<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://forums.blackbaud.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Spotlight : Security</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx</link><description>Tags: Security</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP2 (Debug Build: 20611.960)</generator><item><title>PA-DSS Aspirations</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2009/01/23/pa-dss-aspirations.aspx</link><pubDate>Fri, 23 Jan 2009 12:48:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:38955</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=38955</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=38955</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2009/01/23/pa-dss-aspirations.aspx#comments</comments><description>&lt;p&gt;I&amp;#39;m sure by now you&amp;#39;ve heard plenty about the industry&amp;#39;s movement towards PCI compliance and stamping all programs that touch credit cards with the PA-DSS certification, and not enough about Blackbaud&amp;#39;s progress with Patron Edge. Here is a quick breakdown about some of the features and enhancements we have made in Patron Edge 3.340, and changes that we are continuing to work on as we work to get the PA-DSS stamp put on Patron Edge:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As of version 3.340, credit card information is now encrypted with an administrator-defined encryption key as transactions are queued to be cleared. 
&lt;li&gt;As soon as a transaction clears, every reference to a credit card number is permanently truncated.&amp;nbsp; The last four digits of the card number are the only data retained. 
&lt;li&gt;Any reports that display transaction data will show only the final four digits of a credit card number or fewer, depending on user security. 
&lt;li&gt;Credit card transaction log files (Tix_PSC logs) no longer store credit card details beyond the last four digits of the card number. 
&lt;li&gt;Password rules, such as password length, rotation, and account lockouts, will go into effect for all user accounts. 
&lt;li&gt;Audit trails will be implemented for all system components in order to be able to recreate system events. 
&lt;li&gt;The installation package will be digitally signed to ensure file integrity and prevent any kind of tampering.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The audit of Patron Edge is being performed by a company called &lt;a title="trustwave" href="https://www.trustwave.com/" target="_blank"&gt;Trustwave&lt;/a&gt;, who we are using to audit all of our products in addition to our Hosting environment. Be assured that Patron Edge will be PA-DSS certified, but in the meantime there are more changes in the pipeline that are required to meet this changing standard. Have a question? Leave a note in the comments.&lt;/p&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=38955" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge/default.aspx">Patron Edge</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/PCI+DSS/default.aspx">PCI DSS</category></item><item><title>Manage Your Users' Access to Help Resources</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/10/20/manage-your-users-access-to-help-resources.aspx</link><pubDate>Mon, 20 Oct 2008 14:45:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:37578</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=37578</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=37578</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/10/20/manage-your-users-access-to-help-resources.aspx#comments</comments><description>&lt;p&gt;This post isn&amp;#39;t specifically about Patron Edge, but it is a question that comes up on a weekly basis. 
The site administrator at your organization has the ability to add or remove access to the Blackbaud Support website. It&amp;#39;s both easy and quick to do; here&amp;#39;s the short version:&lt;/p&gt;
&lt;ol style="LIST-STYLE-TYPE:decimal;"&gt;
&lt;li&gt;Click your name at the top right of any Blackbaud web page. 
&lt;li&gt;In the left nav bar under Organization Information, click Invite New User. 
&lt;li&gt;Enter the user&amp;#39;s first name, last name, and email address. 
&lt;li&gt;Mark the new user&amp;#39;s main role and click Submit to send an Invite Email to the user. 
&lt;li&gt;The user receives an invitation email, and you receive a copy for your records. 
&lt;ul style="LIST-STYLE-TYPE:disc;"&gt;
&lt;li&gt;If he doesn&amp;#39;t have a Blackbaud profile, he will click the link to create a new one. 
&lt;li&gt;If he has an existing Blackbaud profile, he can associate it with your organization by clicking &lt;a class="solutionlink" style="TEXT-DECORATION:underline;" href="http://www.blackbaud.com/profile/default.aspx" target="_new"&gt;your name&lt;/a&gt; at the top right of any Blackbaud web page and following these steps: 
&lt;ol style="LIST-STYLE-TYPE:lower-alpha;"&gt;
&lt;li&gt;Confirm Association with the new organization by clicking Submit. 
