PA-DSS Implementation Guide. Version 1.2.1. Document Owners. Approval Date: January 2012

Tuition Express PA-DSS Implementation Guide
Version 1.2.1
Approval Date: January 2012

Document Owners
Brad Olson, Operations Director
Darren Gapp, Chief System/Software Engineer
Procare Software, Tuition Express

The information contained in this document is provided to assist the user in its PCI DSS compliance. It is the sole responsibility of the user of this guide to follow the procedures contained herein in addition to other PCI requirements. Procare makes no claims that this information will guarantee PCI certification.

Table of Contents

Table of Contents ... 2
Notice ... 3
About this Document ... 4
Revision Information ... 5
Executive Summary ... 6
  Application Summary ... 6
  Typical Network Implementation ... 7
  Dataflow Diagram ... 7
Difference between PCI Compliance and PA-DSS Validation ... 8
Considerations for the Implementation of Tuition Express in a PCI-Compliant Environment ... 10
  Sensitive Credit Card Data requires special handling ... 10
  Remove Historical Credit Card Data ... 10
  Set up Good Access Controls ... 12
  Properly Train and Monitor Admin Personnel ... 13
  PCI-Compliant Remote Access ... 14
  Log settings must be compliant ... 14
  PCI-Compliant Wireless settings ... 15
  PCI-Compliant Use of End User Messaging Technologies ... 15
  Network Segmentation ... 16
  Never store cardholder data on internet-accessible systems ... 16
  Use SSL for Secure Data Transmission ... 16
  PCI-Compliant Delivery of Updates ... 17
  Maintain an Information Security Program ... 17
Application System Configuration ... 18
  Installing the Application (Procare Management System) ... 18
  Payment Application Initial Setup & Configuration ... 18
Conclusion ... 20

Notice

THE INFORMATION IN THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. PROCARE SOFTWARE MAKES NO REPRESENTATION OR WARRANTY AS TO THE ACCURACY OR THE COMPLETENESS OF THE INFORMATION CONTAINED HEREIN. YOU ACKNOWLEDGE AND AGREE THAT THIS INFORMATION IS PROVIDED TO YOU ON THE CONDITION THAT NEITHER PROCARE SOFTWARE NOR ANY OF ITS AFFILIATES OR REPRESENTATIVES WILL HAVE ANY LIABILITY IN RESPECT OF, OR AS A RESULT OF, THE USE OF THIS INFORMATION. IN ADDITION, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE SOLELY RESPONSIBLE FOR MAKING YOUR OWN DECISIONS BASED ON THE INFORMATION HEREIN.

Nothing herein shall be construed as limiting or reducing your obligations to comply with any applicable laws, regulations or industry Standards relating to security or otherwise including, but not limited to, PA-DSS and PCI DSS. The end user may undertake activities that may affect compliance. For this reason, Procare Software is required to be specific to only the Standard software provided by it.

About this Document

This document describes the steps that must be followed in order for your Tuition Express installation to comply with the Payment Application Data Security Standard (PA-DSS). The information in this document is based on the PCI Security Standards Council Payment Application Data Security Standard program (version 1.2, dated October 2008).

Procare instructs and advises its customers to deploy Procare's Tuition Express in a manner that adheres to the PCI Data Security Standard (v1.2). Subsequent to this, best practices and hardening methods, such as those referenced by the Center for Internet Security (CIS) and their various Benchmarks, should be followed in order to enhance system logging, reduce the chance of intrusion and increase the ability to detect intrusions, as well as other general recommendations to secure networking environments. Such methods include, but are not limited to, enabling operating system auditing subsystems, system logging of individual servers to a centralized logging server, the disabling of infrequently-used or frequently vulnerable networking protocols and the implementation of certificate-based protocols for access to servers by users and vendors.

If you do not follow the steps outlined here, your Tuition Express installation will not be PA-DSS compliant.

Please note that, based on the unique design of the Tuition Express service (software architecture and hosting services), several elements of the PA-DSS Standard do not apply. In order for us to be fully compliant in the writing of this Implementation Guide, each Standard will be referenced and discussed. Those Standards that do not apply will be so noted.

Bank Account Information

This Implementation Guide is required by VISA and MasterCard through the PCI SSC and discusses the handling and management of cardholder data. You will not find references to the management of bank account information that is processed through the Automated Clearing House (ACH) services. Procare addresses the security of bank account information in the same manner as cardholder data. The reader of this Implementation Guide can be assured that the highest level of security has been implemented within your Tuition Express service and that this security approach applies to both cardholder data and bank account information.

Proprietary and Confidential Information Page 4

Revision Information

Name | Title | Date of Update | Summary of Changes

Note: This PA-DSS Implementation Guide must be reviewed on a yearly basis, whenever the underlying application changes or whenever the PA-DSS requirements change. Updates should be tracked and reasonable accommodations should be made to distribute or make the updated guide available to users.

Executive Summary

Procare's Tuition Express Payment Application version 10.0 has been PA-DSS (Payment Application Data Security Standard) certified, with PA-DSS Version 1.2. For the PA-DSS assessment, we worked with the following PCI SSC approved Payment Application Qualified Security Assessor (PAQSA):

Coalfire Systems, Inc.
361 Centennial Parkway, Suite 150
Louisville, CO 80027

Coalfire Systems, Inc.
150 Nickerson Street, Suite 106
Seattle, WA 98109

This document also explains the Payment Card Industry (PCI) initiative and the Payment Application Data Security Standard (PA-DSS) guidelines. The document then provides specific installation, configuration, and ongoing management best practices for using Tuition Express as a PA-DSS validated Application operating in a PCI Compliant environment.

PCI Security Standards Council Reference Documents

The following documents provide additional detail surrounding the PCI SSC and related security programs (PA-DSS, PCI DSS, etc.):

- Payment Application Data Security Standard (PA-DSS): https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml
- Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
- Open Web Application Security Project (OWASP): http://www.owasp.org

Application Summary

Name: Tuition Express
Specific File Version Numbers: 10.0
Credit Card Server: N/A
Back Office: PCI Level One Compliant Back-end @ Tuition Express
Setup: Standard
Operating Systems: Microsoft Windows
Code base DB engine: Microsoft SQL Server 2005

Application Description: Electronic payment processing platform v10.0 for the purposes of transacting MOTO (card not present) and RETAIL (card present) credit card transactions. The application also allows the end user to process recurring ACH transactions.

Application Environment: Procare Software v10.0 will run in the following environments:
1. Desktop/Stand Alone
2. Client/Server

Application Target Clientele: Procare Software is exclusively marketed to childcare and child centered businesses. Users of the Tuition Express services MUST be users of Procare Software. Due to this integration, the Tuition Express service is exclusive to childcare and child centered businesses.

Typical Network Implementation

Dataflow Diagram

Difference between PCI Compliance and PA-DSS Validation

As a software vendor, our responsibility is to be PA-DSS Validated. We have performed an assessment and certification compliance review with our independent assessment firm to ensure that our Tuition Express platform conforms to industry best practices when handling, managing and storing payment related information.

PA-DSS is the Standard against which your Tuition Express Payment Application has been tested, assessed, and validated. PCI Compliance is then later obtained by the merchant, and is an assessment of your actual server (or hosting) environment. Obtaining PCI Compliance is your responsibility. As your host provider / processor, we have been certified PCI Level One compliant based on our server architecture, hardware & software configurations and access control procedures. This means all transactions submitted by you to us are processed and managed in a PCI compliant manner.

The PA-DSS Validation is intended to ensure that your Tuition Express will help you achieve and maintain PCI Compliance with respect to how Tuition Express handles user accounts, passwords, encryption, and other payment data related information.

The Payment Card Industry (PCI) has developed security Standards for handling cardholder information in a published Standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data. The PCI DSS requirements apply to all system components within the Tuition Express environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.

The 12 Requirements of the PCI DSS:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect Stored Data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS and Procare Software

As your host provider / processor, Tuition Express underwent a PCI DSS security audit in the 4th quarter of 2008. The audit was conducted by Coalfire Systems, the same auditors that have certified our application to be PA DSS compliant. The audit was based on Level One (1) requirements, the highest level of compliance required for a hosting provider. Procare's Tuition Express service was found to be in full compliance with all the Standards set forth by the PCI Security Standards Council. Currently, Procare is the only software developer within the childcare industry to be both PCI and PA DSS compliant. This gives the center end-to-end security and protection of its critical cardholder (and bank account) data.

Considerations for the Implementation of Tuition Express in a PCI-Compliant Environment

The following areas must be considered for proper implementation in a PCI-Compliant environment:

- Sensitive Credit Card Data requires special handling
- Remove Historical Credit Card Data
- Set up Good Access Controls
- Properly Train and Monitor Admin Personnel
- Key Management Roles & Responsibilities
- PCI-Compliant Remote Access
- Use SSH, VPN, or SSL/TLS for encryption of administrative access
- Log settings must be compliant
- PCI-Compliant Wireless settings
- Data Transport Encryption
- PCI-Compliant Use of Email
- Network Segmentation
- Never store cardholder data on internet-accessible systems
- Use SSL for Secure Data Transmission
- Delivery of Updates in a PCI Compliant Fashion

Sensitive Credit Card Data requires special handling

PCI Standards encompass a wide variety of issues associated with protecting cardholder data and the overall integrity of the credit card industry. Typically the following guidelines would apply when dealing with sensitive Credit Card data:

- Collect sensitive authentication data only when needed to solve a specific problem
- Store such data only in specific, known locations with limited access
- Collect only the limited amount of data needed to solve a specific problem
- Encrypt sensitive authentication data while stored
- Securely delete such data immediately after use

Since Procare is the developer of your Tuition Express application and your payment processor, cardholder data and authentication data are never stored within your local Tuition Express environment. Based on this approach, there should be no reason a user would need to collect authentication data such as CVV, CVV2, PIN numbers, etc. Procare's Tuition Express service hosts all cardholder data within its PCI Level One compliant environment and would address troubleshooting requests internally. This eliminates exposure of cardholder data and authentication data in your local Tuition Express environment, maintains section 1.1.5 PA DSS compliance, and protects cardholder data. In the event we need to utilize authentication data for troubleshooting, we will comply with the PCI DSS 3.2 Standard associated with the handling, storing and disposal of such data.

Remove Historical Credit Card Data

In order to comply with PA DSS requirement 1.1.4, historical data must be removed from previous versions of Procare, specifically magnetic stripe data, card validation codes, PINs, or PIN blocks. The removal of such data is absolutely necessary for PCI compliance.

Our responsibility as the application developer is to ensure prohibited magnetic-stripe data is not stored or retained anywhere within your Tuition Express environment. Neither previous versions of Tuition Express nor the version associated with this documentation store authentication data. All versions of Tuition Express capable of transacting POS transactions (swiped or key entered) are designed to meet the requirements of PA-DSS section 1.1.4. Your application's compliance with this section in turn meets your requirements of PCI DSS 3.2 through 3.2.3, where:

3.2 Sensitive authentication data should not be stored after authorization.
3.2.1 Do not store full contents of any track/magnetic-stripe data.
3.2.2 Do not store the card-verification code or the 3 or 4 digit number printed on the back of the card.
3.2.3 Do not store the Personal Identification Number (PIN).

[Note: Tuition Express does not utilize PIN Block Data (PIN Numbers associated with debit cards), thus PA DSS section 1.1.3 does not apply.]

How Tuition Express Works

Point of Sale (face-to-face transactions)

Procare developed your Tuition Express POS service to only use magnetic-stripe data in the authorization process. At no time is magnetic stripe data stored within the local Tuition Express environment. Additionally, your service has been designed based on the Authorization/Settle model. This means no cardholder data (e.g. Primary Account Number/PAN) nor the related authorization codes (e.g. CVV, CVV2) is ever stored in your local Tuition Express environment. This delivers added security to you and is in compliance with PA DSS requirements.

Recurring Payment Services

When cardholder data is introduced into the Tuition Express environment for purposes of recurring payments, it is automatically transmitted to Tuition Express and tokenized (see note below) upon exit of the Set Up screen. Once tokenization occurs, the account number is neutered in accordance with PCI requirements. The neutering process renders the Primary Account Number (PAN) of the cardholder unreadable / unusable to anyone who might want to exploit this information. The only thing that remains visible to the user is a masked number: the first two digits and the last 4 digits of the account number. The masking of the account number is in accordance with PA DSS requirement 2.2 and PCI DSS requirement 3.3.

[Note: Tokenization is the act of assigning a series of alphanumeric characters to the credit card number submitted for the purposes of 1) removing the actual credit card account number for security purposes and 2) transacting payment requests without exposing the actual credit card information.]

Purging of Cardholder Data

Under section 2.1 of the PA DSS Standard, cardholder data must be purged after the expiration of a customer defined retention period. Additionally, we are to provide you a list of all locations where cardholder data may be stored. As mentioned above, cardholder data does not reside within your Tuition Express environment. The token associated with the cardholder's account is the only data element residing within your Tuition Express environment. The token is generated via a proprietary algorithm and has no cardholder data that would allow exploitation. Based on this software architecture, section 2.1 does not apply.

[Note: It is always prudent to clear the Tuition Express account information upon request of the cardholder or after withdrawal of the client from Tuition Express. To clear the Tuition Express information, go to the cardholder's Tuition Express Set Up screen and click on the Clear button. This will terminate the account and avoid accidental processing of payments against the cardholder.]

Cryptographic Key Removal

PA DSS section 2.7 states that all cryptographic key materials or cryptograms must be removed. Procare does not encrypt and decrypt cardholder data. Based on the process of tokenization, cardholder data is not stored within your local Tuition Express environment. Section 2.7 of the PA DSS does not apply.

Set up Good Access Controls

PA DSS section 3.2 requires that access to the Tuition Express environment be protected through the use of unique user names and complex passwords. Unique user accounts indicate that every account used is associated with an individual user and/or process. In accordance with PCI requirement 8.5.8, the use of generic group accounts (access by more than one user) is strictly prohibited. Finally, if any default accounts were provided with your operating system, databases and/or devices, they should be completely removed, disabled, or renamed whenever possible. At a minimum these accounts should have PCI DSS compliant complex passwords and not be used. Examples of default administrator accounts include administrator (Windows systems), sa (SQL/MSDE), and root (UNIX/Linux).

[Note: These password controls are not intended to apply to employees who only have access to one card number at a time to facilitate a single transaction (POS Environment). These controls are applicable for access by employees with administrative capabilities and for access controlled by the application.]

Password Complexity

PCI requirements 8.1 & 8.2 require the following password complexity for compliance (often referred to as using "strong passwords"):

- Passwords must be changed at least every 90 days (PCI 8.5.9)
- Passwords must be at least 7 characters (PCI 8.5.10)
- Passwords must include both numeric and alphabetic characters (PCI 8.5.11)
- New passwords cannot be the same as the last 4 passwords (PCI 8.5.12)

PCI user account requirements beyond uniqueness and password complexity are listed below:

- If an incorrect password is provided 6 times, the account will be locked out (PCI 8.5.13)
- Account lock out duration will be 30 min. (or until an administrator unlocks it) (PCI 8.5.14)
- Do not use group, shared, or generic user accounts (use of these types of accounts will result in PCI non compliance) (PCI 8.5.8)
- Sessions idle for more than 15 minutes will require re-entry of username and password to reactivate the session (PCI 8.5.15)

Customers are advised not to change the Installation Settings for unique user IDs. Changing these settings will result in PCI DSS non compliance.
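The account rules listed above (PCI 8.5.9 through 8.5.15), together with the audit-trail fields this guide lists under its logging section (PCI 10.2 and 10.3), can be checked mechanically. The following Python is an added example written for this guide, not Procare's or Tuition Express's code; it assumes an in-memory account store, PBKDF2-SHA256 hashing with one salt per account, and an injectable clock, all of which are constructed choices.

```python
"""PCI DSS 8.5.x-style account controls with an audit trail carrying the
PCI DSS 10.3.1-10.3.6 fields. Added example, not Procare/Tuition Express code.
Constructed assumptions: in-memory accounts, PBKDF2 hashing, injectable clock."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

MIN_LENGTH = 7                      # PCI 8.5.10
HISTORY_DEPTH = 4                   # PCI 8.5.12: no reuse of the last 4
MAX_AGE = timedelta(days=90)        # PCI 8.5.9
MAX_FAILURES = 6                    # PCI 8.5.13
LOCKOUT = timedelta(minutes=30)     # PCI 8.5.14
IDLE_LIMIT = timedelta(minutes=15)  # PCI 8.5.15


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuditEvent:
    user_id: str         # 10.3.1 user identification
    event_type: str      # 10.3.2 type of event
    timestamp: datetime  # 10.3.3 date and time
    success: bool        # 10.3.4 success or failure indication
    origin: str          # 10.3.5 origination (e.g. workstation name)
    resource: str        # 10.3.6 affected data, component or resource


@dataclass
class Account:
    user_id: str
    salt: bytes
    history: List[bytes]  # newest first; history[0] is the current password
    changed_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


class AuthController:
    def __init__(self, now: Callable[[], datetime]):
        self._now = now          # clock is injected so time rules are testable
        self.accounts = {}
        self.audit: List[AuditEvent] = []

    def _log(self, user_id, event_type, success, origin, resource="application_login"):
        self.audit.append(AuditEvent(user_id, event_type, self._now(), success, origin, resource))

    @staticmethod
    def check_complexity(password: str) -> bool:
        """PCI 8.5.10 / 8.5.11: at least 7 characters, with both letters and digits."""
        return (len(password) >= MIN_LENGTH
                and any(c.isalpha() for c in password)
                and any(c.isdigit() for c in password))

    def create_account(self, user_id: str, password: str, origin: str) -> None:
        if not self.check_complexity(password):
            raise ValueError("password does not meet PCI 8.5.10/8.5.11")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, [_hash(password, salt)], self._now())
        self._log(user_id, "account_create", True, origin, "user_store")  # 10.2.7

    def change_password(self, user_id: str, new_password: str, origin: str) -> bool:
        acct = self.accounts[user_id]
        digest = _hash(new_password, acct.salt)
        reused = any(hmac.compare_digest(digest, old) for old in acct.history)
        ok = self.check_complexity(new_password) and not reused  # 8.5.10 - 8.5.12
        if ok:
            acct.history.insert(0, digest)
            del acct.history[HISTORY_DEPTH:]  # retain only the last 4 digests
            acct.changed_at = self._now()
        self._log(user_id, "password_change", ok, origin, "user_store")
        return ok

    def login(self, user_id: str, password: str, origin: str) -> str:
        now = self._now()
        acct = self.accounts.get(user_id)
        if acct is None or (acct.locked_until and now < acct.locked_until):
            self._log(user_id, "login", False, origin)       # 10.2.4 invalid attempt
            return "unknown_user" if acct is None else "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.history[0]):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:                # 8.5.13
                acct.locked_until = now + LOCKOUT            # 8.5.14
                self._log(user_id, "account_lockout", True, origin)
            self._log(user_id, "login", False, origin)       # 10.2.4
            return "bad_password"
        acct.failures, acct.locked_until, acct.last_activity = 0, None, now
        self._log(user_id, "login", True, origin)            # 10.2.5
        return "password_expired" if now - acct.changed_at > MAX_AGE else "ok"  # 8.5.9

    def touch_session(self, user_id: str) -> bool:
        # Refresh the session; returns False and ends it if idle > 15 min (8.5.15).
        acct, now = self.accounts[user_id], self._now()
        if acct.last_activity is None or now - acct.last_activity > IDLE_LIMIT:
            acct.last_activity = None
            self._log(user_id, "session_timeout", True, "local", "session")
            return False
        acct.last_activity = now
        return True
```

A password-expired result should only admit the user to the password-change screen, which is what the caller is expected to enforce.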

These same account and password criteria must also be applied to any applications or databases included in payment processing to be PCI compliant. Tuition Express, as tested in our PA-DSS audit, meets or exceeds these requirements.

Administrative Access

Tuition Express requires unique usernames and complex passwords for all access. It is strongly advised that users control access, via unique usernames and PCI DSS-compliant complex passwords, to any personal computers (PCs), servers, and databases which are associated with or access your Tuition Express environment. Failure to use these Standards will result in non-compliance:

- Do not use administrative accounts for application logins (e.g., don't use the administrator account for application access to the database).
- Assign strong passwords to these default accounts (even if they won't be used), and then disable or do not use the accounts.
- Assign strong application and system passwords whenever possible.
- Create PCI DSS-compliant complex passwords to access Tuition Express, per PCI Data Security Standard 8.5.8 through 8.5.15.
- Control access, via unique username and PCI DSS-compliant complex passwords, to any PCs, servers or databases associated with the payment application environment.

Non-Console Administration

PA DSS Standard 13.1 requires encryption when administrative access is allowed via a non-console environment. Your Tuition Express does not allow for non-console access, therefore PA DSS 13.1 does not apply. [Note: Non-console access means accessing the payment application environment from a computer that the payment application doesn't actually reside on.]

Windows Access

Users must set their Windows screensaver to an idle timeout not to exceed 15 minutes. Users are encouraged to implement the password complexity requirements listed above within their operating system environment to fully secure access to the Tuition Express environment.

Properly Train and Monitor Admin Personnel

It is your responsibility to institute proper management techniques for allowing administrative user access to sensitive areas of the Tuition Express environment. In most systems / applications, a security breach is the result of unethical personnel within the organization. So pay special attention to whom you trust in your Tuition Express environment and whom you allow to manage payment information.

Encryption Key Management Roles & Responsibilities

The PA DSS 2.4 to 2.7 Standards require specific management of encryption keys and cryptograms:

- If disk encryption is used, logical access must be managed (PCI 3.4.1)
- The payment application must protect cryptographic keys (PCI 3.5)
- Key management and procedures must be in place for encryption of cardholder data (PCI 3.6)

- Securely delete cryptographic key material or cryptograms stored by previous versions (PCI 3.6)

Tuition Express does not utilize encryption key technology to protect cardholder data within your local Tuition Express environment. The process of tokenization circumvents the need for implementing encryption technology (as it applies to PA DSS and PCI DSS), therefore PA DSS sections 2.4 to 2.7 do not apply.

PCI-Compliant Remote Access

Section 11 of the PA DSS Standard requires that if employees or administrators are granted remote access to the payment application environment, access should be authenticated using a two-factor authentication mechanism (username/password and an additional authentication item such as a token or certificate). Based on the software design of Tuition Express (tokenization of cardholder information) combined with Tuition Express being your host provider, Remote Access is not required nor has it been built into your application. Therefore section 11 of the PA DSS Standard does not apply.

Log settings must be compliant

Tuition Express has logging enabled. This logging is not configurable. [Note: the disabling of any logging functions within the Tuition Express environment is prohibited and will result in PCI non compliance.] Your Tuition Express has robust logging operations that track all PCI related security events. This is in accordance with section 4 of the PA DSS Standard and PCI security Standards 10.1 & 10.2. Logging is necessary to allow all parties to reconstruct events in an attempt to assess and remedy issues associated with your Tuition Express.

The following audit trail information is logged for all system components:

- All individual user access to the Tuition Express environment (PCI 10.2.1)
- All actions taken by any individual with root or administrative privileges (PCI 10.2.2)
- Access to all audit trails (PCI 10.2.3)
- Invalid logical access attempts (PCI 10.2.4)
- Use of identification and authentication mechanisms (PCI 10.2.5)
- Initialization of the audit logs (PCI 10.2.6)
- Creation and deletion of system-level objects (PCI 10.2.7)

In addition to the events listed above, the following audit trail entries are logged:

- User identification (PCI 10.3.1)
- Type of event (PCI 10.3.2)
- Date and time (PCI 10.3.3)

Success or failure indication (PCI 10.3.4) Origination of event (PCI 10.3.5) Identity or name of affected data, system component, or resource (PCI 10.3.6). PCI-Compliant Wireless settings Procare s Tuition Express was not designed to be installed within a wireless environment nor have we bundled third party wireless applications with Tuition Express. However that doesn t restrict you from introducing Tuition Express into wireless situation (eg. Laptop at front desk connected to a wireless router that is connected to your server where Tuition Express resides). If you install your Tuition Express into a wireless environment, you must use compliant wireless settings, per PCI Data Security Standard 1.2.3, 2.1.1 and 4.1.1: PCI requirement 1.2.3 requires that a perimeter firewall must be installed between any wireless networks and systems that store cardholder data. These firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. PCI 2.1.1 requires: All wireless networks implement strong encryption (e.g. AES) Encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions Default SNMP community strings on wireless devices were changed Default passwords/passphrases on access points were changed Firmware on wireless devices are updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2) PCI 4.1.1 requires: Industry best practices are used to implement strong encryption for the following over the wireless network in the cardholder data environment (4.1.1): o Transmission of cardholder data o Transmission of authentication data Payment applications using wireless technology must facilitate the following regarding use of WEP: o For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. 
o For current wireless implementations, it is prohibited to use WEP after June 30, 2010. Failure to implement these settings and practices when wireless technology is a part of the Tuition Express will result in PCI non compliance. PCI-Compliant Use of End User Messaging Technologies Under PA DSS 12.2.b if an application allows for the transmission of Primary Account Numbers (PAN) through messaging technologies (for example, e-mail, instant messaging, and chat) then strong cryptology methods must be applied. Tuition Express does not have functionality for sending of Primary Account Numbers (PAN) over public networks therefore section 12.2.b does not apply. Proprietary and Confidential Information Page 15
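The audit trail fields listed earlier in this guide (PCI DSS 10.2 and 10.3) are only useful if every record actually carries them. The Python validator below is an added example, not Procare's code; the JSON key names, the event names and their mapping to 10.2 items are assumptions of the example. It checks constructed sample records for the six 10.3 entries, rejects ambiguous timestamps and result values, and flags events that are not mapped to any 10.2 category.

```python
import json
from datetime import datetime

# PCI DSS 10.3.1-10.3.6: every audit record must carry these six entries.
# The JSON key names (left) are an assumption of this example, not Procare's format.
REQUIRED_FIELDS = {
    "user": "10.3.1 user identification",
    "event": "10.3.2 type of event",
    "time": "10.3.3 date and time",
    "result": "10.3.4 success or failure indication",
    "origin": "10.3.5 origination of event",
    "target": "10.3.6 affected data, system component or resource",
}
# PCI DSS 10.2.1-10.2.7: event types that must be logged at all (event names assumed).
EVENT_CATEGORIES = {
    "user_login": "10.2.1 individual user access",
    "admin_action": "10.2.2 action by root/administrative user",
    "audit_log_read": "10.2.3 access to audit trails",
    "login_failed": "10.2.4 invalid logical access attempt",
    "auth_mechanism": "10.2.5 use of identification/authentication mechanism",
    "audit_log_init": "10.2.6 initialization of audit logs",
    "object_change": "10.2.7 creation/deletion of system-level object",
}

def validate_record(line):
    """Return the problems found in one JSON audit record; an empty list means OK."""
    try:
        rec = json.loads(line)
    except ValueError:
        return ["record is not valid JSON"]
    problems = [f"missing {desc}" for key, desc in REQUIRED_FIELDS.items() if not rec.get(key)]
    if rec.get("time"):
        try:  # 10.3.3: require an unambiguous timestamp with UTC offset
            datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S%z")
        except ValueError:
            problems.append("10.3.3 time is not an ISO-8601 timestamp with offset")
    if rec.get("result") not in (None, "success", "failure"):
        problems.append("10.3.4 result must be 'success' or 'failure'")
    if rec.get("event") and rec["event"] not in EVENT_CATEGORIES:
        problems.append(f"10.3.2 event '{rec['event']}' is not mapped to a PCI 10.2 category")
    return problems

def audit(lines):
    """Validate every record; return {record_number: problems} for failing records only."""
    return {n: p for n, p in ((n, validate_record(l)) for n, l in enumerate(lines, 1)) if p}
# Constructed sample records (not real Tuition Express log output).
SAMPLE_LOG = [
    '{"time":"2012-01-15T09:02:11+0000","user":"jsmith","event":"user_login","result":"success","origin":"10.0.0.12","target":"TuitionExpress"}',
    '{"time":"2012-01-15T09:05:40+0000","user":"admin","event":"admin_action","result":"success","origin":"10.0.0.5"}',
    '{"time":"01/15/2012","user":"","event":"login_failed","result":"denied","origin":"10.0.0.33","target":"TuitionExpress"}',
]
```

Calling `audit(SAMPLE_LOG)` reports records 2 and 3: the second lacks the affected resource, the third lacks a user id and carries a non-ISO timestamp and a non-standard result value.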

Network Segmentation
The PCI DSS requires that firewall services be used (with NAT or PAT) to segment network segments into logical security domains based on the environmental needs for internet access. Traditionally, this corresponds to the creation of at least a DMZ and a trusted network segment, where only authorized, business-justified traffic from the DMZ is allowed to connect to the trusted segment. No direct incoming internet traffic to the trusted application environment can be allowed. Additionally, outbound internet access from the trusted segment must be limited to required and justified ports and services. Refer to the Standardized Network diagram for an understanding of the flow of encrypted data associated with Tuition Express.

Never Store Cardholder Data on Internet-Accessible Systems
Section 9 of the PA-DSS Standard states that cardholder data must never be stored on a server connected to the internet. Since neither cardholder data nor any authentication data (CVV and PIN block data) is stored within your Tuition Express environment, this section does not apply.

Use SSL for Secure Data Transmission
The PCI DSS requires the use of strong cryptography and encryption techniques with at least 128-bit encryption strength (either at the transport layer with SSL or IPSEC, or at the data layer with algorithms such as RSA, Triple-DES or AES) to safeguard sensitive cardholder data during transmission over public networks (this includes the Internet and Internet-accessible DMZ network segments). Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), Global System for Mobile Communications (GSM), and General Packet Radio Service (GPRS). Refer to the Dataflow diagram for an understanding of the flow of encrypted data associated with the payment application.

4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi Protected Access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS.

Procare has designed its Tuition Express service utilizing 128-bit encryption and Secure Sockets Layer (SSL) technology. It is the responsibility of the end user to establish and utilize proper encryption technologies and procedures when connecting to the payment application environment via a wireless device. PCI Standard 4.1.1 states: "For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi Protected Access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS."

[Note: The use of Wired Equivalent Privacy (WEP) to protect confidentiality is no longer accepted by the Payment Card Industry Security Standards Council (PCI SSC). Use of the WEP standard will result in PCI non-compliance.]

PCI-Compliant Delivery of Updates
As a development company, we keep abreast of the relevant security concerns and vulnerabilities in our area of development and expertise. We do this by using a proprietary implementation and exclusive, non-configurable update access to us. We do not deliver software and/or updates via remote access to customer networks. It is the responsibility of the end user to download the update from Procare utilizing the download option within their Procare Management System.

Mandatory Updates
Once we identify a relevant vulnerability that requires attention, we work to develop and test an update/patch that helps protect your Tuition Express environment against the new vulnerability. Procare will make every attempt to publish an update/patch within 10 days of the identification of the vulnerability. Once the update/patch has been vetted, notification of a required update will be e-mailed to all users. Tuition Express users are expected to respond quickly and install available updates/patches within 30 days.

[Note: Mandatory updates will result in minimum supported versions of your Procare Software / Tuition Express. Failure to update to the minimum supported version will result in disruption of your service.]

Procare will not be responsible for any breach in security or data compromise that results from a Tuition Express user's failure to update or install a patch in a timely manner.

Maintain an Information Security Program
In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data. The following is a very basic plan every merchant/service provider should adopt in developing and implementing a security policy and program:
- Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements.
- Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data.
- Create an action plan for on-going compliance and assessment.
- Implement, monitor and maintain the plan. Compliance is not a one-time event. Regardless of merchant or service provider level, all entities should complete annual self-assessments using the PCI Self-Assessment Questionnaire.
- Call in outside experts as needed.

Application System Configuration
Below are the operating systems and dependent application patch levels and configurations supported and tested for continued PCI DSS compliance.

Operating System:
- Windows Vista (SP1 or later)
- Windows XP (SP2 or later)
- Windows 2000 (SP4 or later)
- Windows Server 2008
- Windows Server 2003 (SP1 or later)

Application / Database:
- .NET Framework 2.0 SP1 or later (distributed with Procare)
- SQL Server 2005 Express Edition SP3 or later (distributed with Procare), or use your own SQL Server 2005 SP3 or later
- Network Card (NIC) required

Installing the Application (Procare Management System)
How is it installed? Installation is based on the role each computer will play. A computer will either host the data or be a client that accesses the data. Some computers will play both roles.

Procare V10 Clients
Roles: both host and client (install database server, licensing server, and client software)
Note: By default, this local database will not be available for connection over a network; this may be changed if needed.

Peer Network
Roles: Client/server = both host and client (install database server, licensing server, and client software); other computers = client (install client software only)

Server Based Network
Roles: Client/server = host (install database server and licensing server); other computers = client (install client software only)

Payment Application Initial Setup & Configuration
The following information is provided to facilitate the end user's initial set up of Procare's Tuition Express service.

We prefer to do one-on-one training with all our new clients to properly configure the service and familiarize the end user with the rules and services associated with Tuition Express. For those that elect to configure the service independent of the one-on-one training, please do the following:
- Verify that Payment Descriptions coincide with the services used.
  o Go to Procare Home, Configuration, System, Family Accounting, Charge/Credit Descriptions, Payments
  o Add your custom descriptions or re-configure existing Payment Descriptions
- Configure your Tuition Express Account by doing the following:
  o Go to Procare Home, Configuration, System, Region & Schools
  o Select Region/School (if your organization runs multiple locations utilizing different regions, expand the tree for the desired Region and select the specific school to be set up with Tuition Express services)
  o Click Set Options to activate the School Options section
  o Select Family Accounting
  o In the Tuition Express section input the following required information:
    - Account Number
    - ACH Batch Description
    - Credit Card Batch Description
    - Point of Sale (POS) Payment Description
    - Batch Bank Account For Deposit Report
    - Allow Batch Comment (optional)
    - Allow Processing Date Change (optional)
    - Minimum Transaction Amount
Once these steps have been completed the service will be active.

Defining a Gateway
Since Procare is the developer of your payment application and Procare's Tuition Express service is your gateway to processing credit card transactions, no special instructions or procedures are required. Your Tuition Express service has been pre-configured to connect exclusively to Tuition Express.

Conducting Test Transactions
The end user does not need to initiate test transactions. Tuition Express will conduct a test transaction on the end user's behalf to verify that the account has been set up properly, that the Merchant ID number assigned to your organization is valid, and to confirm that the merchant account is live.
Special Instructions for Upgrades
All upgrades associated with Tuition Express will be completed through routine updates of the end user's Procare Management System. In the event of a critical update (security enhancements, etc.), end users will be notified via an e-mail campaign as well as postings on the company website. All critical updates have to be completed within the specified timeline (typically 10 business days) or the end user runs the risk of account suspension until the minimum supported version is being utilized to transact credit card payments.

Resetting Administrator Passwords
It is the responsibility of the end user to develop policies and procedures to reset administrative passwords. Typically the end user will be required to have someone within the organization with equal or higher privileges reset the password in accordance with the rules above, or they will need to contact Tuition Express for assistance. In the event the end user needs to contact us, the following information must be submitted via a signed fax request:
- Name and address of center
- Name and title of the requestor
- Name of affected Administrator (the one who forgot their login information)
- Username of the affected Administrator

Conclusion
As your payment application developers, we have designed Tuition Express to conform to the PA-DSS v1.2 Standards. Your Tuition Express application has been certified compliant by Coalfire Systems. Throughout this Implementation Guide we have educated you on the importance of processing credit card transactions in a safe and secure environment. By implementing the PCI requirements, you reduce the potential of a cardholder data compromise. But remember, it is your responsibility to develop a security program reflective of your PCI compliance level and register your compliance with the PCI SSC.

Thank you.
Tuition Express