Installing Theatre Manager

This guide provides instructions for installing or upgrading Theatre Manager that is very similar on all platforms. Since Theatre Manager is a point of sale application for your venue that can deal with credit card information, care must be taken to install it using the steps that follow to ensure PCI compliance.

There are three components to the Theatre Manager System

  • The Postgresql database server
  • The Theatre Manager desktop application used by Box Office, Development, Marketing, Finance, etc for daily activities
  • The Web Services (also known as the Director) that can be configured to handle various web related functions including:
    • The TM Web Listener service that responds to all online patron requests.
    • The Web server that passes web requests from Patrons to the TM Web Listener

The installation of the database server, Theatre Manager and web sales is relatively simple and can be done in a few minutes.

The installation procedures are constantly updated with the latest instructions to implement Theatre Manager in a PCI manner.

Achieving PCI compliance for your venue comes with how you install it on your network and other protections you put in place. These protections are mandated by PCI standards regardless of whether or not you use software in your operation. We hope that our instructions make it easy for a merchant to meet PCI DSS compliance.

We have placed alerts similar to this throughout the installation documentation to signify areas of particular concern to the PCI standards council. Please pay particular attention to these alerts as they contain valuable information to assist venues meeting PCI compliance.

The steps that follow indicate how to install and run Theatre Manager in a manner that will help you meet your PCI compliance requirements as outlined in the latest PCI quick reference guide. A venue that chooses to opt out of some of the safety and security measures in this document needs to be aware that they have chosen to bypass some aspects of the compliance required in the merchant agreement with their bank and the PCI Security Standards Council that is operated by the credit card companies.

Venues may opt out of any compliance step by signing the appropriate area. The credit card companies have placed the onus on all point of sale software providers to help merchants meet compliance (instead of the banks) and highlight areas to address.

Theatre Manager assists you in meeting PCI compliance because:

  • it is audited and certified per PCI requirements by an accredited third party for your protection
  • it provides the following PA-DSS installation instructions designed to help you implement your internal card practices in a safe manner
Step Purpose Optional Installation instructions or link Who
1. Network Setup Mandatory Setting up network for PCI compliance Artsman Venue
2. Installation of Postgres Server Mandatory Platform specific install instructions ArtsMan
3. Installation of Theatre Manager Mandatory Platform specific install instructions Venue
4. Installation of a customer database Optional If this is the first time that Theatre Manager is being installed at a venue, an 'empty' venue specific serialized database will be provided. It will only contain the zip code lookup table and sample code tables. ArtsMan
5. Credit Card Authorization Optional Theatre Manager provides a selection of service providers for credit card authorization.

Venue Artsman

6. Installation of the Nginx Server Optional Installation of the Nginx server is platform specific if you are using web sales. ArtsMan
7. Setup TLS certificate Optional If you are using web sales, you must set up an TLS certificate and configure your firewall to allow web traffic. You will need to set up a DNS record for 'tickets.yourvenue.org' rather than assigning the TLS to a static IP address. ArtsMan
8. Upgrade of existing web pages Optional This step indicates the general changes to existing web pages that must be made when migrating from any version to any other version.

In addition, a venue must be aware of OWASP and should bookmark it in their browser. This site has a 'top 10' list of ongoing security considerations and standards for web site development. Arts Management reviews and implements each years suggestions annually - see this years top 10.

Finally, if you accept credit cards on the internet, you may need an application firewall as per PCI requirement 6.6 and the web pages are significantly changed. We are looking at mod_security and may put that into a future release of the apache server on your behalf.

Venue
9. Initial settings in TM Mandatory After Theatre Manager and the database have been installed, you will need to review minimum key standards and other security features for PCI compliance. ArtsMan Venue
10. Remote Access Optional This step is a discussion on remote access and what a venue need to do if they wish to provide that for themselves, for Remote Box Offices.

There are considerations for using RDP within the network and enabling security.

Arts Management uses a tool for remote remote support called teamviewer.

ArtsMan Venue
11. Policy Manual Additions mandatory These are some policies that should be added to the customer service and/or security policy manual at a venue for PCI compliance. Venue ArtsMan

PCI Compliance

A Merchant's PCI compliance is obtained by setting up the network and office policies in the appropriate manner and following a few simple rules (green in the diagram). This is required regardless of the software used to process credit cards and can generally be done at a reasonable cost.

The software or hardware provided by any vendor is only a portion of the merchant's ability to meet PCI compliance. Software provided by vendors must meet the prevailing PCI PA-DSS and PCI-SSF standards to assist the merchant to meet overall PCI compliance.

Please familiarize yourself with the definitions of key terms used by the PCI DSS, PA-DSS, and key terms used by PCI SSF set by the Security Standards Council. Full documentation can be downloaded from the Official PCI Security Standards Council Site.

Meeting compliance requires some due diligence and is determined by the PCI compliance level guideline your organization needs to attain.

Depending on how your venue processes transactions, your venue can be Schedule 'A', 'A-EP', 'B','C', or 'D'.

The life cycle of a standard provided by the PCI Security Standards Council is approximately every 2 to 3 years. Once approved at a standard, it is valid even though future standards are being worked on.

The following table illustrates a brief historical summary of Theatre Manager PCI compliance

Version Standard Status Action
11.0

PCI PA/DSS 3.2.1

SSF 1.1

Theatre Manager version 11 has been reviewed for its PCI PA/DSS 3.2.1 audit as part of the 3 year cycle. A new audit for Secure Software Framework (SSF) 1.1 was completed at the same time.

The onsite assessment audit took place November 7 - 10, 2022 and the final document was approved by the PCI Security Standard Council with an expiry date of October 4, 2026 for new installations. The image (above) is from the PCI Security Standards Council's website of validated applications. Search for Arts Management.

All vendors are required to tell you this.

All upgrade automatically occurs - no action required by venue
11.0 PCI PA/DSS 3.2.1 Theatre Manager version 11.0.zz has been reviewed for its PCI PA/DSS 3.2.1 audit as part of the 3 year cycle.

The audit took place in September 16 - 20, 2019 the final document was approved by the PCI Security Standards Council with an expiry date of October 28, 2022 for new installations. The image (above) is from the PCI Security Standards Council's website of validated applications. Search for Arts Management.

All vendors are required to tell you this.

Upgrade automatically occurs July 2020
10.06 PCI PA/DSS 3.1 Theatre Manager version 10.06.zz has been reviewed for its PCI PA/DSS 3.1 audit as part of the 3 year cycle.

The audit took place in October 2015 the final document was approved by the PCI Security Standards Council with an expiry date of October 28, 2019 for new installations. The image (above) is from the PCI Security Standards Council's website of validated applications. Search for Arts Management.

All vendors are required to tell you this.

Upgrade October 2015
10.02 PCI PA/DSS 2.0 Theatre Manager version 10.02 has been reviewed for its PCI PA/DSS 2.0 audit as part of the annual change cycle.

The audit took place in October 2014 the final document was approved by the PCI Security Standards Council.

All vendors are required to tell you this.

Upgrade October 2014
10.00 PCI PA/DSS 2.0 Theatre Manager version 10 has been reviewed for its PCI PA/DSS 2.0 audit as part of the 3 year cycle.

The audit took place in July 2013 the final document was approved by the PCI Security Standards Council in October 2013. The image to the left is from the PCI Security Standards Council's website of validated applications. Search for Arts Management.

All vendors are required to tell you this.

Upgrade October 2013
9 PCI PA/DSS 1.2 Theatre Manager meets the PCI PA/DSS 1.2 standard and approved by the PCI Security Standards Council in December 2010. Upgrade to version 9 ASAP
8 PABP 1.4 Theatre Manager meets the PABP 1.4 standard and was certified in October 2008. Please refer to our certificate and approval by Visa - page 6. Install 2008
7 **Self Assessed in 2006 Theatre Manager implements the standards required of PABP 1.4 (as of 2006), including 3DES high encryption of cards, and does not store any track II or CVV2 information. However, this version is neither audited nor certified by an external vendor (not a requirement from the PCI Security Standards Council at the time). Version 7 has the same security measures as version 8 and was simply renamed version 8 as part of the audit. CD's Sent
6 **Self Assessed in 2003 Theatre Manager implements almost all PCI security features in effect at the time (early 2000's). Card encryption is DES and it does not track CVV2 information. Version 6 can be considered PCI compliant. Diskettes Sent

** Please note: PCI requirements have changed over the years. At one time, the PCI Security Standards Council required that vendors of software 'self assess' that they have followed the guidelines. At Arts Management, we have always taken card security and privacy of information seriously and implemented many PCI features before there were published rules. That is why we felt able to meet the self assessment criteria in force at the time. However, there is a much greater need for security than ever before and we encourage merchants to fulfill their obligations to merchant agreements and upgrade to the 'certified' versions of Theatre Manager - which have been audited by external companies as meeting all the rules in effect at the time of the audit.

Network Diagram for PCI Compliance

The block diagram below explains the general setup of a network that is required to implement Theatre Manager in a PCI compliant manner.

Feel free to print this setup document. If any part of the network setup cannot be made to comply with the diagram, you will need to address that at a later date to become PCI compliant. Some sample machine requirements are in the table in the picture, or you can view descriptive information on sample computer specs (Click to enlarge as a pdf)

PCI compliance requirements for Credit Card authorization

Overview

There are 7 parts to the basic network in the diagram above that are described in more detail in the following sections. The firewall is the glue that connects them all together, yet protects each part from the other (also see firewall rules). Only 4 parts are in PCI scope, the others are simply illustrations of how customers, volunteers, actors and other devices interact with your network.

 

In PCI Scope (inside the firewall) if they touch credit card info:

  1. The main firewall
  2. the DMZ - contains only the Apache server and restricts what can be accessed from the internet.
  3. OFFICE Lan - all wired devices in the office. Computers that access any Credit Card information should always be hardwired, or access via a secure VPN
  4. Remote box office

 

Out of PCI Scope

  1. You can exclude ranges of workstations if you've told TM that they cannot process cards by creating a subnet mask that focuses on only those that can in the System Preferences->PCI Tab
  2. You can exclude the database server if you set TM to be PCI Schedule 'C' compliance in the System Preferences->PCI Tab and sue P2PE decides and hosted payments for online.
  3. Outside the firewall - basically the internet and customers purchasing online
  4. VENUE Lan - any staff, volunteers, or actors using wired or wireless devices and who are not capable of processing or looking at credit cards.
  5. Ticket scanners used at the venue
  6. P2PE devices like Moneris P400 which do not share PCI related data with Theatre Manager. Theatre Manager simply activates the P2PE device, which is outside PCI scope as there is no direct connection to the device from Theatre Manager.
If you are attempting to meet Schedule 'C' compliance for Theatre Manager, the database and a number of workstations can be taken out of scope. Credit cards will never pass through the database and most workstations can be denied the ability to process cards. Doing this effectively limits PCI scope to very few machines.
You can also whitelist computers or blacklist a network segment to prevent any computer from taking credit cards -- which also takes it out of scope as credit cards never pass through the user workstation.
The diagram shows servers as separate machines per PCI requirement 2.2.1. This can be implemented either as physical or virtual machines to achieve the goal of one primary function per server to mitigate security level differences in the purpose of the machine.

AMS Private Cloud Diagram for PCI A, B, or C

Venues using Theatre Manager can take computers out of PCI scope as per the diagram below. A device is in scope if a credit card touches or passes through it. Devices are out of PCI scope if they can never see any credit card information pass through at any time. AMS Cloud causes most things to be out of scope and you can limit it further. It is possible to implement the same PCI scope within your own environment if desired.

AMS cloud allows a merchant to target the possible compliance levels to Schedule 'A', 'B', or 'C'. Since most venues have face-to-face or phone orders, the default is Schedule 'C' but you may wish to reduce the number of machines in scope to the minimum. If can take all machine out of scope in the office environment using dial up or IP pinpads, you may be able to achieve Schedule 'B' (very much dependent on your bank).

Possibilities for PCI compliance

  • Schedule A for merchants using only e-commerce transactions and Moneris Hosted Payment Page. All e-commerce authorizations occur at Moneris, and card data never enters the network
  • Schedule B Merchants using only: Imprint machines with no electronic cardholder data storage; and/or Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels
  • Schedule B-IP for Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage (Moneris P400). Not applicable to e-commerce channels.
  • Schedule 'C' Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. All Merchant Providers
  • Schedule 'A-EP' Merchants using hosted payments for web sales like Moneris

Even if you take all machines out of scope and use only dial up or IP terminals, if you are part of a large university or municipality, your Bank may force you to be schedule 'D'. This can happen if the Bank chooses to consider all your other merchant activities outside the venue (eg bookstore, admissions, dog tag sales, etc as part of the overall business). One way around that might be e-commerce and Moneris hosted payment page.

PCI Scope Diagram - AMS Cloud

The legend shows machines and network segments:

  • Organizational Areas:
    • that will never see credit cards (GREEN)
    • where a credit card passes through the machine while in flight to the bank during an authorization and is immediately gone (PURPLE). Cards in these zones are:
      • transmitted via TLS 1.2 and higher, and
      • live for an instant in time, and
      • are NEVER stored in a database.
    • where the card data is outside the boundaries of the organization. Examples are in the customer's hands (or wallet) or at your bank or service provider (who are required to perform their own PCI compliance) (RED)
  • TCP/IP Traffic
    • RED ARROWS - traffic where there is absolutely NO card data ever transmitted
    • BLUE ARROWS - traffic where card data travels (encrypted and via TLS) while it is IN FLIGHT for an authorization. This means that a message is sent for credit card authorization and the card resides only in memory (and is never stored in any disk file)

Components

Local Workstations

There are three options for workstations within a venue's physical environment.

Option Goal Steps Pro Possible PCI Levels
1 WORKSTATION OUT OF SCOPE and use a POS pin pad device

This takes a workstation out of PCI scope and allows the workstation to use any software on it that can reach the internet (eg email and web browsing). Credit Card authorization is via a P2PE pin-pad using

  • Dial up or IP connectivity that is completely independent of Theatre Manager and not connected in any way -or-
  • Using a device like the Moneris P400 where Theatre Manager talks to Moneris cloud to activate the pin pad. There is no direct connection between Theatre Manager and the P400
If all workstations are subject to this rule, then Schedule 'B' compliance may be possible (subject to your Bank's ruling). Risk of card being part of TM components is ZERO. Risk of any data breach is limited to the person hacking the standalone POS terminal.
  • Indicate to TM that a workstation cannot authorize credit cards by indicating a CIDR subnet that is outside scope of the network
  • Use a stand-alone P2PE pin pad device that talks to the bank without connecting to the Theatre Manager Workstation. These must be purchased from your bank or service provider and come in many varieties such as wireless, dialup, ethernet connected, accept apple pay, chip and pin cards, etc.
  • Can still authorize credit cards for walk up and phone sales via external terminal.
  • Workstation can be used for any purpose such as email, web, and analytics as it is not subject to PCI scope
  • End of day is broken into web sales and 'other' payments for box office'

'B'

'B-IP'

'C'

2 WORKSTATION OUT OF SCOPE and no credit card authorization at all

This option should definitely be used for all non-box office computers or computers used primarily for setup, reporting, and analysis.

  • Workstation can be used for any purpose such as email, web, and analytics as it is not subject to PCI scope
  • Only web sales will have a settlement for credit cards
'B'
3

DEFINED WORKSTATIONS IN SCOPE

The workstation is defined as one of those that may accept credit cards entered into the system so that it does

  • since Theatre Manager does the authorization, it can also do a void or refund. Depending on the credit card provider, it can be as long as a year after (Bambora using authorization token
  • Authorization will use higher level TLS transport encryption if supported by merchant services provider
'C'
4

TM Servers

NGINX and TM Server

can be in or out of scope depending on processor choices
To take the servers out of scope, you will need a merchant provider for Moneris Hosted Payment Page. The advantages are no data enters the network and you can be PCI A compliant. Disadvantages come with the inability to use post dated payments, and perhaps processing refunds. Under Moneris hosted payment page processing, TM does not see any card data - just the authorization, allowing for PCI A.

Hosted payments do not support the feature of post dated payments online.

'C' or 'A'

AMS Private Cloud

Credit card data can never be stored on the AMS Cloud, taking the database server out of scope.

Credit card data can pass through the firewalls and security appliances on the way to your Service Provider for authorization. It is transferred via TLS 1.2 and is subject to SPI (Stateful Packet Inspection), DOS detection, rate limitation, etc. to ensure security and privacy.

Bank/Service Provider

This is the merchant provider you selected out of those supported by Theatre Manager. The bank is not in scope of your PCI compliance requirements.

 

Risk Profile

Theatre Manager, the AMS Cloud, and POS terminals offer a very low PCI risk profile (almost negligible) for the following reasons:

  • Card data never enters your network - no risk
  • Cards are authorized using standalone pin pad terminals sold by the bank. This represents a negligible risk as only the physical device, sold and certified by the bank, could ever be compromised. Even if it were, it is not part of your network and has no communication with TM
  • Card data is never stored on disk. Having no card data in the database means no risk and no PCI exposure even if the entire database was given into the wrong hands. There simply is no card data in it.
  • Card data is transmitted from the user to the bank via TLS 1.2 (transport layer security) which is the highest form of security for sending data on the web.
  • Card data lives on the AMS network only for that instant in time needed to get to the service provider. TLS 1.2 cannot be sniffed by bad guys - very low risk
  • The TLS certificate can be reissued as often as you want to ensure that your key strings are secure. Google signaled intent to re-sign certificates every few months as additional cautions for commerce.

Main Firewall

You will need a router (with DMZ and VLAN and SPI capability) and two subnets are required within the office to implement PCI compliance. These can be reasonably priced such as the easily configurable SG-2440 pfSense router (approx $500 in 2015 prices) which has a lot of features. Please check techsoup.org if you are a not for profit organization as they have full cisco routers that you may be eligible to purchase at a discount.

We only recommend a router/firewall that has the ability to isolate the apache computer (i.e. designate an ip address for the DMZ).

Your firewall need to restrict connections between untrusted networks and any system components in the card holder environment PCI requirement 1.2.
  • Routers be a dedicated device, preferably a hardware router. If it is a software router such as one built on linux, then it must only be used only for this purpose and contain no other services.
  • It should be configured to shut down all incoming and outgoing ports except those required for business as per the following:

When you need to set up firewalls on computers, the built in firewall on windows is very flexible. On macOS, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the macOS PF Firewall.

Firewall/Router Rules

The main router/firewall is protection from the outside world. If the router has DMZ capability, please set up the DMZ IP address to have the same subnet range as the office LAN. This will make it easier to scale up web listeners that talk to the Web Server.

This diagram identifies which traffic is required for Theatre Manager to work in the card holder environment per PCI requirement 1.2.1

Any traffic not required should be denied - and the router should be set to 'deny all' unless explicit permission is given.

All traffic is TLS 1.2 or better, including to and from:
  • database and internal workstations
  • patrons using internet browsers and NGINX
  • NGINX and web listeners
  • Web Listeners and database
  • credit card providers

In the example below, we'll refer to IP addresses

  • in the office VLAN as 192.168.1.x
  • in VLAN2 (containing wireless devices and/or machines not subject to PCI) as 192.168.2.x
  • and use 192.168.1.10 as the inside address of the DMZ where the Web Server resides, protected on both sides by firewall rules. The outside IP address (internet) also authenticated and verified using an TLS Certificate.

  • The lighter red arrows on the diagram represent places where you could place restrictive rules from specific machines to specific machines. Those rules are outlined in the table below the diagram.
  • The number in the first column of the table refers to the same number on the diagram to give an idea what kind of rules are required for each component. If you combine some services on to the same machine, you will need to aggregate the rules.
  • All ports in the table are TCP
  • Rules are for INITIATED connections (outbound connections). Meaning a machine starts the connection.
  • If an inbound message occurs on an approved port, then ANY port can be used for outgoing response. (i.e. do not block responses to approved inbound messages.

    For example: Item #1, the postgres server, only needs port 5432 incoming to that device. You would turn on the personal firewall on the machine so that it only opens that port.

If you prefer to view the firewall rules from the perspective of specific ports, please refer to ports used by Theatre Manager

Item Machine and Purpose Subject to PCI Virus S/W Inbound Port Rules Outbound Port Rules
1 PostgreSQL server

database

depends no*
  • 5432 from any 192.168.1.x (note: traffic to DB will be using TLS 1.2)
  • all to 192.168.1.x
  • 37 to NTP server
2 Remote Box Office via VPN
(or terminal server)
yes yes*
  • as needed from internet
  • all to internet
  • 5432 to 192.168.1.2 (Postgres Server)
3 Web Services (TM Listener) yes no*
  • 443 from 192.168.1.10 (NGINX server)
  • 8111 from other TM listeners if they exist
  • any from 192.168.1.2 (Postgres server)
  • any to 192.168.1.10 (NGINX web server)
  • 5432 to 192.168.1.2 (Postgres)
  • 53 for DNS, MX lookup
  • 37 to NTP server
  • 443 to
    • www2.artsman.com and
    • downloads.artsman.com
  • 80 to maps.googleapis.com/maps/api/geocode
  • 25 (or 465 or 587) to SMTP server (as required)
  • 110 to pop server for Facility Mgt
  • 443 outgoing to credit card provider
  • 443 outgoing to ippos.moneris.com if using a P400 EMV device from Moneris
4 Box Office Workstations yes yes*
  • all from 192.168.1.x
  • 80, 443, 8111 to 192.168.1.10 (web server)
  • 5432 to 192.168.1.2 (postgres)
  • 53 for DNS, MX lookup
  • 37 to NTP server
  • 443 to
    • www2.artsman.com and
    • downloads.artsman.com
  • 80 to maps.googleapis.com/maps/api/geocode
  • 80 to www.google.com/maps/api/staticmap
  • 80 to help.theatremanager.com
  • 443 outgoing to credit card provider
  • 443 outgoing to ippos.moneris.com if using a P400 EMV device from Moneris
5 Ticket Printer no n/a
  • 10001 from 192.168.1.x (or whatever port the printer is set on
  • all to 192.168.1.x
6 Web Server (NGINX) yes yes*
  • 80, 443 from internet
  • port 443 to 192.168.1.9 (Web Services TM Listener)
7 Outside of Firewall no n/a
  • 80,443 from internet
  • xxxx from internet or Term Services
  • forward 80,443 to 192.168.1.10 (NGINX Web Server - which automatically escalates to 443 using TLS 1.2 or later)
  • forward xxxx to 192.168.1.4 (Term Server)
8 Internal Wireless Router no n/a
  • all from 192.168.1.1
  • specific to 192.168.2.1 as required
9 Venue Lan computers not handling credit cards
no yes
  • all from 192.168.2.1
  • as needed to 192.168.1.1
10 wireless ticket scanners no n/a  
  • Ticket scanning occurs through the internet via tickets.yourvenue.org and port 443. Open ports to allow scanning traffic to the outside of the router

Ports used by Theatre Manager

The table below describes which ports various components in Theatre Manager uses. With few exceptions, it is possible to change the ports that are being used if you wish. The only ports that should not (or cannot) be changed are:
  • ports 80 & 443 externally for web sales.
  • Outgoing port 443 for credit card authorizations
  • port 37 for a time server
  • port 53 for MX record lookup via a DNS server

If you prefer to view the firewall rules from the perspective of specific machines, please refer to ports used by each machine

Port Meaning Use Security Note
25 (or 465 or 587) SMTP Outgoing TM Server uses this for email for web sales, eblasts and meeting scheduling. note: Workstations do not send emails and do not require access to SMTP server.

Alternate SMTP ports can be used as TM supports (startTLS and other security)

You may wish to place a small SMTP server (like Exchange) within your network so that TM talks to it and allow it to relay to the internet. This also controls outgoing access.

37 NTP Time Server Outgoing OSX and Windows machines use this to syncronize clocks. All machines should be able to synchronize with an NTP server so that transactions and audit logs are accurately recorded when the happen per PCI 10.4 compliance
53 DNS and MX lookup. Outgoing This is used to verify email and web domains during the data entry process to improve data quality
80 HTTP Incoming and Outgoing Incoming is only required to the Web server.

Outgoing for workstations to communicate to:

  • help.theatremanager.com
  • teamviewer
Teamviewer can go out on ports 80 and/or 5938
443 HTTPS Incoming and Outgoing Incoming is required for web sales.

Outgoing is required for TM Server and TM Workstations for

  • Credit Card Authorization
  • www2.artsman.com for autoupdates
  • TM Server for REST API access if enabled
110 (or 993) POP3 Outgoing Facility Management module only: TM has a scheduling function that lets users set up calendar event and send the invitations to users, patrons and volunteers.

The port is used by TM workstation and Server, and only email with valid outlook or iCal attachements are read. All others are discarded. No user checks this email address.

Theatre Manager supports alternate POP3 ports if you prefer.

5000 Web Services Internal The Web Server load balancer communicates to Theatre Manager Web Services on port 5000
8111 Web Template Server Internal This internal port on the web server is a Virtual host used by web services to obtain the custom web page templates from the htdocs folder for merging. It is also used by workstations to obtain web page templates used to send double out-in confirmations as per CASL (Canada's Anti Spam Law).
8201 Cache Server Internal This internal port is used for caching data shared between web service processes.
5432 Postgres Internal This is the standard port for the Postgres database server and is only used within the LAN. Postgres's pg_hba.conf configuration file specifies the IP address ranges (or specfic IP's) that can communicate with the database server. If a machine is not permitted to talk, postgres will does not respond.

Traffic from workstations to Postgres is via TLS 1.2

10001 Ticket Printer Internal Workstations send a string of characters to print a ticket. The printer responds with status requests as need be.

No outside machine needs access to a ticket printer.

xxxx Terminal Server & Remote Access Incoming A secure connection from the remote box office to the firewall is recommended for security purposes. RDC and Terminal Services establish secure connections. VPN is additional security.

PostgreSQL Server

Postgres listens on 5432 by default (see firewall rules for postgres).

Only this port needs to be open on this server. All other inbound ports can be closed in the operating system. The port can be changed by editing the Postgresql.conf file, or during the install.

Misc Recommendations

  • File and email services for the network must be placed on a separate machine from the database server.
  • Turn off windows auto updater. Instead, perform regular maintenance at a time of your choosing (every second Monday for example, more often if the news reports critical viruses) to download and install updates. For 24/7 web sales service, it is important that the Postgresql server run constantly and only be updated at a time of your choosing.
  • On OSX, turn off Software Update and run regular maintenance every second week, similar to Windows Environment. There is far less risk on unix based systems for virus attack vectors.

Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and file servers. PCI requirement 5.1

Since postgres is implemented on a stand alone machine (per PCI requirement 2.2.1), we recommend that you DO NOT install virus software on the PostgreSQL Server. If you must, then do it under very controlled circumstances..

Never allow the virus scanner to scan the actual postgres database directories for traffic because virus scanners severely affect performance when many files are changed rapidly (as in a stand alone database server).

If you absolutely must scan all files, scan the database folder at very off peak hours.

TM Listener - Web Services

The ports that need to be opened for web services depends on which you are using for load balancing

In all cases, you specify the ports to talk to listeners within the TM Director interface.

 

Simple Setup for Load Balancing

In the simple setup situation, you just need to open port 5000 to each TM listener. When any message is received by the second gen listener externally on port 5000, it load balances internally on ports local to the machine (5001-5010, 5111, 5201-5210).

Each second generation listener machine needs to be able to talk to the designated TM Web Listener machine to retrieve web pages.

 

Custom Setup for Load Balancing

In the custom setup, the web processes can listen on

  • Second Generation Listener:
    • port 5000 (like the simple setup for load balancing) -or-
    • ports 5001-500x where you specify the load balancing on the TM Web server for high performance throughput -or-

Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and servers PCI requirement 5.1

You can install anti virus software on the TM Server - but may need to exclude the TheatreManagerServer program directory and all traffic to port 5432 on the postgres server. Since the web services run as a service, there is limited need to log into the machine. It should not be used for any other purpose and listens only to the API's from the TM server, so you may only need periodic file scanning at night if you do not join a domain and/or limit people who can access it.

Venue LAN

Machines in your office that generally do not need access to Theatre Manager can be in a separate VLAN so that they do not accidentally compromise credit card data. Rules should be put in place so that these VLANs cannot talk to the servers in the Office VLAN per PCI requirement 1.2.3

It may be a good practice to have one or more VLANs beside the primary office network, especially if you have wireless access points, public WI-FI in your lobby, green room access for Actors, etc. (per the network diagram). Separating those kinds of users from the office LAN is beneficial from a security and bandwidth management point of view. Network segments not dealing with cardholder information are not subject to PCI rules (although it's a good idea to protect them too!).

Theatre Manager does not require use of wireless networks to operate.

However, if you do require that some computers access cardholder data over a wireless network, you must use strong encryption technology for authentication and transmission of data such as hidden SSID, specified MAC addresses, and WPA2 or better on a separate VLAN than other wireless access points and change vendor supplied passwords per PCI requirement 2.1.1.

You must never transmit card information over a network with WEP encryption per PCI requirement 4.1.1.

Office LAN

The office LAN should be set up to isolate computers that may access credit cards from other general purpose machines. These machines should be hardwired to ethernet hubs and routers. Generally, this just means putting it on a different VLAN than the rest of the office to provide maximum cardholder security PCI requirement 1.2.1.

For example, if there is an area that provides free wireless in the lobby or access to the internet for actors in the green room. Those access points should be part of the 'Venue Lan' and not part of the 'Office Lan' (per the network diagram) to separate the segment of the network containing credit cards (office) from wireless part of the network.

You should not be able to access the internet from the database server or any machine that contains credit card information except as required to authorize the card or update system components. PCI requirement 1.3.2 to 1.3.5

Ports that should be open are defined in the section about firewall rules

When you need to set up firewalls on computers, the built-in firewall on windows is very flexible. On macOS, do not manage the built-in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the macOS PF firewall.

This section describes the components of the Office LAN.

Box Office Admin Computers

Office computers can be classified in two categories:
  • those where credit card data is typed or entered into the system (with or without credit card swipes)
  • and those computer where credit card information is not typed into the machine.

Computers accepting Credit Card Data

Any computer where credit card information is entered or that has an attached credit card swipe is effectively a point of sale device and needs to be protected from a particularly nasty form of virus called 'Bots'.

These are especially prevalent on PC's and if a computer were to become infected, this type of virus scans keystrokes at the computer and sends those key strokes to the 'bad guys' outside the network. Preventing this involves closing most ports and providing very limited access to the outside world, especially for mail and web browsing.

For this reason, on those computers, you should:

  • Close down all outgoing ports except those specified in firewall rules for workstations.
  • Disallow general internet access via the web browser to prevent the most common source of infection. You can allow people to access help.theatremanager.com for online help.
  • install virus protection software on these machines and regularly run it and update the software. There are a number of good alternatives from freeware like Avast! to Symantec (our least favourite)
Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and servers. PCI requirement 5.1

If these computers are using Theatre Manager, you may need to exclude the 'Theatre Manager' program files directory, depending on your virus software. Exclude all network traffic to port 5432 on postgres server.

Computers that do not accept Credit Card Information

Machines that are not entering credit card numbers may have general internet access. You can ensure that these workstations cannot enter cards into Theatre Manager by setting up specific workstations or network segments that can accept payments and excluding these workstations.

If those computers are on the same network segment as the machines accepting card numbers then they fall into the scope of a PCI assessment for the venue. This means those machines would need all of the anti-virus and anti-malware software as well as file integrity monitoring, log management, access control, etc. just like the machines that accept the cards.

To reduce the scope of the venue's PCI assessment needs, the venue should consider placing those machines (back office or manager machines usually) on a separate network segment with just the necessary ports between them and the cardholder data network open. Refer to the network diagram and firewall rules to separate the computers with card access from those without onto separate VLAN's within your network.

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) PCI requirement 5.1

If these computers are using Theatre Manager, you may need to exclude the 'Theatre Manager' program files directory, depending on your virus software. Exclude all network traffic to port 5432 on postgres server.

Wireless Access Points

Theatre Manager does not require use of any wireless network for operation as all workstations and servers are to be connected via ethernet cabling.

Since many venues use wireless networks in the lobby for customers and green rooms for actor, or volunteer use, it is important to ensure that wireless routers are separated from the cardholder network and are on their own VLAN and all default settings are changed from factory. PCI requirement 1.2.3 and PCI requirement 2.1.1

The following must also be changed every time somebody with knowledge of the security changes positions or leaves the company. PCI requirement 4.1.1

Configuration of these should include:

  • Turn off all SSID broadcasting
  • Enter the MAC addresses (00:00:xx:xx:xx:xx) of the scanners into the acceptable list of devices at the remote site and only allow those devices to gain access to the network
  • Use strong encryption such as WPA2 (also sometimes called IEEE 802.11i) or better for access control.
  • Update the router to the latest firmware
  • Change the default user ID and password for the router to be different than the manufacturer-supplied defaults.
  • Change all wireless default encryption keys and SNMP community strings

Ticket Scanners

Wireless ticket scanners do not transmit any cardholder data at all so wireless ticket scanning can be implemented one of two ways. The scanners can be
  • part of a VLAN that is inside your main router/firewall and connected to the other parts of your network. This is known as the Venue LAN according to the network diagram. Scanners using this configuration are subject to PCI regulations to the extent that the firewall must be in place to regulate traffic.
  • completely outside the main firewall and directly connected to the internet via the ISP. In this situation, the ticket scanner is considered not part of your network and is out of scope of PCI compliance.

Wireless Scanners in the Venue Lan

If the ticket scanners are within your firewall and part of a VLAN connected to the Office LAN, you must implement TLS 1.2 or better security and firewall rules between the venue LAN and the office LAN per the network diagram. Refer to PCI 4.1.1

You can use a direct IP in the scanner to access the Apache server directly (e.g. 192.168.1.x), or you can refer to the server via the domain name (like tickets.yourvenue.org).

Wireless Scanners connected to the Internet

If the wireless scanners are connected to a router that is on the internet (and not connected in any way to the internal trusted networks) then you do not need any security on the scanners. Since the scanners simply send HTTP requests to the Apache Server, you can use the external DNS name like tickets.yourvenue.org.

The Linea Pro and iPhone/iPod combination support the latest required encryption technologies from end to end

Wireless Computer Access

If you permit wireless access to your network within your office, PCI compliance states that these computers should go through at least one router or firewall before accessing the office network or any part of the network where credit card information is stored.

The DMZ (NGINX Server)

The NGINX server is the only part of the Theatre Manager system placed within the DMZ per the network diagram.

Note that card holder data should never be stored or placed on the NGINX server for any reason. Theatre Manager does not require it. PCI requirement 1.3.7

Best Practices for setting up the NGINX Server

  • NGINX should be on a standalone machine in the DMZ
  • NGINX must be protected by the main firewall rules. You should turn on the built-in firewall on the machine (OS X or Windows) and should only need to open ports 80 and 443
  • NGINX is a service so it will automatically start as a service upon reboot.
    • This means nobody needs login at all.
    • Do not allow anybody to access this machine except under controlled circumstances
    • However, configure the screen saver to require a password after it is activated.
  • Turn off Windows Update or OS X Software Update
    • Instead, perform regular maintenance at a time of your choosing (every second Monday for example, more often if the news reports critical viruses) to download and install updates.
    • For 24/7 web sales service, it is important that the NGINX server run constantly and only be maintained at a time of your choosing.
  • Remove access to Outlook and/or other mail clients on the machine
  • Make sure that accessing the internet through Internet Explorer or another browser on that machine is limited to certain URLs
  • Virus protection should be implemented on this machine:
    • This machine is only responding to requests from the internet via NGINX, it is not actively accessing anything on the internet using a browser or reading email - so the risk if is acquiring viruses is very minimal.
    • If you put a virus scanner on it, set it to scan the hard drive once or twice a day, preferably early morning or at a time of day when online sales is expected to be at its minimum. Some antivirus software applications are CPU-intensive and have the potential to severely slow down the NGINX response time to web requests.
    • Don't scan incoming requests from the internet to NGINX on port 80 or 443 - because those are the working ports for NGINX.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and file servers) PCI requirement 5.1

Policy Manual

PCI compliance requires some additions to your policy manuals, some of which are described below and relate to safeguarding your network and the credit card information. We recommend making these additions immediately.

Refer to Section 12 in the PCI DSS implementation guide for complete information

Policy Description
1. Credit Card information must not be stored on any machine that is in the DMZ.

This generally means laptops that connect to the network wirelessly should be examined for files that contain card information and that information must be deleted.

2. Do not transport credit card information outside the secure firewall without:
  • AES256 or better encryption of each card or the complete file containing any cards (never auto de-encrypt the file when starting a machine)
  • transporting the data in a secure password protected device -or-
  • sending via TLS or over a VPN if doing remote backups electronically to a secure site
3. Never email a credit card number to anyone.
4. Never read back an entire credit card to a patron if they call in asking for one. Always have the patron tell you the card and confirm it only if it right. You can confirm a card number that the patron just told you in entirety.

Remote Box Office

Depending on the remote access solution you use (Citrix, Terminal Services, Teamviewer, logmein), you may need to open the appropriate ports on your router(s) and server for this feature:
  • On the firewall built into this machine
  • On the main firewall protecting the office with forwarding to the appropriate ports on this machine.

Access to the terminal server from outside the main network should include VPN or packet encryption. Windows 2008 Server and later use secure access by default.

If the remote box office solution permits the feature, you should also set it up so that only specific applications can be launched and the user cannot get to the desktop. For example, Citrix provides a web interface under ISA services that allows you to only permit Theatre Manager to run. With Terminal Server, you can also force it to start Theatre Manager automatically. With 2012 Terminal server, you can limit to only Theatre Manager application to run.

Always disable outgoing web access within the Citrix or Terminal Server so that people cannot browse the internet on the Terminal Server Machine (this will prevent all viruses). You can enable web access on the local machine.

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and file servers) PCI requirement 5.1

Remote Ticket Selling

In most cases, the best way to do remote box office is to set up a Terminal Services server inside your network and provide a VPN solution from the remote site to the router.

An inexpensive Linksys VPN router will provide adequate router to router VPN services at a good price - or will provide remote VPN software for computer-to-router VPN. More expensive routers like Cisco have VPN software that accompanies the router as well.

In all cases, remote box office or work at home should be set up using a VPN connection.

If you are using remote box office and ticket scanning for access control at the same venue, you just need to connect the ticket scanner to your ticketing web site. It can use the VPN, but does not have to. so connecting to any wifi point with external access is fine.

Remote Ticket Scanners

If your venue uses wireless ticket scanners for remote venues, you will need to set up a wireless access point at the remote venue to connect to the internet. These devices only confirm a ticket was used or a person exits the venue, through a very controlled API on the scanner.

The setup of the wireless access point should be:

  1. turn off all SSID broadcasting
  2. Enter the MAC addresses (00:00:xx:xx:xx:xx) of the scanners into the acceptable list of devices at the remote site
  3. use WPA2 passwords

The setup and functioning of the Linea Pro wireless device is described in a separate web page.

When you need to enter in the IP address, use [tickets.yourvenue.org]/TheatreManager/1 where [tickets.yourvenue.org] is your ticket website URL.

All data traffic is done over HTTPS using secure sockets and TLS 1.2 or better transport layer encryption.

Even if you are scanning tickets at your local venue, it is often a simple matter of setting up a small hub in front of your main router so that the access points are connected to it - and they would be outside the firewall for security.

Remote Access

Remote access for Theatre Manager usually means situations for remote box office or work at home. There are a number of tools that can be used, such as Remote Desktop Connection (RDP), LogMeIn, Go To My PC, and more.

In all cases of remote access for box office, you should implement either a VPN tunnel and/or SSH access - where the communication and session has strong encryption or is a private connection per PCI DSS 4.1.

There may be additional setup consideration as described in the following sections based on the software you use. Your IT person should ensure that whichever software is used, that it employs VPN or SSH.

PCI compliance requires that remote access have a user ID and password, and an additional authentication factor that includes, but is not limited to, items such as a smart card, token, PIN, biometrics, VPN, etc.
For people with remote access, you must establish passwords according to PCI DSS requirements 8.1, 8.2, 8.4 and any requirements of all sections of 8.5. In other words, the requirements for remote access passwords and authentication are exactly the same as for access to your office LAN.

 

Common remote access mechanisms that we use

While there are many vendors of remote access software, the ones that we see used most often are:

  • Using a VPN and local copy of TM for full and secure network access - best used when internet connections are fast
  • Using Microsoft Remote Access (RDP) and Terminal Server for full managed access to TM - best used when internet is marginal/poor or you need to control internal network access
  • Using a remote access tool like TeamViewer, LogMeIn, or similar to simply access your own machine from a remote location. Best when no remote ticket printing is required.

Using a VPN

The best way to access your own network from a remote location is to set up a VPN between your work location and the office router.
Your office router must be able to support VPN connections. It is generally a feature of a more expensive router, and some low cost routers may have the capability. Check with your IT support if this is an option for you.

 

Your routers and using TM over a VPN service

If your venue's routers support a VPN service to your network:

Initial, first time only setup steps

  • Ask to have the VPN Client software set up on your home computer.
  • Find the IP address of your database server It is on the lower part of the login screen while using TM in the office. In the example to the right, the address is circled in red (the sample shows 127.0.0.1)
  • Download and run the latest 64 bit version of Theatre Manager for:

 

Each Time you Connect to the Office

  • Establish your VPN connection from your laptop to your office first
  • Start Theatre Manager and wait for the login screen. Note: the first time you will be asked to find the database. Use the IP address located as outlined in the Initial Setup steps above.
If you are using IP based ticket printers at your remote location, you will need to set up a ticket printer device that has an IP address on the remote network.
If you are in a different local time zones from your office, you will need to provide the LocalTimeZone parameter in the Theatre Manager preferences file. This is only needed if your time zone does not match the time zone setting in the company preferences->Report/Misc tab

Microsoft Remote Access

If you are using remote access, you need to set up a terminal server to use high-security access for Remote Desktop and it should be set to disconnect or lock the terminal after a period of inactivity. (PCI requirement 12.3)
This typically needs a copy of Windows STANDARD Server version or better (not the windows OFFICE server version). If you bought a standard server under the Techsoup donated software program, you will likely have two CAL licences for the terminal server and may need to add some additional licences.