&lt;li&gt;Enter the confirmation number from the invitation email and click Submit. 
&lt;li&gt;Update any information on your Profile, such as phone number and email address.&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;Depending on your turnover, I recommend spending about 10 minutes once a month making sure that your new hires have access to the resources they need to do their job, and that those who are no longer with you don&amp;#39;t have access to things like your support case history.&lt;/p&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=37578" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Administration/default.aspx">Administration</category></item><item><title>Important announcement regarding Patron Edge 3.340</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/09/03/important-announcement-regarding-patron-edge-3-340.aspx</link><pubDate>Wed, 03 Sep 2008 16:50:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:33558</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=33558</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=33558</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/09/03/important-announcement-regarding-patron-edge-3-340.aspx#comments</comments><description>&lt;p&gt;We are making several important changes to the next version of Patron Edge in an effort to meet &lt;a title="PA-DSS rules" href="https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml" target="_blank"&gt;PA-DSS rules&lt;/a&gt;. 
These changes are required in order for your organization to reach compliance with &lt;a title="PCI standards" href="http://en.wikipedia.org/wiki/PCI_DSS" target="_blank"&gt;Payment Card Industry standards&lt;/a&gt; and continue to process credit cards. The most important changes are these:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Credit card storage&lt;/strong&gt; - Patron Edge 3.340 will no longer store credit card data. In the event that your database is compromised, you can now be assured that no one will be able to manipulate or decrypt the credit card numbers of your patrons.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SQL upgrades&lt;/strong&gt; - Patron Edge 3.340 will no longer be compatible with MS SQL Server 2000. This is required for our new key management policy, under which your organization sets the encryption key so that credit cards in transit (waiting to be authorized) cannot be compromised. This change will increase security, as only your database administrator will know your encryption key. If someone were to obtain the older, Blackbaud-generated encryption key, your Patron Edge 3.340 database would not be vulnerable. So if your organization is not already running SQL 2005, now is the best time to start planning for an upgrade.&lt;/p&gt;
&lt;p&gt;More details will be coming related to our compliance measures as the next release approaches, both on The Spotlight and on the Patron Edge documentation page.&lt;/p&gt;
&lt;p&gt;Has your organization started planning for PCI compliance? Share your thoughts or best practices in the comments.&lt;/p&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=33558" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge/default.aspx">Patron Edge</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/PCI+DSS/default.aspx">PCI DSS</category></item><item><title>Firefox 3 has been released!</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/06/17/firefox-3-has-been-released.aspx</link><pubDate>Tue, 17 Jun 2008 20:35:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:31492</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=31492</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=31492</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/06/17/firefox-3-has-been-released.aspx#comments</comments><description>&lt;p&gt;&lt;a class="" title="Get Firefox" href="http://getfirefox.com/" target="_blank"&gt;Firefox&lt;/a&gt;, the greatest of the modern browsers, released version 3 of their product just about four hours ago and it has already been downloaded nearly 3 million (million!) times. It&amp;#39;s more secure, prettier, faster and&amp;nbsp;smarter than anything else out there (yes, even you Safari). I encourage all of you to download and use it exclusively for a better browsing experience. 
