: 0 days
Minimum password length: 7 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption: Disabled

Double-click each item shown in the panel to the right in Figure 2 and set the respective values described in the list.

These settings require that each of your employees select a password that is eight or more characters in length and complies with the following complexity rules:

Does not contain all or part of the user's account name.
Contains characters from three of the following four categories:
  English uppercase characters (A through Z).
  English lowercase characters (a through z).
  Base-10 digits (0 through 9).
  Non-alphanumeric characters (for example, !, $, #, %), extended ASCII, symbolic, or linguistic characters.

Setting account lockout policies

Microsoft provides extensive information about account lockout policies in their Account Lockout Best Practices document. See Microsoft Account Lockout Best Practices White Paper.

Figure 3: Account Lockout Policy settings

When you open the Group Policy Editor for Account Lockout, you might see a screen as shown in Figure 3 (shown with default settings). The PCI standard suggests the following changes:

Account lockout duration: 30 (minutes)
Account lockout threshold: 6 invalid login attempts
Reset account lockout counter after: 30 (minutes)

As in the Password Policy settings, double-click the entries in the panel to the right; for each entry, enter the values listed above.

Setting session idle time and screensaver options

Figure 4: Setting screen saver security options

To set session idle timeout behavior to be compliant with the PCI Data Security Standard, configure your screen saver to wait 15 minutes and then check the "On resume, password protect" option.
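A way to verify the Appendix B settings on a machine after they have been applied, as an added example (not Intuit's or Microsoft's code). It assumes the policy was exported with `secedit /export /cfg policy.inf` (whose [System Access] section uses the key names below; secedit writes -1 for "never expires" and "until an administrator unlocks it", and omits the lockout duration and reset keys when the threshold is 0) and that the screen saver values were exported with `reg export` from the current user's Control Panel\Desktop key. The two inputs embedded here are constructed samples with Windows default values, so the check runs offline and shows what a non-compliant result looks like; each check accepts the guide's value or a stricter one.

```python
r"""Added example (not Intuit's or Microsoft's code): check an exported Windows
security policy and screen saver settings against the values in Appendix B.
Inputs on a real machine: `secedit /export /cfg policy.inf` (UTF-16 text) and
`reg export "HKCU\Control Panel\Desktop" ss.reg`. The samples below are constructed."""
import re

# Appendix B values, keyed by the names secedit writes in [System Access].
# Assumption: key names and the -1 sentinels are secedit conventions, not from the guide.
POLICY_CHECKS = {
    "PasswordHistorySize":   ("Enforce password history (>= 4 remembered)",            lambda v: v >= 4),
    "MaximumPasswordAge":    ("Maximum password age (1..90 days)",                     lambda v: 1 <= v <= 90),  # -1 = never
    "MinimumPasswordAge":    ("Minimum password age (>= 0 days)",                      lambda v: v >= 0),
    "MinimumPasswordLength": ("Minimum password length (>= 7)",                        lambda v: v >= 7),
    "PasswordComplexity":    ("Password must meet complexity requirements (enabled)",  lambda v: v == 1),
    "ClearTextPassword":     ("Store password using reversible encryption (disabled)", lambda v: v == 0),
    "LockoutBadCount":       ("Account lockout threshold (1..6 attempts)",             lambda v: 1 <= v <= 6),   # 0 = off
    "LockoutDuration":       ("Account lockout duration (>= 30 minutes)",              lambda v: v == -1 or v >= 30),
    "ResetLockoutCount":     ("Reset lockout counter after (>= 30 minutes)",           lambda v: v >= 30),
}

SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""  # constructed: Windows defaults, lockout disabled

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"
"ScreenSaverIsSecure"="0"
"""  # constructed: 10-minute wait, no password on resume


def parse_system_access(inf_text: str) -> dict:
    """Return the integer settings of the [System Access] section."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = int(val.strip())
    return values


def check_policy(values: dict) -> list:
    """(description, actual or None, ok) for every required setting.
    A missing key fails: secedit omits LockoutDuration and ResetLockoutCount
    while the threshold is 0, and a threshold of 0 is itself non-compliant."""
    return [(desc, values.get(key), values.get(key) is not None and ok(values[key]))
            for key, (desc, ok) in POLICY_CHECKS.items()]


def parse_reg_strings(reg_text: str) -> dict:
    """Pull "Name"="value" string pairs out of a .reg export."""
    return {m.group(1): m.group(2) for m in re.finditer(r'^"([^"]+)"="([^"]*)"', reg_text, re.M)}


def check_screen_saver(values: dict) -> list:
    """Screen saver waits at most 15 minutes (900 s) and password-protects on resume."""
    timeout = int(values.get("ScreenSaveTimeOut") or 0)
    return [
        ("Screen saver active", values.get("ScreenSaveActive"), values.get("ScreenSaveActive") == "1"),
        ("Screen saver wait <= 15 minutes", timeout, 0 < timeout <= 900),
        ("On resume, password protect", values.get("ScreenSaverIsSecure"), values.get("ScreenSaverIsSecure") == "1"),
    ]


def failures(report: list) -> list:
    """Descriptions of the checks that did not pass."""
    return [desc for desc, _, ok in report if not ok]


if __name__ == "__main__":
    report = check_policy(parse_system_access(SAMPLE_INF)) + check_screen_saver(parse_reg_strings(SAMPLE_REG))
    for desc, actual, ok in report:
        print(f"{'PASS' if ok else 'FAIL'}  {desc}: {actual}")
```

To run it against a real export, read the secedit file with `encoding="utf-16"` and pass the text to `parse_system_access`; the sample above fails six of the nine policy checks and the password-on-resume check, which is what an unconfigured workstation looks like against the list in Figures 2 through 4.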


More information

DATA PROJECTOR XJ-A146/XJ-A246/XJ-A256

DATA PROJECTOR XJ-A146/XJ-A246/XJ-A256 DATA PROJECTOR XJ-A146/XJ-A246/XJ-A256 E Data Projector Wireless Function Guide Be sure to read the precautions in the Setup Guide that comes with the Data Projector. Be sure to keep all user documentation

More information

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry (PCI) Compliance. Management Guidelines Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that

More information

PA-DSS Implementation Guide

PA-DSS Implementation Guide Copyright August 2012, Tender Retail All rights reserved. - 2 - Table of Contents Table of Contents... 2 Introduction... 4 Scope and Target Audience... 4 Recommendations... 4 Payment Card Industry Data

More information

WINDOWS 7 & HOMEGROUP

WINDOWS 7 & HOMEGROUP WINDOWS 7 & HOMEGROUP SHARING WITH WINDOWS XP, WINDOWS VISTA & OTHER OPERATING SYSTEMS Abstract The purpose of this white paper is to explain how your computers that are running previous versions of Windows

More information

Windows 2003 Server Hardening Checklist

Windows 2003 Server Hardening Checklist 1 of 10 12/5/2013 12:33 PM Information Security Office > Securing Departmental Systems Support Topics for Users Securing Departmental Systems Report a Violation Risk Management Services Consensus Papers

More information

NETePay 5.0. FDMS Nashville. Installation & Configuration Guide. Part Number: 8660.54

NETePay 5.0. FDMS Nashville. Installation & Configuration Guide. Part Number: 8660.54 NETePay 5.0 Installation & Configuration Guide FDMS Nashville Part Number: 8660.54 NETePay Installation & Configuration Guide Copyright 2011 Datacap Systems Inc. All rights reserved. This manual and the

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

EVENT LOG MANAGEMENT...

EVENT LOG MANAGEMENT... Event Log Management EVENT LOG MANAGEMENT... 1 Overview... 1 Application Event Logs... 3 Security Event Logs... 3 System Event Logs... 3 Other Event Logs... 4 Windows Update Event Logs... 6 Syslog... 6

More information

enicq 5 System Administrator s Guide

enicq 5 System Administrator s Guide Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide

More information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment

More information

DATA PROJECTOR XJ-A135/XJ-A145/XJ-A235/ XJ-A245

DATA PROJECTOR XJ-A135/XJ-A145/XJ-A235/ XJ-A245 DATA PROJECTOR XJ-A135/XJ-A145/XJ-A235/ XJ-A245 E Data Projector Wireless Function Guide Be sure to read the precautions in the User s Guide (Basic Operations) that comes with the Data Projector. Be sure

More information

PCI implementation guide for L-POS

PCI implementation guide for L-POS Copyright 2008 Logivision Logivision has attempted to make this document accurate. Logivision is not responsible for any direct, incidental, or consequential damages resulting from this documentation or

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

VMware Horizon FLEX User Guide

VMware Horizon FLEX User Guide Horizon FLEX 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Using the Control Panel for Wireless Network Installation. WorkForce 600 Series Artisan 700 Series

Using the Control Panel for Wireless Network Installation. WorkForce 600 Series Artisan 700 Series Using the Control Panel for Wireless Network Installation WorkForce 600 Series Artisan 700 Series Before You Begin Make sure you installed ink cartridges and loaded paper in the printer as described on

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

PCI Implementation Guide

PCI Implementation Guide ProphetLine, Inc POS System PCI Implementation Guide What You Need to Know About PCI DSS & Credit Card Security ProphetLine, Inc. 2120 South Waldron Road Suite 128B Fort Smith, AR 72903 1-800-875-6592

More information

1 of 10 1/31/2014 4:08 PM

1 of 10 1/31/2014 4:08 PM 1 of 10 1/31/2014 4:08 PM copyright 2014 How to backup Microsoft SQL Server with Nordic Backup Pro Before creating a SQL backup set within Nordic Backup Pro it is first necessary to verify that the settings

More information

Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console server to server migration guide Product : 5.1 Document date: June 2012 Contents 1 About this guide...3 2 Terminology...4 3 Assumptions...5 4 Prerequisite...6 5 What are the key

More information

Introduction. Activating the CFR Module License. CFR Configuration

Introduction. Activating the CFR Module License. CFR Configuration Introduction Effective August 20, 1997, the United States Food and Drug Administration released its Code of Federal Regulations (CFR) Title 21 Part 11: Electronic Records; Electronic Signatures (21 CFR

More information

Remote Deposit Terms of Use and Procedures

Remote Deposit Terms of Use and Procedures Remote Deposit Terms of Use and Procedures Use of American National Bank Fox Cities (Bank) Remote Deposit service is subject to the following Terms of Use and Procedures. Bank reserves the right to update

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

Freshservice Discovery Probe User Guide

Freshservice Discovery Probe User Guide Freshservice Discovery Probe User Guide 1. What is Freshservice Discovery Probe? 1.1 What details does Probe fetch? 1.2 How does Probe fetch the information? 2. What are the minimum system requirements

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

General Standards for Payment Card Environments at Miami University

General Standards for Payment Card Environments at Miami University General Standards for Payment Card Environments at Miami University 1. Install and maintain a firewall configuration to protect cardholder data and its environment Cardholder databases, applications, servers,

More information

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4

More information

Chapter 3 Safeguarding Your Network

Chapter 3 Safeguarding Your Network Chapter 3 Safeguarding Your Network The RangeMax NEXT Wireless Router WNR834B provides highly effective security features which are covered in detail in this chapter. This chapter includes: Choosing Appropriate

More information

Setting up an MS SQL Server for IGSS

Setting up an MS SQL Server for IGSS Setting up an MS SQL Server for IGSS Table of Contents Table of Contents...1 Introduction... 2 The Microsoft SQL Server database...2 Setting up an MS SQL Server...3 Installing the MS SQL Server software...3

More information

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry

GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry GO!Enterprise MDM Version 4.11.x GO!Enterprise MDM for BlackBerry 1 Table of Contents GO!Enterprise MDM for

More information

NETWRIX FILE SERVER CHANGE REPORTER

NETWRIX FILE SERVER CHANGE REPORTER NETWRIX FILE SERVER CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 3.3 April/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

11 NETWORK SECURITY PROJECTS. Project 11.1. Understanding Key Concepts. Project 11.2. Using Auditing and Event Logs. Project 11.3

11 NETWORK SECURITY PROJECTS. Project 11.1. Understanding Key Concepts. Project 11.2. Using Auditing and Event Logs. Project 11.3 11 NETWORK SECURITY PROJECTS Project 11.1 Project 11.2 Project 11.3 Project 11.4 Project 11.5 Understanding Key Concepts Using Auditing and Event Logs Managing Account Lockout Policies Managing Password

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

Monsoon Commerce Implementation Guide. Monsoon Commerce Payment Module Version 1.0

Monsoon Commerce Implementation Guide. Monsoon Commerce Payment Module Version 1.0 Monsoon Commerce Payment Module Version 1.0 Table of Contents Revision history...3 Attribution...3 Introduction...1 What are PCI SSC and PCI DSS?...1 What is PA-DSS certification?...2 PCI compliance and

More information

Lenovo Online Data Backup User Guide Version 1.8.14

Lenovo Online Data Backup User Guide Version 1.8.14 Lenovo Online Data Backup User Guide Version 1.8.14 Contents Chapter 1: Installing Lenovo Online Data Backup...5 Downloading the Lenovo Online Data Backup Client...5 Installing the Lenovo Online Data

More information

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012 Sophos Disk Encryption License migration guide Product version: 5.61 Document date: June 2012 Contents 1 About this guide...3 2 Add encryption to an existing Sophos security solution...5 3 SDE/SGE 4.x

More information

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode EOS Step-by-Step Setup Guide Wireless File Transmitter FTP Mode Ad Hoc Setup Windows XP 2012 Canon U.S.A., Inc. All Rights Reserved. Reproduction in whole or in part without permission is prohibited. 1

More information

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

PADSS Implementation Guide

PADSS Implementation Guide PADSS Implementation Guide 9/25/2015 Blackbaud NetCommunity 4.0 PADSS Implementation US 2015 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by

More information

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.

More information