 

Windows 2012/2016/2019/2022 Terminal Server

Terminal Server is a great way to allow access from any location to your office. It has the benefits of:

  • allowing restricted access to your internal LAN by only allowing access to specific services or programs for a user.
  • working in conditions where internet connection bandwidth is poor since it is a screen-scraper technology and optimizes only transmission of screen changes
  • allows report printing to ticket printers on LPT ports

When connecting from any workstation to the current versions of Terminal Server, the server defaults to high encryption. It is good practice to verify that the setting has not been lowered.

Step Purpose Installation instructions or link
1. Verify Terminal Server settings The following links detail the security settings in Windows Server 2003. Server 2003 defaults to High encryption, but it is a good practice to make sure it hasn't been lowered accidentally.

support.microsoft.com/kb/814590

Terminal Server 2008/2012/2016/2019 and 2022 should default to high encryption.

2. Verify RDP settings RDP should be set to always prompt for a password.

TeamViewer Remote Support

Artsman uses TeamViewer for remote support. This is designed to only run if the user launches the application, contacts Artsman and permits the support team to have access to their machine for the purpose of diagnosing a problem on a one time basis.

Remote access is to be

Outside the Firewall (the internet)

The internet is everything that occurs outside your firewall perimeter and represents everything that is beyond your control to protect.

This is where your customers will be.

Customer Access

Customers buying on the web need to be able to access the Apache web server through ports 80 and 443 in the DMZ. The web server sends cookies back to them.

Web Page Design Considerations

  • Your main web site should direct links to the Apache server via HTTPS so that the majority of access to online ticket sales is secure.
  • If a customer tries to access tickets.yourvenue.org through port 80, the first thing that the index page does is redirect them to a secure port.
  • If a customer does alter the URL and tries to access a page via port 80, the Theatre Manager web listener always responds back with a secure page and the next interaction will be through port 443
  • Ultimately, if you only wish secure access through the DMZ, you can turn off port 443 and customers will be forced to access via HTTPS. This is quite an aggressive approach and has some marketing implications - the safeguards above ensure that people are moved to HTTPS after hitting the web site for the first time.

What a customer needs to do (nothing)

A customer has zero configuration to do on their machines, other than to allow cookies from your site if they cannot browse the web pages. The Theatre Manager Web Listener will alert them to turn on cookies as it detects people trying to move through pages without cookies enabled.

PCI Audit Logs

PCI DSS sections 10.2 and 10.3 require that Theatre Manager maintain audit logs for certain system events. These primarily deal with who has seen or could have seen credit card information.

The transaction logs in Theatre Manager deal with all these requirements because Theatre Manager has always maintained an 'audit log' of certain system events that tracks the events required in PCI section 10.2 and the minimum required data elements for PCI section 10.3.

PCI DSS section 10.5 requires centralization of all system related logs in a common log management process in a protected manner. The intent from the PCI council is that you could view access to login/out and card data in Theatre Manager along with firewall access changes or admin access to a machine or server in a consolidated view.

You can export the logs from Theatre Manager in Excel or tab delimited format and move them to your centralized logging mechanism.

Accessing the Audit Log

All financial and access audit log transactions are kept forever. Transactions for Login, Logout, Invalid Access, and Viewing Complete Card Data are kept in perpetuity. Transaction types are 'coded' and 'dated' for easy finding and sorting.

Access to the audit log is from the Setup Menu.

This will bring up a screen similar to the one below which is a sample of an audit log that is contained within the transaction records in Theatre Manager.

Exporting Audit Logs to External Logger

PCI DSS compliance section 10.5 requires centralization of logs in a common log management process. The intent from the PCI council is that you could view access to login/out and card data in Theatre Manager along with firewall access changes or admin access to a machine or server in a consolidated view.

You can export the logs from Theatre Manager in Excel or tab delimited format and move them to your centralized logging mechanism.

Audit logs are kept forever as part of the database. You can search for any past history and re-export them if you desire. Database backups will contain the logs in existence at time of backup.

Once you have accessed the Audit log and are viewing on the screen as per the sample below, to obtain the logs for a specified period of time:
  • Search the logs by transaction date for all new logs since the last export
  • Click the Export Button on the top of the screen and select export to Excel or tab format as required
  • Provide a file name as a place to save the logs
  • Import those into your centralized logging mechanism

Audit Log Description

PCI Std. Requirement Theatre Manager Implementation
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual accesses to cardholder data Theatre Manager creates an 'AC' transaction to track whenever a user sees the entire credit card number. By default, Theatre Manager displays masked card numbers in all windows and reports. Only in specific places will Theatre Manager display card information to those who have specific authorization to see cards. Therefore, you should expect to see very little information in the audit log if you minimize who has access to see full card data.

The act of accepting a credit card at the box office is tracked with a PT audit transaction - i.e. the actual payment - and can be tracked by the user that way. Since this is a normal business act (accepting a card from a patron and typing it in), it is not necessary to also create an audit log.

None of these transactions can be purged.

10.2.2 All actions taken by any individual with root or administrative privileges An administrative user is subject to the same rigorous requirements as all other users.
10.2.3 Access to all audit trails Theatre Manager does not track who views audit trails because they cannot be changed, manipulated or altered by the user in any way. We believe that when users know this information is tracked for PCI compliance, it acts as an additional deterrent. None of the logs ever display sensitive data.
10.2.4 Invalid logical access attempts Theatre Manager tracks who accesses Theatre Manager and when they log in or out via the 'ALI' and 'ALO' transactions.

'ALX' transactions track invalid login attempts (after 3 mistyped passwords), or when the user account is locked out.

These transactions cannot be purged.

10.2.5 Use of identification and authentication mechanisms Theatre Manager uses login and authentication mechanisms. All users of the application must log in.
10.2.6 Initialization of the audit logs The audit logs can never be 'initialized' by the user, nor can be they be cleared except under programmatic control. The minimum retention time is 365 days for audit transactions with the default being forever. Payment logs indicating who took the actual payment are retained forever and cannot be deleted.
10.2.7 Creation and deletion of system-level objects  
10.3 Record at least the following audit trail entries for all system components for each event:

10.3.1 User identification yes - see log example in the user column.
10.3.2 Type of event yes - see log example for the specific transaction codes, expanded description and details about the specific activity.
10.3.3 Date and time yes - see log example
10.3.4 Success or failure indication yes - see log example. Failure logs show when a user tries to log in and forgot their password.
10.3.5 Origination of event yes - see log example for the IP address of the machine that created the event and the user
10.3.6 Identity or name of affected data, system component, or resource yes - see log example - this illustrates an example where a user viewed a specific credit card in full. The patron's name is displayed in the first and last name column.

Compliance Statement required by PCI Council

The PCI council represents the credit card companies. They dictate to vendors that products must be assessed, certified, and approved by them in order to appear on the list of 'Accepted Products'. In the fine print that is part of their processes, the PCI council has a specific clause we must relay to you.

It is repeated verbatim below so that there can be no mistaking what we have been instructed to do.

Vendor shall comply with, and communicate (in a reasonably manner determined by Vendor) to all purchasers and other licensees of Vendor Products that have been Accepted under any of the Programs, the following statement:

“Acceptance and/or listing of a given product by the PCI Security Standards Council, LLC (PCI SSC) only applies to the specific version of that product that was reviewed by an assessor or test laboratory qualified by PCI SSC (Assessor) and subsequently accepted and listed by PCI SSC (the “Accepted Version”), and only while such acceptance and listing are in effect. If any aspect of a product or version thereof is different from that which was reviewed by the applicable Assessor and accepted and listed by PCI SSC – even if the different product or version (the “Alternate Version”) conforms to the basic product description of the Accepted Version – then the Alternate Version should not be considered accepted by PCI SSC, nor promoted as such. The authoritative lists of products currently accepted by PCI SSC can be found on the PCI SSC website at www.pcisecuritystandards.org. Please notify PCI SSC if you believe that any product purportedly accepted by PCI SSC does not appear on these lists.

No vendor or other third party may refer to a product as “PCI Approved” or “PCI SSC Approved”, and no vendor or other third party may otherwise state or imply that PCI SSC has, in whole or part, accepted or approved any aspect of a vendor or its services or products, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, or in a corresponding letter of acceptance provided by PCI SSC. All other references to PCI SSC’s approval or acceptance of a product or version thereof are strictly and actively prohibited by PCI SSC, should be reported to PCI SSC, and constitute a breach of applicable PCI SSC program requirements.

When granted, PCI SSC acceptance is provided to signify the Assessor’s determination that the product has demonstrated achievement of certain security and operational characteristics important to the security of payment card data, but such acceptance does not under any circumstances include or imply any endorsement or warranty by PCI SSC regarding the product vendor, the product, or the functionality, quality, or performance of the product or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include or imply any product warranties from PCI SSC, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement, all of which are expressly disclaimed by PCI SSC. To the extent any rights or remedies regarding products or services that have received acceptance from PCI SSC are provided, those rights and remedies shall be provided by the party providing such products or services, and not by PCI SSC or any of its payment brand members.”

Misc PCI Requirements

The following section documents some of the final miscellaneous additional PCI compliance requirements that merchants will need to know or be aware of. These are presented here as 'things to do or know about' because they are not relevant in other parts of the installation guide.

Please use these as ticklers to yourself.

If card data is to be transmitted over a public network (i.e. outside your firewall), it must be sent using secure encryption technology like IPSEC, VPN or via TLS per PCI DSS 4.1.
Do not send any credit card data 'in the clear' such as pasting a card number into an email, or into an IM per PCI DSS 4.2 unless you are using secure encryption with these messaging technologies. Do not encourage customers to send card numbers, CVV2 numbers, name, expiry dates, or any other such data to you via the same technologies.

Theatre Manager does not provide this feature due to PCI compliance and only presents the final 4 characters to users for this reason.

If you are upgrading from a prior system that might have had unencrypted credit card information, you must throw that data into the trash and secure erase it with a tool like ERASER (free) on the PC or use File Menu -> Secure Erase on Mac.

Card Flow Across System

This diagram indicates the flow of card information in the various parts of the LAN segments described in the network architecture.

(Click to enlarge as a PDF)

Vulnerability Identification and Assessment

PCI requires that a venue establish a listing of security vulnerabilities and track them in a database as well as implement programs to prevent vulnerabilities PCI requirement 6.2.

Common Vulnerabilities and Exposures (CVE) vulnerabilities are reviewed at least monthly. As standard practice, Arts Management considers all CVE's to be a high priority for the software we incorporate. As such, these will be implemented using the auto deployment processes (regardless if they really affect Theatre Manager or not) under the principle of better to be safe than sorry. The release notes may mention any important fixes felt to be applicable.

We provide a list of vulnerabilities & patches specific to Theatre Manager and its components and update our installers regularly to address known issues.

Addressing PCI compliance and preventing most security issues is as simple as:

  • Keeping Theatre Manager up to date with the latest version (this occurs automatically via the auto deployment systems)
  • Updating all operating systems to current updates from the vendor
  • Having current anti-virus software in place

However, this is only one aspect of protecting your network. It is far more likely that vulnerabilities will arise from other programs. Here are some links that might be of interest to you to help maintain the health of your computers and networks.

Item Purpose
NIST.gov This web site has a list of recent security issues from the government web site. It is useful for seeing if there is something pertinent to your software suite. This is worth searching on a periodic basis.
NIST.org This web site has a summary of common security fixes and patches distilled from the government web site.
Secunia
PC only
PC's are vulnerable in a number of ways. Secuia is a free tool (for personal use) that inspects your PC and tells you about any vulnerabilities you may have on your PC that you are unaware of, and will automatically update versions of other software.

Note: Never forget to have anti-virus software on your machine.

Software Update Mac Only macOS has a software update feature for the operating system. For workstations, we recommend automatically applying security patches.
OSVDB This is an open source vulnerabilities database. We look at this periodically to see if there is anything that might affect tools that we supply to you. Apache and Postgres are both open source, so this is of interest to us. You may find other information, especially if you are using many open source tools.
QUALYS Labs Use this to verify if a TLS Certificate is setup right and if system scans are looking for new vulnerabilities

NGINX Vulnerability List

Nginx is auto deployed with each version of TM server.

It will always have the latest vulnerabilities mitigated per release notes and all attempts are made to deliver it within the mandated PCI time frame of 30 days of release (subject to testing and evaluation of other fixes).

Typical time to deployment is within 15 days.

Postgres Vulnerability List

The Theatre Manager postgres installers are always updated to the most recent version of postgres as soon possible after the postgres version it is released, ensuring any vulnerabilities are addressed by Arts Management as soon as a fix is released by the Postgres foundation.

Postgres vulnerabilities are monitored on the Postgres Security web site.

Those immediately relevant to Theatre Manager are listed with the release notes for that version of Theatre Manager and may require a forced update to the database server before an update to Theatre Manager will allow connection to the server.

OWASP and Theatre Manager

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Their mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of the materials are available under a free and open software license.

The OWASP Top 10 for 2021 is interesting reading for application developers, web site builders, and end users. The internet has many good features, but it is not a safe place if you are not aware.

Each year, the Arts Management team reviews the top 10 and, for those that are applicable, ensures that the web sales module provides a defence against the top 10 per PCI standard 6.5. Requirements are posted here. Merchants should also be aware of these.
In addition, please be aware that IFRAMES are disabled in NGINX due to possibility of a Click-Jacking attack. An iframe has typically been used by people (like MOGO Interactive) selling marketing pixels to include their code in your web site. PCI council checks for Click Jacking opportunity - so we have disabled this in our standard web Server Setup.

2021 Top 10 List

  Description Theatre Manager Implementation

2021A01

2017A05

Broken Access Control Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits

2021A02

2017A03

2015A06

2013A06

Cryptographic Failures Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Theatre Manager handles encryption of the key card information and recommends shredding of unused data after a period of time. All credit card information is re-encrypted on a periodic basis per PCI compliance and the only information retained is per PCI standards.

Theatre Manager web services use TLS for all traffic, which means using port 443 to the NGINX server, and having a valid TLS certificate.

Ensuring the TLS certificate is current is a responsibility of the monthly PCI scan process, and we contact customers when they are ready to expire.

Users are encouraged to define a card retention period where TM will automatically shred cards based on their policy.

2021A03

2017A01

2015A01

2013A01

Injection Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

OWASP's preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.

In Theatre Manager, all web pages access the web listener using a parameterized API (generally html form) and each parameter is scrubbed on the way to the web listener for specific values. Only acceptable parameters are verified. Unacceptable parameters are rejected and ignored.

2021A04

Insecure Design Insecure design is a broad category representing different weaknesses, expressed as "missing or ineffective control design."

2021A05

2017A06

2015A05

2013A05

Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

The primary preventative measure for this is PCI security scans and upgrading of Theatre Manager components on a regular basis and following any implementation notes.

Users are encouraged to install operating system upgrades as they are made available and to turn on automatic checking on all workstations. On servers, the practice is to verify weekly for updates and install on a controlled basis.

Theatre Manager regularly offers the latest updates to web servers and TLS security patches when they are made available. Configuration files are hardened as vulnerabilities are detected (example: preventing directory listings is the default browser config).

2021A06

2017A09

2015A09

2013A09

Vulnerable and Outdated Components Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Theatre Manager is designed to detect the version of significant components and will not start if the database version, web server version, or other significant components are insufficiently current.

Most importantly, TM Web Servers are regularly updated with security patches.

2021A07

2017A02

2015A02

2013A02

Identification and Authentication Failures Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

Theatre Manager uses cookies for session management. All data in the cookie is AES256 encrypted, along with a date and time.

If the web listener notices that the cookie comes back and contains an unexpected date and time setting, then it discards the request and resets the user.

There are no session IDs in any URL.

2021A08

Software and Data Integrity Failures Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations.

2021A09

2017A10

Security Logging and Monitoring Failures Security Logging and Monitoring Failures is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.

2021A10

Server-Side Request Forgery (SSRF) SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

------- Historical References --------

2021MGD

2017A04

XML External Entities (XXE)

2021 merged with A05-Security Misconfiguration

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

2021MGD

2017A07

2015A03

2013A03

Cross-Site Scripting (XSS)

2021 merged into A03-Injection

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

OWASP's preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.

Theatre Manager looks for any attempt to put Javascript and other characters into a form and simply removes them. We have determined that there is no valid need to have words like <script> in enterable fields like name or address.

2021MGD

2017A08

Insecure Deserialization

2021 merged into A08-Software and Data Integrity Failures

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

2017MGD

2015A04

2013A04

Insecure Direct Object References

2017 merged into A05-Broken Access Control

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Theatre Manage does not allow direct access to any object in the database through the use of an API. Users cannot retrieve data in an unauthorized way as all queries are done via a controlled API.

2017MGD

2015A07

2013A07

Missing Function Level Access Control

2017 merged into A05-Broken Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

This does not directly apply to Theatre Manager's web services due to the APIs used to control access to the system -AND- the very limited number of pages in the WebPages directory which are used exclusively for the singular function of web sales.

Accessing the limited number of web pages in the WebPages directory in a direct manner does nothing unless they are processed by a web service.

2017n/a

2015A08

2013A08

Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Theatre Manager does not allow access to the database except via API. It also forces a timeout for inactivity and injects a unique form token key for each HTTP POST request.

The cookie is time sensitive and is unique for each request sent from the server and back from the client. It is encrypted and contains other non-visible data that must be verified upon receipt back at the server. Failure to meet the verification requirements causes rejection of the request and the process to start over. Absence of a properly formatted and encrypted cookie rejects the request and starts over.

The form token is a unique encrypted time-sensitive field that is placed into each web page by the server. When a form is submitted, the server checks the form token with what was sent out. If it does not match, the patron is sent to a 'safe' landing page. Currently, Theatre Manager sends patrons who are logged in to the 'home' page and those that are browsing anonymously to the 'event listing' page. No form can be submitted twice.

2017n/a

2015A10

2013A10

Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Theatre Manager does not use redirects to any unknown source in any commerce web page. All URLs returned by the server are specific to each API. Requests for APIs that do not exist return a proper 404 HTTP response (not found)

PostgreSQL Database Server

The following instructions are used to set up a PostgreSQL server for use with the Theatre Manager application. Please follow the directions appropriate for the server platform you are using.

  • Installation on a Macintosh
  • Installation on Windows
  • Postgres will run on Linux and other Unix variants. You will have to install the server yourself by obtaining it from the PostgreSQL web site and follow much of the Macintosh setup steps for configuration and backups. We do not provide automatic installers or configuration/operational support for Linux servers.

The server only needs to be set up on one machine where you want the database to reside. Theatre Manager can be set up on as many machines as you wish.

  • Always make off machine AND offsite backups of the database. Consider implementing streaming replication. Backups are your best protection against almost all disasters, viruses or ransomware.
  • NEVER join a domain. This limits the people who can see or get into the machine remotely and largely avoids viruses.
  • Only allow external access via port 5432 for SQL traffic. Do not allow file server access.
  • If you must, only install virus software on the PostgreSQL Server under very controlled circumstances and never allow virus scanners to scan the actual Postgres database directories.

    Remember that Virus Software is the strongest attack vector for the bad guys and not guaranteed safety.

Replication is a feature of Postgres and is automatically set up for venues using AMS Cloud. Self service venues may set this up if they wish - the support team is unable to help you.
If you are using PCI schedule 'A", 'B', or 'C' compliance, credit card information will never pass through the database and it can effectively be taken out of PCI scope.

Refer to Postgres security notices for list of security issues addressed in each version.

Macintosh PostgreSQL Server

The following instructions are used to set up a Macintosh PostgreSQL server for use with the Theatre Manager application. Click if you are doing Windows setup

The server needs to be set up on one machine and the application can be set up on as many machines as you wish.

Follow these steps if you are using the Theatre Manager TMPostgresSetup installer program; you may want to bookmark this page in your browser in case you want to refer to these installation steps. If you are only installing a demo, refer to the last column for required steps.

task Description Full Install Demo
1 download the PostgreSQL installer for Mac yes yes
2 the installation of the PostgreSQL SQL server yes yes
3 configuration of the server parameters for maximizing performance in a production database yes no
4 creating a daily backup job using TM Server yes no
5 Turn off energy saving, airport and other energy saving features yes no
6 (Optional) Implement hot database standby server depending on load and other considerations. no no

Notes and Assumptions:

  • This install process will install or update PostgreSQL. If you are updating across versions, you may need to refer to Updating PostgreSQL Instructions
  • You MUST turn off all virus protection while running the installer (especially Norton if you are using it). Virus software always interferes with proper software installation.
  • If this installer is being used to create a demo installation, then you only really need do steps 1 and 2.

Step 1: Install PostgreSQL database server

When you run the installer for the database components, it will put the actual installer files into the Macintosh HD/Users/Shared directory along with all the support files needed for the rest of the steps.

The actual Postgres install process is part of the install process. If you cancel the setup of Postgres, you can always start it again by repeating the process from the start.

Installing PostgreSQL on a Macintosh

Before starting the install, please check that the computer date and timezone settings are correct. Failure to do so may cause Postgres to think it is in a different timezone.
If you are unable to install, you might need to use the following commands in terminal before running the installer More info is under disable power saving settings - Step 1:

sudo spctl --master-disable
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO

1.
  • Double click on the TMPostgresSetup.zip file that you downloaded. It will unzip and create a TMPostgresSetup.pkg file.
  • Double click on the TMPostgresSetup.pkg
  • You will see the introductory 'Splash' screen
  • Click Continue on the splash screen.
2. Click Continue on the Licence Agreement screen after reading it.

3. Click Install to begin the actual install.

4. You will need to enter an administrator user ID and password to continue

5. You will see the installation progress as the Postgres database engine is installed

5. When the isntaller is finished successfully, click the Close button

Step 2: Configure the PostgreSQL server parameters

When you are able to connect to the database using Theatre Manager, it's time to tune some of the parameters for PostgresSQL that are specific to your machine and setup. On a Mac, this needs to be done with VI under the Postgres user account.

The general steps are:

  • Edit the pg_hba.conf file to indicate which IP addresses may talk to the database server
  • Edit the postgresql.conf file to adjust some memory settings for performance
An easy way to determine key config parameters is to use pgtune and paste the results at the bottom of the postgresql.conf file (don't forget to add ssl=on and Bonjour=on to the results).

PG_HBA.conf file

What does this file do? This file controls all access by users to the PostgreSQL server.

In order for clients to connect to the server, their IP address must be in the allowed list of users. The two common authentication methods that you will see being used for Theatre Manager clients are MD5 and trust.

  • MD5 does md5 password authentication and should be used for just about all entries to this file.
  • Trust allows clients to connect without password authentication; the only 'trust' entry should should be for the local server machine and/or localhost.

1. The first changes to make involve the pg_hba.conf file and the postgres.conf file. To do so, you'll need to use VI (a text editor) and be the postgres user in Terminal. To do this, start Terminal and type

su - postgres

enter the password

2. Go to the postgres data directory by typing

cd data

3. Edit the postgres pg_hba.conf file that contains the addresses to listen on. Type

VI pg_hba.conf

(full pathname is /Library/Postgresql/[version]/data/pg_hba.conf)

You should see a page of information. If you do not, then type 'Shift Q' and then just a 'q', after which you can start the process over. If you see the list of text similar to the right, then:

Use the down arrow on your keyboard to go to the very end of the file.

4. EditHba

When you are at the end of the file, use the up arrow on your keyboard so that you are right after the first line in the IPv4 settings, where it says 'host all all 127.0.0.1/32 trust'. In the example the cursor is on the '#' on the line after.

type the

I

key and the message at the bottom will change to Insert.

5. EditHba

Edit the pg_hba.conf so that its final settings are similar to the window on the right.

Type directly into Terminal so the data looks like the window above. Use the Delete key to get rid of characters. You will likely end up typing the following lines where the first one is your subnet. This is the most typical example we've seen at venues

host all all 192.168.1.0/24 md5

NOTE: For the 127.0.0.1/32 option, edit the handshaking to be TRUST at the end of the line to allow backups to run unaided.

NOTE: If your machine uses IPv6 (the new internet IP setting standard), you may also need to set ::1/128 to be TRUST instead of md5. If so, edit that line to look like:

host all all ::1/128 trust

NOTE: If you are running version 9.0 or higher of Postgres in a Mac environment the local all all line should be set to TRUST.

NOTE: You may also need to edit the local all all line from md5 to TRUST. This can be determined if the backup script will not run without a password after changing the settings above for 127.0.0.1 and ::1/128.

The line you added (or need to add) are for:

  • The local subnet - as in 192.168.9.0/24
  • Other subnets that need to access the data - as in 10.1.5.0/24
  • Any single machines that must have access - as in 55.66.77.88/32 (via VPN)

At the end of the subnet, the /24 refers to a complete subnet when you want any machine on the subnet to access the database as per CIDR rules. This is what is used most often.

The /32 refers to a particular machine. If you use this option, you will need to provide the exact computer IP that you want to allow to access the database.

6. EditHba

At the end, type, in this order:

hit the esc key

(the insert mode will dissappear)

Shift Q

(the window will show the 'Entering Ex mode' message)

wq

and the window will clear.

 

Reference for settings in the pg hba.conf file https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

7. In the command line, type the following to reload the configuration:

pg_ctl reload

Terminal will say 'server signalled'

POSTGRESQL.conf file

The postgresql.conf file contains parameters to help configure and manage performance of the database server. You can use most parameters as installed out of the box, but the server will go much faster if you alter about a half-dozen key settings.

Note: you can also use pgadmin as described in the Windows setup to make these changes if you prefer.

Another was to get the key config parameters is to use pgtune and paste the results at the bottom of the postgresql.conf file (don't forget to add ssl=on and Bonjour=on to the results).

1. You will need to start by changing to the postgres user in Terminal. To do this, start Terminal and type

su - postgres

enter the password

2. Go to the Postgres data directory by typing

cd data

3.

This will use VI to edit it. Type

VI postgresql.conf

when the list appears, type

I

to go into insert mode and use the up and down arrows to find the options below

 

Find and edit the parameters in the list below and change them to the suggested values, if they are not already set to that value.

if any line contains a '#' at the beginning and you need to change that line as per the instructions below, make sure to remove the '#' as it uncomments the parameter. If there is no '#', then just change the values.

For any setting that is about disk space or memory, you can type 1GB, 1000MB, or 1000000KB - they are all equivalent. Do not leave a space between the number and the memory amount at the GB, MB or KB; otherwise, Postgres will not start.

4. use pgtune to get some optimized parameters for your machine and replace the values below. It is probably better to append the results from pgtune at the end and filling any missing settings at the bottom.
bonjour If you wish your Postgres server to be discoverable using Bonjour services so that the Mac version of Theatre Manager can automatically locate a server on the network, this value can be uncommented and changed from off to on

It will probably look like #bonjour = off. Remove the # from the front of the line (if any) to activate that parameter and change off to on

max_connections The default is 100 which may be fine for most venues. For venues with more users and web servers, 200 to 400 is suggested.
shared_buffers This value should be 20-25% of the total system total RAM. You find this value on the task manager as the total physical memory. Enter values as xxMB.
temp_buffers This value should be 20MB.
work_mem This value should be 20MB. Enter values as xxMB.
effective_cache_size This value should be about 75% of AVAILABLE ram. So, on a 4GB system, this value would be 3072MB. Set the shared memory first. Shared memory is part of the effective cache size. If there is enough available ram in the machine, to exceed the size of the database, it means most reads will be cached in memory.
timezone The timezone parameter is set to match the computer's timezone during the installation of Postgres. If the timezone is incorrect on the computer, you may need to correct the timezone in the config file. Refer to Wikipedia article on time zones (Use the TZ column)
ssl Change this parameter from off to on to enable encrypted TLS communication with the database. You will need to put a self signed TLS certificate into the data directory by using either the one supplied with the installer, or making your own.

Reference for postgres.conf file parameters https://www.postgresql.org/docs/current/static/runtime-config.html

5. Once the changes are made, type, in this order:

hit the 'esc' key

(the insert mode will disappear)

Shift Q

(the window will show the 'Entering EX mode' message)

wq

and the window will clear and you will be back at terminal

OSX Self Signed TLS Certificate

Making your own Self Signed TLS Certificate

It is generally best to create your own certificate. It takes about 30 seconds to do, and has the advantage that the certificate is unique to your database.

Start a terminal session, type the following 2 commands, and then follow the instructions as prompted. You can copy/paste the command.

cd /Users/Shared
openssl req -newkey rsa:4096 -nodes -keyout server.key -x509 -days 365 -out server.crt

Answer all the questions you are asked and when done, find the files in the /Users/Shared directory called:

  • server.crt
  • server.key
Continue to the installation step.

 

Using a supplied self Signed TLS Certificate

We have created a 4094 bit TLS certificate and included it with the installer. While it is better to create your own, if you need one fast to get started, you can use ours and create your own later (per the step above).

Go to the /Users/Shared folder and find the files called:

  • server.crt
  • server.key
Continue to the installation step.

 

Installing the server.crt and server.key Files

You will need to copy the files to the Postgres User directory as the postgres user. Do the following commands in Terminal:

su - postgres      (and enter the password when asked)
cd data
pwd      
Make sure the results of the pwd command says that the directory is /Library/PostgreSQL/x/data where 'x' is the version of PostgreSQL you have installed. It if does not, do not go any further. and call for assistance.
cp /Users/Shared/server.crt server.crt
cp /Users/Shared/server.key server.key
chown postgres:daemon server.*
chmod 600 server.*
ls -la

In the listing, the two files should now be in the postgres data directory and all that needs to occur is to stop and restart the database.

pg_ctl stop -m fast
pg_ctl start
Once the database is running, start Theatre Manager and go to the window showing employees that are logged in to see that the connection being used is secure.

Step 3: PostgreSQL server backups

Venues with databases on the AMS Cloud do not need to set up or manage backups - other than to request a special backup before running year end rollover

Once the database is set up, you will need to establish a back up frequency that is appropriate for your venue.

There are two steps to configuring the backup:

  1. Use the System Preferences->Backup to setup the backup frequency within Theatre Manager. The TM Server backup process uses this setup to do the backups
  2. Configuring a TM Server to do backups and monitor them

From then on, backups occur automatically. If they do not, you will receive a message on login that a backup has not been run for the past 24 hours.

Disable Power Saving Settings on Server

Additional Setup Considerations

Update to the latest version of macOS (macOS 12 Monterey or later).

It's free. The highest version you can update to will depend on how old your machine is.

The following settings should be made on all servers (Postgres, Apache and web listeners) that are installed on Macintosh.

1 If the Security and Privacy System Preference in MacOS does not show 'Anywhere' which allows applications to run from 'Anywhere', open Terminal and copy/paste the following two commands:

  • sudo spctl --master-disable
  • sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO

You may have to close System Preferences and open it again in order to see the change. If Anywhere is not selected, please select it - as it should allow TM to run when the user is not an administrator.

Installers from TM should make this option visible in system preferences per the image below. if not, run the above command.

Big Sur/Sonoma and later

Earlier versions of MacOS

2 Make sure to
  • turn OFF all energy saving options such as Prevent hard disk sleep, appnap, Do not allow the CPU to go into low processor mode, etc.

    Mojave Settings are to the right to prevent machine sleep.

  • turn ON features like restart the Mac after a power failure'. We also suggest altering the feature to auto-start the Mac at a time like '6:00am' should it just happen to be powered off. This way, your servers should always be on.
  • enable auto-login on machines with TM Server if it will have classic listeners, and set the machine so that you can lock the screen after inactivity. The classic listeners will halt if not running under a user.

    If you cannot set a mac to auto-login, it may be that file vault and/or cloud password needs disabled.

3 Make sure to turn Airport OFF if the Mac comes with it. Airport will cause the Mac to temporarily freeze while it looks for a network to connect to - and will lock out sales while it does that.

This is done by opening the control panel, clicking on the Airport interface, and then clicking on the 'gear' at the bottom to select the option 'make service inactive'. Doing this will change the status from 'off' to 'inactive'.

4 Make sure to force the Mac Mini to use the built-in Graphics Processor Unit (GPU) when displaying screen shots instead of CPU. This prevents remote access from using up a CPU core to display the screen. You can do one of the following:
  1. physically plug in a monitor to the Mac -or-
  2. connect a KVM switch into it that is powered up. -or-
  3. use an attachment like a Headless Video Adapter

Disconnecting a monitor from the Mac will cause the computer to unnecessarily waste CPU cycles on display - when it should use the GPU.

5 Turn off Spotlight Indexing (mdsworker) using Terminal and typing

sudo mdutil -a -i off

On Lion and later, also use the following command

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

This will prevent the operating system from doing unnecessary work while serving web pages. To recognize if Spotlight is running on a server, look for an 'mds' application running. It can use a lot of CPU resources. If you receive Operation not permitted while System Integrity Protection is engaged while doing this, you may wish to disable System Integrity Protection

note: If any mdworker messages are in the console logs (or if mdworker pops up in activity logs), then Spotlight is not turned off.

6 Using Terminal, disable Time Machine for the database folder (optionally, completely disable and local Time Machine files)
  • sudo tmutil addexclusion /Library/PostgreSQL
  • sudo tmutil disable
  • sudo tmutil disablelocal (only for sierra and earlier)
  • sudo tmutil thinLocalSnapshots / 10000000000 4 (for sierra and later to thin local backups if time machine enabled and you need space)
  • tmutil listlocalsnapshots / (optional) to see how many snapshots there are.

Alternatively, you can disable Time Machine through System Preferences.

If you must use time machine on the database server, see the next step for options

7 Do not use Time Machine for the Postgres backups. Use the backup script and move the backups to another machine. If Time Machine must be used on the database server machine:
  • make /Library/Postgresql one of the folders that is ignored by Time Machine.
  • change the backup interval so it is less frequent. 3600 is 1 hour (the default), 43200 is 12 hours. Use terminal and enter the following command.>/li>

sudo defaults write /System/Library/LaunchDaemons/com.apple.backupd-auto StartInterval -int 43200

8 Completely turn off any automatic Software Updates in the Mac's System Preferences. This is a database machine and should be manually updated on a periodic basis under controlled circumstances.

It may be either under 'Software Update' or 'App Store', depending on the version of macOS you have.

9 Completely disable App Nap on the computer running the Classic Listener using the Terminal command below:

defaults write NSGlobalDomain NSAppSleepDisabled -bool YES

10 Update to the latest version of macOS. It is free.
11 Disable 'handoff' in general system preferences as well as disconnect from iCloud.
12 Disable Air Play Receiver on MacOS 11 Monterey in System Preferences->sharing setup.

Windows PostgreSQL Server

The following instructions are used to set up a Windows PostgreSQL server for use with the Theatre Manager application. Click if you are doing Mac or Unix setup.

The server needs to be set up on one machine and the application can be set up on as many machines as you wish.

Follow these steps if you are using the TMPostgresSetup installer program and you may want to bookmark this page in your browser in case you want to refer to these installation steps. If you are only installing a demo, refer to the last column for the required steps.

task Description Full Install Demo
1 Download the Postgres installer for Windows yes yes
2 The installation of the PostgreSQL server. Please make sure to read any caveats for the version of Windows you are using. yes yes
3 Installing the demo database and the main Theatre Manager User optional yes
4 Configuration of the server parameters for maximizing performance in a production database yes  
5 Creating a daily backup job in TM Server yes  
6 Considerations for installing virus protection on the PostgreSQL server - please do not include the Postgres data folder. yes  
7 Turn off Microsoft disk indexing on the volume that the database is running on. yes  
8 Turn off Microsoft Auto Updates on the database server so that it will not restart in the middle of sales. Applying Microsoft patches and updates should be done on a planned basis -- perhaps bi-weekly or monthly as a practice (or immediately if there is a current threat) yes  

Notes and Assumptions:

  • This install process assumes you have NEVER installed PostgreSQL or Theatre Manager on your computer before. If you have, you may need to refer to Updating PostgreSQL Instructions
  • You MUST turn off all virus protection while running the installer (especially Norton if you are using it). Virus software always interferes with proper software installation.
  • If this installer is being used to create a demo installation, then you only really need do steps 1, 2 and 3.
  • This process assumes that you have never installed Theatre Manager or PostgreSQL on your machine. If you have already installed PostgreSQL:
    • you will be asked if you want to un-install PostgreSQL (you may want to do that and then try to re-install after)
    • you may need to remove the 'postgres' user from your computer if one exists; unless you know the existing password for the postgres user.

Step 1: Install PostgreSQL Database Server

Caution: Please read to see if this applies to your installation:

All Versions of Windows

DO NOT set up the Postgres database server to also act as ACTIVE DIRECTORY or as a DOMAIN CONTROLLER.

While it is possible to do so, the reasons not to are:

  • It is part of PCI DSS standard 2.2.1
  • You get better performance
  • More importantly, you obtain better safety/security leaving it a stand alone machine nobody logs into or connects to unless they physically visit the machine.
  • Updating the database server requires logging in as LOCAL admin anyway.

We DO NOT recommend that the database server JOIN a windows DOMAIN CONTROLLER either. There is no need for it.

If you wish to join a domain controller, please leave the database server login window pointing to the local machine (instead of the domain). It makes a user logging on for support and updates easier. Note that the machine should always be locked so sign-in is required - per PCI compliance.

We DO NOT recommend installing virus software on the Postgres database server. Since access to the server is under very controlled access via port 5432 from the Theatre Manager application only, it should not be required.

If you must install virus software on the database machine, set it to scan the machine daily and void the Postgres DB files. The best defence against any virus software is a backup of the database off machine and, even better, off premises.

Additional Notes for Specific Versions of Windows

Windows Small Business Server For Windows Small Business Server, you MUST turn off 'disk quota management' for all users prior to installing Postgres (and leave it off). Otherwise, you may run out of space for the installer and any databases that get installed.
Windows 8 and higher For Windows 8 and higher, you may need to turn off UAC (user access control) if it is acting as a server. You can run Theatre Manager on other workstations with UAC on.
Windows 2012 Server and higher With Windows Server, you will need to be a local administrator to install Postgres.

Run Main TMPostgresSetup Installer

When you run the installer for the database, accept all the defaults.

Click OK Right click on the TMPostgresSetup.exe application and use Run As to begin the install. Select a LOCAL administrator as the user ID to use for the install.

If a checkbox that implies "Protect My Computer" or "Run with Restrictions" is available and enabled, uncheck the box to allow the installer to run with full install privileges.

Click Next
Click Next
Click Next
Click Yes At the end of the TM PostGres installer, you are asked if you want to install the PostGreSQL database in the dialog (as in below).

If you say yes, postgres will install automatically for you and you can SKIP the next section describing how to install it manually and proceed to the step where the installer asks about installing a demo database

Alternatively, you can install them later manually by:

Run Postgres Installer

Do not do this step if you elected to let the Theatre Manager Postgres installer automatically install Postgres for you.

Only reference these instructions if you are running the actual Postgres installer from the Postgres web site manually.

Accept all the defaults on the screens that follow except the last one that references 'stackbuilder'.

Before starting the install, please check that the computer date and timezone settings are correct. Failure to do so may cause postgres to think it is in a different timezone.
Click Next
Click Next

To install PostGres on another drive instead of the C: drive, click the Browse button and select another drive.

  • If you change this location, you must also change the backupTM.bat files later to refer to the other drive.
  • If you changed the install location to D:\BoxOffice, this would have already changed for you in this window

Be aware that the standard install location ignores the 32 or 64 bit version of the operating system.

you should always install to C:\Program Files\PostgeSQL\
Click Next

Enter a hardened ' Account Password' for the postgres user. If you do not supply one, we will generate one automatically. However, if this is a demo. In that case, please pick a user password that you remember - we suggest 'Master'.

For a purchased version of Theatre Manager, this will be set up for you by your trainer who will use a specific AMS password for this server that should not be changed.

Click Next

Leave the Port Number as 5432 (if you change the standard port, you will also have to change it in Theatre Manager login window)

Click Next

Leave both these settings as shown.

Click Next
Click Next

You will need to wait for a bit while the database server is installed

Click Finish

Uncheck the 'Launch Stackbuilder at Exit' setting. There are no additional modules to install into your database at this time.

At this time, the database should have installed successfully and should be runnning.

Load Demo Database

You will be given an option to install a demo database. If you would like to do this, click 'Yes'. It is recommended that you do.
Click Yes
Wait

Wait while a DOS window pops up and shows the progress of the demo database being imported. Depending on the performance and RAM in your machine, this could take a few minutes to finish.

  When the DOS window closes, the database server is installed, and the TheatreManagerDemo database is imported.

Step 2: Create user and import Database

Only perform this step if you did not install the demo database when installing server.

After the database server is installed, You need to create a specific user called TheatreManager and give them privileges. You also want to import a demo database. This step assumes that you have installed into C:\BoxOffice. If you did not, then you will need to edit the .bat files and do this step manually.

1. Go to C:\BoxOffice directory. You will see some files and folders with names similar to below.

2. Double click on the 'ImportDemo' bat file. This starts a DOS prompt and start the bat file running.

If the server is 64 bit, you will need to change the ImportDemo.bat' file to refer to C:\Program Files (x86).

If you have altered the install directory, you will need to change the path name to point to the location that Postgres was installed in. Often, this is just changing the drive letter.

3. You are asked for the password to create the 'TheatreManager' user. Type the password you used for the installation of the database in the preceding section. If this is a demo database install, this may have been 'master' you used when installing the server.

The password is not be echoed back to you and you will not see the cursor move. There is no visual feedback that even a character was typed. You'll just have to get it right. If any of the steps are not right, you can start at the top of this step at any time.

import2

4. You are asked for the password to create a 'TheatreManagerDemo' database. Type the same password used above and elsewhere in the install instructions.

import3

5. You are asked again for the password to import data into the TheatreManagerDemo database. Type the same password again and you will see a lot of lines displayed to you after that point as the demo database is imported.

step4

Step 3: Configure PostgreSQL server parameters

When you are able to connect to the database using Theatre Manager, its time to tune some of the parameters for PostGresSQL that are specific to your machine and setup.

