Changing PCI Security

GlobalWare is Payment Card Industry (PCI) compliant when you first install it. This means that GlobalWare enables encryption for primary account numbers (PANs) and sets other PCI-related security options to the minimum PCI compliance standards by default. If you store sensitive cardholder data in your GlobalWare database, it is important that you not change these controls to less than PCI compliance standards. However, if you take GlobalWare out of PCI scope by truncating the PAN so that only the first six and last four characters are visible, you can use the PCI Security function to change PCI security settings as appropriate. Access to these settings should be limited to agency database administrators and GlobalWare password administrators.

Notes:

• Encryption and logging for PCI security consumes memory and storage resources, so if PANs are not required for your business needs, do not store them in the GlobalWare database. GlobalWare records all valid and invalid attempts by users of any type to connect to or disconnect from the GlobalWare database in the Admin Access Log and in the database log (DBlog.txt), which is located in the GlobalWare program folder (Gblware) on your computer. (You indicated where the Gblware folder should be located when you installed GlobalWare.)  For PCI compliance, you must keep log data for a minimum of 90 days unless you have taken GlobalWare out of PCI scope.
• Whether you have taken GlobalWare out of PCI scope or not, it is recommended that you use the Replace CC Numbers (RepCCNum.exe) utility to permanently alter historical PANs when a business need for them no longer exists. For more information, see Replace CC Numbers Utility.
• It is strongly recommend that you not store any PANs or other sensitive cardholder data outside of standard GlobalWare database fields designed for that purpose. However, if you need to store sensitive data apart from the standard database fields, GlobalWare provides secure comment fields that are dynamically encrypted per individual record, according to PCI encryption requirements.

For a linked list of documents related to GlobalWare and PCI compliance, see Documents Related to PCI Compliance.

Changing PCI Security Settings

To change PCI security settings:

1. On the System menu, click PCI Security.

   Note: To access the PCI Security function, your employee account profile must have Low or High permission selected under System Menu and PCI Security selected under System Access on the Employee Security screen. For more information, see Employee Security.

   The PCI Security screen appears.

   PCI Security screen

   

   Note: Default settings on this screen (as shown above) represent minimum requirements for PCI compliance. You can reset this screen to its default settings at any time by clicking RESTORE.

   Field and button descriptions

   The following table describes the fields on the PCI Security screen.

