Installing Theatre Manager

This guide provides instructions for installing or upgrading Theatre Manager that is very similar on all platforms. Since Theatre Manager is a point of sale application for your venue that can deal with credit card information, care must be taken to install it using the steps that follow to ensure PCI compliance.

There are three components to the Theatre Manager System

  • The Postgresql database server
  • The Theatre Manager desktop application used by Box Office, Development, Marketing, Finance, etc for daily activities
  • The Web Services (also known as the Director) that can be configured to handle various web related functions including:
    • The TM Web Listener service that responds to all online patron requests.
    • The Web server that passes web requests from Patrons to the TM Web Listener

The installation of the database server, Theatre Manager and web sales is relatively simple and can be done in a few minutes.

The installation procedures are constantly updated with the latest instructions to implement Theatre Manager in a PCI manner.

Achieving PCI compliance for your venue comes with how you install it on your network and other protections you put in place. These protections are mandated by PCI standards regardless of whether or not you use software in your operation. We hope that our instructions make it easy for a merchant to meet PCI DSS compliance.

We have placed alerts similar to this throughout the installation documentation to signify areas of particular concern to the PCI standards council. Please pay particular attention to these alerts as they contain valuable information to assist venues meeting PCI compliance.

The steps that follow indicate how to install and run Theatre Manager in a manner that will help you meet your PCI compliance requirements as outlined in the latest PCI quick reference guide. A venue that chooses to opt out of some of the safety and security measures in this document needs to be aware that they have chosen to bypass some aspects of the compliance required in the merchant agreement with their bank and the PCI Security Standards Council that is operated by the credit card companies.

Venues may opt out of any compliance step by signing the appropriate area. The credit card companies have placed the onus on all point of sale software providers to help merchants meet compliance (instead of the banks) and highlight areas to address.

Theatre Manager assists you in meeting PCI compliance because:

  • it is audited and certified per PCI requirements by an accredited third party for your protection
  • it provides the following PA-DSS installation instructions designed to help you implement your internal card practices in a safe manner
Step Purpose Optional Installation instructions or link Who
1. Network Setup Mandatory Setting up network for PCI compliance Artsman Venue
2. Installation of Postgres Server Mandatory Platform specific install instructions ArtsMan
3. Installation of Theatre Manager Mandatory Platform specific install instructions Venue
4. Installation of a customer database Optional If this is the first time that Theatre Manager is being installed at a venue, an 'empty' venue specific serialized database will be provided. It will only contain the zip code lookup table and sample code tables. ArtsMan
5. Credit Card Authorization Optional Theatre Manager provides a selection of service providers for credit card authorization.

Venue Artsman

6. Installation of the Nginx Server Optional Installation of the Nginx server is platform specific if you are using web sales. ArtsMan
7. Setup TLS certificate Optional If you are using web sales, you must set up an TLS certificate and configure your firewall to allow web traffic. You will need to set up a DNS record for 'tickets.yourvenue.org' rather than assigning the TLS to a static IP address. ArtsMan
8. Upgrade of existing web pages Optional This step indicates the general changes to existing web pages that must be made when migrating from any version to any other version.

In addition, a venue must be aware of OWASP and should bookmark it in their browser. This site has a 'top 10' list of ongoing security considerations and standards for web site development. Arts Management reviews and implements each years suggestions annually - see this years top 10.

Finally, if you accept credit cards on the internet, you may need an application firewall as per PCI requirement 6.6 and the web pages are significantly changed. We are looking at mod_security and may put that into a future release of the apache server on your behalf.

Venue
9. Initial settings in TM Mandatory After Theatre Manager and the database have been installed, you will need to review minimum key standards and other security features for PCI compliance. ArtsMan Venue
10. Remote Access Optional This step is a discussion on remote access and what a venue need to do if they wish to provide that for themselves, for Remote Box Offices.

There are considerations for using RDP within the network and enabling security.

Arts Management uses a tool for remote remote support called teamviewer.

ArtsMan Venue
11. Policy Manual Additions mandatory These are some policies that should be added to the customer service and/or security policy manual at a venue for PCI compliance. Venue ArtsMan

Adjusting Security Settings

There are some settings in Theatre Manager that a venue must examine during installation and may need to be changed for PCI standard 8.5 compliance.

If you are upgrading from a demo version of TM, some of these settings were optional to facilitate the purposes of a demo and need implemented for a production system.

Credit Card Authorization

Theatre Manager provides connectivity to a few different service providers for credit card authorization, along with the ability to implement either Schedule "C" or Schedule "D" compliance.

Our sales team will happily discuss your needs, provide contact information for each option, and help quickly and seamlessly setup credit card processing in Theatre Manager. Ultimately, the final choice of processor is up to the venue and we will certainly assist in the implementation.

Service Providers provide the infrastructure to authorize cards under your merchant account and then deposit YOUR funds directly in YOUR bank with minimum delay.

License Agreement

Copyright

ARTS MANAGEMENT SYSTEMS LIMITED
1988 - 2022 All rights reserved.

All software developed by Arts Management Systems Ltd. is furnished under a license agreement and is not sold to the end user. The software may be used or copied only in accordance with the terms of the agreement. Names of persons, corporations or products used in the tutorials and examples of this manual are fictitious.

No part of this web site (hereinafter referred to as a manual) may be reproduced, transmitted, stored in a retrieval system or translated into any language in any form by any means without the written permission of ARTS MANAGEMENT SYSTEMS LIMITED. The information in this manual is subject to change without notice and does not represent a commitment on the part of ARTS MANAGEMENT SYSTEMS LIMITED to the functionality described herein. You may develop your own web pages and custom documentation that refer to (or hyper-link with) web pages within the manual with the understanding that links could be changed or removed in the future and content within each page of this manual may also change as functionality within the software changes. The manual is not guaranteed to match your version of the software as it will be amended constantly to reflect the current state of any software.

This licence agreement may change without notice. Any changes and amendments to the licence agreement are also binding.


Trademarks

  • IBM, IBM PC and AT are registered trademarks of International Business Machines Corporation.
  • Windows, Microsoft and MS-DOS are registered trademarks, and Microsoft Windows are trademarks of Microsoft Corporation.
  • Apple, the Apple logo, Apple Talk, LaserWriter, OSX and Macintosh are registered trademarks and Finder is a trademarks of Apple Computer, Inc.
  • PostScript is a registered trademark of Adobe Systems, Inc.
  • oWrite, oGantt, oSpell are a registered trademarks of Brainy Data Ltd.
  • Other products mentioned are trademarks or registered trademarks of their respective corporations.


Warranties

ARTS MANAGEMENT SYSTEMS LIMITED makes no warranties, either expressed or implied, regarding the described computer software package of its fitness for any particular purpose.


Agreement

DO NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE UNTIL YOU HAVE CAREFULLY READ AND AGREED TO THE FOLLOWING TERMS AND CONDITIONS WHICH SET OUT THE TERMS OF THE LICENSE AGREEMENT BETWEEN YOU AND ARTS MANAGEMENT SYSTEMS LIMITED. IF YOU INSTALL THE SOFTWARE AND CLICK 'I AGREE' DURING THE INSTALLATION, YOU EXPLICITLY AGREE TO ALL TERMS AND CONDITIONS OF THE SOFTWARE LICENCE. YOU MAY NOT USE THE ENCLOSED SOFTWARE, RECEIVE SUPPORT OR BENEFIT FROM THE WARRANTY SET FORTH BELOW UNLESS YOU AGREE TO THE TERMS OF THE LICENCE WITH ARTS MANAGEMENT SYSTEMS LIMITED. IF YOU DO NOT AGREE WITH THE LICENSE TERMS AND CONDITIONS, PROMPTLY DESTROY THE INSTALLER AND YOUR MONEY WILL BE REFUNDED.

  1. Ownership. Arts Management Systems Limited retains ownership of all software and programs provided to you. This software is licensed to you for use under the following conditions:
  2. Software License. Subject to the terms and conditions set forth below and upon receipt by Arts Management Systems Limited of a contract that has been signed by you, you (the "Licensee") are hereby granted a non-exclusive, non-transferable, limited license (the "License") to use the Arts Management Systems Limited programs described below (the "Program") and the associated documentation (the "Documentation") (the Program and the Documentation are collectively referred to herein as the "Software") on any number of compatible computers within your organizations as specified explicitly in the contract. Access to the use of the Software by Licensee shall be limited to no more than the designated number of Licensed Users as set out in the contract. The designated number of License Users may be altered by the Licensee at any time upon receipt of a supplemental signed contract by Arts Management Systems Limited's with pricing and additional licence arrangements stated in the contract.

