Implement Strong Access Control Measures

Access control allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware. Logical access control permits or denies use of PIN entry devices, a wireless network, PCs and other devices. It also controls access to digital files containing cardholder data.

Requirement 7: Restrict access to cardholder data

Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities.

Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Artsman: web sales and database
Customers: user access setup/permissions
7.1.1 Define access needs for each role, including:
  • System components and data resources that each role needs to access for their job function
  • Level of privilege required (for example, user, administrator, etc.) for accessing resources
Access to various data can be set on a per-user basis in Employee Access.
Customers: user access setup/permissions
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. Creating a user in Theatre Manager defaults to minimal access to card data and/or functions. Users are advised to use the administrator account only on the rare occasions when they need to administer the system.
Customers: user access setup/permissions
7.1.3 Assign access based on individual personnel's job classification and functions.
Customers: user access setup/permissions
7.1.4 Require documented approval by authorized parties specifying required privileges.
Customers: user access setup/permissions
7.2 Establish an access control system for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

This access control system must include the following:

7.2.1 Coverage of all system components. Refer to employee settings and function access for credit cards.
Customers: user access setup/permissions
7.2.2 Assignment of privileges to individuals based on job classification and function.
Customers: user access setup/permissions
7.2.3 Default "deny-all" setting.
Customers: user access setup/permissions
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
Customers: user access setup/permissions

Requirement 8: Assign a unique ID to each person

Assign a unique ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.

The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.

Note:

  • These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance).
  • However, Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

Section PCI Requirement Comments Responsibilities on Artsman Cloud
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: Theatre Manager implements PCI standards. You may need a manual process for other applications or hardware.
Customer: via Theatre Manager
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.  
8.1.3 Immediately revoke access for any terminated users.  
8.1.4 Remove/disable inactive user accounts within 90 days. Refer to the PCI Security Tab in System Preferences for settings. Theatre Manager enforces stronger password policies than the minimum PCI standards.
8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Monitored when in use.
Theatre Manager uses Teamviewer for one-time access, granted as needed.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. Theatre Manager limits incorrect password attempts to a total of 6 since the last successful attempt and locks out the account on failure.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. Lockout duration in Theatre Manager is permanent. A locked-out employee must be reinstated by an administrator.
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. Theatre Manager has two timeouts. After 15 minutes of inactivity, the user will see a lock screen and need only put in their password again to continue.

There is a longer timeout in Company Preferences->Reports where you can specify when an idle user will be forced to log off the system.

The process is:

  • After 15 minutes, lock the screen and require only a password to continue. Any sales in progress or reports on screen are not closed and are available again once you enter your password.
  • After the longer timeout, quit Theatre Manager completely.
In addition to the feature built into Theatre Manager for auto log out, you are encouraged to use the screen saver provisions that require passwords after the screen saver is activated.
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
  • Something you know, such as a password or passphrase
  • Something you have, such as a token device or smart card, specific IP, key access to a locked room
  • Something you are, such as a biometric
  Customer: password via Theatre Manager, tokens and biometrics for Operating System login
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. Passwords are never transmitted in clear text when logging on to the database.

User Passwords are stored in the database in encrypted format and established in PostgreSQL as a hash of that encrypted value.

When a user logs in, the password is converted to the salted hash and that is used to login. All communication to the PostgreSQL Database is over a secure connection, currently TLS 1.2 or better.

automatic via Theatre Manager
8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. Only administrators are able to reset a password, reinstate an employee and/or regenerate credit card encryption keys.
automatic via Theatre Manager
8.2.3 Passwords/phrases must meet the following:
  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Theatre Manager enforces:
  • Minimum 7
  • One upper
  • One lower
  • One numeric
  • One Special
  • No repeated characters
automatic via Theatre Manager
8.2.4 Change user passwords/passphrases at least once every 90 days. Theatre Manager enforces this.
Customer: follow Theatre Manager prompts to change password
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. Theatre Manager enforces a history of 12, and that can be raised.
automatic via Theatre Manager
8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. Theatre Manager enforces a change of password at the time of login for first-time users.
automatic via Theatre Manager
8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens, and other technologies that facilitate two-factor authentication.

Two-factor authentication means something you know and something you are given. Our QSA (the auditor who assesses Theatre Manager's ability to meet PCI compliance) has indicated that TeamViewer meets that requirement when used per the instructions. The multiple factors include:
  • The user must start the application manually (it is not active by default)
  • A unique Id must be provided to Artsman by the customer
  • A single use token must be provided to ArtsMan that cannot be reused.
effectively being 3 factors that must occur for access to be granted successfully.
automatic via Theatre Manager
8.4 Document and communicate authentication policies and procedures to all users including:
  • Guidance on selecting strong authentication credentials
  • Guidance for how users should protect their authentication credentials
  • Instructions not to reuse previously used passwords
  • Instructions to change passwords if there is any suspicion the password could be compromised.
All Theatre Manager user passwords are encrypted in the database. MD5 authentication is recommended at a minimum for accessing the database (this is the default standard in the pg_hba.conf file).
automatic via Theatre Manager
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
  • Generic user IDs are disabled or removed.
  • Shared user IDs do not exist for system administration and other critical functions.
  • Shared and generic user IDs are not used to administer any system components.
There are no generic passwords. User IDs and passwords are created by the user on installation.
automatic as part of Theatre Manager installation practices
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.

Arts Management does not require permanent remote access to your servers. Temporary access is always initiated by the customer as described in the TeamViewer remote support help page.
Customer: provides local access via TeamViewer if required
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
  • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
  Artsman: cloud
Customer: workstation
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
  • All user access to, user queries of, and user actions on databases are through programmatic methods.
  • Only database administrators have the ability to directly access or query databases.
  • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

Access to the database is controlled by the pg_hba.conf file, and it is set so that all users must log in to read data.

The user's ID for the database is set by the application and is not known to the user.

The password in PostgreSQL is set by the application and stored encrypted. Thus, the user cannot access the database directly even knowing their Theatre Manager user ID and password, because the database credential is not the same as the plain-text password.

Cloud database access for users is managed through an access broker system (with revocable tokens) followed by the customer user ID/password.

Artsman: cloud
Customer: workstation
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.   Artsman: cloud
Customer: workstation
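The pg_hba.conf settings that rows 8.4 and 8.7 refer to, shown here as an added illustration and not the file Theatre Manager ships: the first entry is the weak form to avoid, the second set requires every client to present a password (md5, the minimum this page recommends) and to connect over TLS, matching what the rows above describe. The database name, user name and address range are placeholders.

```text
# WEAK: any client on the office subnet reads the database with no password at all.
# TYPE   DATABASE     USER          ADDRESS          METHOD
host     all          all           192.168.1.0/24   trust

# CORRECTED: password required on every path, and TCP connections must use TLS.
# TYPE     DATABASE     USER          ADDRESS          METHOD
local      all          all                            md5
hostssl    tm_database  tm_app_user   192.168.1.0/24   md5
hostnossl  all          all           0.0.0.0/0        reject
```

On PostgreSQL 10 or later, scram-sha-256 can replace md5 in the METHOD column for stronger credential storage; it needs password_encryption set to scram-sha-256 and the affected passwords reset once.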

PCI UserId and Password Requirements

Theatre Manager implements fully PCI DSS compliant AES256 encrypted passwords per PCI DSS standard 8.1 and this feature cannot be changed or overridden.

In addition, Merchants must use PCI DSS compliant passwords to access all system components (i.e. any computer, firewall, router, etc. on the network) and these passwords must be changed from any vendor-supplied initial values per PCI standard 2.1.

Note: Do not reduce the level of authentication complexity or compliance in these other system components if it will result in PCI non-compliance.

This means all login passwords must be:

  • reviewed and changed every 90 days. Theatre Manager will enforce password changes automatically. This must be done manually on those devices that do not force a change of passwords, like routers and firewalls. (PCI DSS 8.1.4)
  • 7 characters or more (PCI DSS 8.2.3)
  • mixed case, consisting of at least one uppercase and one lowercase letter (PCI DSS 8.2.3)
  • contain at least one number and one special character (PCI DSS 8.2.3)
  • cannot be the same as any of the previous 12 passwords (PCI DSS 8.2.5)
  • cannot have characters or numbers repeated together
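The password rules in the list above (and in row 8.2.3 of the Requirement 8 table), together with the six-attempt lockout, as a working checker added here for illustration; it is not Theatre Manager's own code. It assumes PBKDF2-SHA256 for the salted hashes, reads "repeated together" as two identical adjacent characters, and locks the account on the sixth consecutive failure since the last successful login.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy values taken from this page: PCI DSS 8.2.3 / 8.2.5 / 8.1.6 as Theatre Manager applies them.
MIN_LENGTH = 7
HISTORY_DEPTH = 12        # a new password may not match any of the previous 12
MAX_FAILED_ATTEMPTS = 6   # six consecutive failures since the last success lock the account
PBKDF2_ROUNDS = 100_000   # assumed hashing parameters; the page only says "salted hash"


def policy_violations(password: str) -> List[str]:
    """Return every complexity rule the candidate breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # "repeated together" is read here as the same character twice in a row ("aa", "11").
    if re.search(r"(.)\1", password):
        problems.append("same character repeated consecutively")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    """Per-user state: password history (oldest first), failure counter and lock flag."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    def _reuses_recent_password(self, candidate: str) -> bool:
        # Re-hash the candidate with each stored salt; the current password is among the 12.
        return any(
            hmac.compare_digest(hash_password(candidate, salt)[1], digest)
            for salt, digest in self.history[-HISTORY_DEPTH:]
        )

    def set_password(self, new_password: str) -> List[str]:
        """Apply the complexity and reuse rules; store a new hash only when all of them pass."""
        problems = policy_violations(new_password)
        if self._reuses_recent_password(new_password):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if not problems:
            self.history.append(hash_password(new_password))
        return problems

    def login(self, attempt: str) -> bool:
        """Check the attempt against the current password and apply the lockout rule."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(attempt, salt)[1], digest):
            self.failed_attempts = 0   # the counter is "since the last successful attempt"
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True         # permanent until an administrator reinstates the user
        return False

    def reinstate(self) -> None:
        """Administrator action: clear the lock and the failure counter."""
        self.locked = False
        self.failed_attempts = 0
```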
Change all passwords from any vendor default password that might be used for installation per PCI DSS 2.1. For example, you must:
  • Change the Theatre Manager 'Master User' password when the system is installed.
  • Change the user and password on any router from anything printed in the manufacturer's documentation
  • Make sure that accessing each computer requires a password and does not 'auto-login'
  • Ensure that screen savers are implemented that require passwords to be entered whenever the screen saver is activated. Screensavers (or some other mechanism for locking computers) must activate after 15 minutes of idle time or less on all workstations and servers. Theatre Manager also has an inactivity timeout that will log people out of the application. Using both features improves security. (PCI DSS 8.1.8)

Each user that has access to any systems in your network must have a unique user ID and password per PCI DSS standard 8.1.1.

Never use the Master User account for daily operations.

It should only be used when creating other accounts or for other very specialized needs as directed by Arts Management Systems.

If your network has a 'master' domain server (or Open Directory on OS X) available that could control password authentication for all machines, please ensure that the security policies on the domain/directory server are set to enforce PCI DSS passwords and that all machines in the network log in using authentication from the server.

If a domain/Open Directory server is not available to enforce password settings, then each machine/user must use PCI DSS compliant passwords.

If a user tries more than 6 times to gain access to the system, Theatre Manager automatically resigns the user - which means that they are locked out permanently until manually re-instated per PCI-DSS standard 8.1.6 and 8.1.8

Teamviewer: ArtsMan Technical Support

Theatre Manager staff should not require permanent access to your machines, except under very specific circumstances. The remote access feature in Theatre Manager is designed for one-time, permitted access.

Remote Access/Support

The process for actual access to the remote machine is as follows:

  • The customer must initiate a support request that involves a phone conversation
  • In that phone conversation, it is determined that a timely resolution involves connecting remotely to provide assistance
  • Arts Management confirms its identity to the customer by providing the customer with the case number they created to continue with support (PCI requirement for second authentication).
  • The customer then starts the remote assistance software by either:
    • clicking the Remote Assistance button on the toolbar after logging into Theatre Manager. It is on the right side of the toolbar as per the above image. Since you must have logged into Theatre Manager to activate remote support, it is not active by default. -OR-
    • starting Theatre Manager and clicking the Support button on the login page as per the diagram to the right. This is useful if you are unable to log in for any reason.
  • The customer provides two keys created by TeamViewer: an ID and a randomly generated 8-character password (containing numbers and letters, and unique to the session) as per the image below. Both of these are conveyed to the AMS support representative.
  • Arts Management Support activates remote assistance manager and enters both keys to gain remote access
When Remote Access is disconnected, another remote support session requires a new set of keys to be provided. The customer is in complete control of the session at all times with a visual indicator showing the connection status.


How does it work?

TeamViewer uses SSH for authentication and brokering of session keys. It communicates with the master cluster through DNS names, which delegates the brokering of the session to the TeamViewer servers. Connection to the routing server and KeepAlive server is done directly via IP addresses.

The servers are spread across the globe and located at large data centers; their IP addresses are not organized in common subnets or IP ranges. TeamViewer continuously scales up the server network as the number of TeamViewer users grows, so it is not possible to publish a fixed set of IP addresses, because such a list would very soon be outdated.

Communication is done to URLs of the format:

  • *.teamviewer.com
  • *.dyngate.com
By default TeamViewer uses only the outgoing port 80 (HTTP) so that no firewall configuration is necessary. Alternatively you can open port 5938 (TCP) for outgoing connections if you wish to block port 80.

Requirement 9: Restrict physical access to cardholder data

Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. This means locks on a computer room door or places (like the box office) where people can access machines that can access cardholder data.
Artsman: cloud
Customer: workstation
9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

  Artsman: cloud - SOC 2 compliant data centres
9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.

For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.

  Artsman: cloud - SOC 2 compliant data centres
Customer: internal network
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.   Artsman: cloud - SOC 2 compliant data centres
Customer: internal network
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
  • Identifying onsite personnel and visitors (for example, assigning badges)
  • Changes to access requirements
  • Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Artsman: cloud - SOC 2 compliant data centres
Customer: internal network
9.3 Control physical access for onsite personnel to sensitive areas as follows:
  • Access must be authorized and based on individual job function.
  • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
  Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.4 Implement procedures to identify and authorize visitors.

Procedures should include the following:

  Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.  
9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.  
9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.  
9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.

Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log.

Retain this log for a minimum of three months, unless otherwise restricted by law.

9.5 Physically secure all media   Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.   Artsman: cloud - SOC 2 compliant data centres
9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:   Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.6.1 Classify media so the sensitivity of the data can be determined.  
9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.  
9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).  
9.7 Maintain strict control over the storage and accessibility of media.    
9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.   Artsman: automated backups, recycle and deletion policies
9.8 Destroy media when it is no longer needed for business or legal reasons as follows:    
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.   Artsman: automated secure deletion
9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. There is a tool on Windows called Eraser that will handle this for you. On the Mac, use Secure Empty Trash. Refer to this link for more information about using them.
Artsman: automated secure deletion
Customer: should ensure no local cardholder storage in spreadsheets etc.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Note: These requirements apply to card- reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

This does not apply to Theatre Manager as it does not use card reading devices for card present transactions. Customer: protect any pin pad devices accordingly
9.9.1 Maintain an up-to-date list of devices. The list should include the following:
  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification.
For point of sale devices.
Customer: workstation inventory
9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

For point of sale devices.
Customer: workstations and/or pinpad
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
For point of sale devices.
Customer: workstations and/or pinpad
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.   Artsman: Cloud
Customer: workstations and devices