Office LAN

The office LAN should be set up to isolate computers that may access credit cards from other general purpose machines. These machines should be hardwired to ethernet hubs and routers. Generally, this just means putting it on a different VLAN than the rest of the office to provide maximum cardholder security PCI requirement 1.2.1.

For example, if there is an area that provides free wireless in the lobby or access to the internet for actors in the green room. Those access points should be part of the 'Venue Lan' and not part of the 'Office Lan' (per the network diagram) to separate the segment of the network containing credit cards (office) from wireless part of the network.

You should not be able to access the internet from the database server or any machine that contains credit card information except as required to authorize the card or update system components. PCI requirement 1.3.2 to 1.3.5

Ports that should be open are defined in the section about firewall rules

When you need to set up firewalls on computers, the built-in firewall on windows is very flexible. On macOS, do not manage the built-in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the macOS PF firewall.

This section describes the components of the Office LAN.

Box Office Admin Computers

Office computers can be classified in two categories:
  • those where credit card data is typed or entered into the system (with or without credit card swipes)
  • and those computer where credit card information is not typed into the machine.

Computers accepting Credit Card Data

Any computer where credit card information is entered or that has an attached credit card swipe is effectively a point of sale device and needs to be protected from a particularly nasty form of virus called 'Bots'.

These are especially prevalent on PC's and if a computer were to become infected, this type of virus scans keystrokes at the computer and sends those key strokes to the 'bad guys' outside the network. Preventing this involves closing most ports and providing very limited access to the outside world, especially for mail and web browsing.

For this reason, on those computers, you should:

  • Close down all outgoing ports except those specified in firewall rules for workstations.
  • Disallow general internet access via the web browser to prevent the most common source of infection. You can allow people to access help.theatremanager.com for online help.
  • install virus protection software on these machines and regularly run it and update the software. There are a number of good alternatives from freeware like Avast! to Symantec (our least favourite)
Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and servers. PCI requirement 5.1

If these computers are using Theatre Manager, you may need to exclude the 'Theatre Manager' program files directory, depending on your virus software. Exclude all network traffic to port 5432 on postgres server.

Computers that do not accept Credit Card Information

Machines that are not entering credit card numbers may have general internet access. You can ensure that these workstations cannot enter cards into Theatre Manager by setting up specific workstations or network segments that can accept payments and excluding these workstations.

If those computers are on the same network segment as the machines accepting card numbers then they fall into the scope of a PCI assessment for the venue. This means those machines would need all of the anti-virus and anti-malware software as well as file integrity monitoring, log management, access control, etc. just like the machines that accept the cards.

To reduce the scope of the venue's PCI assessment needs, the venue should consider placing those machines (back office or manager machines usually) on a separate network segment with just the necessary ports between them and the cardholder data network open. Refer to the network diagram and firewall rules to separate the computers with card access from those without onto separate VLAN's within your network.

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) PCI requirement 5.1

If these computers are using Theatre Manager, you may need to exclude the 'Theatre Manager' program files directory, depending on your virus software. Exclude all network traffic to port 5432 on postgres server.

Wireless Access Points

Theatre Manager does not require use of any wireless network for operation as all workstations and servers are to be connected via ethernet cabling.

Since many venues use wireless networks in the lobby for customers and green rooms for actor, or volunteer use, it is important to ensure that wireless routers are separated from the cardholder network and are on their own VLAN and all default settings are changed from factory. PCI requirement 1.2.3 and PCI requirement 2.1.1

The following must also be changed every time somebody with knowledge of the security changes positions or leaves the company. PCI requirement 4.1.1

Configuration of these should include:

  • Turn off all SSID broadcasting
  • Enter the MAC addresses (00:00:xx:xx:xx:xx) of the scanners into the acceptable list of devices at the remote site and only allow those devices to gain access to the network
  • Use strong encryption such as WPA2 (also sometimes called IEEE 802.11i) or better for access control.
  • Update the router to the latest firmware
  • Change the default user ID and password for the router to be different than the manufacturer-supplied defaults.
  • Change all wireless default encryption keys and SNMP community strings

Ticket Scanners

Wireless ticket scanners do not transmit any cardholder data at all so wireless ticket scanning can be implemented one of two ways. The scanners can be
  • part of a VLAN that is inside your main router/firewall and connected to the other parts of your network. This is known as the Venue LAN according to the network diagram. Scanners using this configuration are subject to PCI regulations to the extent that the firewall must be in place to regulate traffic.
  • completely outside the main firewall and directly connected to the internet via the ISP. In this situation, the ticket scanner is considered not part of your network and is out of scope of PCI compliance.

Wireless Scanners in the Venue Lan

If the ticket scanners are within your firewall and part of a VLAN connected to the Office LAN, you must implement TLS 1.2 or better security and firewall rules between the venue LAN and the office LAN per the network diagram. Refer to PCI 4.1.1

You can use a direct IP in the scanner to access the Apache server directly (e.g. 192.168.1.x), or you can refer to the server via the domain name (like tickets.yourvenue.org).

Wireless Scanners connected to the Internet

If the wireless scanners are connected to a router that is on the internet (and not connected in any way to the internal trusted networks) then you do not need any security on the scanners. Since the scanners simply send HTTP requests to the Apache Server, you can use the external DNS name like tickets.yourvenue.org.

The Linea Pro and iPhone/iPod combination support the latest required encryption technologies from end to end

Wireless Computer Access

If you permit wireless access to your network within your office, PCI compliance states that these computers should go through at least one router or firewall before accessing the office network or any part of the network where credit card information is stored.