Fore! Reservations PA-DSS Implementation Guide

2011 Fore! Reservations PA-DSS Implementation Guide

This document is intended as a quick reference guide to the implementation of Fore! Reservations 2011 version 14.8 in a manner that complies with the PCI Data Security Standard (PCI DSS) concerning CISP compliance.

2/9/2010, Version 2.1

Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Fore! Reservations Technology, LLC.

Fore! Reservations Technology, LLC

Fore! Reservations is a trademark of Fore! Reservations Technology, LLC. Windows XP, Windows Vista, and Windows 7 are trademarks of Microsoft Corporation.

Page 2

Table of Contents

Introduction ... 5
  About this Document ... 5
  Who Should Read this Document? ... 5
  What Should the Reader Know? ... 5
About the PCI Data Security Standard (PCI DSS) ... 6
PCI DSS Objectives ... 7
  Build and Maintain a Secure Network ... 7
  Protect Cardholder Data ... 7
  Maintain a Vulnerability Management Program ... 7
  Implement Strong Access Control Measures ... 7
  Regularly Monitor and Test Networks ... 7
  Maintain an Information Security Policy ... 7
Fore! Reservations and the PCI Data Security Standard ... 8
  Build and Maintain a Secure Network ... 8
    Network Environment ... 8
    Passwords
    Password Protected Screen Savers
  Protect Cardholder Data
    Locally Stored Data
    User Timeout and Password Expiration
    Reseller and Integrators
    Automatically Destroy Backups from Previous Versions
    Manually Destroy Other Sensitive Files
    Credit Card Retention
      Reservations
    Authorization
    Public Network Cardholder Data Access
  Maintain a Vulnerability Management Program
    Anti-Virus Software
  Implement Strong Access Control Measures
    Creating Users
  Key Management
    Explanation of Types of Files and Keys Used
      Database Key
      Site File
    Procedures on Managing your Keys
      Create New Database Key
      Restore Database Key
      Rebuild Database
      Create Site File
      Loading Site File
      Site Files
  Regularly Monitor and Test Networks
    Remote Access
    Windows Event Logs
    Employee Log
    General Log
    SQL Express Logs
    Workstation and Network Resources
  Maintain an Information Security Policy
    Clock Synchronization
    Customer Support

Introduction

About this Document

This document is intended as a quick reference guide to the implementation of Fore! Reservations 2011 version 14.8 in a manner that complies with the PCI Data Security Standard (PCI DSS) concerning CISP compliance.

Who Should Read this Document?

This guide is intended for the following audiences:
- Fore! Reservations Customers
- Fore! Reservations Installers
- Fore! Reservations Technical Support Personnel
- Fore! Reservations Sales Personnel
- Any IT Personnel Hired by Customers

What Should the Reader Know?

This guide assumes that the readers of this document possess the following knowledge:
- Basic understanding of Windows-based personal computers
- Familiarity with basic computer networking concepts
- Experience with the Fore! Reservations product
- Familiarity with hardware peripherals compatible with Fore! Reservations

About the PCI Data Security Standard (PCI DSS)

(From the PCI Security Standards Council.) The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster large-scale adoption. Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input during the creation and review of proposed additions or modifications to the PCI DSS.

PCI DSS Objectives

(From the PCI Security Standards Council.) The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.

Fore! Reservations and the PCI Data Security Standard

Build and Maintain a Secure Network

Fore! Reservations Black Box

Because PCI DSS mandates that cardholder data must not be stored on a server that is accessible from the Internet, Fore! Reservations 2011 requires the use of a preconfigured server computer shipped from Fore! Reservations. This Black Box has been set up to only allow access to Fore! Reservations web servers on the Internet, and has all necessary SQL Server configurations. Any unnecessary networking protocols have already been disabled. The Black Box is shipped with Windows Server 2008 R2 Foundation and has Administrator access available for approved staff.

The Black Box must remain in a location in the facility that is not accessible by the public, preferably in a locked server room or office. The Black Box must not be used for day-to-day business operations such as point-of-sale activities, running reports, etc.

Network Environment

To ensure compliance with PCI DSS, you must maintain a network environment that properly addresses threat prevention from the Internet and from within the local area network. Among the requirements, cardholder data must not be stored on a server that is publicly accessible. Proper segmentation of your Fore! Reservations network from outside access and the use of a strong hardware firewall help prevent unauthorized access to your server. The following image demonstrates a suitable network configuration.

Windows Firewall

New Windows computers have the Windows Firewall enabled by default. Leaving this firewall turned on to complement the hardware firewall provides an additional level of security that helps prevent breaches from outside threats. If your firewall is turned off, here is how to turn it on:

Windows XP:
1.) Go to Start > Control Panel > Windows Firewall.
2.) Select On (recommended).

Windows Vista:
1.) Go to Start > Control Panel > Windows Firewall.
2.) Select On (recommended).

Windows 7:
1.) Go to Start > Control Panel > System and Security > Windows Firewall > Turn Windows Firewall on or off.
2.) Select Turn on Windows Firewall.

Passwords

Fore! Reservations requires that customers change all default passwords for any computer operating system (Windows) and routers/firewalls that interact with the Fore! Reservations application.

Password requirements:
1.) Passwords must be at least seven characters in length.
2.) Passwords must contain both numeric and alphabetic characters.
3.) Passwords must be changed every 90 days.
4.) Passwords cannot be the same as any of the last four passwords used.

Other requirements regarding passwords:
1.) Limit repeated access attempts by locking out the user account after not more than six attempts.
2.) Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user account.
3.) If a session has been idle for more than 15 minutes, the user must re-enter the password to reactivate the computer.

To change a password in Windows:

Windows XP:
1.) Log in to Windows as the user you want to change.
2.) Go to Start > Control Panel > User Accounts.
3.) Click Change My Password.

Windows Vista:
1.) Log in to Windows as the user you want to change.
2.) Go to Start > Control Panel > User Accounts.
3.) Click Change Your Password.

Windows 7:
1.) Log in to Windows as the user you want to change.
2.) Go to Start > Control Panel > User Accounts and Family Safety > User Accounts.
3.) Click Change your Password.

It is strongly encouraged that all Windows users who access Fore! Reservations are set up as either Limited (XP) or Standard (Vista, 7) users. This prevents the unauthorized installation of other programs, changes to network setup, peripheral installation, etc.

Password Protected Screen Savers

Any Windows user set up in the Administrators group must have a workstation lockout after 15 minutes of idle time to comply with PCI. Enabling the Windows screen saver and requiring login on resume meets this requirement. To enable this:

Windows XP:
1.) Go to Start > Control Panel > Display.
2.) Click the Screen Saver tab.
3.) Select any screen saver other than None.
4.) Place a check next to On resume, display Welcome screen.

Windows Vista:
1.) Go to Start > Control Panel > Personalization.
2.) Click Screen Saver.
3.) Select any screen saver other than None.
4.) Place a check next to On resume, display logon screen.

Windows 7:
1.) Go to Start > Control Panel > Appearance and Personalization > Personalization > Change Screen Saver.
2.) Select any screen saver other than None.
3.) Place a check next to On resume, display logon screen.
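The firewall, password, lockout and screen-saver settings above are applied through the Control Panel one workstation at a time. The following script is an added example, not part of this guide or of the Fore! Reservations software: it applies the same settings from an elevated PowerShell prompt on Windows Vista or Windows 7 and then reads them back as a report, so an installer can confirm a workstation against the requirements listed above. It assumes PowerShell 2.0 and the netsh advfirewall command (Windows XP uses netsh firewall instead, and does not ship PowerShell); the report field names are the script's own.

```powershell
# Added example (not from the Fore! Reservations guide): apply and then verify the
# workstation password, lockout, firewall and screen-saver settings the guide lists.
# Assumes an elevated PowerShell 2.0 prompt on Windows Vista/7. Windows XP needs
# "netsh firewall set opmode enable" instead of the advfirewall command.

# --- Password policy (guide: >= 7 chars, change every 90 days, no reuse of last 4) ---
net accounts /MINPWLEN:7 /MAXPWAGE:90 /UNIQUEPW:4 | Out-Null

# --- Lockout (guide: lock after at most 6 failures, for at least 30 minutes) ---
net accounts /LOCKOUTTHRESHOLD:6 /LOCKOUTDURATION:30 /LOCKOUTWINDOW:30 | Out-Null

# --- Password complexity (guide: numeric and alphabetic characters) ---
# "net accounts" cannot set this; export the local security policy, switch
# PasswordComplexity on and import it again with secedit.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet
(Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*0', 'PasswordComplexity = 1' |
    Set-Content $cfg -Encoding Unicode
secedit /configure /db "$env:TEMP\secpol.sdb" /cfg $cfg /areas SECURITYPOLICY /quiet
Remove-Item $cfg, "$env:TEMP\secpol.sdb" -ErrorAction SilentlyContinue

# --- Windows Firewall on for every profile (Domain, Private, Public) ---
netsh advfirewall set allprofiles state on | Out-Null

# --- Screen saver lock after 15 minutes for the current user ---
# ScreenSaveTimeOut is in seconds; ScreenSaverIsSecure = 1 is the
# "On resume, display logon screen" checkbox. scrnsave.scr is the blank screen saver.
$desk = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desk -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desk -Name ScreenSaverIsSecure -Value '1'
Set-ItemProperty -Path $desk -Name ScreenSaveTimeOut   -Value '900'
Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE'      -Value 'scrnsave.scr'

# --- Verify: parse "net accounts", netsh and the registry back into one report ---
function Get-BaselineReport {
    $acct = @{}
    net accounts | ForEach-Object {
        # Lines look like "Minimum password length:                 7"
        if ($_ -match '^(.+?):\s+(.+)$') { $acct[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    # One "State   ON" line per profile on an English Windows; three profiles expected.
    $fwOn = @((netsh advfirewall show allprofiles state) -match 'State\s+ON')
    New-Object PSObject -Property @{
        MinPasswordLength  = $acct['Minimum password length']
        MaxPasswordAgeDays = $acct['Maximum password age (days)']
        PasswordHistory    = $acct['Length of password history maintained']
        LockoutThreshold   = $acct['Lockout threshold']
        LockoutMinutes     = $acct['Lockout duration (minutes)']
        FirewallProfilesOn = $fwOn.Count
        ScreenSaverLocks   = ($ss.ScreenSaverIsSecure -eq '1' -and
                              $ss.ScreenSaveActive -eq '1' -and
                              [int]$ss.ScreenSaveTimeOut -le 900)
    }
}

Get-BaselineReport | Format-List
```

The screen-saver keys live under HKCU, so that part applies to the account running the script; repeat it for each Windows account that uses the workstation, or push the same values through Group Policy where a domain is available. Everything else is machine-wide.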

Protect Cardholder Data

Locally Stored Data

Fore! Reservations uses credit card masking, user-level security, and AES 256-bit encryption to store the primary account number (PAN), account name, and expiration date in the local database inside the network. These multiple levels of security ensure credit card data is stored in a manner that is compliant with PCI DSS.

User-Level Cardholder Data Access

When setting up employee user names in Fore! Reservations, the administrator is able to define whether a user can view full credit card numbers, or only the last four digits with the rest of the number masked. Use the following steps to set this up:
1.) Log in to Fore! Reservations as an admin user.
2.) Go to File > Setup > Users.
3.) Place a check under CC Security for any users who need the ability to view full credit card numbers.

It is important that only users who truly need the ability to see full credit card numbers have this access. Reducing the number of users with access to this data lessens the potential for security breaches.

User Timeout and Password Expiration

PCI DSS requires that any user who has access to sensitive cardholder data must have their session logged out after at most 15 minutes of idle time. Fore! Reservations enforces this for all users marked as either Admin or CC Security in the Users setup screen (see above).

Reseller and Integrators

Resellers and integrators should collect sensitive authentication data from customers only when needed to solve a specific problem. This data is only to be stored in specific, known locations with limited access. Collect only the limited amount of data needed to solve a specific problem. Encrypt sensitive authentication data while stored. Securely delete such data immediately after use.

Automatically Destroy Backups from Previous Versions

Backups from previous versions of Fore! Reservations may contain sensitive cardholder data. These backups must be destroyed in a secure manner, and Fore! Reservations provides the tools to do so. After an upgrade to Fore! Reservations 2011, the user is prompted at login if old files still exist. Since previous versions of Fore! Reservations are stored as backups on each computer, this prompt will appear on every computer installed with Fore! Reservations 2011 until all backups are shredded on that computer.

The deletion of any historical data is absolutely necessary for PCI DSS compliance. Place a checkmark next to each file that must be removed and click OK. Click OK to the confirmation warning stating that the files will be shredded and to begin the automatic shredding process.

As an extra level of security, all temporary files should be shredded from the computer. This is accomplished by doing the following:
1.) Start > All Programs > Accessories > Command Prompt.
2.) Type cipher /w:c: where 'c' is the drive on which Fore! Reservations is installed, and press Enter. This overwrites the free space on the drive so that the contents of previously deleted files cannot be recovered.

Depending on the size of the partition, this step may take as long as 24 hours or more. Since this procedure uses a great deal of the system's resources, it is recommended that it be allowed to run overnight to least impact day-to-day operations. Click OK to the message to continue with the Fore! Reservations upgrade.

Manually Destroy Other Sensitive Files

There are cases in which Fore! Reservations 2011 cannot automatically detect files that must be shredded. Examples include backup files from previous versions of Fore! Reservations stored on removable media, and backup files stored locally on the computer that have been renamed. It is the responsibility of the facility to destroy these and any other files containing sensitive cardholder data that are not stored in a PCI compliant manner. Fore! Reservations provides a tool to destroy these files manually. To accomplish this:
1.) Open Fore! Reservations and stop at the login screen.
2.) Type your admin username and password.
3.) Hold down the Shift key on the keyboard, and click Login.
4.) Select 4Tools and click OK.
5.) Click Shred Old Files.
6.) Click the ellipsis button to browse for the file to be shredded.
7.) In the lower right, select the type of file to be shredded.
8.) Browse for the file to be shredded, and click Open.
9.) Click the Shred button.
10.) Answer Yes to the message explaining that file shredding may take a while and to allow ample time for shredding to complete.
11.) Click OK once the file has been destroyed.

Repeat these steps as necessary until all non-compliant files have been destroyed. If any Fore! Reservations backups are stored on CD, DVD, or other optical media, physically destroy the media.

Credit Card Retention

The PCI DSS encourages merchants to keep cardholder data storage to a minimum. Data retention should be limited to the least amount of time necessary to meet any required standard business practices customary to the individual merchant. Fore! Reservations provides a credit card retention feature that will take care of the removal and disposal of all sensitive card data after a defined amount of time. To set up Credit Card Retention:
1.) Log in to Fore! Reservations as an admin user.
2.) Go to File > Setup > Options > Credit Card Retention tab.

Reservations

Reservation retention is the number of days after the reservation to keep the credit card. If the reservation retention is set to two days, today is October 10, 2010, and a reservation is made for January 4, 2011, the credit card will remain in Fore! Reservations until January 6, 2011. Select Always Retain to permanently keep the credit card in the reservations.

Customer Profile

Customer profile retention determines if a credit card can be stored in a customer's profile.

Customer History

Customer history retention is the number of days to keep credit card history in the customer history table. Select Always Retain to permanently keep the credit card history.

Payment History

Payment history retention is the number of days to keep the credit card information after an invoice is completed. Select Always Retain to permanently keep the credit card payment history.

Offline Processing

Offline processing retention is the number of days to keep credit cards while in offline mode. If your offline processing retention is set to three and you are processing credit cards in offline mode for five days, then when you activate credit card processing only the three previous days' transactions will be processed (the first two days' credit cards were cleared). Select Always Retain to permanently keep the credit card information in offline mode.

Customer Billing

Customer billing retention determines if a credit card can be stored in a customer's profile. This option will always override the Customer Profile retention policy. When this option is enabled, credit cards are only stored in a profile if the Charge Card option is selected for customer billing statements in the customer's profile.

This screen also appears after the successful installation of or upgrade to Fore! Reservations 2011. Please consult the Upgrade Guide for the exact steps following an upgrade. The credit card retention policies are enforced by a reaper built into the Fore! Reservations server scheduler. This reaping is run nightly.

Authorization

Sensitive authentication data (card validation value or code, PIN or encrypted PIN blocks, CVS information) is not captured or stored. In particular, it is not stored in any of the following locations:
- Incoming transaction data
- All logs (for example: transaction, history, debugging, error)
- History and Trace files
- Non-volatile memory, including non-volatile cache
- Database schemas and contents

Public Network Cardholder Data Access

Golfers who book reservations over the Internet are required to enter a credit card number during the booking process or when creating Internet profiles. This data is secured with 256-bit SSL encryption throughout the transmission process. An option available to a facility implementing Fore! Internet is the ability to prevent the golfer's credit card number from being sent into the local database during the booking process. Please speak with your Fore! Reservations Installer or Technical Support about setting this up, and whether or not it would be a good fit for your facility.

Things to Consider

Credit card or other personal data should never be transferred over an unsecured, unencrypted medium. This includes sending data over e-mail, writing credit card numbers on pieces of paper, storing data in notes fields in Fore! Reservations, and others. Keep in mind that you should never store any personal customer data on any device or in any software field that is not explicitly designed to handle such data in a secure manner.
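The Credit Card Retention settings above define when the nightly reaper is allowed to remove a stored card: a per-table number of days after the anchor date, or Always Retain. The following PowerShell model is an added example, not the guide's or the vendor's code, and the guide does not document the real table layout: the table names, record fields and sample records are constructed here so that an administrator can reason about what a given policy implies and check an export of stored cards against it. It uses the guide's own worked example (two-day reservation retention, a reservation for January 4, 2011) as one of its records.

```powershell
# Added example (not from the Fore! Reservations guide): a model of the retention
# rules described in the Credit Card Retention section. Table names, the record
# layout and the sample records are constructed for this example.

function Get-PurgeDate {
    # Returns the last calendar day on which the card is still kept, or $null
    # when the table is set to Always Retain.
    param([datetime]$Anchor, $RetentionDays)
    if ($null -eq $RetentionDays) { return $null }           # Always Retain
    return $Anchor.Date.AddDays([int]$RetentionDays)
}

function Get-OverdueRecords {
    # Lists records that are still present although their retention window has
    # passed as of $Today, i.e. records a correctly running reaper would have removed.
    param([object[]]$Records, [hashtable]$Policy, [datetime]$Today)
    foreach ($r in $Records) {
        # A table with no configured policy is an error, not "Always Retain":
        # a missing hashtable key would otherwise read as $null and never purge.
        if (-not $Policy.ContainsKey($r.Table)) {
            throw "No retention policy configured for table '$($r.Table)'"
        }
        $keepThrough = Get-PurgeDate -Anchor $r.Anchor -RetentionDays $Policy[$r.Table]
        if ($null -ne $keepThrough -and $Today.Date -gt $keepThrough) {
            New-Object PSObject -Property @{
                Table = $r.Table; Id = $r.Id; KeepThrough = $keepThrough.ToString('yyyy-MM-dd')
            }
        }
    }
}

# Policy: reservations kept 2 days after the reservation date (the guide's example),
# offline transactions 3 days, payment history set to Always Retain ($null).
$policy = @{ Reservation = 2; Offline = 3; PaymentHistory = $null }

# Constructed records. The anchor is the reservation date for reservations and the
# transaction date for the other tables. R-1 is the guide's worked example: made on
# October 10, 2010 for January 4, 2011, so it is kept through January 6, 2011.
$records = @(
    (New-Object PSObject -Property @{ Table = 'Reservation';    Id = 'R-1'; Anchor = [datetime]'2011-01-04' }),
    (New-Object PSObject -Property @{ Table = 'Offline';        Id = 'O-1'; Anchor = [datetime]'2011-01-01' }),
    (New-Object PSObject -Property @{ Table = 'Offline';        Id = 'O-2'; Anchor = [datetime]'2011-01-05' }),
    (New-Object PSObject -Property @{ Table = 'PaymentHistory'; Id = 'P-1'; Anchor = [datetime]'2010-10-10' })
)

# Report what should no longer be present the morning after the January 6 reaper run.
Get-OverdueRecords -Records $records -Policy $policy -Today ([datetime]'2011-01-07') |
    Format-Table Table, Id, KeepThrough -AutoSize
```

Because the reaper runs nightly, a record whose keep-through date was yesterday is expected to be gone today; anything the function reports is worth a look at the server scheduler and the General Log's retention-change entries.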

Maintain a Vulnerability Management Program

Anti-Virus Software

All computers running Fore! Reservations must have anti-virus software installed. Before installing Fore! Reservations, full system scans must be performed to ensure that the hard drive is free of any malware. Popular brands such as Symantec, McAfee, Computer Associates and others are sufficient. Windows Defender provides an additional layer of malware protection to complement your anti-virus software. This product comes pre-installed in Windows Vista, and is a free download from Microsoft's website for other versions of Windows.

The Fore! Reservations server will be shipped with McAfee VirusScan Enterprise Edition. The server already has firewall exceptions created to allow access to McAfee's update sites. Should the customer choose to use a different anti-virus product, it is the responsibility of the customer to make exceptions in the Windows Firewall to accommodate access to that product's virus definition update site. Procedures for creating exceptions for some of the more popular anti-virus suites can be found on the Fore! Reservations Customer Support website. Regardless of which anti-virus suite you choose, the software must be configured to perform regular full system scans and to download definition updates when they are available.

Windows Update

All computers on which Fore! Reservations will be installed, including the server, should have Automatic Updates enabled. Microsoft frequently identifies vulnerabilities in its operating systems and releases security patches, or updates, to resolve the issues. To enable Automatic Updates:

Windows XP:
1.) Start > Control Panel > Automatic Updates.
2.) Select Automatic (recommended).

Windows Vista:
1.) Start > Control Panel > Windows Update.
2.) On the left, click Change Settings.
3.) Select Install updates automatically (recommended).

Windows 7:
1.) Start > Control Panel > System and Security > Windows Update.
2.) On the left, click Change settings.
3.) Select Install updates automatically (recommended).

To lessen the impact on daily operations, you may want to schedule the updates to be performed during off hours. By default, both Windows XP and Vista schedule Automatic Updates for every day at 3:00 am. The Fore! Reservations server has been configured with exceptions to allow Internet connections to the Windows Update domains from all services that need access. Therefore, the steps listed above do not need to be performed on the server.

Data Execution Prevention (DEP)

Data Execution Prevention is a security feature introduced in Windows XP SP2, and included in all versions of Windows since, designed to prevent a malicious application from executing code from a non-executable memory region. Such programs can cause memory overflows and other errors that may compromise the integrity of data on a computer system. Out of the box, Windows XP, Vista, and 7 have DEP enabled for Windows code only. Fore! Reservations strongly recommends that DEP be enabled for ALL programs that run on the computer. To enable DEP for all programs:

Windows XP:
1.) Right-click My Computer > Properties.
2.) Click the Advanced tab.
3.) In the Performance section, click Settings.
4.) Click the Data Execution Prevention tab.
5.) Select Turn on DEP for all programs and services except those I select.

Windows Vista and Windows 7:
1.) Right-click Computer > Properties.
2.) Click Advanced System Settings.
3.) Click the Advanced tab.
4.) In the Performance section, click Settings.
5.) Click the Data Execution Prevention tab.
6.) Select Turn on DEP for all programs and services except those I select.
7.) Click OK.

Windows requires a reboot after adjusting these settings.
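The three checks in this chapter (anti-virus present, Automatic Updates on, DEP set to all programs) are the ones an installer has to repeat on every workstation. The script below is an added example, not from this guide or the vendor: it reads all three from the places Windows itself records them and reports them together, then applies the two that can be corrected from the command line. It assumes an elevated PowerShell 2.0 prompt on Windows Vista or 7; the WMI class, registry value and bcdedit switch used are standard Windows interfaces, and the report field names are the script's own.

```powershell
# Added example (not from the Fore! Reservations guide): report whether a Windows
# Vista/7 computer meets the anti-virus, Automatic Updates and DEP settings the
# guide calls for, then fix the last two where needed. Run from an elevated prompt.

$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-VulnMgmtReport {
    # Registered anti-virus products as Windows Security Center sees them
    # (root\SecurityCenter2 on Vista/7; Windows XP used root\SecurityCenter).
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                        -ErrorAction SilentlyContinue

    # Automatic Updates: AUOptions 1 = disabled, 2 = notify, 3 = download and notify,
    # 4 = "Install updates automatically" (the guide's setting).
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # DEP policy from the OS: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (Windows code only,
    # the default), 3 OptOut ("all programs and services except those I select").
    $dep      = [int](Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    New-Object PSObject -Property @{
        AntiVirusProducts   = (@($av | ForEach-Object { $_.displayName }) -join ', ')
        AntiVirusPresent    = (@($av).Count -gt 0)
        AutoUpdateOption    = $au.AUOptions
        AutoUpdateCompliant = ($au.AUOptions -eq 4)
        DepPolicy           = $depNames[$dep]
        DepCompliant        = ($dep -eq 3)
    }
}

$report = Get-VulnMgmtReport
$report | Format-List

# Remediate Automatic Updates to "Install updates automatically".
if (-not $report.AutoUpdateCompliant) {
    Set-ItemProperty -Path $auKey -Name AUOptions -Value 4 -Type DWord
}

# Remediate DEP to OptOut. The boot setting takes effect after the reboot the
# guide mentions, so the report will still show the old policy until then.
if (-not $report.DepCompliant) {
    bcdedit /set '{current}' nx OptOut
}
```

Anti-virus is deliberately report-only: which product is installed and how its update site is allowed through the firewall is a decision the guide leaves to the facility. If Automatic Updates is managed by Group Policy, the policy key under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU wins over the value set here.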

Implement Strong Access Control Measures

It is important to limit employee access to the various features of Fore! Reservations on a need-to-know basis. Fore! Reservations does this through the use of site keys, which are required to install the Fore! Reservations software on a workstation, and by establishing feature access based on user security levels. This helps ensure that all data in the system, personal to the customer or otherwise, is restricted to those assigned unique user names and complex passwords, and to computers loaded with the correct site file. See Procedures on Managing your Keys on page 28 for a more in-depth look at keys.

Creating Users

When installing Fore! Reservations with a brand new database and server for the first time, the user will be asked to create a user name and password. This is considered the Admin user. Remember that the password will need to meet complexity requirements (at least eight (8) characters, at least one (1) upper and one (1) lower case letter, and at least one (1) number). Once logged in, you can create additional users by doing the following:
1.) File > Setup > Users.
2.) Click New.

Keep in mind that Fore! Reservations requires all user names to be unique, and that only an admin user is able to create new users. Do not use default account names to access the database, such as admin or sa.

Security Levels

Fore! Reservations gives you the capability of assigning access to certain features of the software based on security levels. To assign security levels to the features of Fore! Reservations, go to View > Fore! Sell, then File > Setup > Options > Security tab. There you are able to assign security values to features covering both the point-of-sale and the tee sheet. The values are based on a scale of 1 to 5, with 5 being the highest security level.

Once the software security levels have been established, the user security levels can be assigned. To do this, in Fore! Reservations go to File > Setup > Users. Use the Security column to assign values, again based on the same 1 to 5 scale. You will notice other fields in this screen. Those will be addressed later in this document or in the Fore! Reservations user manual. Consult the Fore! Reservations 2011 user manual for definitions of all settings available on this window.

Key Management

Explanation of Types of Files and Keys Used

Database Key

This key is used to protect sensitive cardholder data within the Fore! Reservations database. This key is unique to every database that is housed on the Fore! Reservations server machine. AES 256-bit encryption is used to store secure information in the local database inside the network.

Site File

This file must be loaded into each client before you are able to use Fore! Reservations. It contains the information necessary to allow a client to communicate with your Fore! Reservations server machine. The information in this file is unique to each Fore! Reservations server machine.

Procedures on Managing your Keys

Create New Database Key

The Database Key is automatically created the first time you start up Fore! Reservations on a client machine once you have either upgraded to a PA-DSS compliant version of Fore! Reservations or performed a fresh installation of Fore! Reservations. The creation and backup of this key will be done behind the scenes and will not require any input from the user.

Restore Database Key

If a situation arises where the server is unable to access the Database Key, upon startup the Fore! Reservations user will receive the following prompt. Upon receiving this prompt, contact Fore! Reservations Customer Support immediately to initiate the recovery process for your Database Key. Once support is contacted, an e-mail will be sent to the facility's e-mail address on file containing half of the password needed to restore the Database Key. Fore! Reservations Customer Support will provide the other half of the password. Once the password is entered, the Database Key will be restored and available for use.

Rebuild Database

Rebuilding a database will cause the creation of a new Database Key and will re-encrypt all sensitive cardholder data in the database. To perform a Database Rebuild, complete the following steps:
1.) Make sure you have done a Local Backup of your Database.
2.) Enter your login information (only Admin users can run a Rebuild).
3.) Hold down the Shift key as you click the Login button.
4.) Click the Rebuild Database option on the System Utilities screen that comes up.
5.) Click OK and allow the Rebuild to finish.

Create Site File

Creating a Site File is necessary to allow client machines to connect to Fore! Reservations. Once Fore! Reservations is started for the first time on a new installation of Fore! Reservations, a Site File should be created and kept in a safe and secure place. To create a Site File, follow these steps:
1.) Enter your login information.
2.) Hold down the Shift key as you click the Login button.
3.) Click the Create Site File option on the System Utilities screen that comes up.
4.) Click OK.
5.) Enter a secure password into the prompt that appears.
6.) Click OK.
7.) Enter the password again to verify it. Click OK.
8.) Choose a location to store the Site File.
9.) Click Save.

Loading Site File

If a client cannot access the database on the Fore! Reservations server machine, you will be prompted to load a Site File, or to retrieve the Site File information from the Fore! Reservations servers if a Site File is unavailable. Click Yes to this prompt if you have a Site File on hand that you can load into the system. To do this, use the following steps:
1.) Click Yes to the prompt.
2.) Navigate to the location of the Site File and click Open.
3.) Enter the password that was used to create the Site File.
4.) If the Site File was successfully loaded you will be notified. If the password is incorrect, you are notified of the problem but will be unable to log into Fore! Reservations until the proper file or password is used.

If a Site File is unavailable and there are no clients available to create a Site File, follow these steps:
1.) Click No to the prompt.
2.) Enter your facility's Internet Parent ID. If you do not know this ID, contact Fore! Reservations Support at (630) to request it.
3.) If you are logging in from a location known to Fore! Reservations, you are asked to verify your Course's Information in a prompt.
4.) If you are logging in from a location unknown to Fore! Reservations, you are prompted to contact Fore! Reservations Customer Support to obtain a password to verify your location.
5.) Verify the Facility Information in the prompt; if it matches, click Yes.
6.) The following prompt appears.
7.) Contact Fore! Reservations Customer Support to obtain a password to enter into the screen. Once Fore! Reservations Customer Support generates a password, an e-mail will be sent to the facility's address on file with the other half of the password.
8.) Click Submit. The site information is now loaded onto your client.
9.) Use the procedure under the heading "Create Site File" to create a Site File so that a physical Site File is on hand.

Site Files

Other than the first client workstation installed with Fore! Reservations 2011, all new clients must be loaded with the Site File before the connection to an existing database is allowed. This is a combination of creating a Site File and loading a Site File as previously described in this chapter. To generate a Site File from the first client and load it onto the others:
1.) Open Fore! Reservations and stop at the login screen.
2.) Enter an admin user name and password. Hold down the Shift key on the keyboard and click Login with the mouse.
3.) Select Create Site File and click OK.
4.) Enter a complex password to encrypt the Site File, and click OK.
5.) Enter the password again to verify it.
6.) Insert a Fore! Reservations approved USB flash drive (NTFS formatted), and browse to and save the Site File to the flash drive.
7.) Click OK once the Site File has exported successfully.
8.) Take the flash drive to the next client to be upgraded. When connecting to the database created above, the Site File will be imported to allow an approved connection to the server.
9.) At the message asking to load the Site File, click Yes.
10.) Browse for and select the Site File saved to the flash drive.
11.) Enter the password of the encrypted Site File, and click OK.
12.) Click OK to the message saying the Site File was loaded successfully.

This new client computer will now be able to access the Fore! Reservations 2011 database on the server.

Regularly Monitor and Test Networks

File-integrity monitoring or change-detection software should be used on logs to ensure that existing log data cannot be changed without generating alerts. New data being added does not need to cause an alert. In the event of a security breach, logs are critical in assessing the nature and severity of unauthorized access to customer data. Fore! Reservations provides comprehensive audit utilities that allow administrative users to track user activities within the software. Two different logging mechanisms are used to accomplish this: the Windows Event Logs and the log tables stored within the Fore! Reservations database.

Windows Event Logs

To access the Windows Event Log:

Windows XP:
1.) Right-click My Computer, select Manage.
2.) On the left, expand Event Viewer.

Windows Vista and Windows 7:
1.) Right-click Computer, select Manage.
2.) On the left, expand Event Viewer.

Fore! Reservations records a variety of things to these logs. In the Application Log, items such as starting or stopping Fore! Reservations services or errors triggered by these services are recorded. Here is an example of an event generated by the Fore! Internet service being started:

Typically, Fore! Reservations events are found under the Application Log. Other logs track items such as users logging into Windows, installation of programs, Windows Updates, system restarts, and many others. For the most part, the majority of Event Viewer functionality is only available to Windows users with administrator privileges. This is another reason to limit this access to a select few employees when possible.

Fore! Reservations Log Tables

At the core of the Fore! Reservations audit tools are the log tables. These tables are accessible only to Fore! Reservations users who have been assigned admin rights. They can be viewed from any workstation as they are stored within the database.

Credit Card Log

This table is viewable from the View > Tables > Logs > Credit Card menu. Any time a user views a full credit card, a record of it is stored in this log, which includes the screen on which the credit card was viewed (TransCode of V) or added (TransCode of A), the date, the computer name, the user, and the suffix of the credit card.

36 Employee Log This table is viewable from the View Tables Logs Employee menu. Any time a user connects to the database by logging into Fore! Reservations, a record is stored in this log, which includes the user, type, the computer name, and date. General Log 36 P a g e

37 This table is viewable from the View Tables Logs General menu. Other system actions are stored in this log including (but not limited to) version updates, applied patches, retention changes, logs viewed, and ignored warning messages. SQL Express Logs SQL Express provides logs that are accessible for forensic analysis, if needed. These logs are available on the server only. Please consult with your Fore! Reservations Installer or Customer Support before accessing data on the server. Workstation and Network Resources The tracking and monitoring of all access to workstation and network resources is required by PCI DSS 10.2 and In particular, you must enable operating system audit policies to record: 1.) All actions taken by User IDs with root and administrative privileges. 2.) Access to operating system audit logs. 3.) Invalid logical access attempts (including logon failures). 4.) Creation and deletion of system-level objects (including operating system files and folders, and files and folders used by SQL Server). 5.) All access to the Fore! Reservations program folder and all subfolders and files within those folders. Failure to maintain these operating system audit logs will result in non-compliance with PCI DSS. 37 P a g e
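The following PowerShell script is an added example and is not part of the Fore! Reservations guide or the product. It turns on the operating system audit policy items listed above with the built-in auditpol tool, adds an audit entry (SACL) to the application folder so that access to it is recorded, and then shows how to retrieve the resulting events, which ties back to the Windows Event Log section earlier. The folder path and the 'Fore! Internet' provider name are placeholders that must be replaced with the values on your own installation; auditpol and Get-WinEvent are assumed to be available, which is the case on Windows Vista and Windows 7 but not on Windows XP. Run it from an elevated prompt; the auditpol category names are the US English ones.

```powershell
# Added example, not part of the Fore! Reservations guide: enables the audit policy
# items the guide lists and adds a SACL to the application folder, then reads events.
# Run from an elevated PowerShell prompt on Windows Vista/7 (auditpol is not on XP).

$ForeFolder = 'C:\Program Files\Fore Reservations'   # ASSUMED path; use your real install folder

# 1.) Actions by administrative accounts: "Special Logon" records a logon that was
#     granted administrative privileges; "Process Creation" records what it then ran.
auditpol /set /subcategory:"Special Logon"    /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# 2.) Access to the audit logs themselves and any change to the audit policy.
auditpol /set /subcategory:"Audit Policy Change"        /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# 3.) Invalid logical access attempts, including failed logons and lockouts.
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable

# 4.) and 5.) File and folder creation/deletion and access to the program folder:
#     object-access auditing is switched on globally, then the folder gets a SACL
#     entry that says which accesses to record.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

function Add-FolderAuditRule {
    param([string]$Path)
    # Record every kind of access by every principal, success and failure, and let the
    # entry inherit to subfolders and files. Expect a high event volume on this folder.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Add-FolderAuditRule -Path $ForeFolder

# Confirm the effective policy before relying on it.
auditpol /get /category:*

# Reviewing the result: failed logons are event 4625 in the Security log and file-system
# audit records are event 4663. Application-log events from the Fore! services are
# filtered by provider name; 'Fore! Internet' is a placeholder for the name Event Viewer shows.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Fore! Internet' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Auditing FullControl on the program folder matches the guide's "all access" wording but generates many 4663 events; size the Security log accordingly (Event Viewer, Properties on the log) so that older records are not overwritten before they have been reviewed or forwarded.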

Maintain an Information Security Policy

A strong company security policy is the key to maintaining a safe and secure environment for processing and storing personal cardholder data. Every employee must be properly trained in the responsibilities involved in keeping sensitive data safe. Once trained, it is the responsibility of management to monitor staff access to this data using any and all of the tracking tools provided. Again, the number of employees that have access to this database should be restricted to only those with a business need. Create a set of written policies and procedures to handle all aspects of receiving, recording, and processing sensitive card data. Thorough documentation of any discovered breaches of these policies is encouraged.

Other Considerations

Wireless Networks

Fore! Reservations DOES NOT support wireless networks of any type. If your facility chooses to implement a wireless hot spot for customer Internet access, please consult with a properly trained IT professional who will ensure the security of the network.

Removable Backups

Fore! Reservations provides 10 pre-formatted flash drives for removable backup purposes. The flash drives are labeled by day of the week, plus additional drives for off-site backup. These flash drives should be stored in a fireproof safe when not in use, and should only be used for Fore! Reservations backups.

File and Printer Sharing

According to PA-DSS, file and printer sharing must be disabled on all devices within the payment application network. All printers that are accessible from other workstations must be network interface printers, meaning they must have onboard network cards. Feel free to contact Fore! Reservations for advice on compatible printers. If upgrading from an earlier version of Fore! Reservations (2009 and before), any folder shares that were necessary for client access to the database must be removed.

To disable File and Printer Sharing:

Windows XP:
1.) Go to Start > Control Panel > Network Connections.
2.) Right-click on the Local Area Connection, and select Properties.
3.) Uncheck File and Printer Sharing for Microsoft Networks.

Windows Vista:
1.) Go to Start > Control Panel > Network and Sharing Center.
2.) Under File Sharing, select Turn off file sharing.
3.) Under Printer Sharing, select Turn off printer sharing.

Windows 7:
1.) Go to Start > Control Panel > Network and Internet > Network and Sharing Center.
2.) On the left, select Change advanced sharing settings.
3.) Under File and printer sharing, select Turn off file and printer sharing.

Clock Synchronization

Fore! Reservations automatically enforces a time synchronization environment dictated by the server. Disabling any network time protocol features on any workstation is strongly discouraged.

Remote Access

Fore! Reservations does not provide technical support for any remote access technology used to connect to the facility's payment network from an outside location. Windows Remote Desktop, GoToMyPC, and LogMeIn are popular technologies used today. If your facility does choose to implement such a setup, you must use a method of two-factor authentication to establish a secure connection between networks. Remote Desktop connections through VPNs based on SSL/TLS or IPSEC, and LogMeIn Professional using PhoneFactor, are both examples of two-factor authentication. Consult with a fully qualified IT professional for assistance in the set up and support of these technologies.

Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
1.) Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
2.) Verify user identity before performing password resets.
3.) Set first-time passwords to a unique value for each user and change them immediately after the first use.
4.) Immediately revoke access for any terminated users.
5.) Remove inactive user accounts at least every 90 days.
6.) Enable accounts used by vendors for remote maintenance only during the time period needed.
7.) Communicate password procedures and policies to all users who have access to cardholder data.
8.) Do not use group, shared, or generic accounts and passwords.
9.) Change user passwords at least every 90 days.
10.) Require a minimum password length of at least seven characters.
11.) Use passwords containing both numeric and alphabetic characters.
12.) Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
13.) Limit repeated access attempts by locking out the user ID after not more than six attempts.
14.) Set the lockout duration to 30 minutes or until an administrator enables the user ID.
15.) If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal.
16.) Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

Customer Support

Fore! Reservations Customer Support, Installers, and customers must never send any sensitive data through any medium that is not properly secured within the standards set forth by PCI DSS, such as e-mail or physical shipment of data (US Postal Service, UPS, etc.). Fore! Reservations 2011 provides the tools necessary for the secured transmission of data from the customer's facility to the support staff and vice versa. These tools are available in the System Utilities window and utilize two-factor authentication, whether through phone or e-mail, to securely transmit databases or other files needed for customer support troubleshooting. Please consult with Fore! Reservations Customer Support before using these features.

Fore! Reservations Customer Support and Installers will never ask for passwords. All passwords and other sensitive data are to be kept and managed by the customer.
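The following PowerShell script is an added example, not code from the Fore! Reservations guide or product. It covers two of the procedures above on a stand-alone workstation: it lists and removes the legacy folder shares that the File and Printer Sharing section says must go after an upgrade, and it applies the authentication items 5 and 9 through 15 using the tools built into Windows XP, Vista and 7 (net accounts, secedit, the registry keys behind the password-protected screen saver, and the WinNT ADSI provider for the inactive-account report). It assumes the workstation is not domain-joined; on a domain member these values come from Group Policy instead. The function names and the temporary file names are my own.

```powershell
# Added example, not part of the Fore! Reservations guide: removes legacy folder shares
# and applies the local account-policy values listed above (items 5, 9-15) on a
# stand-alone Windows XP/Vista/7 workstation. Run from an elevated prompt.

# --- File and Printer Sharing: report and remove folder shares left over from 2009 and earlier.
#     Type 0 = disk share. Administrative shares (C$, ADMIN$) are reported but left alone,
#     since they are not folder shares that were created for client access.
function Remove-LegacyFolderShares {
    param([switch]$ReportOnly)
    Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
        if ($_.Name -match '\$$') {
            Write-Host "Admin share kept:  $($_.Name) -> $($_.Path)"
        } elseif ($ReportOnly) {
            Write-Host "Would remove share: $($_.Name) -> $($_.Path)"
        } else {
            $rc = $_.Delete().ReturnValue          # 0 = success
            Write-Host "Removed share $($_.Name): return code $rc"
        }
    }
}
Remove-LegacyFolderShares -ReportOnly     # review the list first, then run without -ReportOnly

# --- Items 9, 10, 12, 13, 14: password age (days), length, history depth, lockout
#     threshold, and lockout duration/observation window (minutes).
net accounts /maxpwage:90 /minpwlen:7 /uniquepw:4 /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30

# --- Item 11: passwords must contain letters and digits. Windows exposes this as the
#     "Password must meet complexity requirements" policy, applied here through secedit.
$inf = Join-Path $env:TEMP 'pwcomplexity.inf'   # temporary file names are my own choice
$db  = Join-Path $env:TEMP 'pwcomplexity.sdb'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY

# --- Item 15: require the password again after 15 idle minutes. On a workstation this is
#     the password-protected screen saver; the timeout is stored in seconds (900 = 15 min).
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value '900'

# --- Item 5: report enabled local accounts with no logon in the last 90 days so they can be
#     removed. The WinNT ADSI provider exists on XP through 7 (Get-LocalUser does not).
function Get-StaleLocalAccounts {
    param([int]$Days = 90)
    $cutoff   = (Get-Date).AddDays(-$Days)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($u in $computer.Children) {
        if ($u.SchemaClassName -ne 'user') { continue }
        if (($u.UserFlags.Value -band 0x2) -ne 0) { continue }   # ADS_UF_ACCOUNTDISABLED
        $last = $null
        try { $last = [DateTime]$u.LastLogin.Value } catch { }   # throws if never logged on
        if ($last -eq $null -or $last -lt $cutoff) {
            New-Object PSObject -Property @{ Name = $u.Name.Value; LastLogin = $last }
        }
    }
}
Get-StaleLocalAccounts -Days 90 | Format-Table Name, LastLogin -AutoSize

# Show the resulting account policy so it can be recorded in the facility's documentation.
net accounts
```

The screen saver keys are per user (HKCU), so they must be set for every Windows account that logs on to the workstation, or pushed through a local policy; the other settings apply to the whole machine. The stale-account report deliberately does not delete anything, since the guide expects a human decision before an account is removed.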


I acknowledge that I have received and read all documents pertaining to PA-DSS and understand them.

Print Name:
Signature:
Position:
Facility Name:
Date:


More information

ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference. December 2016

ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference. December 2016 ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference December 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,

More information

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1 COMPLIANCE BRIEF: HOW VARONIS HELPS WITH OVERVIEW The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how firms that process credit card and other similar

More information

GFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd.

GFI EventsManager 8 ReportPack. Manual. By GFI Software Ltd. GFI EventsManager 8 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-Mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Guide to Simple Network Design PCATS Recommendation, April 14, 2011

Guide to Simple Network Design PCATS Recommendation, April 14, 2011 Guide to Simple Network Design PCATS Recommendation, April 14, 2011 Abstract This document provides guidance on simple network design for typical C-Store environments. In addition, this document provides

More information

Daisy 8.0 Release Notes

Daisy 8.0 Release Notes Daisy 8.0 Release Notes Daisy Technical Support 888.324.7963 Printed in U.S.A. 2010 Teleflora Information in this document is subject to change without notice. Companies, names and data used in examples

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

VAX VacationAccess Booking Engine

VAX VacationAccess Booking Engine Amadeus Tours - VAX VacationAccess VAX VacationAccess Booking Engine Frequently Asked Questions Intentionally left blank January 2013 VAX VacationAccess Page 2 Version Date: January 29, 2013 Table of Contents

More information

Navigating the PCI DSS Challenge. 29 April 2011

Navigating the PCI DSS Challenge. 29 April 2011 Navigating the PCI DSS Challenge 29 April 2011 Agenda 1. Overview of Threat and Compliance Landscape 2. Introduction to the PCI Security Standards 3. Payment Brand Compliance Programs 4. PCI DSS Scope

More information

Version 18.1 Web/VRU/CSR Upgrade Installation and Configuration. August 15, 2013

Version 18.1 Web/VRU/CSR Upgrade Installation and Configuration. August 15, 2013 Version 18.1 Web/VRU/CSR Upgrade Installation and Configuration August 15, 2013 Table Of Contents Section Subject 1 Overview 2 Installation and Environment Considerations 3 Performing the Relius Administration

More information

PCI DSS 3.2 AWARENESS NOVEMBER 2017

PCI DSS 3.2 AWARENESS NOVEMBER 2017 PCI DSS 3.2 AWARENESS NOVEMBER 2017 1 AGENDA PCI STANDARD OVERVIEW PAYMENT ENVIRONMENT 2ACTORS PCI ROLES AND RESPONSIBILITIES MERCHANTS COMPLIANCE PROGRAM PCI DSS 3.2 REQUIREMENTS 2 PCI STANDARD OVERVIEW

More information

InventoryControl Quick Start Guide

InventoryControl Quick Start Guide InventoryControl Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY PRODUCTS OR SERVICES ARE

More information

SIMSAnywhere. User Guide. For use with SIMS version 6.0

SIMSAnywhere. User Guide. For use with SIMS version 6.0 SIMSAnywhere User Guide For use with SIMS version 6.0 Copyright Copyright 2012 FlanTech Inc. All rights reserved. Trademarks SIMS is a trademark of FlanTech Inc. Microsoft Windows and Windows NT are registered

More information

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) Installation Guide NEC NEC Corporation October 2010 NDA-30362, Revision 15 Liability Disclaimer NEC Corporation reserves the right

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Equitrac Integrated for Konica Minolta. Setup Guide Equitrac Corporation

Equitrac Integrated for Konica Minolta. Setup Guide Equitrac Corporation Equitrac Integrated for Konica Minolta 1.2 Setup Guide 2012 Equitrac Corporation Equitrac Integrated for Konica Minolta Setup Guide Document Revision History Revision Date Revision List November 1, 2012

More information

Best Practices Guide to Electronic Banking

Best Practices Guide to Electronic Banking Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have

More information

PSEG SSL VPN USER GUIDE

PSEG SSL VPN USER GUIDE PSEG SSL VPN USER GUIDE FOR NON-CORPORATE PCs (Windows 7, Vista, XP, and MAC OS X) TABLE OF CONTENTS QUICK CONNECT TO SSL VPN... 1 Connect to SSL VPN... 1 Disconnect from SSL VPN... 1 FIRST TIME USER SETUP...

More information

Standard CIP Cyber Security Systems Security Management

Standard CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-1 3. Purpose: Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. December 2018 Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect

More information

NETePay POSPAD. Moneris Canadian EMV Host. Installation & Configuration Guide V5.07. Part Number:

NETePay POSPAD. Moneris Canadian EMV Host. Installation & Configuration Guide V5.07. Part Number: NETePay POSPAD Installation & Configuration Guide Moneris Canadian EMV Host V5.07 Part Number: 8660.83 NETePay Installation & Configuration Guide Copyright 2006-2017 Datacap Systems Inc. All rights reserved.

More information

PCI Compliance Assessment Module

PCI Compliance Assessment Module User Guide PCI Compliance Assessment Module Instructions to Perform a PCI Compliance Assessment V20180316 Network Detective PCI Compliance Module without Inspector User Guide Contents About the Network

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

Fiery proserver User Guide

Fiery proserver User Guide Fiery proserver User Guide Congratulations on your purchase of the EFI Fiery proserver, a powerful production solution for your printer. Before you begin Make sure that you have: About this document Installed

More information

WHITE PAPER- Managed Services Security Practices

WHITE PAPER- Managed Services Security Practices WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to

More information

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions. If your business processes Visa and MasterCard debit or credit card transactions, you need to have Payment Card Industry Data Security Standard (PCI DSS) compliance. We understand that PCI DSS requirements

More information