Mandatory / Artsman & Venue

Setting up network for PCI compliance

Mandatory / Artsman

Platform specific install instructions

Mandatory / Venue

Platform specific install instructions

Optional / Artsman

If this is the first time that Theatre Manager is being installed at a venue, an 'empty' venue specific serialized database will be provided. It will only contain the zip code lookup table and sample code tables.

Optional / Artsman & Venue

Theatre Manager provides a selection of service providers for credit card authorization:

• None of the involves any setup of additional software or hardware. Simply, enter the merchant information from your provider and go.
• Customers have the choice of how long credit card data is to be stored in order to meet Schedule "C" or "D" compliance.

Optional / Artsman

Installation of the TM Web Services Nginx server is platform specific if you are using web sales.

Optional / Artsman

If you are using web sales, you must set up an TLS certificate and configure your firewall to allow web traffic. You will need to set up a DNS record for 'tickets.yourvenue.org' rather than assigning the TLS to a static IP address.

Optional / Venue

This step indicates the general changes to existing web pages that must be made when migrating from any version to any other version.

In addition, a venue must be aware of OWASP and should bookmark it in their browser. This site has a 'top 10' list of ongoing security considerations and standards for website development. Arts Management reviews and implements each years suggestions annually.

Finally, if you accept credit cards on the internet, you may need an application firewall as per PCI requirement 6.6 and the web pages are significantly changed. We are looking at mod_security and may put that into a future release of the apache server on your behalf.

Mandatory / Artsman & Venue

After Theatre Manager and the database have been installed, you will need to review minimum key standards and other security features for PCI compliance.

Optional / Artsman & Venue

This step is a discussion on remote access and what a venue need to do if they wish to provide that for themselves, for Remote Box Offices. There are considerations for using RDP within the network and enabling security. Arts Management uses a tool for remote support called Teamviewer.

Mandatory / Artsman & Venue

These are some policies that should be added to the customer service and/or security policy manual at a venue for PCI compliance.

A Merchant's PCI compliance is obtained by setting up the network and office policies in the appropriate manner and following a few simple rules (green in the diagram). This is required regardless of software used to process credit cards and can generally be done at reasonable cost.

The software or hardware provided by any vendor is only a portion of the merchant's ability to meet PCI compliance. Software provided by vendors must meet the prevailing PCI PA-DSS standard to assist the merchant meet overall PCI compliance.

The life cycle of a standard provided by the PCI Security Standards Council is approximately every 2 to 3 years. Once approved at a standard, it is valid even though future standards are being worked on.

Self Assessment Questionnaire (SAQ)
This is a self-validation tool for merchants who, because of transaction volume or other criteria, are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level. Source: PCI 4.0 quick reference guide

The PCI council has established 4 main levels for merchant compliance; schedules A, B,C or D with some variations at each level. You can use this table to help determine the level that applies to your organization.

Compliance Levels
The inherent nature of the ticketing business with a combination of walk up, phone and/or internet sales means that Theatre Manager (or any other ticketing system for that matter - hosted or non-hosted) probably results in Schedule C or D compliance when card data is stored. Per this summary table, Schedule A may be possible for venues using Moneris Hosted Payment Page and e-commerce only. Schedule B may be possible if using point of sale terminals and no cardholder data storage.

• Schedule A
  • Means that credit card information is never touched, stored or processed within an organization.
  • This is possible for organizations doing web sales using a hosted payment page (e.g. Moneris Hosted Payment Page).
  • If phone or walk up ticket sales by credit card are entered to a pin pad terminal, it may allow you to stay at Schedule A or move you to Schedule B; please talk to your PCI assessor.
• Schedule B
  • Could apply to merchants who only use point of sales terminals at box office and do not store any card data:
    • Schedule B
      • Those who do not use electronic processing and write credit card slips by hand apply to this level.
      • Those that use stand-alone DIAL UP terminals to process credit cards may also apply. DIAL UP means that the stand-alone POS terminal is not connected to a processor until an authorization is required.
      • Not applicable to e-commerce channels.
    • Schedule B-IP
      • Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
      • Not applicable to e-commerce channels.
• Schedule C
  • Means that Theatre Manager will render the cards useless by shredding them after use and never storing the data in the database (voids are done by sending a token, refunds may need the card entered again).
  • If you do not want credit card information onsite, please select this option and select a merchant provider from one of the Direct Credit Card Processors.
  • This also changes the scope of which part of the system is needs to be included for PCI reasons.
• Schedule D
  • Means that you wish to store some or all credit card data using strong encryption for a period of time. Possible uses are for recurring credit card transaction for monthly donations, or the need to refund to a patron if they are displeased with the show.
  • If you chose this option, you can choose how long to store data for previously authorized cards. After this Retention Period, all credit cards are shredded doing a deposit (End-of-Day (EOD) process) unless still required for a future post dated payment, or it has been specifically marked as retain permanently under the patron record.