    Number of Licensed Users: Refer to original Contract and supplemental Contracts or amendments

    Program (includes but is not limited to): Theatre Manager, scanner software, web servers, and any software that may be provided by Arts Management Systems Ltd. or downloaded electronically from our web sites or App Stores (such as Apple's App store). Download of any software created by Arts Management Systems from any source automatically makes that software subject to this licence agreement.
  3. Copies. This license allows you to make any number of copies of the software provided in the Contract in machine-readable form for deployment within your organization or backup purposes only. You must reproduce on each copy the Arts Management Systems Limited copy right notice and any other proprietary legends that were on the original copy of the Arts Management Systems Limited software.
  4. Property Rights. The software contains copyrighted material, trade secrets and other proprietary materials, all of which are owned by Arts Management Systems Limited or its suppliers who retain title to the Software and all copies thereof, and Licensee shall not sell, transfer, rent, lease, loan, distribute, disclose, display or otherwise make available any portion of the Software to others. Licensee may not engage in, or permit third parties to engage in any activities which would have the effect of infringing on or derogating from Arts Management Systems Limited's ownership in the software. Without limiting the foregoing and except as provided in paragraph 2 above, Licensee may not engage or permit third parties to engage in any of the following: (A) the provision or permitted use or disclosure of the Software to third parties; (B) provision of the Software for use in a computer service business, network, timesharing, multiple CPU or multiple user arrangement, or by telecommunications to users who are not individually licensed by Arts Management Systems Limited; (C) removal or obscuring of the copyright and other proprietary notices from any of the programs, screens, media, installers, or any of the Documentation; (D) reverse engineering or attempting to disassemble or decompile the Software; (E) granting sublicenses, leases or other rights in the Software to others; and (F) making copies or verbal or media transmissions, of the Documentation. Licensee may physically transfer the Programs from one computer to another provided the programs are used by no more that the designated Number of Licensed Users at the same time.
    Licensee agrees to secure and protect the Software in a manner consistent with the maintenance of Arts Management Systems Limited ownership and proprietary rights therein and to take appropriate action by instruction or agreement with the Licensed Users to satisfy its obligations hereunder.
  5. Limited Warranty. Arts Management Systems Limited warrants that the Software will substantially conform to published specifications and the Documentation, provided that the Software is used on computer hardware and with the operating system for which it was designed. Arts Management Systems Limited warrants that the installer will be free from defects in material and workmanship, under normal use, for ninety (90) days after the date of the original purchase. If a defect occurs during such ninety (90) day period, the Licensee may download a replacement without charge or, at Arts Management Systems Limited's option, a refund of the purchase price. This is Licensee's sole remedy and Arts Management Systems Limited entire liability in the event of a defect in the media, installer, or software. Further, Arts Management Systems Limited hereby limits the duration on any implied warranty(ies) on the media or installers to the period stated above.

    EXCEPT AS PROVIDED ABOVE, LICENSEE ACKNOWLEDGES AND AGREES THAT THE SOFTWARE IS USED BY LICENSEE AT LICENSEE'S SOLE RISK AND IS PROVIDED "AS IS" WITHOUT WARRANT OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, TITLE, RESULTS, EFFORT OR QUIET ENJOYMENT. ARTS MANAGEMENT SYSTEMS LIMITED DOES NOT GUARANTEE, WARRANT OR MAKE ANY REPRESENTATION THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT THE DEFECTS IN THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, ARTS MANAGEMENT SYSTEMS LIMITED DOES NOT GUARANTEE, WARRANT OR MAKE ANY REPRESENTATION REGARDING THE USE OF THE RESULTS OF THE USE OF THE SOFTWARE IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY, CURRENTNESS, OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY ARTS MANAGEMENT SYSTEMS LIMITED, OR ANY AUTHORIZED REPRESENTATIVE OF ARTS MANAGEMENT SYSTEMS LIMITED, SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU (AND NOT ARTS MANAGEMENT SYSTEMS LIMITED OR ITS AUTHORIZED REPRESENTATIVES) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME STATES OF THE UNITED STATES OF AMERICA DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES LICENSEE LIMITED, SPECIFIC RIGHTS. LICENSE MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.
  6. Limitation Of Liability. In no event, including negligence, will Arts Management Systems Limited or its directors, officers or agents be liable to licensee for indirect, special, incidental or consequential damages, including, but not limited to any loss of data or business information or loss of profits, arising out of the use or inability to use the software, even if Arts Management Systems Limited or an authorized representative thereof has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to licensee. In no event shall Arts Management Systems Limited total liability hereunder for all damages, losses, and causes of action whether in contract, tort (including negligence) exceed the amount paid by licensee for the software.
  7. Termination. This license is effective until terminated. This License will terminate automatically without notice from Arts Management Systems Limited upon breach of Licensee or any of the Licensed Users of any provision of this license relating to the confidentiality and protection of Arts Management Systems Limited proprietary rights in the Software, use of the Software by more than the designated number of Licensed Users, or the termination of Licensee's business or the filing of a petition in bankruptcy or insolvency with respect to Licensee. In the event of termination to this License, Licensee shall immediately return the Software to Arts Management Systems Limited and destroy all copies thereof. All provisions of this License relating to disclaimers of warranties, limitations of liability, remedies or damages and Arts Management Systems Limited proprietary rights shall survive termination.
  8. Export Law Assurances. Licensee agrees and certifies that the Software, and the direct product thereof, will not be exported outside Canada and The United States except as permitted by the laws and regulations of either country or exported or used outside the country in which originally licensed.

    This License shall be governed by and construed in accordance with the laws of Canada and the Province of Alberta, as applied to agreements entered into and to be performed entirely within Alberta between Alberta residents and the parties hereto irrevocably attorn to the jurisdiction of the Courts of the Province of Alberta. If for any reason a court of competent jurisdiction finds any provision of this License, or portion thereof, to be unenforceable, that provision of the License shall be enforced to the maximum extent permissible so as to effect the intent of the parties, and the remainder of this License shall continue in full force and effect.

ARTS MANAGEMENT SYSTEMS LIMITED, 1110 Maggie St. SE, Calgary, Alberta, Canada T2G 4M1

LICENSEE ACKNOWLEDGES THAT IT HAS READ AND UNDERSTANDS THIS AGREEMENT AND AGREES TO BE BOUND BY ITS TERMS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE COMPLETE AND EXCLUSIVE STATEMENT OF THE AGREEMENT BETWEEN LICENSEE AND ARTS MANAGEMENT SYSTEMS LIMITED AND SUPERSEDES ANY PROPOSAL OR PRIOR AGREEMENT, ORAL OR WRITTEN, AND ANY OTHER COMMUNICATION RELATING TO THE SUBJECT MATTER OF THIS AGREEMENT AND MAY NOT BE MODIFIED EXCEPT IN A WRITTEN AGREEMENT SIGNED BY AN AUTHORIZED REPRESENTATIVE OF LICENSEE AND ARTS MANAGEMENT SYSTEMS LIMITED.

Monitoring Theatre Manager Services

You can quickly monitor the overall health of the Theatre Manager system with simple URL. If that does not respond as expected, there are some other things that you can do monitor the internal components. The following table gives you some ways to check the system and diagnose what is working and what is not.

ArtsMan uses open source software called Nagios to check your 'ticketing' web site every 90 seconds via the top link in the table below (Ubuntu install instructions for technically minded).

The monitoring is a free service. Our support team monitors this tool through out the day and if we notice outages during normal support hours (Monday-Friday 8-5 MST, excluding holidays), we will try to let you know. However, it is not substitute for your own monitoring services.

Monitoring

Item Purpose Monitoring Tool Expected Results
1 Verify entire system is up https://tickets.yourvenue.org/TheatreManager/1/time?force_proxy

This sends a web request asking for the time from the web services. If you get the results expected, then the database, web server, TM listener and classic listener are all working

Web page with the text TIME=20 somewhere in it
2 Verify everything but classic listeners running https://tickets.yourvenue.org/TheatreManager/1/time If the probe in #1 (above) fails, then sending the same command without '?force_proxy' tests to see if all but classic listeners are runing Web page with the text TIME=20 somewhere in it
3 Verify Web Server is up https://tickets.yourvenue.org

If the probes in #1 and 2 fail, his tests to see if NGINX is up

The url should generally change to https://tickets.yourvenue.org/TheatreManager/1/login?event=0

It means you should get a re-direct.

4 Verify Domain or Router in terminal or dos prompt, type:

NSLOOKUP tickets.yourvenue.org

you should see the static IP address for the outside your router. If you see that but get no other response to the above, then your web site is there, but perhaps your router is down.
5a Verify Database Server is Running Start up Theatre Manager on the database server machine. You should see the login window with the list of users. If so, skip to #6. If not, check that services are running.
  • OSX:, you should see 'postgres' in the activity monitor.
  • Windows: you should see postgres in the list of tasks.

Otherwise refer to starting and stopping the service for the appropriate platform.

5b Verify Database Server Running If nothing else seems to be running, you can test to see if the database server is working by remoting into the machine with the database server on it. Look for the program called 'pgadmin' and start it up.

It will have a list of connections. Pick the connection that is localhost or 127.0.0.1 and double click on it. You may need to know the password.

You should see a list of databases.
6 Verify NGINX server is running If you cannot see your web services externally from probe #1, you can test the server internally using:

http://127.0.0.1:8111/test.html

If you see the message on the web page The stage is set! then the TM server is running, but may not be configured for some services.
7a Verify TM Web Services are running Access the Director using http://127.0.0.1:3012

If you do this on each machine that is running the Director, it will tell you which components of the TM server are running on the machine and which are down, stopped, or in error

The Director web page with with a status showing that listeners, housekeepers, etc are up and running.

If you do not see this, it is stopped

7b Verify TM Web Services are running

Windows

You can also look to see if the service 'Theatre Manager Server' is running using the services control panel.

