Transcription
CyberSourcePayment Manager 6.4PABP Implementation GuideOctober 2008
CyberSource Contact InformationFor questions about CyberSource Payment Manager, emailsoftware-support@cybersource.com.For general information about our company, products, and services, go tohttp://www.cybersource.com.For sales questions about any CyberSource Service, email sales@cybersource.com or call650-965-6000 or 888-330-2300 (toll-free in the United States).For support information about any CyberSource service, visit the Support Center athttp://www.cybersource.com/support.Copyright 2008 CyberSource Corporation. All rights reserved. CyberSource Corporation ("CyberSource")furnishes this document and the software described in this document under the applicableagreement between the reader of this document ("You") and CyberSource ("Agreement"). You mayuse this document and/or software only in accordance with the terms of the Agreement. Except asexpressly set forth in the Agreement, the information contained in this document is subject tochange without notice and therefore should not interpreted in any way as a guarantee or warrantyby CyberSource. CyberSource assumes no responsibility or liability for any errors that may appearin this document. The copyrighted software that accompanies this document is licensed to You foruse only in strict accordance with the Agreement. You should read the Agreement carefully beforeusing the software. Except as permitted by the Agreement, You may not reproduce any part of thisdocument, store this document in a retrieval system, or transmit this document, in any form or byany means, electronic, mechanical, recording, or otherwise, without the prior written consent ofCyberSource.Restricted Rights LegendsFor Government or defense agencies. Use,duplication, or disclosure by the Government ordefense agencies is subject to restrictions as set forth the Rights in Technical Data andComputer Software clause at DFARS 252.227-7013 and in similar clauses in the FAR andNASA FAR Supplement.For civilian agencies. Use, reproduction, or disclosure is subject to restrictions set forth insubparagraphs (a) through (d) of the Commercial Computer Software Restricted Rights clause at52.227-19 and the limitations set forth in CyberSource Corporation's standard commercialagreement for this software. Unpublished rights reserved under the copyright laws of the UnitedStates.TrademarksCyberSource, the CyberSource logo, SmartCert, and PaylinX are registered trademarks ofCyberSource Corporation in the U.S. and other countries. The Power of Payment, CyberSourcePayment Manager, CyberSource Risk Manager, CyberSource Decision Manager, and CyberSourceConnect are trademarks and/or service marks of CyberSource Corporation. All other brands andproduct names are trademarks or registered trademarks of their respective owners.CPM PCI Compliance Guide CyberSource Corporation October 2008ii
ContentsDocumentation Changes and Enhancements . ivPCI Compliance Guide .1What Is PCI?.1Protecting Stored Data.2Locating the CPM Database .2Separating CPM and Database Administration .4Using Database Encryption .4Key Management Best Practices .4Ensuring Passphrase Strength .5Preventing Storage of Certain Sensitive Data .6Secure Deletion of Sensitive Data .6Disposal of Settlement Files.6Using Record Format Logging Correctly .7Using Secure Passwords.8Password Management Rules .8Setting the Database Password .9Logging In to the Administration Client .9Turning On CPM Security .10Logging Application Activity.11Securing Data Transmission Across Networks.12Remote Access .12Wireless Access.12Building a Secure Application.13CPM PCI Compliance Guide CyberSource Corporation October 2008iii
Documentation Changes andEnhancementsThe following table lists changes made in recent releases of this document:ReleaseChanges6.4 Updated to comply with PABP version 1.4 standard.6.2.5 Updated the CPM version number to 6.2.5. Updated the CPM version number to 6.2. Initial creation in accordance with PABP version 1.1.6.26.0Updated gateway processor name: changed Midwest Payment Systems (MPS) to FifthThird Processing Solutions (FTPS).Added a new processing gateway, BA Merchant Services, to Table 1 on page 7.CPM PCI Compliance Guide CyberSource Corporation October 2008iv