If you need to access your Patron Edge Online Administration Site, you can install the excellent &lt;a class="" title="IETab" href="https://addons.mozilla.org/en-US/firefox/addon/1419" target="_blank"&gt;IETab extension&lt;/a&gt; and do it all in one browser. With this extension I don&amp;#39;t think I&amp;#39;ve purposely launched Internet Explorer in two or three years, and haven&amp;#39;t had run-ins with malware of any kind. And now it even integrates with web apps. For example, I can click a mailto link and it will launch my Gmail composer.&lt;/p&gt;
&lt;p&gt;For those who have done a fair amount of PEO design work and had to do any special browser-specific tweaks to make things look the way you want, make sure to test your site in this newest version to ensure that your patrons won&amp;#39;t experience any display issues. The US and Canada together have almost hit the one million download mark, so you can be sure that your patrons are using it already.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.spreadfirefox.com/node&amp;amp;id=0&amp;amp;t=315"&gt;&lt;/a&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=31492" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Web+Design/default.aspx">Web Design</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Performance/default.aspx">Performance</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Usability/default.aspx">Usability</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge+Online/default.aspx">Patron Edge Online</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Stuff+I+Like/default.aspx">Stuff I Like</category></item><item><title>Keep your Administration Site safe</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/06/06/keep-your-administration-site-safe.aspx</link><pubDate>Fri, 06 Jun 2008 15:37:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:31260</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=31260</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=31260</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/06/06/keep-your-administration-site-safe.aspx#comments</comments><description>&lt;div class="snap_preview"&gt;
&lt;p&gt;One of the easiest things you can do to protect your organization online is to ensure the security of your Patron Edge Online Administration site. I bring this up because the majority of Admin sites that I have seen are not well-protected. While an attacker wouldn’t be able to get credit card numbers or anything of that nature via the Administration site, there’s still a lot of potential for mischief, or even damage. An attacker could bring down your site by changing Site Settings, redirect all your menu items to a different site, or all kinds of other bad stuff.&lt;/p&gt;
&lt;p&gt;Luckily, beefing up security is pretty easy. There are three key things to do, and your system administrator will be able to handle all of them in a matter of minutes.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Change your password&lt;/i&gt; - This literally takes seconds but I have seen people who have used PEO for years and still log in with the default login and password. To change the password, go to Administration, System Setup, System Users. Double-click on Supervisor and enter a new password. Done!&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Have different Windows accounts run the public and admin sites&lt;/i&gt; - When using anonymous authentication for your website, the Administration site account should not be the same as the public site account.&amp;nbsp; The default account for anonymous authentication is Internet Guest Account (also called IUSR_MachineName). Keep this one for the public site and use a different one for the Admin site, since it needs greater write and edit privileges on the public site folder. Even better, turn off anonymous access to the Admin site altogether and use Windows Integrated Authentication so that only members of your network are able to get as far as the PEO Admin login page.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Lock down rights to Administration site pieces&lt;/i&gt; - Create logins for each person who needs access (done in the same place where you changed your password above). Then determine what each person should be able to see. Generally a content creator only needs access to the Site Design and Events sections so turn off their ability to get to other administrative pieces.&lt;/p&gt;
&lt;p&gt;What other measures are you taking to secure your website? Leave a message in the comments.&lt;/p&gt;&lt;/div&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=31260" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge+Online/default.aspx">Patron Edge Online</category></item><item><title>Preventing Fraud, Part III (with free stuff!)</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/20/preventing-fraud-part-iii-with-free-stuff.aspx</link><pubDate>Thu, 20 Mar 2008 18:16:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:29699</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=29699</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=29699</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/20/preventing-fraud-part-iii-with-free-stuff.aspx#comments</comments><description>&lt;div class="snap_preview"&gt;