OSX

  • you can use the terminal commands to unload and reload the service to restart it
  • you can use tail to watch the log

    sudo tail -f /var/root/Library/Logs/Theatre\ Manager\ Server/activity.log

After playing with the service and/or restarting it, go back to '5a' to see if the director is running.

PCI Compliance

A Merchant's PCI compliance is obtained by setting up the network and office policies in the appropriate manner and following a few simple rules (green in the diagram). This is required regardless of the software used to process credit cards and can generally be done at a reasonable cost.

The software or hardware provided by any vendor is only a portion of the merchant's ability to meet PCI compliance. Software provided by vendors must meet the prevailing PCI PA-DSS standard to assist the merchant to meet overall PCI compliance.

Please familiarize yourself with the definitions of key terms used by the PCI DSS, PA-DSS, and key terms used by PCI SSF set by the Security Standards Council. Full documentation can be downloaded from the Official PCI Security Standards Council Site.

Meeting compliance requires some due diligence and is determined by the PCI compliance level guideline your organization needs to attain.

Depending on how your venue processes transactions, your venue can be Schedule 'A', 'A-EP', 'B','C', or 'D'.

The life cycle of a standard provided by the PCI Security Standards Council is approximately every 2 to 3 years. Once approved at a standard, it is valid even though future standards are being worked on.

The following table illustrates a brief historical summary of Theatre Manager PCI compliance

Version Standard Status Action
11.00

PCI PA/DSS 3.2.1

SSF 1.1

The next full external audit with Security Metrics is scheduled for November 2022

Theatre Manager version 11 has been reviewed for its PCI PA/DSS 3.2.1 audit as part of the 3 year cycle. A new audit for Secure Software Framework (SSF) 1.1 was done at the same time.

The onsite assessment audit took place November 7 - 10, 2022.

SecurityMetrics is in the process of submitting the Report on Validation to the PCI Council.

SecurityMetrics anticipates the report to be completed by the end of February 2023.

After the PCI Council is able to review the report, the validation certificate from the PCI Council will be posted here.

Upgrade automatically occurs November 2022
11.00 PCI PA/DSS 3.2.1 Theatre Manager version 11.0.zz has been reviewed for its PCI PA/DSS 3.2.1 audit as part of the 3 year cycle.

The audit took place in Sep 16-20, 2019 the final document was approved by the PCI council with an expiry date of Oct 28, 2022 for new installations. The image (above) is from the PCI council's web site of validated applications. Search for Arts Management.

Upgrade automatically occurs July 2020
10.06 PCI PA/DSS 3.1 Theatre Manager version 10.06.zz has been reviewed for its PCI PA/DSS 3.1 audit as part of the 3 year cycle.

The audit took place in Oct 2015 the final document was approved by the PCI council with an expiry date of Oct 28, 2019 for new installations. The image (above) is from the PCI council's web site of validated applications. Search for Arts Management.

Upgrade Oct 2015
10.02 PCI PA/DSS 2.0 Theatre Manager version 10.02 was has been reviewed for its PCI PA/DSS 2.0 audit as part of the annual change cycle.

The audit took place in Oct 2014 the final document was approved by the PCI council.

All vendors are required to tell you this.

Upgrade Oct 2014.
10.00 PCI PA/DSS 2.0 Theatre Manager version 10 has been reviewed for its PCI PA/DSS 2.0 audit as part of the 3 year cycle.

The audit took place in July 2013 the final document was approved by the PCI council in October 2013. The image to the left is from the PCI council's web site of validated applications. Search for Arts Management.

All vendors are required to tell you this.

Upgrade Oct 2013.
9 PCI PA/DSS 1.2 Meets the PCI PA/DSS 1.2 standard and approved by the PCI council in Dec 2010. Upgrade to version 9 ASAP
8 PABP 1.4 meets the PABP 1.4 standard and was certified in Oct 2008. Please refer to our certificate and approval by Visa - page 6. Install 2008
7 **Self Assessed in 2006 implements the standards required of PABP 1.4 (as of 2006), including 3DES high encryption of cards, and does not store any track II or CVV2 information. However, this version is neither audited nor certified by an external vendor (not a requirement from the PCI council at the time). Version 7 has name security measures as version 8 and was simply renamed version 8 as part of the audit. CD's sent
6 **Self Assessed in 2003 implements almost all PCI security features in effect at the time (early 2000's). Card encryption is DES and it does not track CVV2 information. Version 6 can be considered PCI compliant. Diskettes Sent

** Please note: PCI requirements have changed over the years. At one time, the PCI security council required that vendors of software 'self assess' that they have followed the guidelines. At Arts Management, we have always taken card security and privacy of information seriously and implemented many PCI features before there were published rules. That is why we felt able to meet the self assessment criteria in force at the time. However, there is a much greater need for security than ever before and we encourage merchants to fulfill their obligations to merchant agreements and upgrade to the 'certified' versions of Theatre Manager - which have been audited by external companies as meeting all the rules in effect at the time of the audit.

Main Firewall

You will need a router (with DMZ and VLAN and SPI capability) and two subnets are required within the office to implement PCI compliance. These can be reasonably priced such as the easily configurable SG-2440 pfSense router (approx $500 in 2015 prices) which has a lot of features. Please check techsoup.org if you are a not for profit organization as they have full cisco routers that you may be eligible to purchase at a discount.

We only recommend a router/firewall that has the ability to isolate the apache computer (i.e. designate an ip address for the DMZ).

Your firewall need to restrict connections between untrusted networks and any system components in the card holder environment PCI requirement 1.2.
  • Routers be a dedicated device, preferably a hardware router. If it is a software router such as one built on linux, then it must only be used only for this purpose and contain no other services.
  • It should be configured to shut down all incoming and outgoing ports except those required for business as per the following:

When you need to set up firewalls on computers, the built in firewall on windows is very flexible. On macOS, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the macOS PF Firewall.

PCI DSS Cross Reference/Index

This section indicates where to find information about selected PCI DSS requirements in the Theatre Manager installation documentation. The purpose of this section is so that you can look at a PCI requirement and then view where in our implementation documentation this is referenced.

The PCI Security Council supplies a document to merchants that provides a Prioritized Approach to PCI compliance. This document is quite good because it breaks down the standards into 6 milestones - what to do first, what to do second, etc. according to what will have the biggest impact in safeguarding your customer data.

Following the document and this index should help you address that most important PCI implementation standards quickly.

Source: PCI Prioritized Approach

Requirement 1: Install and maintain a firewall

Install and maintain a firewall and router configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.

Section PCI Requirement Comments Provided by Artsman Cloud
1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months. You will need a hardware router to protect your network.

However, if you need to set up firewalls on computers themselves, the built in firewall on windows is very flexible. On OSX, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the OSX PF firewall.

YES
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
  YES
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks Refer to Recommended Network Diagram and adapt as neccessary N/A
1.1.3 Current diagram that shows all cardholder data flows across systems and networks Refer to cardholder flow N/A
1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone Refer to NGINX Server setup to describe DMZ with one or two router situation. SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.1.5 Description of groups, roles, and responsibilities for logical management of network components   YES
1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

Refer to Firewall rules for purpose of ports that are open. YES
1.1.7 Requirement to review firewall and router rule sets at least every six months   YES
1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Refer to Firewall rules to see the ports to open. YES
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.   YES
1.2.2 Secure and synchronize router configuration files.   YES
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. refer to venue lan setup. Wireless is not to be used in the Theatre Manager LAN segment and should be setup carefully on another separate, isolated VLAN SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.   YES
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports   YES
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.   YES
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3.4 Implement anti-spoofing measures to detect and block forged source IP address from entering the network.

(For example, block traffic originating from the internet with internal source addresses).

Use commercial grade firewall YES
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. Implement specific permissions as per the firewall rules SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) Use commercial grade firewall YES
1.3.7 Place the components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. This is generally interpreted to mean:
  • The web server should be on its own machine or VM so that it can, in effect, be sacrificed if hacked. It should have really tight firewall rules managing traffic into the device and out to ONLY the web lsitener on specific ports
  • The database and web listeners could be on the same machine as long as access to each is carefully managed with appropriate firewall rules and they are not exposed to traffic from the the main firewall appliance directly
YES
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:

  • Network Address Translation (NAT)
  • Placing servers containing cardholder data behind proxy servers/firewalls or content caches
  • Removal or filtering of route advertisements for private networks that employ registered addressing
  • Internal use of RFC1918 address space instead of registered addresses.
  YES
1.4 Install personal firewall software on any mobile and/or employee-owned computers that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the organization's network.

Firewall configurations include:

  • Specific configuration settings are defined for personal firewall software
  • Personal firewall software is actively running
  • Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
These days, alll computers have one - it just needs enabled. SPLIT
  • Artsman: YES
  • Customer: Enable Firewall on Workstations
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.   YES

Requirement 2: Change Vendor Passwords

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The easiest way for hackers to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings when they deploy the software. This is the same as leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools showing them what devices are on your network, can make unauthorized entry a simple task – if you have failed to change the defaults.

Section PCI Requirement Comments Provided by Artsman Cloud
2.1 Always change vendor-supplied defaults and remove or disable unneccessary default accounts before installing a system on the network

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocl (SNMP), community strings, etc.

Change the Master User password when setting up the system.

Change any other vendor supplied passwords as described.