Another way to get the key config parameters is to use pgtune and paste the results at the bottom of the postgresql.conf file

1. Configuring postgres entails editing two files in the 'data' folder of the current postgres installation as highlighted below:
  • Navigate to C:\Program Files\PostgreSQL\15\data
  • The 15 in the path above may be different for you.
    • It could be the number 9 or higher - if you are using versions of Postgres older than version 15 (which is current at the time of writing)
    • If there are versions newer than 15, then this number could be 15 or higher.
    • You will have to look to be sure.
2. edit the pg_hba.conf file using Notepad++
Scroll to the bottom of the pg_hba.conf file and you should see something similar to the image to the right
LOCAL ACCESS Leave Local Access as:
  • scram-sha-256 (postgres 13 and later) -or-
  • MD5 (postgres 12 and earlier) -or-
Under IPV4 Local Connections Add lines for any subnets that need access:
  • The local subnet - as in 192.168.9.0/24
  • Other subnets that need to access the data - as in 10.1.5.0/24
  • Any single machines that must have access - as in 55.66.77.88/32 (via VPN)

At the end of the subnet, the /24 refers to a complete subnet when you want any machine on the subnet to access the database. This is what is used most often.

The /32 refers to a particular machine. If you use this option, you will need to provide the exact computer IP that you want to allow to access the database.

Save your changes and RELOAD the server (see step 4)
3. Edit the postgesql.conf file. Some notes about editing:
  • Parameters are not in alphabetical order, so you may need to scroll up and down to find the ones that are in the list below (or use find) . We've tried to put them in the order that you will find them in the config file. (see *****)
  • Do not change any parameters other than the suggested ones, or unless you have been advised to do so by an expert in PostGres databases.
  • For any setting that is about disk space or memory, you can type 1GB, 1000MB, 1000000KB and they are the equivalent. Do not leave a space between the number and the memory amount at the GB, MB or KB otherwise postgres will not start.
***** Find and edit the parameters in the list to the right and change them to the suggested values, if they are not already set to that value.
An easy way to determine key config parameters is to use pgtune and paste the results at the bottom of the postgresql.conf file (don't forget to add ssl=on and Bonjour=on to the results).
listen_addresses This value should always = '*'

It will probably look like #Listen_address = 'localhost'. Remove the # from the front of the line (if any) to activate that parameter and change 'localhost' to '*'

max_connections The default is 100 which should be fine for most venues. If you have a number of users and web listeners, you might need to make it 150, 200 or even 400.
maintenance_work_mem This value should be 50MB for machines with 1 GB of RAM or more and 20MB for those with less. Enter values as xxMB.
shared_buffers This value should be 20-25% of the total system total RAM. You find this value on the task manager as the total phyiscal memory. Enter values as xxMB.
temp_buffers This value should be 20MB.
work_mem This value should be 20MB. Enter values as xxMB.
effective_cache_size This value should be about 75% of AVAILABLE ram. So on a 4GB system, perhaps 3072MB on a larger system. Set the Shared memory first. Shared memory is part of the effective cache size. If there is enough available ram in the machine, to exceed the size of the database, it means most reads will be cached in memory.
timezone The timezone parameter is set to match the computers timezone during the installation of postgres. so, if the timezone is incorrect on the computer, you may need to correct the timezone in the config file. Refer to wikipedia article on time zones (Use the TZ column)
ssl Change this parameter from off to on to enable encrypted TLS communication with the database. You will need to take 30 seconds and put a self signed TLS certificate into the data directory by using either the one supplied with the installer, or making your own.

Reference for postgres.conf file parameters https://www.postgresql.org/docs/current/static/runtime-config.html

 

Note: the best place to get memory values is from the 'Activity Monitor' on the 'Task Manager'. See an example below for what this screen looks like.

To find it, right click on the task bar and pick 'Task Manager'.

taskManager
Save your changes and RELOAD the server (see step 4) for most changes. If the change does not take effect, you may need to RESTART the server. This is usually only when first installing Postgres as changes to this file are rare
4. Reload or restart the postgres server to cause the new settings to be used.

All changes to the pg_hba.conf and many changes to postgresql.conf can be reloaded. That put the parameters in place without restarting the server, so any services (like web sales) that are running, continue to run.

A reload is done by:

  • using the windows start menu
  • finding the 'PostgreSQL application grouping
  • using the reload Configuration application

A few changes to the postgresql.conf file will require the postgres server to be completely restarted. This is usually noted in the comments beside the parameter. If this is required, the general steps are below. It is very rare that these parameters are changed after installation - so it might be best to ask support to help you with a complete server restart if you are not familiar:

  • Open services control panel
  • Find the postgresql service
  • Stop the postgresql service
  • Start the postgresql service
  • Make sure it is running
  • Restart the web services

Windows Self Signed TLS Certificate

Making your own Self Signed TLS Certificate

It is generally best to create your own certificate. It takes about 30 seconds to do, and has the advantage that the certificate is unique to your database.

Start a CMD prompt, type the following 3 commands, and then follow the instructions as prompted. You can copy/paste the commands.

cd C:\OpenSSL-Win32
cd bin
openssl req -newkey rsa:4096 -nodes -keyout server.key -x509 -days 365 -out server.crt

Answer all the questions you are asked and when done, find the files in the C:\OpenSSL-Win32\bin directory called:

  • server.crt
  • server.key
Continue to the installation step.

 

Using a supplied self Signed TLS Certificate

We have created a 4094 bit TLS certificate and included it with the installer. While it is better to create your own, if you need one fast to get started, you can use ours and create your own later (per the step above).

Go to the C:\BoxOffice folder and find the files called:

  • server.crt
  • server.key
Continue to the installation step.

 

Installing the server.crt and server.key Files

  1. Select both the server.crt and server.key files and right-click to COPY them
  2. Navigate to the postgres data directory which is C:\Program FIles\Postgres\x\data where 'x' is the version of PostgreSQL you have installed.
  3. Right-Click and PASTE them into the data directory
  4. You will need to restart the Postgres server for the changes to take effect
Once the database is running, start Theatre Manager and go to the window showing employees that are logged in to see that the connection being used is secure.

Step 4: Database Backups

Venues with databases on the AMS Cloud do not need to set up or manage backups - other than to request a special backup before running year end rollover

Once the database is set up, you will need to establish a backup frequency that is appropriate for your venue.

There are two steps to configuring the backup:

  1. Use the System Preferences->Backup to setup the backup frequency within Theatre Manager. The TM Server backup process uses this setup to do the backups
  2. Configuring a TM Server to do backups and monitor them

From then on, backups occur automatically. If they do not, you will receive a message on login that a backup has not been run for the past 24 hours.

Postgres User Password

Postgres is installed using a secure password for the 'service' user under windows. It may be changed by the venue if they wish and if you do so, then you may need to:
  • Find the local 'postgres' user on the computer using the Windows Administrative tools an edit the user id. You can change the password the way you would normally change the password for any other user (and is dependant on your version of windows)
  • If you change the service password, then you must also open the 'services' control panel and find the postgres service. Change the password there as well. To confirm that you got it right, please stop and start the postgres server. if it stops and starts, its safe to bet that the server will restart on the next reboot of the server.

Increasing Windows Performance

Postgres MUST be on a stand alone server so that it can be left alone to do its job. If this is possible, then the only thing that needs to talk to it is Theatre Manager clients through port 5432. Under that scenario:

On Windows machines:

  • Enable Windows Firewall to allow incoming on port 5432 for the database and turn off other non-essential ports. Alternatively, make sure that your IT personnel have opened the correct ports through the firewall between computers as per these firewall/router rules.
  • Turn off auto-updates completely

    These are something to be done manually and on a periodic scheduled basis. You do not want servers restarting in the middle of the night, nor do you want downloading to affect performance of your servers.

  • Turn off:
    • microsoft indexing for all directories and sub directories. by looking at the properties of the drive that database is running on
    • And go to Services to find Windows Search and disable that.
  • Disable any disk quota management on the disk drive
  • turn off any virus scanning for ports and data directories used by postgres

    NOTE: if using windows 10 pro, you need to permanently disable windows defender using one of the methods in the link. In win 10 Pro, use gpedit.msc to disable by group policy editor since windows 10 turns it back on later if you only temporarily disable it (Another stupid idea form Microsoft)

  • Note: turn off any virus scanning against the database directory which is usually

    C:\Program Files\PostgreSQL
    or
    D:\Program Files\PostgreSQL (if there are two drives)

  • Do not install active directory or join it to a domain. Only local access is required to this machine
  • Turn off file sharing or any means that might allow a file to be added to the machine, other than via the postgres engine
  • turn off any energy saving options
  • do not use the machine for saving snapshots of files by turning off 'use shadow copies' on the appropriate drives. (This is set in the properties of the drive)
  • set best performance options to maximize background performances.

Leaving any of those on will affect performance of the server for the database

Disable Defragmentation

Why Microsoft Windows turns on defragmentation by default, we don't know, but its not necessarily good for servers. It is particularly terrible if you have Solid State Drives as it affects the longevity of the device by interfering with the drive's wear leveling algorithms. We suggest turning it off from being automatic.

  • Click on the drive containing the database server
  • Right click to get properties
  • Click on the Tools tab
  • Click on the 'optimize' button
  • Look at the bottom to see if optimization is on (or off)
    • The button to turn it on and off is on the lower right
    • The current state is on the lower left

Disable Download of Updates and Auto Updating

For most versions of windows servers, you want to do controlled update so that you can pick the time of outage. We recommend using the sever versions of Windows as they behave as you expect (so far). Windows 10 has a mind of its own and may need some special treatment.

Windows Automatic Updates is now found in Services in Windows 10.

How to locate:

  • Open Control Panel and Administrative Tools
  • Select Services
  • In the Services window, scroll down to Windows Update and turn off the process.To turn it off, right-click on the process, click on Properties and select Disabled.
  • Note: windows 10 sometimes listens to you, most times it does not, despite what you indicate in various settings and you may have to:

Disable power saving on ethernet

For watever reason, Windows (out of the box) tends to be set to maximum power-saving which includes setting your network connection to go to sleep when it can:
  • especially on workstations, and
  • especially if you go take an extended coffee break or have a meeting.
This is not the best setting for any application, like Theatre Manager, QuickBooks or other accounting software that needs to connect to a database on a server.

We suggest disabling power management on the ethernet card.

  • use instructions like this for windows 7 and 8
  • Use instructions below for Windows 10 (they are very similar to windows 7)
    • Open Control Panel
    • select network and Internet
    • Pick Network Connections. the screen should look like below
    • click the network card
    • right click and show properties
    • click configure

    • click power management and uncheck the highlighted item per the image below

In addition, please make sure to disable power management except for monitors.

Making Windows Defender Manageable

Windows defender can prevent Theatre Manager auto updates from occurring in Windows 10 and can interfere with restarting of TM server. It can be addressed by:
  • Using 2012R2 or 2016 server for server processes instead of Windows 10. 2012R2 server does what you tell it with Defender, windows 10 does not - it automatically turns itself back on unless you
    • Set windows defender exclusion to all theatre manager folders on that machine -and/or-
    • Turning the Defender policy off -or-
    • Installing some other AV software that disables Defender and takes over. (we dislike this option - other AV software is much much worse)
  • Make sure to turn off DEP on windows 10 for all but essential programs - it might affect TM server from starting on startup

Setting a Custom Power Plan

Make sure to also turn off power saving on your ethernet card on all servers and workstations.

Create a custom Power Plan

  1. Open the control panel.
  2. Click Power Options.
  3. Click the Create a Power Plan option
  4. Select the bullet next to "High Performance"


  5. Click Next.
  6. Change the Display setting to "Never"


  7. Click Create.

Turning Off Indexing in Windows

There are a couple of ways to disable indexing.

Using Control Panel

You can usually turn of most indexing by clicking on the properties of the device. However, it seems windows 10 doesn't fully listen, so it may be best to approach this task via the control panel.

  1. Open Control Panels
  2. Look for where things are indexed
  3. Follow these instructions to disable indexing or something like the intent of the instructions.

Disabling indexing of disk from C drive properties

  1. Double-click on My Computer (or Computer).
  2. Right-click on C: drive (or the drive letter that Postgres is installed under).
  3. Select Properties from the popup context menu.
  4. Click the General tab.
  5. Remove the check in the "Allow files on this drive to have contents indexed in addition to file properties" box.

  6. Click Apply.

    It may take several minutes for Indexing to complete. If a message pops up indicating Administrator permissions are required click Ok. If the current user is not the Administrator a prompt for the Administrator password will appear. Enter the password and continue. If a prompt appears indicating select folders cannot be altered it may be they are already open. Click Ignore All and let the process continue.

  7. Click OK.
  8. Reboot the computer.

Repeat this setting on the Web Listener computer, and the Apache server as well

Turning Off Disk Quota Management

  1. Double-click on My Computer (or Computer).
  2. Right-click on C: drive (or the drive letter that Postgres is installed under).
  3. Select Properties from the popup context menu.
  4. Click the Quota tab.
  5. Remove the check in the "Enable quota management" box.

  6. Click Apply.
  7. Click OK.
  8. Reboot the computer.

Turning Off Windows Previous Versions

To check if the setting is turned on:

  • Double-click on My Computer (or Computer).
  • Right-click on C: drive (or the drive letter that Postgres is installed under).
  • Select Properties from the popup context menu.
  • Click the Previous Versions tab.

If Folder Versions reads "There are no previous versions available" this option is turned off. However, if backups are listed with date and time stamps, the feature is enabled and needs to be turned off.

  1. Click Start >> Control Panel.
  2. Click System in the Control Panel window.
  3. Click System Protection in the left column.

  4. Select the drive Postgres is installed on.
  5. Click the Configure button.
  6. Move the bullet to "Turn off system protection".

  7. Click Apply.
  8. Click OK.
  9. Reboot the computer.

Setting Best Performance Options

  1. Right-click on My Computer (or Computer).
  2. Select Properties from the popup context menu.
  3. Double-click on System Properties in the left column.
  4. Select the Advanced tab.
  5. Move the bullet to "Adjust for best performance".

  6. Click Apply.
  7. Click OK.
  8. Reboot the computer.

Turning Off UAC for Windows

  1. Open the control panel.
  2. Click User Accounts.
  3. Click the Change Users Account Control Settings link under Action Center
  4. Move the slider down to Never notify.
  5. Click Ok.

Linux PostgreSQL Server

The following instructions are used to set up a Linux PostGreSQL server for use with the Theatre Manager application. Click if you are doing Windows setup or Click if you are doing Macintosh setup.

As of July 1, 2018, the most recent version of Postgres is 10.4 (or later) - we recommend the latest production version be installed on new machines.

The server needs to be set up on one machine and the application can be set up on as many machines as you wish.

Follow these steps and you may want to bookmark this page in your browser in case you want to refer to these installation steps. If you are only installing a demo, refer to the last column for required steps.

task Description Full Install Demo
1 download the PostGres installer for Linux from Postgresql.org yes yes
2 the installation of the PostGres SQL server yes yes
3 installing the demo database and the main TheatreManager User optional yes
4 configuration of the server parameters for maximizing performance in a production database yes  
5 creating a daily backup job in using cronnix to run the backup yes  

Notes and Assumptions:

  • This install process assumes you have NEVER installed PostGres or Theatre Manager on your computer before. If you have, you may need to refer to Updating Postgres Instructions
  • You MUST turn all virus protection while running the installer (especially Norton if you are using it). Virus software always interferes with proper software installation.
  • If this installer is being used to create a demo installation, then you only really need do steps 1, 2 and 3.
  • This process assumes that you have never installed Theatre Manager or Postgres on your machine. If you have already installed Postgres:
    • you will be asked if you want to un-install Postgres (you may want to do that and then try to re-install after)
    • you may need to remove the 'postgres' user from your computer if one exists, unless you know the password for the use.

Step 1: Install PostgreSQL Database Server

PostgreSQL for a Linux implementation is the responsibility of your organization to provide the necessary expertise to install, configure, upgrade and maintain the database server.

Installing PostgreSQL on Linux

Before starting the install, please check that the computer date and timezone settings are correct. Failure to do so may cause postgres to think it is in a different timezone.
1. Install the latest production version of PostgreSQL application using apt-get or yum as per the flavour of unix you are using.

Step 2: Create user and import Database

Installing a demo database

The database server needs a specific user called TheatreManager with specific privileges that will be assigned as the owner of each database. We also want to import a demo database. This step assumes that you have installed things into the /Users/Shared directory. If you did not, then you will need to edit the script and do this step manually

1. Go to /Users/Shared directory. You should see some files and folders with names that look like below.

Import1

2. Start terminal and change the user to 'postgres' by typing:
su - postgres
Press RETURN
and then type the postgres user's password (password will not display anything)

import2

3. Drag the script '/Users/Shared/CreateDemoDB.sql onto the terminal window. This shortcut saves typing anything.
Click into the terminal window and then press RETURN to start the command.
If it does not run, then possible issues are:
  1. You need to have execute permissions on the 'CreateDemoDB.sql' script. Use File Examiner to check or fix that (or use unix chmod commands to give permission).
  2. Make sure that postgres was configured with 'trust' permissions for the local machine.
  3. Make sure that postgres was installed into the /Library/Postgresql8 directory.
import3
4. The script will run and load up the TheatreManagerDemo database. You can modify this script to load up a customer database if necessary by editing it in BBedit or in textedit (make sure to save it as text if you use textedit - its preference, unfortunately, is to save as an rtf document). Note, any WARNING messages from the TheatreManagerDemo database creation can be ignored. These warnings are normal.

step4

Update or Remove PostgreSQL

If you have already installed the Postgres database engine on your Windows server and need to update it, then follow the appropriate update steps. This also indicates when to make a backup after everybody has been locked out of the database.

Updating Postgres

Download the latest postgres installer from the Artsman web site. Once you have it, make sure you have done the following steps:

  1. Check the version of postgres you are running. This is in the 'About Theatre Manager' menu. Look at the bottom left of the 'about Theatre Manager' screen. You will see your database name followed by a number such as (9.4.x) or (9.3.x) etc. Record this version for later.
  2. Log everybody out of Theatre Manager, including
    • Any user at the login window and/or
    • The second generation TM Server and/or
    • Classic web listeners
  3. Edit the pg_hba.conf file to restrict access and
    • Comment out any access that is allowed from any another IP address - and only allow access from 127.0.0.1
    • Reload (or restart) the postgres server configuration to make sure no other user would be able to log in and disrupt the upgrade.
  4. Make sure you have made a backup of the database, using the procedures in the daily backup job process after everybody has been locked out.
  5. Once you have confirmed the backup exists and have made another copy of that in a different place (just to be safe), then follow the specific instructions for updating the same version or from an older version as required. Refer back to the version of the database that you recorded in the first step above
  6. After the database has been restored, edit the pg_hba.conf and
    • Un comment any access that you removed previously
    • Reload (or restart) the postgres server configuration and make sure others can now log in.
  7. Restart any web services

Updating the Same Version of PostgreSQL

These steps are for updating Postgres on a Windows server where the version of postgres is at the SAME major revision level as you are currently running. The major revision level is denoted by the first two digits of the postgres version.

Remember, do not attempt to try this unless you just made a backup of your database. Preferably, you should also have restored that backup on another machine for safety, logged into it using Theatre Manager to prove that you can restore a backup and that it has 100% integrity.

  1. Make sure you are running postgres version 9.2.0 or later.
  2. Refer to the overall instructions to download the latest TMPostGresSetup installer.
  3. run the TMPostGresSetup installer.
    1. This will place all the install files into the C:\BoxOffice folder.
    2. Do not install the latest version when asked by the installer
    3. Let the installer complete and quit out of it.
  4. Go to C:/BoxOffice and find the latest version of postgres.
    • It will have a file with a name similar to the one below - with a different version number on it reflecting the latest one.
    • As of March 2013, the current shipping version will be 'Postgresql-9.2.3-1' or later.
  5. Double click on it.
  6. It will start up the installer and default most of the settings based on the existing installation.
  7. Follow the instructions and you will generally only need to use the 'next' key to continue (a few times) until the upgrade (or install) begins.
  8. At the end you will need to restart the server.
  9. Check that you can log in to Theatre Manager from the serer or any workstation.
    1. If the Postgres Service did not start, make sure that the Postgres User password (system settings or active directory) is the same as the password for the Postgres Service in the services panel
    2. If Postgres did startup, you are done.

Updating Older Version of Postges

These steps will assist you upgrading Postgres on Windows that has an older major version number of Postgres to the most recent version. The major version number is denoted by the first two digits.

If you have postgres 9.4.x (or older), the upgrade process involves some extra steps and can be done by Arts Management Support team if you are not comfortable following the steps below.

Remember, do not attempt to try this unless you just made a backup of your database. Preferably, you should also have restored that backup on another machine for safety, logged into it using Theatre Manager to prove that you can restore a backup and that it has 100% integrity.

Upgrading older Versions of Postgres

  1. Make sure that nobody is using Theatre Manager and that all second generation servers and classic web listeners are shut down
  2. Making a manual backup of the database using the DOS bat file C:\BoxOffice\BackupTM.bat and restoring it to a dummy database to make sure the backup will restore.
  3. Recording the PG_HBA.CONF and POSTGRESQL.CONF settings unique to this server
  4. stopping the server using the 'services' control panel.
  5. Un-installing Postgres by:
    • going to Control Panel and
    • looking for 'Add or Remove Programs' (XP) or 'Programs and Features' (or whatever Microsoft changed it to in the version of windows you have)
    • Finding the installed version of Postgres that you have and 'uninstalling it'
  6. Deleting the old postgres server data directories. These will generally be in C:\Program Files\Postgres or C:\Program Files (X86)\Postgres - depending on if you have 32 or 64 bit versions.
  7. Use the download steps to obtain the latest version of the Postgres installer from the ArtsMan site.
  8. Changing the configuration parameters in PG_HBA.CONF and POSTGRESQL.CONF per the standard install instructions or you can match those that your recorded from the prior version's config files if you optimized anything. Note, you cannot simply copy the older versions of both files in the new install of postgres as parameters are sometimes added or removed.
  9. Restoring the old database by
    • Creating a new database on the server that matches its prior name. (eg, if it was called 'MyTheatreDB', call it the same name.)
    • Setting the owner to 'TheatreManager' and the Encoding to 'UTF8' (which is the default in all current versions of postgres)
    • Importing the backup of the database made at the beginning of the instructions into the new database server.
    • Starting Theatre Manager and attempting to log in. (if you cannot, make sure that the pg_hba.conf is correct)
  10. Setting up the backup job again and verifying that it works. Verifying it works means that you actually run it under the task scheduler and ensure that the backup file sizes are as expected.

Removing Postgres from Windows

Postgres can be removed buy un-installing it and then removing the data directory.

  1. Preferred Method:
    1. Go to Setup->Settings->Control Panel->Add/Remove Programs
    2. Find the line that refers to your Postgres installation
    3. Use the remove option
    4. Delete the C:\Program Files\PostgreSQL folder to remove your database. (Note: it could be on another drive)
  2. Secondary Method:
    1. Run the PostGres installer and 'uninstall' the database first, and then run the install process -and/or-
    2. Delete the C:\Program Files\PostgreSQL folder, (Note: it could be on another drive) -and/or-
    3. Remove the 'postgres' user from you list of users using the admin tools -and/or-
    4. make sure that the PostGres server is not running as a service and has been removed using RegEdit

Theatre Manager Desktop Application

Installing or Updating??

Installing or Updating Theatre Manager is a similar process. If you do not already have the latest TM installer, you can obtain in one of three ways:

  • If you have Theatre Manager, you can check to see if an update is available which you can copy to any machine, even one without TM on it.
  • If TM notices an out-of-date component, it downloads the latest installer while you work and prompts for an update when you log in.
  • If you are new to Theatre Manager, you will have been provided a link in an email

Once you have the latest available version of the Theatre Manager installer/updater, please follow the specific instructions for:

  • Macintosh - macOS 11 Monterey and later recommended - MacOS 12 Big Sur and later will work with 64 bit -or-
  • Windows - Windows 11 recommended - Windows 8.1 or later will work for 64-bit
  • using the General Upgrade Steps as an overall guide.

 

If you set the PCI setting in Theatre Manager 'C', credit cards are never placed in the database. Thee card information is merely passed to the processor and immediately forgotten.
Running an upgrade will, if appropriate, automatically generate a random new PCI seed key and re-encrypt credit cards using the new key. In the process, this destroys any previous crypto keys per PCI DSS standard 3.6.

Credit cards that have been shredded are not affected by the re-encryption process.

Refer to re-encrypting cards if you wish to do this manually.

Theatre Manager has never stored CVV2, Track II or any other non PCI compliant information so removal is not necessary per PCI DSS standard 3.3.

  • Version 8 was certified under PABP 1.4. This audit provided verifiability that there was no CVV2 data.
  • Version 9 was certified under PA-DSS 1.2, also verifying there was no CVV2 data.
  • Version 10 was certified under PA-DSS 2.0, also verifying there was no CVV2 data
  • Version 10.6 was certified under PA-DSS 3.1, also verifying there was no CVV2 data
  • Version 11.0 was certified under PA-DSS 3.2.1, also verifying there was no CVV2 data
  • Future versions will never have any protected data as per PCI requirements.

Macintosh Theatre Manager

Now that the database server is setup and a sample database is imported, we can install Theatre Manager on the machine. These instructions are for installing on Macintosh. If you are using a mixed environment, please refer to the Windows instructions as well.
During a Full Install you will need to provide the administrator password to your machine. If you do not know this, contact your IT support or Systems Administrator.
You may need to go to Apple Menu >> System Preferences >> Security & Privacy to allow apps that are downloaded from anywhere.
If you are unable to install, you might need to use the following commands in terminal before running the installer More info is under disable power saving settings - Step 1:

sudo spctl --master-disable
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO

1. Download the Theatre Manager Mac installer if you have not done so. This link is supplied upon request.
When downloading any update for Theatre Manager, please make sure your personal firewall is turned on PCI requirement 1.4
2.
  • Double click on the TMSetup.zip program you downloaded to extract the TheatreManager.pkg file.
  • Double click on the TheatreManager.pkg that was just extracted to begin the install process and respond to the prompts as follows
In recent versions of macOS, you may need to make a change in System Preferences after attempting to run the installer the first time before it will work.

Click continue

Click continue and read the license agreement

Click 'Agree' to accept the agreement and continue

Click Install

Enter your password (or if you have a Mac with Touch ID, use your finger)

Click 'Close' when done.

3. After installation, look for Theatre Manager link on the desktop and double-click on it to start it up. There will also be a file called TMPreview.pdf on the desktop that illustrates some key features of TM.
4.
For databases on your local server: enter the IP address of your server and click search to see the list of databases.
If your real database is in the AMS cloud, follow these instructions.
For Demo databases: If you get asked to find a database, enter the IP address 127.0.0.1 below and click Search. Normally, you should not need to do this, as the Demo database is always assumed to be on the local machine.

If you cannot connect to the database, check the following settings:

  • make sure port 5432 is open on your machine
  • make sure that the TheatreManagerDemo database got installed by using pgAdmin as per the section below, then come back and try connecting again.
5. (optional) If you are running a demonstration copy of Theatre Manager, you will see a first time setup screen asking you for your company information. All fields except the second line of address and the web site are mandatory. After you put this in the first time, you will not see it again.

These fields are used during the demo to show how Theatre Manager verifies information for you. For example, the city, state and country you enter becomes the default country for new patrons that you may add to the database. The area code for the phone number fields becomes the default for patron entry, etc.

Notice how Theatre Manager converts whatever you type into the proper case as it tries to assist in data entry.

6. Then, if you are able to connect to the database and enter the company information, you will see the login window below. The password for any of the users in the demo is 'master' (without the single quotes).
7. (Optional) if you are running Catalina, you may need to make a change to system preferences to allow permission.
  • Open System Preferences
  • Click on the Security & Privacy preferences
  • Click on the Privacy tab
  • click on Input Monitoring
  • Unlock the preferences to allow changes
  • Click on the checkbox beside Theatre Manager to enable the permission
8. In a production environment, once connected to the database in step 5, you can run the TMSetup file on any other machine in the network. After changing the pg_hba.conf file, and by editing the serial.txt file, you should be able to connect to the database.
You will need to use the IP address of the server to connect, instead of 127.0.0.1, and if you cannot connect to the server:
  • make sure port 5432 is open on the server
  • make sure that the real database is installed and setup using pgAdmin
  • there are no firewalls blocking access
  • the pg_hba.conf IP settings are correct and the server has been restarted

Enabling installation in Security and Preferences

Apple requires that users acknowledge that they trust the installer. The exact message you get may vary depending on the version of macOS you are using.

You can make apple run any installer option-double clicking on an installer and you should see a button that says 'open anyway'
If you are unable to install, you might need to use the following two commands in terminal before running the installer More info is under disable power saving settings - Step 1:

sudo spctl --master-disable
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO

If you run the TM installer and receive a message similar to the one above (implying you have to provide permission). then:

  1. Select the Apple menu at the upper right of your computer screen
  2. Select System Preferences
  3. Select Security & Privacy which is on the top row of the preferences (it may be called Firewall in older versions of macOS).
  4. Click the General tab
  5. You will see a screen similar to the one below. Do one of the following
    • Click on the third option at the bottom saying Anywhere to allow apps downloaded from 'Anywhere'.
    • If that is not visible, then you should see an option to click a button that says Open Anyway to run the installer. If so click Open Anyway
  6. This will start the installation process

Using Network User Profiles - Mac

Follow the steps below if you have Network Users set up and performance of TM seems slow when everything is run across the network.

Primary Method for Network User Profiles - just install Theatre Manager

In macOS, Theatre Manager is designed to store key application components in the local user's 'Application Support' directory. This allows multiple local users on the same machine to use Theatre Manager.

Network Users have a different 'home' directory setup where the key files are not stored on the local machine. When Theatre Manager is installed, it will save some of its files in the network directory - but you may experience some performance issues if the network or server drives are slow.

Alternate method for running Theatre Manager with Network User Profiles:

If performance seems a little slow with a normal installation that users the network profiles, Theatre Manager can be configured a little differently, as follows.

  1. Make sure:
    • Theatre Manager is already installed on the machine using the TMSetup application -and-
    • Nobody is currently using Theatre Manager on the machine
  2. Go to the Applications Folder
  3. Right click on the Theatre Manager application and select Show Package Contents from the context menu
  4. Navigate to Contents --> MacOS --> firstruninstall folder
  5. Copy the entire contents for the firstruninstall folder.
  6. Navigate back to the MacOS folder.
  7. Paste the contents of the firstruninstall folder into the MacOS folder.
    • You may be asked to replace the serial.txt file
    • Respond 'yes'
  8. Delete the firstruninstall folder. The contents of the MacOS folder should now be similar to below.
  9. Test that Theatre Manager starts up and you see the login window.
  10. Log in as a couple of other network users and try again

If you get an error message starting Theatre Manager about permissions writing to a directory, you may need to type the following in Terminal:

sudo chmod -R -v 777 /Applications/Theatre Manager

Missing Zip Code or USPSIMBStanda Font

If you are installing Theatre Manager on a Mac and you get the message that you are missing the following fonts:
  • ZipCode, and
  • USPSIMBStanda
then it simply means you have a newer version of macOS, and it doesn't like the Theatre Manager installer trying to put fonts into the font directory.

To fix the message:


  1. Open the hard drive on your Mac, or open Finder

  2. Go to the Applications directory


  3. Find the TheatreManager application


  4. RIGHT+click on it and choose Show Package Contents from the menu


  5. Go into Contents >> MacOS >> Fonts
  6. The Fonts folder will have both fonts in it.

  7. Double click on each font, one at a time


  8. Click the Install Font button in the lower right corner




  9. macOS will bring up a Font Validation screen.
    There will be a message that it has found a problem with the font. Ignore this.

  10. Check the box next to the font name


  11. Click the Install Checked button in the lower right corner




  12. Repeat for the other font

Windows Theatre Manager

Now that the database server is setup and a sample database is imported, we can install Theatre Manager on the machine. These instructions are for installing on Windows. If you are using a mixed environment, please refer to the Macintosh instructions as well.
During a Full Install you may need to:
  • provide the administrator password to your machine. If you do not know this, contact your IT support or Systems Administrator
  • Disable anti-virus software temporarily and/or provide an exclusion for the c:\Program Files\TheatreManager directory.

1. Download the TheatreManager PC installer if you have not done so. This link is supplied upon request
When downloading any update for Theatre Manager, please make sure your personal firewall is turned on PCI requirement 1.4
2. Run the TMSetup.exe program and respond to all prompts as follows.

Click 'Next'

Read the licence agreement and click 'Yes' to agree to its terms and conditions

Click 'Next'

The installer will begin putting Theatre Manager into the 'C:\Program Files' folder.

Click 'Close'

3. After installation, look for a TheatreManager icon on the desktop or in the Start Menu and open Theatre Manager
4.

If you get asked to find a database, enter the IP address 127.0.0.1 below and click search. Normally, you should not need to do this as the Demo database is always assumed to be on the local machine.

If you cannot connect to the database, check the following settings:

  • make sure port 5432 is open on your machine
  • make sure that 'everyone' has access to all files in the 'C:\Program Files\Theatre Manager' directory
  • make sure that the demo database was installed by using pgAdmin as per the section below... then come back and try connecting again.
5. (Optional) If you are running a demonstration copy of Theatre Manager, you will see a first time setup screen asking you for your company information. All fields except the second line of address and the web site are mandatory. After you put this in the first time, you will not see it again.

These fields are used during the demo to show how Theatre Manager verifies information for you. For example, the city, state, and country you enter becomes the default country for new patrons that you may add to the database. The area code for the phone number fields becomes the default for patron entry, etc.

Notice how Theatre Manager converts whatever you type into the proper case as it tries to assist in data entry.

6.

Then, if you are able to connect to the database and enter the company information, you will see the login window below. The password for any of the users in the demo is 'master'

7.

In a production environment, once you are connected to the database in step 5, you can run the TMSetup.exe file on any other machine in the network. After changing the pg_hba.conf file, you should be able to connect to the database.

You will need to use the IP address of the server to connect instead of 127.0.0.1 and if you cannot connect to the server:
  • make sure port 5432 is open on the server
  • make sure that 'everyone' has access to all files in the 'C:\Program Files\Theatre Manager' directory
  • make sure that the real database is installed and setup using pgAdmin
Make sure to also turn off power saving on your ethernet card on all servers and workstations.

Setting Windows Compatability mode

on Windows 10: you must do this step, along with permitting C:/ProgramFiles/Theatre Manager in Windows Defender
You may encounter a failure to launch Theatre Manager if you are installing or upgrading Theatre Manager on a workstation running Windows.

It can be resolved by telling Windows that Theatre Manager may need to run as administrator for all users. You might see an error like below complaining about an invalid format for userpic.df1 and that it needs converting -- this is a sure sign of windows defender and the settings need to be made.

Follow the steps below

  1. Right Click on the Theatre Manager icon on the desktop
  2. Click properties and then FIND ORIGINAL"
  3. When you find TheatreManager on your desktop and choose Properties
  4. Click on the Compatibility Tab
  5. Click the button to Change Settings For All Users
    • Uncheck: Run this program in compatibility mode for:
    • Check: Run this program as administrator
  6. Click the button Apply

Installing .NET for Windows

It is rare that you might need to do the following steps to install .NET

Only do so if advised by the Arts Management Systems Support Team

Windows installs may require you to do one of the following if you get errors starting Theatre Manager, or if Theatre Manager starts, but seems to hang with some menus open, but the login window does not appear.

Older versions of XP and some versions of Windows 7 may not require this step. However, lately, Microsoft has opted to make their flagship .NET tools an optional part of Windows, which causes the error above. Installing .NET will add that part of Windows back into Windows that Microsoft made optional.

  • Download and install .NET version 2 (XP or earlier) or version 3 (Vista or later) if you do not have it.

Local AppData needs Read/Write permissions

Theatre Manager writes information to each users Local AppData directory. If you have very tight permissions on the desktop, you will need to make sure that Theatre Manager can write and update this directory. See example pathname below:

AMS Cloud Setup

If your database is not in the cloud, pick Local Database and follow instructions for Changing Database. You may have to unclick/click 'Default Port' to allow you to enter the IP address of the database.
If this is a new machine with a newly installed copy of Theatre Manager and you want to log into the cloud, then just pick <AMS Cloud Server> from the database list.
If your database for Theatre Manager is stored in the AMS cloud, the steps to log in to the AMS cloud and connect to your database are:

  1. Start Theatre Manager.
    • If you have never been connected to a database before, you will immediately see a dialog asking you to select a database. Select <AMS Cloud Server> from the popup list.

    • If you have previously connected to a Theatre Manager database before, you will see the familiar list of users. Click the Change DB button at the bottom left of the screen and then follow the instructions above.
  2. You will be prompted with a dialog asking you to:
    • enter the unique Private Cloud Key that you have been given
    • the Private Cloud Password specific to your venue
    Enter both items above and you will be connected to your database in the AMS cloud

  3. If there:
    • Are two or more databases in your cloud setup (eg: your main database and a training one), then you will be asked to pick your database.
    • Only one database is available in your cloud setup, you will be taken directly to the next step.
  4. You will see a list of people who can login

  5. Double-click to select one and enter your password

Any database in the AMS cloud can be set one of:

You can enhance settings by using Merchant Profiles (available with most providers) to store credit cards for all customers at your merchant service provider.

If there are users at the venue with different local time zones, you may need to provide the LocalTimeZone parameter in the Theatre Manager preferences file. This is only needed if the users time zone does not match the time zone setting in the company preferences->Report/Misc tab

Theatre Manager Web Services

Theatre Manager web services need 3 components set up in order to work. These are illustrated below and are:

You can access the Director to configure services at any time using http://127.0.0.1:3012 on a machine containing TM Server.

Since the director uses javascript, please make sure you have the latest version of your browser installed on your machine or mobile device: Safari, Firefox, Chrome, Opera, IE 11 or Edge browsers are known to be compatible.

 

For PCI compliance, if TM Server is configured as a web server, it must be installed in a DMZ and separated from the rest of the network so that card holder data would never be on the same part of the lan as the DMZ.
The above diagram illustrates a standard installation. Depending on security and/or performance requirements; other parameters can be altered to affect load balancing across multiple machines. This should only be done under guidance of AMS staff
The diagram above shows the flow of data for web sales. The general setup involves:

  • The firewall directs incoming traffic on ports 80 and 443 to the web server from the internet. The web server is configured to elevate all port 80 traffic to use TLS on port 443.
  • The web server can be on the same subnet as the firewall (or not, as you wish). This allows:
    • web traffic from the internet on ports 80 and 443
    • provides dynamic load balancing to a number of Theatre Manager Servers and passes web requests to port 5000 on each of those servers
  • A TM Server in Services Configuration receives communication on port 5000 and talks back to the web server on internal port 8111 (a separate virtual server) to retrieve custom web pages for merging
  • Some configuration of the services in Company Preferences 'Director Tab'

The actual installation of the is described for Macintosh and Windows. While unsupported by Arts Management, you can use Linux if you know how to use apt-get and install and configure NGINX (we can provide a template nginx.conf file for you.

 

The diagram refers to 192.168.1.x for the internal network and is used throughout the documentation as a sample lan addresses. Your IP addresses may be different

Install Theatre Manager Server

The TM server functions for both web server (using NGINX) and web services. If you have not already done so, please follow the instructions for:
  • downloading and installing TM server for Macintosh or Windows
  • starting the second generation Theatre Manager server for with purposes on the appropriate platform. Theatre Manager server can be configured later:

Only install TM Server ONCE on a machine. Once installed, TM Server will auto update itself.
TM Server should be installed on machines with multiple processors.

For best results, if it is to be used as a:

  • web server - use at least a dual core machine with hyper threading.
  • web services machine - use at least a 4 core machine with hyper threading.

TM Server for OSX

You normally need only install the Theatre Manager server ONCE on a machine per the instructions below. TM server will auto update itself.
In recent versions of OSX, you may need to make a temporary change in System Preferences after downloading the installer and before the installer will work.
Reinstalling TM Server can be done at any time.

Only if you are VERY stuck, you may need to type the following command in terminal prior to re-running the installer.

sudo launchctl unload /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
Step Action
Step 1 Download and extract the installers for Macintosh.
Step 2 Start the installer and click Continue.

Step 3 Click Continue

Step 4 Read the licence and click 'Agree'

Step 5 Enter your admin password or use your finger if your machine has 'touch id'

Step 6

Step 7 Click Close

Step 8 Turn off all power saving and performance degrading features
Step 9 Turn off Airplay Mirroring in since that has a conflict port port 5000 used by Theatre Manager. This problem seems to have begun in Monterey.
Step 10 Proceed to the Steps to configure the server for the purpose you want to use it for

Starting the NGINX server

Use terminal Start or Stop the Theatre Manager Server on OSX.

