PCI UserId and Password Requirements

Theatre Manager implements fully PCI DSS compliant AES256 encrypted passwords per PCI DSS standard 8.1 and this feature cannot be changed or overridden.

In addition, Merchants must use PCI DSS compliant passwords to access to all system components (i.e. any computer, firewall, router, etc. on the network) and these passwords must be changed from any vendor supplied initial values per PCI standard 2.1.

Note: Do not reduce the level of authentication complexity or compliance in these other system components if it will result in PCI non-compliance.

This means all login passwords must be:

  • reviewed and changed every 90 days. Theatre Manager will enforce password changes automatically. This must be manually done on those devices that do not force change of passwords like routers and firewalls. (PCI DSS 8.1.4)
  • 7 characters or more (PCI DSS 8.2.3)
  • mixed case consisting of at least uppercase and one lowercase letter (PCI DSS 8.2.3)
  • contain at least one number and special character (PCI DSS 8.2.3)
  • cannot be the same as an previous 12 passwords (PCI DSS 8.2.5)
  • cannot have characters or numbers repeated together
Change all passwords from any vendor default password that might be used for installation per PCI DSS 2.1. For example, you must:
  • Change the Theatre Manager 'Master User' password when the system is installed.
  • Change the user and password on any router from anything printed in the manufacturer's documentation
  • Make sure that accessing each computer requires a password and does not 'auto-login'
  • Ensure that screen savers are implemented that require passwords to be entered whenever the screen saver is activated. Screensavers (or some other mechanism for locking computers) must activate after 15 minutes of idle time or less on all workstations and servers. Theatre Manager also has an inactivity timeout that will log people out of the application. Using both features improves security. (PCI DSS 8.1.8)

Each user that has access to any systems in your network must have a unique user id and password per PCI-DSS standard 8.1.1

Never use the Master User account for daily operations.

It should only be used when creating other accounts or for other very specialized needs as directed by Arts Management Systems.

If your network has 'master' domain server (or open directory on OSX) available that could control password authentication for all machines, please ensure that the security policies on the domain/directory server is set to enforce PCI/DSS passwords and that all machines in the network log in using authentication from the server.

If a domain/open directory server is not available to enforce password settings, then each machine/user must use PCI/DSS compliant passwords.

If a user tries more than 6 times to gain access to the system, Theatre Manager automatically resigns the user - which means that they are locked out permanently until manually re-instated per PCI-DSS standard 8.1.6 and 8.1.8