PCI Security Tab

The PCI Security tab allows the Master User to set the overall parameters of how Employees will log on to the database, the structure of their passwords, and important PCI Compliance considerations for managing retention of credit card data.

Employee Access Management

Logon Window Setting	Offers the option to have Employees login: As a List of Employees Using their Access ID and password
Minimum Length	Sets the minimum length of logon passwords. For PCI compliance, the minimum length is 7 characters.
Unique Passwords	The number of unique passwords required by the system. If set to zero, then passwords are not required to be unique. If set to 2, then the same password may be shared by two employees. If set to 3, then the same password may be shared by three employees.
Days til Change Allowed	The minimum number of days that a password must be used before it is allowed to be changed.
Days until Expiry	The maximum number of days that a password may be used. For PCI compliance, this must not exceed 90 days.
Attempts til Lockout	This determines how many incorrect attempts an employee may make before Theatre Manager will lock them out of the system and must be manually re-instated.
IP addresses that can accept cards	PCI documentation indicates that any machine that touches credit card information becomes within scope of PCI compliance requirements. If you identify which machines process credit cards (such as box office), then other machines on the network that are used for reporting, management, etc, can be taken out of scope for PCI compliance. To do so, you can indicate a white-list specific machines or subnet of machines that will process cards by: leaving the list blank to indicate ALL machines process cards Entering one or more specific ip address (eg 192.168.0.10) to indicate specific machines that accept cards Entering one or more subnet masks using CIDR format to indicate a range of machines. For example: 10.10.1.0/24 means all machines on the 10.10.1.x subnet. 10.100.0.0/16 means all machines on the 10.100.x.x subnet. Entering a combination of specific ip addresses or subnet masks Enter a specific IP address that is not on your network so that NO user workstations can accept credit cards anywhere If a machine is whitelisted to allow entering credit cards, then those payment methods appear on the payment window as normal. Machines that are not part of the whitelist, then the credit card payment methods are removed from the payment window and the user at that workstation will not be able to enter cards at all - they will need to go to another machine with permissions to process a credit card payment.
	Clicking this button changes options to the current PCI Standards for employee passwords and logon attempts.

Patron Access Management

Patron Password Complexity

You can set the required complexity of patron passwords in Theatre Manager to two levels:

Passwords must meet the minimum length only. This is the historical setting - and forces the passwords to be at least the same length as the employee PCI passwords. It does not enforce any other rules. Normally, this is sufficient and the web pages give a strength meter to people to indicate if the password is good enough, or not. The reason this is the default setting is because many people have complex enough passwords that they use with modification on various sites, simply by meeting the length criteria, but may not have a special character or some other element. It also helps avoid patron frustration.
Passwords used by patrons must meet the same PCI standards enforced on employees that are:
- At least one upper case character
- At least one lower case character
- At least one number
- At least one special character
- and minimum length as described in your employee password settings.

Credit Card Management

Theatre Manager can implement either Schedule "A-EP", "C" or "D" for the Self-Assessment Questionnaire (SAQ) - the choice is yours and is dependant on the merchant processor you've selected.

You can define a retention period for credit card information before it is 'shredded' per PCI DSS standard 3.1

Note: Users find ways to type credit card into note fields, more so when using Schedule 'C' compliance because the credit card storage capability has been disabled.

You can use a feature in the Patron List window to search and identify data that could be construed as clear text credit cards attached to patrons. That kind of data would be in violation of PCI guidelines.

A shredded card means that it will be stored in the database as '#### **** **** ####'. This renders the PAN useless for all purposes. However, given the first 4 and last 4 digits of any card, you can still search for the patron.

Converting from schedule D to Schedule C compliance will shred all cards currently in the database EXCEPT those set up for future post dated payments. Since that business already exists, those few cards will remain until the final post date payment is take for the patron. At that time, the card will be shredded immediately. This prevents disruption of existing commitments to patrons.

Generally, if you want to take post dated payments and retain the minimum card data in the database, use Schedule D with one day retention.

Schedule C: Shred cards immediately after use	Using an online payment gateway and the Schedule "C" setting means that cards will not be stored in the database. The PAN is sent to the processor to get the authorization code and token from the merchant provider. Those are stored in TM (not the card itself) and the merchant token is what is used for voiding cards. It puts the workstation in scope of a PCI device, but not the database.
Schedule D: Encrypted credit card data	Schedule "D" compliance with about 120 days of retention is sufficient for most venues, especially if you are using post dated payments or may have to deal with refunds for cancelled events.
Retention Period	The number of days credit card information will be retained before it is shredded in a Schedule D environment. Normally 90 days will handle most business cases, and the recommended maximum is 365 days. If you set it to one day, then all cards are shredded right away, except those that are saved for post dated payments.
Schedule D: Post Dated Payments	This option allows storage of encrypted cards for post dated or recurring payments only. Once the last payment is authorized, the card is shredded. It effectively, is the same as the above option with 1 day retention, except that it is far more restrictive in when Theatre Manager will try to make a stored card. This should result is a venue having vastly reduced exposure risk for stored cards under PCI.
	Generates a completely random 60 character key to use as part of the encryption key process that will be unique to the venue and re-encrypt all cards in the database.
	Immediately shreds credit cards longer than the Retention Period as noted above.