Configure system security
Configure different parts of PBA security system.
Generate two RSA key pairs to encrypt customers' credit card data
- Log into PBA Provider Control Panel
- Go to Configuration Director > E-Commerce Settings > Encryption Keys
- Create two RSA key pairs using the Generate New Key buttons for Encryption Key 1 and Encryption Key 2
Note: public RSA key is stored in PBA database and is used to encrypt credit card data, while private key must be stored separately in secure place and loaded into PBA on system start.
Create key custodians
Create system role with the privilege
KEY_CUSTODIAN and assign it to two different Provider staff members who will load private key and password accordingly. This may be done in PBA Provider Control Panel at Configuration Director > Security Manager > Roles.
Enable AES encryption
Enable AES encryption to encrypt passwords in PBA. See the following article for details: kb #9103
Configure PBA to purge unused credit cards data after retention period
It is not necessary to store cardholder data forever in the system, define a retention policy to purge unused cardholder data after some time. E.g. use a period of 13 months if you have customers on yearly plans that will pay once every 12 months.
Set retention periods (in hours) in PBA Provider Control Panel at Configuration Director > E-Commerce Settings > E-Commerce Settings.
Implement centralized logging server (since PBA 5.4 only)
PBA may be integrated with centralized log server using industry standard syslog protocol. On the logging server side install any syslog-compatible server (e.g. rsyslogd for Linux and WinSyslog for Windows). Then, configure PBA to use centralized logging server following instructions in the corresponding Deployment Guide:
Configure system roles
PBA provides wide set of privileges which may be used to create system roles in Provider Control Panel at Configuration Director > Security Manager > Roles.
Follow the principle of minimal privileges creating roles - include only privileges which allow staff member to perform their tasks in PBA Control Panel.
Set password quality level
Set desired password quality level at Configuration Director > Security Manager > Login Settings.
- It is recommended to set password quality level to High at least.
- If PBA is integrated with POA then password quality must be set to the same level in both systems.
Configure password expiration policies
Configure password expiration policies at Configuration Director > Security Manager > Login Settings.
To be PCI compliant set password expiration period to 90 days or less.
See the global article #113946 Parallels Automation Maintenance Guide for checking other important settings.