Implementing Advanced PCI Compliance options
Implementing Advanced PCI Compliance options in iMIS is only one small part of your organization's journey. Completing the questionnaire is your first step toward certification: you then arrange for an Authorized Scanning Vendor to test each of your e-commerce IP addresses for security flaws, and after that you apply for certification. Scanning of one IP address, together with help in submitting the questionnaire, can cost about $100.
The Payment Card Industry Self Assessment Questionnaire lets your organization determine if you meet mandated security levels for handling credit card transactions. The bulk of the questionnaire deals with firewalls and with clerical and network procedures. It focuses on the effects of software such as Microsoft Windows and SQL Server, as well as network authorizations and security. It does not apply to the vendors of the software you use, but the design of the software can affect what you must do to stay in compliance. Be sure to follow our guidelines for how to implement iMIS for optimal security.
There are a number of versions of the Self-Assessment Questionnaire. Consider the following when determining the correct version of the Self-Assessment Questionnaire to consult:
- SAQ A-EP:
  - ASI-hosted and iMIS Advanced Accounting Console used only through an ASI terminal server
  - E-commerce only
  - No mail orders; no telephone orders
  - No face-to-face transactions
  - No payment terminals
- SAQ A:
  - ASI-hosted and iMIS Advanced Accounting Console used only through an ASI terminal server
  - Mail orders or telephone orders allowed
  - No face-to-face transactions
- SAQ D:
  - Self-hosted on own premises
Note: The SAQ C is not applicable to e-commerce channels.
- From the Advanced Accounting Console, Finance > Options > Configure accounting options.
- Select Edit.
- Under General, check Advanced PCI Compliance.
- Select one of the following options:
  - Maintain audit log when cardholder information is accessed
    This option causes iMIS to write an audit log entry each time a user accesses any cardholder information; no log entries exist for access that occurs before the option is enabled or after it is subsequently disabled. It also logs attempts to access this information by outside processes, such as SQL scripts.
  - Do not retain cardholder information (requires purge and disabling of deferred payments)
    This option prevents iMIS from storing any cardholder data. To use this option, you have to disable all CCAuth accounts configured for deferred authorization (or have all related Cash Accounts removed). If you need to support deferred payment card processing, you must use the other option.
    Note: If Do not retain cardholder information (requires purge and disabling of deferred payments) is enabled, iMIS saves transactions without cardholder data and shows only the gateway reference number and authorization code fields.
  Note: If you bypass these options by putting payment card data into user-defined tables or by using custom encryption methods, you are responsible for PCI Compliance in the handling of that data.
- Click Save.
- If you chose Do not retain cardholder information (requires purge and disabling of deferred payments), open DB Maintenance (go to Start > ASI > iMIS > Tools > iMIS DB Maintenance Utility) and complete the database preparation steps for your option on the PCI tab.
Depending on which option you choose in AR/Cash Setup, implementing advanced PCI Compliance support requires changes to your iMIS database:
- Remove all existing cardholder information from your iMIS system that predates your new security measures.
- Reset the encryption keys (including removal of previous keys) and re-encrypt cardholder data each year, as required.
DB Maintenance lets you complete these processes easily and reliably.
- Verify that you have a valid backup of your iMIS database before running DB Maintenance commands that modify the database.
- Ensure the database is protected from updates before modifying it, to prevent failures and data problems from changes occurring while entities are being reset/rebuilt/removed:
  - Have all users log out.
  - Stop webservers from updating the database, such as by stopping the app pool in IIS.
- While users are logged in, you can safely run Analyze Database and Table Details; however, analyzing the database can affect performance.
To maintain PCI compliance with stored cardholder data, you must complete all of the following steps:
- Choose a time when the database can be offline for several hours. Re-encryption can take minutes or hours, depending on your data. Once started, re-encryption must not be stopped.
- In DB Maintenance, open the PCI tab.
- To start the purge, click Reset Encryption Key and Data. A warning prompts you to confirm the process.
- Allow the process to complete without interruption. The output of the process displays in the main window of the utility.
- Click Remove Historical Encryption Keys, or, if postponing that purge, skip to the next step. If you do the purge later, be sure to recycle the application pool then, too.
- Recycle the IIS application pool for each application server that uses this database.
Note: You risk data corruption if you interrupt the process or close DB Maintenance, even though the utility appears unresponsive while the process runs.
Note: Once you remove previous keys, any encrypted links already embedded in emails (such as create new account emails) will no longer work. The user will see the error "Your session has timed out. Please try your operation again".
Note: If you implement PCI Compliance with audit logging and later switch to storing no data, be aware that this purge routine leaves the existing audit log (PciAuditLog table) intact.
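The app-pool steps in this procedure (stop the pools before DB Maintenance runs, recycle them on every application server afterwards) are usually scripted so that no worker process can touch the database mid-purge and none keeps old keys cached. The following PowerShell is an added example, not ASI's own tooling; the server names and pool names are placeholders, and it assumes PowerShell remoting is enabled and the WebAdministration module is present on each application server.

```powershell
# Added example, not part of the iMIS product. Replace the placeholder names below.
$AppServers = @('IMISAPP01', 'IMISAPP02')   # placeholder application server names
$AppPools   = @('iMIS', 'iMISApi')          # placeholder IIS application pool names

function Set-ImisAppPools {
    param(
        [Parameter(Mandatory)][ValidateSet('Stop', 'Recycle')][string]$Action,
        [string[]]$Servers = $AppServers,
        [string[]]$Pools   = $AppPools
    )
    foreach ($server in $Servers) {
        Invoke-Command -ComputerName $server -ArgumentList $Action, $Pools -ScriptBlock {
            param($Action, $Pools)
            Import-Module WebAdministration
            foreach ($pool in $Pools) {
                $state = (Get-WebAppPoolState -Name $pool).Value
                if ($Action -eq 'Stop') {
                    if ($state -ne 'Stopped') { Stop-WebAppPool -Name $pool }
                    # Wait until IIS reports Stopped: a pool that is still "Stopping" can
                    # still be writing to the database while keys are reset or data purged.
                    $deadline = (Get-Date).AddSeconds(60)
                    do {
                        Start-Sleep -Seconds 2
                        $state = (Get-WebAppPoolState -Name $pool).Value
                    } while ($state -ne 'Stopped' -and (Get-Date) -lt $deadline)
                    if ($state -ne 'Stopped') { throw "$env:COMPUTERNAME/$pool did not stop" }
                }
                else {
                    # After the key reset or purge: restart so workers load the new keys.
                    if ($state -eq 'Stopped') { Start-WebAppPool -Name $pool }
                    else { Restart-WebAppPool -Name $pool }
                }
                [pscustomobject]@{
                    Server = $env:COMPUTERNAME
                    Pool   = $pool
                    State  = (Get-WebAppPoolState -Name $pool).Value
                }
            }
        }
    }
}

# 1. Before running DB Maintenance: take every pool down and confirm it is Stopped.
Set-ImisAppPools -Action Stop
# 2. After Reset Encryption Key and Data (and Remove Historical Encryption Keys, whenever
#    you run it): bring the pools back on every application server.
Set-ImisAppPools -Action Recycle
```

Run the Stop call from the maintenance checklist before opening the PCI tab, and the Recycle call only after DB Maintenance reports the process complete.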
Deferred transactions are lost in a purge, so you need to resolve deferred data and disable settings that allow it.
- Find and change any gateway that is configured for Deferred Authorization:
  - From the Advanced Accounting Console, go to Finance > Options > Configure accounting options.
  - Click Credit Card Auth.
  - Under Current Accounts, select the first gateway listed.
  - If it is set to Deferred Authorization, change it to Immediate Authorization or Manual Authorization.
  - Repeat for all other gateways.
- Submit any deferred transactions that are pending:
  - Go to Continuum > Commerce and Customer Service Reports > Credit card reports.
  - Run Print Deferred Pre-authorization Report.
  - Run Submit Deferred Authorizations. Any deferred transaction remaining after the purge has no payment information, so it must be re-entered manually.
- In DB Maintenance, select the PCI tab.
- To start the purge, click Purge All Cardholder Information. A query runs and the Purge Payment Card Information window opens, reporting the number of records with cardholder information in each table that will be cleared by the purge.
- If the report identifies no problems and you want to complete the purge, select Continue with Purge to clear the cardholder information from the database. The output of the process displays in the main window of the utility.