Search Patron Data for Credit Card Information

Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. This does not apply to authorized personnel with a legitimate business need to see the full PAN, and it does not supersede stricter requirements in place for displays of cardholder data, such as on a point-of-sale receipt (PCI DSS requirement 3.3).

Use this feature to identify patron records that have data attached which could be construed as a clear-text credit card number. PCI DSS requires a PAN to be masked when displayed (requirement 3.3) and rendered unreadable wherever it is stored (requirement 3.4), so a card number typed into a free-text note field violates both.

When using this search option, a patron is listed when one of the searched fields contains a group of 3 or 4 digits repeated four times, i.e. roughly 12 or more contiguous digits. A listed patron is only a candidate: the matching string may not be a credit card at all.

Searching for at least 13 contiguous digits finds strings such as 4500 000 000 000 or 5200 0000 0000 0000; it does not matter whether there are one or more spaces between the groups of digits. Phone numbers such as 518-444-5555 will not be found, since the hyphenated groups are too short. The search may, however, still match digits that are separated by something other than spaces.

Each prospective full credit card number found this way is then subjected to the same Luhn (mod 10) check that the bank uses to decide whether a string is a card number. If the digits do not pass the Luhn check, the string is not identified as a credit card.

Note that a full PCI scan of the raw files on a machine holding a Theatre Manager database COULD produce FALSE POSITIVES if you use SVG maps with pick-your-own-seats. The vector coordinates of the points in a map contain many long runs of digits, which consistently fool disk-level PCI scanners into treating them as credit card numbers.
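The two-stage logic described above (find a long run of digits, ignoring spaces, then keep only runs that pass Luhn) is easy to reproduce for your own spot checks or for scanning an export. The following Python is an added example and is not Theatre Manager's own code; the field names, the list of skipped fields and the sample records are constructed for illustration. It also shows why the page's pattern examples are only candidates: 4500 000 000 000 and 5200 0000 0000 0000 match the digit-run rule but fail Luhn, while a well-known test PAN passes, and any hit is printed masked per PCI DSS 3.3.

```python
import re

# Runs of 13 or more digits, optionally separated by one or more spaces (the page's
# matching rule). Hyphenated groups such as 518-444-5555 do not join into one run.
DIGIT_RUN = re.compile(r"\d(?: *\d){12,}")

# Field types the page says are NOT examined: T_CARD_NO holds cheque/reference
# numbers, and SVG map data is a known false-positive source. (Constructed names.)
SKIPPED_FIELDS = {("transaction", "T_CARD_NO"), ("pricing map", "svg data")}


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 display rule: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_candidates(text: str):
    """Return every qualifying digit run in text with spaces removed (before Luhn)."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = m.group(0).replace(" ", "")
        if len(digits) <= 19:   # assumption: a PAN is at most 19 digits; longer runs are skipped
            found.append(digits)
    return found


def scan_fields(fields):
    """fields: {(record_type, field_name): text}.
    Returns only Luhn-passing hits as (record_type, field_name, masked_pan)."""
    hits = []
    for (rtype, fname), text in fields.items():
        if (rtype, fname) in SKIPPED_FIELDS:
            continue
        for digits in find_candidates(text):
            if luhn_ok(digits):
                hits.append((rtype, fname, mask_pan(digits)))
    return hits


# Constructed sample data, not real patron records. 4111 1111 1111 1111 is a
# widely published test PAN; the other long numbers are the page's own examples.
SAMPLE_FIELDS = {
    ("patron", "general notes"): "Renewal by phone, card 4111 1111 1111 1111 exp 12/29",
    ("patron", "special needs notes"): "Call 518-444-5555 before seating",
    ("order", "PO number"): "4500 000 000 000",
    ("donation", "tax receipt name"): "Receipt ref 5200 0000 0000 0000",
    ("pricing map", "svg data"): "M 4111111111111111 L 42 7",
    ("transaction", "T_CARD_NO"): "4111111111111111",
}

if __name__ == "__main__":
    for hit in scan_fields(SAMPLE_FIELDS):
        print(hit)
```

Running it reports only the patron general-notes entry: the order and donation strings are found by the digit-run rule but rejected by Luhn, the phone number never forms a long enough run, and the SVG and T_CARD_NO fields are skipped outright, exactly the behaviour the page describes for the built-in search.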


Fields searched for possible card data are:

  • Patron
    • general notes, volunteer notes, donor notes, household notes, and the three customizable note fields on the notes tab
    • marketing field #5
    • donor publication name
    • Special Needs Notes
    • GST/HST numbers
    • Client asset notes entered on the client asset setup in the 'donor' tab on the patron window.
    • These could be entered on the various tabs in the patron window.
  • Donation
    • Donation notes, custom fields, donation publication name, tax receipt name and other donation text fields.
    • These would be seen on the donation window.
  • Order
    • Internal and external order notes and ticket comments
    • The order PO number
    • These would be seen on an order payment window and can also be seen in a list of orders
  • Subscriptions
    • The subscription seat change requests
  • Credit card
    • comments or name on card
    • These would be seen on the credit card tab on the patron window.
  • Task/Project notes
    • on the task comments window or the project description
  • Staff/Volunteer History
    • Notes on the Activity setup window
    • Notes on the history evaluation and duties fields


Fields not searched for any card data

  • The transaction card number field (T_CARD_NO) is not checked, because it holds reference numbers for other payment methods (e.g. check numbers). If somebody used a payment method that is not of type credit card but typed a valid card number into this field, there is little Theatre Manager can do: it cannot apply an edit check to the check number field after the fact to flag values that look like card numbers, because that would mean altering past transactions, which Theatre Manager does not allow for audit reasons. If there are credit card numbers in the check # field, finding and clearing them is a manual task for Arts Management Support. Please contact Arts Management Support directly if this applies to your situation.
  • Theatre pricing map SVG data, which can produce false positives.


To search the database for credit card information, you perform the following steps:

  1. Select Setup->Batch Functions->Check Patron Fields For PCI Data

    Refer to the menu selection to the right

    A window opens that allows the search to begin. Follow the instructions:

    • Click the search button on the upper right side of the window to begin
    • Wait a while as the system is checking many fields and many database records. It might take up to a minute on larger databases

  2. After clicking the Search button, any patron who has a 13-digit or longer string stored in any of the fields listed above is displayed.

  3. Go through the results and remove the data manually.

    Double-click a line to open the window where Theatre Manager suspects the data to be.

  4. Click the icon to download the checklist.