NO
2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Theatre Manager does NOT needs wifi for operation. Refer to venue lan setup for network diagram and what to do when placing wireless devices is a separate VLAN NO
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:

Arts Management regularly reviews industry information and implements the latest components and security patches in installers as soon as possible. SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. For example, web servers, database servers and DNS servers should be on separate servers.

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

Refer to Network Diagram for components. Also, refer to postgres setup on windows servers YES
2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system. refer to Disable SNMP service on Practical Automation Ticket Printers SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.2.3

Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Note: SSL, TLS 1.0 and TLS 1.1 are not considered strong cryptography and cannot be used as a security control after June 30, 2016.

Effective immediately, new implementations must use TLS 1.2 or later.

POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

The NGINX Server config disables all SSL protocols and enables only TLS 1.2

Theatre Manager will connect to service providers using the latest TLS that they support and have been verified to connect via TLS 1.2 when available.

YES
2.2.4 Configure system security parameters to prevent misuse   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.3 Encrypt all non-console administrative access such as browser/web-based management tools. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access. Theatre manager does not provide or require web based management tools

We suggest that customer use RDC, Teamviewer or equivalent internally for remote access management.

and that strong security be implemented similar to the password requirements for PCI compliance and use of SSH or VPN's for conection
N/A
2.4 Maintain an inventory of system components that are in scope for PCI DSS For Theatre Manager, this includes You may need to include other point of sale terminals that you obtained from your bank. N/A
2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.   NO
2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meed specific requirements as detailed in Appendix A: "Additional PCI DSS Requirements for Shared Hosting Providers." Not Applicable. Theatre Manager is not typically installed in a shared environment. N/A

Requirement 3: Protect stored cardholder data

Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.

Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.

Section PCI Requirement Comments Provided by Artsman Cloud
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all card holder data (CHD) storage:
  • Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
  • Specific retention requirements for cardholder data
  • Processes for secure deletion of data when no longer needed
  • A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements
Theatre Manager provides automatic retention and shredding capability which removes stale card information based on a retention period and/or usage for recurring transactions.

We generally recommend a maximum of 30 days for card retention, and this is only for future authorizations to supplement the original sales in case of changes. See below for post dated payments and/or which do not factor into the retention period.

There is an option to never store card information allowing a venue to implement either Schedule C or D compliance. For web Sales you can even implement Schedule A if using Moneris hosted payment.

Venues that occasionally refund to cancelled concerts do not need to store credit card data specifically for that purpose. All providers currently support linked refunds - meaning they refund to the same order and card using tokens, without needing card data stored in the database.

Post dated payments cause a card to be retained until the last automatic payment is processed, after which it is deleted.

Cloud only permits
  • Schedule A-EP - using Moneris Hosted Payments
  • Schedule C - keep no card data
  • Schedule D - with one day retention for post dated payments only
3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process

Sensitive authentication data includes the data as cited in the following requirements 3.2.1 through 3.2.3

Refer to PCI compliance statement on PAN etc.

Should the end user put credit card data into any text field (against recommended practice), Theatre Manager offers an option to search the database for possible entry of credit card numbers in non-payment text fields.

NO - Customer must occasionally search for end user entry errors
3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Note: in the normal course of business, the following data elements fro mthe magnetic stripe may need to be retained:

  • The cardholders name
  • Primary account number (PAN)
  • Expiration Date
  • Service Code
To minimize risk, store only these data elements as needed for business
If a card is swiped, the only information retained from the swipe are the following
  • The cardholders name
  • Card number (PAN), encrypted
  • Expiration Date
Theatre Manager has NEVER stored CVV2, mag stripe, or pin block data per PCI requirements.
N/A
3.2.2 Do not store the card-verification code or value (three-digit or four- digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization Theatre Manager does not store this data to disk under any circumstances - it is merely passed through to the credit card authorizer. N/A
3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block. Theatre Manager does not support entry or storage of PIN. N/A
3.3

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personell with a legitimate busines need can see the full PAN.

Note: this requirement does not supercede stricter requirements in place for displays of cardholder data - for example, legal or payment card rand requirements for point-of-sale (POS) receipts

Theatre Manager follows these rules. Card numbers are displayed as last four digits only and is only revealed if employee has permission - in which case it is logged.

All reports and most windows mask PAN

External receipt printing or web interface uses a common routine to mask the PAN immediately upon retrieval from the database so that last 4 digits only are displayed per law in most states.

N/A
3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:
  • One-way hashes based on strong cryptography
  • Truncation (hashing cannot be used to replace the truncated segment of the PAN)
  • Index tokens and pads (pads must be securely stored)
  • Strong cryptography with associated key management processes and procedures
Note: it is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to the truncated and hashed version of a PAN.
Theatre Manager uses secure high encryption for all keys and card data. N/A
3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. Theatre Manager does not use Disk Encryption.

It uses field level encryption for PAN.

N/A
3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.

Note: this requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data encrypting keys. Such key encrypting keys must be at least as strong as the data-encrypting key.

Theatre Manager handles creation and hiding of keys automatically. The user never sees them and cannot input them.

Mechanisms exist for re-encryption of any currently encrypted cards in one of two ways:

  • By the user, on demand where they invoke a function to re-encrypt all card data with a new key (that they don't know)
  • By the system, if cards have not been re-encrypted within the mandated PCI time frame, Theatre Manager will start re-encrpyting them with a new key automatically

Key encryption keys use same cryptographic specification as the encryption keys.

NO - Customer must protect user account passwords
3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary
3.5.2

Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

  • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data- encrypting key
  • Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device)
  • As at least two full-length key components or key shares, in accordance with an industry- accepted method
3.5.3

Store crpytographic keys in the fewest possible locations

3.6

Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data including the following:

refer to re-encryption of credit cards for discussion on keys, generation and re-encryption. Any upgrade will automatically perform this process if more than 300 days have elapsed since last re-encrption.

Split 'knowledge' of the keys is achieved by bringing together a key generated programmatically and another portion generated by the customers interfacing with the key creation screen in system preferences.

Both keys are required to generate the final encryption key. Arts Management never has knowledge of the customers portion of the key. The customer never knows the value of any key. A key valid for one database for a period of time will not work on any other database.

Old keys are securely deleted from the database by writing over the key value and then deleting it immediately after a new seed key is generated.

NO - Customer must protect user account passwords
3.6.1 Generation of strong cryptographic keys
3.6.2 Secure cryptographic key distribution
3.6.3 Secure cryptographic key storage
3.6.4

Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher- text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).

3.6.5

Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.

3.6.6

If manual clear-text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control

for example, requiring two or three people, each knowing only their own key component, to reconstruct the whole key.

3.6.7 Prevention of unauthorized substitution of cryptographic keys
3.6.8 Requirement for cryptographic key custodians to sign a form stating that they understand and accept their key-custodian responsibilities

Venues do not know the cryptographic key.

However, they should have a form signed by the people/person responsible for key management that they reset the key once a year at a minimum or when suspected compromise occurs. Note it will be changed automatically on you during an upgrade if Theatre Manager detects it hasn't been changed for 300 days.

3.7

Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.

  SPLIT
  • Artsman: This documentation and Artsman staff training
  • Customer: Training of own staff

Requirement 4: encrypt transmission of cardholder data

Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

Section PCI Requirement Comments Provided by Artsman Cloud
4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
  • Only trusted keys and certificates are accepted.
  • The protocol in use only supports secure versions or configurations.
  • The encryption strength is appropriate for the encryption methodology in use

Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:

  • The Internet
  • Wireless technologies including 802.11 and Bluetooth
  • Global System for Mobile communications (GSM)
  • General Packet Radio Service (GPRS).
  • Satellite communications
See Direct Card Processing which all use HTTPS.

Theatre Manager uses TLS 1.2 wherever possible to connect to credit card authorization servers for one time authorization and only allows TLS 1.2 or later for incomming web sales.

Theatre Manager does not use any wireless communication methodologies of any form.

Theatre Manager does not transmit any credit card information across public networks for any reason except in the process of authorization

SPLIT
  • Artsman: Uses TLS 1.2 and TLS 1.3, when available.
  • Customer: Must ensure that all workstations support TLS 1.2+
4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i - aka WPA2) to implement strong encryption for authentication and transmission.

Note: The use of WEP as a security control is prohibited.

Theatre Manager does not use or require wireless capability when transmitting any card data. Refer to venue lan setup and considerations for separate wireless access points NO - If customer is using wireless networks to access cloud services, then they must secure them appropriately
4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.). see misc PCI requirements N/A - authorization of cards is only supported in Theatre Manager
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. Venues are advised during installation about this requirement including not saving CVV2 and protecting card data in a safe if written down.

You will need write a policy on how you manually save CC data, how you track who has access to it, how you store it in a safe and/or behind locked doors.

Make sure the policy also includes that you never email card data in entirety and card data on paper is only kept as long as you need it.

Theatre Manager handles all transmission of data via TLS 1.2 or better (it only users the latest transmission security protocols as mandated by PCI.)

NO - Customer must educate own staff on card handling policies

Requirement 5: Use and regularly update anti-virus software

Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business- approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

Section PCI Requirement Comments Provided by Artsman Cloud
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and file servers). See specifics for SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. You must keep your anti-virus software up to date with latest definitions SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

For Theatre Manager database and TM server, ensure those processes are the only thing running on the machine. Keep them separate from a domain server to limit who can actually log in to the server.