PABP Implementation GuideThis document describes how a merchant using CyberSource Payment Manager (CPM)version 6.0 or later should configure and use CPM to facilitate the merchant’s compliancewith the Payment Card Industry (PCI) Data Security Standard.If you are not already familiar with the basic components of CPM, see the introductorychapter of the CPM Setup Guide.Also refer to the CPM Release Notes for version 6.0 and 6.4, which give further informationabout specific enhancements in the CPM software related to PCI.What Is PCI?The term PCI refers to the Payment Card Industry Data Security Standard. PCI givescommon industry security requirements for safeguarding cardholder data. Seewww.visa.com/cisp for more information. If you do not become compliant with theserequirements, the card associations or your acquirer may choose to impose fines orrestrictions on you.CPM 6.4 meets the Visa/MasterCard Payment Application Best Practices (PABP) version1.4 standard for PCI compliance as stipulated in version 1.1 of the PCI standard (CPM 6.0to 6.3 meets PABP version 1.1). If you are working to meet PCI compliance requirements,as part of your efforts you should upgrade to the latest version of CPM and follow theinstructions in this guide.Both you (the merchant) and CyberSource have specific responsibilities in the matter ofprotecting cardholder data and achieving PCI compliance. For example, in the area ofprotecting stored data, CyberSource developed CPM with a feature that allows thecardholder account number in the CPM database to be encrypted. Your responsibility is toturn on this encryption feature and use it according to the guidelines in this document.PCI compliance covers multiple aspects of your system, including CPM. This guide onlyaddresses PABP as it pertains to CPM and how to use it in a manner that will allow you tomeet PCI requirements. It is up to you to determine any changes needed in the rest of yoursystem to meet overall compliance. CyberSource offers a PCI Compliance Service that canCPM PCI Compliance Guide CyberSource Corporation October 20081
Chapter 1 PABP Implementation GuideProtecting Stored Datahelp you achieve and maintain compliance for your whole system. For more information,contact your CyberSource account representative.Protecting Stored DataThis section describes how to implement CPM to protect the cardholder data that is storedin the CPM system.Locating the CPM DatabaseWhen setting up your CPM system, make sure to install the CPM Server and database inthe protected area behind the firewall. Place the database so that communication betweenthe CPM Server and the CPM database does not have to go through the firewall.Cardholder data must never be stored on Internet accessible systems. For example, thewebserver and database server must not be on the same server.CPM PCI Compliance Guide CyberSource Corporation October 20082
Chapter 1 PABP Implementation GuideProtecting Stored DataWeb ClientInteractiveVoice Recorder (IVR)InternetPoint of SaleFirewallExternal Ethernet ewallExternal NetworkInternal NetworkInternal Ethernet NetworkDatabaseServerCPM Administration verCPM DatabaseCPM PCI Compliance Guide CyberSource Corporation October 20083
Chapter 1 PABP Implementation GuideProtecting Stored DataSeparating CPM and Database AdministrationAnyone in your company who is a CPM administrator should not also have responsibilityfor administering the database. Those two job functions should be separated and given todifferent people.Using Database EncryptionDatabase encryption is an optional feature that you must use to be PCI compliant. Whenyou turn on database encryption, CPM encrypts the credit card numbers that are stored inthe database.If you are a new CPM user installing CPM 6.x without a pre-6.0 version being installed,database encryption is enabled by default. As part of the installation process, you willcreate your database encryption key and set up your CPM Server(s) to use encryption.When CPM begins accepting transactions, the credit card numbers will be stored in anencrypted format in the database. For complete details, see the CPM Database UtilityGuide.If you are an existing CPM merchant upgrading to 6.x, and you were not previously usingdatabase encryption, you must turn it on to be PCI compliant. See the CPM DatabaseUtility Guide for complete details about turning on encryption and encrypting yourexisting database.If you are an existing CPM merchant using a Windows-based CPM Server, you areupgrading to 6.x, and you are already using database encryption, you must import yourdatabase encryption key from the Server directory on the CPM Server into the CPMServer’s registry. CPM 6.0 