There are some settings in Theatre Manager that must be changed for PABP compliance. If you are upgrading from a demo version of TM or from version 6 of Theatre Manager, these settings were optional and now need to be implemented.
| Step | Purpose | Installation instructions or link |
| 1. | Minimum Password Settings |
For PCI compliance, a user MUST:
- be required to enter a password to access Theatre Manager -and-
- have their own user id and password, so that every action within the database can be traced to one individual -and-
- ALSO have a unique, PCI DSS compliant logon to the computer itself before accessing Theatre Manager (a shared operating system account is not a unique logon).
Ensure that the minimum recommended settings are met and increase the security as you see fit. The steps are:
- Log in as Master User (this System Administrator account is the only one with access to System Preferences)
- Go to 'Setup->System Preferences'
- Click on the 'Security' tab. The minimum recommended settings are shown below.
- Click on 'Use PCI Card Industry Standards' to reset all password settings to the PCI minimum
- Make any adjustments you wish to the policies, such as requiring longer passwords or increasing the number of unique passwords that must be used before a previous one can be repeated. You may make the policy stricter than the minimum, but never weaker.
- Close the window to save the changes.
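As an added illustration (this is not Theatre Manager's own code, which is not public), the following Go program implements the rules that those settings control: a minimum length with both letters and digits, a history of recent passwords that cannot be reused, and a lockout after repeated failed logins, all checked against stored salted hashes rather than the passwords themselves. The PCI DSS v2.0 floor it encodes (7 characters, the last 4 passwords, a 30 minute lock after 6 attempts) is taken from the standard, not from this page; that the 'Use PCI Card Industry Standards' button resets to exactly these values is an assumption, as are all type, field and function names. The salted SHA-256 hash is a stand-in for a slow password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
	"unicode"
)

var (
	ErrTooShort    = errors.New("password shorter than the policy minimum")
	ErrNoAlphaNum  = errors.New("password needs both letters and digits")
	ErrReused      = errors.New("password matches one of the recent passwords")
	ErrLocked      = errors.New("account locked after too many failed attempts")
	ErrBadPassword = errors.New("invalid credentials")
)

// PasswordPolicy holds the kind of knobs a Security tab exposes (names are assumptions).
type PasswordPolicy struct {
	MinLength       int           // shortest password accepted; letters and digits are always required
	HistorySize     int           // recent passwords (current included) that cannot be reused
	MaxAttempts     int           // failed logins before the account locks
	LockoutDuration time.Duration // how long the lock lasts
}

// PCIMinimumPolicy is the PCI DSS v2.0 requirement 8.5 floor: 7 characters, last 4 passwords,
// 30 minute lock after 6 attempts. That the page's PCI button sets exactly these is an assumption.
func PCIMinimumPolicy() PasswordPolicy {
	return PasswordPolicy{MinLength: 7, HistorySize: 4, MaxAttempts: 6, LockoutDuration: 30 * time.Minute}
}

// UserAccount stores only salted hashes, never the password itself.
type UserAccount struct {
	Salt           [16]byte   // per-user random salt; fill it from crypto/rand when the account is created
	history        [][32]byte // newest first, so history[0] is the current password
	failedAttempts int
	lockedUntil    time.Time
}

// hashPassword is salted SHA-256 only to stay stdlib-only; use bcrypt, scrypt or Argon2 in production.
func hashPassword(salt [16]byte, pw string) [32]byte {
	return sha256.Sum256(append(salt[:], pw...))
}

// Check applies the length, composition and history rules to a candidate password.
func (p PasswordPolicy) Check(u *UserAccount, candidate string) error {
	if len([]rune(candidate)) < p.MinLength {
		return ErrTooShort
	}
	hasAlpha, hasDigit := false, false
	for _, r := range candidate {
		hasAlpha = hasAlpha || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if !hasAlpha || !hasDigit {
		return ErrNoAlphaNum
	}
	h := hashPassword(u.Salt, candidate)
	for _, old := range u.history { // SetPassword keeps the history at HistorySize entries
		if subtle.ConstantTimeCompare(h[:], old[:]) == 1 {
			return ErrReused
		}
	}
	return nil
}

// SetPassword is what the 'Set Password' button does: validate, store the new hash,
// trim the history to what the policy tracks, and clear any lockout.
func (u *UserAccount) SetPassword(p PasswordPolicy, pw string) error {
	if err := p.Check(u, pw); err != nil {
		return err
	}
	u.history = append([][32]byte{hashPassword(u.Salt, pw)}, u.history...)
	if len(u.history) > p.HistorySize {
		u.history = u.history[:p.HistorySize]
	}
	u.failedAttempts, u.lockedUntil = 0, time.Time{}
	return nil
}

// Login refuses a locked account, counts failures and locks after MaxAttempts; a 'No Access' user has no password and never gets in.
func (u *UserAccount) Login(p PasswordPolicy, pw string, now time.Time) error {
	if now.Before(u.lockedUntil) {
		return ErrLocked
	}
	h := hashPassword(u.Salt, pw)
	if len(u.history) == 0 || subtle.ConstantTimeCompare(h[:], u.history[0][:]) != 1 {
		u.failedAttempts++
		if u.failedAttempts >= p.MaxAttempts {
			u.failedAttempts, u.lockedUntil = 0, now.Add(p.LockoutDuration)
			return ErrLocked
		}
		return ErrBadPassword
	}
	u.failedAttempts = 0
	return nil
}
```

Two details matter more than the numbers: the reuse check compares hashes in constant time against the current password as well as the previous ones, and a correct password entered during a lockout is still refused, otherwise a brute-force attempt could simply keep guessing through the lock.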

|
| 2. | User Settings |
Change all the user ids in the system to a scheme that suits your network security needs. Since every user will be logging in with their own user id and password, it is a good idea to make user names harder to guess (this is only a minor obstacle to an attacker; the password policy in step 1 is the real control).
To change user names and password settings, repeat the following steps for every user EXCEPT the Master User:
- Go to Setup->Users & Access->Employee List
- Click the 'search' icon (the magnifying glass) or hit Enter to see a list of users
- Double click on the name in the list to open that employee's record
- Click on the 'Access' tab
- Click on the 'Access Id' field and change it to something suitable for the employee
- Make sure the Logon Level selection is either 'No Access' if they are not allowed to use the system -or- 'Normal' if they are allowed to access the system.
- If the user can log in, click the 'Set Password' button and assign them an initial random password (or have the user type in their own). It is not necessary to know or record each user's password; in fact we recommend that you do not write passwords down. If a user forgets their password, you can always assign a new one here.
- If a user's access to parts of the system is similar to another user's, you can use the 'Copy Access' button to copy those settings. You may wish to create a template user for each of the important job functions to make copying easier.

- Click on the 'Data' and 'Functions' tabs and make any changes to the employee's access that you wish.
- For PCI compliance, you must at least visit the 'Functions' tab and make sure that all of the privileges that say 'Credit Card' in the second column are unchecked to start with. Then enable only those that the user's job requires. Two to consider enabling for specific people are:
- 'Allow empty CID even if required for credit card payments'. If this is unchecked, the user must ask the customer for the CID/CVV2 number on the back of the credit card whenever it is required for the card type or by the processor. If your service provider does not accept or check CVV2 data, you may need to check this. You may also want to check it for at least one box office supervisor, who can then provide an operator override for any other user if need be. (The CVV2 is used for the authorization only; it must never be stored after authorization.)
- 'Able to Search for Patron using a card number' - this should be checked only for a finance position or a box office supervisor, so that a patron can be found when all you are given is the credit card number, such as in the case of a chargeback.

|
| 3. | Master User |
Change the Master User password.
- Find the Master User record as described in step 2.
- Click on the 'Access' tab
- Change the 'Access ID' to something unique to your organization
- Make sure that the 'Logon Level' is 'Master User'
- Click 'Set Password' and give this special user a unique password. You will be asked to confirm the current password before you are allowed to change it.
- You may want to log out of Theatre Manager and then log back in as the 'Master User' account before continuing to step 4, just to make sure the user id and password are set correctly.
- This is the one user id and password combination that you do want to record on paper, seal in an envelope and keep in your safe, with instructions to open it only in an emergency.
Note: There should be only one 'Master User' account. If other users still have those privileges from an upgrade from version 6, remove them and explain the reasons to the customer. |
| 4. | Credit Card Encryption |
After the initial data conversion has taken place and before you leave the client site for the first time, you need to re-encrypt the credit cards using a new key. To do this:
- Log in as Master User
- Go to 'Setup->System Preferences' and click on the 'Security' tab
- Click the 'Change Card Encryption key' button at the bottom left

You will see a dialog similar to the one below that asks you to confirm the step and explains why it is required. Click 'Yes' to continue.
Some notes about this process:
- Theatre Manager generates a completely random 40-character key, unique to the venue, to use as one half of the encryption key, and re-encrypts all cards in the database with it.
- You can still use Theatre Manager to sell tickets and take credit cards while this process runs.
- This process should be performed at least annually (the venue will be reminded to do it after 350 days).
- It should also be performed any time you suspect a security breach of any part of your network. Make sure you also find and fix whatever allowed the breach; a new key does not help if the attacker still has the same way in.
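As an added example (this is not Theatre Manager's code, and the product's internal key handling is not documented on this page), the following Go program shows the shape of the re-encryption step: a random 40-character venue half is combined with a half held by the application into an AES-256-GCM data key, every stored card is tagged with the key version that sealed it so the box office can keep reading and writing cards while the rotation runs, and the old key is retired only after the last record has been re-sealed. How the two halves are combined (HMAC-SHA256 here), the hex character set of the venue half, the type and function names, and the test card numbers used to exercise it are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// newVenueHalf returns a random 40-character key half (20 random bytes, hex encoded; the
// page gives only the length, so the character set is an assumption).
func newVenueHalf() (string, error) {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// deriveAEAD combines the venue half with the half the application holds into an AES-256-GCM
// key. HMAC-SHA256 is an assumption; the page does not say how Theatre Manager combines them.
func deriveAEAD(venueHalf string, appHalf []byte) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, appHalf)
	m.Write([]byte(venueHalf))
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key, so NewCipher cannot fail
	return cipher.NewGCM(block)
}

type CardRecord struct {
	PatronID          string
	KeyVersion        int // which data key sealed this record
	Nonce, Ciphertext []byte
}

type Vault struct {
	appHalf []byte
	keys    map[int]cipher.AEAD // every version still needed to read a record; two are live mid-rotation
	current int
	Records []CardRecord
}

func NewVault(appHalf []byte) (*Vault, error) {
	v := &Vault{appHalf: appHalf, keys: map[int]cipher.AEAD{}}
	return v, v.Rotate()
}

// Store seals a PAN under the current key with a fresh nonce and binds the patron id as
// associated data, so a ciphertext copied onto another patron's record will not decrypt.
func (v *Vault) Store(patronID, pan string) error {
	gcm := v.keys[v.current]
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.Records = append(v.Records, CardRecord{patronID, v.current, nonce, gcm.Seal(nil, nonce, []byte(pan), []byte(patronID))})
	return nil
}

// Retrieve decrypts record i with whichever key version sealed it.
func (v *Vault) Retrieve(i int) (string, error) {
	rec := v.Records[i]
	gcm, ok := v.keys[rec.KeyVersion]
	if !ok {
		return "", fmt.Errorf("record %d: key version %d already retired", i, rec.KeyVersion)
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.PatronID))
	return string(pt), err
}

// Rotate is the 'Change Card Encryption key' step: mint a new venue half, derive the new key,
// re-encrypt every record under it one at a time, and only then retire the old key.
func (v *Vault) Rotate() error {
	half, err := newVenueHalf()
	if err != nil {
		return err
	}
	gcm, err := deriveAEAD(half, v.appHalf)
	if err != nil {
		return err
	}
	v.current++
	v.keys[v.current] = gcm
	for i, n := 0, len(v.Records); i < n; i++ {
		pan, err := v.Retrieve(i)
		if err != nil {
			return err
		}
		if err = v.Store(v.Records[i].PatronID, pan); err != nil {
			return err
		}
		v.Records[i] = v.Records[n] // swap the freshly sealed copy in for the old record
		v.Records = v.Records[:n]
	}
	delete(v.keys, v.current-1)
	return nil
}
```

The KeyVersion field is the part to take away: because a record is always opened with the key that sealed it, a sale made in the middle of the rotation is stored under the new key while older records are still readable under the old one, and nothing has to stop. Retrieve also reports a retired key version as an error rather than returning garbage, and the associated data check means a ciphertext moved between patrons fails to decrypt.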

|