Check with the vendor of other systems in use.

SPLIT
  • Artsman: Process isolation is used extensively and services are continuously monitored
  • Customer: Workstations must be audited
5.2 Ensure that all anti-virus mechanisms are maintained as follows:   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

  SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.   SPLIT
  • Artsman: This documentation and staff training
  • Customer: Own staff training

Requirement 6: Develop and maintain secure systems and applications

Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.

Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

Section PCI Requirement Comments Provided by Artsman Cloud
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high', 'medium', or 'low') to newly discovered security vulnerabilities.

Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk- assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.

  SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Note: Critical security patches should be identifies according to the risk ranking process defined in requirement 6.1

There are two settings in Company Preferences Other Tab that enable:
  • checking daily for updates to TM processes and/or
  • automatically update affected components (optional).
You may need to enable a specific outbound ports for update checking to www2.artsman.com.

Refer to the list of past and present issues to assist you updating your own vulnerability assessment.

We regularly review Postgres, NGINX & OpenSSL to provide the latest patches in each version our installers.

SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
6.3 Develop internal and external software application (including web-based administrative access to applications) securely, as follows:
  • in accordance with PCI DSS (for example, secure authentication and logging)
  • based on industry standard and/or best practices.
  • Incorporating information security throughout the software development life cycle.

Note: this applies to all software developed internaly as well as bespoke or custom software developed by a third party.

  SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.   N/A
6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
  • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices
  • Code reviews ensure code is developed according to secure coding guidelines
  • Appropriate corrections are implemented prior to release
  • Code-review results are reviewed and approved by management prior to release
  N/A
6.4 Follow change control procedures for all changes to system components. The procedures must include the following:   SPLIT
  • Artsman: Theatre Manager applications, web sales and database
  • Customer: Workstations
6.4.1 Separate development/test and production environments and enforce the separation with access controls  
6.4.2 Separation of duties between development/test and production environments  
6.4.3 Production data (live PANs) are not used for testing or development Only specified test cards are used
6.4.4 Removal of test data and accounts before production systems become active  
6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following:  
6.4.5.1 Documentation of impact  
6.4.5.2 Documented change approval by authorized parties.  
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.  
6.4.5.4 Back-out procedures. Development uses git and branches so that changes can be reverted.
6.5 Address common coding vulnerabilities in software development process as follows:
  • Train developers in secure coding techniquies, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory
  • Develop applications based on secure coding guidelines

Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

Refer to Current OWASP Top 10 SPLIT
  • Artsman: Applications and default web page templates
  • Customer: Customized web page templates
6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws
6.5.2 Buffer overflow
6.5.3 Insecure cryptographic storage
6.5.4 Insecure communications
6.5.5 Improper error handling
6.5.6 All 'high risk' vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
6.5.7 Cross-site scripting (XSS)
6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions)
6.5.9 Cross-site request forgery (CSRF) TM server ensures all <form> have CSRF token for prevention.
6.5.10 Broken authentication and session management Theatre Manager web services uses encrypted secure cookies that are httpd-only.
6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  • Reviewing public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks (for example web-application firewall) in front of public-facing web applications, to continually check traffic

AMS updates NGINX builds as needed (and config settings) to respond to newly reported threats.

AMS uses SPI for all web traffic internally.

YES
6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.   SPLIT
  • Artsman: This documentation and staff training
  • Customer: Own staff training

Requirement 7: Restrict access to cardholder data

Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities.

Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.   Artsman: web sales and database
Customers: user access setup/permissions
7.1.1 Define access needs for each role, including:
  • System components and data resources that each role needs to access for their job function
  • Level of privilege required (for example, user, administrator, etc.) for accessing resources
Access to various data can be set on a per user basis in Employee Access Customers: user access setup/permissions
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. Creating a user in Theatre Manger defaults to minimal access to card data/ and/or functions. Users are advised to only use the administrator account on a rare-need to administer the system basis. Customers: user access setup/permissions
7.1.3 Assign access based on individual personnel's job classification and functions   Customers: user access setup/permissions
7.1.4 Require documented approval by authorized parties specifying required privileges   Customers: user access setup/permissions
7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

This access control system must include the following:

   
7.2.1 Coverage of all system components Refer to employee settings and function access for credit cards Customers: user access setup/permissions
7.2.2 Assignment of privileges to individuals based on job classification and function Customers: user access setup/permissions
7.2.3 Default "deny-all" setting Customers: user access setup/permissions
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.   Customers: user access setup/permissions

Requirement 8: Assign a unique ID to each person

Assign a unique ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.

The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.

Note:

  • These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance).
  • However, Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

Section PCI Requirement Comments Responsibilities on Artsman Cloud
8.1 Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows: Theatre Manager implements PCI standards. You may need a manual process for other applications or hardware. Customer: via Theatre Manager
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.  
8.1.3 Immediately revoke access for any terminated users.  
8.1.4 Remove/disable inactive user accounts within 90 days. Refer to the PCI Security Tab in System Preferences for settings. Theatre Manager enforces stronger password policies than the minimum PCI standards.
8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Monitored when in use.
Theatre Manager uses Teamviewer for one-time access, granted as needed.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. Theatre Manager limits incorrect password attempts to a total of 6 since the last successful attempt and locks out the account on failure.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. Lockout duration in Theatre Manager is permanent. Locked out employee must be re-instated by administrator.
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. Theatre Manager has two timeouts. After 15 minutes of inactivity, the user will see a lock screen and need only put in their password again to continue.

There is a longer timeout in Company Preferences->Reports where you can specify when an idle user will be forced odd the system.

The process is:

  • After 15 minutes, lock the app and require a password
  • After the longer timeout, shut down the application completely.
In addition to the feature built into Theatre Manager for auto log out, you are encouraged to use the screen saver provisions that require passwords after the screen saver is activated.
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
  • Something you know, such as a password or passphrase
  • Something you have, such as a token device or smart card, specific IP, key access to a locked room
  • Something you are, such as a biometric
  Customer: password via Theatre Manager, tokens and biometrics for Operating System login
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. Passwords are never transmitted in clear text when logging on to the database.

User Passwords are stored in the database in encrypted format and established in PostgreSQL as a hash of that encrypted value.

When a user logs in, the password is converted to the salted hash and that is used to login. All communication to the PostgreSQL Database is over a secure connection, currently TLS 1.2 or better.

automatic via Theatre Manager
8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. Only administrators are able to reset a password, reinstate an employee and/or regenerate credit card encryption keys. automatic via Theatre Manager
8.2.3 Passwords/phrases must meet the following:
  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Theatre Manager enforces
  • Minimum 7
  • One upper
  • One lower
  • One numeric
  • One Special
  • No repeated characters
automatic via Theatre Manager
8.2.4 Change user passwords/passphrases at least once every 90 days. Theatre Manager enforces this Customer: follow Theatre Manager prompts to change password
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. Theatre Manager enforces 12 and that can be raised automatic via Theatre Manager
8.2.6 Set passwords/phrases for first- time use and upon reset to a unique value for each user, and change immediately after the first use. Theatre Manager enforces change of password at time of login for first time users automatic via Theatre Manager
8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

Examples of two-factor tehcnologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens, and other technologies that facilitate two-factor authentication.

Two factor authentication means something you know and something you are given. Our QSA (the auditor who assesses Theatre Manager's ability to meet PCI compliance) has indicated that Teamviewer meets that requirement when used per the instructions. The multiple factors include:
  • The user must start the application manually (it is not active by default)
  • A unique Id must be provided to Artsman by the customer
  • A single use token must be provided to ArtsMan that cannot be reused.
effectively being 3 factors that must occur for access to be granted successfully.
automatic via Theatre Manager
8.4 Document and communicate authentication policies and procedures to all users including:
  • Guidance on selecting strong authentication credentials
  • Guidance for how users should protect their authentication credentials
  • Instructions not to reuse previously used passwords
  • Instructions to change passwords if there is any suspicion the password could be compromised.
All Theatre Manager user passwords are encrypted in the database. MD5 authentication is recommended at a minimum for accessing the database (this is the default standard in the pg_hba.conf file) automatic via Theatre Manager
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
  • Generic user IDs are disabled or removed.
  • Shared user IDs do not exist for system administration and other critical functions.
  • Shared and generic user IDs are not used to administer any system components.
There are no generic passwords. User ID's and Passwords are created by the user on installation. automatic as part of Theatre Manager installation practices
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.

Arts Management does not require permanent remote access to your servers. Temporary access is always initiated by the customer as described in the teamviewer remote support help page. Customer: provides Local access via Teamviewed if required
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
  • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
  Artsman: cloud
Customer: workstation
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
  • All user access to, user queries of, and user actions on databases are through programmatic methods.
  • Only database administrators have the ability to directly access or query databases.
  • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

Access to the db is controlled by the pg_hba.conf file and it is set so that all users must log in to read data.

The user's id for the database is set by the application and not known.

The password in postgres is set by the application and stored encrypted. Thus, the user cannot access the database even knowing their user ID and password because it is not the same as plain-text.