Step Action
Step 1 Open Terminal on your computer
Step 2 To completely stop and restart the server (note: it should have already been stopped during the install process), you will need
sudo launchctl unload /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
sudo chown -R root:wheel /Library/Application\ Support/TheatreManager/
sudo chown root:wheel /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
sudo launchctl load /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
Step 3 Use the Director to configure the second generation server for the first time.
Step 4 Disable all Power Saving options on OSX so that the server doesn't go to sleep - its not a good idea for it to so so for web sales. In addition, please read the note below.

on OSX, a user must be AUTO-0logged in to run TM server (classic services) on mac. In most version of OSX, the screen can be locked, but sometimes not. Make the user autologin is set.

~~~ Troubleshooting

You can test and troubleshoot the Theatre Manager Server on OSX using any of the following tools.
Make sure you have disabled all power saving settings by reviewing the installation steps on power saving managment.

Note: if you bring up this web page on the nginx server, the links below should work directly by clicking in them. If not, substitute your web server IP address for 127.0.0.1 in all links below.

Tool Action
Director Use the Director web page to verify the second generation server management process is running.

You can use the console log to verify errors on start up.

  • If you see that it cannot connect to the database, then verify that you put the IP address and Database name into the right fields in the director window
  • If you see a console message that says the schema is incorrect versions, the second gen listener should download the latest and install it. if it does not, manually stop and start the second gen listener via the terminal
  • if you get a message that indicates trouble with editing json preferences, you may need to use the following command in terminal to remove the preferences file and start again.

    sudo rm "/var/root/Library/Application Support/Theatre Manager Server/config.json"

Activity Monitor In Activity Monitor, if you view the list of processes, you should see a number that are named 'Theatre Manager Server' if it started properly.
Virtual Host Test You can test for a direct response to retrieving a page on the virtual server.. If the Theatre Manager Server is on 127.0.0.1, then the link below should elicit a response that shows a page that has not been merged. If you get Page Not Found or some other error, then the virtual host is not set up correctly.

http://127.0.0.1:8111/1/WebPagesEN/tmTickets.html

External Probe If you want to check the general health periodically of the second gen server, then use the following url to ask for the time from the second generation listener. (replace /1/ with your outlet number).

http://127.0.0.1/TheatreManager/1/time

If you want to query through the second generation listener to see if a classic listener is running, then add '&force_proxy' to the url. This talks through the second generation to the classic and, in effect, tests both at the same time:

http://127.0.0.1/TheatreManager/1/time&force_proxy

TM Server for Windows

Do not use Windows 10 or Windows 10 Pro for the TM web services. If at all possible use windows 7, 8, 8.1 or any windows server version. At this time, windows 10 interferes with simple file renaming and affects auto-updating of services.
You normally need only install the Theatre Manager server ONCE on a machine per the instructions below. TM server will auto update itself.
make sure to implement the key performance, similar to that of postgres server, especially turning off windows defender on windows 10 pro if you are having issues with auto-updating.
When installing Theatre Manager Server on a Windows machine, log into the computer as the local administrator. This ensures the proper permissions are assigned to the service.
You must not install or enable Microsoft's IIS server on the same machine as TM server configured for web services.
Step Action
Step 1 Download and extract the installers for Windows. The installer will automatically determine wether you have a 32 bit or 64 bit operating system and install the correct version.
Step 2 Start the installer and click 'Next'

Step 3 Click 'Next'

Step 4 Make sure that the right version (32 or 64 bit) is being installed and click 'Yes'.

Step 5 The installer will place the Theatre Manager Server in 'C:\Program Files' or where ever the standard program files directory is located.

Step 6 Click Done to complete the installation process. By default the Theatre Manager Service will start.
Step 7 Proceed to the Steps on configuring the server

Starting the Server

Use the Windows Services Manager to Start or Stop the Theatre Manager Server.

Step Action
Step 1 Open the Services Administrative tool through Start >> Control Panel >> Administrative Tools >> Services.
Step 2 Locate the 'Theatre Manager Server' item in the list.

It should be set as 'Started'. If it is not, please start it.

Step 3 Double click to edit the service settings to make sure that it will auto-restart. Click on the recovery tab and make it look like the window below. You will need to set the following:
  • First failure to 'Restart the Service'
  • Second failure to 'Restart the Service'
  • Subsequent failures to 'Restart the Service'
  • Restart service after '0' minutes.

Step 4 If the database server and the second generation listener are on the same machine, you will need to delay start of the Second Generation listener until a few system services start. This can be done in one of two ways:
  • Startup setting on the server (windows 2008 server and later) should be set to Automatic. Never set to Automatic (Delay) as it has been found to cause problems.
  • Adding dependancies to the service via the command line (all versions of windows server)

Using Delayed Startup

Make the startup settings as per the diagram.

Adding Service Dependancies

You may want to add a dependancy to the second generation server so that it will not start up until after Postgres and the event log starts.

To do this, you will need to know the name of the postgres service and type a command in at the command prompt. You can find it by looking at the service and examining the service name. It might look something like one of: postgresql-9.5 -or- postgresql-x64-9.5 depending if you are using 32 bit or 64 bit postgres and which version.

An example of the command when running on a 64 bit windows server using postgres 9.5 (note there is a space after the depend= which you must include)

sc config tmserver depend= eventlog/postgresql-x64-9.5

An example of the command when running on a 32 bit windows server using postgres 9.5

sc config tmserver depend= eventlog/postgresql-9.5

When done, check the dependancy tab on the tmserver service and it should show two lines: event log and postgres

Step 5 Also, once everything has been verified to run properly, make sure that the service start up type is changed from 'Manual' to 'Automatic' so that it will start each time the machine is rebooted.
  • Right click on the Theatre Manager Service.
  • Select Properties.
  • From the Startup Type drop down, choose Automatic.
  • Click the Apply button.
Step 6 Use the Director to configure the second generation server for the first time.

~~~ Troubleshooting

You can test and troubleshoot the Theatre Manager Server on Windows using any of the following tools.

Note: if you bring up this web page on the apache server, the links below should work directly by clicking in them. If not, substitute your web server IP address for 127.0.0.1 in all links below.

Tool Action
Task Manager In Task Manager, if you view the list of processes, you should see a number that are named 'Theatre Manager Server' if it started properly.
Director Use the Director to verify the second generation server management process is running.
Event Viewer Test You can look to see if the services start up properly by looking at the event viewer. If you can stop and start the service and you see that it starts listener services on port 5001, then you are likely ok.
Virtual Host Test You can test for a direct response to retrieving a page on the virtual server.. If the Theatre Manager Server is on 127.0.0.1, then the link below should elicit a response that shows a page that has not been merged. If you get Page Not Found or some other error, then the virtual host is not set up correctly.

http://127.0.0.1:8111/1/WebPagesEN/tmTickets.html

Preferences If the second generation listener is having trouble starting and/or keeps stopping, you may want to delete the system profile second gen preferences file and start the configuration process over again
External Probe If you want to check the general health periodically of the second gen server, then use the following url to ask for the time from the second generation listener. (replace /1/ with your outlet number).

http://127.0.0.1/TheatreManager/1/time

If you want to query through the second generation listener to see if a classic listener is running, then add '&force_proxy' to the url. This talks through the second generation to the classic and, in effect, tests both at the same time:

http://127.0.0.1/TheatreManager/1/time&force_proxy

TM Server preference file location

The TM Server configuration or preferences file can be found in the locations described below. If you run into a situation where a TM Server will not start up, you can delete the preferences file and start over.

Windows

  • Navigate to the directory: C:\Windows\system32\config\systemprofile\AppData\Local\Arts Management Systems\Theatre Manager Server
  • Delete the config.json

Macintosh

  • Open Terminal and type:
  • cd ~/Library/Application Support/Theatre Manager Server
  • rm -rf config.json

Special note: for classic listeners run and managed by the TM Server on OSX. There is a temporary file created in /var/root/Library/Caches/Theatre\ Manager\ Server/TheatreManagerRunTime/Libraries that tells the classic listener how to startup. It cannot be edited or changed by a user - it is re-created each time the classic listener starts.

For reference, this link has the location of the Theatre Manager desktop preference file.

Web Server Configuration

For PCI compliance, the web server configuration must be installed in a DMZ and separated from the rest of the network so that card holder data would never be on the same part of the lan as the DMZ.

The diagram above shows the flow of data for web sales. The general setup involves:

  • A firewall that directs incoming traffic on ports 80 and 443 to the web server from the internet. The web server is configured to elevate all port 80 traffic to use TLS on port 443.
  • The web server can be on the same subnet as the firewall (or not, as you wish). This allows:
    • web traffic from the internet on ports 80 and 443
    • provides dynamic load balancing to a number of Theatre Manager Servers and passes web requests to port 5000 on each of those servers
  • A TM Server in Services Configuration receives communication on port 5000 and talks back to the web server on internal port 8111 (a separate virtual server) to retrieve custom web pages for merging
  • Some configuration of the services in Company Preferences 'Director Tab'

The actual installation of the is described for Macintosh and Windows. While unsupported by Arts Management, you can use Linux if you know how to use apt-get and install and configure NGINX (we can provide a template nginx.conf file for you.

 

The diagram refers to 192.168.1.x for the internal network and is used throughout the documentation as a sample lan addresses. Your IP addresses may be different

Director Config for Web Server

If you enter the URL http://127.0.0.1:3012/configure and do not see the 'Director' screen, you may need to:

Configuring as a Web Server

This section describes how to configure the Theatre Manager server as an NGINX web server on a machine in the DMZ. This computer should have at least 4 gigs of ram and a fast dual core processor.

Connect to Theatre Manager server using your browser and enter the URL http://127.0.0.1:3012/configure. You will see a web page like the one to the right. It will help you configure the machine for its appropriate purpose.

Auto Update

Theatre Manager Server is designed to auto update when a new version is released. If you wish to disable the feature, make sure to disable it on all machines. If it is enabled, make sure it is enabled on all machines. Components auto-updated by the server are:

  • TM Server
  • NGINX web server
  • TLS upgrades
  • Default Web Pages (customized changes are never touched)
  • Theatre Manager

 

Data stored by Arts Management as part of auto-update

Checking for auto-updates shares some of your information with Arts Management. Data is transmitted securely and SHA-384 checksummed for safety and the values retained by AMS are:

  • Theatre Manager version number
  • TM Listener version number
  • Postgres version number
  • NGINX version number
  • Timestamp of last backup
  • Timestamp of last check for an update
The above data is used by the web site monitoring tools to tailor our ability to assist your with managing Theatre Manager in your venue.

Data retrieved from AMS and stored in your database is: number of user and scanner licences, latest version of Theatre Manager for auto deployment to workstations.

 

Enable Web Server

Click the 'Enable Web Server Button' to use this machine as an NGINX web server. When clicked, a panel appears allowing you to enter the configuration parameters for the web server.

Enabling Background Report Generation

Enabling a TM Server to provide background report generation services requires four steps. You must:

  • Be running the TM server on a 64 bit server capable of running the 64 bit version of TM.
  • Click the check box Enable 64 bit Classic Listeners and Reporters
  • Lower in the page, you must indicate how many reporters you want to run on this machine
  • Enable background reporting in System Preferences before the Reporter processes will start up. This last setting enables you to quickly disable background reporting during a large onsales where you'd prefer your listeners to be doing web sales.

    Note: if this is not enabled, an employee can still add reports to the queue, they will just need to run them manually when they go for coffee or take an extended break.

  • Enabling appropriate employees to use the Report Queue in their employee preferences report tab

 

Considerations for setting up Reporters

Reporter processes use CPU resources when they are running a report and that may be in conflict with resources required if your venue requires the machines for web sales. You can manage how you set up reporters with the following considerations:

  • While, every web listener should be set to enable 64 bit if possible, you can assign zero as the number of reporters. If there are no reporter processes, the specific machine will not run reports in the background and have no deleterious effect on web sales
  • You can set only some listeners to provide reporting services
  • You can also dedicate machine(s) to be only reporting engines by:
    • Setting Web Listeners to zero
    • Setting Classic Web Listeners to zero
    • Setting HouseKeepers to one
    • Setting Reporters to one - or more if you want the machine to be able to run simultaneous web listeners

Static Marketing Site

Most venues host their marketing web site at their ISP.

Under some circumstances, you may wish to host your marketing site internally in addition to the ticketing web site. Such circumstances might be when you:

  • have lots of internet bandwidth
  • are able to write and maintain your marketing web pages yourself
  • can manage all traffic related issues and provide hardware as needed for yours sales cycles
  • want different kinds of integration between the main web site and the ticketing site
  • want your marketing web site under the same TLS certificate as your ticketing web site
  • you do not need some additional server processes (like a database and a content management tool like WordPress or Drupal) to deliver the web pages
  • you have a domain that you can point to the server such as:
It isn't for the faint of heart, because you are taking on a significant IT function.

Or, if you wish, this feature could be used for something other than your marketing site -- to handle volunteer pages, local static calendaring info, help pages for your patrons on how to use your web site or what have you. Remember, anything placed on the static web site is publicly visible.

 

What are Static Web Pages for the Marketing Web Site

A static HTML web page is one that does not require server processes to build the page. If you can see a fully functioning page when you place the HTML file on a browser, then it is static. However, if you need a server process like PHP (by choice by the way), a database lie postgres, or some server process to be installed to deliver the web pages, then the page is not static (and this feature should not be used)

 

Enabling a Static Web Site

On the primary (front facing) NGINX machine that has a Director on it, you would need to:

  • Go to the Configure tab of the director
  • Click the checkbox Enable Static Website
  • Scroll down for the parameters for the static website per the picture below
  • Type in the directory on the main NGINX machine where you wish to store your static web pages

 

What changes when you do this?

Since you are now hosting two web sites with the single NGINX server the landing path changes.

Currently:

Enabling the static web site means there are two, to the bias shifts to the static site. i.e.:

 

What tools to use to make Static web sites

There are a number of tools that let you make static web sites. We do not have any favourites and do not recommend one over the other (not do we provide any support if you play with them). Some popular ones at the current time are:

Web Server Parameters

Enable template server

This causes the web server to listen on port 8111 and provide all your custom web pages to all of the web listener services and there should only be one of these enabled for your entire system. The IP address of this machine must match the Custom Template URL specified in the Director Tab in Company Preferences.

On the primary web server, you need to enable this feature. When enabled, you will see the option Custom Template Directory lower on the page. Please fill it in.

 

Enable Load Balancing

This should always be enabled when you need to tell the web server where each of the web listener machines are (see Load Balancer below)

 

Domain or IP

Enter the domain name that this web server is for. This will be your tickets.myvenue.org URL that your customers use to access your sales site.

 

Custom Template Directory

The web services always use the most recent built in web pages to keep your web site current. Since you can customize these web pages, you need to tell the TM server where on the disk that the custom pages are stored so that the web listeners can get those instead of the default pages.

We suggest that they be kept in:

  • Macintosh: /BoxOffice/WebPages
  • Windows: C:\BoxOffice\WebPages
Refer to Director Tab in company preferences for the contents of the directory.

 

Transport Layer Security (TLS)

Each domain (eg tickets.myvenue.org) requires what is called a TLS certificate to uniquely encrypt the communication between your customer and your server. It is what turns on the lock in a patrons browser window. TLS certificate has 3 files that are obtained and properly configured for you by Arts Man:

  • Your public certificate obtained from your provider
  • Your private key which nobody else knows
  • The Diffie-Hellman Parameter file used by NGINX as part of the unique cryptographic key generation that is used in the subsequent encryption process.

Installation

To install these files, simply drag them from your desktop on top of the area on your browser. If the area on your browser is green, they are installed. Use the 'Clear Certificates' button to remove any prior certificate files if you do not want them, or simply drag new ones on top to replace them.

 

Load Balancer

This section is used to indicate the IP addresses where your Web Listeners are located. This will be on a separate machine and in the example setup, the address is 192.168.1.1 and the port is 5000 (which is the load balancer on of the web listeners).

Unless doing an expert setup with the assistance of Arts Management Systems support, the port will always be 5000. Simply add as many IP addresses as you have machines acting as web listeners.

Port 5000 on each web listener acts as a load balancer on the machine to forward requests to port 5001, 5002, etc (one for each second gen listener you have defined.

TLS Certificate

The purpose of the TLS Certificate is to ensure communications with your web sales server validated and secure. A valid TLS certificate causes the 'lock' on the patrons web browser to turn on and encrypts all communication between the patron and your web services.

Before you can get an TLS certificate, you will need:

The steps you will need to follow to set up an TLS Certificate and get web pages working are in the following sections.

 

For Venues hosted on AMS Cloud

AMS provides the static IP for you as part of your setup.

AMS can provide a URL like 'yourname.artsman.com' if you wish, and if so, will also provide our group TLS certificate for your use. If you prefer to use your own domain name, you will need your own TLS that we can obtain and set up.

Static IP for Your Router

Before you can get a TLS certificate, you will need:
  • a static address for your router.
  • a 'nice' domain name like 'tickets.yourvenue.org' that points to your firewall. These generally cost about $10 to $20 monthly in addition to your connection fees, unless you have a business internet package - in which case you probably get one included.

Obtaining a Static IP

The static IP must be obtained first and is supplied by your ISP. It will be set up in your firewall/router so that it never changes and means that customers will always be able to find you on the internet. These generally cost about $10 to $20 monthly in addition to your connection fees, unless you have a business internet package - in which case you probably get one included.

If you have a static IP and do not recall it, then open up a browser and type 'whatsmyip.org'. This asks a web site to tell you what the IP address of the outside of your router is. Alternately, you can enter the config mode for your router to determine the static IP address.

 

For Venues hosted on AMS Cloud

AMS provides the static IP for you as part of your setup.

External DNS

You will need to ask your ISP (or sometimes the people that host your external web site) to set up a DNS record to point to your static IP address if you do not have one.

You can think of this as a 'nice' name by which customers can find you, or if they see it in the URL area of the browser, they will be confident that they are connecting to the right web site.

Call up your ISP (or web site hosting company) and ask them to create a DNS record for 'tickets.myvenue.com' (where myvenue is replaced by your main web site name). As an example, if your main web site is www.artsman.com, then you would like your ISP to create a DNS record for tickets.artsman.com.

Possible DNS names that you may prefer from a marketing perspective are:
  • tickets.myvenue.org
  • boxoffice.myvenue.org
  • sales.myvenue.org
  • tm.myvenue.org
  • secure.myvenue.org
  • and if you have a mail server or other services already in your organization, we could use that as well.

Once the DNS record has been created and is propagated to the internet (this usually happens in a few hours but can take as long as 24 hours), the next step is to purchase and install the TLS certificate.

 

For Venues hosted on AMS Cloud

AMS can provide a URL like 'yourname.artsman.com' if you wish, and if so, will also provide our group TLS certificate for your use.

Buying the actual TLS Certificate

Purchasing your TLS from Arts Management Systems

Arts Management Systems uses 4096 bit encrypted premium certificates and if you wish to purchase one, please contact the sales office at (888) 536-5244, ext. 2.

When you buy a TLS Certificate from Arts Management Systems, information that we will require from you in order to customize is to your venue are:

  • company name (do not abbreviate, provide the full legal company name)
  • primary contact's first and last name
  • primary contact's title
  • primary contact's email address
  • primary contact's direct phone number
  • venue's legal Address, City, full State/Province name (do not abbreviate the state or province name)
  • external DNS that you set up such as tickets.myvenue.org
  • the operating system that Apache is running on (OSX, Linux, or Windows)
  • we will require an authorized administrator's email address to send the verification to and approve the request. This needs to be an email address you have the ability to check for the incoming emails. Please make sure that the email account has been set up and is available before you provide us the email account to use, or the approval email will not be delivered. With an invalid or non-working email account, the TLS certificate will not be processed. The options for the email address are below: (Select ONE of the following)
    • admin @ myvenue.org
    • administrator @ myvenue.org
    • hostmaster @ myvenue.org
    • webmaster @ myvenue.org
    • postmaster @ myvenue.org
We will generate the TLS certificate based on the information provided and you will receive 3 emails:
  1. An email indicating that a TLS creation request has been started.
  2. An email requiring you to confirm the information at the specified email address above. Please confirm the email (by clicking on the acceptance link within that email) and accept the TLS request.
  3. After you have confirmed email #2's acceptance link and the TLS has been processed by GeoTrust, the 3rd final email containing the actual TLS certificate information will be sent to you. Please note that this final email may arrive anywhere from 10 minutes to 12 hours after email #2 was accepted depending upon the next processing cycle.
After we have received the TLS certificate information, we will make the TLS certificate files and put it into the Apache server for you in the 'conf' folder and verify that it works. During this final process, we will require remote access to your NGINX Server and to a Web Listener to test the TLS certificate configuration with Theatre Manager.

 

Self Purchased TLS Certificate

If you purchase your own TLS certificate from another source, you will need to install it yourself following the instructions provided to you during the purchase process and make sure it works. If you have any questions about your Self Purchased TLS certificate, contact the company from whom you purchased it for any and all assistance.

Install and Test the TLS Certificate

Installing the TLS certificates is easy. Refer to the installation instructions in this web page - simply drag 3 files into the correct area of the setup page, save, and you are done.

Once the firewall rules have been implemented and the TLS certificate installed:

  1. Open up a browser
  2. Type 'https://tickets.myvenue.org'
  3. It should display a web page in the browser and turn on the lock on the browser.
  4. Use Qualys TLS Certificate Test to test the TLS Certificate.

    Make sure to check the option "Don't show the results on the Boards"

This page shows safari with the lock on the upper right turned on

This page shows firefox with the lock on the lower right turned on

Please check for it on your browser as appropriate.

Diffie Hellman Parameter File

What is Diffie-Helman?

Credit: Stack Exchange

Diffie-Helman is a way of generating a shared secret between two people in such a way that the secret can't be seen by observing the communication. That's an important distinction: You're not sharing information during the key exchange, you're creating a key together.

This is particularly useful because you can use this technique to create an encryption key with someone, and then start encrypting your traffic with that key. And even if the traffic is recorded and later analyzed, there's absolutely no way to figure out what the key was, even though the exchanges that created it may have been visible. This is where perfect forward secrecy comes from. Nobody analyzing the traffic at a later date can break in because the key was never saved, never transmitted, and never made visible anywhere.

The way it works is reasonably simple. A lot of the math is the same as you see in public key crypto in that a trapdoor function is used. And while the discrete logarithm problem is traditionally used (the xy mod p business), the general process can be modified to use elliptic curve cryptography as well.

But even though it uses the same underlying principles as public key cryptography, this is not asymmetric cryptography because nothing is ever encrypted or decrypted du ring the exchange. It is, however, an essential building-block, and was in fact the base upon which asymmetric crypto was later built.

 

How to create your Diffie Helman parameter file

Since the Diffie-Helman parameter file is a way of creating a shared secret at the start of the cryptographic process, you can change it as often as you want, completely independently of the TLS certificate. It is quite easy to do so.

Macintosh This needs to be done using Terminal:
  • Type

    sudo openssl dhparam -dsaparam -out ~/desktop/dhparam.pem 4096
    Enter your password

  • You will see a screen similar to below. Generating the key string may take a minute or so
  • This creates a file on your desktop called dhparam.pem which you can use for the Diffie-Hellman parameter file in the 'Director'
Windows Please ask Arts Management support to make one for you or find a Macintosh.

Testing your Web Sales (the Hosts file)

If your computer in the office cannot see the ticketing web site, the best way is to set up a DNS server inside the network to help all computers see the server.

Only edit the local machines 'host' file if you cannot set up a DNS server.

Testing your Web Sales Site

You should be able to access your ticketing web site via the URL you used to create the TLS certificate after the:

Try accessing the ticketing web site from:

  • a location outside the office to confirm it works. A cell phone is the ideal way - using the data plan and not while connected to the wifi network.
  • one or more computers inside the office to confirm that it works

 

Troubleshooting access inside the office

If you are having issues connecting to your ticketing web site while inside the office and are receiving timeouts, this is often resolved by:

  • adding an internal DNS entry to your DNS server to point to your ticketing web site via an internal path (preferred approach) -or-
  • editing the hosts file on each machine

Mac's are not usually subjected to this issue. PC's inside the office frequently are because they do not always seem to be able to resolve the DNS that goes outside the firewall and back in, so you have to edit the hosts file to tell the PC how to find the web site.

Editing the Host file for Mac

Troubleshooting generally depends on the behavior of the DNS within the firewall and the operating system used. Most Mac's will easily find 'tickets.yourvenue.org' by navigating through the firewall properly. However it may be possible for a machine to not be able to access the online sales domain directly.

The best way of correcting this issue is to put an entry within the internal DNS server to point 'tickets.myserver.org' directly to the IP address of the apache server.

If that is not possible, an entry in the hosts file of each web listener that points to the apache server can be made. This should be done if the DNS does not propagate in the internal network. If the Web Listeners start up and are able to find the 'tickets.myvenue.org', you will not need this step. If they do startup but they seem to be ignored by apache very quickly, then you will need this step.

# Description
1 Open the 'Terminal' window.
2 Type cd /etc.
3 Type sudo vi hosts.
4 Type the administrator password to the machine.
5 Use the arrow keys on the keyboard to scroll down.
6 Type 'I' to enter the edit mode.
7 Add the IP address of the Apache machine followed by the online sales domain.

8 Click the 'ESC' key on the keyboard.
9 Hold the SHIFT key on the keyboard and type Q.
10 Type WQ.
This with write the changes to the Host file and close it.

Editing the Host file for Windows

Troubleshooting generally depends on the behaviour of the DNS within the firewall and the operating system you use. Windows machines sometimes need a helping hand.

The best approach is to put an entry within the internal DNS server to point 'tickets.myserver.org' directly to the internal address of the apache server.

If that is not possible, an entry in the hosts file of each web listener that points to the apache server may be needed. If the Web Listeners start up and are able to find the 'tickets.myvenue.org', this step is not needed. If they do startup but they seem to be ignored by apache very quickly, this step will be needed.

# Description
1 Open My Computer.
2 Navigate to c:/windows/system32/drivers/etc/ (or where the windows system32 directory is located).
3 Right click on the Hosts file.
4 Select Open With... WordPad.
5 Add the IP address of the Apache machine followed by the online sales domain.

6 Click File >> Save.
6 Close the Host file.

Services Configuration

The Theatre Manager Server provides all web services. It is designed with the following criteria in mind:

  • Deliver performance by
    • Taking advantage of multiple CPU's on current machines by setting up multiple processes
    • Providing background worker processes that automatically take care of longer processes such as email or cart cleanup
    • Providing support for the standard Apache or Nginx Load Balancer for multiple servers
  • Simplify Setup and Management by
    • Handling web services for all outlets in one server while preserving branding for each outlet
    • Run as a service that will automatically restart in case of failure or machine restart
    • Being aware of system updates and automatically intalling them in the background with no outage.
  • Increase Deployment Options by
    • Running on OSX and Windows (linux possible in future)
    • Providing support for other high performance web servers (currently NGINX)

Installer Download Locations

Steps to Configure the Theatre Manager Server

The Following steps are used to configure the Theatre Manager Server:
  1. Theatre Manager Setup:
  2. Test your web pages to make sure the server is working. At this time, we suggest a log in, finding an event, adding it to the cart, and going to the checkout window.

Configuring Theatre Manager Server

Getting the Theatre Manager server to work requires the following steps

Using the Director to configure Theatre Manager Server

On OSX, if you enter the URL http://127.0.0.1:3012 and do not see the 'Director' screen to the right, you may need to start the process (or stop/start the process) using terminal commands.

On Windows, you may need to:

  • stop and start the Theatre Manager Server service - or-
  • use the latest Firefox, Chrome, Opera or Edge browser. (The Director does not support IE 10 or less).

Make sure you have enough permitted connections in postgresql.conf setup for the postgres database to handle the processes you configure.

Connect to Theatre Manager server using your browser and entering the URL http://127.0.0.1:3012. You will see a web page like the one to the right. It will help you configure what is best for your machine by making recommendations for number of processes.

 

General

Enable Automatic Update

Theatre Manager Server is designed to auto update when a new version is released. If you wish to disable the feature, make sure to disable it on all machines. If it is enabled, make sure it is enabled on all machines.

Enable Services

Enable this if you want to set up the online sales and REST api

Enable Web Server

This is enabled if this TM server will be acting as the primary load balancer and/or template server for custom web pages. Normally one of these is enabled - and has extended setup.

 

Services Database

In the database section, you will need to enter the IP address of the database server and provide the Database Name.

 

Services

The values that you enter for the processes depend on the number of CPU's, amount of memory and other processes running on the machine. The suggestion provided is for a machine dedicated to Theatre Manager server. It if it also running the database on the same machine, you will need to reduce the number of processes.

Web Listeners

Web Listeners are the actual processes that respond to an online web request from a patron purchasing online or to the REST API.

Typically (assuming a dedicated machine), the second generation server can be set to have one less process than the number of CPU's on the machine. A general rule of thumb is that you need about 1 meg of ram for each process including operating system, so make sure not to start more than you have available memory.. (Note: each process actually only uses about 400Mb, but the operating system and buffers require their own space). For example:

  • a 4 core machine with 4 gigs of ram could start 3 processes
  • a true 8 core machine could start 7 processes, although you may not need that many.
  • a dual 4 core with hyper-threading should only start 3 process. (It is best not to count the hyper-threaded cores as real CPU's)
  • a machine with 4 gigs of ram, regardless of the number of cores, should have no more than 3 listeners set up
  • a machine with 8 gigs of ram could have 7 processes, if it had enough cores. We would suggest 5 or 6 normally

Classic Listeners

Designate the number of classic listeners that you might need to handle some tasks that the main web listeners cannot do (yet)

  • Each Classic process needs about 400 megs of ram for buffers.
  • They are used for few processes and for plugins, so generally a ratio of 2 classic listeners for each web listener is reasonable on each machine.

Housekeepers

Housekeepers are used to handle background activity. Typically, this value is always 1. Housekeepers:

  • Clean up expired carts on a periodic basis.
  • Send out scheduled emails automatically.
  • Perform daily database jobs like purging expired web logs, etc

 

General Note

In general, if you count all your processes, multiply by 500mb each and make sure that is well under the total ram in the computer. It is far better to have two machines for web services than over-commit one machine

TM Server Company Preferences

The picture below has sample settings in company preferences Director tab that will handle the single router/DMZ settings. Refer to help about Company Preferences if you are unsure how to configuring this window.

The key things to note are:

  • The web Server URL should have 'https:' and use the URL of your ticketing web site. This is typically 'tickets.xxxx.org'
  • The web server port should be blank which means use the standard https: port of 443. This generally never needs changing.
  • The template page URL should NOT have 'https:' (it should only be http:) and should refer to the direct internal IP address of the main TM Server containing the web page templates
  • The Template Page PORT should be 8111 -- meaning FORWARD any requests for custom pages to the TM Server on port 8111.

    TM Server Special URLs

    The following URL's can be used to talk to the TM Server to obtain information about the server. These URL's would be available inside your network only as they talk to the Director. test TM servers to see if they are responding
    URL Purpose
    http://127.0.0.1:3012 Director's main web page showing the current status of services
    http://127.0.0.1:3012/configure Director's configuration page. This is also available as a link on the Director's status page
    http://127.0.0.1:3012/nginx.conf Shows the NGINX configuration file created by the Director for use with NGINX. It may be requested by AMS support for debug purposes on occasion.
    http://127.0.0.1:3012/access.log Shows the web pages accessed by users in the past 12 hours. It may be requested by AMS support for debug purposes on occasion.
    http://127.0.0.1:3012/error.log Shows the error log generated by the NGINX server in the past 12 hours. It may be requested by AMS support for debug purposes on occasion.
    http://127.0.0.1:3012/activity.log Shows the the current day's activity log -- this is all actions done by the server that go to console or event log in that day so you can see what occurred. It may be requested by AMS support for debug purposes on occasion.
    http://127.0.0.1:3012/backup Run the backup command on the database. You must have set up the Director for backups and configured the backup process. Results are shown in the backup.log and a blue message appears
    http://127.0.0.1:3012/backup.log Shows the the latest backup's activity log -- this shows what the result of the last pg_dump command .
    http://127.0.0.1:3012/api/v1/users Shows a list of IP addresses and sessions that are monitoring the specific TM server. This lets you know who is observing the status of the server and what they may be watching/monitoring the web activity.
    http://127.0.0.1:3012/clear Clears the setup/config to start over from scratch. None of the configuration is remembered. (remove 'XX' from end of link to actually do it)
    http://127.0.0.1:5000
    https://127.0.0.1/api/v1 Access to the REST API internally to the organization - if enabled for the employee

    Monitoring Theatre Manager Services

    You can quickly monitor the overall health of the Theatre Manager system with simple URL. If that does not respond as expected, there are some other things that you can do monitor the internal components. The following table gives you some ways to check the system and diagnose what is working and what is not.

    ArtsMan uses open source software called Nagios to check your 'ticketing' web site every 90 seconds via the top link in the table below (Ubuntu install instructions for technically minded).

    The monitoring is a free service. Our support team monitors this tool through out the day and if we notice outages during normal support hours (Monday-Friday 8-5 MST, excluding holidays), we will try to let you know. However, it is not substitute for your own monitoring services.

    Monitoring

    Item Purpose Monitoring Tool Expected Results
    1 Verify entire system is up https://tickets.yourvenue.org/TheatreManager/1/time?force_proxy

    This sends a web request asking for the time from the web services. If you get the results expected, then the database, web server, TM listener and classic listener are all working

    Web page with the text TIME=20 somewhere in it
    2 Verify everything but classic listeners running https://tickets.yourvenue.org/TheatreManager/1/time If the probe in #1 (above) fails, then sending the same command without '?force_proxy' tests to see if all but classic listeners are runing Web page with the text TIME=20 somewhere in it
    3 Verify Web Server is up https://tickets.yourvenue.org

    If the probes in #1 and 2 fail, his tests to see if NGINX is up

    The url should generally change to https://tickets.yourvenue.org/TheatreManager/1/login?event=0

    It means you should get a re-direct.

    4 Verify Domain or Router in terminal or dos prompt, type:

    NSLOOKUP tickets.yourvenue.org

    you should see the static IP address for the outside your router. If you see that but get no other response to the above, then your web site is there, but perhaps your router is down.
    5a Verify Database Server is Running Start up Theatre Manager on the database server machine. You should see the login window with the list of users. If so, skip to #6. If not, check that services are running.
    • OSX:, you should see 'postgres' in the activity monitor.
    • Windows: you should see postgres in the list of tasks.

    Otherwise refer to starting and stopping the service for the appropriate platform.

    5b Verify Database Server Running If nothing else seems to be running, you can test to see if the database server is working by remoting into the machine with the database server on it. Look for the program called 'pgadmin' and start it up.

    It will have a list of connections. Pick the connection that is localhost or 127.0.0.1 and double click on it. You may need to know the password.

    You should see a list of databases.
    6 Verify NGINX server is running If you cannot see your web services externally from probe #1, you can test the server internally using:

    http://127.0.0.1:8111/test.html

    If you see the message on the web page The stage is set! then the TM server is running, but may not be configured for some services.
    7a Verify TM Web Services are running Access the Director using http://127.0.0.1:3012

    If you do this on each machine that is running the Director, it will tell you which components of the TM server are running on the machine and which are down, stopped, or in error

    The Director web page with with a status showing that listeners, housekeepers, etc are up and running.

    If you do not see this, it is stopped

    7b Verify TM Web Services are running

    Windows

    You can also look to see if the service 'Theatre Manager Server' is running using the services control panel.

    OSX

    • you can use the terminal commands to unload and reload the service to restart it
    • you can use tail to watch the log

      sudo tail -f /var/root/Library/Logs/Theatre\ Manager\ Server/activity.log

    After playing with the service and/or restarting it, go back to '5a' to see if the director is running.

    Credit Card Authorization

    Theatre Manager provides connectivity to a few different service providers for credit card authorization, along with the ability to implement either Schedule "C" or Schedule "D" compliance.

    Our sales team will happily discuss your needs, provide contact information for each option, and help quickly and seamlessly setup credit card processing in Theatre Manager. Ultimately, the final choice of processor is up to the venue and we will certainly assist in the implementation.

    Service Providers provide the infrastructure to authorize cards under your merchant account and then deposit YOUR funds directly in YOUR bank with minimum delay.

    Definitions used in Credit Card Processing

    Definitions

    There is often confusion between the purpose of a bank, a processor, and an aggregator, and understanding the difference helps make sense of the authorization options available to you.

    • Bank: A bank is where the money ends up at the end of the day. If somebody gives you money in any form (cash, check, credit card), you write up deposit slips and take it to the building at the corner on the main street. Banks are brick-and-mortar companies with charters to write loans, put your money in a safe, etc.
    • Merchant Processor: A processor is not a bank. Direct Processors are only in the business of authorizing credit cards on behalf of a bank and hold on to the money while it is electronically in transit to your bank. When you do your daily credit card batch settlement, the money in transit is transferred directly to your bank. In North America, there are about 15 major processors such as Paymentech, Nova, 1st Data, Visanet, FMDS, Vital, TSYS, etc. Some banks prefer working with some processors - but generally most processors can get your money to any bank.
    • Merchant Provider/Aggregator: There are numerous (meaning hundreds) of aggregators that will process your card for you. All those aggregators use one of the 15 merchant processing companies. Think of the merchant provider/aggregator as being like an insurance broker... they shop for the best deal with a processor. The processor is the actual company that does the credit card processing for the aggregator.
    • Merchant Account: You set up an account with one of the processors or aggregators, who then assigns to you a merchant number. The merchant number accompanies transactions submitted to the processor and identifies:
      1. who should get the money (i.e. you), and
      2. which bank account the money gets deposited to.
    The reason that processors and banks are separate is historical. Banks started as local or regional entities in the USA. Most were not big enough to handle the infrastructure of authorizing credit cards. When cards became very popular in the 70's, they farmed out the business of authorizing cards to a processor as an economical means of providing cards to their customers without the expense of hosting large computer centres.

    Direct Credit Card Processing Options

    Regardless of the processor you pick, the money always goes directly to your bank account. You enter or swipe the card information into Theatre Manager and it sends all the correct information to the appropriate service provider.

    Theatre Manager transmits data directly to your processor over a secure HTTPS connection authenticated by a user ID and password unique to your merchant account and supplied only to you by the bank. Refer to each processor to see their additional capabilities. PCI DSS 4.1
    If you are considering changing merchant provider, be sure to read:

    These online processors are able to manage multiple authorizations at once, making for a faster and smoother buying experience both for direct Theatre Manager users and for patrons buying online.

    The following diagram illustrates the authorization flow.

    Merchant Processing Service Providers

    The merchant providers supported in Theatre Manager and various features of each are:

    Theatre Manager Help Link Processor Marketing Website Account Setup Contact Information Hosted Payments Merchant Profiles Linked Refunds Independent Refunds PinPad PCI compliance Options
    Bambora™ Bambora™
    formerly Beanstream
    click for contact info No February 2021 Yes No No C or D
    Paymentech Orbital™ Paymentech Orbital™. click for contact info No Yes Yes Yes No C or D
    Elavon™ VirtualMerchant Elavon™ Virtual Merchant main processor. click for contact info No Yes Yes Yes No C or D
    Moneris™ Moneris eSelect Plus™ direct processing or hosted payments click for contact info Yes Yes** Yes Yes Yes A-EP, B-IP, C or D
    Authorize.net™ Authorize.net™ No Yes Yes Yes No C or D
    Elavon™ (private brand) derivative of Elavon™ and specific to city of Miami City of Miami only No No No Yes No C or D
    Hosted Payments: is a feature where the Theatre Manager web site's payment page will redirect to the service provider's web site. Any card data entered there never enters your network, allowing PCI Schedule 'A-EP' compliance - limiting the amount of PCI compliance documentation you require.
    Merchant Profiles is a feature where Theatre Manager obtains a token from your merchant provider to replace the credit card number in your database. Token's mean that you are not storing credit card data that is subject to PCI compliance - all card data could then be shredded. However, you retain the ability to do post dated payments or provide refunds through the saved token that is unique to the patron and your organization.

    ** Note: Merchant profiles not recommended for Moneris because they charge too much.

    Bambora Installation

    Arts Management Systems provides the Bambora module (formerly Beanstream) to support credit card authorization. The installation is done for you on site by Arts Management training staff on any Theatre Manager Workstation.

    Bambora implements user id and password authentication over https connections to provide compliance with PCI DSS 4.1

    A unique feature of Bambora allows refunding against an original credit cards purchase, even if the credit card has been shredded. This is useful for venues that do not wish to store credit cards and may need to refund to cancelled events periodically long after the original payment.

    Please contact Arts Management to discuss the process of getting a Merchant Account from Bambora.

    After Bambora has provided you with a merchant account, installation is quite straightforward. Once set up, funds gets authorized as 'Card Not Present' and then deposited right to your own bank upon settlement from Theatre Manager. This account information you are provided is all you need in the merchant setup windows (in the pages that follow) to begin secure credit card authorization.

    Bambora needs an account setup for authorization and one for online viewing of the account data. You can set up multiple accounts for online access the data so some people can view data and others have more access to transactions and history.

    1. Bambora - uses the Merchant Portal via a web browser to "view the transactions" that have occurred. This account setup might need to be used during the EOD deposit process to verify transactions as required.
    2. Merchant User ID and Password - uses Bambora to allow authorizations to occur and be settled but not be viewed. This information is what needs to be entered into Theatre Manager's Merchant account to allow authorizations to occur.

    The user ids and passwords for both of the above are different and should not be interchanged or confused with each other. Follow the appropriate setup steps for each.

    After following the setup for both accounts, make sure to:

    • test the gateway
    • Disable requirements for CVV2 and AVS in the online interface and allow those be managed from Theatre Manager merchant setup and set each employee to require CVV2.

    Bambora Setup - Contact Information

    Once your Merchant Account information is provided to you, the following steps will need to happen:
    1. Settle any existing credit card batch (run an End of Day)
    2. Create a new merchant account in Theatre Manager
    3. Follow the steps to change your merchant provider

    Then you can start using Bambora.

    If you have any questions directly related to your Bambora merchant account setup, please contact your Bambora Representative directly. Contact Arts Management if you have questions about how to setup Theatre Manager to reference and authorize credit cards using your Bambora account.

    Bambora Gateway Account

    The User ID and Password setup is arranged by Arts Management from Bambora and is entered into the Setup --> System Tables --> Merchant Accounts window as below:

    Software Type

    The following values are set on the software type tab per the diagram below:

    • Set the server software to be Bambora.
    • The merchant provider - select the merchant services provider.
    • The merchant number is for use on ticket faces and for contacting Bambora support.


    Connection Info

    The following entries are set on the Connection Info tab per the diagram below:

    • User ID - provided through Bambora. The user id remains constant for the life of the account.
    • Password - the password is auto generated for you. You can change it via the online interface to generate a new 'secret' key. If you do that, you can expire your old password right away or allow both old and new to co-exist for up to 24 hours.
    • Passcode (API Key) Enabled - check this box if using the Payment Passcode API feature for connections rather than suppling the User ID/Password combination for each transaction processed.
    • Passcode (API Key) - Payment API Passcode. The passcode (different then the User ID Password) assigned to the merchant account via the online Bambora web portal.

      If Merchant Profiles are enabled and you get an authentication error, you might be using your Profiles API Key instead of your Payments API Key, so double check!

    • Capture Mode - select Host Capture or Terminal Capture for End-Of-Day deposit processing.
    • Primary URL - is always api.na.bambora.com/scripts/process_transaction.asp
    • Port - is always 443


    Merchant Profiles

    Theatre Manager's interface with Bambora to maintain Merchant Profiles is currently under development. This feature has been disabled for activation until completion of the enhancement.

    The following entries are set on the Profiles tab per the diagram below:

    • Enable Profiles - set to Active if Merchant Profiles will be used.
    • Profiles API Login Key - Unique Profiles API Key for your Bambora merchant account. This identifier is different than the Merchant ID and User ID on the Connections tab.

      Creating and modifying Payment Profiles requires you use your Profiles API Key. If you get an authentication error you might be using your Payments API Key, so double check!

    • Profiles API URL - is always api.na.bambora.com/v1/profiles This URL is different than the URL on the Connections tab.