&lt;p&gt;At the last Blackbaud Conference, one client shared an experience where several cashiers had defrauded her organization via a pretty clever scheme. For cash transactions, the cashier would sell a Member or Child ticket in PE but charge the patron a Full Price admission and then pocket the difference. Once Jeff Heffner and I heard the story, we decided to come up with some reporting ideas to help catch a thief in the act.&lt;img hspace="5" src="http://forums.blackbaud.com/blogs/patronedge/thief.png" align="right" border="0" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;After some brainstorming, we created the Cashier Audit Report. It displays a breakdown of price types sold by each user and their relative percent of total. See &lt;a title="cashier audit" href="http://forums.blackbaud.com/blogs/patronedge/cashier-audit.png" target="_blank"&gt;this screenshot&lt;/a&gt; for an example of the report. With it, you can look for trends and see if anything weird is going on with the distribution of price types. For example, you could see that four of your cashiers sell Student tickets as about 8% of their total sales, but the fifth cashier is selling 15% of his tickets as Student. It could be completely innocent, or it could be that he is letting his friends in at a discount or taking money. Either way, you now have the information you need to take action at your fingertips.&lt;/p&gt;
&lt;p&gt;Alyssa Wigton, our report writer in Professional Services, provided a couple of great tips and helped us get it working in PECRViewer.exe so it can be run directly from Patron Edge. To use it:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Download this set of files: &lt;a href="http://forums.blackbaud.com/blogs/patronedge/Cashier%20Audit.zip"&gt;Cashier Audit.zip&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Add the stored procedure to your PE database&lt;/li&gt;
&lt;li&gt;Add the report into Patron Edge per Knowledgebase solution BB142029&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;As with any custom stuff I give out on the blog, this isn’t an official piece of Patron Edge. My analysts can’t take questions on it, and I can’t be responsible if it leaves the bathroom light on, tramples your flowers, or rearranges the numbers on your speed dial!&lt;/p&gt;
&lt;p&gt;Did you find this report helpful for preventing fraud? Are there any other reports in the system that you use on a regular basis to look out for thieves? Leave a note in the comments. &lt;/p&gt;&lt;/div&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=29699" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Fraud/default.aspx">Fraud</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Theft/default.aspx">Theft</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Free+Stuff/default.aspx">Free Stuff</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge/default.aspx">Patron Edge</category></item><item><title>Preventing Fraud, Part II</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/20/preventing-fraud-part-ii.aspx</link><pubDate>Thu, 20 Mar 2008 18:14:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:29698</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=29698</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=29698</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/20/preventing-fraud-part-ii.aspx#comments</comments><description>&lt;div class="snap_preview"&gt;
&lt;p&gt;So now that you have locked down the system appropriately per my &lt;a href="http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/19/preventing-fraud-part-i.aspx"&gt;previous post&lt;/a&gt; on the subject, it’s time to take advantage of one of the controls in PE regarding end-of-day procedures. I am referring to the Drawer Cash Out function. If you are not familiar with this feature, it allows your cashiers to enter their end of day cash drawer totals directly into PE, so that you can view their totals side-by-side with the system totals for that drawer. Using this method is easier on the cashier, more secure, and a lot harder to fudge than a paper count-out sheet. Here is how to set up the feature:&lt;br /&gt;&lt;a href="http://forums.blackbaud.com/blogs/patronedge/thief.png"&gt;&lt;img hspace="5" src="http://forums.blackbaud.com/blogs/patronedge/thief.png" align="right" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Enable the feature in Company and for each Cash Drawer:&lt;br /&gt;&lt;/i&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Go to Administration, System Setup, Company and select the Close Drawer tab&lt;/li&gt;
&lt;li&gt;Set Manage Floating Till to Yes and click OK&lt;/li&gt;
&lt;li&gt;Now go to User Setup, Cash Drawers&lt;/li&gt;
&lt;li&gt;Edit each drawer and set Display Actual Payment Done to Yes&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;&lt;i&gt;Set up the payment methods to display on the Cash Out:&lt;/i&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Go to Administration, System Setup, Cash Drawer Payment Methods&lt;/li&gt;
&lt;li&gt;Create a new entry for each kind of bill or coin, where the Value is relative to a dollar. For example, you will make an entry called Quarters with a value of .25&lt;/li&gt;