Cloud database access for users is managed through an access broker system (with revokable tokens) followed by customer user id/password

Artsman: cloud
Customer: workstation
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.   Artsman: cloud
Customer: workstation

PCI UserId and Password Requirements

Theatre Manager implements fully PCI DSS compliant AES256 encrypted passwords per PCI DSS standard 8.1 and this feature cannot be changed or overridden.

In addition, Merchants must use PCI DSS compliant passwords to access to all system components (i.e. any computer, firewall, router, etc. on the network) and these passwords must be changed from any vendor supplied initial values per PCI standard 2.1.

Note: Do not reduce the level of authentication complexity or compliance in these other system components if it will result in PCI non-compliance.

This means all login passwords must be:

  • reviewed and changed every 90 days. Theatre Manager will enforce password changes automatically. This must be manually done on those devices that do not force change of passwords like routers and firewalls. (PCI DSS 8.1.4)
  • 7 characters or more (PCI DSS 8.2.3)
  • mixed case consisting of at least uppercase and one lowercase letter (PCI DSS 8.2.3)
  • contain at least one number and special character (PCI DSS 8.2.3)
  • cannot be the same as an previous 12 passwords (PCI DSS 8.2.5)
  • cannot have characters or numbers repeated together
Change all passwords from any vendor default password that might be used for installation per PCI DSS 2.1. For example, you must:
  • Change the Theatre Manager 'Master User' password when the system is installed.
  • Change the user and password on any router from anything printed in the manufacturer's documentation
  • Make sure that accessing each computer requires a password and does not 'auto-login'
  • Ensure that screen savers are implemented that require passwords to be entered whenever the screen saver is activated. Screensavers (or some other mechanism for locking computers) must activate after 15 minutes of idle time or less on all workstations and servers. Theatre Manager also has an inactivity timeout that will log people out of the application. Using both features improves security. (PCI DSS 8.1.8)

Each user that has access to any systems in your network must have a unique user id and password per PCI-DSS standard 8.1.1

Never use the Master User account for daily operations.

It should only be used when creating other accounts or for other very specialized needs as directed by Arts Management Systems.

If your network has 'master' domain server (or open directory on OSX) available that could control password authentication for all machines, please ensure that the security policies on the domain/directory server is set to enforce PCI/DSS passwords and that all machines in the network log in using authentication from the server.

If a domain/open directory server is not available to enforce password settings, then each machine/user must use PCI/DSS compliant passwords.

If a user tries more than 6 times to gain access to the system, Theatre Manager automatically resigns the user - which means that they are locked out permanently until manually re-instated per PCI-DSS standard 8.1.6 and 8.1.8

Teamviewer: ArtsMan Technical Support

Theatre Manager staff should not required permanent access to your machines, except under very specific circumstances. The remote access feature in Theatre Manager is designed for one time, permitted access.

Remote Access/Support

The process for actual access to the remote machine is as follows:

  • The customer must initiate a support request that involves a phone conversation
  • In that phone conversation, it is determined that a timely resolution involves connecting remotely to provide assistance
  • Arts Management confirms the identity to the customer by providing the customer with the case number they created to continue with support (PCI requirement for second authentication).
  • The customer then starts the remote assistance software by either:
    • clicking the Remote Assistance button on the toolbar after logging into Theatre Manager. It is on the right side of the toolbar as per the above image. Since you must have logged into Theatre Manager to activate remote support, It is not active by default. -OR-
    • By starting Theatre Manager and clicking the Support button on the login page as per the diagram to the right. This is useful if you are unable to log in for any purpose
  • The customer provides two keys created by Teamviewer: an ID and a random generated 8 character password (containing numbers and letters and, unique to the session) as per the image below. Both of these are conveyed to the AMS support representative.
  • Arts Management Support activates remote assistance manager and enters both keys to gain remote access
When Remote Access is disconnected, another remote support session requires a new set of keys to be provided. The customer is in complete control of the session at all times with a visual indicator showing the connection status.

 

How does it work?

TeamViewer uses SSH for authentication and brokering of session keys. It communicates with the master cluster through DNS names, which delegates the brokering of the session to the TeamViewer servers. Connection to the routing server and KeepAlive server is done directly via IP addresses.

The servers are spread across the globe and located at large data centers; their IP addresses are not organized in common subnets or IP ranges. TeamViewer continuously top scales the server network as the number of TeamViewer users grows, so it is not possible to have a fixed set of IP addresses, because this list would very soon be outdated.

Communication is done to URLs of the format:

  • *.teamviewer.com
  • *.dyngate.com
By default TeamViewer uses only the outgoing port 80 (HTTP) so that no firewall configuration is necessary. Alternatively you can open port 5938 (TCP) for outgoing connections if you wish to block port 80.

Requirement 9: Restrict physical access to cardholder data

Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. This means locks on a computer room door or places (like box office) where people can access machines that can access card holder data. Artsman: cloud
Customer: workstation
9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: "Sensitive areas" refers to any data center, server room or any area trefers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of- sale terminals are present, such as the cashier areas in a retail store.

  Artsman: cloud - SOC 2 compliant data centres
9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.

For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.

  Artsman: cloud - SOC 2 compliant data centres
Customer: internal network
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.   Artsman: cloud - SOC 2 compliant data centres
Customer: internal network
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
  • Identifying onsite personnel and visitors (for example, assigning badges)
  • Changes to access requirements
  • Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Artsman: cloud - SOC 2 compliant data centres
Customer: internal network
9.3 Control physical access for onsite personnel to sensitive areas as follows:
  • Access must be authorized and based on individual job function.
  • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
  Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.4 Implement procedures to identify and authorize visitors.

Procedures should include the following:

  Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.  
9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.  
9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.  
9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.

Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log.

Retain this log for a minimum of three months, unless otherwise restricted by law.

 
9.5 Physically secure all media   Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.   Artsman: cloud - SOC 2 compliant data centres
9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:   Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures
9.6.1 Classify media so the sensitivity of the data can be determined.  
9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.  
9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).  
9.7 Maintain strict control over the storage and accessibility of media.    
9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.   Artsman: automated backups, recycle and deletion policies
9.8 Destroy media when it is no longer needed for business or legal reasons as follows:    
9.8.1 Shred, incinerate, or pulp hard- copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.   Artsman: automated secure deletion
9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. There is a tool on windows called Eraser that will handle this for you. On the Mac, use Secure-Empty Trash. Refer to this link for more information about using them. Artsman: automated secure deletion Customer: should ensure no local cardholder storage in spreadsheets etc
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Note: These requirements apply to card- reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

This does not apply to Theatre Manager as it does not use card reading devices for card present transactions. Customer: protect any pin pad devices accordingly
9.9.1 Maintain an up-to-date list of devices. The list should include the following:
  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification.
For point of sale devices Customer: wokstation inventory
9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

For point of sale devices Customer: wokstations and /or pinpad
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
For point of sale devices Customer: wokstations and/or pinpad
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.   Artsman: Cloud
Customer: wokstations and devices

Requirement 10: Track and monitor all access to network

Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
10.1 Implement audit trails to link all access to system components to each individual user.   Artsman: via Theatre Manager
Customer: workstation
10.2 Implement automated audit trails for all system components to reconstruct the following events:    
10.2.1 All individual accesses to cardholder data Refer to PCI Audit Logs. Theatre Manager tracks every time a user views the entire credit card data for any patron.

The Theatre Manager logs can be exported to your common logging tools. Refer to exporting logs to see how to accomplish this.

Theatre Manager tracks access to card data for Customers
10.2.2 All actions taken by any individual with root or administrative privileges Not applicable to Theatre Manager - it is applicable to your operating system. Only access to CC data is via Theatre Manager
10.2.3 Access to all audit trails   via Theatre Manager
10.2.4 Invalid logical access attempts Incorrect login attempts to Theatre Manager are tracked in the audit logs. via Theatre Manager
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges Theatre Manager tracks each log in and log out, user creations and when people are given a temporary priviledge. These transaction are of type 'A' in the database (for Audit) via Theatre Manager
10.2.6 Initialization, stopping, or pausing of the audit logs Theatre Manager access audit logs cannot be stopped or deleted via Theatre Manager
10.2.7 Creation and deletion of system-level objects This is not possible in Theatre Manager Theatre Manager does not allow entity deletion
10.3 Record at least the following audit trail entries for all system components for each event: refer to PCI audit Log description via Theatre Manager
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

Note: One example of time synchronization technology is Network Time Protocol (NTP).

You must allow each computer to access a respected NTP Server (network time protocol). This is typically built into the operating system and firewall rules should automatically enable this feature.

Theatre Manager uses the time at the postgres server as the single time source for transactions across all workstations. All data istimestamped with now(), making time diferences on workstations irrelevant.

Regardless, an alert is given to a user if their workstation does not match the server to within 30 seconds.