Click to enlarge this diagram and step through teh data flow differences between Schedule C and D.

Version 11 PCI PA/DSS 3.20

• Upgrade automatically occurs July 2020
• Theatre Manager version 11.0.zz has been reviewed for its PCI PA/DSS 3.21 audit as part of the 3-year cycle.
• The audit took place in Sep 16-20, 2019 the final document was approved by the PCI council with an expiry date of Oct 28, 2022 for new installations. The image (above) is from the PCI council's website of validated applications. Search for Arts Management.

Version 10:06 PCI PA/DSS 3.1

• Upgrade Oct 2015
• Theatre Manager version 10.06.zz has been reviewed for its PCI PA/DSS 3.1 audit as part of the 3-year cycle.
• The audit took place in Oct 2015 the final document was approved by the PCI council with an expiry date of Oct 28, 2019 for new installations. The image (above) is from the PCI council's website of validated applications. Search for Arts Management.

Version 10:02 PCI PA/DSS 2.0

• Upgrade Oct 2014
• Theatre Manager version 10.02 was has been reviewed for its PCI PA/DSS 2.0 audit as part of the annual change cycle.
• The audit took place in Oct 2014 the final document was approved by the PCI council.
• All vendors are required to tell you this.

Version 10 PCI PA/DSS 2.0

• Upgrade Oct 2013
• Theatre Manager version 10 has been reviewed for its PCI PA/DSS 2.0 audit as part of the 3-year cycle.
• The audit took place in July 2013 the final document was approved by the PCI council in October 2013. The image to the left is from the PCI council's website of validated applications. Search for Arts Management.
• All vendors are required to tell you this.

Version 9 PCI PA/DSS 1.2

• Upgrade to version 9 ASAP
• Meets the PCI PA/DSS 1.2 standard and approved by the PCI council in Dec 2010.

Version 8 PABP 1.4

• Meets the PABP 1.4 standard and was certified in Oct 2008. Please refer to our certificate and approval by Visa - page 6.

Version 7 - Self Assessed in 2006

• Implements the standards required of PABP 1.4 (as of 2006), including 3DES high encryption of cards and does not store any track II or CVV2 information. However, this version is neither audited nor certified by an external vendor (not a requirement from the PCI council at the time). Version 7 has name security measures as version 8 and was simply renamed version 8 as part of the audit.

Version 6 - Self Assessed in 2003

• Implements almost all PCI security features in effect at the time (early 2000's). Card encryption is DES and it does not track CVV2 information. Version 6 can be considered PCI-compliant.

This block diagram explains the general setup of a network that is required to implement Theatre Manager in a PCI-compliant manner. Feel free to print this setup document. If any part of the network setup cannot be made to comply with the diagram, you will need to address that at a later date to become PCI-compliant. Some sample machine requirements are in the table in the picture, or you can view descriptive information on sample computer specs.

• PCI compliance requirements for Credit Card authorization
  • Overview
    • There are 7 parts to the basic network in the diagram above that are described in more detail in the following sections. The firewall is the glue that connects them all together, yet protects each part from the other (also see firewall rules). Only 4 parts are in PCI scope, the others are simply illustrations of how customers, volunteers, actors and other devices interact with your network.
  • In PCI Scope (inside the firewall) if they touch credit card info:
    • The main firewall
    • The DMZ contains only the Apache server and restricts what can be accessed from the internet.
    • OFFICE Lan - all wired devices in the office. Computers that access any Credit Card information should always be hardwired, or access via a secure VPN
    • Remote box office
  • Out of PCI Scope
    1. You can exclude ranges of workstations if you've told TM that they cannot process cards by creating a subnet mask that focuses on only those that can in the System Preferences->PCI Tab
    2. You can exclude the database server if you set TM to be PCI Schedule Ccompliance in the System Preferences->PCI Tab and sue P2PE decides and hosted payments for online.
    3. Outside the firewall - basically the internet and customers purchasing online
    4. VENUE Lan - any staff, volunteers, or actors using wired or wireless devices and who are not capable of processing or looking at credit cards.
    5. Ticket scanners used at the venue
    6. P2PE devices like Moneris P400 which do not share PCI related data with Theatre Manager. Theatre Manager simply activates the P2PE device, which is outside PCI scope as there is no direct connection to the device from Theatre Manager.