   Field	Description
   Encrypt DB Columns	Indicates whether to enable encryption of table columns in the GlobalWare database related to credit card numbers, comments, tax IDs, and Social Security numbers if selected for encryption. By default, only columns for credit card numbers are selected. To add a GlobalWare column for encryption, select the appropriate field in the GlobalWare Fields box and click the right-arrow () button to move it to the Columns to Encrypt box. To remove a GlobalWare column from encryption, select the appropriate column in the Columns to Encrypt box and click the left-arrow () button to move it to the GlobalWare Fields box. Credit card number columns in the database are encrypted with dynamic encryption keys that are unique to every GlobalWare database.
   Enable System Idle/Timeout	Indicates whether to enable timeout when computer idle time (with no keyboard or cursor activity) is reached, as specified in the Min field. This option is selected by default.
   Min	Number of minutes of computer idle time (with no keyboard or cursor activity) allowed before timeout occurs. You can select from 15 minutes to two hours in 15-minute increments from the drop-down list. The default is 15 minutes. To enable this feature, select the Enable System Idle/Timeout check box.
   Lockout After Invalid Attempts	Indicates whether lockout should occur after a user reaches the maximum number of invalid log-on attempts specified in the Num field. By default, a user is locked out after six invalid password attempts. A locked-out user can try again in 30 minutes. This option is selected by default. If the Enable E-Mail Password Reset check box is selected for the user on the Edit Employee screen, the user also receives an SMTP e-mail message after their last invalid password attempt, which provides a temporary password and asks the user a security question. GlobalWare verifies the user's answer before allowing access. The security question and its answer are set up for the user on the Employee Security screen. For more information, see Edit Employee Screen and Employee Security.
   Num	Maximum number of invalid log-on attempts a user is allowed before lockout occurs. You can select a number from 3 to 15 in increments of 3 from the drop-down list. The default is 6. To enable this feature, select the Lockout After Invalid Attempts check box.
   Days	For employee accounts and service accounts, set the number of days before a password expires. A Service Account is a robotic that accesses GlobalWare through a third-party application. The Service Account option must be selected in the Account ID settings. You can select from 30 to 360 days in 30-day increments from the drop-down list. You can also select 999 days. The default is 90 days. Note: Users must use a minimum of eight alphanumeric characters for passwords. GlobalWare stores the last four passwords for each user so they cannot be reused. GlobalWare encrypts password and historical password information and does not make this information accessible to GlobalWare users.
   Store Log	Indicates whether GlobalWare should store the Admin Access Log. This log records GlobalWare logon/logoff activity, GlobalWare install/uninstall activity, and other GlobalWare activity related to PCI security, such as viewing credit card data. This option is selected by default. Note: You can archive stored log data by clicking ARCHIVE. It is highly recommended (for PCI compliance) that you archive this log only for data that is 90 or more days old. For details, see Archiving the Admin Access Log below.
   Print Access Log	Indicates whether to print the Admin Access Log. The log records GlobalWare logon/logoff activity, GlobalWare install/uninstall activity, and other GlobalWare activity related to PCI security, such as views of credit card data. This option is selected by default. For more information, see Printing the Admin Access Log below.
   Print Employee Access Log	Indicates whether to print the Employee Access Log. The log records access-level settings related to PCI security for all employees. This option is selected by default. For more information, see Printing the Employee Access Log below.
   Enable Secure Delete	Indicates whether to enable automated secure deletion of PANs. This consists of three deletion passes over the data and a final pass to replace digits with the character specified in the Replace Others With field. This option is not selected by default. Secure Delete is a Sybase service that requires rebooting your computer (for standalone implementations) or your server (for multi-user implementations) after you enable it.
   For All Encrypted Fields	Indicates whether encrypted fields marked with an asterisk (*) in the Columns to Encrypt box should be excluded from automated secure deletion. These fields contain personally identifiable information (PII). This option is available only if Enable Secure Delete is selected.
   Run for Every number Days of Data	Number of days to collect PAN data before running the Secure Delete process. This process runs whenever the specified number of days passes after the previous run and deletes that number of days of data older than the specified number of days. For example, if you select 30 days, after 30 days pass, the next 30 days of data (after the 30th day and up to and including the 60th day) will be deleted. You can select from 15 to 90 days in 15-day increments from the drop-down list. The default setting is 15 days. This field is available and required only if Enable Secure Delete is selected. Note: This feature is not designed to delete historical PANs. You should use the Replace CC Numbers (RepCCNum.exe) utility to manually do this. For more information, see Replace CC Numbers Utility.
   Time At	System time when the Secure Delete process should run. Because this can be a lengthy process, it is recommended that you choose an off-peak time, such as at night. This field is available and required only if Enable Secure Delete is selected.
   Day On	Day of the week when the Secure Delete process should run. Alternatively, you can select the first day of the month, the 15th day of the month, or both. Because this can be a lengthy process, it is recommended that you choose an off-peak day, such as on the weekend. This field is available and required only if Enable Secure Delete is selected.
   Replace All Except Last number Digits	Number of digits at the end of PANs to not replace with the masking character specified in the Replace Others With field. The default is four digits. This field is available only if Enable Secure Delete is selected. You cannot leave this field blank.
   Replace All Except First number Digits	Number of digits at the beginning of PANs to not replace with the masking character specified in the Replace Others With field. The default is six digits. This field is available only if Enable Secure Delete is selected. You cannot leave this field blank.
   Replace Others With	Masking character with which to replace PAN digits, except those specified by the Replace All Except Last number Digits and Replace All Except First number Digits fields. The default masking character is 'X'. This field is available only if Enable Secure Delete is selected. You cannot leave this field blank.

   The following table describes the buttons on the PCI Security screen.