    Refer to Merchant Profiles for further information on functionality.

    Employee and Card Setup

    On the Merchant Setup window (see account setup), the final bit of setup is to determine which employees and which payment methods are associated with this merchant account.
    • To assign employees to this merchant account, click on the 'Employee' tab and find the employees to assign. In a multi merchant setup situation, drag only those employees that will use this merchant account as the default.

      While some employees may have permission to use multiple merchant accounts, viewing their name here is the default merchant account assigned to them for charging cards. If the employee wants to use another merchant account, they will need to select it on the payment window.

    • Click on the 'card' tab to select which credit card payment methods are associated with this merchant account.

      If you need to have multiple merchant accounts and both are to take Visa (for example), you will need two Visa payment methods and assign one of them to each merchant account.

    if you are switching from one merchant services provider software to another, you can open both merchant accounts and drag the employees from one window to the other. You can do the same for the credit card payment methods - to make the switch easy and fast.

    Any future dated 'post dated payments' associated with the card you drag to another merchant provider will automatically be re-assigned to authorize on the new merchant provider card network.

    Testing Bambora

    After setting up the Bambora Gateway in the Merchant Account setup, you will need to test that it works. The best way to do this is:
    • Search for yourself in the database or create a new patron that is yourself
    • Create a new order and buy a ticket
    • On the payment window, select the credit card you want to use and do a test authorization
    • If you get an authorization with a message indicating AVS match and/or CVV2 match, then the setup is correct
    • Log in to your Bambora online account and view the batch to see that your transaction is there
    • In Theatre Manager, void the credit card payment. It will appear in Bambora that the charge is still there with as a PA (pre-auth). That means it will be ignored
    • Try another authorization and then do an End Of Day (i.e. SETTLEMENT) and make sure the amount makes it to the bank in the next day or so

    Trouble Shooting Bambora Issues

    1. If you get a response that looks like it is HTML or XML and indicates that it was not authorized, then your user id/password is probably wrong (please verify), or something is incorrectly set up in Bambora and you will have to contact their merchant support group.
    2. If you get a message during end of day that will not allow cards to settle, make sure your provider has set you up to allow BACKEND transactions. These are used to convert 'authorize-only' transactions that are done during to the day to 'PAC' (fully processed) transactions during the end of day process

    Bambora Web Terminal

    After logging on to the online Bambora web portal, the transactions can be found under reporting/analysis->transaction report. There are two main screens of interest:

    Transaction List

    The Bambora transaction list lets you view the transactions that have occurred. Normally, you would only want to see those since the last end of day, but you can decide which data you want to view. To alter the search, the top part of the list contains date search range, the ability to limit the number of transactions per page and more. You may also view more detail about a transaction by clicking the credit card icon that is on the same line as the transaction.

    The important thing to note is the types of transactions and how Theatre Manager creates them. Specifically:

    • All payments sent for authorization will have a transaction type of 'PA'. This means Pre-Authorization. It is only a hold on the customers credit card. The the end of day is not done, this money will fall off the transaction list and you will not get your money.
    • When you do End of Day, Theatre Manager takes all payments that it authorized that day and turns them into 'PAC' - effectively completing them. Transactions that are 'completed' are swept to your bank at 11:59:59 pm. This means a few things
      • If you do not do end of day on any specific day, nothing will go to the bank until you compete an end of day.
      • If you two multiple end of days in the same day, Theatre Manager sees them as more than one posting. Bambora aggregates all the PAC's into one amount on your bank statement.
      • You will see AT LEAST TWO transactions for each customer. You will see a PA transaction and then you will see a corresponding PAC transaction that completes the PA. A successful authorization is a PA with a blue checkmark followed by a transaction some time later that is a PAC with a blue checkmark.
    • You may see some 'R' transactions -- or refunds. Those are always swept to your bank each night, even if you do not do an end of day. Sorry, but that's the way Bambora works. We suggest making absolutely sure that you do an end of day in each day that refund occurs. For that reason, you may wish to limit who can do refunds.

    Transaction Detail

    The Bambora transaction detail contains a lot of information about the payment, most of which is self explanatory. It is accessed by clicking on the 'credit card' icon on the list window.

    Theatre Manager currently uses 3 of the reference fields at the bottom of the screen to provide:

    • ref1 - contains the Theatre Manager patron number on the account that the ticket was sold under
    • ref2 - contains the Theatre Manager order number
    • ref3 - contains the name of the user who processed the credit card

    At the bottom of the detail window is a table that shows the related transactions.

    Related Transactions

    At the bottom of the transaction detail, there is a table that shows all the related transactions in Bambora. This is probably most pertinent to the original 'PA' transaction. If it has been converted to a 'PAC' transaction, you will see multiple lines as part of the Transaction Detail window that shows all the other transactions that affected this transaction.

    Ultimately, all that matters is that you see a blue checkmark beside the PAC transaction, which means it was swept to the bank. In the example below, we see one.

    Implication from Interrupted End of Day

    However, we also see a number of other transactions with a red X that are related to the PA. If you see those, it may be because an error caused the EOD process to stop (without finishing in Theatre Manager) and so you re-ran it. Bambora only allows one PAC for each PA. A second PAC gives an 'error' but does not affect the outcome.

    Paymentech Orbital Installation

    Arts Management Systems provides the Chase Paymentech Orbital™ adaptor module to support credit card authorization. The installation is done for you on site by Arts Management training staff on any Theatre Manager Workstation.

    Paymentech Orbital implements either user ID and password authentication; or access from specified IP addresses over HTTPS connections to provide compliance with PCI DSS 4.1

    Installation is quite straightforward. You would contact Paymentech using information provided by Arts Management, and they create a Merchant Account for you. Money gets authorized by Paymentech as 'Card Not Present' and then deposited right to your own bank upon settlement from Theatre Manager. This account information that you are provided is all you need to set up in the merchant setup window below to provide secure credit card authorization.

    Paymentech Orbital will need to provide the following 2 account setups (both are required):

    1. Orbital Virtual Terminal - uses the Orbital Gateway via a web browser to "view the transactions" that have occurred. This account setup is used during the Een Of Day deposit process to review your transactions prior to the settlement process.
    2. Certified Connection for User ID and Password - uses the Orbital Gateway to allow authorizations to occur but not be viewed. This information is what needs to be entered into Theatre Manager's merchant account to allow authorizations to occur.

    The user IDs and passwords for both of the above are completely different and should not be interchanged or confused with each other. Follow the appropriate setup steps for each.

    After following the setup for both accounts, make sure to test the gateway.

    Paymentech Orbital - Contact Information

    1. In Canada, contact:


      Amit Dhawan
      Chase Merchant Services
      100 Consilium Place
      17th Floor
      Toronto, Ontario M1H 3E3
      (647) 500-9872
      www.chasepaymentech.ca
      amit.dhawan@chase.com

    2. Ask for a Paymentech Orbital account to be set up

    Please note you may encounter with Paymentech:

    • a need to sign a 3-year contract for this account. Depending on your transaction volumes, you may able to request a 1-year trial if your organization meets the requirements
    • if you will be a new client to Paymentech, it will take up to two weeks to establish and setup your merchant account
    • Paymentech may request that all transactions flowing through your organization (Box office point of sale business as well as the ecommerce sales) flow through this new account.

    Please note you may encounter with your existing merchant privider:

    • may require 30 days written notice of cancellation

    Once your Orbital account is set up, the following steps will need to happen:

    1. Settle any existing credit card batch (run an End of Day)
    2. Create a new merchant account in Theatre Manager
    3. Follow the steps to change your merchant provider

    Then you can start using Paymentech Orbital.

    If you have any questions directly related to your Orbital merchant account setup, please contact Orbital Technical Support at 1-866-645-1314. Contact Arts Management if you have questions about how to setup Theatre Manager to reference and authorize credit cards using your Orbital merchant account.

    Orbital Gateway Account

    The Orbital Gateway Certified Connection for User ID and Password setup is obtained from Paymentech Orbital and is entered into the Setup --> System Tables --> Merchant Accounts window as below:

    Software Type

    The following values are set on the software type tab per the diagram below:

    • Set the server software to be Paymentech Orbital
    • The merchant provider will automatically be set for you
    • The PNS number is provided by Paymentech and will need to go into the PNS/Merchant number field - enter in the PNS# (not the merchant number) for your Orbital account. It is typically 12 digits long and generally starts with 720000


    Connection Info

    The following entries are set on the Connection Info tab per the diagram below:

    • User/Server ID - provided by Paymentech and is the user ID for the Certified Connection gateway, not to the Orbital Virtual Terminal (they are not the same thing - the Orbital Virtual Terminal is the online interface).
    • Password - provided by Paymentech and is the password for the Certified Connection gateway. It is also not the password for the Orbital Virtual Terminal.
    • Primary URL - is always orbital1.chasepaymentech.com/Authorize
    • Secondary URL - is always orbital2.chasepaymentech.com/Authorize
    • Port - is always 443
    • Terminal ID - provided by Paymentech and is usually 001
    • BIN number - provided by Paymentech and is always 000002 for North American credit card processing.


    Merchant Profiles

    The following entries are set on the Profiles tab per the diagram below:

    • Enable Profiles - set to Active if Merchant Profiles will be used.
    • Profiles API Login Key - not required. Paymentech Orbital uses the same connection information from the Connection Info tab.
    • Profiles API URL - not required. Paymentech Orbital uses the same connection information from the Connection Info tab.

    Refer to Merchant Profiles for further information on functionality.

    Employee and Card Setup

    On the Merchant Setup window (see Account Setup), the final bit of setup is to determine which employees and which payment methods are associated with this merchant account.
    • To assign employees to this merchant account, click on the Employee tab and find the employees to assign. In a multi-merchant setup situation, drag those employees that should use this merchant account by default from the same employee tab in another merchant record. While some employees may have permission to use multiple merchant accounts, viewing their name here shows the default merchant account assigned to them for charging cards. If the employee is able to use another merchant account, they will need to select it on the payment window.
    • Click on the Card tab to select which credit card payment methods are associated with this merchant account.

      If you need to have multiple merchant accounts and both are to take Visa (for example), you will need two Visa payment methods and assign one of them to each merchant account.

    If you are switching from one merchant services provider software to another, you can open both merchant accounts and drag the employees from one window to the other. You can do the same for the credit card payment methods - to make the switch easy and fast.

    Any future dated 'post dated payments' associated with the card you drag to another merchant provider will automatically be reassigned to authorize on the new merchant provider card network.

    Orbital Virtual Terminal

    The Orbital Virtual Terminal requires:

    • User ID - provided by Paymentech and is the user ID for the Orbital Virtual Terminal gateway.
    • Password - provided by Paymentech and is the password for the Orbital Virtual Terminal gateway
    • Orbital Virtual Terminal Gateway - is always accessed via a web browser through https://secure.paymentech.com/manager. This is used to verify current and past batches, look at transactions, generate reports and manage your Orbital Gateway account.

    All users of the Orbital Virtual Terminal in conjunction with Theatre Manager are encouraged to download the Virtual Terminal Users Manual directly from Chase Paymentech. There is also a Virtual Terminal Quick Reference Guide available from the same site.

    Orbital Virtual Terminal - Account Setting for Manual Settlement

    Once you have activated your new Virtual Terminal account by logging in, there is one very important setting that you need to adjust. This particular setting will adjust the behaviour of your account settlement process and is vital for accurate reconciliation. You will need the following.
    • User ID - provided by Paymentech and is the user ID for the Orbital Virtual Terminal gateway.
    • Password - you created after your initial access/activation for the Orbital Virtual Terminal gateway
    • Orbital Virtual Terminal Gateway - is always accessed via a web browser through https://secure.paymentech.com/manager.

      This is used to verify current and past batches, look at transactions, generate reports and manage your Orbital Gateway account.

    1. Log into your Virtual Terminal Account and from the Tab selection at the top click on Admin, then General Admin from the drop-down menu as shown in the following image.

    2. The following setting window will appear.

      Note the Auto Settle Section of the settings.

    3. Make sure the Auto Settle Time is set to NONE.

    Testing Orbital Gateway

    After setting up the Orbital Gateway in the Merchant Account setup, you will need to test that it works. The best way to do this is:
    • Find yourself in the database or create a new patron that is yourself
    • Create a new order and attempt to buy a ticket
    • On the payment window, select the credit card you want to use and do a test authorization
    • If you get an authorization with a message indicating AVS match and/or CVV2 match, then the setup is correct
    • Log in to your Orbital Virtual terminal account and view the batch to see that your transaction is there
    • In Theatre Manager, void the credit card payment and then confirm in the Orbital Virtual Terminal that the charge is marked as void

    Trouble Shooting

    If you get a response that looks like it is HTML or XML and indicates that it was not authorized, then your user ID/password is probably wrong (please verify), or Paymentech set up the account to require a specific IP. Contact your Paymentech representative and tell them of the issue so that they can correct it. They may put you in touch with the Gateway people. You can inform the Paymentech Gateway support staff that you need to be able to authorize via user ID and password (per their standard setup instructions for Theatre Manager).

    Availability of Settled Batches

    Chase Paymentech send out a bulletin in May 2015:

    Beginning June 29, 2015, we’re changing the Orbital Batch Data Retention Policy for our Orbital Batch subscribers. This change is intended to increase data security as well as reduce the operational burden of maintaining authorization response files on our redundant servers.

    QUICK SUMMARY:

    1. Effective June 29 2015, Orbital Batch response files will be available for download for seven days
    2. This change increases security and reduces operational burdens
    3. After seven days, files can only be retrieved by the Partner Relationship Management team
    Effective June 29 2015, Orbital Batch response files will be available for download for seven days. After that time, we will purge batch response files. Customers wishing to download this data after seven days must contact our Partner Relationship Management team to request the data be retrieved from the host and made available for download.

    For More Information: Contact the Partner Relationship Management Team at 888.818.5128, option 4 or via e-mail at IntegratorSupport@ChasePaymentech.com.

    Elavon Installation

    Arts Management Systems provides the Elavon Virtual Merchant™ adaptor module to support credit card authorization. The installation is done for you during an initial installation of Theatre Manager to your organization or via remote when switching to a new provider by Arts Management training staff on any Theatre Manager Workstation.

    Elavon implements either user ID and password authentication; or access from specified IP addresses over HTTPS connections to provide compliance with PCI DSS 4.1

    Installation is quite straightforward. You would contact Elavon using information provided by Arts Management, and they create a Merchant Account for you. Money gets authorized by Elavon as 'Card Not Present' or as 'Swiped Card' and then deposited right to your own bank upon settlement from Theatre Manager. This account information that you are provided is all you need to set up in the merchant setup window below to provide secure credit card authorization.

    Elavon will need to provide the following 2 account setups (both are required):

    1. Elavon Virtual Terminal - uses the Elavon VirtualMerchant Gateway via a web browser to "view the transactions" that have occurred. This account setup is used during the EOD deposit process to review your transactions prior to the settlement process.
    2. Certified Connection for User ID and Password - uses the Elavon Gateway to allow authorizations to occur but not be viewed. This information is what needs to be entered into Theatre Manager's Merchant account to allow authorizations to occur.

    The user IDs and passwords for both of the above are completely different and should not be interchanged or confused with each other. Follow the appropriate setup steps for each.

    After following the setup for both accounts, make sure to test the gateway.

    Elavon - Contact Information

    Contact Information

    US Clients:

    1-855-770-0526

    www.elavon.com

    Canadian Clients:

    1-844-352-8661

    www.elavon.ca

     

    Ask for an Elavon Virtual Terminal account to be set up

    Once your Merchant Account information is provided to you, the following steps will need to happen:

    1. Settle any existing credit card batch (run an End of Day)
    2. Create a new merchant account in Theatre Manager
    3. Follow the steps to change your merchant provider

    Then you can start using Elavon Virtual Merchant.

    If you have any questions directly related to your Elavon merchant account setup, please contact them directly. Contact Arts Management if you have questions about how to setup Theatre Manager to reference and authorize credit cards using your Elavon merchant account.

    Elavon Gateway Account

    The Elavon Gateway Setup for User ID and Password setup is obtained from Elavon and is entered into the Setup --> System Tables --> Merchant Accounts window as below:

    Software Type

    The following values are set on the software type tab per the diagram below:

    • Set the server software to be Elavon Virtual Merchant
    • The merchant provider will automatically be set for you
    • The merchant number is provided by Elavon and will need to go into the Merchant number field. It is typically 6 or 7 digits.

      This number may be referred to by Elavon Support as the Virtual Merchant Account ID or Converge Account ID. The Elavon Developer guide calls the the Virtual Terminal Merchant ID. Look for the Account ID: on the Welcome to the VirtualMerchant Application form.

      Elavon will provide both a Merchant Account ID and a Converge Account ID when setting up the account. Enter the Converge Account ID into the Merchant number field.



    Connection Info

    The following entries are set on the Connection Info tab per the diagram below:

    • User id - provided by Elavon and is the user id for the gateway, not to the Elavon VirtualMerchant Account (they are not the same thing - the latter is the online interface).
    • Password - provided by Elavon and is the password for the gateway. It is not the password for the Elavon VirtualMerchant Account.
    • Primary URL - is always api.convergepay.com/VirtualMerchant/processxml.do
    • Port - is always 443


    Merchant Profiles

    The following entries are set on the Profiles tab per the diagram below:

    • Enable Profiles - set to Active if Merchant Profiles will be used.
    • Profiles API Login Key - not required. Elavon uses the same connection information from the Connection Info tab.
    • Profiles API URL - not required. Elavon uses the same the connection information from the Connection Info tab.

    Refer to Merchant Profiles for further information on functionality.

    Employee and Card Setup

    On the Merchant Setup window (see Account Setup), the final bit of setup is to determine which employees and which payment methods are associated with this merchant account.
    • To assign employees to this merchant account, click on the Employee tab and find the employees to assign. In a multi-merchant setup situation, drag those employees that should use this merchant account by default from the same employee tab in another merchant record. While some employees may have permission to use multiple merchant accounts, viewing their name here means this is the default merchant account assigned to them for charging cards. If the employee is able to use another merchant account, they will need to select it on the payment window.
    • Click on the Card tab to select which credit card payment methods are associated with this merchant account.

      If you need to have multiple merchant accounts and both are to take Visa (for example), you will need two Visa payment methods and assign one of them to each merchant account.

    if you are switching from one merchant services provider software to another, you can open both merchant accounts and drag the employees from one window to the other. You can do the same for the credit card payment methods - to make the switch easy and fast.

    Any future dated 'post dated payments' associated with the card you drag to another merchant provider will automatically be reassigned to authorize on the new merchant provider card network.

    Elavon Virtual Merchant - Account Setting for Manual Settlement

    Once you have activated your new Virtual Merchant account by logging in, there is one very important setting that you need to adjust. This particular setting will adjust the behaviour of your account settlement process and is vital for accurate reconciliation. You will need the following.
    • Account ID - provided by Elavon and is the Virtual Merchant Account ID.
    • Password - you created after your initial access/activation for the Virtual Merchant
    1. Log into your Virtual Merchant Account and from the Tab selection at the top click on Terminal >> Advanced >> System Setup from the drop-down menu as shown in the following image.

    2. The following setting window will appear.

      Note the Auto Settle Section of the settings.

    3. Make sure the Auto Settlement box is not checked.

    4. Save your changes by clicking the save button at the bottom of the settings window

    Elavon Virtual Merchant Web Portal Login

    The Elavon VirtualMerchant requires:
    • User ID - provided by Elavon and is the user ID for the Elavon VirtualMerchant gateway.
    • Password - provided by Elavon and is the password for the Elavon VirtualMerchant gateway
    • Elavon VirtualMerchant 'Converge' Gateway - is always accessed via a web browser through https://www.convergepay.com/converge-webapp/#!/login. This is used to verify current and past batches, look at transactions, generate reports and manage your Elavon account.

    All users of the Elavon VirtualMerchant in conjunction with Theatre Manager are encouraged to download the VirtualMerchant Users Manual directly from Elavon.

    Testing Elavon Gateway

    After setting up the Elavon Gateway in the Merchant Account setup, you will need to test that it works. The best way to do this is:
    • Find yourself in the database or create a new patron that is yourself
    • Create a new order and attempt to by a ticket
    • On the payment window, select the credit card you want to use and do a test authorization
    • If you get an authorization with a message indicating AVS match and/or CVV2 match, then the setup is correct
    • Log in to your Elavon VirtualMerchant account and view the batch to see that your transaction is there
    • In Theatre Manager, void the credit card payment and then confirm in the orbital Virtual Terminal that the charge is marked as void
      • Trouble Shooting

        If you get a response that looks like it is HTML or XML and indicates that it was not authorized, then your user ID/password is probably wrong (please verify), or Paymentech set up the account to require a specific IP. Contact your Elavon representative and tell them of the issue so that they can correct it. They may put you in touch with the Gateway people. You can inform Elavon Gateway support staff that you need to be able to authorize via user ID and password (per their standard setup instructions for Theatre Manager).

    Moneris Installation

    Moneris eSelectplus Payment Gateway

    Theatre Manager supports two Moneris processing options:

    • Moneris Gateway Account - where Theatre Manager sends a credit card provided to Moneris, receives the approval and is able to store the encrypted card (depends on PCI settings in company preferences). This option is used for box office credit card authorizations -and- for web sales with the benefit of supporting post dated credit card payments is using PCI schedule C.
    • Hosted Payment Page - this option can be only be used for web sales. Instead of accepting credit cards, the web interface passes control to the Moneris Hosted Payment Page, meaning that the customer is actually typing the card information directly into Moneris and Theatre Manager never sees it. This enables much less stringent PCI reporting.
      • Schedule A-EP - if the venue only uses hosted payments for e-commerce and no cards at box office
      • Schedule C - if the venue still enters card data into Theatre Manager at the box office
    • EMV devices - this option can be used for box office. Instead of typing cards into Theatre Manager, or using stand alone EMV devices, Moneris offers a 'cloud' connection to some pin pad devices - like the Verifone P400. If set up through Moneris eSelect and cloud connection, Theatre Manager will tell the device to start the authorization process, along with the amount and record the resulting acceptance or decline. This enables much less stringent PCI reporting.
      • Schedule A-EP - if the venue only uses hosted payments for e-commerce and no cards at box office
      • Schedule B-IP - if the venue uses EMV pin pads like the P400 through the Moneris cloud connection

    You may also want to have Moneris add two features to your account at time of your merchant account setup:
    By default, your eSelectplus account will be set to automatically settle each night between 10 and 11PM Eastern time. You MUST CHANGE this option to settle manually which simplifies your end of day processing and makes it easier to reconcile bank statements to your accounting system

    The merchant account number, Store ID and ECR Terminal ID will be sent to you in a document from Moneris. That document will also contain instructions for you to log in to the eSelectplus gateway to activate your account. Once you do that, you can obtain the API Token that will be required by the Theatre Manager merchant account setup.

    Some sample test accounts are available, if needed.

    Also, visit Misc Moneris Support for additional daily status information.

    Moneris Setup - Contact Information

    Contact our Moneris support representative: Nandini @ 1 (877) 825-0361 X 4117 to have your account setup.

    You want to request the eSelectplus product/account.

    Direct Processing vs Hosted Payment

    Theatre Manager supports the following Moneris processing options:
    • Moneris Gateway Account - where Theatre Manager sends a credit card provided to Moneris, receives the approval and is able to store the encrypted card (depends on PCI settings in company preferences). This option is used for box office credit card authorizations -and- for web sales with the benefit of supporting post dated credit card payments is using PCI schedule C.
    • Hosted Payment Page - this option can be used for web sales. Instead of accepting credit cards, the web interface passes control to the Moneris Hosted Payment Page, meaning that the customer is actually typing the card information directly into Moneris and Theatre Manager never sees it.

      Note that this same account needs e-select plus setup for settlement. It means box office can use the one merchant account for hosted payment online and normal credit card authorization at the box office. This helps support PCI Schedule 'A-EP' compliance for internet sales.

    • Moneris EMV - Moneris supports cloud based connection to some EMV pin-pad devices. Those can be set up as a pin pad device and associated with a workstation using Theatre Manager. This helps support PCI Schedule 'B-IP' compliance for box office.
    Moneris charges far too much money for their merchant profile feature. For this reason it is not recommended for use with Theatre Manager.

    Activate Moneris Account and Common Setup

    To activate your eSelectplus account and obtain your API Token:
    • Navigate to theMoneris Activation page. You will need:
      • Moneris Merchant ID:
      • Moneris Store ID
      • Follow the prompts to verify and setup the account
      Once the account is activated or if the account has previously been setup, login to the Merchant portal.
      Future log-ins will require the Username, Store ID, and permanent password that you will set up using the one-use password. Make sure that information is stored somewhere safe in your office and shared among the appropriate staff. Arts Management will not have access to that information if it is lost.

      Obtain Moneris E-Select Plus API Token

      A Moneris E-Select Plus is part of the Admin->Store Settings configuration option.

      This is used when you want Theatre Manager to retain card information within the system (encrypted) for box office sales, or web sales or for settlement for hosted payment page.

      • Once logged into the account online, you should plainly see the API Token. Copy and paste that into a document to store/send to Arts Management along with the info sent you by Moneris so that we may assist setting up the merchant account in Theatre Manager.
      • If you do not see the API Token, in the Moneris Virtual Terminal go to Admin > Store Settings and the API Token will be displayed at the top of the page

      Note:The API Token above has been removed for security. Where the black square appears, a combination of upper-case and lower-case letters and numbers will comprise your store's API Token.

      Regenerate the API Token

      This process should only be undertaken in consultation with both Moneris Support and Arts Management Support. The API Token must match the Theatre Manager merchant account setup in order for credit card processing to work.

      Moneris Support may advise you to re-generate the API Token for your store in certain circumstances or for security reasons. It is done on the Admin->Store Settings page as shown below. You will be asked to click the Re-Generate API Token. If you are advised to do so, you will need to put that new token into the merchant account settings.

      Please contact support@artsman.com if you are unsure where to make this change within the Theatre Manager merchant account.

      Set eSelectplus to Manual Settlement

      By default, your eSelectplus account will be set to automatically settle each night between 10 and 11PM Eastern time. You MUST CHANGE this option to settle manually which simplifies your end of day processing and makes it easier to reconcile bank statements to your accounting system.

      To alter this setting:

      • Log into the eSelectplus Virtual Terminal
      • Go to Admin > Store Settings
      • Scroll down the page until you see the Batch Close selections
      • Change the radio button to the Manually Close option

      Moneris Gateway Account

      The User ID and Password setup is obtained from Moneris and is entered into the Setup --> System Tables --> Merchant Accounts window.

      Once the Moneris account has been activated and all the information in the following list has been obtained, the Merchant Account in Theatre Manager can be set up on each of the tabs that follow:

      • Server Software - Moneris (setting selected in TM)
      • Merchant Provider - Moneris (setting selected in TM)
      • Merchant Account Number - xxxxxxxxxx (from Moneris merchant services)
      • Store ID - xxxxxx (from Moneris merchant services)
      • API Token/Password - xxxxxxxxxx (from Moneris Online Portal store settings)
      • Primary URL for LIVE authorizations: - www3.moneris.com/gateway2/servlet/MpgRequest (typed into TM)
      • ECR Terminal ID - 66xxxx (from Moneris merchant services)

      Tabs with specific setup info are described in the following help pages. Other tabs like the Employees and Cards tabs are populated the same as described here.

      Moneris Gateway Account Software Tab

      On this tab, you will need to provide:
      • Server software - set to Moneris
      • Merchant Provider - set to Moneris
      • Merchant Number - is the Merchant Number from the document sent by Moneris

      Moneris Gateway Account Connection Info

      On this tab, you will need to provide:
      • Store ID - provided by Moneris on the setup information
      • API Token - obtained from the online Moneris portal
      • ECR Terminal ID - provided by Moneris on the setup information
      • Primary URL (Canada) - should be www3.moneris.com/gateway2/servlet/MpgRequest
      • Primary URL (USA) - should be esplus.moneris.com/gateway_us/servlet/MpgRequest
      • Port - should be 443

      Moneris Gateway Account Authorization

      On the authorization tab, you will need to verify:
      • Send address/zip - verify the setting for this feature. At one time, Moneris does not provide AVS by default and it an account add-on. If a test authorization results in a no permissions for avs_info error, unchecking this box will eliminate the error since TM will no longer send AVS info.
      • Pin Pad store info, if using the P400's

      Refer to general help page for more info.

      Moneris Gateway Account Profiles Tab

      On this tab, you will need to provide:
      • Enable Profiles - set to Active if Merchant Profiles will be used.
      • Profiles API Login Key - not required. Moneris uses the same connection information from the Connection Info tab.
      • Profiles API URL - not required. Moneris uses the same the connection information from the Connection Info tab.

      Refer to Merchant Profiles for further information on functionality.

      In general, using Moneris Merchant Profiles are not recommended because they charge for this feature, unlike other merchant providers.

      Moneris Hosted Checkout Page

      A Moneris Hosted Checkout Page is part of the Admin->Hosted Checkout config option.

      Hosted Checkout option is used if you want Theatre Manager to use Moneris for online credit card payments with an embedded web page. It is possible to be SAQ A compliant for your web sales since Moneris takes the credit card within an iframe and card data does not enter your network.
      If you use hosted payments for web sales, you will also need an E-Select plus account for settlement. Box office sales can use this same merchant account and will automatically authorize against the e-select plus account. This means that you only need one merchant account set up even though it is processing via different pathways, one for web and one for box office.
      You may also be able to accept payments like apple-pay online, digital wallets, online interac, verified by visa, multi currency, etc. Make sure to talk to Moneris about what is possible and what you want to accept.
      If you are already using Moneris Hosted Payment Page, refer to the conversion process to Moneris Checkout to see what is involved.
      Note: using Moneris Checkout disables use of online post dated payments since card data is not provided by Moneris and, therefore, cannot be saved. Recurring Payments initiated by the box office will still work.

      Setup Process

      The best process to configure this option is:

      • Obtain your online portal connection information from Moneris
      • Configure all the settings within the online portal
      • Use the Theatre Manager Merchant Account Setup for Moneris Hosted Checkout Page
      • Verify all credit card types you want to take in payment method code tables
        • If you are already using Moneris hosted payments or box office payments, you may not need to do anything
        • If you plan on taking advantage of other credit card types online (that you may not want to accept in the box office), you will need to add them to the payment types.
        • It is very important that card types you set up online are in the payment code tables.
      • Test:
        • Authorizations through the TM Web services
        • Attempted Authorizations but Cancel through the TM Web services by going online to buy something (use test cards)
        • Verify the display on the web to see that it matches what ou picked in the online portal setup and shows your name and settings you wish
        • Voids from Theatre Manager
        • End of Day Settlement

      Online Portal Setup

      You will need to log into your Moneris Resource Center online account

      Once you are logged into the online account setup, select Admin->Hosted Checkout config option per the image to the right.

      You will see a screen similar to the bottom of the web page that lists all the configurations you have made. You can have many of them, and all you need to do is enter the Checkout_ID in Theatre Manager merchant setup to use the one you prefer.

       

      Creating a New Profile

      • If you see no lines in the list, click the Create Profile to make the following for Theatre Manager:
        • CHECKOUT_ID
        • ALIAS
      • You will be asked to confirm that you want to create a new profile.

        Click OK

      • Click the Edit Name on the upper left and you will see the window below

        Enter in an alias like 'Theatre Manager'

        .

       

      Edit an existing Configuration

      If you see the Checkout_id that you want to change in the list below, you can Edit by clicking the edit button. Then process to the next pages for more information about the setup.

      Checkout Type

      The first things you see is a short list of options on the left side of the web page, along with a prototype checkout page.

      Set the checkout Type

      • Click the section that says Checkout Type
      • Click the option I have my custom order form and want to use Moneris simply for payment processing.
      • Click 'Checkout Type' to collapse it

      Order Summary (cart)

      There is nothing to select on the Order Summary Cart since you have your own custom form as part of Theatre Manager.

      Make sure the options look like the image to the right.

       

       

       

       

       

      Customer Details

      There is nothing to select on the Customer Details since you have your own custom web site as part of Theatre Manager.

      Make sure the options look like the image to the right.

       

       

       

       

       

       

       

      Multi Currency

      Most likely, you will NOT need to accept multiple currencies.

      Since that is the case, UNCHECK the enable multi-currency button. that will cause the currency choices to disappear from the the area indicated on the checkout form

       

      If, however, you do want to take some selected currencies (such as USD, or where ever your main customers come from, then CHECK the enable multi-currency button.

      If you do that, you will also need to check and uncheck the currencies that you wish to accept.

      We understand that all currencies are converted to CAD and so you will receive CAD in your bank account.

       

       

      Payment Options

      Indicate what digital wallets you want to accept. There are two main ones at time of writing
      • Apple Pay
      • Google Pay
      If you check these, there are other things you will be asked. You may need to contact Moneris to see what things mean.

      Click the Display Supported Cards checkbox to show miniature logos of the cards you accept on your web site.

       

       

       

       

       

      There are more options that you should make the same as the image to the right.

      You MUST select Transaction Type as Purchase

       

       

       

       

       

       

       

       

       

       

       

       

       

       

       

      Branding and Design

      There are three areas that are highlighted that we think you may want to change:
      • Colours -these are colours that the web page will be displayed in. They use the internet RGB hex colours and you can change these to suit your web site theme.
      • Process Text - this is the text that will display on the button to accept the patrons credit card and to process it. You may select what you wish. We suggest Pay
      • Cancel Text - this is the text that will display on he screen to allow the use to use the 'Back' button. You may select what you wish. We suggest Back

       

       

       

       

       

       

       

       

       

      Order Confirmation

      For this section, you must select Use Own Page and nothing else. This is because Theatre Manager must receive the confirmation Moneris that the card was accepted or rejected before it will process the shopping carts.

       

       

       

       

       

       

       

       

      Email Communications

      Uncheck all of the options to the right, if any are checked

       

       

       

       

       

       

       

       

       

       

      Theatre Manager Setup

      The User ID and Password setup is obtained from Moneris and is entered into the Setup --> System Tables --> Merchant Accounts window.

      Once the Moneris account has been activated and all the information in the following list has been obtained, the Merchant Account in Theatre Manager can be set up on each of the tabs that follow:

      • Server Software - Moneris (setting selected in TM)
      • Merchant Provider - Moneris Checkout Page (setting selected in TM)
      • Main Store Id - xxxxxxxxxx (provided by Moneris merchant services and used to login to Moneris online portal)
      • Hosted Store ID - xxxxxx (generated in Moneris online portal)
      • Checkout ID - xxxxxx (generated in Moneris online portal)
      • Primary URL for LIVE authorizations - set automatically
      • ECR Number - 66xxxx (provided by Moneris on the setup information)
      • api_token - obtained from the Moneris online portal

      Tabs with specific setup info are described in the following help pages. Other tabs like the Employees and Cards tabs are populated the same as described here.

      Moneris Hosted Checkout Software Type

      On this tab, you will need to provide:

      • Account Name - enter a description indicating that the purpose of this account is for Hosted Payments
      • Status - click to make it active, if not already
      • Enable Card Use by Web Listener - click to make it active, if not already. Hosted Checkout Page can be used for online sales to try to be PCI Schedule A compliant
      • Server Software - Moneris (setting selected in TM)
      • Merchant Provider - Moneris Checkout (setting selected in TM)
      • Main Store Id - xxxxxxxxxx (This is your Moneris Store # provided by Moneris. It should be a combination of letters and numbers. This is NOT your Merchant # OR ps_store_id. If the Moneris Store # is incorrect, Theatre Manager will NOT be able to close the credit card batch on the gateway server.)

      Hosted Checkout Connection Info

      On this tab, you will need to provide:
      • ps_store_id - xxxxxx (generated in Moneris online portal)
      • Hosted Checkout ID - xxxxxx (generated in Moneris online portal)
      • Authorization URL - automatically set for you
      • Settlement URL - automatically set for you
      • Port - must be 443
      • ECR Number - 66xxxx (provided by Moneris on the setup information)
      • api_token - obtained from the Moneris online portal

      The Web Experience

      It is very important to note that the credit card is being entered from the user's browser directly into the Moneris web site. This allows a venue to have:
      The checkout process for Hosted Checkout Page is very similar to standard checkout processing for credit cards online. This shows and explains the subtle differences.

      Step 1 of the checkout process illustrates that most of the checkout window appears the same.

      The singular difference is that the credit card entry data is missing. Card entry shows up on step 3.

      Step 2 shows an example of the actual hosted payment page.

      From step 1, the user's browser is directed to the Moneris web site where they enter:

      • cardholder name
      • Card number
      • Expiry date
      • CVV2 #
      They also have the ability to:
      • Pay - which will process the card, and if accepted, move on to Step 3
      • Back - which will take the patron back to the shopping cart page in Theatre Manager web sales
      Step 3 remains the same.

      This shows the confirmation page where the user can use the print at home feature if enabled.

      Converting HPP to Moneris Checkout

      The process of converting from Hosted Payments to the Moneris Checkout should be straightforward
      • Log on to your online Moneris E-Select Plus account
      • Follow the instructions to make a Moneris Checkout Page and copy the Checkout ID
      • Change your merchant settings in Theatre Manager from Hosted Payments to Moneris Checkout (see below)
      • Put the Checkout ID into the right place in Theatre Managaer
      • tmCheckout.html
        • You will have to update the web page if you have altered it in the past.
        • If you have not changed it (i.e. it is not in your web page directory), then you are done
      There are two additonal things you might have to watch out for:
      • You may need to add some credit card types like JCB, UPAY into code tables
      • If you have implemented restrictive outgoing firewall rules, you may need to review those to allow the Moneris checkout page to render in your organization's internal networks. It should not affect any patrons at home

       

      Converting Moneris Hosted Payment to Moneris Checkout

      Once you have your Checkout ID, all you need to do is change two things in your merchant setup:

          Complete your current end of day and settle all your credit cards
        1. Open the Setup->System Tables-> Merchant Account list
        2. Find the current/active Moneris Hosted Payment Page account in the list and double click on it
        3. On the Software Type tab

          click on the Merchant Provider popup. Change it:

          • From Moneris Hosted Pay Page - Deprecated
          • To Moneris Checkout

        4. On the Connection Info Tab:
          • Locate the field called Hosted Checkout ID
          • Save the contents of the field from the HPP setup, in case you need to put it back in later to reverse the process back to HPP
          • Paste in the checkout ID you created on the Moneris web site

        5. Save the merchant record
        6. Go to your online sales and try it out. The checkout process should be similar to the example. If it is not similar, please contact us.
        7. Go to your online Moneris Portal and make sure that it indicates that the card is authorized
        8. Try to void the credit card payment in Theatre Manager you just put through online
        9. Go to your online Moneris Portal and make sure that it indicates that the card is now voided

        Moneris Hosted Payment Page (deprecated)

        In late 2022, Moneris is replacing the Hosted Payment Page option with the Hosted Checkout Page option. It should require a little change to your merchant account setup in order to switch over.

        Refer to the conversion process from HPP to Moneris Checkout

         

        A Moneris Hosted Payment Page is part of the Admin->Hosted PayPage config option.

        Hosted Payment Page option is used if you want Theatre Manager to switch over to the Moneris site for online credit card payments. It is possible to be SAQ A compliant for your web sales since the web site no longer takes credit cards (Moneris does).
        If you use hosted payments for web sales, you will also need an E-Select plus account for settlement. Box office sales can use this same merchant account and will automatically authorize against the e-select plus account. This means that you only need one merchant account set up even though it is processing via different pathways, one for web and one for box office.
        Moneris Hosted Payments requires that your web page timeout is 60 minutes in company preferences - it cannot be less. This is because Moneris payment acceptance is 60 minutes and we cannot close carts until their payment page has timed out.
        You may also be able to accept payments like apple-pay online, online interac, verified by visa, etc. Make sure to talk to Moneris about what is possible and what you want to accept.

        Setup Process

        The best process to configure this option is:

        • Obtain your online portal connection information from Moneris
        • Configure all the settings within the online portal
        • Use the Theatre Manager Merchant Account Setup for Moneris Hosted Payment Page
        • Test:
          • Authorizations through the TM Web services
          • Attempted Authorizations but Cancel through the TM Web services by going online to buy something (use test cards)
          • Verify the display on the web to see that it matches what ou picked in the online portal setup and shows your name and settings you wish
          • Voids from Theatre Manager
          • End of Day Settlement

        Online Portal Setup

        You will need to log into your Moneris Resource Center online account at https://www3.moneris.com/mpg/index.php

        Once you are logged into the online account setup, select Admin->Hosted PayPage config option.

        You will see a screen similar to below.

        • If you see no lines in the list, click the Generate a New Configuration to make the following for Theatre Manager:
          • ps_store_id
          • hpp_key
        • If you see your ps_store_id in the list below, you can edit or verify information by proceeding to the next pages.

        Hosted Paypage Basic Configuration

        You will need to log into your Moneris Resource Center online account at https://www3.moneris.com/mpg/index.php

        Once you are logged into the online account setup, select Admin->Hosted PayPage config option.

        Once you see your ps_store_id, click the 'Edit Button and you will see a screen similar to below.

         

        Data Setup

        Enter data into the window above per the instructions:

        If you change anything on this page, be sure to click Save Changes under this section.

        Hosted Paypage Appearance Configuration

        You will need to log into your Moneris Resource Center online account at https://www3.moneris.com/mpg/index.php

        Once you are logged into the online account setup, select Admin->Hosted PayPage config option.

        Scroll down until you see a section that says Paypage Appearance and click Configure Appearance.

        A new window will open similar to below and the settings you place here control how the hosted payment page will appear to the patron.

        Appearance Configuration

        At the top are 3 buttons that are helpers for you:

        • Hex Colour Chart - which shows colours that can be placed into the 'Colours and styles' area. They are samples in a numeric format with examples. If you are familiar with setting colours of items on web pages, you can use any colour you wish.
        • Layout Sample - shows a picture of the various parts of the payment page that can be displayed
        • View Preview - will show what your payment page will look like after altering the settings. Our sample is to the right based on settings below

        Colours and Styles

        In this section, enter the colours for various parts of the payment page window. Use this to set colours as indicated.

