PA-DSS Implementation Guide
1 Payment Systems Security
1.1 Introduction
In order to address the growing national and international concern for securing credit card information, Visa began to develop standards and announced the Cardholder Information Security Program (CISP) in April, 2000. These standards became required in June, 2001, for all entities that store, process or transmit Visa cardholder data.
Since that time, other credit card companies have become involved, and a new group called the Payment Card Industry Security Standards Council was formed to standardize security requirements across the entire credit card industry. The result is a new security standard called Payment Card Industry Data Security Standard (PCI-DSS or simply 'PCI') which is designed to ensure standardized compliance for multiple associations.
This document is provided to guide users of Campground Master into becoming and remaining PCI compliant.
1.2 Why you need to be concerned about this
Credit Card companies are requiring compliance with PCI standards for every entity that is involved in the storage, processing, or transmission of credit card information. Failure to comply can result in denial or revocation of your organization's ability to process credit cards.
Furthermore, as these standards have become widely recognized, non-compliance places your organization at risk of legal and/or civil consequences if credit card information becomes compromised.
Compliance with PCI standards is necessary whether or not you use Campground Master to process transactions "online." Even if you use a POS terminal or other method to process transactions, and simply retain information in Campground Master, you must be concerned about proper use of the program to maintain security and confidentiality of customer data.
As of October 1, 2008, Credit Card Processors and Bank Card Acquirers must only accept level 3 and 4 merchants that are PCI-DSS compliant or that utilize PA-DSS compliant applications.
Beginning October 1, 2009, all payment applications which are not PA-DSS compliant will be decertified.
Beginning July 1, 2010, Credit Card Processors and Bank Card Acquirers must ensure that merchants and agents use only PA-DSS compliant applications.
1.3 The PCI Data Security Standard
The "PCI-DSS" is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
To learn more about PCI, visit www.pcisecuritystandards.org.
The standard must constantly evolve in order to remain viable in today's rapidly changing internet and computing environment. Thus, the PCI-DSS will be reviewed at least every 24 months, and can be updated at any time.
Campground Master Version 6 has been certified as compliant under the Payment Application Data Security Standard (PA-DSS) 1.2. The PA-DSS is a separate security standard that applies to software vendors that develop applications for sale to merchants to process and/or store cardholder data. Just because Campground Master has been certified as PA-DSS 1.2 compliant does not automatically make you, as a merchant, PCI compliant. It is an important and necessary step toward that goal. Payment applications validated per the PA-DSS, when implemented in a PCI-DSS-compliant manner, will minimize the potential for security breaches leading to compromises of sensitive cardholder data, and the damaging fraud resulting from these breaches, and speed you on your way to PCI compliance.
2 Merchant and Requirements for Compliance
There are twelve basic requirements (organized in six areas) which a merchant must meet in order to become certified as PCI-compliant. Each of these requirements, along with POS Vendor's recommendations, is noted in this document. However, you must familiarize yourself with the details of each requirement as set forth in the PCI Data Security Standard documentation. (Refer to Section 4 "Resources" for guidance on where to get more information.) The following table lists the twelve basic requirements.
PCI Requirements (each PCI topic is followed by its basic requirements)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
3 Campground Master PCI Security Practices
Because it has been certified as compliant under the PA-DSS 1.2 requirements, using Campground Master as a tool will support you in meeting some of your merchant requirements to become and remain PCI-DSS compliant. However, it is important that you use the software as designed, and that you follow certain practices and procedures internally both when you install the software and as you enter transactions.
Compliance with PCI standards is necessary and you must be concerned about proper use of the program to maintain security and confidentiality of customer data. Therefore, the following sections provide guidance on how to implement and maintain the Campground Master application per PA-DSS requirements (as they relate to PCI) along with other general PCI security information.
4 Securely implementing Campground Master
4.1 Sensitive Authentication Data
Reference: PA-DSS 1.0 Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
4.1.1 Previous Versions
Campground Master versions prior to 6.0 allowed the storage of magnetic stripe data and card validation values with a "weak" encryption. While the upgrade to 6.0 automatically corrects the encryption to be strong in your current database file, it does not automatically remove this information completely. In order to remove this information, you must perform these steps in Campground Master once version 6.0 is loaded:
1. Go to Maintenance / Credit Cards / History/Security Cleanup.
2. Click the button "Remove Swipe data and CVC codes from ALL transactions", then click Yes to proceed.
3. Click the button "Remove Swipe data and CVC codes from ALL Guarantee info", then click Yes to proceed.
Removal of this sensitive information is necessary for PCI compliance.
Backup and Log Files
The cleanup functions do not affect backup files or log files that may exist on your computer, removable drives, or off-site backups. These backup files and log files must be securely deleted in accordance with industry-accepted standards for secure deletion, as defined, for example, by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations.
Removal of this sensitive information is necessary for PCI compliance.
Note: Simply using the Windows functions to "delete" these files is not sufficient, since the file image will remain on the disk for an indefinite time. Contact your computer professional to make sure the proper tools are used for secure deletion of these files.
These files must be located and deleted on any computer that has had a previous version of Campground Master on it, or any removable drive containing a backup from a previous version (be sure you have new backups from version 6.0 or later before deleting old backups).
Old database files:
Campground Master database files have the file extension of ".prk". Your current database, which must not be deleted, can be found through the function Maintenance / Database Maintenance / Show current database / Show the current database location. All other files with a .prk extension, which may appear in various places on the disk drive depending on user actions when saving them, are old or unused databases that should be deleted.
Note: if you purposefully created multiple databases, e.g. to maintain multiple properties separately, be careful not to delete the files for the other properties.
Old log files:
Campground Master log files have the file extension ".prklog". Log files are only used when needed to efficiently synchronize networked computers, or to recover intermediate lost data when restoring from a backup. So if your current database is intact and you have a secure current backup, then it is safe to delete all .prklog files on your system.
Old auto-backups:
Campground Master backups have the file extension ".zip". However, this extension is commonly used by other applications, so it is not safe to delete all .zip files. You must be able to recognize which .zip files are Campground Master backups, which is simple -- the file name will contain "Auto-backup", as well as the database name and a date. For instance: test_Auto_Backup_2009-11-01.zip. Once your current database and a new backup have been secured, all such auto-backup files should be deleted.
Other backups:
Any backups made manually through the Backup Database function, prior to version 6.0, should also be deleted. These will have a .zip extension like auto-backups, but may have any name entered by the user. Locate all such old backups and delete them. If they exist on CD-R media which cannot be deleted, then the media should be destroyed.
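An added example (not part of Campground Master or of the original guide): a read-only inventory of the file types this section tells you to locate, so the resulting list can be handed to a secure-deletion tool. The function names, the `keep_databases` parameter, and the check that a manually named .zip contains a .prk member are assumptions; the guide only says manual backups can have any name.

```python
"""Report Campground Master files that may need secure deletion. Deletes nothing."""
import os
import re
import sys
import zipfile

# The guide says "Auto-backup" but its sample name uses "Auto_Backup": accept both.
AUTO_BACKUP_RE = re.compile(r"auto[-_]backup", re.IGNORECASE)


def zip_holds_database(path):
    """Assumption (not from the guide): a manual backup archive has a .prk member."""
    try:
        with zipfile.ZipFile(path) as archive:
            return any(n.lower().endswith(".prk") for n in archive.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # unreadable or not really a zip: leave for manual review


def classify(path, keep):
    """Return a category for one file, or None if it is not a candidate."""
    if os.path.normcase(os.path.abspath(path)) in keep:
        return None  # current database, or another property's live database
    name = os.path.basename(path).lower()
    if name.endswith(".prklog"):
        return "old log file"
    if name.endswith(".prk"):
        return "old database"
    if name.endswith(".zip"):
        if AUTO_BACKUP_RE.search(name):
            return "auto-backup"
        if zip_holds_database(path):
            return "possible manual backup"
    return None


def inventory(roots, keep_databases):
    """Walk each root and return sorted (category, path) pairs.

    keep_databases: paths of databases that must NOT be listed, i.e. the one shown
    by "Show the current database location" plus any other properties' databases.
    """
    keep = {os.path.normcase(os.path.abspath(p)) for p in keep_databases}
    found = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            for filename in files:
                full = os.path.join(folder, filename)
                category = classify(full, keep)
                if category:
                    found.append((category, full))
    return sorted(found)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: inventory.py CURRENT.prk ROOT [ROOT ...]")
    for category, path in inventory(sys.argv[2:], [sys.argv[1]]):
        print(f"{category:24} {path}")
```

Run it against every local drive and mounted removable drive, and review the "possible manual backup" entries by hand before anything is deleted.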
4.1.2 Troubleshooting
Campground Master support from Cottonwood Software is only done by phone or E-mail, and therefore does not involve the collection or storage of sensitive information (swipe data, CVC numbers, etc.) on the vendor's system.
4.2 Protect Stored Cardholder Data
Reference: PA-DSS 2.0 Protect stored cardholder data
4.2.1 Purge Stale Cardholder Data
Campground Master provides functions to delete cardholder data (credit card numbers and expiration dates) from "old" customer, reservation and transaction records. These functions should be used periodically to limit the retention of data to a minimum, for instance 30 days (see PCI DSS Requirement 3.1 below).
To purge unused credit card data, go to Maintenance / Credit Cards / History/Security Cleanup. Perform each of the five functions in the 3rd section, labeled "These are also recommended to remove all unnecessary old card information". For more details, see the Help (press F1 while in that dialog).
PCI DSS Requirement 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
4.2.2 Securely Delete Cryptographic Material
(Does not apply to Campground Master, no cryptographic key material or cryptogram is stored in this or previous versions.)
4.3 Secure Authentication Features
Reference: PA-DSS 3.0 Secure authentication features
4.3.1 Administrative and Privileged Access to the Application
The "out of the box" installation of Campground Master facilitates the use of unique user IDs and secure authentication (defined at PCI DSS Requirements 8.1, 8.2, and 8.5.8–8.5.15) for all administrative access and for all access to cardholder data.
a) A default administrative login ("Administrator") exists in new databases. This operator login should not be used for entering payments, customer, or reservation data that may have credit card information, as it does not uniquely identify a user.
b) The default Administrator operator's password must be changed, or the default Administrator operator deleted in favor of a more unique administrative login (through Maintenance / Park Setup / Operators). The first time a user attempts to log in with the default, they will automatically be prompted for a new password, and cannot continue without providing a new password.
c) Assign secure authentication (as per (d) below) to logins whenever possible.
d) To create PCI DSS-compliant secure logins, the Operator records must have "Force password change every 90 days" selected, "Complex password required" selected, and must have "Auto-Logout after" set to no more than 15 minutes.
e) Failure to follow the rules above will result in noncompliance with PCI DSS.
4.3.2 General Non-privileged Access to the Application
An Operator record with a unique login/password should be assigned to every user of Campground Master, through Maintenance / Park Setup / Operators.
PCI DSS Requirement 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.
PCI DSS Requirement 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
• Password or passphrase
• Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
4.4 PA-DSS Requirement 4.0
4.0 Log payment application activity
Campground Master implements an automated Audit Trail to track and monitor access. This log is an integral part of the database, and entries cannot be manually altered by any operator (including administrators).
The length of time the log history is maintained may be set by the user, through View / Audit Trail, Audit Trail Options. To meet PCI DSS compliance, the "Permanently delete entries older than" setting should be at least 366 days. Alternatively, it may be set to 30 days if a manual backup is done at least every 30 days and these backups are kept for at least 1 year.
Disabling the audit trail (by setting it to delete log entries in less than 366 days, or by not keeping sufficient backups for a 1-year trail) will result in non-compliance with PCI DSS.
4.5 Protect Wireless Transmissions
Reference: PA-DSS 6.0 Protect wireless transmissions
4.5.1 Wireless Technology Included in or with the Payment Application
For payment applications using wireless technology, the wireless technology must be implemented securely. PCI Data Security Standard Requirements 1.2.3, 2.1.1 & 4.1.1
Campground Master utilizes wireless technology for networking (support of more than one computer), if your computers are attached to a wireless network. Configuration of this network is the responsibility of the end user. The security configuration must be compliant with PCI DSS Requirements 1.2.3, 2.1.1 & 4.1.1.
Per PCI DSS Requirement 1.2.3 you must install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
4.5.2 General Use of Wireless Technology
If wireless technology is (or can be) used to store, process, or transmit cardholder data (for example, point-of-sale transactions, "line-busting"), or if a wireless local area network (LAN) is connected to or part of the cardholder data environment (for example, not clearly separated by a firewall), the PCI DSS requirements and testing procedures for wireless environments apply and must be performed as well (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Before wireless technology is implemented, a company should carefully evaluate the need for the technology against the risk. Consider deploying wireless technology only for non-sensitive data transmission.
Wireless environments must be implemented and maintained per the following PCI DSS Requirements:
PCI-DSS 1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
PCI-DSS 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
PCI-DSS 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
• For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
• For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
4.6 Systems Connected to the Internet
Reference: PA-DSS 9.0 Cardholder data must never be stored on a server connected to the Internet
Campground Master does not require data to be on a web server, therefore this requirement does not apply. If the customer implements their own web server for other purposes, this should not be on the same computer that also runs the Campground Master application.
4.7 Secure Remote Software Updates
Reference: PA-DSS 10.0 Facilitate secure remote software updates
Campground Master application updates are not delivered via remote access into customers' systems, therefore this requirement does not apply.
PCI Data Security Standard Requirements 1 and 12.3.9
If remote access is used for other purposes on a computer with Campground Master, the user must properly configure a firewall or a personal firewall product to secure "always-on" connections.
4.8 Secure Remote Access to Payment Application
Reference: PA-DSS 11.0 Facilitate secure remote access to payment application
4.8.1 Two-Factor Authentication
Remote access to Campground Master only applies to the "networking" functionality (that is, a Campground Master client system connecting to the Campground Master server through an Internet connection). The communication is strictly between two instances of Campground Master, not through a "terminal" or "remote control" interface, and is limited to data transactions, not system commands. Establishing a connection requires having a copy of the application and the company's license authorization code, and knowing at least 3 pieces of information: the IP address of the server's internet connection, the port number assigned to the server's connection, and the network password. All of these are assigned by the administrator of the server. These are set in the remote system through Maintenance / Network Functions / Network Setup.
PCI DSS Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
4.8.2 Secure Remote Access Requirements
Remote access to Campground Master is part of the "networking" functionality (that is, a Campground Master client system connecting to the Campground Master server through an Internet connection).
Since access is strictly through another instance of Campground Master, all security features of Campground Master apply as per sections 4.3 and 4.4 above.
All cardholder data transmitted through the remote connection is protected with AES-256 encryption.
PCI DSS Requirement 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are:
o The Internet,
o Wireless technologies,
o Global System for Mobile communications (GSM), and
o General Packet Radio Service (GPRS).
4.9 Encrypt Sensitive Traffic over Public Networks
Reference: PA-DSS 12.0 Encrypt sensitive traffic over public networks
Campground Master uses strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
All cardholder data sent to other local computers or remote computers running Campground Master is encrypted using AES-256 encryption methods. The encryption key is unique to each installation and changes automatically each month. No configuration is required for this.
When processing payments through internet technologies, SSL protocols are used. No special configuration is required for this beyond the normal setup required to connect Campground Master to the credit card processing application or service, as described in the documentation.
4.10 Encrypt all Non-console Administrative Access
Reference: PA-DSS 13.0 Encrypt all non-console administrative access
Non-console administrative access is not a function that is available with Campground Master.
5 Appendix
PCI-DSS Requirement 8
Assign a Unique ID to each Person with Computer Access
PCI DSS 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.
PCI DSS 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
• Password or passphrase
• Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
PCI DSS 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
PCI DSS 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS Glossary of Terms, Abbreviations and Acronyms).
PCI DSS 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
PCI DSS 8.5.1: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
PCI DSS 8.5.2: Verify user identity before performing password resets
PCI DSS 8.5.3: Set first-time passwords to a unique value for each user and change immediately after first use
PCI DSS 8.5.4: Immediately revoke access for any terminated users
PCI DSS 8.5.5: Remove/disable inactive user accounts at least every 90 days.
PCI DSS 8.5.6: Enable accounts used by vendors for remote maintenance only during the time period needed
PCI DSS 8.5.7: Communicate password procedures and policies to all users who have access to cardholder data
PCI DSS 8.5.8: Do not use group, shared, or generic accounts and passwords
PCI DSS 8.5.9: Change user passwords at least every 90 days
PCI DSS 8.5.10: Require a minimum password length of at least seven characters
PCI DSS 8.5.11: Use passwords containing both numeric and alpha characters
PCI DSS 8.5.12: Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
PCI DSS 8.5.13: Limit repeated access attempts by locking out the user ID after not more than six attempts.
PCI DSS 8.5.14: Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
PCI DSS 8.5.15: If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.
PCI DSS 8.5.16: Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.