comes with a tool that does this. See the CPM 6.0 Release Notesor the CPM Database Utility Guide for information about how to import your databaseencryption key into the registry.Key Management Best PracticesFollow these best practices for managing your database encryption keys: Have all key custodians sign an agreement acknowledging their responsibilitiesas key custodians. See the appendix in the CPM Database Utility Guide for anexample agreement.For Windows-based CPM Severs, do not store the database encryption keys in theServer directory or anywhere in the file system on the CPM Server; store themonly in the CPM Server’s registry as instructed in the CPM Database Utility Guide.CPM PCI Compliance Guide CyberSource Corporation October 20084
Chapter 1 PABP Implementation Guide Protecting Stored DataFor Unix-based CPM Servers, make sure to set the permissions for the databaseencryption key files so that no one can access the key files.For Windows-based CPM Servers, make sure that access to the Keystore locationin the CPM Server’s registry is limited: HKEY LOCAL MACHINES\SOFTWARE\CyberSource\Keystore.When a database encryption key is no longer needed, delete it:–From the registry for Windows-based CPM Servers–From the Server directory for Unix-based CPM ServersSee the procedure in the CPM Database Utility Guide for information aboutreplacing a key and determining when the old key is no longer needed. Create a site security system that provides secure storage of the passphrases usedto create your database encryption key(s) and/or a backup copy of the databaseencryption key(s).Ensuring Passphrase StrengthWhen you create your database encryption key, two passphrases are required. See theDatabase Utility Guide for details. This section lists several best practices for creating strongpassphrases. Passphrases should be difficult to guess. This means they should not be related tothe user’s personal life or job. For example, a car license plate number, a spouse’sname, a pet’s name, a Social Security number, a family member’s birthday, orfragments of an address. Also, proper names, places, technical terms, or slangshould not be used.These suggestions are useful in making the passphrase easy to remember:–Shift a word up, down, left, or right one row on the keyboard–Move characters in a word a certain number of letters up or down in thealphabet–Combine punctuation and numbers with a regular word–Create acronyms from words in a song, poem, or other sequence of wordsCPM PCI Compliance Guide CyberSource Corporation October 20085
Chapter 1 PABP Implementation GuideProtecting Stored Data–Deliberately misspell a word, do not use a common misspelling–Combine a number of facts like favorite colors and foodsPreventing Storage of Certain Sensitive DataYou should never store the card verification number (CVV/CVC/CID) for card-notpresent transactions or the card’s track data for retail transactions. CPM passes thesevalues to the payment processor but does not store them in the CPM database. Whensending these values to CPM, you should use the CVV API field to send the cardverification number. You should use the Track 1 Data and Track 2 Data API fields to sendthe track data. See the CPM API Reference Guide for more information about these fields.Make sure that you do not send the card verification number or the card track data in anyof the user-defined API fields: User Defined 1, User Defined 2, and so on. If you do, thissensitive data will be stored in the CPM database in direct violation of PCI requirements.Secure Deletion of Sensitive DataSecure removal of sensitive data is absolutely necessary for PCI compliance. TheWindows version of CPM provides a PABP compliant secure wipe utility located in theCPM server directory. This utility has been integrated into Install Shield for the uninstallof CPM. This utility can also be run from the command line for removal of files or folderson an as needed basis. Syntax for invoking the utility is as follows: eraserl - method DoD- silent - file [full path to file].For the Unix version of CPM, use the shred command which is provided with the Solarisoperating system. Syntax for the shred command is as follows: shred -force -n 7 -u -zFILE [file name].Secure Deletion of the CPM DatabaseThe CPM uninstall process does not remove the database. It is the merchantsresponsibility to securely remove the CPM database and it’s contents.Disposal of Settlement FilesFor some of the gateways, CPM uses FTP to transfer the daily settlement files to theprocessor. Depending on which gateway you are using, either you define the localdirectory where CPM writes these files or CPM automatically writes the files to aCPM PCI Compliance Guide CyberSource Corporation October 20086