Effectively, if the postgres server is set according to an NTP server; all workstations transactions are synced with the postgres server to create a unified approach to time.

via Theatre Manager
10.4.1 Critical systems have the correct and consistent time
10.4.2 Time data is protected
10.4.3 Time settings are received from industry-accepted time sources
10.5 Secure audit trails so they cannot be altered   Artsman: SOC 2 compliant data centres with real time monitoring and logging
Customer: Workstation controls
10.5.1 Limit viewing of audit trails to those with a job-related need Theatre Manager logs are not sensitive in themselves due to what they track. However, after exporting them and storing them in your centralized logging facility, you will need to limit access because of the other systems you may be logging.
10.5.2 Protect audit trail files from unauthorized modifications. You cannot modify or delete Theatre Manager logs
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. In addition to exporting logs, the multiple daily database backups create redundancy in the storage of the TM audit logs.
10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN. This means things like router logs need to be stored internally.
10.5.5 Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).  
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity Refer to exporting logs to see how to export TM access logs in excel format so that you can import to your common log server. Artsman: SOC 2 compliant data centres with real time monitoring and logging
Customer: Workstation controls
10.6.1 Review the following at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
PCI Audit Logs
10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.  
10.6.3 Follow up exceptions and anomalies identified during the review process.  
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). PCI logs are permanent in the database via Theatre Manager
10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.   Artsman: web sales and database
Customer: workstation

Requirement 11: Regularly test security systems and processes

Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

Section PCI Requirement Comments Responsibilities on Artsman Cloud
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

iStumbler is a great little tool on the mac that is donation ware - it can find a lot of items that are broadcasting signals.

Alternately, inspect each device that is within the card portion of the network and make sure wireless is off.

Note: on AMS cloud servers, all network connections are physical wiring - there are no possible WIFI access points.

Artsman: N/A - no access points
Customer: workstations
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.   Artsman: N/A - no access points
Customer: workstations
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.   Artsman: N/A - no access points
Customer: workstations
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies

  1. the most recent scan result was a passing scan,
  2. the entity has documented policies and procedures requiring quarterly scanning, and
  3. vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
  Artsman: web sales and database scans
Customer: workstation scans
11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.   Artsman: web sales and database
Customer: workstations
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.

  Artsman: web sales and database
Customer: workstations
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change.

Scans must be performed by qualified personnel.

  Artsman: web sales and database
Customer: workstations
11.3 Implement a methodology for penetration testing that includes the following:
  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.
  Artsman: web sales and database tests
Customer: workstation tests
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).   Artsman: web sales and database
Customer: workstations
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).   Artsman: web sales and database
Customer: workstations
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.   Artsman: web sales and database
Customer: workstations
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.   Artsman: web sales and database
Customer: workstations
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

  Artsman: web sales and database
Customer: workstations
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

  Artsman: web sales and database
Customer: workstations
11.5.1 Implement a process to respond to any alerts generated by the change- detection solution.   Artsman: web sales and database
Customer: workstations
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties   Artsman: web sales and database
Customer: workstations

Requirement 12: Maintain a policy that addresses information security for employees and contractors

Maintain a policy that addresses information security for employees and contractors

As part of Theatre Manager's PA-DSS implementation process, creating a policy guide will be brought to the attention of venues desiring to be PCI compliant

Section PCI Requirement Comments Responsibilities on Artsman Cloud
12.1 Establish, publish, maintain, and disseminate a security policy. This relates to practices surrounding PCI Card data Artsman: employees/cloud Customer: employees & workstations
12.1.1 Review the security policy at least annually and update the policy when the environment changes.   Artsman: cloud
Customer: workstations
12.2 Implement a risk-assessment process that:
  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  • Identifies critical assets, threats, and vulnerabilities, and
  • Results in a formal, documented analysis of risk.
Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
  Artsman: cloud
Customer: Review own document
12.3 Develop usage policies for critical technologies and define proper use of these technologies.

Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

Ensure these usage policies require the following:

  Artsman: cloud
Customer: workstations
12.3.1 Explicit approval by authorized parties   Artsman: cloud
Customer: workstations
12.3.2 Authentication for use of the technology   Artsman: cloud
Customer: workstations
12.3.3 A list of all such devices and personnel with access Arts Management allows only tools approved for use by Management on workstations. Customer is responsible for tools on their machines. Artsman: cloud
Customer: workstations
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)   Artsman: cloud
Customer: workstations
12.3.5 Acceptable uses of the technology   Artsman: cloud
Customer: workstations
12.3.6 Acceptable network locations for the technologies   Artsman: cloud
Customer: workstations
12.3.7 List of company-approved products   Artsman: cloud
Customer: workstations
12.3.8 Automatic disconnect of sessions for remote access technologies after a specific period of inactivity   Artsman: cloud
Customer: Workstations have limited login time per System Preferences.
12.3.9 Activation of remote access technologies for vendors only when needed by vendors, with immediate deactivation after use Team Viewer is designed in exactly this manner.
  • Artsman support is trained to only ask for one time access if needed and disconnect when done.
  • The customer is required to provide the access and quit Teamviewer when a session is over.
Customer: workstations
12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

All card data in the database at rest is encrypted or shredded. All card data in motion is encrypted via TLS 1.2 between machines and enforced by database connection. Reports do not show complete PAN, per PCI compliance

Customer: responsible for local policies secure storage of paper copies of PAN data and not transmitting to patrons via email.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.   Artsman: cloud
Customer: workstations
12.5 Assign to an individual or team the following information security management responsibilities   Artsman: cloud
Customer: workstations
12.5.1 Establish, document, and distribute security policies and procedures.  
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.  
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.  
12.5.4 Administer user accounts, including additions, deletions, and modifications  
12.5.5 Monitor and control all access to data.  
12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.   Artsman: this document and staff training
Customer: own staff training
12.6.1 Educate employees upon hire and at least annually.

Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.

  Artsman: cloud
Customer: workstations
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. This can be a signed document that they have reviewed the security policy Artsman: cloud
Customer: workstations
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

  Artsman: cloud
Customer: workstations
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: Theatre Manager is designed so that cardholder data cannot be shared withany body. Staff do not have access to card data. Customer: workstations- inform staff not to share card data
12.8.1 Maintain a list of service providers. We suggest placing them in Theatre Manager and adding them to a mail list called PCI Compliance contacts Artsman: cloud
Customer: workstations
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

  Artsman: cloud
Customer: workstations
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.   Artsman: cloud
Customer: workstations
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually. Arts Management is responsible to ensure Theatre Manager is audited for PCI-DSS and approved by the PCI council. Artsman: vendor PCI DSS annually
Customer: merchant responsibilities
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.   Customer: this document describes areas which Artsman is responsible
12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include th

  • Theatre Manager provides technology to manage data securely in PCI context but does not enter or use card data, nor maintain any merchant acconts on behalf of the customers.
  • Each customer is solely responsible for engaging a merchant provider, processing all card (using Theatre Manager to assist). deciding on card data retention requirements, and maintaining policies for managing their data and merchant relationship.
Customer
12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.   Artsman: cloud
Customer: workstation
12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
  • Roles, responsibilities and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands
 
12.10.2 Test the plan at least annually.  
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.  
12.10.4 Provide appropriate training to staff with security breach response responsibilities.  
12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion- prevention, firewalls, and file-integrity monitoring systems.  
12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.  

PostgreSQL Database Server

The following instructions are used to set up a PostgreSQL server for use with the Theatre Manager application. Please follow the directions appropriate for the server platform you are using.

  • Installation on a Macintosh
  • Installation on Windows
  • Postgres will run on Linux and other Unix variants. You will have to install the server yourself by obtaining it from the PostgreSQL web site and follow much of the Macintosh setup steps for configuration and backups. We do not provide automatic installers or configuration/operational support for Linux servers.

The server only needs to be set up on one machine where you want the database to reside. Theatre Manager can be set up on as many machines as you wish.

  • Always make off machine AND offsite backups of the database. Consider implementing streaming replication. Backups are your best protection against almost all disasters, viruses or ransomware.
  • NEVER join a domain. This limits the people who can see or get into the machine remotely and largely avoids viruses.
  • Only allow external access via port 5432 for SQL traffic. Do not allow file server access.
  • If you must, only install virus software on the PostgreSQL Server under very controlled circumstances and never allow virus scanners to scan the actual Postgres database directories.

    Remember that Virus Software is the strongest attack vector for the bad guys and not guaranteed safety.

Replication is a feature of Postgres and is automatically set up for venues using AMS Cloud. Self service venues may set this up if they wish - the support team is unable to help you.
If you are using PCI schedule 'A", 'B', or 'C' compliance, credit card information will never pass through the database and it can effectively be taken out of PCI scope.

Refer to Postgres security notices for list of security issues addressed in each version.

Theatre Manager Desktop Application

Installing or Updating??

Installing or Updating Theatre Manager is a similar process. If you do not already have the latest TM installer, you can obtain in one of three ways:

  • If you have Theatre Manager, you can check to see if an update is available which you can copy to any machine, even one without TM on it.
  • If TM notices an out-of-date component, it downloads the latest installer while you work and prompts for an update when you log in.
  • If you are new to Theatre Manager, you will have been provided a link in an email

Once you have the latest available version of the Theatre Manager installer/updater, please follow the specific instructions for:

  • Macintosh - macOS 11 Monterey and later recommended - MacOS 12 Big Sur and later will work with 64 bit -or-
  • Windows - Windows 11 recommended - Windows 8.1 or later will work for 64-bit
  • using the General Upgrade Steps as an overall guide.

 

If you set the PCI setting in Theatre Manager 'C', credit cards are never placed in the database. Thee card information is merely passed to the processor and immediately forgotten.
Running an upgrade will, if appropriate, automatically generate a random new PCI seed key and re-encrypt credit cards using the new key. In the process, this destroys any previous crypto keys per PCI DSS standard 3.6.

