Depending on which option you choose in AR/Cash Setup, implementing advanced PCI Compliance support requires changes to your iMIS database, either by
■ removing all existing cardholder information from your iMIS system that predates your new security measures, or
■ resetting the encryption keys (including removal of previous keys) and re-encrypting cardholder data each year, as required
DB Repair lets you complete these processes easily and reliably through the PCI tab.
Precautions for using DB Repair
■ Verify that you have a valid backup of your iMIS database before running DB Repair commands that modify the database.
■ Ensure the database is protected from updates before modifying it, to prevent failures and data problems from changes occurring while entities are being reset/rebuilt/removed:
1. Have all users log out.
2. Stop webservers from updating the database, such as by stopping the AppPool in IIS.
■ While users are logged in, you can safely run Analyze Database and Table Details; however, analyzing the database can affect performance.
To reset encryption keys and data
To maintain PCI compliance with stored cardholder data, you must complete all of the steps below.
1. Choose a time when the database can be offline for several hours. Re-encryption can take minutes or hours, depending on your data; once started, it must not be stopped.
2. In DB Repair, open the PCI tab.
3. To start the purge, click Reset Encryption Key and Data.
A warning prompts you to confirm the process.
4. Allow the process to complete without interruption.
Caution! You risk data corruption if you interrupt the process or close DB Repair. DB Repair appears unresponsive while the process runs; this is expected, so do not close it.
The output of the process displays in the main window of the DBRepair utility.
5. Click Remove Historical Encryption Keys, or, if postponing that purge, skip to the next step. (If you do the purge later, be sure to recycle the application pool then, too.)
Caution! Once you remove previous keys, any encrypted links that have already been embedded in emails (such as "create new account" emails) will no longer work. A user who clicks one sees the error "Your session has timed out. Please try your operation again".
6. Recycle the IIS Application Pool (iMISApp AppPool) for each application server that uses this database.
To purge cardholder data
Important: If you implement PCI Compliance with audit logging and later switch to storing no data, be aware that this purge routine leaves the existing audit log (PciAuditLog table) intact.
Deferred transactions are lost in a purge, so you need to resolve deferred data and disable settings that allow it.
1. Find and change any gateway that is configured for Deferred Authorization:
□ In iMIS Desktop, open AR/Cash > Set up module and select Credit Card Auth.
□ Under Current Accounts, select the first gateway listed.
□ If it is set to Deferred Authorization, change it to Immediate or Manual Authorization.
□ Repeat for all other gateways.
2. Submit any deferred transactions that are pending: In iMIS Desktop, open AR/Cash > Credit card reporting and run Print Deferred Pre-authorization Report and Submit Deferred Authorizations.
Any deferred transaction remaining after the purge has no payment information, so it must be re-entered manually.
3. In DB Repair, open the PCI tab.
4. To start the purge, click Purge All Cardholder Information.
A query runs and the Purge Payment Card Information window opens, reporting the number of records with cardholder information in each table that will be cleared by the purge.
5. If the report surfaces no problems and you want to complete the purge, select Continue with Purge to clear the cardholder information from the database.
The output of the process displays in the main window of the DBRepair utility.
Fields affected by the purge
Table: [dbo].[ASI_temp_trans] if exists
□ [CC_NUMBER] - masked (shows last 4)
□ [CC_EXPIRE] - masked
□ [CC_NAME] - cleared
Table: [dbo].[Trans]
□ [CC_NUMBER] - masked (shows last 4)
□ [CC_EXPIRE] - masked
□ [CC_NAME] - cleared
□ [ENCRYPT_CC_NUMBER] - cleared
□ [ENCRYPT_CC_EXPIRE] - cleared
□ [ENCRYPT_CSC] - cleared
□ [ISSUE_DATE] - cleared
□ [ISSUE_NUMBER] - cleared
Table: [dbo].[Orders]
□ [PAY_NUMBER] - masked (shows last 4)
□ [CREDIT_CARD_EXPIRES] - masked
□ [CREDIT_CARD_NAME] - cleared
□ [ENCRYPT_PAY_NUMBER] - cleared
□ [ENCRYPT_CREDIT_CARD_EXPIRES] - cleared
□ [ENCRYPT_CSC] - cleared
□ [ISSUE_DATE] - cleared
□ [ISSUE_NUMBER] - cleared
Table: [dbo].[Basket_Payment]
□ [PAY_NUMBER] - masked (shows last 4)
□ [CREDIT_CARD_EXPIRES] - masked
□ [CREDIT_CARD_NAME] - cleared
□ [ENCRYPT_CREDIT_CARD_EXPIRES] - cleared
□ [ENCRYPT_PAY_NUMBER] - cleared
□ [ENCRYPT_CSC] - cleared
□ [ISSUE_DATE] - cleared
□ [ISSUE_NUMBER] - cleared
Table: [dbo].[Order_Payments]
□ [PAY_NUMBER] - masked (shows last 4)
□ [CREDIT_CARD_EXPIRES] - masked
□ [CREDIT_CARD_NAME] - cleared
□ [ENCRYPT_CREDIT_CARD_EXPIRES] - cleared
□ [ENCRYPT_PAY_NUMBER] - cleared
□ [ENCRYPT_CSC] - cleared
□ [ISSUE_DATE] - cleared
□ [ISSUE_NUMBER] - cleared
Table: [dbo].[OrderCheckout]
□ [CreditCardNumber] - masked (shows last 4)
□ [CreditCardExpiration] - masked
□ [CreditCardName] - cleared
□ [CreditCardAddress] - cleared
□ [CreditCardAddress2] - cleared
□ [CreditCardAddress3] - cleared
□ [CreditCardCity] - cleared
□ [CreditCardState] - cleared
□ [CreditCardPostalCode] - cleared
□ [CreditCardCountry] - cleared
□ [ISSUE_DATE] - cleared
□ [ISSUE_NUMBER] - cleared
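The following T-SQL script is an added verification aid; it is not part of iMIS or DB Repair. It walks the tables and columns listed above and counts rows that still hold data the purge should have masked or cleared, so you can run it once before the purge for a baseline and again afterwards to confirm every count is zero. It assumes that a masked number keeps only its last four digits (so a run of five or more consecutive digits in a number column means an unmasked PAN survived), that a "cleared" column is NULL or an empty string, that the number columns are character types, and that [ASI_temp_trans] may be absent (absent tables are skipped). Masked expiry columns are not checked because their masked form is not documented here.

```sql
-- Added post-purge verification script (T-SQL, SQL Server); not iMIS/DB Repair code.
-- Assumptions: masked number = only last 4 digits remain; cleared = NULL or '';
-- number columns are character columns; missing tables are skipped, not failed.
SET NOCOUNT ON;

-- Columns and the state the purge is documented to leave them in.
DECLARE @checks TABLE (TableName sysname, ColumnName sysname, Expect varchar(7));
INSERT INTO @checks (TableName, ColumnName, Expect) VALUES
  ('ASI_temp_trans', 'CC_NUMBER', 'masked'),  ('ASI_temp_trans', 'CC_NAME', 'cleared'),
  ('Trans', 'CC_NUMBER', 'masked'),           ('Trans', 'CC_NAME', 'cleared'),
  ('Trans', 'ENCRYPT_CC_NUMBER', 'cleared'),  ('Trans', 'ENCRYPT_CC_EXPIRE', 'cleared'),
  ('Trans', 'ENCRYPT_CSC', 'cleared'),        ('Trans', 'ISSUE_DATE', 'cleared'),
  ('Trans', 'ISSUE_NUMBER', 'cleared'),
  ('Orders', 'PAY_NUMBER', 'masked'),         ('Orders', 'CREDIT_CARD_NAME', 'cleared'),
  ('Orders', 'ENCRYPT_PAY_NUMBER', 'cleared'),('Orders', 'ENCRYPT_CREDIT_CARD_EXPIRES', 'cleared'),
  ('Orders', 'ENCRYPT_CSC', 'cleared'),       ('Orders', 'ISSUE_DATE', 'cleared'),
  ('Orders', 'ISSUE_NUMBER', 'cleared'),
  ('Basket_Payment', 'PAY_NUMBER', 'masked'), ('Basket_Payment', 'CREDIT_CARD_NAME', 'cleared'),
  ('Basket_Payment', 'ENCRYPT_PAY_NUMBER', 'cleared'),
  ('Basket_Payment', 'ENCRYPT_CREDIT_CARD_EXPIRES', 'cleared'),
  ('Basket_Payment', 'ENCRYPT_CSC', 'cleared'),('Basket_Payment', 'ISSUE_DATE', 'cleared'),
  ('Basket_Payment', 'ISSUE_NUMBER', 'cleared'),
  ('Order_Payments', 'PAY_NUMBER', 'masked'), ('Order_Payments', 'CREDIT_CARD_NAME', 'cleared'),
  ('Order_Payments', 'ENCRYPT_PAY_NUMBER', 'cleared'),
  ('Order_Payments', 'ENCRYPT_CREDIT_CARD_EXPIRES', 'cleared'),
  ('Order_Payments', 'ENCRYPT_CSC', 'cleared'),('Order_Payments', 'ISSUE_DATE', 'cleared'),
  ('Order_Payments', 'ISSUE_NUMBER', 'cleared'),
  ('OrderCheckout', 'CreditCardNumber', 'masked'),
  ('OrderCheckout', 'CreditCardName', 'cleared'),    ('OrderCheckout', 'CreditCardAddress', 'cleared'),
  ('OrderCheckout', 'CreditCardAddress2', 'cleared'),('OrderCheckout', 'CreditCardAddress3', 'cleared'),
  ('OrderCheckout', 'CreditCardCity', 'cleared'),    ('OrderCheckout', 'CreditCardState', 'cleared'),
  ('OrderCheckout', 'CreditCardPostalCode', 'cleared'),('OrderCheckout', 'CreditCardCountry', 'cleared'),
  ('OrderCheckout', 'ISSUE_DATE', 'cleared'),        ('OrderCheckout', 'ISSUE_NUMBER', 'cleared');

DECLARE @results TABLE (TableName sysname, ColumnName sysname, Expect varchar(7), Remaining int);
DECLARE @t sysname, @c sysname, @e varchar(7), @sql nvarchar(max), @n int;

DECLARE chk CURSOR LOCAL FAST_FORWARD FOR
  SELECT TableName, ColumnName, Expect FROM @checks;
OPEN chk;
FETCH NEXT FROM chk INTO @t, @c, @e;
WHILE @@FETCH_STATUS = 0
BEGIN
  -- Skip tables that do not exist in this database (e.g. ASI_temp_trans).
  IF OBJECT_ID(QUOTENAME('dbo') + '.' + QUOTENAME(@t), 'U') IS NOT NULL
  BEGIN
    -- Build one COUNT(*) per column; QUOTENAME keeps the generated SQL safe.
    SET @sql = N'SELECT @n = COUNT(*) FROM dbo.' + QUOTENAME(@t) + N' WHERE '
      + CASE @e
          -- five consecutive digits cannot occur in a value showing only the last 4
          WHEN 'masked' THEN N'PATINDEX(''%[0-9][0-9][0-9][0-9][0-9]%'', ' + QUOTENAME(@c) + N') > 0'
          -- cleared: anything that is neither NULL nor empty is a leftover
          ELSE QUOTENAME(@c) + N' IS NOT NULL AND CONVERT(nvarchar(4000), ' + QUOTENAME(@c) + N') <> N'''''
        END;
    EXEC sp_executesql @sql, N'@n int OUTPUT', @n = @n OUTPUT;
    INSERT INTO @results (TableName, ColumnName, Expect, Remaining) VALUES (@t, @c, @e, @n);
  END
  FETCH NEXT FROM chk INTO @t, @c, @e;
END
CLOSE chk; DEALLOCATE chk;

-- Every row returned here is a column that still holds data the purge should have removed.
SELECT TableName, ColumnName, Expect, Remaining
FROM @results
WHERE Remaining > 0
ORDER BY TableName, ColumnName;
```

Run it with a read-only account after the purge output has finished in the DB Repair window; an empty result set means the listed columns hold nothing beyond the documented masks. The script reads only the columns documented above and never changes data, so it is safe to run while users are logged in, subject to the same performance note as Analyze Database.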