        Hosted Paypage Data Fields

        Make settings as follows:

        • Display Item Details - uncheck. Theatre Manager does not send this information to Moneris
        • Display Customer Details - uncheck. Theatre Manager does not send this information to Moneris
        • Display Shipping Address Details - uncheck. Theatre Manager does not send this information to Moneris
        • Display Billing Address Details - uncheck. Theatre Manager does not send this information to Moneris
        • Enable input of Billing, Shipping, and extra fields - uncheck. Theatre Manager does not respond to this data if enabled
        • Display Merchant Name - Check this if you wish - it will display your merchant name from elsewhere in the Moneris config

        Buttons

        There should only be two things to set here:

        • Cancel Button Text - enter the words that you want to show to the user should they decide that they do not want to continue with authorization. Could be word like 'Cancel', 'Cancel Transaction','I Give up', 'Go Back to Cart', etc. Make sure and try an authorization so that you like what it says and that it is consistent with the behaviour of the window
        • Cancel Button URL - must be https://tickets.yourvenue.org/TheatreManager/payment/moneris/cancelled where tickets.yourvenue.org is the URL to your ticketing web site

        Hosted Paypage Input Fields

        The settings are:

        • Display CVD Input (Credit Card Only) - we suggest checking this to allow input of the number on the back of the card
        • Display AVS Input (Credit Card Only) - (optional) check this to allow input of address info for address verification if you wish customers to provide it. It does not go to Theatre Manager
        • Postal Code Input Only) - (optional) if you want address verification, this restricts address input to the postal code only. its probably the preferred option for AVS checking

        Logos

        If you wish, you can click on the credit card logos that you accept. It simply displays the logo on the payment page.

        Hosted Paypage Response/Receipt Data

        You will need to log into your Moneris Resource Center online account at https://www3.moneris.com/mpg/index.php

        Once you are logged into the online account setup, select Admin->Hosted PayPage config option.

        Scroll down until you see a section that says Response/Receipt Data and click Configure Response Fields.

        Response/Receipt Field Configuration

        Set the options as follows:

        • Return line item details - uncheck this, it is not used by Theatre Manager
        • Return shipping details - uncheck this, it is not used by Theatre Manager
        • Return billing details - uncheck this, it is not used by Theatre Manager
        • Return other customer fields - uncheck this, it is not used by Theatre Manager
        • Return ECI value - uncheck this, it is not used by Theatre Manager
        • Return the txn_number. - you MUST CHECK THIS as it can be used in Theatre Manager to void transactions
        • Return the VBV value - uncheck this, Verified by Visa is not used by Theatre Manager
        • Return Visa Debit card indicator - uncheck this, it is not used by Theatre Manager
        • Return AVS data - only CHECK THIS if you are wanting Moneris to check the postal code and you've allowed it as input on this screen
        • Encode carholder name - allows multi byte characters - you MUST CHECK THIS since Theate Manager understands unicode characters - allows customers to put accents in their names.
        • Automatically promptcardholder for a new card after a decline - check or uncheck this you wish

        Asynchronous Transaction Response

        Set the options as follows:

        Hosted Paypage Security Features

        You will need to log into your Moneris Resource Center online account at https://www3.moneris.com/mpg/index.php

        Once you are logged into the online account setup, select Admin->Hosted PayPage config option.

        Scroll down until you see a section that says Response/Receipt Data and click Configure Response Fields.

        Referring URL

        • Leave all data blank

        Transaction Verification

        • Non of the fields are required for processing. The can be left blank or unchecked
        • The Referring URL section contains an Add URL: field. The ticketing site, https://tickets.yourvenue.org, can be added to this field to ensure it's the only source for processing.

        Moneris Hosted Payment Email Receipts

        You will need to log into your Moneris Resource Center online account at https://www3.moneris.com/mpg/index.php

        Once you are logged into the online account setup, select Admin->Hosted PayPage config option.

        Scroll down until you see a section that says Email Receipts and click Configure Email Receipts.

        Receipt Conditions

        Theatre Manager handles all confirmation of purchases to the patron. This section is not used, although, if you wish, you might want to send emails to the MERCHANT' for audit purposes.

        • Leave all data blank or unchecked.

        Receipt Appearance

        Theatre Manager handles the receipt to the patron.

        • Leave all data blank or unchecked

        Theatre Manager Setup

        The User ID and Password setup is obtained from Moneris and is entered into the Setup --> System Tables --> Merchant Accounts window.

        Once the Moneris account has been activated and all the information in the following list has been obtained, the Merchant Account in Theatre Manager can be set up on each of the tabs that follow:

        • Server Software - Moneris (setting selected in TM)
        • Merchant Provider - Moneris (Hosted Pay Page) (setting selected in TM)
        • Main Store Id - xxxxxxxxxx (provided by Moneris merchant services and used to login to Moneris online portal)
        • ps_store_id - xxxxxx (generated in Moneris online portal)
        • hpp_key - xxxxxx (generated in Moneris online portal)
        • Primary URL for LIVE authorizations - www3.moneris.com/gateway2/servlet/MpgRequest
        • ECR Number - 66xxxx (provided by Moneris on the setup information)
        • api_token - obtained from the Moneris online portal

        Tabs with specific setup info are described in the following help pages. Other tabs like the Employees and Cards tabs are populated the same as described here.

        Moneris Hosted Payment Software Type

        On this tab, you will need to provide:

        • Account Name - enter a description indicating that the purpose of this account is for Hosted Payments
        • Status - click to make it active, if not already
        • Enable Card Use by Web Listener - click to make it active, if not already. Hosted Payment Page can be used for online sales to try to be PCI Schedule A compliant
        • Server Software - Moneris (setting selected in TM)
        • Merchant Provider - Moneris (Hosted Pay Page) (setting selected in TM)
        • Main Store Id - xxxxxxxxxx (This is your Moneris Store # provided by Moneris. It should be a combination of letters and numbers. This is NOT your Merchant # OR ps_store_id. If the Moneris Store # is incorrect, Theatre Manager will NOT be able to close the credit card batch on the gateway server.)

        Moneris Hosted Payment Connection Info

        On this tab, you will need to provide:
        • ps_store_id - xxxxxx (generated in Moneris online portal)
        • hpp_key - xxxxxx (generated in Moneris online portal)
        • Authorization URL - automatically set for you
        • Settlement URL - automatically set for you
        • Authorization URL - must be esplus.moneris.com/DPHPP/index.php
        • Settlement URL - must be esplus.moneris.com/gateway_us/servlet/MpgRequest
        • Port - must be 443
        • ECR Number - 66xxxx (provided by Moneris on the setup information)
        • api_token - obtained from the Moneris online portal

        The Web Experience

        It is very important to note that the credit card is being entered from the user's browser directly into the Moneris web site. This allows a venue to have:
        The checkout process for Hosted Payment is very similar to standard checkout processing for credit cards online. This shows and explains the subtle differences.

        Step 1 of the checkout process illustrates that most of the checkout window appears the same.

        The singular difference is that the credit card entry data is missing. Card entry shows up un step 3.

        Step 2 remains the same. The user can continue or go back.
        Step 3 shows an example of the actual hosted payment page.

        From step 2, the user's browser is directed to the Moneris web site where they enter:

        • postal/zip code for AVS
        • cardholder name
        • Card number
        • Expiry date
        • CVV2 #
        They also have the ability to:
        • Process the Transaction - which will process the card, and if accepted, move on to Step 4
        • Cancel Transaction - which will take the patron back to the shopping cart page in Theatre Manager web sales
        Step 4 remains the same.

        This shows the confirmation page where the user can use the print at home feature if enabled.

        Moneris EMV Devices for Box office

        Currently EMV Pinpads can only be used with Moneris and E-Select Plus Gateway. At time of writing it has been tested with
        • Verifone P400 (the only recommended device - no others work)

        Be sure to READ THE PRO's AND CON's of using the P400 before deciding to use them and ordering them from Moneris.

        Refer to accepting a payment on the payment window for EMV Pin Pad credit cards to see how the process works and how similar it is to other payment methods. When using pinpads, you do not receive the credit card data for TM - so you cannot use this method for post dated payments and recurring sales.

        Please refer to Moneris EMV PinPad Setup Steps to see how to integrate with Theatre Manager.

        EMV devices must be set up as a pin pad device and then must be associated with a workstation using Theatre Manager. Multiple workstations can use the same EMV device is you wish.
        Pin Pads are settled during end of day. if you receive any message about an imbalance on a pin pad, please refer to the Moneris Pin Pad End Of Day troubleshooting tips.
        If an EMV device is assigned to the workstation, the user simply selects any one of the credit card types as payment during the payment process, and Theatre Manager will activate the EMV device.
        You may need to import a new ticket face for payments to satisfy Moneris signature & receipt requirements.
        You CANNOT VOID a pin pad authorization. You must add a payment to the order and make it a REFUND (Moneris' rules)

        Pro & Con of using Moneris Pin Pads

        Using pin pads integrated with Theatre Manager save time and give you more options for taking payments for walk up customers.

        On the whole, the P400 helps for new sales, INTERAC and tapping for payment. It slows the mass refund process when a show is cancelled because it requires calling each person who bought at the box office to get their card and enter it manually.

        Pro Con
        1. Payment methods that can be setup and accepted are:
          • INTERAC,
          • All major card types (visa, mastercard, diners, amex, UCB, JCB, discover, and more)
          • e-wallet payment methods like Apple Pay.
          Discuss what you want to accept with your Moneris representative and set up those payment methods in TM for box office only
        2. Payments can be Tapped, Inserted (chip and pin), or Swiped (if the patron has an old style card without chip)
        3. Uses ONE merchant account for all web, phone and in person purchases.
        4. When accepting Pin Pad payments, Theatre Manager tells the Pin Pad the amount and activates it. It receives all authorization data back from Moneris
        5. The customer receipt is stored in the database and:
          • can be printed on a ticket printer if desired
          • copied from the payment detail and copy/pasted into an email and emailed to the customer if desired
        6. The merchant receipt is also stored in the database meaning you don't have to print them and deal with the additional paper
        7. Supports PCI schedule A-EP certification for your venue - meaning that Theatre Manager workstations are never in PCI scope
        8. Multiple workstations can share a Pin Pad.
          • You might want one for each box office window
          • multiple back office workstations can share if you'd like
        9. End of Day is largely unchanged. Theatre Manager issues a message to each pin pad to settle itself
        1. You cannot Void a payment taken through the pin pad. You can only issue a refund to the pin pad
        2. Refunds

          Moneris does not allow automatic refund to anything charged by Pin Pad.

          • A refund for any payment taken through the Pin Pad requires that you must either
            • call the customer and ask for their card to type it into the pin pad -or- ask Moneris for independent refund capability if you want to type the refund into Theatre Manager
            • Have the customer be present so that they can tap their card
          • It affects mass refunds to cancelled shows if the payment was taken through the Pin Pad. Those must be refunded one by one. All internet sales can be mass refunded as before. If most sales are internet, then this will not materially affect your business processes. If most sales are in person, it will add to the burden of refunds.
        A venue may need to change business practices for mass ticket refunds to a pass/gift certificate for people who paid via pin pad.

        Moneris Pin Pad Setup Steps

        The following is the general list of steps you have to follow to get the Moneris EMV pin pad to work with Theatre Manager at the box office or for other departments.

        Theatre Manager is designed that the EMV devices can be shared between workstations. However, you probably want one for each box office window and one for the rest of the office to manually enter cards.

        You can use Moneris EMV devices, even if you still want to use your existing provider. You just need to set up an EMV only merchant account in Theatre Manager.
        Note: check the firmware version of your pinpad. Version 19.05 works. 19.06 is known to be broken. Contact Moneris if you need to ask them to fix it.

         

        Pre-Preparation Steps (with Moneris) for CLOUD EMV DEVICES (P400)

        You will need a Moneris E-Select+ account. You need to contact Moneris for this - Arts Management cannot arrange one.

        • If you DO NOT HAVE an E-Select+ account, contact Moneris. It might involve changing you merchant provider - and you might want to talk to the support team about:
          • pro's/con's of changing completely to Moneris and/or
          • feature comparison of Moneris to other providers and/or
          • OR (if you want), you can keep your existing merchant provider and only use Moneris for EMV pin pad authorizations.
        • If you have an E-select+ Account
          • Contact your Moneris representative to arrange for the number of P400 cloud connected device you think you need.
          • You must tell Moneris that you are using it with Theatre Manger
          • Moneris must provision it with their software, so get them to confirm they will do that to work with Theatre Manager
        • Theatre Manager can share EMV devices amongst workstations. However, you probably want:
          • one for each box office window and
          • maybe also one for the rest of the office to manually enter cards.
        Moneris should provide you with merchant information and EMV Device setup information. Work with Moneris to get it set up in E-select+
        Very Important: DO NOT allow Moneris to settle the EMV devices automatically at a preset time each day. Theatre Manager will settle the devices during end of day to make accounting far more straightforward.

         

        Theatre Manager Setup Steps (after you have your EMV devices)

        Once you have your Moneris information and pin pads, follow these steps in Theatre Manager:

        Step Item General Instructions
        1 Turn off Power saving The pin pad requires a constant connection to the database while the authorization is occurring. there are two things to do:
        2 Plug in the Pin Pad Download this abridged version of the Moneris P400 installation instructions and follow it until the steps say come back to this web page to do the remainder of the steps
        • Make sure to use the Moneris Cloud Setup
        • Plug the ethernet cable into an ethernet jack
        • Set the Pin Pad to use Dynamic IP address
        3 Moneris Merchant Account Make sure you have a Moneris Merchant Account set up in Theatre Manager. I you already have a moneris account for hosted payments or web sales, you likely should use the same one.

        On the authorization tab in the pin-pad area of the Theatre Manager merchant setup, please:

        • enter the StoreID and
        • enter API key provided by Moneris
        • change the authorization timeout to be at least 90 seconds to allow for manual entry of card data for phone orders
        4 Plug in EMV Devices Physically plug the EMV devices in, power them up and connect them to your ethernet network.

        Place the devices where you think they will be best used for your box office and administration areas. The EMV devices will go through a startup process and should eventually show a screen with a pairing number on them.

        5 Create Device Records In Theatre Manager, open the Device List. For each pin pad that you have:
        • Create a new EMV device
        • Enter the relevant information on the above help page
        • Click the Pair button. Theatre Manager will ask for the pair code for that device. If pairing occurs successfully, the device will no longer show the pair code.
        • Repeat for all EMV pin pads that you've received.

        If pairing does not occur:

        • Make sure the merchant account is set to the one you are using for Moneris (see step 1)
        • Make sure the pin pad is on, connected to the internet and is showing the pair code (see step 2)
        • Make sure the setup data about the pin pad is entered properly (step 3)
        • Contact Moneris to make sure that the pin pad is set to 'cloud' setting
        • Try the 'pair' process again for the same device
        6 Edit Hardware Preferences After pairing all devices in as above, you will need to go to each workstation and decide which EMV device is associated with the workstation.
        • Log in to the workstation - any user is fine
        • Edit the Hardware Preferences and
        • associate each computer with one of the pin pads setup in step 3. e.g:
          • Each box office window computer could be associated with its own device.
          • All Admin computers could be associated with a common device for manual card entry.
        7 Payment Receipts You will need to import a new payment receipt ticket face designed specifically to satisfy Moneris signature & receipt requirements
        8 Setting up Payment Methods
        • If you are currently using Moneris for all credit card authorization
          • In payment methods code tables, add in any new card types you are taking. At a minimum, this might include INTRAC to take debit carts
          • You probably already have VISA, MC, AMEX and perhaps some others. if so, do not add them again. Only add new card types that you now intend to take.
          • proceed to step 9
        • If you are switching all your merchant processing to Moneris, follow instructions on converting to a new merchant
        • If you are going to use Moneris for EMV devices only, in conjunction with your existing merchant provider, you will need to:
          • Add duplicate credit card in payment methods code tables
          • For each CC payment method you take like: VISA, MC, DINR, etc -and-
          • Assign to your new Moneris merchant account record
        Make sure you have a payment method INTRAC to handle debit card payments in the payment methods code tables
        9 Restart Theatre Manager
        10 Optional tests
        • Go to the device list, edit each device setup and try the PinPad Totals button - to see authorization amounts and counts for each pinpad.
        • Try your end of day:
          • You will get a new batch and deposit # for each EMV device
          • Each device will be closed and summarized into its own GL Entry
          • Reports will show the separate batches
          • If an EMV device is out of balance, you will see an error message during end of day
        • View a receipt in the payment record for a patron who you accepted an EMV authorization for.
        • Have a look at all the payment requests that were taken, even including the failed or declined cards. You may need to come here and ask for support if your EMV device is out of balance.

          You can also go to patrons, orders and various other places from here

        • Print a real ticket receipt for a payment taken via EMV to make sure they appear correctly on your ticket stock on your printer
        11 Debugging If you are having trouble with getting pinpad authorization to work, there are some troubleshooting tips:
        • Enable outgoing firewall rules for the url specified for the device in the device setup. Currently, it is ippos.moneris.com. This is required for all:
          • workstations paired to the pinpad device -and-
          • all the web listeners.
          • Refer to Router/Firewall Rules for more info.
        • You can verify the correct communication steps are occurring with the pin pad device by looking at the web listener log for EMV devices
        • If the pin pad is communicating with Moneris and retrieving data, you can look at pin pad receipts, transaction data, and Moneris responses using Pin pad Request List. This list shows both successful authorizations and declines.
        • If all cards are beling declined with an error code 069 and a message like Bad Message Error/No CVM Results, please contact Moneris and have them configure the CAT indicator for the PinPad to be card present.
        • You can test the OpenTotal command on the device setup. This interrogates a pinpad for current charges and refunds, if any. This command is used by end of day and if you cannot do this or get permission denied, please contact Moneris to have them fix it

        Moneris Receipt Ticket Faces

        Payment receipts are optional and can be printed on demand. However, if you have customers who request a receipt, Moneris has specific requirements if the payment was made using EMV devices.

        We have created one you can download and import that meets Moneris requirements and is designed specifically for the P400.

        If you need to print receipts for Moneris Pin Pad authorizations, you will need to set up your ticket faces as follows:
        • Download a template Moneris EMV ticket face from the ArtsMan web site
        • Unzip the file so that you see the MonerisEMVTicketFace.tmf file on your desktop
        • Open the list of Ticket Faces window which should look similar to the image to the right.
          • Click the Import button at the top of the window
          • look for the file called MonerisEMVTicketFace.tmf on your desktop and import it
          • after importing the new ticket face, it will appear in the list of ticket faces. Look for the ticket face number of this Moneris EMV ticket face in the list. It will be used in the next step

        You have now imported a ticket face file. You can now edit this ticket face if you want to make any additional customized changes to the receipt layout based on any possible ticket face background images you may have preprinted on the ticket stock.

         

        Additional Steps to implement the ticket face

         

        After importing the ticket face, you will have to decide a few things on the company preferences Ticket Faces Tab under the section Credit Card Receipts. All the fields/options in this area may need adjustment.

        • Receipt Ticket - Change the ticket face number there to be the one you recorded above
        • Print Receipts - has 3 options to consider:
          • Automatically for Patron Present. Moneris give you the option of always printing a receipt, or only printing a receipt on demand. We recommend only printing a receipt on demand. Uncheck this option unless you always want to print are receipt of the ticket printer for any credit card payment.
          • Automatically for Telephone and Mail Order. Moneris may require a signature for card numbers typed into the EMV machine for payments taken over the phone since the card is not present. Check this option if you wish, although we recommend not. The better alternative is to batch print the receipt along with tickets if emailing or holding at will call. The receipt should automatically include a signature line.
          • Prompt User if receipt required If you are unsure if you want to print receipts for tapped in chip/pin authorizations, but you want to give the patron the choice, you can check this option.
            • We recommend not to since this adds an extra prompt you have to agree to when selling payments at the box office.
            • If you don't print the receipt you can go to the payment window and print a receipt if asked.
            • For years, most people have neither asked for nor requireda reeipt. This is even more true these days of social distancing.
            • again, receipts can always be batch printed for will call or mail to patron tickets.
        • Print Receipts xx times. This is designed for situations where you, the merchant, want a receipt copy as well as the customer. It you always, print for the customer, enter 1. If you want one for yourself as well, enter 2.

          Moneris does not require you to print one for yourself if they are stored electronically and can be reprinted. Theatre Manager stores all payments and Moneris EMV responses precisely for this purpose so you can reprint later if need be. We suggest not printing a merchant copy in this electronic age.

        Moneris Test Accounts

        Moneris has made some general purpose test accounts that you can use for setting up the Moneris Gateway Account and testing to ensure the connection is valid. Do not use these for a production environment as all authorizations sent here are for test only and ignored beyond that.

        These values are open for general testing from all sources - so you may see more than just your test transactions in the virtual gateway.
        They only work for the Moneris Gateway Account and will not work for Hosted Payment Page testing

        The following values will enable you to enter the test environment for the gateway:

        • Merchant Account Number 700000208782
        • Store ID store1
        • API Token/Password yesguy
        • Primary URL for TEST authorizations esqa.moneris.com/gateway2/servlet/MpgRequest
        • Port # 443
        • ECR Terminal ID 66002173

        Where TM Data goes in Moneris

        It is sometimes helpful to know where card data goes in the merchant portal to troubleshooting and cross reference purposes. The above diagram shows how to cross reference date on the payment window in Theatre Manager and Moneris' online portal.

        Data Sent by Theatre Manager to Moneris

        • Patron number, order number (that the payment is associated with) and current patron name is put into the Moneris Customer ID field. If you see this data in Theatre Manager, it should help you find the patron or order in TM, either by order number, patron number, or patron name. Note that since patron names can be changed at any time and patrons can be merged, order number(red lines)
        • Card and expiry date are sent to Moneris, which returns the authorization code. (orange lines)
        • Theatre Manager makes up a system wide unique number for Moneris to refer to thus specific payment authorization attempt (blue lines). They always look like TM-X-Y-ZZZZZZ where:
          • TM- means the authorization came from Theatre Manager. If it doesn't start with TM, somebody did it manually or via some other method.
          • X- is the unique number of the merchant record in Theatre Manager. This is in case you have set up multiple Moneris merchant accounts for different reasons. (eg one for box office and one for development - which is not really recommended
          • Y- is the TM outlet number that sent the authorization to Moneris
          • ZZZZZZ is a unique number generated by TM for each authorization attempt. If an attempt is made and fails, it will consume a number and the next attempt at authorization will use a new value for ZZZZZZ

         

        Data returned to TM by Moneris

        TM tracks the

        • Moneris Sequence number - which is a unique number generated by Moneris for successful authorizations.
        • Moneris Authorization Time - which is the date/time of day that the authorization occurred. If the dates are different, it will be because Theatre Manager has stored them in time zone adjusted time. (pink lines)

        Troubleshooting Moneris Account Setup

         

        Below are a list of some of the errors that may be encountered during processing using Moneris as a merchant provider:

         

        P400 - Reversing Pin Pad Authorizations (cannot void or delete)

        If you are using a Moneris P400 connected to your workstation, you cannot void or delete a credit card entered using the pin pad.

        Moneris does not support voiding in the pin pad because they require a log for each interaction. So you must refund.

        You many see a button on the lower left that says Linked. IF you click on it and the original payment was taken online, you will be able to refund against that payment without needing the card.

        Refunding a payment with the P400

        Instead, you will need to

        • Add a payment to the order. Refer to the general process for more information.
          • Select a credit card payment method when it becomes time in the process from the first step.

            You will see a window like below:

          • Enter a NEGATIVE AMOUNT for the payment to indicate a refund.
          • (optionally), click the button to enter the card data manually if the customer gave you their card over the phone
        • Click the Refund Payment button. The customer's action change depending if you selected
          • Patron taps, inserts, or swipes card on EMV device:
            • the customer will need to tap or insert their card on the pin pad
            • The customer must be present at the box office with their credit card for them to do this.
          • Employee enters credit card manually into EMV
            • you will need to enter the full card number and expiry date on the pin pad since card data is never entered into TM.
            • This is useful for refunds when the customer is not present and they gave you their card over the phone.

        No Permissions For AVS_Info

         

        No Permissions For AVS_Info

        When the merchant account is setup in Theatre Manager and a test transaction is processed the error message above may appear. This error message is the result of missing options in the setup of the Merchant Account by Moneris. To correct the issue:

        • the Moneris representative will need to be contacted.
        • A request will need to be submitted to enable AVG and CID/CVV2 processing. This process can take up to 5 business days.
        • Additional Moneris account setup charges will apply for implementing these charges.
        The settings are mandatory in order to process credit cards using Theatre Manager.

         

        Moneris Returned A Response Code of NULL

        By default, when a merchant account is created in Theatre Manager, it sends the patrons Address/Postal Code (Zip Code) with the credit card for verification. If the patron record does not contain an address this information is not available to send. Moneris is expecting data in these fields and thus sends but a response code of Null indicating the fields are empty. This error can be resolved in one of two ways. Address information can be made mandatory in the database or Address Verification can be turned off.

         

        Mandatory Address in Patron Records

        • Login to Theatre Manager as the Master User.
        • Click Setup >> System Preferences.
        • Select the Mandatory Data tab.
        • Check the boxes in Full Profile Patron Data for:
        • Patron Address
        • Patron Postal Code (Zip Code)
        • Click Save.

        An address and postal code (zip code) will now be required for all patron records added or updated in Theatre Manager.

         

        Turning Off Credit Card Address Verification

        • Click Setup >> System Tables >> Merchant Accounts.
        • Double click on the current Merchant Account to open it.
        • Select the Authorization tab.
        • Remove the check from Fraud Prevention >> Send address/zip.
        • Click Save.

        The Address and Postal Code (Zip Code) will no longer be sent with the credit card number for authorization.

         

        Transaction Not Allowed: ind_refund -5

        Independent Refunds is a Moneris add-on feature. You must contact them if you receive the message below and you want to issue refunds to patron's credit cards.

        Your Moneris merchant account and/or your Store ID may need to be setup to process Independent Refunds if you want to allow credit card refunds in Theatre Manager. Since this is entirely a dependant on Moneris and how they setup your merchant account, enabling independent refunds requires that you:

        • Contact your MONERIS REPRESENTATIVE
        • Tell them that you want to issue refunds to credit cards
        • MONERIS may ask you for additional banking information
        • Test out a refund for a small amount to ensure it works, other wise you'll get the message above

        Even if the merchant account is enabled for refunds and refunds can be performed through the web portal, Independent Refunds must be enabled for the Store ID before a refund will be accepted by Moneris from Theatre Manager.

        Should Moneris detect suspicious activity on the account they could remove the option to process Independent Refunds to protect the account from fraud. To enable this feature once more the person who setup the Moneris account will need to contact them directly. A verbal request to enable Independent Refunds will need to be made and the following information well be required throughout the call:

        • Merchant Account Number & Store ID
        • Full Business Address
        • Deposit Bank Name
        • Deposit Bank Account Number
        Once the request is complete a reference number will be provided. Moneris will telephone the contact person within a week to verify the account settings have been altered. Please make sure Moneris has the correct contact telephone number on file before completing the call.

         

        Authorize.net Installation

        Arts Management Systems provides the Authorize.net™ module to support credit card authorization. The installation is done for you on site by Arts Management training staff on any Theatre Manager Workstation.

        Authorize.net implements either user ID and password authentication over HTTPS connections to provide compliance with PCI DSS 4.1

        Please contact Arts Management to discuss the process of getting a Merchant Account from Authorize.net or use the merchant provider contact info and inform them that you will be using Theatre Manager as they are aware of the proper setup.

        After Authorize.net has provided you with a merchant account, installation is quite straightforward. Once set up, funds gets authorized as 'Card Not Present' and then deposited right to your own bank upon settlement from Theatre Manager. This account information you are provided is all you need in the merchant setup windows (in the pages that follow) to begin secure credit card authorization.

        Authorize.net needs one account set up for authorization and one for online viewing of the account data. You can set up multiple accounts for online access of the data, so some people can view data and others have more access to transactions and history.

        1. Authorize.net - uses the Merchant Portal via a web browser to "view the transactions" that have occurred. This account setup might need to be used during the End Of Day deposit process to verify transactions if you have more than 1000 authorizations between each End of Day.
        2. Merchant User ID and Password - uses Authorize.net to allow authorizations to occur and be settled but not be viewed. This information is what needs to be entered into Theatre Manager's Merchant account to allow authorizations to occur.

        The user IDs and passwords for both of the above are different and should not be interchanged or confused with each other. Follow the appropriate setup steps for each.
        After following the setup for both accounts, make sure to:

        Authorize.net contact information

        To set up Auth.net as a merchant provider, contact (in USA):


        Shannon Maher, Sr.
        Sales Manager
        National Merchant Alliance
        7415 West 130th Street, Suite #270
        Overland Park, KS 66213
        (913) 906-9595
        smaher@nmainfo.com

        Authorize.Net Gateway Account

        The User ID and Password setup is arranged by Arts Management from Authorize.Net and is entered into the Setup --> System Tables --> Merchant Accounts window as below:

        Software Type

        The following values are set on the software type tab per the diagram below:

        • Set the server software to be Authorize.net
        • The merchant provider will automatically be set for you
        • The merchant number is for use on ticket faces and for contacting Authorize.Net support.

         

        Connection Info

        The following entries are set on the Connection Info tab per the diagram below:

        • User/Server ID - provided through Authorize.net. The user ID remains constant for the life of the account and is generally an MD5 version of your main account UserID
        • Password - the password is auto generated for you. You can change it via the online interface to generate a new 'secret' key. If you do that, you can expire your old password right away or allow both old and new to co-exist for up to 24 hours.
        • Primary URL - is always secure.authorize.net/gateway/transact.dll and is used for authorization only
        • Secondary URL - is always api.authorize.net/xml/v1/request.api and is used during the settlement process.
        • Port - is always 443

         

        Merchant Profiles

        The following entries are set on the Profiles tab per the diagram below if you are going to use merchant profiles and have an agreement with your merchant provider:

        • Enable Profiles - set to Active if Merchant Profiles will be used.
        • Profiles API Login Key - not required. Authorize.Net uses the same connection information from the Connection Info tab.
        • Profiles API URL - is always api.authorize.net/xml/v1/request.api
        Refer to Merchant Profiles for further information on functionality.

        Testing Authorize.net

        After setting up the Authorize.net in the Merchant Account setup, you will need to test that it works. The best way to do this is:
        • Find yourself in the database or create a new patron for yourself
        • Create a new order and attempt to buy a ticket or Gift Certificate
        • On the payment window, select the credit card you want to use and do a test authorization
        • If you get an authorization with a message indicating AVS match and/or CVV2 match, then the setup is correct
        • Log in to your Authorize.net Online Merchant Account and view the batch to see that your transaction is there
        • In Theatre Manager, void the credit card payment and then confirm in the Online Merchant Account that the charge is marked as void

        Trouble Shooting


        Authorization Response looks like HTML or XML

        If you get an authorization response that:

        • looks like it is HTML or XML and indicates that it was not authorized:
        • specifically indicates that the API key is wrong
        then your User ID/Password is probably wrong. Please verify it and copy it into Theatre Manager.

         

        If you merchant account still doesn't authorize after verifying it, log in to the Authorize.net Online Merchant Account and
        • Click on 'Account' button at the top.
        • Click on the MD5 hash at the middle of the screen
        • Get a new MD5 hash key (API Key) for your account and put it into the merchant setup screen - connection info tab under the password
        • Try to authorize a card again


        Error on Settlement

        If an error occurs during the initial part of settlement, you may not have the 'Transaction Details API' enabled. If this occurs, log in to the Online Merchant account and then

        • Click on 'Account' button at the top.
        • Click on the Transaction Details API link
        • Enter the answer to your 'secret question'
        • Click Enable Transaction Details API button if it is not already enabled

        If issues persist, contact Arts Management and let us know so that we can help get it corrected.


        Authorization Number: 000000

        When processing a test charge, if you get an Authorization Number: 000000, this means the account is still in TEST mode at Authorize.net. Log into your Authorize.net account, and change the setting from TEST mode to LIVE mode.

        Specific Authorize.net Account Settings

        There are some specific settings that we recommend are made in the Authorize.net online interface, or applied for and added to your account to make daily processing easier on your staff members. These are:
        • Apply to Authorize.net to allow unrestricted refunds for your venue.
        • Enable transaction details so that Theatre Manager can obtain batch information and allow End of Day settlement.
        • Specify the sweep time where Authorize.net takes completed End of Day transactions and moves them to the bank.

        Setting Transaction IP Velocity Filter

        Authorize.net allows you to define the number of transactions received from the same IP address within the course of an hour. The default value in the gateway is set to 10 transactions per hour. This setting, while helpful for fraud detection, does not take into account the number of transactions processed at the box office and needs to be increased.

        1. Open your online gateway to Authorize.net and select Fraud Detection Suites in the right column.

        2. Under Card Testing Settings select Transaciton IP Velocity Filter

        3. In the Transaction IP Velocity Threshold section of the page increase the Allow transactions from the same IP address per hour value.

          This value should be set based on the number of transactions your organizations processes in the office per hour during peak sales times. Depending on the size of your organization this may mean 50, 100, or possible 500.

        4. Click the Save button at the bottom of the window.

        Transaction Receipt Email

        Authorize.net sends an email to the Gateway user for each payment processed through the account. This feature can be disabled using the steps below. You will be required to

        1. In the Authorize.net Gateway select Account at the top of the window.
        2. Select User Profile in the left column and click the Edit Profile Information button under Profile and Security Settings.

        3. Under Transaction Emails remove the check next to Transaction Receipt.

        4. Scroll to the bottom of the page and click the Save button.

        Clicking Save will generate a pop-up window asking to send a verification pin to the email address on the account. Follow the steps and add the pin to complete the process.

        Authorize.net Address Verification Settings

        There are settings on the Authorize.net interface that need to be set up/changed - or you can get address mismatch or rejection issues. If you suddenly find you are getting a lot of rejections for credit card authorizations due to AVS errors, please verify your settings in the authorize.net portal.

        To set these parameters, you perform the following steps:

        1. Open your online gateway to Authorize.net and choose Account >> Settings.

          The main Settings window opens.

        2. In the Security Settings section, click on Address Verification Service.

          The following window displays.

        3. Ensure the following settings are enabled:

          General AVS Responses

          B - Transaction was submitted without a billing address
          E - AVS Data provided is invalid or AVS is not allowed for the card type used
          R - The AVS system was unavailable at the time of processing
          G - The card issuing bank is of non-US origin and does not support AVS.
          U - The address information for the cardholder is unavailable
          S - the US card bank does not support AVS

          Address and Zip Code Resources

          N
          A
          Z
          W
          Y
        4. When complete, your page will look like the following:

        Allowing refunds with Authorize.net

        In order to process refunds in a separate batch from the original transaction (which is how most refunds occur), clients will need to download Authorize.net's Expanded Credit Capabilities form:

        http://www.authorize.net/files/ecc.pdf

        NOTE: You do not need this feature if you typically refund money against the original order within 120 days of purchase and up to the original authorized amount.

        An occasional refund needed that is past 120 days can be accomplished via the Authorize.net web interface.

        Only apply for this feature if you constantly need to refund money outside the original order and/or outside 120 days (and don't wish to refund to a gift certificate for store credit.

        Once the form is filled out, faxed back to Authorize.net, and processed by Authorize.net's customer support team, clients will be able to process refunds through Theatre Manager - sometimes within hours, sometimes up to 2 days later. The sure way to know is to check the status of your Expanded Credit Capabilities.

        To check the status of your Expanded Credit Capabilities, you can look directly within the gateway for your Authorize.net account.

        1. Go to the home page
        2. Click on the Merchant Profile link on the left hand side
        3. A series of settings will appear, including 'Additional Services.' The Expanded Credit Capabilities should read 'Enabled."

        This is only for processing refunds in a separate batch, after the End of Day deposit has been done for the original charge. In cases where the card is to be refunded before settlement, users should instead Void and Delete the payment in Theatre Manager. Then the tickets can be refunded to clear the order balance that will be created when the payment is voided. There is no additional setup required through Authorize.net in order to process voids.
        Refunds are processed immediately by Authorize.net. YOU CANNOT VOID A REFUND

        If you fail to settle a batch containing a refund before the Authorize.net sweep time, you will receive a warning during the End of Day that the batch may be out of balance (even if it is not).

        It is also important to note that the ECC form will allow users to run a refund in any amount to a card without matching up the refund amount to the original charge. Because of this, there are a couple of important considerations:
        • Clients may want to limit who can do refunds in Theatre Manager through their Employee Access settings.
        • Clients may also be cautious with whom the Virtual Gateway login and password is shared as users could run refunds directly from within that interface.

        Enabling Transaction Details API in order to settle during End of Day

        There is a setting inside the Authorize.net Virtual Terminal that will need to be enabled in order for Theatre Manager users to settle batches using the End of Day Wizard.
        1. Log into your Authorize.net account
        2. Select the Account button at the top right of the toolbar
        3. Choose Settings from the Menu at the left
        4. Select the Transaction Details API option under Security Settings
        5. You will be prompted to enter your secret question/answer that you set up when you created your account. Then click the Enable Transaction Details API button
        6. You will be taken back to the main Settings screen. To check that the settings have taken effect, go back to Transaction Details API
        7. When enabled, your screen shows you an option to Disable as below (do not do this).
        8. You will now be able to settle through the Theatre Manager End of Day Wizard. For more information about the Wizard, click here.

        Setting the Sweep Time for Settlement

        As explained here, Authorize.net sweeps (or settles) all transactions once a day to the client's bank account. This Sweep Time, or Transaction Cut-Off Time, is set directly in the Settings for the client's Authorize.net account.
        1. Sign in to the Authorize.net interface
        2. Choose the Virtual Terminal option at the left

        3. Choose the Transaction Cut-Off Time option under Business Settings.

        4. You'll see the current sweep or settlement time in the middle of the page (3:00 PM PDT in the example). Change the time using the drop down choices at the bottom of the page and click Submit. Our recommendation is to set this time sometime between 12AM and 4AM local time.

        Authorize.Net Troubleshooting

        If you are having issues with credit card authorization using authorize.net, there are a few things that can assist.
        • The official status for Authorize.net web site
        • The developer web site which may indicate some troubles before the official status site
        • The debug option in the merchant set up which can be used to show the raw data for the request sent to authorize.net and the response received from their servers.
        • Make sure your Authorize.net API key is correct in Theatre Manager - you may want to test your account again and/or follow the setup procedures to verify your account info is entered properly

        Elavon (private) Installation

        The Elavon-Private Merchant account was written to process payments using Elavon as the processor and working in conjunction with an existing customized interface. This is only available to certain municipal organizations in Florida.

        This section of the online help contains details on how to configure a Merchant Account in Theatre Manager to process payments, refunds and settle a batch using this interface.

        The information that Theatre Manager requires from Elavon setup will be:

        • Agency ID: xxxxxxxxxx
        • Admin ID: xxxxxx
        • Password: xxxxxxxxxx
        • Primary URL for authorizations:
        • Port #: 443

        The Agency ID, Admin ID and password will be sent in a document from Elavon. That document will also contain instructions for you to log in to the Elavon online gateway to activate your account. The Primary URL should be obtained from the IT company that setup the customized interface.

        Elavon Gateway Setup

        The Elavon Merchant Account information is obtained from Elavon. The Primary URL will be provided by the IT company that created the custom interface. This information is entered into Theatre Manager under Setup >> System Tables >> Merchant Accounts.

        Software Type

        The following values are set on the Software Type tab per the diagram below:

        • Enter an Account Name for the Merchant Account.
        • The Status Active, At the Box Office and By the Web Listener boxes should both be checked.
        • Set the server software to be Elavon-Private.
        • The merchant provider will automatically be set to Elavon (NOVA).
        • The Agency ID is provided by Elavon and will need to go into the Agency ID field - enter in the Agency ID (not the merchant number) for the Elavon account which is typically 6 digits.


        Connection Info

        The following entries are set on the Connection Info tab per the diagram below:

        • An Admin ID will be provided by Elavon and is required to process refunds using this merchant account. This is a mandatory field in the Merchant Account Setup.
        • The Password is also provided by Elavon and is required to process refunds. This is a mandatory field in the Merchant Account Setup.
        • The IT company that created the customized interface will proved the Primary URL.
        • The Port will always be 443. Payments, refunds and batch settlement will all be processed using this port. Local work stations that need to process payments will need this port open for communication.


        Authorization

        For fraud prevention, Elavon accounts in Theatre Manager will be automatically set up to send address info and Track II data. Verify the Authorization tab matches the image below.



        Merchant Profiles

        Due to custom interface limitations that may exist in a Private Installation, Merchant Profiles are unavailable for Elavon (Private Installations).

        The following entries are set on the Profiles tab per the diagram below:

        • Enable Profiles - disabled feature. Merchant Profiles are unable for Elavon (Private Installations).
        • Profiles API Login Key - not required. Elavon uses the same connection information from the Connection Info tab.
        • Profiles API URL - not required. Elavon uses the same the connection information from the Connection Info tab.

        Refer to Merchant Profiles for further information on functionality.

        Activating your Elavon Payment Gateway

        This page is under construction

        Switching Merchant Accounts: Employee and Card Setup

        Switching from One Merchant Provider to Another

        On the Merchant Setup window (see Merchant Account Setup), the final bit of setup is to determine which employees and which payment methods are associated with this merchant account.

        • To assign employees to this merchant account, click on the Employee tab and find the employees to assign. In a multi-merchant setup situation, drag only those employees that will use this merchant account as the default.

          While some employees may have permission to use multiple merchant accounts, viewing their name here means this is the default merchant account assigned to them for charging cards. If the employee wants to use another merchant account, they will need to select it on the payment window.

        • Click on the Card tab to select which credit card payment methods are associated with this merchant account.

          If you need to have multiple merchant accounts and both are to take Visa (for example), you will need two Visa payment methods and assign one of them to each merchant account.

        Any future dated 'post dated payments' associated with the card you drag to another merchant provider will automatically be reassigned to authorize on the new merchant provider card network.

        When switching, you can open both merchant accounts and drag the employees from one window to the other. You can do the same for the credit card payment methods - to make the switch easy and fast.
        Linked Refunds authorized under your old merchant account are only possible if you keep your old merchant account open. This is because the tokens used by the credit card companies are specific to card #, order, patron and merchant.

        It may be wise to keep the old merchant account aroudn/inactive for 3 months or so.