The legend shows machines and network segments:

• Organizational Areas:
  • that will never see credit cards (GREEN)
  • where a credit card passes through the machine while in flight to the bank during an authorization and is immediately gone (PURPLE). Cards in these zones are:
    • transmitted via TLS and
    • live for an instant in time and
    • are NEVER stored in a database
  • where the card data is outside the boundaries of the organization. Examples are in the customers hands (or wallet) or at your bank or service provider (who are required to perform their own PCI compliance) (RED)
• TCP/IP Traffic:
  • RED ARROWS - traffic where there is absolutely NO card data ever transmitted
  • BLUE ARROWS - traffic where card data travels (encrypted and via TLS) while it is IN FLIGHT for an authorization. This means that a message is sent for credit card authorization and the card resides only in memory (and is never stored in any disk file)

WORKSTATION OUT OF SCOPE

• Possible PCI Level(s)
  • B
  • B-IP
  • C
• Goals
  • Use a POS pin pad device
  • This takes a workstation out of PCI scope and allows the workstation to use any software on it that can reach the internet (e.g. email and web browsing).
  • Credit Card authorization is via a P2PE pin-pad using:
    • Dial up or IP connectivity that is completely independent of Theatre Manager and not connected in any way
    • OR using a device like the Moneris P400 where Theatre Manager talks to Moneris cloud to activate the pin pad. There is no direct connection between Theatre Manager and the P400
  • If all workstations are subject to this rule, then Schedule B compliance may be possible (subject to your Bank's ruling).
  • Risk of card being part of TM components is ZERO.
  • Risk of any data breach limited to person hacking the standalone POS terminal.
• Steps
  • Indicate to TM that a workstation cannot authorize credit cards by indicating a CIDR subnet that is outside scope of the network
  • Use a stand-alone P2PE pin pad device that talks to the bank without connecting to the Theatre Manager Workstation. These must be purchased from your bank or service provider and come in many varieties such as wireless, dial up, ethernet connected, accept Apple Pay, chip and pin cards, etc.
• Pros & Cons
  • Can still authorize credit cards for walk up and phone sales via external terminal.
  • Workstation can be used for any purpose such as email, web, analytics as it is not subject to PCI scope.
  • End of day is broken into web sales and other payments for box office.

WORKSTATION OUT OF SCOPE

• Possible PCI Level(s)
  • B
• Goals
  • No credit card authorization at all
  • This option should definitely be used for all non-box office computers or computers used primarily for setup, reporting and analysis.
• Steps
  • Indicate to TM that a workstation cannot authorize credit cards by indicating a CIDR subnet that is outside scope of the network
• Pros & Cons
  • Workstation can be used for any purpose such as email, web, analytics as it is not subject to PCI scope.
  • Only web sales will have a settlement for credit cards.

DEFINED WORKSTATIONS IN SCOPE

• Possible PCI Level(s)
  • C
• Goals
  • The workstation is defined as one of those that may accept credit cards entered into the system so that it does.
• Steps
  • Restrict workstations which can authorize credit cards to specific machine or subnet using IP addresses or CIDR masks
• Pros & Cons
  • Since Theatre Manager does the authorization, it can also do a void or refund. Depending on the credit card provider, it can be as long as a year after Bambora using authorization toke.
  • Authorization will use higher level TLS transport encryption if supported by merchant services provider.

TM SERVERS

• Possible PCI Level(s)
  • A
  • C
• Goals
  • NGINX and TM Server can be in or out of scope depending on processor choices
• Steps
  • To take the servers out of scope, you will need a merchant provider for Moneris Hosted Payment Page.
• Pros & Cons
  • Under Moneris hosted payment page processing, TM does not see any card data, just the authorization, allowing for PCI A.
  • Hosted payments does not support the feature of post dated payments online.
  • Advantages are no data enters the network, and you can be PCI A compliant.
  • Disadvantages come with inability to use post dated payments, and perhaps processing refunds.

Credit card data can never be stored on the AMS Cloud, taking the database server out of scope. Credit card data can pass through the firewalls and security appliances on the way to your Service Provider for authorization. It is transferred via TLS 1.2 and is subject to SPI (Stateful Packet Inspection), DOS detection, rate limitation, etc. to ensure security and privacy.

This is the merchant provider you selected out of those supported by Theatre Manager. The bank is not in scope of you PCI compliance requirements.