Implementing Advanced PCI Compliance options

Implementing Advanced PCI Compliance options in iMIS is only one small part of your organization's journey. Completing the questionnaire is your first step toward certification: you then arrange for an Authorized Scanning Vendor to test each of your e-commerce IP addresses for security flaws, and after that you apply for certification. Scanning one IP address, together with help in submitting the questionnaire, can cost about $100.

The Payment Card Industry Self-Assessment Questionnaire lets your organization determine whether you meet the mandated security levels for handling credit card transactions. The bulk of the questionnaire deals with firewalls and with clerical and network procedures. It focuses on the effects of software such as Microsoft Windows and SQL Server, as well as on network authorizations and security. It does not apply to the vendors of the software you use, but the design of that software can affect what you must do to stay in compliance. Be sure to follow our guidelines for how to implement iMIS for optimal security.

Note: There are a number of versions of the Questionnaire. Customers that maintain the audit log (option 1, below) must use version SAQ-D. However, if you do not retain cardholder information (option 2) and if you meet other security requirements, including segmenting iMIS from less secure systems, you may be able to use the much shorter SAQ-C. Note that iMIS version 15.1.2 was validated as meeting PCI requirements and is listed on the PCI web site as such.

To set up Advanced PCI Compliance support

  1. In iMIS Desktop, open AR/Cash > System Setup.
  2. Select Edit.
  3. Under General, check Advanced PCI Compliance.
  4. Two options appear that specify which method to apply.

    Warning!

    If you bypass these options by putting payment card data into user-defined tables or by using custom encryption methods, you are responsible for PCI Compliance in the handling of that data.

  5. Choose between the first and second options and click Save.
    • Maintain audit log when cardholder information is accessed
      This option causes iMIS to perform audit logging each time a user accesses any cardholder information; no log entries exist for access that occurs before the option is enabled or after it is subsequently disabled. It also logs attempts to access this information by outside processes, such as SQL scripts.
    • Do not retain cardholder information
      This option prevents iMIS from storing any cardholder data. To use this option, you must disable all CCAuth accounts configured for deferred authorization (or have all related Cash Accounts removed); if you need to support deferred payment card processing, you must use the other option.

      Note: If Advanced PCI Compliance > Do not retain cardholder information is enabled, iMIS saves transactions without cardholder data and shows only the gateway reference number and authorization code fields.

  6. If you chose the second option, open DB Maintenance (Start > ASI > iMIS > Tools > iMIS DB Maintenance) and complete the database preparation steps for your option on the PCI tab, below.

DB Maintenance: PCI tab

Depending on which option you choose in AR/Cash Setup, implementing advanced PCI Compliance (see Implementing Advanced PCI Compliance options) support requires changes to your iMIS database, either by

  • removing all existing cardholder information from your iMIS system that predates your new security measures, or
  • resetting the encryption keys (including removal of previous keys) and re-encrypting cardholder data each year, as required.

DB Maintenance lets you complete these processes easily and reliably through the PCI tab.

Precautions for using DB Maintenance

  • Verify that you have a valid backup of your iMIS database before running DB Maintenance commands that modify the database.
  • Ensure the database is protected from updates before modifying it, to prevent failures and data problems from changes occurring while entities are being reset/rebuilt/removed:
    1. Have all users log out.
    2. Stop webservers from updating the database, such as by stopping the AppPool in IIS.
  • While users are logged in, you can safely run Analyze Database and Table Details; however, analyzing the database can affect performance.
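The precautions above can be checked against the database itself before DB Maintenance is started. The following T-SQL is an added example, not ASI or iMIS code: it reports the most recent full backup recorded for the database and lists every session still connected to it, so the operator can confirm that a backup exists and that users and the web application pool are really disconnected. The database name iMISLive is a placeholder; sys.dm_exec_sessions.database_id requires SQL Server 2012 or later (on older servers, sys.sysprocesses.dbid gives the same information).

```sql
-- Added example (not ASI/iMIS code): pre-flight checks before running DB Maintenance.
-- Run from a session connected to master or msdb, not to the iMIS database itself.
DECLARE @db sysname = N'iMISLive';  -- ASSUMPTION: replace with your iMIS database name

-- 1. Most recent full backup (backup type 'D') recorded for the database.
--    No row, or an old backup_finish_date, means: take a backup first.
SELECT TOP (1)
       bs.database_name,
       bs.backup_finish_date,
       bmf.physical_device_name
FROM   msdb.dbo.backupset AS bs
JOIN   msdb.dbo.backupmediafamily AS bmf
       ON bmf.media_set_id = bs.media_set_id
WHERE  bs.database_name = @db
  AND  bs.type = 'D'
ORDER  BY bs.backup_finish_date DESC;

-- 2. User sessions still attached to the database (desktop users, the IIS
--    application pool, scheduled jobs). The list must be empty before an
--    offline operation such as re-encryption or a purge is started.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.last_request_end_time
FROM   sys.dm_exec_sessions AS s
WHERE  s.database_id = DB_ID(@db)
  AND  s.session_id <> @@SPID
  AND  s.is_user_process = 1
ORDER  BY s.last_request_end_time;
```

If the second query still lists the application pool after IIS has been stopped, wait for the connection to time out or end it from the SQL Server side before proceeding; a connection that writes during the reset is exactly the failure the precautions list warns about.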

To reset encryption keys and data

To maintain PCI compliance with stored cardholder data, you must complete all of the steps below.

  1. Choose a time when the database can be offline for several hours. Re-encryption can take minutes or hours, depending on your data; once started, it must not be stopped.
  2. In DB Maintenance, open the PCI tab.
  3. To start the reset and re-encryption, click Reset Encryption Key and Data.

    A warning prompts you to confirm the process.

  4. Allow the process to complete without interruption.

    Warning!

    You risk data corruption if you interrupt the process or close DB Maintenance, which appears unresponsive while the process runs.

    The output of the process displays in the main window of the utility.

  5. Click Remove Historical Encryption Keys, or, if you are postponing that purge, skip to the next step. (If you do the purge later, be sure to recycle the application pool then, too.)

    Warning!

    Once you remove previous keys, encrypted links that have already been embedded in emails (such as "create new account" emails) will no longer work. The user will see the error "Your session has timed out. Please try your operation again".

  6. Recycle the IIS Application Pool (iMISApp AppPool) for each application server that uses this database.

To purge cardholder data

Warning!  

If you implement PCI Compliance (see Implementing Advanced PCI Compliance options) with audit logging and later switch to storing no data, be aware that this purge routine leaves the existing audit log (PciAuditLog table) intact.

Deferred transactions are lost in a purge, so you need to resolve deferred data and disable settings that allow it.

  1. Find and change any gateway that is configured for Deferred Authorization:
    • In Desktop, open AR/Cash > Set up module and select Credit Card Auth.
    • Under Current Accounts, select the first gateway listed.
    • If it is set to Deferred Authorization, change it to Immediate or Manual Authorization.
    • Repeat for all other gateways.
  2. Submit any deferred transactions that are pending: In Desktop, open AR/Cash > Credit card reporting and run Submit Deferred Authorizations.

    Any deferred transaction remaining after the purge has no payment information, so it must be re-entered manually.

  3. In DB Maintenance, open the PCI tab.
  4. To start the purge, click Purge All Cardholder Information.

    A query runs and the Purge Payment Card Information window opens, reporting the number of records with cardholder information in each table that will be cleared by the purge.

  5. If the report surfaces no problems and you want to complete the purge, select Continue with Purge to clear the cardholder information from the database.

    The output of the process displays in the main window of the utility.

Fields affected by the purge

Table: [dbo].[ASI_temp_trans] (if it exists)

  • [CC_NUMBER] - masked (shows last 4)
  • [CC_EXPIRE] - masked
  • [CC_NAME] - cleared

Table: [dbo].[Trans]

  • [CC_NUMBER] - masked (shows last 4)
  • [CC_EXPIRE] - masked
  • [CC_NAME] - cleared
  • [ENCRYPT_CC_NUMBER] - cleared
  • [ENCRYPT_CC_EXPIRE] - cleared
  • [ENCRYPT_CSC] - cleared
  • [ISSUE_DATE] - cleared
  • [ISSUE_NUMBER] - cleared

Table: [dbo].[Orders]

  • [PAY_NUMBER] - masked (shows last 4)
  • [CREDIT_CARD_EXPIRES] - masked
  • [CREDIT_CARD_NAME] - cleared
  • [ENCRYPT_PAY_NUMBER] - cleared
  • [ENCRYPT_CREDIT_CARD_EXPIRES] - cleared
  • [ENCRYPT_CSC] - cleared
  • [ISSUE_DATE] - cleared
  • [ISSUE_NUMBER] - cleared

Table: [dbo].[Basket_Payment]

  • [PAY_NUMBER] - masked (shows last 4)
  • [CREDIT_CARD_EXPIRES] - masked
  • [CREDIT_CARD_NAME] - cleared
  • [ENCRYPT_CREDIT_CARD_EXPIRES] - cleared
  • [ENCRYPT_PAY_NUMBER] - cleared
  • [ENCRYPT_CSC] - cleared
  • [ISSUE_DATE] - cleared
  • [ISSUE_NUMBER] - cleared

Table: [dbo].[Order_Payments]

  • [PAY_NUMBER] - masked (shows last 4)
  • [CREDIT_CARD_EXPIRES] - masked
  • [CREDIT_CARD_NAME] - cleared
  • [ENCRYPT_CREDIT_CARD_EXPIRES] - cleared
  • [ENCRYPT_PAY_NUMBER] - cleared
  • [ENCRYPT_CSC] - cleared
  • [ISSUE_DATE] - cleared
  • [ISSUE_NUMBER] - cleared

Table: [dbo].[OrderCheckout]

  • [CreditCardNumber] - masked (shows last 4)
  • [CreditCardExpiration] - masked
  • [CreditCardName] - cleared
  • [CreditCardAddress] - cleared
  • [CreditCardAddress2] - cleared
  • [CreditCardAddress3] - cleared
  • [CreditCardCity] - cleared
  • [CreditCardState] - cleared
  • [CreditCardPostalCode] - cleared
  • [CreditCardCountry] - cleared
  • [ISSUE_DATE] - cleared
  • [ISSUE_NUMBER] - cleared
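The field list above is also the checklist for verifying that the purge actually did its work before users are let back in. The T-SQL below is an added example, not ASI or iMIS code: for each affected table it counts rows whose number column still holds more than the last four digits, whose name or address columns are not cleared, whose encrypted columns still hold data, and whose issue fields survive. It assumes that a masked number keeps only its last four digits (so five or more consecutive digits mean the value was not masked) and that "cleared" means NULL or zero-length, whichever the column type uses; the exact mask format is not stated on the page.

```sql
-- Added example (not ASI/iMIS code): post-purge verification over the tables
-- the purge description lists. Every count should be 0 after a successful run;
-- a non-zero count names the table to inspect before re-enabling the app pool.
-- ASSUMPTION: masked numbers retain only the last four digits; "cleared" means
-- NULL or zero length, so DATALENGTH() is used to cover both string and binary types.
WITH leftovers AS (
    SELECT 'Trans' AS table_name,
           CASE WHEN CC_NUMBER LIKE '%[0-9][0-9][0-9][0-9][0-9]%' THEN 1 ELSE 0 END AS unmasked_number,
           CASE WHEN COALESCE(DATALENGTH(CC_NAME), 0) > 0 THEN 1 ELSE 0 END AS name_remaining,
           CASE WHEN COALESCE(DATALENGTH(ENCRYPT_CC_NUMBER), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CC_EXPIRE), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CSC), 0) > 0 THEN 1 ELSE 0 END AS encrypted_remaining,
           CASE WHEN COALESCE(DATALENGTH(ISSUE_DATE), 0)
                   + COALESCE(DATALENGTH(ISSUE_NUMBER), 0) > 0 THEN 1 ELSE 0 END AS issue_remaining
    FROM   dbo.Trans
    UNION ALL
    SELECT 'Orders',
           CASE WHEN PAY_NUMBER LIKE '%[0-9][0-9][0-9][0-9][0-9]%' THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(CREDIT_CARD_NAME), 0) > 0 THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(ENCRYPT_PAY_NUMBER), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CREDIT_CARD_EXPIRES), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CSC), 0) > 0 THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(ISSUE_DATE), 0)
                   + COALESCE(DATALENGTH(ISSUE_NUMBER), 0) > 0 THEN 1 ELSE 0 END
    FROM   dbo.Orders
    UNION ALL
    SELECT 'Basket_Payment',
           CASE WHEN PAY_NUMBER LIKE '%[0-9][0-9][0-9][0-9][0-9]%' THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(CREDIT_CARD_NAME), 0) > 0 THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(ENCRYPT_PAY_NUMBER), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CREDIT_CARD_EXPIRES), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CSC), 0) > 0 THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(ISSUE_DATE), 0)
                   + COALESCE(DATALENGTH(ISSUE_NUMBER), 0) > 0 THEN 1 ELSE 0 END
    FROM   dbo.Basket_Payment
    UNION ALL
    SELECT 'Order_Payments',
           CASE WHEN PAY_NUMBER LIKE '%[0-9][0-9][0-9][0-9][0-9]%' THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(CREDIT_CARD_NAME), 0) > 0 THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(ENCRYPT_PAY_NUMBER), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CREDIT_CARD_EXPIRES), 0)
                   + COALESCE(DATALENGTH(ENCRYPT_CSC), 0) > 0 THEN 1 ELSE 0 END,
           CASE WHEN COALESCE(DATALENGTH(ISSUE_DATE), 0)
                   + COALESCE(DATALENGTH(ISSUE_NUMBER), 0) > 0 THEN 1 ELSE 0 END
    FROM   dbo.Order_Payments
    UNION ALL
    SELECT 'OrderCheckout',
           CASE WHEN CreditCardNumber LIKE '%[0-9][0-9][0-9][0-9][0-9]%' THEN 1 ELSE 0 END,
           -- name and the whole billing address block are all "cleared" columns here
           CASE WHEN COALESCE(DATALENGTH(CreditCardName), 0)
                   + COALESCE(DATALENGTH(CreditCardAddress), 0)
                   + COALESCE(DATALENGTH(CreditCardAddress2), 0)
                   + COALESCE(DATALENGTH(CreditCardAddress3), 0)
                   + COALESCE(DATALENGTH(CreditCardCity), 0)
                   + COALESCE(DATALENGTH(CreditCardState), 0)
                   + COALESCE(DATALENGTH(CreditCardPostalCode), 0)
                   + COALESCE(DATALENGTH(CreditCardCountry), 0) > 0 THEN 1 ELSE 0 END,
           0,  -- no encrypted columns are listed for this table
           CASE WHEN COALESCE(DATALENGTH(ISSUE_DATE), 0)
                   + COALESCE(DATALENGTH(ISSUE_NUMBER), 0) > 0 THEN 1 ELSE 0 END
    FROM   dbo.OrderCheckout
)
SELECT table_name,
       COUNT(*)                 AS rows_checked,
       SUM(unmasked_number)     AS unmasked_numbers,
       SUM(name_remaining)      AS names_or_addresses_remaining,
       SUM(encrypted_remaining) AS encrypted_values_remaining,
       SUM(issue_remaining)     AS issue_fields_remaining
FROM   leftovers
GROUP  BY table_name
ORDER  BY table_name;

-- The temporary transaction table is only present on some installations.
IF OBJECT_ID(N'dbo.ASI_temp_trans', N'U') IS NOT NULL
    SELECT 'ASI_temp_trans' AS table_name,
           COUNT(*) AS rows_checked,
           SUM(CASE WHEN CC_NUMBER LIKE '%[0-9][0-9][0-9][0-9][0-9]%' THEN 1 ELSE 0 END) AS unmasked_numbers,
           SUM(CASE WHEN COALESCE(DATALENGTH(CC_NAME), 0) > 0 THEN 1 ELSE 0 END) AS names_remaining
    FROM   dbo.ASI_temp_trans;
```

Run the query once before the purge as well: the per-table row counts then match the numbers the Purge Payment Card Information window reports, and the difference between the two runs shows exactly what was masked or cleared. The PciAuditLog table is deliberately not included, since the purge leaves it intact.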