        This is a non-issue if your merchant provided the ability to do Independent Refunds

        Credit Card Refund Rules

        VERY IMPORTANT: BEFORE REFUNDING PAYMENTS TO CREDIT CARDS...

        Your merchant provider dictates all rules regarding refunds to credit cards Theatre Manager does its best to determine which refund rule might apply, based on how the card was originally authorized.

        If you have difficulty with some refunds, your merchant provider is the key to unlocking the door - you can set their rules in Merchant Setup

        An HISTORICAL UNDERSTANDING of the credit card refund process and CARD FRAUD might help guide you solving some issues (along with some workarounds)

        When doing MASS REFUNDS, we recommend:
        • creating the payments as POST DATED PAYMENTS at time of refund and
        • doing the actual authorization during end of day (eg from event and dates window on the attendance tab). This helps deal with conditions like:
          • Authorization is too far in the past for linked refunds - card sits in EOD until you talk to the bank to extend the time frame
          • The card is shredded and there is no Merchant profile for the patron - so you can then get the patrons' card and do a refund after that
          • use some other method (like change to a Gift Certificate) if the refund just will not get approved. At least the patron can use that online at a later date.

        Refunds and Fraud Prevention

        How did credit card refunds originally work?

        For a long long time, the rules were simple. You needed the entire card in front of you. When sending in a request for a refund, you provided the entire card number, expiry and amount.

         

        About the Refund Rules (as we understand them today)

        Credit card providers felt that the simple rule had too much potential for fraud. And it did: bad guys with cards figured out how to create a lot of refunds and steal a lot of money.

        Each credit card merchant provider instituted one or more out of a number of rules to thwart fraud, making the refund process difficult. This generally works fine for one off refunds, but hampers the process when trying to do mass refunds to an entire event meaning it may need a lot of manual intervention.

         

        What a Mixture of Rules means for Refunds

        Some of the techniques credit card providers implemented that make the refund process difficult to navigate are below. Since the rules have been implemented over time, you may find that mass refunds might encounter one or more of these scenarios:

        NOTE: you can set which type of refund(s) your merchant provider allows in merchant setup

        If you are allowed both, Theatre Manager tries Linked refunds. If that fails, you can chose to do an independent refund on the payment window

        Independent Refunds, Payments Not Linked To An Order

        Sending the entire credit card number and expiry date is now known an INDEPENDENT REFUND. This allows a merchant to refund any amount to any customer using and card even if:
        • the amount refunded is more that the original authorization
        • the card number is different than the one used for original authorization

        An independent refund means you must supply the full credit card number and expiry. You either have this (because it is encrypted on the database) or you ask the customer for it.

        If you have shredded old cards and do not have it encrypted on the database, then you cannot do an independent refund. It will need to be a linked refund (which is generally preferable for the credit card companies)

        Bambora and Elavon (Miami-Dade) do not support this feature and only allows linked refunds

        To our knowledge, all other merchant providers support independent refunds and some require this permission to be specifically requested.

        Conditions Action or Workaround
        You must have:
        • stored encrypted credit card data in your database or
        • contact the patron to get the card number
        Verify that your PCI Settings in Default Data is PCI Schedule D, with many days of retention since last use of card.
        • The retention period must be at least as far back as you need to go since TM automatically shreds credit cards.
        • For example, if you have 180 days of retention, any card authorized before that cannot be refunded and you will need to contact the owner to get the card and re-enter it.
        • However, most cards in a mass refund should work without issue.
        • If you don't have the encrypted card data for a patron, you must contact them to get the card number to refund to
        Some merchant providers require you to sign up for INDEPENDENT REFUNDS. Contact your merchant provider to ensure that you have this feature enabled if you need to do mass refunds. You can call your merchant provider after and disable it when done.

        eg:

        • Moneris gives a distinct error if you do not have the feature.
        • Auth.net may need it enabled to correct some error conditions since their refunds are automatically settled (and can't be voided), redoing a refund would need to use Independent Refund
        End of day may appear out of balance for Authorize.net Authorize.net processes refunds right away. If you do a lot of refunds before the sweep time and settle end of day after the sweep time, you may be told that you are out of balance by what seems to be the total amount of your refunds.
        Refund rejected because card is shredded If you see a message saying that the card was rejected because no encrypted card is on file, then you are trying to do an independent refund.

        Instead, change the setting in your merchant profile to allow linked refunds first.

        Linked Refund: Merchant Provider limits refunds to xx days to same order using tokens

        This is a relatively recent fraud prevention technique implemented by some merchant providers (Moneris, Bambora, PaymentTech Orbital, and Authorize.net) to limit refunds to an amount that has previously been authorized on the card and prevent potential fraud from the wide open "free for all" called Independent Refunds

        A linked refund does not require the full credit card number. Instead, it uses a token representing a particular authorization that the merchant processor gave Theatre Manager at time of authorization.

        This is the only method of refund that can be used if you are shredding credit cards for PCI compliance.

         

        Linked Refund Rules

        Typical rules that merchant providers implemented for linked refunds

        • within xxx days since the original authorization. The default we've seen is 120 days.
        • by referencing the same order as the original authorization
        • using the saved transaction token from the original authorization (instead of the credit card data)
        • for no more than the amount of the original authorization (less any other refunds to the card already)
        This restriction seems reasonable. If Theatre Manager is able to do a refund with a prior card payment, it will. It usually works.

         

        Conditions Action or Workaround
        Refund rejected because card is shredded If you see a message saying that the card was rejected because no encrypted card is on file, then you are trying to do an independent refund.

        Instead, change the setting in your merchant profile to allow linked refunds first.

        Refund gets rejected because of age
        IF YOU RECEIVE A MESSAGE THAT THERE ARE NO PRIOR PAYMENTS...

        if you receive a message from Theatre Manager there are NO PRIOR PAYMENTS when doing a refund, the root cause is because merchant providers have been forcing venues into using linked refunds, meaning the merchant providers imposed a typical time limit of having to refund within 120 days of purchase.

        YOU MAY NEED THE LINKED REFUND AGE LIMIT CHANGED

        Each venue seems to have a different time limit and you can set it in Theatre Manager's Merchant Setup. It may work if you increase the time frame. If not, ask your merchant provider to increase the number of historic days you are allowed to process refunds. We have seen clients with limits as long as 365 days.

        Refund Rejected because it is too much In a LINKED REFUND, you can only refund the a maximum amount of the original credit card payment.

        If the patron paid with two different payments methods (eg: part in cash and part in credit card), then you will need to:

        • adjust the refunded amount to be no more than the amount available to refund on the card
        • if there is more than one cards in the list, then refund what you can to each one -and-
        • then refund the rest using a check or some other payment method.

        NOTE: If the message below indicates your merchant setup supports Independent Refunds, AND you know the entire card number, CVV2 and expiry date, you might be able try an independent refund instead.

        Refund gets rejected because it is not connected to order If there are multiple credit card payments for the order and you get this message, you may be affected by the timing of when the payment was authorized. You could have:
        • Authorized an amount many months ago, before the merchant provider instituted linked refunds - in which case Theatre Manager would not have the token available for refunding
        • Authorized an additional amount in the order for exchanged tickets which happened after the implementation of linked refunds (approximately fall 2019) - in which case Theatre Manager would have the token available for that card.

        Theatre Manager presents a list of credit cards to refund to - pick the one you want, If you try to refund too much, you'll see an error like the image below. IF this is the case, then break the refund up into smaller amounts.

        At this time, the way to refund this card is to either ask for independent refunds, or to employ a trick and:

        Refunding against Shredded Credit Cards

        In order to do independent refunds, Theatre Manger may be able to use the original encrypted credit card stored on file. However, Credit Cards can be shredded if they have passed their retention period.

        Conditions Action or Workaround
        Payments without full card data will be rejected with invalid PAN numbers

        or that card number has been shredded

        If your PCI Settings in Default Data is Schedule C, or D and the retention period for the card has expired, you might see this error.

        It means that you attempted to refund to a shredded credit card. The way to refund in this situations is:

        • Ensure you have independent refund capability
        • Call the patron and get their credit card number ending in xxxx
        • Use the following steps to change a post dated payment credit card in any location that it allows it
        • then Authorize the post dated refund in End of Day deposits or Till Balance

        Refunds accepted to a certain amount and start getting rejected

        Sometimes refunds just work during a day, then they don't.

        Conditions Action or Workaround
        You may have daily or weekly limits to the amount that can be refunded Verify with your merchant provider if there are limits. If so, then when doing a mass refund to an event:
        • Create all refunds to credit cards.
        • Do not authorize the cards at time of refund - which saves them for end of day
        • In end of day, Authorize refunds up to your limit, use the Remove button in the Deposit window to remove the rest of the refunds. Authorize the remaining refunds on subsequent days.
        You may have limits based on bank balance Verify with your merchant provider and bank if there are limits based on balance. If so, then when doing a mass refund to an event:
        • Create all refunds to credit cards.
        • Do not authorize the cards at time of refund - which saves them for end of day
        • In end of day, Authorize refunds up to your limit, use the Remove button in the Deposit window to remove the rest of the refunds. Authorize the remaining refunds on subsequent days.

        Refunds with merchant profiles enabled

        Merchant Profiles are a feature provided by some merchant providers where, during an authorization:
        • The patron provides the card data to Theatre Manager during an authorization
        • Theatre Manager sends the data to the bank and receives a UNIQUE TOKEN back
        • and the unique token can be used for all subsequent authorizations or refunds, without ever needing the card data again, making it suited for post dated payments for schedule 'C' compliance.

        Conditions Action or Workaround
        Some cards are accepted and some rejected If you have merchant profiles enabled and cards are being rejected:
        • You may not have a profile for the patron.
        Theatre Manger only creates profiles for patrons when they use a card for the first time -or- if you asked Theatre Manager to convert any encrypted card data into merchant profiles after setting the flag.

        You cannot create a profile for previously shredded card data.

        First Transaction Cannot be a Refund

        Conditions Action or Workaround
        Cannot send a refund after completing an end of day Some merchant providers instituted a policy that the first transaction after settling batches or the fraud transaction in any calendar day could not be a refund, since that might be considered the first step to fraud.

        If Theatre Manager gives you a message that it cannot process a refund as the first transaction, it may be as simple as turning ON setting that first transaction can be a refund in your merchant setup to seeing if your merchant provider still enforces this rule. If they still do, then contact your merchant provider to get that rule waived.

        End of Day Imbalance due to Sweep Time

        This condition pertains to refunds that actually worked, but causes a seeming out of balance error condition in End of Day when depositing. You may get a list of transactions that are in Theatre Manager and not in Authorize.Net or vice versa.

        Conditions Action or Workaround
        Refunds appear in Theatre Manager and not in Authorize.net
        Refunds are processed immediately by Authorize.net.

        If you do a lot of refunds before the sweep time and settle end of day after the sweep time, you may be told that you are out of balance by what seems to be the total amount of your refunds.

        See explanation why Authorize.net processes refunds right away.

        Transactions in Authorize.net but not in Theatre Manager
        Print the Audit report and refer to the help around reading the audit report and actions to take

        Refunds using Full Card Data (stored)

        Individual Refunds

        Individual refunds are easiest when you can refund to a credit card on file. This is possible if

        • You keep encrypted data in the database for all patrons by using Schedule D with a reasonable retention period -or-
        • You are using merchant profiles and a profile has been created for the patron because they used the credit card to buy something -and-
        • You are allowed to do independent refunds by your merchant provider.

         

        Mass Refunds of tickets to Events

        You can do mass refunds if you have card data stored in the database if the patrons card data meets the individual criteria above.

         

        Possible Errors doing Refunds with Full Card Data

        We recommend doing the refunds first, then authorizing during end of day. This gives you more control over the authorization process. Typical issues that can arise are:

        • Credit card rejected - you will need to call the patron
        • Independent Refunds - you might see these if they are enabled by your merchant provider.
        • Linked Refunds - you might see some of these errors if independent refunds are not enabled.
        • Shredded Card Errors - the system might create a payment for a shredded credit card. Naturally, this will be declined. The card can be entered manually during end of day.

        Independent Refunds using Full Card Data (entered)

        Individual Refunds

        Refunding using full card data means that you are able to enter the patron's credit card in full and ask for a refund. You should receive an authorization.

        Refunding with no previous card on file requires:

         

        Mass Refunds of tickets to Events

        You cannot do mass refunds unless you have card data (or a merchant profile) stored in the database. If you find that you need to refund a lot of people and have neither, you can still use the mechanisms described in refunding to an entire performance

        • The best way is by:
          • opening the performance attendance tab
          • selecting tickets to an order
          • and refund on a case by case basis (described in the above link)
        • You can refund all tickets and then create refund payments later -or-

         

        Possible Errors doing Refunds with Full Card Data entered by you

        Since you have to be talking to a patron to refund money when typing in the full card data, you are able to ask them for their card data.

        Typical issues that can arise are:

        • Credit card rejected - you will need to call the patron
        • Independent Refunds - you might see these if they are enabled.
        • First transaction is a Refund - You might be prevented from refunding as the first transaction of the day - which might need a flag changed.

        Linked Refunds using tokens within xx days

        Individual Refunds

        Refunding using tokens is like refunding using merchant profiles. It means that you can select a prior card owned by the patron on the payment window based on the last 4 digits. The payment window will appear to show a masked credit card number.

        Then submitting the refund for authorization, you are restricted to the rules of Linked Refunds. You must pick a card that belongs to the order, otherwise you will not receive an authorization.

        IF YOU RECEIVE A MESSAGE THAT THERE ARE NO PRIOR PAYMENTS...

        if you receive a message from Theatre Manager there are NO PRIOR PAYMENTS when doing a refund, the root cause is because merchant providers have been forcing venues to use linked refunds, meaning they imposed a typical time limit of having to refund within 120 days of purchase.

        In these times of crisis, each venue seems to have a different time limit and you can set it in Theatre Manager's Merchant Setup. It may work if you increase the time frame. If not, you may need to talk to the bank to have them raise the timeframe on their end as well.

         

        Mass Refunds of tickets to Events

        Mass refunds of tickets and creating payment at time of refund using tokens is currently not supported.

        You can open the attendance window and refund patrons orders one by one, selecting card as the refund method. This will invoke refund by token for that order.

         

        Possible Errors doing Refunds with Merchant Profiles

        Typical issues that can arise are:

        • Credit card rejected - you will need to call the patron
        • Linked Refunds - you might see some of these errors.

        Refunds using Merchant Profiles

        Individual Refunds

        Refunding using merchant profiles means that you can select a prior card owned by the patron on the payment window based on the last 4 digits. The payment window will appear to show a masked credit card number.

        Then submitting the refund for authorization, your merchant provider subjects you to the same rules depending on whether you can do:

        • Independent Refunds: the only difference is you are not typing the credit card and do not need to talk to the patron to get it
        • Linked Refunds: if you pick a card that doesn't belong to the order, you will not receive an authorization

         

        Mass Refunds of tickets to Events

        You can do mass refunds of tickets using merchant profiles. TM will attempt to use the merchant profile and apply an independent refund. Linked refunds are currently not supported for mass refund of tickets.

         

        Possible Errors doing Refunds with Merchant Profiles

        We recommend doing the refunds first, then authorizing during end of day. This gives you more control over the authorization process. Typical issues that can arise are:

        • Credit card rejected - you will need to call the patron
        • Independent Refunds - you might see these if they are enabled.
        • Linked Refunds - you might see some of these errors if independent refunds are not enabled.
        • Shredded Card Errors - the system might create a payment for a shredded credit card. Naturally, this will be declined. The card can be entered manually during end of day.

        USB Credit Card Swipes

        Theatre Manager supports using USB credit card swipes - which effectively are a replacement for keyboard input. The user swipes a credit card into the USB reader which translates it into keyboard input - exactly as if you typed the data.

        Installation is easy - just plug it into your computer.

        It works by reading the card information, including the track II information into Theatre Manager. Theatre Manager encrypts the credit card. It forwards the track II information to the credit card company and then promptly forgets about it - Track II data is never retained in Theatre Manager per PCI DSS requirements. A number of credit card companies use Track II information as proof that the cardholder is present and may adjust discount rates. Note also that they adjust rates for full address verification, CVV2 verification and other factors - making it equivalent to Track II authorization.

        All Service Providers operate as card not present. That means Track II information is never send to them, even if the credit card is swiped using a USB reader. The card #, plus address and CVV2 are more important and will provide competitive discount rates.

        In this case, a USB swipe becomes only an efficiency tool for data entry rather than a need for proving card present.

        Moneris has an additional option: sending card information using and external pin pad, if you wish to have those as part of your account. It allows Schedule B-IP compliance and is considered Card Present, allowing tab, chip and pin, swipe, apple-pay, etc.

        Any computer that has a USB credit card reader OR a keyboard attached to should have limited ability to connect to the internet with direct access for browsing and/or strong virus protection

        This protection is to detect any 'bad actors' in viruses which are keystroke loggers. If your machine is infected, it will send every keystroke to the 'bad guys' and this is one easy way for them to compromise credit card information, one card at a time when they are entered.

        Programming a Credit Card Swipe

        The following instructions are used to program a USB or serial ID Tech Minimag credit card swipe purchased from Arts Management Systems to work with Theatre Manager version 7 or later. If you did not purchase the swipe from Arts Management, you may need to ask your vendor how you can re-program the swipe to work with Theatre Manager.

         

        You may NOT have to program your swipe if:

        1. it only has track II programed for it, you do not need to change it (these are generally swpes that are older than 2 or 3 years). You will know this if TM never shows you the swiped name in the card name field when you swipe it.
        2. you try it and there is no issues
        3. it is made by a vendor other than IDTech
        4. it is made by IDtech and the model number is IDT3331-02U

         

        Historically, the credit card swipes from Arts Management would work out of the box. On the PC, we have found that there are timing issues with the delimiters between tracks and how Theatre Manager accepts them. So, the object of reprogramming the swipes is simply to change the delimiter between the tracks from a 'CR'.

         

        To program a credit card swipe, you will need:

        Steps for IDtech models

        • IDMB3331-02UB
        • IDMB-334112B

        1. Download the installation software to a PC
        2. When you get it on your desktop, you will need to run the executable program and it will create a folder on your desktop.
        3. Look in that folder and run the 'Setup.exe' program that you see in the picture to the right.
        4. After you have installed the program, go to:
          1. Start Menu
          2. Program Files
          3. Mag Swipe Configuration Utility folder
          4. pick the Mag Swipe Configuration Utility application as per the side picture.

         

         

        Before starting, plug in the Credit Card reader into the computer.

         

        When you start the application, you will see some choices down the left side. The first step is to click the 'Select Reader Interface'

         

         

        The screen will change. Pick the interface for the swipe you have by clicking the little 'blue' dot until it turns into a checkmark.

         

        For most, this will the the USB interface

         

        For some, it will be the serial interface.

         

        Then click 'Continue'

         

         

        After clicking done, click the 'Change Basic Reader Settings' Swipe Setup

         

        The window will change an there are a number of tabs across the top in this option. Do not change anything else unless advised by Arts Management Systems.

         

         

        Click on the 'Track Settings' tab at the top and the screen should look similar to the left.

         

        Click on the 'Track Separator' field.

         

        Type a '~' into that field. On most keyboards, this will be on the upper left area and you likely will have to hold the shift key to get it.

         

        When the screen looks like that on the right, click 'Send to MSR'. The credit card swipe should beep.

         

        When that is done, click 'close' on this screen.

         

        Click Exit.

         

         

        If you have more than one swipe, unplug the first one from this machine and then plug the second one in.

         

        Repeat the steps above until all are programmed.

         

        Test the swipes with theatre manager on the patron payment window.

         

        Schedule A/B/C/D Compliance - Self Assessment Questionnaire

        The Self Assessment Questionnaire (SAQ) is a self-validation tool for merchants who, because of transaction volume or other criteria, are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level. Source: PCI 3.0 quick reference guide

        The PCI council has established 4 main levels for merchant compliance; schedules 'A', 'B','C' or 'D' with some variations at each level. You can use the table to the right to help determine the level that applies to your organization below.

         

        Compliance Summary

        Theatre Manager can achieve compliance for

        • schedule 'A' using Moneris Hosted Payment Page and only web sales with no card holder data storage
        • schedule 'B' or 'B-IP' if using pin pad machines for walk up and using Moneris Hosted Payment Page for web sales with no card holder data storage
        • schedule 'C' using a setting in System Preferences for venues processing cards through TM for both box office and e-comerce -and- no storage of card holder data
        • schedule 'D' using a setting in System Preferences for venues processing cards through TM for both box office and e-comerce -and- storing cardholder data for any purpose such as recurring transactions and post date payments.
        • schedule 'A-EP' Merchants using hosted payments for web sales like Moneris

         

        Compliance Levels

        The inherent nature of the ticketing business with a combination of walk up, phone and/or internet sales means that Theatre Manager (or any other ticketing system for that matter - hosted or non-hosted) probably results in Schedule 'C' or 'D' compliance when card data is stored. Per the table above, Schedule 'A' may be possible for venues using Moneris Hosted Payment Page and e-commerce only. Schedule 'B' may be possible if using point of sale terminals and no card holder data storage.

        • Schedule "A": means that credit card information is never touched, stored or processed within an organization. This is possible for organizations doing web sales using a hosted payment page (eg Moneris Hosted Payment Page. If phone or walk up ticket sales by credit card are entered to a pin pad terminal, it may allow you to stay at Schedule 'A' or move you to Schedule 'B' - please talk to your PCI assessor.
        • Schedule "B": could apply to merchants who only use point of sales terminals at box office and do not store any card data:
          • Schedule 'B' Those who do not use electronic processing and write credit card slips by hand apply to this level. Those that use stand alone DIAL UP terminals to process credit cards may also apply. DIAL UP means that the standalone POS terminal is not connected to a processor until an authorization is required. Not applicable to e-commerce channels.
          • Schedule 'B-IP' Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
        • Schedule "C": means that Theatre Manager will render the cards useless by shredding them after use and never storing the data in the database (voids are done by sending a token, refunds may need the card entered again). If you do not want credit card information onsite, please select this option and select a merchant provider from one of the Direct Credit Card Processors.

          This also changes the scope of which part of the system is needs to be included for PCI reasons.

        • Schedule "D": means that you wish to store some or all credit card data using strong encryption for a period of time. Possible uses are for recurring credit card transaction for monthly donations, or the need to refund to a patron if they are displeased with the show. If you chose this option, you can also chose how long to store data for previously authorized cards. After this 'Retention Period', all credit cards are shredded doing a deposit (end of day process) unless still required for a future post dated payment, or it has been specifically marked as retain permanently under the patron record.

         

        Shredding Credit Cards

        Theatre Manager can implement either Schedule "C" or "D" for the SAQ - the choice is yours. You can define a retention period for credit card information in Theatre Manager on the System Preferences on the PCI Security Screen before it is 'shredded' per PCI DSS standard 3.1
        A card is stored in the database is only contained in one table/field called fCreditCards.CD_CARD_NO. There are no other permanent or temporary locations where it is stored. The card number can be removed using the shred feature. PCI DSS standard 3.1

        Notes:

        • A shredded card is stored in the database as '#### **** **** ####'. This renders the PAN useless for all purposes. However, if given the first 4 and last 4 digits of any card, you can still search for and find the patron who used a card starting and ending with those digits (the card, of course, will not exist in the database).
        • Schedule "D" compliance with about 120 days of retention is sufficient for most venues, especially if you are using post dated payments or may have to deal with refunds for cancelled events
        • Schedule "C" compliance means that no card information will every be stored in the database. It means cancellation of an event will need the customer service team to call a patron to get the card to process a refund, or to convert any refund to patrons to store credit such as a gift certificate.

        Reencrypting Credit Cards

        Credit cards stored in a database must be encrypted using a key that is distinct to the venue per PCI DSS standard 3.6. This must occur:
        • Immediately after the initial implementation and data conversion has taken place
        • on a minimum of an annual basis. If the procedure is not invoked manually, it will be done automatically during any upgrade.
        • if there is any suspected security breach at the organization
        It can be invoked manually by using a button on the System Preferences on the PCI Security Screen to re-encrypt cards.

        CVV2 requirement and possible effect on post dated payments

        Your merchant processor may be set up to require use of CVV2 - which is a setting you may wish to turn off in their online portal, if you follow the steps below.

        Theatre manager cannot store the CVV2 data per the PCI council.

        The chart on the right indicates which data can be stored and it is explained further in PCI Requirement 3 rules.

         

        Since the vast majority of credit card transactions are real time with a CVV2, most venues will see limited effect for 99% of credit card authorizations:

        It will affect:

        • situations where the credit card provider is down or unreachable - a rare occurrence which does happen
        • authorizing existing post dated payments and recurring donations
        It may affect:
        • Mail order - since your customers should not write the CVV2 on any form you send to them to remain PCI compliant.

         

        Set your MERCHANT SETUP to NOT require CVV2 in their ONLINE PORTAL

        Theatre Manager does not store CVV2 data (per PCI compliance). It cannot send CVV2 for post dated payments. You have two ways to address this:

        • Turn OFF CVV2 requirements for your merchant account AT THE BANK
            Log in to your ONLINE merchant profile and
          • Turn off CVV2 requirements at your merchant
          • Leave CVV2 as a requirement in TM's merchant setup
          • Authorize the post dated payment in end of day.
          • This means TM will send one if it has one (for first time authorizations), and the bank will accept a charge if it does not (post dated payments)
        • Use Theatre Manager's Merchant Profiles feature. (note: do not use this feature for Moneris)
          • This is a feature where you initially send all the credit card data to the bank
          • The bank returns a token to Theatre Manager, which is stored in the database
          • From that point on, Theatre Manager will use the token for post dated payments, eliminating the need to store the credit card
          • This works because the token uniquely identifies the merchant (you), the patron, and a specific card.

         

        Setting Theatre Manager to Require CVV2

        Please confirm the following three settings for your venue:

         

        Effect of CVV2 on Emergency Mode

        Theatre Manager's Emergency Mode was designed for situations where the credit card company's processing was down or not available. This requirement for CVV2 (plus the inability to store it) means that the Credit Card companies prefer Real Time Authorizations.

         

        Note: if a card is declined for lack of CVV2 after emergency mode is tuirned off, it likely would have been declined anyway. you'll need to call the patron to get the CVV2 # when your services come back.

         

        Effect of CVV2 on Post Dated Payments

        If you can make one post dated payment work (without CVV2), then they will likely all work. Theatre Manager does not store CVV2 data (per PCI requirement 3.3).

        A alternative is to explore merchant profiles as mentioned above (do not do this for Moneris)

         

        How will Theatre Manager respond to Post Dated Payments?

        We have felt for a long time that the unstated direction of the bank industry was elimination of card data storage at a merchant. It is fortunate that we anticipated this as have a project underway to migrate patron card information to the bank and use tokenization instead. Effectively, this means:

        • When a patron use a card for the first time, TM will direct your merchant processor to store the card data and provide Theatre Manager a unique token for that card
        • If you are setting up post dated payments, TM will then refer to the patrons token at the bank for future authorizations - which is consistent with the Bambora statement

         

        How will switching merchant providers affect Tokenized Post Dated Payments?

        If the post dated payment token is stored at the merchant processor and is unique to your merchant account, it adds a step when switching from one merchant provider to another. You will need to keep your old merchant account active until all future post dated payments set up for your original merchant provider are completed and authorized.

        Adjusting Security Settings

        There are some settings in Theatre Manager that a venue must examine during installation and may need to be changed for PCI standard 8.5 compliance.

        If you are upgrading from a demo version of TM, some of these settings were optional to facilitate the purposes of a demo and need implemented for a production system.

        Minimum Password Settings for All Users

        For PCI compliance, a user MUST:
        • be required to enter a password to access Theatre Manager -and-
        • have their own user id and password to track access within the database -and-
        • ALSO have a unique logon to access the computer prior to accessing Theatre Manager that is PCI/DSS compliant.

        Ensure that the minimum recommended settings are met and increase the security as you see fit. If the minimum recommended settings change, Theatre Manager will automatically update the current settings to any more current minimum during any upgrade.

        The steps to increase security strength are:

        • Log in as Master User (this System Administrator account is only person with access to System Preferences)
        • go to 'Setup->System Preferences'
        • click on the 'Security' Tab. The minimum recommended settings are below.
        • Click on the 'Use PCI Card Industry Standards' to reset all password settings to the minimum acceptable standards.
        • Make any adjustments you wish to the policies such as requiring longer passwords, or increasing the minimum number of unique passwords before a repeat password can be used.
        • Close the window to save the changes.

        Changing User ID's

        (optional step)

        If you wish to implement login by user id in addition to password, the change all the user id's in the system to a scheme that is suited to your network security needs. Since you will be logging in with a User Id and Password, it can be a good idea to make user names more difficult to determine.

        To change user names and password settings, repeat the following steps for all users EXCEPT the Master User:

        • go to Setup->Users & Access->Employee List
        • Click the 'search' icon (the magnifying glass) or hit enter to see a list of users
        • Double click on the name in the list to change
        • Click on the 'Access' Tab
        • Click on the 'Access Id' field and change that to something suitable for the employee
        • Make sure the Logon Level selection is either 'No Access' if they are not allowed to use the system -or- 'Normal' if they are allowed to access the system.
        • If the user can log in, click the 'Set Password' button and assign them an initial random password (or have the user type in their own). It is not necessary to know or record each users password - in fact we recommend that you do not write those down. If a user forgets their password, you can always re-assign a new one here.
        • If user's access to parts of the system is similar to another users, you can use the 'Copy Access' button to make them like each other. You may wish to create a template for some of the important job functions that make copying easier.

        Verify Credit Card Access

        You must at least visit the 'Functions' tab and make sure that any of the privileges that say 'Credit Card' in the second column are all unchecked to start with. Then enable those that you wish the user to have. Creating any new normal user will default to a 'deny-all' setting per PCI DSS 7.2

        All existing users can be easily reset to the 'deny-all' at one button click (see below)

        Click on the 'Data' and 'Functions' tab and make any changes to the employee's access that you wish. To reset this employee to the standard 'deny-all' access to credit cards, click the lock on the toolbar. Two you may consider overriding relatively safely are:
        • 'Allow empty CID even if required for credit card payments'. If this is unchecked, the user must ask the customer for a CID/CVV2 number on the back of the credit card if it is required for the credit card type or by the processor. If your service provider does not accept or check CVV2 data, you may need to check this. You may also want to check this for at least one of the box office supervisory personnel who can then provide an operator over-ride to any other user if need be.
        • 'Able to Search for Patron using a card number'. This should be checked for a finance position or a box office supervisor so that a patron can be found when all we are given is the credit card number - such as in the case of charge backs. When searching for a patron by credit card, only the first 4 and last 4 digits in the care are required for a search.

        You can do reset all employees with non-administrative access at one time by selecting them all on the list of employees and clicking the 'PCI' button.

        Change the Master User Password

        There should only be one 'Master User' account.

        Per PCI requirements, this password for this account must be changed at the initial installation of Theatre Manager by the venue so that it is something unique to the venue.

        No user of Theatre Manager is required to have these privileges in order to use the system - except to create another user account. If any user is set as a Master User for the duration of the installation process, those privileges should be revoked per PCI compliance.

        • Find any user with Master User access using Setup->Employees and Access->Employee List
        • Click on the 'Access' tab
        • Make sure that the 'Logon Level' is 'Master User' for only one administrative account. Change all others to normal users.
        • Click 'Set Password' and give this special user a unique password. You will be asked to confirm the current password before you are allowed to change the password.
        • You may want to log out of theatre manager and then log back in as the special 'Master User' account before continuing - just to make sure you have the user id and password set.
        • This is one user id and password combination that you do wish to record on a paper and put in a sealed envelope in your safe with instructions to open under emergency only.

        PCI DSS Cross Reference/Index

        This section indicates where to find information about selected PCI DSS requirements in the Theatre Manager installation documentation. The purpose of this section is so that you can look at a PCI requirement and then view where in our implementation documentation this is referenced.

        The PCI Security Council supplies a document to merchants that provides a Prioritized Approach to PCI compliance. This document is quite good because it breaks down the standards into 6 milestones - what to do first, what to do second, etc. according to what will have the biggest impact in safeguarding your customer data.

        Following the document and this index should help you address that most important PCI implementation standards quickly.

        Source: PCI Prioritized Approach

        Build and Maintain a Secure Network

        In the past, theft of financial records required a criminal to physically enter an organization’s business site. Now, many payment card transactions (such as debit in the U.S. and “chip and pin” in Europe) use PIN entry devices and computers connected by networks. By using network security controls, organizations can prevent criminals from virtually accessing payment system networks and stealing cardholder data.

        Requirement 1: Install and maintain a firewall

        Install and maintain a firewall and router configuration to protect cardholder data

        Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.

        A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

        All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

        Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.

        Section PCI Requirement Comments Provided by Artsman Cloud
        1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months. You will need a hardware router to protect your network.

        However, if you need to set up firewalls on computers themselves, the built in firewall on windows is very flexible. On OSX, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the OSX PF firewall.

        YES
        1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
          YES
        1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks Refer to Recommended Network Diagram and adapt as neccessary N/A
        1.1.3 Current diagram that shows all cardholder data flows across systems and networks Refer to cardholder flow N/A
        1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone Refer to NGINX Server setup to describe DMZ with one or two router situation. SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        1.1.5 Description of groups, roles, and responsibilities for logical management of network components   YES
        1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

        Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

        Refer to Firewall rules for purpose of ports that are open. YES
        1.1.7 Requirement to review firewall and router rule sets at least every six months   YES
        1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

        Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

        Refer to Firewall rules to see the ports to open. YES
        1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.   YES
        1.2.2 Secure and synchronize router configuration files.   YES
        1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. refer to venue lan setup. Wireless is not to be used in the Theatre Manager LAN segment and should be setup carefully on another separate, isolated VLAN SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.   YES
        1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports   YES
        1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.   YES
        1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.   SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        1.3.4 Implement anti-spoofing measures to detect and block forged source IP address from entering the network.

        (For example, block traffic originating from the internet with internal source addresses).

        Use commercial grade firewall YES
        1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. Implement specific permissions as per the firewall rules SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) Use commercial grade firewall YES
        1.3.7 Place the components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. This is generally interpreted to mean:
        • The web server should be on its own machine or VM so that it can, in effect, be sacrificed if hacked. It should have really tight firewall rules managing traffic into the device and out to ONLY the web lsitener on specific ports
        • The database and web listeners could be on the same machine as long as access to each is carefully managed with appropriate firewall rules and they are not exposed to traffic from the the main firewall appliance directly
        YES
        1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

        Note: Methods to obscure IP addressing may include, but are not limited to:

        • Network Address Translation (NAT)
        • Placing servers containing cardholder data behind proxy servers/firewalls or content caches
        • Removal or filtering of route advertisements for private networks that employ registered addressing
        • Internal use of RFC1918 address space instead of registered addresses.
          YES
        1.4 Install personal firewall software on any mobile and/or employee-owned computers that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the organization's network.

        Firewall configurations include:

        • Specific configuration settings are defined for personal firewall software
        • Personal firewall software is actively running
        • Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
        These days, alll computers have one - it just needs enabled. SPLIT
        • Artsman: YES
        • Customer: Enable Firewall on Workstations
        1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.   YES

        Requirement 2: Change Vendor Passwords

        Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

        The easiest way for hackers to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings when they deploy the software. This is the same as leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools showing them what devices are on your network, can make unauthorized entry a simple task – if you have failed to change the defaults.

        Section PCI Requirement Comments Provided by Artsman Cloud
        2.1 Always change vendor-supplied defaults and remove or disable unneccessary default accounts before installing a system on the network

        This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocl (SNMP), community strings, etc.

        Change the Master User password when setting up the system.

        Change any other vendor supplied passwords as described.

        NO
        2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Theatre Manager does NOT needs wifi for operation. Refer to venue lan setup for network diagram and what to do when placing wireless devices is a separate VLAN NO
        2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted hardening standards.

        Sources of industry-accepted system hardening standards may include, but are not limited to:

        Arts Management regularly reviews industry information and implements the latest components and security patches in installers as soon as possible. SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. For example, web servers, database servers and DNS servers should be on separate servers.

        Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

        Refer to Network Diagram for components. Also, refer to postgres setup on windows servers YES
        2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system. refer to Disable SNMP service on Practical Automation Ticket Printers SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        2.2.3

        Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

        Note: SSL, TLS 1.0 and TLS 1.1 are not considered strong cryptography and cannot be used as a security control after June 30, 2016.

        Effective immediately, new implementations must use TLS 1.2 or later.

        POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

        The NGINX Server config disables all SSL protocols and enables only TLS 1.2

        Theatre Manager will connect to service providers using the latest TLS that they support and have been verified to connect via TLS 1.2 when available.

        YES
        2.2.4 Configure system security parameters to prevent misuse   SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.   SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        2.3 Encrypt all non-console administrative access such as browser/web-based management tools. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access. Theatre manager does not provide or require web based management tools

        We suggest that customer use RDC, Teamviewer or equivalent internally for remote access management.

        and that strong security be implemented similar to the password requirements for PCI compliance and use of SSH or VPN's for conection
        N/A
        2.4 Maintain an inventory of system components that are in scope for PCI DSS For Theatre Manager, this includes You may need to include other point of sale terminals that you obtained from your bank. N/A
        2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.   NO
        2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meed specific requirements as detailed in Appendix A: "Additional PCI DSS Requirements for Shared Hosting Providers." Not Applicable. Theatre Manager is not typically installed in a shared environment. N/A

        Protect Cardholder Data

        Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Organizations accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use – whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.

        Requirement 3: Protect stored cardholder data

        Protect stored cardholder data

        Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.

        Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.

        Section PCI Requirement Comments Provided by Artsman Cloud
        3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all card holder data (CHD) storage:
        • Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
        • Specific retention requirements for cardholder data
        • Processes for secure deletion of data when no longer needed
        • A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements
        Theatre Manager provides automatic retention and shredding capability which removes stale card information based on a retention period and/or usage for recurring transactions.

        We generally recommend a maximum of 30 days for card retention, and this is only for future authorizations to supplement the original sales in case of changes. See below for post dated payments and/or which do not factor into the retention period.

        There is an option to never store card information allowing a venue to implement either Schedule C or D compliance. For web Sales you can even implement Schedule A if using Moneris hosted payment.

        Venues that occasionally refund to cancelled concerts do not need to store credit card data specifically for that purpose. All providers currently support linked refunds - meaning they refund to the same order and card using tokens, without needing card data stored in the database.

        Post dated payments cause a card to be retained until the last automatic payment is processed, after which it is deleted.

        Cloud only permits
        • Schedule A-EP - using Moneris Hosted Payments
        • Schedule C - keep no card data
        • Schedule D - with one day retention for post dated payments only
        3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process

        Sensitive authentication data includes the data as cited in the following requirements 3.2.1 through 3.2.3

        Refer to PCI compliance statement on PAN etc.

        Should the end user put credit card data into any text field (against recommended practice), Theatre Manager offers an option to search the database for possible entry of credit card numbers in non-payment text fields.

        NO - Customer must occasionally search for end user entry errors
        3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

        Note: in the normal course of business, the following data elements fro mthe magnetic stripe may need to be retained:

        • The cardholders name
        • Primary account number (PAN)
        • Expiration Date
        • Service Code
        To minimize risk, store only these data elements as needed for business
        If a card is swiped, the only information retained from the swipe are the following
        • The cardholders name
        • Card number (PAN), encrypted
        • Expiration Date
        Theatre Manager has NEVER stored CVV2, mag stripe, or pin block data per PCI requirements.
        N/A
        3.2.2 Do not store the card-verification code or value (three-digit or four- digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization Theatre Manager does not store this data to disk under any circumstances - it is merely passed through to the credit card authorizer. N/A
        3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block. Theatre Manager does not support entry or storage of PIN. N/A
        3.3

        Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personell with a legitimate busines need can see the full PAN.

        Note: this requirement does not supercede stricter requirements in place for displays of cardholder data - for example, legal or payment card rand requirements for point-of-sale (POS) receipts

        Theatre Manager follows these rules. Card numbers are displayed as last four digits only and is only revealed if employee has permission - in which case it is logged.

        All reports and most windows mask PAN

        External receipt printing or web interface uses a common routine to mask the PAN immediately upon retrieval from the database so that last 4 digits only are displayed per law in most states.

        N/A
        3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:
        • One-way hashes based on strong cryptography
        • Truncation (hashing cannot be used to replace the truncated segment of the PAN)
        • Index tokens and pads (pads must be securely stored)
        • Strong cryptography with associated key management processes and procedures
        Note: it is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to the truncated and hashed version of a PAN.
        Theatre Manager uses secure high encryption for all keys and card data. N/A
        3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. Theatre Manager does not use Disk Encryption.

        It uses field level encryption for PAN.

        N/A
        3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.

        Note: this requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data encrypting keys. Such key encrypting keys must be at least as strong as the data-encrypting key.

        Theatre Manager handles creation and hiding of keys automatically. The user never sees them and cannot input them.

        Mechanisms exist for re-encryption of any currently encrypted cards in one of two ways:

        • By the user, on demand where they invoke a function to re-encrypt all card data with a new key (that they don't know)
        • By the system, if cards have not been re-encrypted within the mandated PCI time frame, Theatre Manager will start re-encrpyting them with a new key automatically

        Key encryption keys use same cryptographic specification as the encryption keys.

        NO - Customer must protect user account passwords
        3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary
        3.5.2

        Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

        • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data- encrypting key
        • Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device)
        • As at least two full-length key components or key shares, in accordance with an industry- accepted method
        3.5.3

        Store crpytographic keys in the fewest possible locations

        3.6

        Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data including the following:

        refer to re-encryption of credit cards for discussion on keys, generation and re-encryption. Any upgrade will automatically perform this process if more than 300 days have elapsed since last re-encrption.

        Split 'knowledge' of the keys is achieved by bringing together a key generated programmatically and another portion generated by the customers interfacing with the key creation screen in system preferences.

        Both keys are required to generate the final encryption key. Arts Management never has knowledge of the customers portion of the key. The customer never knows the value of any key. A key valid for one database for a period of time will not work on any other database.

        Old keys are securely deleted from the database by writing over the key value and then deleting it immediately after a new seed key is generated.

        NO - Customer must protect user account passwords
        3.6.1 Generation of strong cryptographic keys
        3.6.2 Secure cryptographic key distribution
        3.6.3 Secure cryptographic key storage
        3.6.4

        Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher- text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).