   Button	Description
   PRINT	Prints the Admin Access Log for the date or range of dates you specify and/or prints the Employee Access Log. For details, see Printing the Admin Access Log and Printing the Employee Access Log below.
   ARCHIVE	Archives the Admin Access Log. It is highly recommended (for PCI compliance) that you archive this log only for data that is 90 or more days old. This button is available only if Store Log is selected. For details, see Archiving the Admin Access Log below.
   RESTORE	Restores PCI security settings on this screen to the default settings, which meet minimum PCI compliance standards. For details, see Restoring PCI Security to Default Settings below.
   SAVE	Saves changes and closes the screen.

2. Complete the fields as appropriate.

3. Click SAVE.

   By default, all controls on the PCI Security screen are set to the minimum PCI compliance standards. A message appears if you set these controls to less than what PCI compliance requires. However, the message allows you to continue.

4. If you selected Enable Secure Delete, you receive a message indicating that you must restart your GlobalWare service before your PCI settings can take effect. Click OK, exit GlobalWare, and reboot your computer (for standalone implementations) or your server (for multi-user implementations).

Printing the Admin Access Log

The Admin Access Log records GlobalWare logon/logoff activity, GlobalWare install/uninstall activity, and other GlobalWare activity related to PCI security, such as views of credit card data.

To print the log:

1. On the PCI Security screen, ensure Print Access Log is selected, and then click PRINT.

   The Choose a Date dialog box appears.

   Choose a Date dialog box

   

2. Specify dates related to admin access events, as follows:

   • For a range of dates, specify a beginning date in the From field and an ending date in the To field.
   • For a range of dates with no beginning date, leave the From field blank and specify an ending date in the To field.
   • For a range of dates with no ending date, specify a beginning date in the From field and leave the To field blank.
   • For a particular date, specify the same date in the From and To fields.

3. Click OK.

   The Send to dialog box appears. Select a report destination. For more information, see Printing Overview.

Log Example

Archiving the Admin Access Log

You might need to archive and purge data in the Admin Access Log to conserve memory and storage resources.

To archive and purge log data:

1. On the PCI Security screen, ensure Store Log is selected, and then click ARCHIVE.

2. In the Choose a Date dialog, select a date up to which you want log data archived and purged.

   Note: For PCI compliance, do not specify a date within 90 days of the current date. You must keep log data for a minimum of 90 days unless you have taken GlobalWare out of PCI scope.

3. Click OK.

   GlobalWare archives and purges log data up to the date you specified. The archived data is in an Excel spreadsheet (.CSV file) in an ARCHIVE folder in the GlobalWare program folder (Gblware) on your computer. You indicated where the Gblware folder should be located when you installed GlobalWare.

   Note: A message appears if you specified a date within 90 days of the current date, which is a violation of what PCI compliance requires. However, the message allows you to continue. You can continue if you have taken GlobalWare out of PCI scope.

Printing the Employee Access Log

The Employee Access Log records access-level settings related to PCI security for all employees. Specifically, the log shows the following access levels for each employee:

• System Security (No Access, None, Low, or High)
• Employee Security (Y or N)
• Mask Credit Card Number (Y or N)
• Mask Social Security Number (Y or N)
• Mask Tax ID Number (Y or N)

Every Y in the log is bold and green to easily see access levels.

The Employee Security function determines security levels for each employee. For more information, see Employee Security.

To print the log, ensure Print Employee Access Report is selected on the PCI Security screen, and then click PRINT. The Send to dialog box appears. Select a report destination. For more information, see Printing Overview.

Notes:

• If you select both Print Access Log and Print Employee Access Log, GlobalWare prints the Admin Access Log first. Therefore, the Choose a Date dialog box appears. For details, see Printing the Admin Access Log above.
• The log displays every Y in bold and green to make it easier to find them.

Log Example

Restoring PCI Security to Default Settings

To restore PCI security settings on the PCI Security screen to their default settings, click RESTORE. You should do this if you were out of PCI scope and changed these controls, but now want to start storing PANs for business needs.