Chapter 1 PABP Implementation GuideProtecting Stored Datagateway-specific directory within the Server directory. As soon as you no longer need thefiles, you should delete them, or encrypt them and store them elsewhere. For the gatewaysin the table below, you can specify in the gateway settings the number of days CPMshould keep the settlement files before automatically deleting them. CPM securelyremoves settlement files by invoking the eraserl utility.The table below shows which gateways use FTP and where CPM stores the files.Table 1 Location of Settlement FilesGatewayFile LocationAmerican Express PhoenixYou define the location in the Gateway SettingsBA Merchant ServicesYou define the location in the Gateway SettingsFDMS NorthFDMS North FTP subdirectory in the Server directoryFDMS SouthYou define the location in the Job Card File path field in theAgreement SettingsFTPSFTPSFrame FTP subdirectory in the Server directoryNOVAYou define the location in the Gateway SettingsPaymentech TampaYou define the location in the Gateway SettingsFor all other gateways, CPM transfers the settlement information online and does notneed to store any settlement files.Using Record Format Logging CorrectlyImportant You should use Record Format Logging only at the direction and withthe assistance of CyberSource Customer Support.Record Format Logging is a CPM feature that allows you to record the communicationbetween the CPM Server and the processor. CyberSource Customer Support may directyou to use it if you have an issue that you need to troubleshoot. This feature is availableonly for certain gateways, and it is turned off by default.While Record Format Logging is on, CPM writes a text file containing the authorizationand settlement data sent to the processor and the return data received from the processor.CPM stores the log file in the ./server/ log directory. The file name is gateway log.txt.For example, if you are using Paymentech New Hampshire, the file is calledpaymentechlog.txt.CPM PCI Compliance Guide CyberSource Corporation October 20087
Chapter 1 PABP Implementation GuideUsing Secure PasswordsFollow these guidelines when using Record Format Logging: Use Record Format Logging only temporarily for diagnostic purposes. Do notleave it turned on for an extended period of time.If possible, use Record Format Logging only with test credit card numbers andnot real credit card numbers.Never email log files to CyberSource unencrypted. Always use some form ofstrong encryption on the files, such as PGP.Delete the log files as soon as you no longer need them using the eraserl securewipe utility.Using Secure PasswordsTable 2 describes the types of passwords you use with CPM. The sections following thetable give rules for managing the passwords.Table 2 Password DescriptionsType of PasswordWhen Password Set UpWhen Password UsedAdministratorCPM comes with a defaultadministrator, but you cancreate additionaladministrators. See LoggingIn to the Administration Clienton page 9.When administrators open theAdministration Client andconnect to a CPM Server, andwhen administrators log in to theAcctMaint.exe tool to manageadministrator usernames andpasswords.When you set up thedatabase.When administrators connectCPM to the database and whenthey use the CPM DatabaseUtility.When you set up the basicusers/passwords and theirlevels of permission in theAdministration Client.When users send a transactionto the CPM Server through aCPM API or through the CPMClient.Required in CPM bydefaultDatabaseRequired in CPM bydefaultCPM SecurityIMPORTANT To bePCI compliant, youmust enable CPMSecurity if your systemsends transactions toCPM from outside theframework of yourtrusted networkenvironment.CPM Security must beenabled in order for users toprovide usernames/passwords when sendingtransactions. See Turning OnCPM Security on page 10.CPM PCI Compliance Guide CyberSource Corporation October 2008
Oct 23, 2008 · CPM PCI Compliance Guide CyberSource Corporation October 2008 1 PABP Implementation Guide This document describes how a merchant using CyberSource Payment Manager (CPM) version 6.0 or later should configure and use CPM to facilitate the merchant’s compliance with the Payment Car