        3.6.5

        Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.

        3.6.6

        If manual clear-text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control

        for example, requiring two or three people, each knowing only their own key component, to reconstruct the whole key.

        3.6.7 Prevention of unauthorized substitution of cryptographic keys
        3.6.8 Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key-custodian responsibilities

        Venues do not know the cryptographic key.

        However, they should have a form signed by the people/person responsible for key management that they reset the key once a year at a minimum or when suspected compromise occurs. Note it will be changed automatically on you during an upgrade if Theatre Manager detects it hasn't been changed for 300 days.

        3.7

        Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.

          SPLIT
        • Artsman: This documentation and Artsman staff training
        • Customer: Training of own staff

        Requirement 4: Encrypt transmission of cardholder data

        Encrypt transmission of cardholder data across open, public networks

        Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

        Section PCI Requirement Comments Provided by Artsman Cloud
        4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
        • Only trusted keys and certificates are accepted.
        • The protocol in use only supports secure versions or configurations.
        • The encryption strength is appropriate for the encryption methodology in use

        Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:

        • The Internet
        • Wireless technologies including 802.11 and Bluetooth
        • Global System for Mobile communications (GSM)
        • General Packet Radio Service (GPRS).
        • Satellite communications
        See Direct Card Processing which all use HTTPS.

        Theatre Manager uses TLS 1.2 wherever possible to connect to credit card authorization servers for one time authorization and only allows TLS 1.2 or later for incomming web sales.

        Theatre Manager does not use any wireless communication methodologies of any form.

        Theatre Manager does not transmit any credit card information across public networks for any reason except in the process of authorization

        SPLIT
        • Artsman: Uses TLS 1.2 and TLS 1.3, when available.
        • Customer: Must ensure that all workstations support TLS 1.2+
        4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i - aka WPA2) to implement strong encryption for authentication and transmission.

        Note: The use of WEP as a security control is prohibited.

        Theatre Manager does not use or require wireless capability when transmitting any card data. Refer to venue lan setup and considerations for separate wireless access points NO - If customer is using wireless networks to access cloud services, then they must secure them appropriately
        4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.). see misc PCI requirements N/A - authorization of cards is only supported in Theatre Manager
        4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. Venues are advised during installation about this requirement including not saving CVV2 and protecting card data in a safe if written down.

        You will need write a policy on how you manually save CC data, how you track who has access to it, how you store it in a safe and/or behind locked doors.

        Make sure the policy also includes that you never email card data in entirety and card data on paper is only kept as long as you need it.

        Theatre Manager handles all transmission of data via TLS 1.2 or better (it only users the latest transmission security protocols as mandated by PCI.)

        NO - Customer must educate own staff on card handling policies

        Maintain a vulnerability Management Program

        Vulnerability management is the process of systematically and continuously finding weaknesses in an organization’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

        Requirement 5: Use and regularly update anti-virus software

        Protect all systems against malware and regularly update anti-virus software or programs

        Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business- approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

        Section PCI Requirement Comments Provided by Artsman Cloud
        5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and file servers). See specifics for SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. You must keep your anti-virus software up to date with latest definitions SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

        For Theatre Manager database and TM server, ensure those processes are the only thing running on the machine. Keep them separate from a domain server to limit who can actually log in to the server.

        Check with the vendor of other systems in use.

        SPLIT
        • Artsman: Process isolation is used extensively and services are continuously monitored
        • Customer: Workstations must be audited
        5.2 Ensure that all anti-virus mechanisms are maintained as follows:   SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

        Note: Anti-virus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

          SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.   SPLIT
        • Artsman: This documentation and staff training
        • Customer: Own staff training

        Requirement 6: Develop and maintain secure systems and applications

        Develop and maintain secure systems and applications

        Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.

        Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

        Section PCI Requirement Comments Provided by Artsman Cloud
        6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high', 'medium', or 'low') to newly discovered security vulnerabilities.

        Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

        Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk- assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.

          SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

        Note: Critical security patches should be identifies according to the risk ranking process defined in requirement 6.1

        There are two settings in Company Preferences Other Tab that enable:
        • checking daily for updates to TM processes and/or
        • automatically update affected components (optional).
        You may need to enable a specific outbound ports for update checking to www2.artsman.com.

        Refer to the list of past and present issues to assist you updating your own vulnerability assessment.

        We regularly review Postgres, NGINX & OpenSSL to provide the latest patches in each version our installers.

        SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        6.3 Develop internal and external software application (including web-based administrative access to applications) securely, as follows:
        • in accordance with PCI DSS (for example, secure authentication and logging)
        • based on industry standard and/or best practices.
        • Incorporating information security throughout the software development life cycle.

        Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.

          SPLIT
        • Artsman: Web sales and database
        • Customer: Workstations
        6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.   N/A
        6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
        • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices
        • Code reviews ensure code is developed according to secure coding guidelines
        • Appropriate corrections are implemented prior to release
        • Code-review results are reviewed and approved by management prior to release
          N/A
        6.4 Follow change control procedures for all changes to system components. The procedures must include the following:   SPLIT
        • Artsman: Theatre Manager applications, web sales and database
        • Customer: Workstations
        6.4.1 Separate development/test and production environments and enforce the separation with access controls  
        6.4.2 Separation of duties between development/test and production environments  
        6.4.3 Production data (live PANs) are not used for testing or development Only specified test cards are used
        6.4.4 Removal of test data and accounts before production systems become active  
        6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following:  
        6.4.5.1 Documentation of impact  
        6.4.5.2 Documented change approval by authorized parties.  
        6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.  
        6.4.5.4 Back-out procedures. Development uses git and branches so that changes can be reverted.
        6.5 Address common coding vulnerabilities in software development process as follows:
        • Train developers in secure coding techniquies, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory
        • Develop applications based on secure coding guidelines

        Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

        Refer to Current OWASP Top 10 SPLIT
        • Artsman: Applications and default web page templates
        • Customer: Customized web page templates
        6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws
        6.5.2 Buffer overflow
        6.5.3 Insecure cryptographic storage
        6.5.4 Insecure communications
        6.5.5 Improper error handling
        6.5.6 All 'high risk' vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
        6.5.7 Cross-site scripting (XSS)
        6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions)
        6.5.9 Cross-site request forgery (CSRF) TM server ensures all <form> have CSRF token for prevention.
        6.5.10 Broken authentication and session management Theatre Manager web services uses encrypted secure cookies that are httpd-only.
        6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
        • Reviewing public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
        • Installing an automated technical solution that detects and prevents web-based attacks (for example web-application firewall) in front of public-facing web applications, to continually check traffic

        AMS updates NGINX builds as needed (and config settings) to respond to newly reported threats.

        AMS uses SPI for all web traffic internally.

        YES
        6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.   SPLIT
        • Artsman: This documentation and staff training
        • Customer: Own staff training

        Implement Strong Access Control Measures

        Access control allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware. Logical access control permits or denies use of PIN entry devices, a wireless network, PCs and other devices. It also controls access to digital files containing cardholder data.

        Requirement 7: Restrict access to cardholder data

        Restrict access to cardholder data by business need-to-know

        To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities.

        Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

        Section PCI Requirement Comments Responsibilities on Artsman Cloud
        7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.   Artsman: web sales and database
        Customers: user access setup/permissions
        7.1.1 Define access needs for each role, including:
        • System components and data resources that each role needs to access for their job function
        • Level of privilege required (for example, user, administrator, etc.) for accessing resources
        Access to various data can be set on a per user basis in Employee Access Customers: user access setup/permissions
        7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. Creating a user in Theatre Manger defaults to minimal access to card data/ and/or functions. Users are advised to only use the administrator account on a rare-need to administer the system basis. Customers: user access setup/permissions
        7.1.3 Assign access based on individual personnel's job classification and functions   Customers: user access setup/permissions
        7.1.4 Require documented approval by authorized parties specifying required privileges   Customers: user access setup/permissions
        7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

        This access control system must include the following:

           
        7.2.1 Coverage of all system components Refer to employee settings and function access for credit cards Customers: user access setup/permissions
        7.2.2 Assignment of privileges to individuals based on job classification and function Customers: user access setup/permissions
        7.2.3 Default "deny-all" setting Customers: user access setup/permissions
        7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.   Customers: user access setup/permissions

        Requirement 8: Assign a unique ID to each person

        Assign a unique ID to each person with computer access

        Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.

        The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.

        Note:

        • These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance).
        • However, Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

        Section PCI Requirement Comments Responsibilities on Artsman Cloud
        8.1 Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows: Theatre Manager implements PCI standards. You may need a manual process for other applications or hardware. Customer: via Theatre Manager
        8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
        8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.  
        8.1.3 Immediately revoke access for any terminated users.  
        8.1.4 Remove/disable inactive user accounts within 90 days. Refer to the PCI Security Tab in System Preferences for settings. Theatre Manager enforces stronger password policies than the minimum PCI standards.
        8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
        • Enabled only during the time period needed and disabled when not in use.
        • Monitored when in use.
        Theatre Manager uses Teamviewer for one-time access, granted as needed.
        8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. Theatre Manager limits incorrect password attempts to a total of 6 since the last successful attempt and locks out the account on failure.
        8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. Lockout duration in Theatre Manager is permanent. Locked out employee must be re-instated by administrator.
        8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. Theatre Manager has two timeouts. After 15 minutes of inactivity, the user will see a lock screen and need only put in their password again to continue.

        There is a longer timeout in Company Preferences->Reports where you can specify when an idle user will be forced log off the system.

        The process is:

        • After 15 minutes, lock the screen and require a only a password to continue. This means any sales in progress or reports on screen will not be closed and are available once you enter your password after 15 minutes
        • After the longer timeout, quit Theatre Manager completely.
        In addition to the feature built into Theatre Manager for auto log out, you are encouraged to use the screen saver provisions that require passwords after the screen saver is activated.
        8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
        • Something you know, such as a password or passphrase
        • Something you have, such as a token device or smart card, specific IP, key access to a locked room
        • Something you are, such as a biometric
          Customer: password via Theatre Manager, tokens and biometrics for Operating System login
        8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. Passwords are never transmitted in clear text when logging on to the database.

        User Passwords are stored in the database in encrypted format and established in PostgreSQL as a hash of that encrypted value.

        When a user logs in, the password is converted to the salted hash and that is used to login. All communication to the PostgreSQL Database is over a secure connection, currently TLS 1.2 or better.

        automatic via Theatre Manager
        8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. Only administrators are able to reset a password, reinstate an employee and/or regenerate credit card encryption keys. automatic via Theatre Manager
        8.2.3 Passwords/phrases must meet the following:
        • Require a minimum length of at least seven characters.
        • Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
        Theatre Manager enforces
        • Minimum 7
        • One upper
        • One lower
        • One numeric
        • One Special
        • No repeated characters
        automatic via Theatre Manager
        8.2.4 Change user passwords/passphrases at least once every 90 days. Theatre Manager enforces this Customer: follow Theatre Manager prompts to change password
        8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. Theatre Manager enforces 12 and that can be raised automatic via Theatre Manager
        8.2.6 Set passwords/phrases for first- time use and upon reset to a unique value for each user, and change immediately after the first use. Theatre Manager enforces change of password at time of login for first time users automatic via Theatre Manager
        8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

        Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

        Examples of two-factor tehcnologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens, and other technologies that facilitate two-factor authentication.

        Two factor authentication means something you know and something you are given. Our QSA (the auditor who assesses Theatre Manager's ability to meet PCI compliance) has indicated that Teamviewer meets that requirement when used per the instructions. The multiple factors include:
        • The user must start the application manually (it is not active by default)
        • A unique Id must be provided to Artsman by the customer
        • A single use token must be provided to ArtsMan that cannot be reused.
        effectively being 3 factors that must occur for access to be granted successfully.
        automatic via Theatre Manager
        8.4 Document and communicate authentication policies and procedures to all users including:
        • Guidance on selecting strong authentication credentials
        • Guidance for how users should protect their authentication credentials
        • Instructions not to reuse previously used passwords
        • Instructions to change passwords if there is any suspicion the password could be compromised.
        All Theatre Manager user passwords are encrypted in the database. MD5 authentication is recommended at a minimum for accessing the database (this is the default standard in the pg_hba.conf file) automatic via Theatre Manager
        8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
        • Generic user IDs are disabled or removed.
        • Shared user IDs do not exist for system administration and other critical functions.
        • Shared and generic user IDs are not used to administer any system components.
        There are no generic passwords. User ID's and Passwords are created by the user on installation. automatic as part of Theatre Manager installation practices
        8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

        Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.

        Arts Management does not require permanent remote access to your servers. Temporary access is always initiated by the customer as described in the teamviewer remote support help page. Customer: provides Local access via Teamviewed if required
        8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
        • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
        • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
          Artsman: cloud
        Customer: workstation
        8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
        • All user access to, user queries of, and user actions on databases are through programmatic methods.
        • Only database administrators have the ability to directly access or query databases.
        • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

        Access to the db is controlled by the pg_hba.conf file and it is set so that all users must log in to read data.

        The user's id for the database is set by the application and not known.

        The password in postgres is set by the application and stored encrypted. Thus, the user cannot access the database even knowing their user ID and password because it is not the same as plain-text.

        Cloud database access for users is managed through an access broker system (with revokable tokens) followed by customer user id/password

        Artsman: cloud
        Customer: workstation
        8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.   Artsman: cloud
        Customer: workstation

        PCI UserId and Password Requirements

        Theatre Manager implements fully PCI DSS compliant AES256 encrypted passwords per PCI DSS standard 8.1 and this feature cannot be changed or overridden.

        In addition, Merchants must use PCI DSS compliant passwords to access to all system components (i.e. any computer, firewall, router, etc. on the network) and these passwords must be changed from any vendor supplied initial values per PCI standard 2.1.

        Note: Do not reduce the level of authentication complexity or compliance in these other system components if it will result in PCI non-compliance.

        This means all login passwords must be:

        • reviewed and changed every 90 days. Theatre Manager will enforce password changes automatically. This must be manually done on those devices that do not force change of passwords like routers and firewalls. (PCI DSS 8.1.4)
        • 7 characters or more (PCI DSS 8.2.3)
        • mixed case consisting of at least uppercase and one lowercase letter (PCI DSS 8.2.3)
        • contain at least one number and special character (PCI DSS 8.2.3)
        • cannot be the same as an previous 12 passwords (PCI DSS 8.2.5)
        • cannot have characters or numbers repeated together
        Change all passwords from any vendor default password that might be used for installation per PCI DSS 2.1. For example, you must:
        • Change the Theatre Manager 'Master User' password when the system is installed.
        • Change the user and password on any router from anything printed in the manufacturer's documentation
        • Make sure that accessing each computer requires a password and does not 'auto-login'
        • Ensure that screen savers are implemented that require passwords to be entered whenever the screen saver is activated. Screensavers (or some other mechanism for locking computers) must activate after 15 minutes of idle time or less on all workstations and servers. Theatre Manager also has an inactivity timeout that will log people out of the application. Using both features improves security. (PCI DSS 8.1.8)

        Each user that has access to any systems in your network must have a unique user id and password per PCI-DSS standard 8.1.1

        Never use the Master User account for daily operations.

        It should only be used when creating other accounts or for other very specialized needs as directed by Arts Management Systems.

        If your network has 'master' domain server (or open directory on OSX) available that could control password authentication for all machines, please ensure that the security policies on the domain/directory server is set to enforce PCI/DSS passwords and that all machines in the network log in using authentication from the server.

        If a domain/open directory server is not available to enforce password settings, then each machine/user must use PCI/DSS compliant passwords.

        If a user tries more than 6 times to gain access to the system, Theatre Manager automatically resigns the user - which means that they are locked out permanently until manually re-instated per PCI-DSS standard 8.1.6 and 8.1.8

        Teamviewer: ArtsMan Technical Support

        Theatre Manager staff should not required permanent access to your machines, except under very specific circumstances. The remote access feature in Theatre Manager is designed for one time, permitted access.

        Remote Access/Support

        The process for actual access to the remote machine is as follows:

        • The customer must initiate a support request that involves a phone conversation
        • In that phone conversation, it is determined that a timely resolution involves connecting remotely to provide assistance
        • Arts Management confirms the identity to the customer by providing the customer with the case number they created to continue with support (PCI requirement for second authentication).
        • The customer then starts the remote assistance software by either:
          • clicking the Remote Assistance button on the toolbar after logging into Theatre Manager. It is on the right side of the toolbar as per the above image. Since you must have logged into Theatre Manager to activate remote support, It is not active by default. -OR-
          • By starting Theatre Manager and clicking the Support button on the login page as per the diagram to the right. This is useful if you are unable to log in for any purpose
        • The customer provides two keys created by Teamviewer: an ID and a random generated 8 character password (containing numbers and letters and, unique to the session) as per the image below. Both of these are conveyed to the AMS support representative.
        • Arts Management Support activates remote assistance manager and enters both keys to gain remote access
        When Remote Access is disconnected, another remote support session requires a new set of keys to be provided. The customer is in complete control of the session at all times with a visual indicator showing the connection status.

         

        How does it work?

        TeamViewer uses SSH for authentication and brokering of session keys. It communicates with the master cluster through DNS names, which delegates the brokering of the session to the TeamViewer servers. Connection to the routing server and KeepAlive server is done directly via IP addresses.

        The servers are spread across the globe and located at large data centers; their IP addresses are not organized in common subnets or IP ranges. TeamViewer continuously top scales the server network as the number of TeamViewer users grows, so it is not possible to have a fixed set of IP addresses, because this list would very soon be outdated.

        Communication is done to URLs of the format:

        • *.teamviewer.com
        • *.dyngate.com
        By default TeamViewer uses only the outgoing port 80 (HTTP) so that no firewall configuration is necessary. Alternatively you can open port 5938 (TCP) for outgoing connections if you wish to block port 80.

        Requirement 9: Restrict physical access to cardholder data

        Restrict physical access to cardholder data

        Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.

        Section PCI Requirement Comments Responsibilities on Artsman Cloud
        9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. This means locks on a computer room door or places (like box office) where people can access machines that can access card holder data. Artsman: cloud
        Customer: workstation
        9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

        Note: "Sensitive areas" refers to any data center, server room or any area trefers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of- sale terminals are present, such as the cashier areas in a retail store.

          Artsman: cloud - SOC 2 compliant data centres
        9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.

        For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.

          Artsman: cloud - SOC 2 compliant data centres
        Customer: internal network
        9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.   Artsman: cloud - SOC 2 compliant data centres
        Customer: internal network
        9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
        • Identifying onsite personnel and visitors (for example, assigning badges)
        • Changes to access requirements
        • Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
        Artsman: cloud - SOC 2 compliant data centres
        Customer: internal network
        9.3 Control physical access for onsite personnel to sensitive areas as follows:
        • Access must be authorized and based on individual job function.
        • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
          Artsman: cloud - SOC 2 compliant data centres
        Customer: internal procedures
        9.4 Implement procedures to identify and authorize visitors.

        Procedures should include the following:

          Artsman: cloud - SOC 2 compliant data centres
        Customer: internal procedures
        9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.  
        9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.  
        9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.  
        9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.

        Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log.

        Retain this log for a minimum of three months, unless otherwise restricted by law.

         
        9.5 Physically secure all media   Artsman: cloud - SOC 2 compliant data centres
        Customer: internal procedures
        9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.   Artsman: cloud - SOC 2 compliant data centres
        9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:   Artsman: cloud - SOC 2 compliant data centres
        Customer: internal procedures
        9.6.1 Classify media so the sensitivity of the data can be determined.  
        9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.  
        9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).  
        9.7 Maintain strict control over the storage and accessibility of media.    
        9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.   Artsman: automated backups, recycle and deletion policies
        9.8 Destroy media when it is no longer needed for business or legal reasons as follows:    
        9.8.1 Shred, incinerate, or pulp hard- copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.   Artsman: automated secure deletion
        9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. There is a tool on windows called Eraser that will handle this for you. On the Mac, use Secure-Empty Trash. Refer to this link for more information about using them. Artsman: automated secure deletion Customer: should ensure no local cardholder storage in spreadsheets etc
        9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

        Note: These requirements apply to card- reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

        This does not apply to Theatre Manager as it does not use card reading devices for card present transactions. Customer: protect any pin pad devices accordingly
        9.9.1 Maintain an up-to-date list of devices. The list should include the following:
        • Make, model of device
        • Location of device (for example, the address of the site or facility where the device is located)
        • Device serial number or other method of unique identification.
        For point of sale devices Customer: wokstation inventory
        9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

        Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

        For point of sale devices Customer: wokstations and /or pinpad
        9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
        • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
        • Do not install, replace, or return devices without verification.
        • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
        • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
        For point of sale devices Customer: wokstations and/or pinpad
        9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.   Artsman: Cloud
        Customer: wokstations and devices

        Regularly Monitor and Test Networks

        Physical and wireless networks are the glue connecting all endpoints and servers in the payment infrastructure. Vulnerabilities in network devices and systems present opportunities for criminals to gain unauthorized access to payment card applications and cardholder data. To prevent exploitation, organizations must regularly monitor and test networks to find and fix vulnerabilities.

        Requirement 10: Track and monitor all access to network

        Track and monitor all access to network resources and cardholder data

        Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

        Section PCI Requirement Comments Responsibilities on Artsman Cloud
        10.1 Implement audit trails to link all access to system components to each individual user.   Artsman: via Theatre Manager
        Customer: workstation
        10.2 Implement automated audit trails for all system components to reconstruct the following events:    
        10.2.1 All individual accesses to cardholder data Refer to PCI Audit Logs. Theatre Manager tracks every time a user views the entire credit card data for any patron.

        The Theatre Manager logs can be exported to your common logging tools. Refer to exporting logs to see how to accomplish this.

        Theatre Manager tracks access to card data for Customers
        10.2.2 All actions taken by any individual with root or administrative privileges Not applicable to Theatre Manager - it is applicable to your operating system. Only access to CC data is via Theatre Manager
        10.2.3 Access to all audit trails   via Theatre Manager
        10.2.4 Invalid logical access attempts Incorrect login attempts to Theatre Manager are tracked in the audit logs. via Theatre Manager
        10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges Theatre Manager tracks each log in and log out, user creations and when people are given a temporary priviledge. These transaction are of type 'A' in the database (for Audit) via Theatre Manager
        10.2.6 Initialization, stopping, or pausing of the audit logs Theatre Manager access audit logs cannot be stopped or deleted via Theatre Manager
        10.2.7 Creation and deletion of system-level objects This is not possible in Theatre Manager Theatre Manager does not allow entity deletion
        10.3 Record at least the following audit trail entries for all system components for each event: refer to PCI audit Log description via Theatre Manager
        10.3.1 User identification
        10.3.2 Type of event
        10.3.3 Date and time
        10.3.4 Success or failure indication
        10.3.5 Origination of event
        10.3.6 Identity or name of affected data, system component, or resource
        10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

        Note: One example of time synchronization technology is Network Time Protocol (NTP).

        You must allow each computer to access a respected NTP Server (network time protocol). This is typically built into the operating system and firewall rules should automatically enable this feature.

        Theatre Manager uses the time at the postgres server as the single time source for transactions across all workstations. All data istimestamped with now(), making time diferences on workstations irrelevant.

        Regardless, an alert is given to a user if their workstation does not match the server to within 30 seconds.

        Effectively, if the postgres server is set according to an NTP server; all workstations transactions are synced with the postgres server to create a unified approach to time.

        via Theatre Manager
        10.4.1 Critical systems have the correct and consistent time
        10.4.2 Time data is protected
        10.4.3 Time settings are received from industry-accepted time sources
        10.5 Secure audit trails so they cannot be altered   Artsman: SOC 2 compliant data centres with real time monitoring and logging
        Customer: Workstation controls
        10.5.1 Limit viewing of audit trails to those with a job-related need Theatre Manager logs are not sensitive in themselves due to what they track. However, after exporting them and storing them in your centralized logging facility, you will need to limit access because of the other systems you may be logging.
        10.5.2 Protect audit trail files from unauthorized modifications. You cannot modify or delete Theatre Manager logs
        10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. In addition to exporting logs, the multiple daily database backups create redundancy in the storage of the TM audit logs.
        10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN. This means things like router logs need to be stored internally.
        10.5.5 Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).  
        10.6 Review logs and security events for all system components to identify anomalies or suspicious activity Refer to exporting logs to see how to export TM access logs in excel format so that you can import to your common log server. Artsman: SOC 2 compliant data centres with real time monitoring and logging
        Customer: Workstation controls
        10.6.1 Review the following at least daily:
        • All security events
        • Logs of all system components that store, process, or transmit CHD and/or SAD
        • Logs of all critical system components
        • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
        PCI Audit Logs
        10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.  
        10.6.3 Follow up exceptions and anomalies identified during the review process.  
        10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). PCI logs are permanent in the database via Theatre Manager
        10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.   Artsman: web sales and database
        Customer: workstation

        Requirement 11: Regularly test security systems and processes

        Regularly test security systems and processes

        Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

        Section PCI Requirement Comments Responsibilities on Artsman Cloud
        11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

        Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

        Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

        iStumbler is a great little tool on the mac that is donation ware - it can find a lot of items that are broadcasting signals.

        Alternately, inspect each device that is within the card portion of the network and make sure wireless is off.

        Note: on AMS cloud servers, all network connections are physical wiring - there are no possible WIFI access points.

        Artsman: N/A - no access points
        Customer: workstations
        11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.   Artsman: N/A - no access points
        Customer: workstations
        11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.   Artsman: N/A - no access points
        Customer: workstations
        11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

        Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

        For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies

        1. the most recent scan result was a passing scan,
        2. the entity has documented policies and procedures requiring quarterly scanning, and
        3. vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
          Artsman: web sales and database scans
        Customer: workstation scans
        11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.   Artsman: web sales and database
        Customer: workstations
        11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

        Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

        Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.

          Artsman: web sales and database
        Customer: workstations
        11.2.3 Perform internal and external scans, and rescans as needed, after any significant change.

        Scans must be performed by qualified personnel.

          Artsman: web sales and database
        Customer: workstations
        11.3 Implement a methodology for penetration testing that includes the following:
        • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
        • Includes coverage for the entire CDE perimeter and critical systems
        • Includes testing from both inside and outside the network
        • Includes testing to validate any segmentation and scope-reduction controls
        • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
        • Defines network-layer penetration tests to include components that support network functions as well as operating systems
        • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
        • Specifies retention of penetration testing results and remediation activities results.
          Artsman: web sales and database tests
        Customer: workstation tests
        11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).   Artsman: web sales and database
        Customer: workstations
        11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).   Artsman: web sales and database
        Customer: workstations
        11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.   Artsman: web sales and database
        Customer: workstations
        11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.   Artsman: web sales and database
        Customer: workstations
        11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

        Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

          Artsman: web sales and database
        Customer: workstations
        11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

        Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

          Artsman: web sales and database
        Customer: workstations
        11.5.1 Implement a process to respond to any alerts generated by the change- detection solution.   Artsman: web sales and database
        Customer: workstations
        11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties   Artsman: web sales and database
        Customer: workstations

        Maintain an Information Security Policy

        A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.

        Requirement 12: Maintain a policy that addresses information security for employees and contractors

        Maintain a policy that addresses information security for employees and contractors

        As part of Theatre Manager's PA-DSS implementation process, creating a policy guide will be brought to the attention of venues desiring to be PCI compliant

        Section PCI Requirement Comments Responsibilities on Artsman Cloud
        12.1 Establish, publish, maintain, and disseminate a security policy. This relates to practices surrounding PCI Card data Artsman: Network Security Policy for Employees/cloud (ams/network-security) Customer: employees & workstations
        12.1.1 Review the security policy at least annually and update the policy when the environment changes.   Artsman: cloud
        Customer: workstations
        12.2 Implement a risk-assessment process that:
        • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
        • Identifies critical assets, threats, and vulnerabilities, and
        • Results in a formal, documented analysis of risk.
        Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
          Artsman: cloud
        Customer: Review own document
        12.3 Develop usage policies for critical technologies and define proper use of these technologies.

        Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

        Ensure these usage policies require the following:

          Artsman: cloud
        Customer: workstations
        12.3.1 Explicit approval by authorized parties   Artsman: cloud
        Customer: workstations
        12.3.2 Authentication for use of the technology   Artsman: cloud
        Customer: workstations
        12.3.3 A list of all such devices and personnel with access Arts Management allows only tools approved for use by Management on workstations. The customer is responsible for tools on their machines. Artsman: cloud
        Customer: workstations
        12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)   Artsman: cloud
        Customer: workstations
        12.3.5 Acceptable uses of the technology   Artsman: cloud
        Customer: workstations
        12.3.6 Acceptable network locations for the technologies   Artsman: cloud
        Customer: workstations
        12.3.7 List of company-approved products   Artsman: cloud
        Customer: workstations
        12.3.8 Automatic disconnect of sessions for remote access technologies after a specific period of inactivity   Artsman: cloud
        Customer: Workstations have limited login time per System Preferences.
        12.3.9 Activation of remote access technologies for vendors only when needed by vendors, with immediate deactivation after use Team Viewer is designed in exactly this manner.
        • Artsman support is trained to only ask for one time access if needed and disconnect when done.
        • The customer is required to provide the access and quit Teamviewer when a session is over.
        Customer: workstations
        12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

        Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

        All card data in the database at rest is encrypted or shredded. All card data in motion is encrypted via TLS 1.2 between machines and enforced by database connection. Reports do not show complete PAN, per PCI compliance

        Customer: responsible for local policies secure storage of paper copies of PAN data and not transmitting to patrons via email.
        12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.   Artsman: cloud
        Customer: workstations
        12.5 Assign to an individual or team the following information security management responsibilities   Artsman: cloud
        Customer: workstations
        12.5.1 Establish, document, and distribute security policies and procedures.  
        12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.  
        12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.  
        12.5.4 Administer user accounts, including additions, deletions, and modifications  
        12.5.5 Monitor and control all access to data.  
        12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.   Artsman: this document and staff training
        Customer: own staff training
        12.6.1 Educate employees upon hire and at least annually.

        Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.

          Artsman: cloud
        Customer: workstations
        12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. This can be a signed document that they have reviewed the security policy Artsman: cloud
        Customer: workstations
        12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

        Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

          Artsman: cloud
        Customer: workstations
        12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: Theatre Manager is designed so that cardholder data cannot be shared with any body. Staff do not have access to card data. Customer: workstations- inform staff not to share card data
        12.8.1 Maintain a list of service providers. We suggest placing them in Theatre Manager and adding them to a mail list called PCI Compliance contacts Artsman: cloud
        Customer: workstations
        12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

        Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

          Artsman: cloud
        Customer: workstations
        12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.   Artsman: cloud
        Customer: workstations
        12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually. Arts Management is responsible to ensure Theatre Manager is audited for PCI-DSS and approved by the PCI council. Artsman: vendor PCI DSS annually
        Customer: merchant responsibilities
        12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.   Customer: this document describes areas which Artsman is responsible
        12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

        Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include th

        • Theatre Manager provides technology to manage data securely in PCI context but does not enter or use card data, nor maintain any merchant accounts on behalf of the customers.
        • Each customer is solely responsible for engaging a merchant provider, processing all card (using Theatre Manager to assist). deciding on card data retention requirements, and maintaining policies for managing their data and merchant relationship.
        Customer
        12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.   Artsman: cloud
        Customer: workstation
        12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
        • Roles, responsibilities and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
        • Specific incident response procedures
        • Business recovery and continuity procedures
        • Data backup processes
        • Analysis of legal requirements for reporting compromises
        • Coverage and responses of all critical system components
        • Reference or inclusion of incident response procedures from the payment brands
         
        12.10.2 Test the plan at least annually.  
        12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.  
        12.10.4 Provide appropriate training to staff with security breach response responsibilities.  
        12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion- prevention, firewalls, and file-integrity monitoring systems.  
        12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.  

        License Agreement

        Copyright

        ARTS MANAGEMENT SYSTEMS LIMITED
        1988 - 2023 All rights reserved.

        All software developed by Arts Management Systems Ltd. is furnished under a license agreement and is not sold to the end user. The software may be used or copied only in accordance with the terms of the agreement. Names of persons, corporations or products used in the tutorials and examples of this manual are fictitious.

        No part of this web site (hereinafter referred to as a manual) may be reproduced, transmitted, stored in a retrieval system or translated into any language in any form by any means without the written permission of ARTS MANAGEMENT SYSTEMS LIMITED. The information in this manual is subject to change without notice and does not represent a commitment on the part of ARTS MANAGEMENT SYSTEMS LIMITED to the functionality described herein. You may develop your own web pages and custom documentation that refer to (or hyper-link with) web pages within the manual with the understanding that links could be changed or removed in the future and content within each page of this manual may also change as functionality within the software changes. The manual is not guaranteed to match your version of the software as it will be amended constantly to reflect the current state of any software.

        This licence agreement may change without notice. Any changes and amendments to the licence agreement are also binding.


        Trademarks

        • IBM, IBM PC and AT are registered trademarks of International Business Machines Corporation.
        • Windows, Microsoft and MS-DOS are registered trademarks, and Microsoft Windows are trademarks of Microsoft Corporation.
        • Apple, the Apple logo, Apple Talk, LaserWriter, OSX and Macintosh are registered trademarks and Finder is a trademarks of Apple Computer, Inc.
        • PostScript is a registered trademark of Adobe Systems, Inc.
        • oWrite, oGantt, oSpell are a registered trademarks of Brainy Data Ltd.
        • Other products mentioned are trademarks or registered trademarks of their respective corporations.


        Warranties

        ARTS MANAGEMENT SYSTEMS LIMITED makes no warranties, either expressed or implied, regarding the described computer software package of its fitness for any particular purpose.


        Agreement

        DO NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE UNTIL YOU HAVE CAREFULLY READ AND AGREED TO THE FOLLOWING TERMS AND CONDITIONS WHICH SET OUT THE TERMS OF THE LICENSE AGREEMENT BETWEEN YOU AND ARTS MANAGEMENT SYSTEMS LIMITED. IF YOU INSTALL THE SOFTWARE AND CLICK 'I AGREE' DURING THE INSTALLATION, YOU EXPLICITLY AGREE TO ALL TERMS AND CONDITIONS OF THE SOFTWARE LICENCE. YOU MAY NOT USE THE ENCLOSED SOFTWARE, RECEIVE SUPPORT OR BENEFIT FROM THE WARRANTY SET FORTH BELOW UNLESS YOU AGREE TO THE TERMS OF THE LICENCE WITH ARTS MANAGEMENT SYSTEMS LIMITED. IF YOU DO NOT AGREE WITH THE LICENSE TERMS AND CONDITIONS, PROMPTLY DESTROY THE INSTALLER AND YOUR MONEY WILL BE REFUNDED.

        1. Ownership. Arts Management Systems Limited retains ownership of all software and programs provided to you. This software is licensed to you for use under the following conditions:
        2. Software License. Subject to the terms and conditions set forth below and upon receipt by Arts Management Systems Limited of a contract that has been signed by you, you (the "Licensee") are hereby granted a non-exclusive, non-transferable, limited license (the "License") to use the Arts Management Systems Limited programs described below (the "Program") and the associated documentation (the "Documentation") (the Program and the Documentation are collectively referred to herein as the "Software") on any number of compatible computers within your organizations as specified explicitly in the contract. Access to the use of the Software by Licensee shall be limited to no more than the designated number of Licensed Users as set out in the contract. The designated number of License Users may be altered by the Licensee at any time upon receipt of a supplemental signed contract by Arts Management Systems Limited's with pricing and additional licence arrangements stated in the contract.

          Number of Licensed Users: Refer to original Contract and supplemental Contracts or amendments

          Program (includes but is not limited to): Theatre Manager, scanner software, web servers, and any software that may be provided by Arts Management Systems Ltd. or downloaded electronically from our web sites or App Stores (such as Apple's App store). Download of any software created by Arts Management Systems from any source automatically makes that software subject to this licence agreement.
        3. Copies. This license allows you to make any number of copies of the software provided in the Contract in machine-readable form for deployment within your organization or backup purposes only. You must reproduce on each copy the Arts Management Systems Limited copy right notice and any other proprietary legends that were on the original copy of the Arts Management Systems Limited software.
        4. Property Rights. The software contains copyrighted material, trade secrets and other proprietary materials, all of which are owned by Arts Management Systems Limited or its suppliers who retain title to the Software and all copies thereof, and Licensee shall not sell, transfer, rent, lease, loan, distribute, disclose, display or otherwise make available any portion of the Software to others. Licensee may not engage in, or permit third parties to engage in any activities which would have the effect of infringing on or derogating from Arts Management Systems Limited's ownership in the software. Without limiting the foregoing and except as provided in paragraph 2 above, Licensee may not engage or permit third parties to engage in any of the following: (A) the provision or permitted use or disclosure of the Software to third parties; (B) provision of the Software for use in a computer service business, network, timesharing, multiple CPU or multiple user arrangement, or by telecommunications to users who are not individually licensed by Arts Management Systems Limited; (C) removal or obscuring of the copyright and other proprietary notices from any of the programs, screens, media, installers, or any of the Documentation; (D) reverse engineering or attempting to disassemble or decompile the Software; (E) granting sublicenses, leases or other rights in the Software to others; and (F) making copies or verbal or media transmissions, of the Documentation. Licensee may physically transfer the Programs from one computer to another provided the programs are used by no more that the designated Number of Licensed Users at the same time.
          Licensee agrees to secure and protect the Software in a manner consistent with the maintenance of Arts Management Systems Limited ownership and proprietary rights therein and to take appropriate action by instruction or agreement with the Licensed Users to satisfy its obligations hereunder.
        5. Limited Warranty. Arts Management Systems Limited warrants that the Software will substantially conform to published specifications and the Documentation, provided that the Software is used on computer hardware and with the operating system for which it was designed. Arts Management Systems Limited warrants that the installer will be free from defects in material and workmanship, under normal use, for ninety (90) days after the date of the original purchase. If a defect occurs during such ninety (90) day period, the Licensee may download a replacement without charge or, at Arts Management Systems Limited's option, a refund of the purchase price. This is Licensee's sole remedy and Arts Management Systems Limited entire liability in the event of a defect in the media, installer, or software. Further, Arts Management Systems Limited hereby limits the duration on any implied warranty(ies) on the media or installers to the period stated above.

          EXCEPT AS PROVIDED ABOVE, LICENSEE ACKNOWLEDGES AND AGREES THAT THE SOFTWARE IS USED BY LICENSEE AT LICENSEE'S SOLE RISK AND IS PROVIDED "AS IS" WITHOUT WARRANT OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, TITLE, RESULTS, EFFORT OR QUIET ENJOYMENT. ARTS MANAGEMENT SYSTEMS LIMITED DOES NOT GUARANTEE, WARRANT OR MAKE ANY REPRESENTATION THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT THE DEFECTS IN THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, ARTS MANAGEMENT SYSTEMS LIMITED DOES NOT GUARANTEE, WARRANT OR MAKE ANY REPRESENTATION REGARDING THE USE OF THE RESULTS OF THE USE OF THE SOFTWARE IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY, CURRENTNESS, OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY ARTS MANAGEMENT SYSTEMS LIMITED, OR ANY AUTHORIZED REPRESENTATIVE OF ARTS MANAGEMENT SYSTEMS LIMITED, SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU (AND NOT ARTS MANAGEMENT SYSTEMS LIMITED OR ITS AUTHORIZED REPRESENTATIVES) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME STATES OF THE UNITED STATES OF AMERICA DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES LICENSEE LIMITED, SPECIFIC RIGHTS. LICENSE MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.
        6. Limitation Of Liability. In no event, including negligence, will Arts Management Systems Limited or its directors, officers or agents be liable to licensee for indirect, special, incidental or consequential damages, including, but not limited to any loss of data or business information or loss of profits, arising out of the use or inability to use the software, even if Arts Management Systems Limited or an authorized representative thereof has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to licensee. In no event shall Arts Management Systems Limited total liability hereunder for all damages, losses, and causes of action whether in contract, tort (including negligence) exceed the amount paid by licensee for the software.
        7. Termination. This license is effective until terminated. This License will terminate automatically without notice from Arts Management Systems Limited upon breach of Licensee or any of the Licensed Users of any provision of this license relating to the confidentiality and protection of Arts Management Systems Limited proprietary rights in the Software, use of the Software by more than the designated number of Licensed Users, or the termination of Licensee's business or the filing of a petition in bankruptcy or insolvency with respect to Licensee. In the event of termination to this License, Licensee shall immediately return the Software to Arts Management Systems Limited and destroy all copies thereof. All provisions of this License relating to disclaimers of warranties, limitations of liability, remedies or damages and Arts Management Systems Limited proprietary rights shall survive termination.
        8. Export Law Assurances. Licensee agrees and certifies that the Software, and the direct product thereof, will not be exported outside Canada and The United States except as permitted by the laws and regulations of either country or exported or used outside the country in which originally licensed.

          This License shall be governed by and construed in accordance with the laws of Canada and the Province of Alberta, as applied to agreements entered into and to be performed entirely within Alberta between Alberta residents and the parties hereto irrevocably attorn to the jurisdiction of the Courts of the Province of Alberta. If for any reason a court of competent jurisdiction finds any provision of this License, or portion thereof, to be unenforceable, that provision of the License shall be enforced to the maximum extent permissible so as to effect the intent of the parties, and the remainder of this License shall continue in full force and effect.

        ARTS MANAGEMENT SYSTEMS LIMITED, 1110 Maggie St. SE, Calgary, Alberta, Canada T2G 4M1

        LICENSEE ACKNOWLEDGES THAT IT HAS READ AND UNDERSTANDS THIS AGREEMENT AND AGREES TO BE BOUND BY ITS TERMS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE COMPLETE AND EXCLUSIVE STATEMENT OF THE AGREEMENT BETWEEN LICENSEE AND ARTS MANAGEMENT SYSTEMS LIMITED AND SUPERSEDES ANY PROPOSAL OR PRIOR AGREEMENT, ORAL OR WRITTEN, AND ANY OTHER COMMUNICATION RELATING TO THE SUBJECT MATTER OF THIS AGREEMENT AND MAY NOT BE MODIFIED EXCEPT IN A WRITTEN AGREEMENT SIGNED BY AN AUTHORIZED REPRESENTATIVE OF LICENSEE AND ARTS MANAGEMENT SYSTEMS LIMITED.