Payment Application Data Security Standards Implementation Guide

PADSS 2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without the prior written permission of Blackbaud, Inc. The information in this manual has been carefully checked and is believed to be accurate. Blackbaud, Inc., assumes no responsibility for any inaccuracies, errors, or omissions in this manual. In no event will Blackbaud, Inc., be liable for direct, indirect, special, incidental, or consequential damages resulting from any defect or omission in this manual, even if advised of the possibility of damages. In the interest of continuing product development, Blackbaud, Inc., reserves the right to make improvements in this manual and the products it describes at any time, without notice or obligation. All Blackbaud product names appearing herein are trademarks or registered trademarks of Blackbaud, Inc. All other products and company names mentioned herein are trademarks of their respective holder. PADSSImplementation-2012

Contents

Chapter 1: PCI DSS Implementation in Your Organization
  Payment Card Industry and Payment Application Data Security Standards
  Data Management
    Sensitive Authentication Data and Cardholder Data Retention
    Cardholder Data Encryption
    Encryption Key Management
  Network Security
    User Account Management
    Firewall Management
    Wireless Devices
    Remote Access
    Non-console Administrative Access
    Internet-Accessible Systems
  System Maintenance
  Network Maintenance

Chapter 2: PA DSS Implementation in The Patron Edge Online
  Patron Edge Online Payment Process Overview
  Installations and Upgrades
    Windows Account Requirement
    Database Master Key Requirement
    Key Service Configuration
    Single Key Service Environment
    Multiple Key Service Environment
    Key Service Updates
    Default Administrator Account
  Database Roles
  User Account Security and Configuration
    Password Strength Requirements
    Login Security
    Password Configuration Settings
    Workstation and Server Inactivity
    Password Group Site Settings
    Close Session Group Site Settings
  User Access
  Audit Capability/Audit Trail
  Payment Process Security
  VeriFone PCCharge
  Blackbaud Secure Payments
  Cardholder Data Records Encryption and PA DSS Management
  Key Service
    Change the Key Service Login Account
  Message Encryption
  Encryption Keys
    Rotate the PEO Database Master Key
    Rotate the Service Master Key
    Change the Default SQL Server User Account for The Patron Edge Online
  Sensitive Data and HTTPS
  Rollback and Uninstall

Index

Chapter 1: PCI DSS Implementation in Your Organization

Payment Card Industry and Payment Application Data Security Standards
Data Management
Network Security
System Maintenance
Network Maintenance

When you accept payment cards for donations or revenue, the security of the credit card information is very important. Used properly, Blackbaud programs can help you maintain this information in accordance with the Payment Card Industry Data Security Standard (PCI DSS). To help promote awareness of the security requirements for credit card and cardholder data, this chapter provides information about PCI DSS and how it impacts your organization. With the proper security of credit card information, you can protect your constituents and clients from inconvenience and financial and personal loss, and help protect your organization from additional expense. For information about PCI DSS, see Payment Card Industry and Payment Application Data Security Standards on page 1.

Note: This guide provides only an overview of PCI DSS requirements and recommended best practices to ensure compliance. For additional detail, visit to download the PCI DSS specification.

Payment Card Industry and Payment Application Data Security Standards

Developed by Visa, the Payment Application Data Security Standard (PA DSS) requires software companies such as Blackbaud to develop secure programs that enable users to comply with the PCI DSS. To learn more about PA DSS and download the specification, visit

Note: The PCI Security Standards Council includes American Express, Discover Financial Services, JCB International, Mastercard Worldwide, and Visa Inc. and was formed to help implement consistent data security measures on a global basis.

Developed by the Payment Card Industry (PCI) Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS) includes requirements for security management, policies, procedures, network architecture, software design, and other proactive measures. As an organization that collects payment card information, such as to process payments or donations, you must adhere to the PCI DSS and proactively protect this data. To learn more about PCI DSS and download the specification and its supporting documents, visit

Note: Depending on your organization and the number of payment card transactions you process, you may need to engage an external security assessment company to determine your level of compliance with PCI DSS and other security compliance programs. If you use an external assessor, we recommend you select one that is qualified and familiar with the latest requirements from the PCI Security Standards Council. To validate whether your organization is compliant with PCI DSS, we recommend you also visit and complete the PCI Security Standards Council Self-Assessment Questionnaire.

Data Management

Encryption is necessary to protect cardholder data. If a user circumvents security controls and gains access to encrypted data, the user cannot read or use the data without the proper cryptographic keys. To reduce the risk of malicious abuse, you must also consider other effective methods to protect stored data. For example, store cardholder data only when it is absolutely necessary, and do not send cardholder data in unencrypted e-mail messages.

Sensitive Authentication Data and Cardholder Data Retention

You should keep the storage of cardholder data to a minimum. To comply with PCI DSS, your organization must develop and maintain a data retention and disposal policy. Limit the cardholder data stored and the retention time to only that which is required for business, legal, and regulatory purposes. Purge all cardholder data that exceeds the retention period.

Do not retain sensitive authentication data, such as the full magnetic stripe, card validation code, or personal identification number (PIN) information, in your database. If you must retain sensitive authentication data, such as for troubleshooting purposes, you must follow these guidelines:

- Collect sensitive authentication data only when necessary to solve a specific problem.
- Store sensitive authentication data only in specific, known locations with limited access.
- Collect only the limited amount of data necessary to solve a specific problem.
- Encrypt sensitive authentication data while stored.
- Securely delete sensitive authentication data after use.

To ensure the complete and secure removal of cardholder data, you must securely erase temporary files that may contain sensitive authentication information and cardholder data.

Warning: To comply with PCI DSS, you must remove historical sensitive authentication data and cardholder data from your database. If you upgrade from a non-compliant version, or if your organization used attributes, notes, or free-text fields to store sensitive authentication information or cardholder data, you must search for and securely delete this data from your database to comply with PCI DSS.

If you use Microsoft Windows XP or Windows Vista, turn off System Restore on the System Properties screen. System Restore creates and uses restore points to track changes in Windows. These restore points may retain cardholder data. When you turn off System Restore, the operating system automatically removes existing restore points and stops the creation of new restore points.

To ensure the complete removal of data, install and run a secure delete tool such as Heidi Eraser. With a secure delete tool, you can safely erase temporary files that may contain sensitive authentication information or cardholder data. For information about how to install and run the secure delete tool, refer to the manufacturer's documentation.

Cardholder Data Encryption

To comply with PCI DSS, your organization must encrypt cardholder information during transmission over open public networks that malicious users could abuse to intercept, modify, and divert data during transit. These open public networks include the Internet, WiFi (IEEE x), the global system for mobile communication (GSM), and general packet radio service (GPRS). To safeguard sensitive authentication information and cardholder data during transmission, use strong cryptography and security protocols such as Secure Sockets Layer (SSL) version 3/Transport Layer Security (TLS) version 1.1 and Internet Protocol security (IPSec). Never send unencrypted cardholder data in an e-mail message.

Encryption Key Management

Do not retain any cryptographic key material, encryption keys, or cryptograms in your database, such as those used to compute or verify sensitive authentication information and cardholder data. Your organization may have used attributes or free-text fields to store this information. To comply with PCI DSS, you must not store cryptographic material in the program. If your organization used attributes, notes, or free-text fields to store cryptographic material, you must search for and securely delete this data from your database to comply with PCI DSS. The abuse of the program to store cryptographic material may leave you vulnerable to attack by malicious users. To ensure the complete removal of data, install and run a secure delete tool such as Heidi Eraser. For information about how to install and run the secure delete tool, refer to the manufacturer's documentation.

To comply with PCI DSS, your organization must fully document and implement key management processes and procedures for keys used to encrypt cardholder data. At a minimum, this documentation must include:

- How to generate strong encryption keys.
- How to secure the distribution and storage of encryption keys.
- How to periodically change encryption keys, as necessary for the program and at least annually.
- How to revoke and destroy old or invalid encryption keys.
- How to split the knowledge and establish dual control of encryption keys, so that multiple people with partial knowledge of the key are required to construct the complete key.
- How to prevent the unauthorized substitution of encryption keys.
- How to replace known or suspected compromised encryption keys.

Your organization must restrict access to encryption keys to the fewest number of custodians necessary and store keys securely in the fewest possible locations and forms. Custodians of encryption keys must sign a form to document their understanding and acceptance of their responsibilities as custodians of this data.

Network Security

With a secure network, you can protect your system and credit card information from internal and external malicious users. To secure your network, we recommend you utilize a firewall and configure wireless devices and remote access software.

User Account Management

To comply with PCI DSS, you must assign unique identification to each person who accesses networks, workstations, or servers that contain the program or cardholder data. Unique login credentials ensure that only authorized users can access and work with the critical data and systems included in your network. With unique login credentials, you can also trace actions on your network to specific users. These credentials must include a unique user name and a way to authenticate the user's identity, such as a complex password, a token key, or biometrics.

At a minimum, your organization must implement these guidelines to create network user accounts and manage user authentication and passwords. You must communicate password procedures and policies to all users who can access cardholder data.

- Use authorization forms to control the addition, deletion, and modification of user IDs.
- Verify the identity of users before you reset passwords.
- Immediately revoke account access for terminated users.
- Remove or disable inactive user accounts at least every 90 days.
- Enable user accounts for use by vendors for remote maintenance only when needed, and immediately deactivate them after use.
- Do not use group, shared, or generic user accounts and passwords.
- Require users to change their initial passwords immediately after the first use and subsequent passwords at least every 90 days.
- Require passwords with a minimum length of seven numeric and alphabetic characters.
- Require that new passwords not match one of the last four passwords used by the user.
- Lock out the user account after no more than six failed login attempts.
- Set the lockout duration to 30 minutes or until a system administrator enables the user account.
- Log out idle sessions after 15 minutes so users must enter the password to activate the workstation.

To log user authentication and requests, turn on database logging in Microsoft SQL Server.

Enable database logging in SQL Server

1. In Microsoft SQL Server Management Studio, connect to the instance of the database engine.
2. Under Object Explorer, right-click the server name and select Properties. The Server Properties page appears.
3. On the Security page, select Both failed and successful logins under Login auditing and click OK.
4. Stop and restart the SQL Server service for the database.
5. To view the log of failed and successful logins, access the Security log in the Event Viewer.
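The password, lockout and idle-session limits listed above, implemented as a small account-policy module. This is an added example and not code from the guide or from The Patron Edge; the Account type, the function names and the use of plain SHA-256 as a stand-in password hash are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
	"unicode"
)

// Limits taken from the User Account Management guidelines above.
const (
	MinPasswordLen  = 7
	PasswordHistory = 4
	MaxFailedLogins = 6
	LockoutDuration = 30 * time.Minute
	PasswordMaxAge  = 90 * 24 * time.Hour
	IdleTimeout     = 15 * time.Minute
)

// Account holds the state the policy checks need. Plain SHA-256 keeps the
// example self-contained; a real system stores a salted, slow password hash.
type Account struct {
	History     [][32]byte // most recent first, at most PasswordHistory entries
	PasswordSet time.Time
	Failed      int
	LockedUntil time.Time
	LastActive  time.Time
}

func hashPassword(p string) [32]byte { return sha256.Sum256([]byte(p)) }

// CheckPasswordPolicy enforces the minimum length, the mixed alphabetic and
// numeric content, and the rule against reusing any of the last four passwords.
func CheckPasswordPolicy(acct *Account, candidate string) error {
	if len([]rune(candidate)) < MinPasswordLen {
		return errors.New("password shorter than seven characters")
	}
	var hasLetter, hasDigit bool
	for _, r := range candidate {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if !hasLetter || !hasDigit {
		return errors.New("password must contain both letters and digits")
	}
	h := hashPassword(candidate)
	for _, old := range acct.History {
		if subtle.ConstantTimeCompare(h[:], old[:]) == 1 {
			return errors.New("password matches one of the last four passwords")
		}
	}
	return nil
}

// SetPassword applies the policy, records the new hash and trims the history.
func SetPassword(acct *Account, candidate string, now time.Time) error {
	if err := CheckPasswordPolicy(acct, candidate); err != nil {
		return err
	}
	acct.History = append([][32]byte{hashPassword(candidate)}, acct.History...)
	if len(acct.History) > PasswordHistory {
		acct.History = acct.History[:PasswordHistory]
	}
	acct.PasswordSet = now
	return nil
}

// Login applies the lockout and password-age rules and returns nil on success.
func Login(acct *Account, attempt string, now time.Time) error {
	if now.Before(acct.LockedUntil) {
		return errors.New("account locked: wait 30 minutes or ask an administrator")
	}
	if len(acct.History) == 0 {
		return errors.New("no password set")
	}
	h := hashPassword(attempt)
	if subtle.ConstantTimeCompare(h[:], acct.History[0][:]) != 1 {
		acct.Failed++
		if acct.Failed >= MaxFailedLogins {
			acct.LockedUntil = now.Add(LockoutDuration)
			acct.Failed = 0
		}
		return errors.New("invalid credentials")
	}
	acct.Failed = 0
	if now.Sub(acct.PasswordSet) > PasswordMaxAge {
		return errors.New("password older than 90 days: change required")
	}
	acct.LastActive = now
	return nil
}

// SessionExpired reports whether an idle session must re-authenticate.
func SessionExpired(acct *Account, now time.Time) bool {
	return now.Sub(acct.LastActive) > IdleTimeout
}
```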

For information about how to enable SQL Server to write to the Security log, see

Firewall Management

If you use software to process payments, we recommend you verify that the workstation's link to the Internet is secure. If you transfer transactions online, ensure your Internet hardware, such as the modem or DSL router, provides a built-in firewall. You must restrict connections between publicly accessible servers and any system component that stores cardholder data, including connections from wireless networks. To comply with PCI DSS, the firewall configuration must:

- Restrict inbound Internet traffic to Internet Protocol (IP) addresses within the DMZ.
- Not allow internal addresses to pass from the Internet into the DMZ.
- Implement inspection or dynamic packet filtering to allow only established connections into the network.
- Place the payment processing program and the database that contains the cardholder data in an internal network zone segregated from the DMZ.
- Restrict inbound and outbound traffic to only that which is necessary for the cardholder data environment, and deny all other traffic that is not specifically allowed.
- Secure and synchronize router configuration files, such as running and start-up configuration files.

Your organization must also install perimeter firewalls between any wireless networks and the cardholder data environment and configure these firewalls to deny or control any traffic from the wireless environment. To comply with PCI DSS, your organization must configure all mobile and employee-owned computers with direct connectivity to the Internet, such as laptop computers, used to access the network with an installation of personal firewall software.

Wireless Devices

If you use wireless devices to store or transmit payment transaction information, you must configure these devices to ensure network security in compliance with PCI DSS.

- Install perimeter firewalls between any wireless networks and systems that store cardholder data. These firewalls must deny or control any traffic necessary for business purposes from the wireless environment to the cardholder data environment.
- Implement strong encryption, such as the Advanced Encryption Standard (AES), on all wireless networks.
- At installation, change encryption keys from the default. After installation, change encryption keys when anyone with knowledge of the keys leaves the organization or changes position within the organization.
- Do not use the vendor-supplied defaults for the wireless environment. Change the default passwords or pass phrases on access points and simple network management protocol (SNMP) community strings on wireless devices. Change the default service set identifier (SSID) and disable SSID broadcasts when applicable.
- Update the firmware on wireless devices to support strong encryption, such as WiFi protected access (WPA or WPA2) technology, Internet Protocol security virtual private network (IPSec VPN), or Secure Sockets Layer (SSL)/Transport Layer Security (TLS), for authentication and transmission over wireless networks.

- Use industry best practices to implement strong encryption for the transmission of cardholder data and sensitive authentication data over the wireless network in the cardholder data environment.

Warning: It is prohibited to use Wired Equivalent Privacy (WEP) for payment applications as of June 30, We strongly recommend you use WPA2 technology to secure wireless implementations.

To comply with PCI DSS, your organization must configure all mobile and employee-owned computers with direct connectivity to the Internet, such as laptop computers, used to access the network with an installation of personal firewall software. The firewalls must be active and configured to a specific standard that users cannot alter.

Remote Access

If your organization enables remote access to the network for use by employees, administrators, and vendors, you must implement two-factor authentication for logins. Two-factor authentication requires the unique login credentials and an additional authentication item such as a token or individual certificate. Use technology such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens, or VPN (based on SSL/TLS or IPSec) with individual certificates.

To comply with PCI DSS, your organization must configure the remote access software to ensure network security.

- Do not use the vendor-supplied defaults, such as passwords, for the remote access software.
- Establish unique login credentials and complex passwords for remote access users in accordance with PCI DSS requirements 8.1, 8.3, and . For more information, see User Account Management on page 4.
- Allow connections from only specific known IP and MAC addresses.
- Enable encrypted data transmission in accordance with PCI DSS 4.1.
- Lock out the remote access user account after no more than six failed login attempts.
- Require remote access users to establish a VPN connection through a firewall before they connect to the network.
- Enable the logging function.
- Establish complex passwords for customers in accordance with PCI DSS requirements 8.1, 8.2, 8.4, and 8.5.
- Restrict access to customer passwords to authorized third-party personnel.
- To verify the identities of remote access users, require two-factor authentication (T-FA) such as both a user login and a password.

If your organization enables remote access for use by vendors, it should be enabled only when needed and immediately deactivated after use.

Non-console Administrative Access

To comply with PCI DSS, your organization must encrypt all non-console administrative access. For web-based management and other non-console administrative access, use technologies such as Secure Shell (SSH), VPN, or SSL/TLS.

Internet-Accessible Systems

Do not store cardholder data on Internet-accessible systems. For example, do not house the database server on the same server as the web server.

System Maintenance

Once you secure your system, you must keep your equipment current. Malicious users can use security vulnerabilities to access your system. Both hardware and software manufacturers occasionally issue updates to products, such as to remedy these vulnerabilities and help prevent such attacks. We recommend you ensure you have the most recently released patches installed. For example, you can frequently review the manufacturers' websites, newsletters, and online forums to check for the current patches.

Occasionally, a manufacturer may stop support of a product. In this case, we recommend you determine whether your organization should continue to use an unsupported product. Also, a manufacturer may inform you of a flaw or defect in a product that may make your organization vulnerable to attack. We recommend you pay attention to these alerts and update your system accordingly. To further reduce vulnerability, we recommend you also deploy anti-virus software on your systems and ensure it is current, actively running, and able to generate assessment logs.

Network Maintenance

Once you secure your system, you must monitor and track access to the network and your credit card information, such as with logging mechanisms. The lack of activity logs can make the determination of the cause of an attack very difficult. Logs help you track and analyze network activity when something goes wrong. To further reduce vulnerability, we recommend you also frequently test your network to verify its security continues to be maintained, regardless of age or changes in software.

To comply with PCI DSS, you must implement automated audit trails for all system components to track these events:

- All individual users who access cardholder data.
- All actions performed by users with root or administrative privileges.
- All access of the audit trails.
- All invalid logical access attempts.
- All use of identification and authentication mechanisms.
- The initialization of the audit logs.
- The creation and deletion of system-level objects.

For each event, your organization must also record these audit trail entries for all system components:

- The user who initiates the event.
- The type of event.
- The date and time of the event.
- Whether the event succeeded or failed.
- The origination of the event.
- The data, system component, or resource the event affected.
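To show how SQL Server login auditing (see Enable database logging in SQL Server above) feeds the audit trail entries required here, an added example that is not part of the guide: it parses constructed sample lines, written in the style of the SQL Server error log, into the six required audit fields, validates them, and counts failed logins per user and client. The line format, the AuditEntry type and the instance name are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// AuditEntry carries the fields PCI DSS requires for every audit trail event,
// as listed above: who, what, when, outcome, origin and affected resource.
type AuditEntry struct {
	User      string
	EventType string
	Time      time.Time
	Success   bool
	Origin    string // client address the request came from
	Resource  string // the SQL Server instance the login targeted
}

// SampleLog is constructed for this example, in the style of SQL Server error
// log lines after login auditing is set to both failed and successful logins.
const SampleLog = `2012-06-01 09:14:02.51 Logon       Login succeeded for user 'TIX\peo_keysvc'. Connection made using Windows authentication. [CLIENT: <local machine>]
2012-06-01 09:15:10.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2012-06-01 09:15:12.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2012-06-01 09:15:15.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2012-06-01 09:20:00.00 spid12s     SQL Server is starting at normal priority base (=7).`

var loginLine = regexp.MustCompile(
	`^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login (succeeded|failed) for user '([^']+)'.*\[CLIENT: ([^\]]+)\]`)

// ParseLoginLine turns one error-log line into an AuditEntry, or reports that
// the line is not a login event. instance names the affected resource.
func ParseLoginLine(line, instance string) (AuditEntry, error) {
	m := loginLine.FindStringSubmatch(line)
	if m == nil {
		return AuditEntry{}, errors.New("not a login audit line")
	}
	ts, err := time.Parse("2006-01-02 15:04:05", m[1])
	if err != nil {
		return AuditEntry{}, err
	}
	return AuditEntry{
		User:      m[3],
		EventType: "login",
		Time:      ts,
		Success:   m[2] == "succeeded",
		Origin:    m[4],
		Resource:  instance,
	}, nil
}

// Validate reports the first required audit field that is missing.
func (e AuditEntry) Validate() error {
	switch {
	case e.User == "":
		return errors.New("missing user")
	case e.EventType == "":
		return errors.New("missing event type")
	case e.Time.IsZero():
		return errors.New("missing date and time")
	case e.Origin == "":
		return errors.New("missing origination")
	case e.Resource == "":
		return errors.New("missing affected resource")
	}
	return nil
}

// FailedLoginsByOrigin parses a log, keeps the login events, and counts failed
// logins per user@client pair, the signal the six-attempt lockout rule acts on.
func FailedLoginsByOrigin(log, instance string) (map[string]int, []AuditEntry) {
	counts := map[string]int{}
	var entries []AuditEntry
	for _, line := range strings.Split(log, "\n") {
		e, err := ParseLoginLine(line, instance)
		if err != nil {
			continue // lines that are not login events are skipped
		}
		entries = append(entries, e)
		if !e.Success {
			counts[fmt.Sprintf("%s@%s", e.User, e.Origin)]++
		}
	}
	return counts, entries
}
```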

Chapter 2: PA DSS Implementation in The Patron Edge Online

Patron Edge Online Payment Process Overview
Installations and Upgrades
Database Roles
User Account Security and Configuration
User Access
Audit Capability/Audit Trail
Payment Process Security
VeriFone PCCharge
Blackbaud Secure Payments
Cardholder Data Encryption and PA DSS Management
Key Service
Message Encryption
Encryption Keys
Sensitive Data and HTTPS
Rollback and Uninstall

Versions 3.41 and higher of The Patron Edge Online provide enhancements to help you secure your data and comply with PCI DSS. We strongly recommend you update your software to the latest version.

Warning: To use version 3.41 and higher of The Patron Edge Online, you must be on version 3.4 or higher of The Patron Edge. To use The Patron Edge Online 3.41 and higher and The Patron Edge 3.4 and higher, you must have Microsoft SQL Server 2005 Standard/Enterprise Edition Service Pack 2 or higher or Microsoft SQL Server 2008 Standard/Enterprise Edition installed. Go to support.blackbaud.com to review current system requirements.

Patron Edge Online Payment Process Overview

In The Patron Edge Online, you can securely process payment requests using more than one method. One option is to use a process facilitated by the Blackbaud Payment Component group. In The Patron Edge Online, when a customer makes a purchase from your public site using a credit card, they enter the typical transaction information, including their credit card number. During this process, a payment request is sent to a payment processing vendor to determine if the purchase is approved or declined. The result is then sent back to The Patron Edge Online. This process is facilitated by the Blackbaud Payment Component group, which consists of executables and other entities that work together to securely process payment requests.

The Blackbaud Payment Components are installed and configured during the initial implementation of The Patron Edge and The Patron Edge Online.

The Patron Edge Application Group for The Patron Edge Online. The Patron Edge Application Group for The Patron Edge Online includes a number of applications that work together to process transactions generated through The Patron Edge Online. When a purchase is made through your public site, an encrypted XML message containing the transaction information is sent from the web server over TCP and is received by this group of applications. After receiving the message, these applications decrypt it for processing and then encrypt the credit card information before sending the payment request to The Patron Edge database.

TIX_PSC. TIX_PSC checks the database table for payment requests on a designated interval. When the program recognizes a request, TIX_PSC invokes the Blackbaud Payment Server.

Blackbaud Payment Server. The Blackbaud Payment Server is notified of a credit card payment request by TIX_PSC. This server then sends the request to the corresponding Payment Processor and receives the results. You configure the Payment Server by adding or editing values in the Payment.ini file.

Payment Processor. The Payment Processor is a plug-in that performs the credit card authorization through a specific payment processing vendor, such as VeriFone PCCharge. It then returns the results to the Blackbaud Payment Server.

CC_Payment Table. The program encrypts all sensitive data before clearing and stores it in the CC_Payment table within your Patron Edge database. Once transactions clear, only the last four digits of the credit card number are stored in the database. All other cardholder data is purged from the CC_Payment table after a transaction clears. No credit card information is stored in your Patron Edge Online database.

Alternatively, you can choose to use Blackbaud Secure Payments (BBSP) to securely process payment requests. With Blackbaud Secure Payments, you can enable clients to securely accept online credit card transactions from their website users and supporters. You can also accept transactions within The Patron Edge. With Blackbaud Secure Payments, the program does not encrypt sensitive data and store it in the CC_Payment table within your Patron Edge database; Blackbaud Secure Payments does not store any data within your Patron Edge database. For more information about Blackbaud Secure Payments, see the Administration Guide for The Patron Edge.

Installations and Upgrades

Before you install or upgrade to The Patron Edge Online 3.41 and higher, there are a number of considerations you should review and requirements you must meet to successfully complete the installation or upgrade.

Note: For more information about installing The Patron Edge Online 3.41 and higher, including specific procedures, see the Installation Guide. For more information about upgrading to The Patron Edge Online 3.41 and higher, see the Update Guide. Both documents are available on the user guides page of our website, which is located here:

Windows Account Requirement

During the installation, a Key Service Setup screen appears and you are prompted to enter a user name and password. The account information you enter should be for the Windows account that you added specifically to run the Key Service. Before you install or upgrade to The Patron Edge 3.4 and higher, you must add a specific Windows account that has Logon as a service rights and the db_owner role for your Patron Edge database in SQL Server 2005 or SQL Server This is the Windows account that the Key Service will run under. The Key Service is used to retrieve sensitive data from the Patron Edge database, including the Patron Edge database connection string and the data encryption key (DEK) used to encrypt cardholder data. For more information about the Key Service and the DEK, see Message Encryption on page 28.

Database Master Key Requirement

The database master key (DMK) is the encryption key for your Patron Edge Online database and for its symmetric and asymmetric keys. During all new installations and upgrades, you are prompted to enter a new database master key password. The master key password must meet the following standards, which are determined by your Windows security policy:

- The key must be at least seven characters in length.

- The key must contain characters from three of the following four categories: uppercase letters (A through Z), lowercase letters (a through z), base 10 digits (0 through 9), and non-alphanumeric characters, for example, an exclamation point (!) or number sign (#).

Note: For information about managing encryption keys and passwords, see Encryption Key Management on page 3.

If this key becomes compromised or is even suspected of being compromised, you must rotate the key immediately. For steps that guide you through changing the DMK after the installation or upgrade is complete, see Rotate the PEO Database Master Key on page 30.

Key Service Configuration

After you install The Patron Edge Online, you must configure the Key Services needed for your specific implementation. This is required before you can access the administration site and run the Site Setup Wizard. If your Patron Edge and Patron Edge Online applications are installed on a single LAN, see Single Key Service Environment on page 13 for configuration instructions. If your Patron Edge and Patron Edge Online applications are on different LANs, you are prompted to set up a secondary Key Service during the Patron Edge Online installation process. If you set up a secondary Key Service during the Patron Edge Online installation process, see Multiple Key Service Environment on page 14 for configuration instructions.

Note: If you have multiple Key Services, The Patron Edge Online connection string, The Patron Edge connection string, and the data encryption key are encrypted and stored in the Patron Edge Online database. If a single Key Service is used, this sensitive data is stored only in the Patron Edge database.

Single Key Service Environment

If your Patron Edge and Patron Edge Online applications are installed on a single LAN, you require only a single Key Service. This single Key Service runs on your Patron Edge machine, retrieves sensitive data from your Patron Edge database, and communicates with your Patron Edge Online database. If you have a single Key Service environment, you must complete the following configuration steps before you can access your administration site and run the Site Setup Wizard.

Configure a single Key Service

During this process, you will access and use the PA DSS Management Utility on your Patron Edge server. To use the utility, you must have administrator rights in Windows. You must also log into the utility with a Patron Edge account that has administrative privileges.

1. Before you continue, make sure all users are logged out of The Patron Edge.
2. Access your Patron Edge server and navigate to the Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge.
3. Locate and run PCIEncrypt.exe. The PA DSS Management Utility screen appears.
4. Review the information in The Patron Edge Online Database Connection frame and make sure it is correct. If the SQL Database and SQL Server Instance fields are blank or contain incorrect values, enter the correct values. Click Submit to verify the connection. You must click Submit even if the correct values are displayed; this is required to configure the Key Service.

5. Access The Patron Edge Database Connection frame and click Submit to verify the connection. This is required to configure the Key Service.
6. Next, you must rotate the Data Encryption Key (DEK). To do this, access the SQL Server Encryption frame and, in the Existing Master Key field, enter the current database master key for your Patron Edge database. You must enter the current DMK in order to rotate the DEK.
7. To continue, click Rotate Data Encryption Key. A confirmation screen appears.
8. Click OK. The DEK has now been successfully rotated. Any data using the old key will be decrypted and then re-encrypted using the new key. Before logging back into The Patron Edge, restart TIX_PSC.
9. On your Patron Edge Online server, restart both The Patron Edge communication component and the Web application communication component before attempting to log into your administration site.

Multiple Key Service Environment

If your environment requires multiple Key Service instances, The Patron Edge Online Key Service is considered to be a child service of the parent Key Service on your Patron Edge machine. Changing any secure asset (The Patron Edge Online connection string, The Patron Edge connection string, or data encryption key) should be done on the Patron Edge machine through the PA DSS Management Utility. When one of these values is changed, the parent Key Service pushes the new value over an SSL connection to the child Key Service, which writes the values to the Patron Edge Online database. This data is changed in a transactional manner, ensuring that the values in all databases are synchronized. These secure assets are protected the same way in all databases via the DMK, symmetric keys, asymmetric keys, and the DEK.

If your Patron Edge and Patron Edge Online applications are on different LANs, you will need multiple Key Services.
If multiple Key Services are needed for your environment, you are prompted to set up a secondary Key Service during the Patron Edge Online installation process. If you have a multiple Key Service environment, you must complete the following configuration steps before you can access your administration site and run the Site Setup Wizard.

During the configuration process for multiple Key Services, you will access the PA DSS Management Utility on your Patron Edge server and enter the URL for the Patron Edge Online Key Service. Before you begin this process, you should locate and write down the URL for the Patron Edge Online Key Service so you can enter it when needed. To find the URL for the Patron Edge Online Key Service, on the machine where the Web application communication component is installed, navigate to the installation directory. The default installation directory is C:\Program Files\Blackbaud\The Patron Edge Online. From the installation directory, open TopTixEsro2.ini in a text editor. The URL for the Patron Edge Online Key Service is the esro_connectstring value displayed in the [General Parameters] section. For example, in esro_connectstring=net.tcp://localhost:9955/secureassets, the URL you need to note is net.tcp://localhost:9955/secureassets.

Configure multiple Key Services

During this process you will access and use the PA DSS Management Utility on your Patron Edge server. To use the utility, you must have administrator rights in Windows. You must also log into the utility with a Patron Edge account that has administrative privileges.

1. Before you continue, make sure all users are logged out of The Patron Edge.

2. Access your Patron Edge server and navigate to the Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge.
3. Locate and run PCIEncrypt.exe. The PA DSS Management Utility screen appears.
4. Access the Current Key Service Config File Settings frame and, in the Bounded URL field, enter the URL for the Patron Edge Online Key Service.
   Tip: To find the URL for the Patron Edge Online Key Service, on the machine where the Web application communication component is installed, navigate to the installation directory. The default installation directory is C:\Program Files\Blackbaud\The Patron Edge Online. From the installation directory, open TopTixEsro2.ini in a text editor. The URL for the Patron Edge Online Key Service is the esro_connectstring value displayed in the [General Parameters] section. For example, in esro_connectstring=net.tcp://localhost:9955/secureassets, the URL you need to enter is net.tcp://localhost:9955/secureassets.
5. After you enter the correct URL for the Patron Edge Online Key Service, click Submit.
6. Next, review the information in The Patron Edge Online Database Connection frame and make sure it is correct. If the SQL Database and SQL Server Instance fields are blank or contain incorrect values, enter the correct values. Click Submit to verify the connection. You must click Submit even if the correct values are displayed; this is required to configure the Key Services.
7. Access The Patron Edge Database Connection frame and click Submit to verify the connection. This is required to configure the Key Services.
8. Next, you must rotate the Data Encryption Key (DEK). To do this, access the SQL Server Encryption frame and, in the Existing Master Key field, enter the current database master key for your Patron Edge database. You must enter the current DMK in order to rotate the DEK.
9. To continue, click Rotate Data Encryption Key.
A confirmation screen appears.
10. Click OK. The DEK has now been successfully rotated. Any data using the old key will be decrypted and then re-encrypted using the new key. Before logging back into The Patron Edge, restart TIX_PSC.
11. Restart both The Patron Edge communication component and the Web application communication component before attempting to log into your administration site.

Key Service Updates

Every time you apply a new patch or update to a new version of The Patron Edge Online, you must access the PA DSS utility on the Patron Edge server and resubmit the Patron Edge and Patron Edge Online database connection string information. If you have multiple Key Services, you must also verify that the URL for your Patron Edge Online Key Service is entered in the Bounded URL field, and you must resubmit it. Once those values are resubmitted, you must also rotate the DEK. For more information about using the PA DSS utility, see Encryption and PA DSS Management on page 25.
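The following Python example is added to this guide and is not Blackbaud product code. It models the key layering that the Key Service procedures above rely on: stored secure assets are encrypted under a Data Encryption Key, the DEK is itself wrapped under a key derived from the Database Master Key, and rotating the DEK requires the current DMK, decrypts every record under the old key and re-encrypts it under the new key in a single all-or-nothing step (which is why the utility asks for the existing master key before it will rotate). The KeyStore class, the function names, the HMAC-based toy cipher and the sample connection string are assumptions made for the example; SQL Server's own key mechanisms are not reproduced.

```python
"""Added example: DMK -> DEK -> data key hierarchy with DEK rotation.
Not Blackbaud code; the cipher is a toy and SQL Server's key mechanisms are
not reproduced. Names (KeyStore, derive_dmk, rotate_dek) are assumptions."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream, used only to make the data flow
    # concrete. A production system would use AES-GCM or SQL Server encryption.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def derive_dmk(master_key: str, salt: bytes) -> bytes:
    # The administrator-chosen DMK string is stretched into a 32-byte key.
    return hashlib.pbkdf2_hmac("sha256", master_key.encode(), salt, 100_000)


def wrap_dek(dmk: bytes, dek: bytes) -> bytes:
    # Ciphertext plus a MAC so a wrong DMK is detected instead of yielding garbage.
    body = encrypt(dmk, dek)
    return body + hmac.new(dmk, body, hashlib.sha256).digest()


def unwrap_dek(dmk: bytes, wrapped: bytes) -> bytes:
    body, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(dmk, body, hashlib.sha256).digest()):
        raise ValueError("database master key does not match the stored DEK")
    return decrypt(dmk, body)


class KeyStore:
    """Secure assets (connection strings etc.) encrypted under a versioned DEK."""

    def __init__(self, master_key: str):
        self.salt = os.urandom(NONCE_LEN)
        self.dek_version = 1
        self.wrapped_dek = wrap_dek(derive_dmk(master_key, self.salt), secrets.token_bytes(32))
        self.records = {}  # name -> (dek_version, ciphertext)

    def _dek(self, master_key: str) -> bytes:
        return unwrap_dek(derive_dmk(master_key, self.salt), self.wrapped_dek)

    def put(self, name: str, value: bytes, master_key: str) -> None:
        self.records[name] = (self.dek_version, encrypt(self._dek(master_key), value))

    def get(self, name: str, master_key: str) -> bytes:
        version, blob = self.records[name]
        if version != self.dek_version:
            raise ValueError(f"{name} is encrypted under retired DEK version {version}")
        return decrypt(self._dek(master_key), blob)

    def rotate_dek(self, master_key: str) -> int:
        """Re-encrypt every record under a fresh DEK. Requires the current DMK;
        nothing is written until every record has been re-encrypted."""
        old_dek = self._dek(master_key)          # raises if the DMK is wrong
        new_dek = secrets.token_bytes(32)
        new_version = self.dek_version + 1
        rewrapped = {
            name: (new_version, encrypt(new_dek, decrypt(old_dek, blob)))
            for name, (_, blob) in self.records.items()
        }
        self.records = rewrapped
        self.wrapped_dek = wrap_dek(derive_dmk(master_key, self.salt), new_dek)
        self.dek_version = new_version
        return new_version
```

The rotation builds the complete replacement set before touching the store, so a failure part-way (for example a wrong DMK, which is rejected before any record is read) leaves every record readable under the current key; this is the transactional property the guide describes for the parent and child Key Services.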

Default Administrator Account

When The Patron Edge Online is installed, a default administrator user account is created with the user name Supervisor and the password admin. For all new installations and upgrades to The Patron Edge Online 3.41 and higher, you will be required to change the default password of this user as described in the scenarios below.

Warning: For your organization to be PCI DSS compliant, you must configure and use unique user accounts that meet the PCI DSS standards. For more information about these standards, see User Account Security and Configuration on page 17. If in the past your organization used the default administrator account with the default password intact, you must ensure that it is no longer used, or your organization will not be PCI DSS compliant.

For new installations of The Patron Edge Online 3.41 and higher, as well as any time you add a new database, you are required to change the user name and password for the default administrator user account created during the installation. After the installation process is complete and during the initial login, you will be prompted and required to change the user name and password for the default administrator user account. The new password must meet the password requirements as discussed in Password Strength Requirements on page 18. After the new user name and password are successfully added, you will be prompted to log in using the account.

For upgrades to The Patron Edge Online 3.41, you are required to change the password for the default supervisor account created during the installation. In addition, every user will be prompted and required to update their password to meet strong and complex requirements when they log in after the upgrade. For information about changing a user account, see the Configure System Users section of the Administration Guide.
Database Roles

By default, The Patron Edge Online uses the PEOUser account in SQL Server 2005 or SQL Server 2008 to log into the database. The PEOUser account needs the following roles on the Patron Edge Online database:

db_ddladmin
db_datawriter
db_datareader

Note: Prior to version 3.41 of The Patron Edge Online, the default PEOUser account was assigned the db_owner role in addition to the roles listed above. However, starting with The Patron Edge Online 3.41, the db_owner role is no longer assigned to the PEOUser account in SQL Server 2005 or SQL Server 2008.

Warning: In order to be PCI DSS compliant, the SQL Server 2005 or SQL Server 2008 account that The Patron Edge Online uses to log into the database must be denied access to the CustomizeSettings table. By default, the PEOUser account is denied access to the CustomizeSettings table, as required for PCI DSS compliance. However, if you use a different account to log into the Patron Edge Online database, you must manually deny access to the CustomizeSettings table for this user. To do this, run the following SQL script against the Patron Edge Online database, replacing [username] with the appropriate account user name:

deny select, insert, update, delete, references, alter, control, take ownership, view definition on CustomizeSettings to [username]

For your organization to be PCI DSS compliant, the password strength requirements of your Windows security policy must meet or exceed the PCI DSS requirements. To ensure that the password strength requirements for the PEOUser account are determined by your Windows security policy, you must mark Enforce password policy for this user on the Login Properties screen in SQL Server 2005 or SQL Server 2008. For more information about the password requirements, see the Requirement 8: Assign a unique ID to each person with computer access section of the PCI DSS standards document. For more information, see PCI DSS Implementation in Your Organization on page 1.

You can change the user name or password of the PEOUser account in SQL Server 2005 or SQL Server 2008, or use an entirely different account configured with the required roles and denied access to the CustomizeSettings table in the Patron Edge Online database. However, after changes are made, you must run the PA DSS Management Utility that is installed on the Patron Edge machine to set the new user name and password information and establish the new connection string. This is necessary because the connection string used by The Patron Edge Online is stored in an encrypted form in the Patron Edge Online database and is retrieved by the Key Service when needed.

Note: The Key Service is used to retrieve the data from the Patron Edge Online database, including the Patron Edge Online database connection string. For more information about the Key Service, see Key Service on page 26.

After changes are made, restart all Patron Edge Online applications and verify that they are all working correctly with the new connection string.
After the changes are confirmed and you have verified that all applications work correctly, you should access SQL Server 2005 or SQL Server 2008 and remove or disable the previous account that is no longer used. For more information about changing the default SQL Server 2005 or SQL Server 2008 account used to log into your Patron Edge Online database, see Change the Default SQL Server User Account for The Patron Edge Online on page 31.

User Account Security and Configuration

In order to be PCI DSS compliant, you must securely control access to workstations, servers, and databases that contain The Patron Edge Online applications and cardholder data. To establish, maintain, and control access, you must use unique user accounts with strong passwords and employ PCI DSS compliant secure authentication.

In The Patron Edge Online, an administrator can create the unique user accounts needed for each person that accesses the application through the administration site. To be PCI DSS compliant, you should have a one-to-one relationship between users and user accounts. Each user accessing the system should have only one user account, and each account should have a unique name. Each unique user account must be configured with only the permissions needed for that user's specific role. This is required for the integrity of the audit trail. Do not set up a user account that is shared by multiple people. For detailed information about setting up and configuring unique user accounts and permissions, see the Set Up Administration Users section of the Administration Site Guide.

In addition to the administration site users of The Patron Edge Online, there are customer accounts that are created from your public site. When a customer creates an account on your Patron Edge Online public site, they receive an email that contains a unique auto-generated password that meets PCI DSS requirements.

The auto-generated passwords are created by combining the user's first name with a set of randomly selected numeric and alphabetic characters. The customer uses this password to access their account on your public site. Once they log in using their auto-generated password, they are prompted and required to change the password. The password they enter must meet the strength requirements discussed below.

Password Strength Requirements

All user and customer accounts in The Patron Edge Online 3.41 and higher must meet or exceed the following password strength requirements:

The password cannot be the same as the user name.
The password must be at least seven characters in length.
The password must contain both numeric and alphabetic characters.

Note: By default, The Patron Edge Online will not allow a user to submit a new password that is the same as any of the last four passwords he or she has used.

Login Security

When The Patron Edge Online is installed, a default administrator user account is created with the user name Supervisor and the password admin. When you access the Patron Edge Online administration site for the first time, a Setup Wizard automatically runs. During the Setup Wizard process, you must change the default administrator user name and password. The new password must meet the password requirements as discussed in Password Strength Requirements on page 18.

For new installations of The Patron Edge Online 3.41 and higher, you are required to change the user name and password for the default administrator user account created during the installation. After the installation process is complete and during the initial login, you will be prompted and required to change the user name and password for the default administrator user account. The new password must meet the password requirements as discussed in Password Strength Requirements on page 18.
After the new user name and password are successfully added, you will be prompted to log in using the account.

For upgrades to The Patron Edge Online 3.41, you are required to change the password for the default supervisor account created during the installation. In addition, every administration site user will be prompted and required to update their password to meet complexity requirements when they log in after the upgrade. For information about changing a user account, see the "Security Tasks" section of the Administration Site Guide.

This is not the case for customers who have created accounts through your public site. If their existing account password meets complexity requirements, those users will not be prompted to change their passwords after an update.

Password Configuration Settings

Password configuration settings required to meet PCI DSS standards for enforcing login and password security measures in The Patron Edge are shared with The Patron Edge Online. This means that the password policies you establish in The Patron Edge are respected and applied to administration site users created through the administration site, as well as to customer accounts created through your public site.
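As an added example, not Blackbaud code, the following Python functions encode the password rules this chapter states: the three-of-four character-category rule for the Database Master Key, the strength requirements for administration site users and customer accounts (not the user name, at least seven characters, both letters and digits, none of the last four passwords, and the Must not include login site setting), and the PCI DSS bounds this section goes on to give for the Patron Edge company settings (90-day maximum password age, seven-character minimum, rotation of 4, 30-minute lockout, at most six login attempts). The function names, the settings dictionary keys and the case-insensitive user-name comparison are assumptions made for the example.

```python
"""Added example: policy checks for the requirements stated in this guide.
Not Blackbaud code. Function names, the settings dictionary keys and the
case-insensitive user-name comparison are assumptions made for the example."""
import string

PASSWORD_HISTORY_DEPTH = 4   # the last four passwords may not be reused

# Bounds this guide gives for the Patron Edge company settings: (minimum, maximum).
PCI_SETTING_LIMITS = {
    "maximum_password_age_days": (1, 90),
    "min_characters_in_login_password": (7, None),
    "password_rotation": (4, None),
    "login_lockout_duration_minutes": (30, None),
    "number_of_login_attempts": (1, 6),
}


def dmk_meets_complexity(candidate: str) -> bool:
    """Database Master Key rule: three of four categories (upper, lower, digit, other)."""
    categories = (
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c in string.digits for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return sum(categories) >= 3


def password_violations(candidate: str, user_name: str, previous=()) -> list:
    """Strength rules for administration site users and customer accounts.
    Returns the broken rules; an empty list means the password is acceptable."""
    problems = []
    if candidate.lower() == user_name.lower():
        problems.append("same as user name")
    elif user_name and user_name.lower() in candidate.lower():
        problems.append("contains user name")          # Must not include login
    if len(candidate) < 7:
        problems.append("shorter than seven characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")     # Mandatory literal characters
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")        # Mandatory numeric characters
    if candidate in list(previous)[-PASSWORD_HISTORY_DEPTH:]:
        problems.append("matches one of the last four passwords")
    return problems


def settings_out_of_bounds(settings: dict) -> dict:
    """Company settings that are missing or outside the PCI DSS bounds above."""
    bad = {}
    for name, (low, high) in PCI_SETTING_LIMITS.items():
        value = settings.get(name)
        if value is None or value < low or (high is not None and value > high):
            bad[name] = value
    return bad
```

Running settings_out_of_bounds against the values actually configured on the Security and General tabs of the Maintain Company Table screen is a quick way to confirm, before an assessment, that no setting has drifted outside the limits the guide requires.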

The Patron Edge provides the configuration settings required to meet PCI DSS standards for enforcing login and password security measures. To comply with PCI DSS, you must require administration site users to change passwords at least every 90 days and also lock out a user account after no more than six failed login attempts. You must also set the lockout duration to 30 minutes or until a system administrator enables the user account. For information about additional password and lockout requirements for PCI DSS, see User Account Management on page 4.

The following settings are accessed on the Security tab of the Maintain Company Table screen in The Patron Edge and apply to Patron Edge users, as well as to administration site users and customer accounts created in The Patron Edge Online. For information, see the Configure Company Table Settings chapter of the Administration Guide for The Patron Edge.

Maximum password age - This setting ensures that all administration site users change their passwords at least every 90 days. The maximum number of days that can be entered in this field is 90. This setting does not apply to customer accounts created from your Patron Edge Online public site.

Min. Characters in Login Password - This setting ensures that passwords are at least seven characters. You can increase the number of required characters, but the minimum allowed is seven.

Warning: The value you enter for the Min. Characters in Login Password setting in The Patron Edge must also be entered as the value for the Minimum Length site setting in the Password group in the administration site of The Patron Edge Online. If the value specified for the Minimum Length site setting is less than the value entered for the Min. Characters in Login Password setting in The Patron Edge, users will receive an error when attempting to log into their account through your public site.
Password rotation - The minimum setting for Password rotation is 4. This means that when a user changes their password, they cannot use a password that is the same as any of the last four passwords previously used.

User's login lock-out duration (minutes) - This setting determines the number of minutes that a user account is locked after they reach the limit for failed login attempts, which is a maximum of six attempts. The lockout duration is a minimum of 30 minutes or until an administrator manually unlocks the account.

The following setting is accessed on the General tab of the Maintain Company Table screen in The Patron Edge. For information, see the Configure Company Table Settings chapter of the Administration Guide.

Number of Login Attempts - This setting controls the number of failed login attempts that result in a user account being locked. The maximum setting is 6.

Note: If a user is locked out of their account or their password is compromised, an administrator can access the user account record and reset the password to a new temporary password that meets the strong password requirements. Once the user attempts to log in, they will be prompted and required to change their password.

Workstation and Server Inactivity

All workstations or servers that contain The Patron Edge Online and access the administration site must be configured to automatically lock out the current user after 15 minutes of inactivity. To access the machine again, the Windows user must be required to re-enter their user name and password. You can accomplish this by setting the screen saver on each Windows machine to require a password on resume. This is required for your organization to be PCI DSS compliant.

In addition, we recommend that you configure public site sessions to close after 10 minutes of inactivity. For more information, see Close Session Group Site Settings on page 21.

Password Group Site Settings

In addition to the password configuration settings in The Patron Edge that apply to administration site users and customer accounts created in The Patron Edge Online, there are a number of site settings in the administration site that apply specifically to The Patron Edge Online. These settings are collected together in the Password site settings group and are accessed through the administration site.

Can reuse old password - The value of this setting is 0 and cannot be changed. This setting works in conjunction with the Password rotation company setting configured in The Patron Edge. The minimum setting for Password rotation is 4. This means that when a user changes their password, they cannot use a password that is the same as any of the last four passwords previously used. The setting you enter for Password rotation in The Patron Edge is enforced for administration site users and customer accounts in The Patron Edge Online.

Display reset form link - This setting is used in conjunction with the forgot password process for customers who create user accounts from your public site.

Mandatory literal characters - The value of this setting is 1 and cannot be changed. Passwords in The Patron Edge Online must contain alphabetic characters. The term literal in the name of this setting refers to alphabetic characters.

Mandatory numeric characters - The value of this setting is 1 and cannot be changed. Passwords in The Patron Edge Online must contain numeric characters.

Minimum length - The minimum length allowed for passwords created for administration site users and ecrm customers in The Patron Edge Online is seven characters. The value you enter for this parameter must match the value entered for the Min. Characters in Login Password setting on the Security tab of the Maintain Company Table screen in The Patron Edge. If this setting is not the same, users will receive an error when attempting to log into their account through your public site.

Must not include login - The value of this setting is 1 and cannot be changed. This setting ensures that users cannot create passwords that contain their user name.

Password replacement pattern - This setting works in conjunction with the Password replacement template parameter when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. Here, you can enter a regular expression used for generating the name portion of the password, based on the client's first name. For example, you can enter an expression that removes the space from a two-word first name when generating the name portion of the password. To do this, set the Password replacement pattern value to \s to remove spaces from the client's name. In this example, the name portion of the password generated for a customer named Jean Luc will be JeanLuc. The password will never include a client's last name regardless of the settings specified here.

Password replacement template - This setting works in conjunction with the Password replacement pattern parameter when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. Here, you enter a replacement expression that indicates how to combine the name portion of the password with the random portion. For example, set the Password replacement pattern value to ^\s*(\S+).*$ and the Password replacement template value to $1 to use only the first word of a client's first name (the group must capture non-whitespace characters, \S, for the first word to be kept). In this example, the randomly generated password for a user with a two-word first name, like Jean Luc, would be Jean0547X6. Note that the randomly generated portion is a minimum of six characters. To require more than six characters, adjust the Random length site setting.

Random characters - This setting is used when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. With this setting you can shape the characters selected for the random password portion by entering specific characters to be used. Enter the characters without delimiters. If you leave this parameter empty, the characters are selected randomly.

Random length - This setting is used when defining custom patterns for the auto-generated passwords that are sent to customers after they create an account on your public site. The initial customer password is generated using a combination of the customer's first name and a quantity of random digits. With this setting, you determine the quantity of random digits that are used by entering a number in the Value field. The minimum allowed value is 6.

Reset token expiration - This setting is used in conjunction with the forgot password process for customers who create user accounts from your public site. When customers click the Forgot password? link on your public site, they receive an email that contains a link and a unique reset key. They click the link and enter the reset key before they can reset their forgotten password. The Reset token expiration setting determines the duration of time that the link and reset key are usable. The value is set in minutes and the default setting is
Once the set number of minutes pass, the link and reset key will not work.

Close Session Group Site Settings

This site setting group contains a parameter you can use to define how long your Patron Edge Online public website can be idle before a session is automatically closed.

IdleBeforeClose - This site setting controls the amount of time a session remains open when a user has not accessed, requested, or refreshed a page.
The amount of time you allow users to hold a session open is determined by the number of minutes you define in the Value field of this record. The default setting is 10 minutes. If no site activity is detected for the number of minutes entered, the session automatically closes. If a session ends and the user continues navigating your public site, they are returned to the default page. This session time differs from the IIS session time, but when it is over, the program eliminates all the user's IIS session parameters, including the basket content, client details, and UID value.

User Access Audit Capability/Audit Trail

The Patron Edge Online 3.41 and higher includes an audit log that tracks database activity and links activities to individual user accounts. This is true for all Patron Edge Online system users, including those with administrative privileges. When The Patron Edge Online version 3.41 or higher is installed, the audit log is automatically turned on and monitors access to the Patron Edge Online database. To access the audit log and view the information tracked, you must access the view_auditoperations database view in your Patron Edge Online database.

Note: In addition to the view_auditoperations database view in your Patron Edge Online database, transaction activity originating in the Patron Edge Online is also audited and recorded in the view_auditoperations database view in your Patron Edge database.

Each audit log entry contains user identification, type of event, date and time, success or failure indicator, origination of event, and the name of the affected data, system component, or resource. The following activity is monitored and tracked by the audit log:

Login activity. All user login activity is tracked and will have an entry in the audit log. This activity includes logins, logouts, password changes, and all account locking and unlocking activity.

Administration site activity. All add, edit, and delete actions in the Users, Areas, Events, Shows, Halls, Donations, Subscriptions, and Merchandise areas of the administration site are logged.

Credit card activity. All credit card activity is monitored and will have an entry in the audit log. Although monitored, no sensitive data is included in the log. For example, the primary account number (PAN) will never appear in the log as plain text. This is true for successful transactions and errors.

PCI DSS audit trail requirement 10.3 states that the audit trail/log entries must contain user identification, type of event, date and time, success or failure indicator, origination of event, and the name of the affected data, system component, or resource. The following mapping shows how each requirement is tracked and displayed in the Patron Edge audit log. For The Patron Edge Online 3.41 and higher, the view_auditoperations database view provides the required audit trail/log information as specified in requirement 10.3. The fields displayed in the view_auditoperations database view map directly to the PCI DSS audit trail requirements as follows:

UserID = User identification
ActionType = Type of event
ActionDate = Date and time
ActionStatus = Success or failure indicator
OriginApplication and OriginModule = Origination of event
EntityCode and TargetEntityID = Name of affected data, system component or resource

In addition to the audit log that is tracked and viewable by accessing the view_auditoperations database view, The Patron Edge Online provides additional auditing to track application interactions with The Patron Edge, as well as all administration site and public site sessions.

Application interactions. All application interactions between The Patron Edge Online and The Patron Edge are logged in the Transact database table and are viewable in The Patron Edge Online database.
Application interactions include retrieving show data from The Patron Edge and submit basket actions.

Administration and public site sessions. All administration site and public site sessions are logged in the Caller and Caller_Session database tables and are viewable in The Patron Edge Online database. The data collected and logged includes browser details and pages viewed by session.

Payment Process Security

Versions 3.41 and higher of The Patron Edge Online and versions 3.4 and higher of The Patron Edge comply with PA DSS standards to securely handle credit card processes. Credit card information is encrypted before transactions are cleared. Once the transactions are cleared, every credit card number is truncated, except for the last four digits, and no other credit card information is retained. For more information, see Cardholder Data on page 24. No credit card information is stored in the Patron Edge Online database. Once online transactions are processed, the transaction data is stored securely in the Patron Edge database.
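Returning to the Password group site settings described above, the following Python example (added here, not Blackbaud code) shows how the Password replacement pattern, Password replacement template, Random characters and Random length settings combine to produce a customer's initial password, and checks that the result still satisfies the strength requirements. The settings dictionary, the function names, the $1-to-\1 conversion of the template and the retry loop are assumptions made for the example; the product's actual generator is not reproduced.

```python
"""Added example: how the Password group site settings shape the initial
customer password. Not Blackbaud code; the settings dictionary, the function
names and the retry loop are assumptions made for the example."""
import re
import secrets
import string

RANDOM_LENGTH_MINIMUM = 6   # the guide states the minimum allowed Random length


def name_portion(first_name: str, pattern: str, template: str) -> str:
    """Apply Password replacement pattern/template to the first name only;
    the last name is never used."""
    if not pattern:
        return first_name
    # The site setting references groups as $1; Python's re.sub expects \1.
    py_template = re.sub(r"\$(\d+)", r"\\\1", template)
    return re.sub(pattern, py_template, first_name)


def random_portion(length: int, random_characters: str = "") -> str:
    """Random characters: an explicit alphabet, or letters and digits when empty."""
    if length < RANDOM_LENGTH_MINIMUM:
        raise ValueError("Random length must be at least 6")
    alphabet = random_characters or (string.ascii_letters + string.digits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_strength(password: str) -> bool:
    """Seven or more characters with at least one letter and one digit."""
    return (len(password) >= 7
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def generate_initial_password(first_name: str, settings: dict) -> str:
    """Name portion followed by the random portion, retried until the result
    also satisfies the strength requirements."""
    name = name_portion(first_name, settings.get("pattern", ""), settings.get("template", ""))
    for _ in range(20):
        candidate = name + random_portion(settings.get("random_length", RANDOM_LENGTH_MINIMUM),
                                          settings.get("random_characters", ""))
        if meets_strength(candidate):
            return candidate
    raise ValueError("settings cannot produce a password that meets the strength rules")
```

Two behaviours are worth noting when choosing these settings: a Random characters value with no digits relies on the name portion for letters and cannot supply the required digit, and a pattern whose group matches whitespace (\s+) rather than non-whitespace (\S+) never captures the first word at all, so the generator above raises instead of silently issuing a weak password.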

VeriFone PCCharge

Payment processing in The Patron Edge Online can be handled by VeriFone PCCharge, which is a third-party application. To be PCI DSS compliant, you must install a PCI DSS compliant version of VeriFone PCCharge, and it must be installed and configured according to the instructions provided in the PCI DSS implementation documentation from VeriFone. For more information, see the VeriFone PCCharge website. VeriFone PCCharge is installed and configured when The Patron Edge is implemented. For more information, see the Administration Guide for The Patron Edge.

Blackbaud Secure Payments

Payment processing in The Patron Edge and The Patron Edge Online can be handled by Blackbaud Secure Payments. With Blackbaud Secure Payments (BBSP), you can enable clients to securely accept online credit card transactions from their website users and supporters. You can also accept donations and other transactions within The Patron Edge.

In The Patron Edge, each user workstation uses a customizable paymentclient.ini file that is unique to that workstation. You can edit the paymentclient.ini file to specify the default merchant account and currency to use, as well as the template to use when processing transactions within The Patron Edge. When you process credit card transactions, each workstation communicates directly with the Blackbaud Secure Payments servers to verify and authorize the credit card information. Unlike VeriFone's PCCharge, where the program encrypts all sensitive data before clearing and stores it in the CC_Payment table within your Patron Edge database, Blackbaud Secure Payments does not store any data within your Patron Edge database.

For The Patron Edge Online, you specify a series of online payment configuration settings, such as the merchant account, currency, and template to use when processing online transactions.
You specify these settings from within The Patron Edge Online Administration site. When you process credit card transactions, the program communicates directly with the Blackbaud Secure Payments servers to verify and authorize the credit card information. Unlike VeriFone's PCCharge, where the program encrypts all sensitive data before clearing and stores it in the CC_Payment table within your Patron Edge database, Blackbaud Secure Payments does not store any data within your Patron Edge database. For more information, see the Administration Guide for The Patron Edge.

Cardholder Data

No cardholder data is stored in The Patron Edge Online database. Once online transactions are processed, the cardholder data is stored in The Patron Edge database according to PA DSS standards. Versions 3.4 and higher of The Patron Edge encrypt all sensitive data before clearing and store it in the CC_Payment table within the database. The following information is encrypted and saved in the database before transactions clear:
- credit card number
- cvv2
- magnetic_strip_data
- track2_details
- issue_number

Once transactions clear, the only cardholder data retained in the database is the last four digits of the credit card number. The cvv2, magnetic_strip_data, and track2_details fields hold sensitive authentication data, which PCI DSS does not permit to be stored after authorization even in encrypted form; these fields and issue_number are purged from the database after transactions clear.

Records

After a transaction is processed online through your Patron Edge Online public site, the payment information for the transaction can be viewed on the Transaction Details screen within The Patron Edge. If a credit card payment was applied to the transaction, a truncated credit card number is displayed on the Payment tab with only the last four digits visible.

In accordance with PCI DSS, your organization must develop and maintain a data retention and disposal policy. You must keep cardholder data storage to a minimum and limit the retention time to only the duration required for business, legal, and regulatory purposes. We recommend that you purge this data once it is no longer needed for business purposes.

Encryption and PA DSS Management

When a purchase is made through your public site, an encrypted XML message containing the transaction information is sent from the web server over TCP and is received by the Patron Edge Application Group for The Patron Edge Online applications. After receiving the message, these applications decrypt the credit card information for processing and then encrypt the sensitive data. The payment request, including the encrypted sensitive data, is then sent to The Patron Edge database, where it is recorded in the CC_Payment table. TIX_PSC checks the table for payment requests on a designated interval. When a payment request is found, TIX_PSC invokes the Blackbaud Payment Server, which sends the payment request to your payment processor. The result of the payment request is then sent by the payment processor back to the Blackbaud Payment Server and is recorded in the CC_Payment table within The Patron Edge database by TIX_PSC. The Patron Edge Online is then notified of the result. During this process, all sensitive data transmitted between The Patron Edge Online and The Patron Edge before clearing is encrypted, and only truncated credit card numbers are stored after clearing.

To enable the secure encryption of sensitive data, The Patron Edge Online 3.41 and higher and The Patron Edge 3.4 and higher include data encryption functionality that meets PA DSS requirements. This functionality is implemented using a Key Service and a series of encryption keys that are described in detail in the following sections.
Key Service

Depending on your implementation, you will have one Key Service running on your Patron Edge machine that retrieves sensitive data from your Patron Edge database and communicates with your Patron Edge Online database. This single Key Service is started and configured when you install The Patron Edge.

If your environment requires multiple Key Service instances, The Patron Edge Online Key Service is considered a child service of the parent Key Service on your Patron Edge machine. Any change to a secure asset (The Patron Edge Online connection string, The Patron Edge connection string, or the data encryption key) should be made on the Patron Edge machine through the PA DSS Management Utility. When one of these values is changed, the parent Key Service pushes the new value over an SSL connection to the child Key Service, which writes the value to the Patron Edge Online database. The change is made transactionally so that the values in all databases remain synchronized. These secure assets are protected the same way in all databases via the DMK, symmetric keys, asymmetric keys, and the DEK.

Change the Key Service Login Account

You can use the following procedure to change the Windows account that runs the Key Service. The Windows account you select must have the Log on as a service right and the db_owner role for the respective database in SQL Server 2005 or SQL Server 2008.

If you have a single Key Service, you change the login account for the Key Service on the Patron Edge server. If you have multiple Key Services, you change the login account for the parent Key Service on the Patron Edge server and the login account for the child Key Service on the Patron Edge Online machine. The account information you enter should be for the Windows account that will run the Key Service on each machine.

Change the Key Service Login Account
1. Before you continue, make sure all users are logged out of The Patron Edge Online and/or The Patron Edge, and stop the Key Service. You must also stop all Patron Edge Online services before proceeding.
2. From Windows, access the Administrative Tools screen.
3. On the Administrative Tools screen, double-click Services. The Services screen appears.

4. Scroll down and select Keys Services SVC. Verify that the service has been stopped.
5. Right-click the service and select Properties from the shortcut menu. The properties screen for the Key Service appears.
6. Select the Log On tab.
7. Under Log on as, enter a new Windows account for the Key Service to run under. To select an account, click Browse. The Windows account you enter must have the Log on as a service right and must also have the db_owner role in SQL Server 2005 or SQL Server 2008. You must also enter and confirm the user password in the corresponding fields.
8. To continue, click Apply and then OK. The Key Service login account is changed and you return to the Services screen.

9. Restart the Key Service and all Patron Edge Online and/or Patron Edge applications to ensure that they are working correctly.

Message Encryption

When a purchase is made through your public site, an encrypted XML message containing the transaction information is sent from the web server over TCP and is received by the Patron Edge Application Group for The Patron Edge Online applications. The encryption strength for the connection between the web server and the Patron Edge Application Group for The Patron Edge Online is fixed at 256 bits and cannot be changed. The encryption of this message is handled by the data encryption key (DEK). For more information about the DEK, see Encryption Keys on page 29.

Note: The administration site contains a site settings group called Encryption. Within this group is a Key Size site setting. This site setting is not active and should be ignored: the encryption strength for the connection between the web server and the Patron Edge Application Group for The Patron Edge Online is fixed at 256 bits regardless of the value of this site setting.

The transaction data generated from sales processed through The Patron Edge Online is stored securely in the Patron Edge database. With The Patron Edge 3.4 and higher, the program encrypts all sensitive data before clearing and stores only truncated credit card numbers after clearing.

Encryption Keys

The Patron Edge Online 3.41 and higher and The Patron Edge 3.4 and higher use a series of encryption keys to encrypt sensitive data. These keys are explained below.

Warning: Encryption keys are sensitive data that must be managed according to PCI DSS standards for encryption key management. If they are not, you will not be PCI DSS compliant.
For information about PCI DSS key management standards, see Encryption Key Management on page 3.

Data Encryption Key (DEK). The DEK is a programmatic key that encrypts cardholder data and is stored in the Patron Edge database. It also encrypts the XML message containing the transaction information that is sent from the web server over TCP and received by the Patron Edge Application Group for The Patron Edge Online applications. To rotate this key, you must use the PA DSS Management Utility on the machine where The Patron Edge is installed. For information about using the utility to rotate this key, see the PA DSS Implementation Guide for The Patron Edge. If this key becomes compromised, or is even suspected of being compromised, you must rotate it immediately. When you rotate this key, pre-authorization data encrypted with the old key is decrypted and then re-encrypted with the new key.

Database Master Key (DMK). Your Patron Edge Online and Patron Edge databases each have a DMK. The DMK is the encryption key for the database and for its symmetric and asymmetric keys. For The Patron Edge database, the DMK also encrypts the DEK. If a DMK becomes compromised, or is even suspected of being compromised, you must rotate it immediately. For information about rotating the DMK for your Patron Edge Online database, see Rotate the PEO Database Master Key on page 30. For information about rotating the DMK for your Patron Edge database, see the PA DSS Implementation Guide for The Patron Edge.

Note: During new installations of The Patron Edge Online 3.41 and higher, as well as subsequent updates, you will be required to enter a new DMK.

Service Master Key (SMK). The SMK is the root of the SQL Server encryption hierarchy for a specific instance of SQL Server 2005 or SQL Server 2008: it protects the DMK of every database on that instance. This means that if this key is rotated, it affects not only your Patron Edge Online database but all databases on the same SQL Server 2005 or SQL Server 2008 instance as your Patron Edge Online database. This task is typically performed by an experienced Database Administrator and should be approached with caution.
For information about rotating the SMK for your Patron Edge Online database, see Rotate the Service Master Key on page 31.

Tip: For more information about SQL Server encryption and the encryption hierarchy, see the following MSDN article on Microsoft's website:

Warning: If an encryption key becomes compromised, or is even suspected of being compromised, you must replace the key immediately. This is required to be PCI DSS compliant.

Warning: To comply with PCI DSS, your organization must fully document and implement key management processes and procedures for keys used to encrypt cardholder data. For specific information about the requirements, see Encryption Key Management on page 3.

Rotate the PEO Database Master Key

The Database Master Key (DMK) is the encryption key for the Patron Edge Online database and for its symmetric and asymmetric keys. If this key becomes compromised, or is even suspected of being compromised, you must rotate it immediately. If you are rotating keys under normal circumstances, we recommend rotating them during down time, as it can be a time-consuming process.

During new installations of version 3.41 and higher, as well as subsequent updates, you will be required to enter a new DMK.

Warning: Before you rotate the DMK, make sure all other users are logged out of The Patron Edge Online. This task is typically performed by an experienced Database Administrator and should be approached with caution.

To rotate the DMK for the Patron Edge Online database, you do not use the PA DSS Management Utility. Instead, you manually rotate the key by running the following SQL script against your Patron Edge Online database:

open master key decryption by password = '<CurrentMasterKeyGoesHere>';
alter master key regenerate with encryption by password = '<NewMasterKeyGoesHere>';
close master key;

Because both the current and the new key passwords appear in clear text in this script, run it interactively and do not save it to a query file, a SQL Agent job, or a script repository.

The new master key you specify in the script must meet the following password complexity requirements:
- The key must be at least seven characters in length.
- The key must contain characters from three of the following four categories: uppercase letters (A through Z), lowercase letters (a through z), base 10 digits (0 through 9), and non-alphanumeric characters, for example, an exclamation point (!) or number sign (#).

Rotate the Service Master Key

The Service Master Key (SMK) is the root of the encryption hierarchy for a specific instance of SQL Server 2005 or SQL Server 2008 and protects the DMK of every database on that instance. This means that if this key is rotated, it affects not only your Patron Edge Online database but all databases on the same SQL Server 2005 or SQL Server 2008 instance as your Patron Edge Online database. This task is typically performed by an experienced Database Administrator and should be approached with caution.
Warning: Before you rotate the SMK, make sure all users are logged out of The Patron Edge, The Patron Edge Online, and all other applications connected to databases within the corresponding instance of SQL Server 2005 or SQL Server 2008.

If your Patron Edge Online database and your Patron Edge database are on the same instance of SQL Server 2005 or SQL Server 2008, you use the PA DSS Management Utility installed on your Patron Edge machine to rotate the SMK. For information about rotating the SMK for a single SQL Server instance that contains both your Patron Edge Online and Patron Edge databases, see the PA DSS Implementation Guide for The Patron Edge.

If the Patron Edge Online database and the Patron Edge database are on different instances of SQL Server 2005 or SQL Server 2008, you rotate the SMK for the Patron Edge database using the PA DSS Management Utility, but you must manually rotate the SMK for the SQL Server 2005 or SQL Server 2008 instance where the Patron Edge Online database resides.

Note: To rotate the SMK, a user must have CONTROL SERVER permission on the SQL Server 2005 or SQL Server 2008 instance where the Patron Edge Online database resides.

For information about rotating the SMK for the Patron Edge database using the PA DSS Management Utility, see the PA DSS Implementation Guide for The Patron Edge. To manually rotate the SMK for the instance that hosts the Patron Edge Online database, run the following SQL script against your Patron Edge Online database (the SMK is instance-wide, so the statement re-encrypts the DMK of every database on that instance):

alter service master key regenerate;

Change the Default SQL Server User Account for The Patron Edge Online

By default, The Patron Edge Online uses the PEOUser account in SQL Server 2005 or SQL Server 2008 to log into the database. If needed, you can change the user name or password for this account in SQL Server 2005 or SQL Server 2008, or use an entirely different account configured with the required roles. If you change the user name or password for the default account, or add a new user in SQL Server 2005 or SQL Server 2008 to use instead of the default account, you must run the PA DSS Management Utility that is installed on the Patron Edge machine to set the new user name and password and establish the new connection string. This is necessary because the connection string used by The Patron Edge Online is stored in encrypted form in the Patron Edge Online database and is retrieved by the Key Service when needed. After changes are made, restart all Patron Edge Online applications and verify that they are all working correctly with the new connection string. After the changes are confirmed and you have verified that all applications work correctly, access SQL Server 2005 or SQL Server 2008 and remove or disable the previous account that is no longer used.

The PEOUser account needs the following roles on the Patron Edge Online database:
- db_ddladmin
- db_datawriter
- db_datareader

In addition to the roles above, you must also deny this user access to the CustomizeSettings table in the Patron Edge Online database. Do not add this account to db_owner: members of db_owner are not subject to DENY, so the restriction would be silently bypassed.
To deny access to the CustomizeSettings table, run the following SQL script against the Patron Edge Online database, replacing [username] with the appropriate account user name:

deny select, insert, update, delete, references, alter, control, take ownership, view definition on CustomizeSettings to [username];

Warning: In order to be PCI DSS compliant, the SQL Server 2005 or SQL Server 2008 account that The Patron Edge Online uses to log into the database must be denied access to the CustomizeSettings table.

Change the default SQL Server user account for The Patron Edge Online

You must access the PA DSS Management Utility installed on the Patron Edge machine to complete this process. To access and use the PA DSS Management Utility, you must have administrator rights in Windows. You must also log into this utility with a Patron Edge account that has administrative privileges. If you are already logged into The Patron Edge on the same machine, those credentials are used when running this application.
1. By default, The Patron Edge Online uses the PEOUser account in SQL Server 2005 or SQL Server 2008 to log into the database. If needed, you can change the user name or password for this account in SQL Server 2005 or SQL Server 2008, or use an entirely different account configured with the required roles. Once changes are made in SQL Server 2005 or SQL Server 2008, you must complete this procedure to set the new user name and password and establish the secure database connection string.

2. Before you continue, make sure all users are logged out of The Patron Edge Online. You must also stop all Patron Edge Online services before proceeding.
3. Access your Patron Edge server and navigate to the Patron Edge installation directory. The default location is C:\Program Files\Blackbaud\The Patron Edge.
4. Locate and run PCIEncrypt.exe. The PA DSS Management Utility screen appears.
5. Under The Patron Edge Online Database Connection, mark the appropriate authentication type and enter the new and/or current SQL user name and SQL password in the corresponding fields.
6. To continue, click Submit. A confirmation screen appears.
7. Click OK. The new information for the default SQL Server 2005 or SQL Server 2008 account for The Patron Edge Online is set and a new secure database connection string is established.
8. After the changes are complete, restart all Patron Edge Online applications to ensure that they are working correctly with the new connection string. After the changes are confirmed and you have verified that all applications work correctly, if applicable, access SQL Server 2005 or SQL Server 2008 and remove or disable the previous account that is no longer used.
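The following T-SQL script is an added verification example; it is not part of this guide and is not a Blackbaud tool. It checks, after the DMK and SMK rotation procedures and the account change procedure above have been carried out, that the SQL Server key hierarchy and the database principals look the way this chapter requires: that the Patron Edge Online DMK exists and when it was last regenerated, when the instance SMK was last regenerated, how each key under the DMK is protected, that the Key Service account holds db_owner, that the application account holds db_ddladmin, db_datawriter and db_datareader but not db_owner, and that every permission in the DENY script above is present as an explicit table-level DENY on CustomizeSettings. The database name PatronEdgeOnline, the Key Service account DOMAIN\svc_peokey and the dbo schema for CustomizeSettings are assumptions to adjust for your environment; PEOUser is the default account named in this guide.

```sql
-- Added verification script (not Blackbaud's own). Run it in SQL Server
-- Management Studio against the Patron Edge Online database after completing
-- the key rotation and account change procedures in this chapter.
-- Assumptions (adjust to your environment):
--   * the PEO database is named PatronEdgeOnline
--   * the application login is PEOUser (the default named in this guide)
--   * the Key Service runs as the Windows account DOMAIN\svc_peokey
--   * CustomizeSettings lives in the dbo schema
USE PatronEdgeOnline;
GO

DECLARE @AppUser    sysname;
DECLARE @KeySvcUser sysname;
SET @AppUser    = N'PEOUser';            -- assumed application principal
SET @KeySvcUser = N'DOMAIN\svc_peokey';  -- assumed Key Service account

-- 1. DMK state. is_master_key_encrypted_by_server = 1 means a copy of the DMK
--    is also protected by the SMK, so the server can open it without the
--    password; record that fact in your key management documentation.
--    dmk_last_regenerated should match the date of your last rotation.
SELECT d.name AS database_name,
       d.is_master_key_encrypted_by_server,
       k.create_date AS dmk_created,
       k.modify_date AS dmk_last_regenerated
FROM sys.databases AS d
LEFT JOIN sys.symmetric_keys AS k ON k.name = N'##MS_DatabaseMasterKey##'
WHERE d.database_id = DB_ID();

-- 2. SMK state. The SMK is catalogued in master; modify_date moves when
--    ALTER SERVICE MASTER KEY REGENERATE runs on the instance.
SELECT name, create_date, modify_date AS smk_last_regenerated
FROM master.sys.symmetric_keys
WHERE name = N'##MS_ServiceMasterKey##';

-- 3. Every key in this database and how it is protected (by password, by the
--    DMK, or by the SMK). The DMK itself appears here with its own protectors.
SELECT k.name, k.algorithm_desc, ke.crypt_type_desc AS protected_by
FROM sys.symmetric_keys AS k
JOIN sys.key_encryptions AS ke ON ke.key_id = k.symmetric_key_id
UNION ALL
SELECT a.name, a.algorithm_desc, a.pvt_key_encryption_type_desc
FROM sys.asymmetric_keys AS a;

-- 4. Role membership for the two application principals, plus everyone in
--    db_owner. The Key Service account needs db_owner; the application account
--    needs db_ddladmin, db_datawriter and db_datareader. Any other db_owner
--    member should be justified in your access control documentation.
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (@AppUser, @KeySvcUser) OR r.name = N'db_owner'
ORDER BY m.name, r.name;

-- 5. The application account must not be in db_owner: db_owner members are not
--    subject to DENY, which would silently defeat the CustomizeSettings lockdown.
IF EXISTS (SELECT 1
           FROM sys.database_role_members AS rm
           JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'db_owner' AND m.name = @AppUser)
    RAISERROR(N'%s is a member of db_owner; the DENY on CustomizeSettings is ineffective', 16, 1, @AppUser);

-- 6. Each permission covered by the guide's DENY script must exist as an
--    explicit table-level DENY (state = 'D', minor_id = 0) for the app account.
--    Any row returned here is a missing DENY: rerun the DENY script.
DECLARE @Required TABLE (permission_name nvarchar(128) NOT NULL);
INSERT INTO @Required (permission_name)
SELECT N'SELECT'     UNION ALL SELECT N'INSERT'  UNION ALL SELECT N'UPDATE'
UNION ALL SELECT N'DELETE'     UNION ALL SELECT N'REFERENCES'
UNION ALL SELECT N'ALTER'      UNION ALL SELECT N'CONTROL'
UNION ALL SELECT N'TAKE OWNERSHIP' UNION ALL SELECT N'VIEW DEFINITION';

SELECT req.permission_name AS missing_deny
FROM @Required AS req
WHERE NOT EXISTS (
    SELECT 1
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
    WHERE u.name = @AppUser
      AND p.class = 1                                   -- object or column
      AND p.major_id = OBJECT_ID(N'dbo.CustomizeSettings')
      AND p.minor_id = 0                                -- whole table, not a column
      AND p.state = 'D'                                 -- DENY, not GRANT
      AND p.permission_name = req.permission_name);
```

Run the script as a login that can read the catalog views in both the Patron Edge Online database and master (a sysadmin or a login with VIEW DEFINITION on the database and VIEW ANY DEFINITION on the instance). Result set 6 should be empty and step 5 should raise no error; if either reports a problem, repeat the account procedure before putting the application back into service. Keep the output with your key management records, since the modify_date values are the evidence that a rotation actually took place.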


More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

Corporate and Payment Card Industry (PCI) compliance

Corporate and Payment Card Industry (PCI) compliance Citrix GoToMyPC Corporate and Payment Card Industry (PCI) compliance GoToMyPC Corporate provides industryleading configurable security controls and centralized endpoint management that can be implemented

More information

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy Payment Card Industry - Data Security Standard () Security Policy Version 1-0-0 3 rd February 2014 University of Leeds 2014 The intellectual property contained within this publication is the property of

More information

Payment Card Industry (PCI) Data Security Standard. Version 1.1

Payment Card Industry (PCI) Data Security Standard. Version 1.1 Payment Card Industry (PCI) Data Security Standard Version 1.1 Release: September, 2006 Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to

More information

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) This document is to be used for payment application vendors to validate that the payment application

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

Payment Card Industry (PCI) Data Security Standard. Version 1.1

Payment Card Industry (PCI) Data Security Standard. Version 1.1 Payment Card Industry (PCI) Data Security Standard Version 1.1 Release: September, 2006 Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to

More information

3M SelfCheck Self-Pay Software. Implementation Guide

3M SelfCheck Self-Pay Software. Implementation Guide 3M SelfCheck Self-Pay Software Implementation Guide 3M SelfCheck Self-Pay Software Implementation Guide, 78-8800-0302-1a 3M 2014. All rights reserved. 3M is a trademark of 3M. Microsoft, Windows, Vista,

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment. REQUIREMENT 1 Install and Maintain a Firewall Configuration to Protect Cardholder Data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted

More information

PA-DSS Implementation Guide: Steps to ensure that your POS system is secure

PA-DSS Implementation Guide: Steps to ensure that your POS system is secure PA-DSS Implementation Guide: Steps to ensure that your POS system is secure About the PCI Security Standards The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible

More information

Implementation Guide for PCI Compliance Microsoft Dynamics RMS

Implementation Guide for PCI Compliance Microsoft Dynamics RMS Implementation Guide for PCI Compliance Microsoft Dynamics RMS November 2013 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

Teleflora Point of Sales. Eagle 8. PA-DSS Implementation Guide

Teleflora Point of Sales. Eagle 8. PA-DSS Implementation Guide Eagle 8 Version: 1.6 Version Date: July 27, 2011 REVISIONS Document Version Date Description 1.6 July 27, 2011 Corrected How to Enable the Customer Service Access using GoToAssist and Data backup sections

More information

PCI Implementation Guide

PCI Implementation Guide ProphetLine, Inc POS System PCI Implementation Guide What You Need to Know About PCI DSS & Credit Card Security ProphetLine, Inc. 2120 South Waldron Road Suite 128B Fort Smith, AR 72903 1-800-875-6592

More information

CISP Compliance and PCI Data Security Standard Adherence. according to the Payment Application-Data Security Standard Version 1.2

CISP Compliance and PCI Data Security Standard Adherence. according to the Payment Application-Data Security Standard Version 1.2 CISP Compliance and PCI Data Security Standard Adherence according to the Payment Application-Data Security Standard Version 1.2 This document has been prepared by MICROS-Fidelio (Ireland) Ltd. and is

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Contents Introduction 3 Tune Panel to Meet PCI DSS 5 Linux-based Servers... 6 Microsoft Windows-based Servers... 10 Tune Business Manager to Meet PCI DSS 13 Remove Unprotected Sensitive

More information

Windows Azure Customer PCI Guide

Windows Azure Customer PCI Guide Windows Azure PCI Guide January 2014 Version 1.0 Prepared by: Neohapsis, Inc. 217 North Jefferson St., Suite 200 Chicago, IL 60661 New York Chicago Dallas Seattle PCI Guide January 2014 This document contains

More information

Implementation Guide for PCI Compliance Microsoft Dynamics AX 2012

Implementation Guide for PCI Compliance Microsoft Dynamics AX 2012 Implementation Guide for PCI Compliance Microsoft Dynamics AX 2012 February 2012 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to

More information

Information about this New Document

Information about this New Document Information about this New Document New Document This Payment Card Industry Data Security Standard, dated January 2005, is an entirely new document. Contents This manual contains security requirements

More information

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

Tripwire PCI DSS Solutions: Automated, Continuous Compliance Tripwire PCI DSS Solutions: Automated, Continuous Compliance white paper Configuration Control for Virtual and Physical Infrastructures Contents Contents 3 Introduction 4 Meeting Requirements with Tripwire

More information

STATE OF NEW JERSEY IT CIRCULAR

STATE OF NEW JERSEY IT CIRCULAR NJ Office of Information Technology P.O. Box 212 www.nj.gov/it/ps/ Jon S. Corzine, Governor 300 Riverview Plaza Adel Ebeid, Chief Technology Officer Trenton, NJ 08625-0212 STATE OF NEW JERSEY IT CIRCULAR

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

Demystifying the Payment Card Industry - Data Security Standard

Demystifying the Payment Card Industry - Data Security Standard Demystifying the Payment Card Industry - Data Security Standard Does ADTRAN Comply? What is the PCI DSS? In short, the Payment Card Industry (PCI) Data Security Standard (DSS) is a stringent set of requirements

More information

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond RSA Solution Brief Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond Through Requirement 10, PCI DSS specifically requires that merchants, banks and payment processors

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE Version 2.0 January 2013 Jamie Bodley-Scott Cryptzone 2012 www.cryptzone.com Page 1 of 12 Contents Preface... 3 PCI DSS - Overview

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,

More information

The Raiser s Edge Mobile Event Management Application Guide

The Raiser s Edge Mobile Event Management Application Guide The Raiser s Edge Mobile Event Management Application Guide 072613 2013 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic,

More information

PCI Compliance Training

PCI Compliance Training PCI Compliance Training 1 PCI Training Topics Applicable PCI Standards Compliance Requirements Compliance of Unitec products Requirements for compliant installation and use of products 2 PCI Standards

More information

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online 062212 2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

RezStream Professional Credit Card Processing Manual. January 2011

RezStream Professional Credit Card Processing Manual. January 2011 REZSTREAM PROFESSIONAL CREDIT CARD PROCESSING MANUAL - MERCHANT PARTNERS January 2011 RezStream www.rezstream.com Page #1 TABLE OF CONTENTS TABLE OF CONTENTS... 2 ABOUT THIS MANUAL... 4 CONTACT US... 4

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX FEBRUARY 2008 Introduction Over the past few years there have been several high profile security breaches that have resulted in the loss

More information

Cyber-Ark Software and the PCI Data Security Standard

Cyber-Ark Software and the PCI Data Security Standard Cyber-Ark Software and the PCI Data Security Standard INTER-BUSINESS VAULT (IBV) The PCI DSS Cyber-Ark s View The Payment Card Industry Data Security Standard (PCI DSS) defines security measures to protect

More information

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry (PCI) Compliance. Management Guidelines Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that

More information

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program). Introduction This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements.

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

PCI Security Audit Procedures Version 1.0 December 2004

PCI Security Audit Procedures Version 1.0 December 2004 PCI Security Audit Procedures Version 1.0 December 2004 Payment Card Industry Security Audit Procedures Disclaimer The Payment Card Industry (PCI) Security Audit Procedure is to be used as a guideline

More information

Administration Site Guide

Administration Site Guide Administration Site Guide 080612 2012 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying,

More information

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat PCI COMPLIANCE Achieving Payment Card Industry (PCI) Data Security Standard Compliance With Lumension Security Vulnerability Management and Endpoint Security Solutions Cardholder Data at Risk While technology

More information

Policies and Procedures

Policies and Procedures Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,

More information

An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance

An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance An Oracle White Paper January 2010 Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance Disclaimer The following is intended to outline our general product direction. It is

More information

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. PCI Compliance Can Make Your Organization Stronger and Fitter Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. Today s Agenda PCI DSS What Is It? The Regulation 6 Controls 12 Requirements

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Payment Card Industry Security Audit Procedures. January 2005

Payment Card Industry Security Audit Procedures. January 2005 Payment Card Industry Security Audit Procedures January 2005 Copyright The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and

More information

PCI and PA DSS Compliance Assurance with LogRhythm

PCI and PA DSS Compliance Assurance with LogRhythm WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

MN-700 Base Station Configuration Guide

MN-700 Base Station Configuration Guide MN-700 Base Station Configuration Guide Contents pen the Base Station Management Tool...3 Log ff the Base Station Management Tool...3 Navigate the Base Station Management Tool...4 Current Base Station

More information

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory

More information

White Paper. BD Assurity Linc Software Security. Overview

White Paper. BD Assurity Linc Software Security. Overview Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about

More information

Beef O Brady's. Security Review. Powered by

Beef O Brady's. Security Review. Powered by Beef O Brady's Security Review Powered by Why install a Business Class Firewall? Allows proper segmentation of Trusted and Untrusted computer networks (PCI Requirement) Restrict inbound and outbound traffic

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information