&lt;li&gt;Create an entry for Check, Clearing and Gift Certificate, if necessary. Feel free to break this down as much as you feel comfortable; some people have one Credit Card entry, some people use one for each card type, and some don’t record this pay type at all on the Cash Out. Just stay consistent with your business practices&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;&lt;i&gt;Disable the Close Drawer function and enable the Drawer Cash Out function in Profiles:&lt;/i&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Go to Administration, User Setup, Profiles&lt;/li&gt;
&lt;li&gt;Edit the needed profiles by expanding the Main Menu section, checking Drawer Cash Out, and unchecking Close Drawer&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;Not too difficult, right? We turn off Close Drawer because only managers should have the ability to do this (or even run draft reports). A cashier should always be reporting her drawer totals blind.&lt;/p&gt;
&lt;p&gt;Are you currently using the Drawer Cash Out function? Do you feel it has helped in preventing fraud or streamlined your end of day process? Leave a note in the comments.&lt;/p&gt;&lt;/div&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=29698" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Fraud/default.aspx">Fraud</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Theft/default.aspx">Theft</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge/default.aspx">Patron Edge</category></item><item><title>Preventing Fraud, Part I</title><link>http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/19/preventing-fraud-part-i.aspx</link><pubDate>Wed, 19 Mar 2008 12:30:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:29658</guid><dc:creator>Nicholai Burton</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/rsscomments.aspx?PostID=29658</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/patronedge/commentapi.aspx?PostID=29658</wfw:comment><comments>http://forums.blackbaud.com/blogs/patronedge/archive/2008/03/19/preventing-fraud-part-i.aspx#comments</comments><description>&lt;div class="snap_preview"&gt;
&lt;p&gt;Fraud is a problem in all types of organizations, but it can be especially tough for performing arts organizations and museums since we’re frequently dealing with temps for most of the front desk work. As consultant Leslie Bradford discussed in her Blackbaud Conference session &lt;i&gt;To Catch A Thief&lt;/i&gt;, there are a lot of ways you can get ripped off. Since not everyone was able to make the conference, I’ve decided to do a series of posts on some things you can do to prevent fraud at your organization.&lt;img hspace="5" src="http://forums.blackbaud.com/blogs/patronedge/thief.png" align="right" border="0" alt="" /&gt; &lt;br /&gt;&lt;i&gt;Restrict Access to the system&lt;br /&gt;&lt;/i&gt;Not every user should have a System Administrator profile, and every user should belong to a user group. If a cashier’s only function is selling tickets, he should not have access to Administration or reports &lt;b&gt;at all&lt;/b&gt;. Think carefully about which users need which level of permissions.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Give everyone a unique login and cash drawer&lt;br /&gt;&lt;/i&gt;Your login should be treated as your signature. I know logins like &lt;i&gt;User1&lt;/i&gt;, &lt;i&gt;User2&lt;/i&gt;, &lt;i&gt;User3&lt;/i&gt; are a lot easier to manage than dealing with creating new logins every few months. But it becomes a lot harder to track down where the money went at the end of the day when everyone is using the same generic login.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Use secure passwords&lt;br /&gt;&lt;/i&gt;Require a password that’s different from the login (there is a setting in Administration&amp;gt;Company that can enforce this). Make it have at least eight characters and consist of both letters and numbers. Most importantly, &lt;b&gt;never share your password&lt;/b&gt;. It does no good to give everyone their own login if they can all log in as Supervisor or as each other. Be sure to change passwords at least every 90 days.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Change the Supervisor password&lt;br /&gt;&lt;/i&gt;There are two default login/pass combinations that come with PE, depending on how long you’ve had the program. I can’t tell you how many people my analysts get onto screenshare with and see the user enter pe/1 or Supervisor/admin. If your database still uses this default, &lt;b&gt;change it immediately&lt;/b&gt;. Ideally, only one or two people at the organization should have access to this password, and if the login is used frequently, then the same 90-day password rotation applies here.&lt;/p&gt;
&lt;p&gt;Next time I will discuss using the Drawer Cash Out feature and how it helps in combating fraud at your organization. How are you handling access to the system? Leave a note in the comments. &lt;/p&gt;&lt;/div&gt;&lt;img src="http://forums.blackbaud.com/aggbug.aspx?PostID=29658" width="1" height="1"&gt;</description><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Fraud/default.aspx">Fraud</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Security/default.aspx">Security</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Theft/default.aspx">Theft</category><category domain="http://forums.blackbaud.com/blogs/patronedge/archive/tags/Patron+Edge/default.aspx">Patron Edge</category></item></channel></rss>