Credit cards that have been shredded are not affected by the re-encryption process.

Refer to re-encrypting cards if you wish to do this manually.

Theatre Manager has never stored CVV2, Track II or any other non PCI compliant information so removal is not necessary per PCI DSS standard 3.3.

  • Version 8 was certified under PABP 1.4. This audit provided verifiability that there was no CVV2 data.
  • Version 9 was certified under PA-DSS 1.2, also verifying there was no CVV2 data.
  • Version 10 was certified under PA-DSS 2.0, also verifying there was no CVV2 data
  • Version 10.6 was certified under PA-DSS 3.1, also verifying there was no CVV2 data
  • Version 11.0 was certified under PA-DSS 3.2.1, also verifying there was no CVV2 data
  • Future versions will never have any protected data as per PCI requirements.

Macintosh Theatre Manager

Now that the database server is setup and a sample database is imported, we can install Theatre Manager on the machine. These instructions are for installing on Macintosh. If you are using a mixed environment, please refer to the Windows instructions as well.
During a Full Install you will need to provide the administrator password to your machine. If you do not know this, contact your IT support or Systems Administrator.
You may need to go to Apple Menu >> System Preferences >> Security & Privacy to allow apps that are downloaded from anywhere.
If you are unable to install, you might need to use the following command in terminal before running the installer More info is under disable power saving settings - Step 1:

sudo spctl --master-disable

1. Download the Theatre Manager Mac installer if you have not done so. This link is supplied upon request.
When downloading any update for Theatre Manager, please make sure your personal firewall is turned on PCI requirement 1.4
2.
  • Double click on the TMSetup.zip program you downloaded to extract the TheatreManager.pkg file.
  • Double click on the TheatreManager.pkg that was just extracted to begin the install process and respond to the prompts as follows
In recent versions of macOS, you may need to make a change in System Preferences after attempting to run the installer the first time before it will work.

Click continue

Click continue and read the license agreement

Click 'Agree' to accept the agreement and continue

Click Install

Enter your password (or if you have a Mac with Touch ID, use your finger)

Click 'Close' when done.

3. After installation, look for Theatre Manager link on the desktop and double-click on it to start it up. There will also be a file called TMPreview.pdf on the desktop that illustrates some key features of TM.
4.
For databases on your local server: enter the IP address of your server and click search to see the list of databases.
If your real database is in the AMS cloud, follow these instructions.
For Demo databases: If you get asked to find a database, enter the IP address 127.0.0.1 below and click Search. Normally, you should not need to do this, as the Demo database is always assumed to be on the local machine.

If you cannot connect to the database, check the following settings:

  • make sure port 5432 is open on your machine
  • make sure that the TheatreManagerDemo database got installed by using pgAdmin as per the section below, then come back and try connecting again.
5. (optional) If you are running a demonstration copy of Theatre Manager, you will see a first time setup screen asking you for your company information. All fields except the second line of address and the web site are mandatory. After you put this in the first time, you will not see it again.

These fields are used during the demo to show how Theatre Manager verifies information for you. For example, the city, state and country you enter becomes the default country for new patrons that you may add to the database. The area code for the phone number fields becomes the default for patron entry, etc.

Notice how Theatre Manager converts whatever you type into the proper case as it tries to assist in data entry.

6. Then, if you are able to connect to the database and enter the company information, you will see the login window below. The password for any of the users in the demo is 'master' (without the single quotes).
7. (Optional) if you are running Catalina, you may need to make a change to system preferences to allow permission.
  • Open System Preferences
  • Click on the Security & Privacy preferences
  • Click on the Privacy tab
  • click on Input Monitoring
  • Unlock the preferences to allow changes
  • Click on the checkbox beside Theatre Manager to enable the permission
8. In a production environment, once connected to the database in step 5, you can run the TMSetup file on any other machine in the network. After changing the pg_hba.conf file, and by editing the serial.txt file, you should be able to connect to the database.
You will need to use the IP address of the server to connect, instead of 127.0.0.1, and if you cannot connect to the server:
  • make sure port 5432 is open on the server
  • make sure that the real database is installed and setup using pgAdmin
  • there are no firewalls blocking access
  • the pg_hba.conf IP settings are correct and the server has been restarted

Windows Theatre Manager

Now that the database server is setup and a sample database is imported, we can install Theatre Manager on the machine. These instructions are for installing on Windows. If you are using a mixed environment, please refer to the Macintosh instructions as well.
During a Full Install you may need to:
  • provide the administrator password to your machine. If you do not know this, contact your IT support or Systems Administrator
  • Disable anti-virus software temporarily and/or provide an exclusion for the c:\Program Files\TheatreManager directory.

1. Download the TheatreManager PC installer if you have not done so. This link is supplied upon request
When downloading any update for Theatre Manager, please make sure your personal firewall is turned on PCI requirement 1.4
2. Run the TMSetup.exe program and respond to all prompts as follows.

Click 'Next'

Read the licence agreement and click 'Yes' to agree to its terms and conditions

Click 'Next'

The installer will begin putting Theatre Manager into the 'C:\Program Files' folder.

Click 'Close'

3. After installation, look for a TheatreManager icon on the desktop or in the Start Menu and open Theatre Manager
4.

If you get asked to find a database, enter the IP address 127.0.0.1 below and click search. Normally, you should not need to do this as the Demo database is always assumed to be on the local machine.

If you cannot connect to the database, check the following settings:

  • make sure port 5432 is open on your machine
  • make sure that 'everyone' has access to all files in the 'C:\Program Files\Theatre Manager' directory
  • make sure that the demo database was installed by using pgAdmin as per the section below... then come back and try connecting again.
5. (Optional) If you are running a demonstration copy of Theatre Manager, you will see a first time setup screen asking you for your company information. All fields except the second line of address and the web site are mandatory. After you put this in the first time, you will not see it again.

These fields are used during the demo to show how Theatre Manager verifies information for you. For example, the city, state, and country you enter becomes the default country for new patrons that you may add to the database. The area code for the phone number fields becomes the default for patron entry, etc.

Notice how Theatre Manager converts whatever you type into the proper case as it tries to assist in data entry.

6.

Then, if you are able to connect to the database and enter the company information, you will see the login window below. The password for any of the users in the demo is 'master'

7.

In a production environment, once you are connected to the database in step 5, you can run the TMSetup.exe file on any other machine in the network. After changing the pg_hba.conf file, you should be able to connect to the database.

You will need to use the IP address of the server to connect instead of 127.0.0.1 and if you cannot connect to the server:
  • make sure port 5432 is open on the server
  • make sure that 'everyone' has access to all files in the 'C:\Program Files\Theatre Manager' directory
  • make sure that the real database is installed and setup using pgAdmin
Make sure to also turn off power saving on your ethernet card on all servers and workstations.

Theatre Manager Web Services

Theatre Manager web services need 3 components set up in order to work. These are illustrated below and are:

You can access the Director to configure services at any time using http://127.0.0.1:3012 on a machine containing TM Server.

Since the director uses javascript, please make sure you have the latest version of your browser installed on your machine or mobile device: Safari, Firefox, Chrome, Opera, IE 11 or Edge browsers are known to be compatible.

 

For PCI compliance, if TM Server is configured as a web server, it must be installed in a DMZ and separated from the rest of the network so that card holder data would never be on the same part of the lan as the DMZ.
The above diagram illustrates a standard installation. Depending on security and/or performance requirements; other parameters can be altered to affect load balancing across multiple machines. This should only be done under guidance of AMS staff
The diagram above shows the flow of data for web sales. The general setup involves:

  • The firewall directs incoming traffic on ports 80 and 443 to the web server from the internet. The web server is configured to elevate all port 80 traffic to use TLS on port 443.
  • The web server can be on the same subnet as the firewall (or not, as you wish). This allows:
    • web traffic from the internet on ports 80 and 443
    • provides dynamic load balancing to a number of Theatre Manager Servers and passes web requests to port 5000 on each of those servers
  • A TM Server in Services Configuration receives communication on port 5000 and talks back to the web server on internal port 8111 (a separate virtual server) to retrieve custom web pages for merging
  • Some configuration of the services in Company Preferences 'Director Tab'

The actual installation of the is described for Macintosh and Windows. While unsupported by Arts Management, you can use Linux if you know how to use apt-get and install and configure NGINX (we can provide a template nginx.conf file for you.

 

The diagram refers to 192.168.1.x for the internal network and is used throughout the documentation as a sample lan addresses. Your IP addresses may be different

Starting the NGINX server

Use terminal Start or Stop the Theatre Manager Server on OSX.

Step Action
Step 1 Open Terminal on your computer
Step 2 To completely stop and restart the server (note: it should have already been stopped during the install process), you will need
sudo launchctl unload /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
sudo chown -R root:wheel /Library/Application\ Support/TheatreManager/
sudo chown root:wheel /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
sudo launchctl load /Library/LaunchDaemons/com.artsman.theatremanagerserver.plist
Step 3 Use the Director to configure the second generation server for the first time.
Step 4 Disable all Power Saving options on OSX so that the server doesn't go to sleep - its not a good idea for it to so so for web sales. In addition, please read the note below.

on OSX, a user must be AUTO-0logged in to run TM server (classic services) on mac. In most version of OSX, the screen can be locked, but sometimes not. Make the user autologin is set.