PCI 4.0.1 Compliance Update
Paige Freeman, March 27, 2025 16:48 (Updated)

Personify is implementing new enhanced security features in the ThreeSixty Web Client, Web Admin, and Desktop applications to meet PCI 4.0.1 requirements. The deadline to implement these features and remain PCI compliant is March 31, 2025. All ThreeSixty clients MUST engage with Personify to implement the PCI Compliance Update prior to March 31, 2025, or they will not be able to stay in Personify’s PCI environment, meaning they may lose the ability to process credit cards or they may pay a significantly higher processing fee to process cards if their credit card merchant allows them to process cards outside of the PCI environment. There are no extensions; this date is mandated by the PCI Data Security Standards Council.

There are two major components of this PCI compliance update:

- Staff user passwords must now meet a minimum length of 12 characters, including at least 1 character from each of the following groups: Upper Case, Lower Case, Numbers, Special Characters.
- Multi-Factor Authentication is required for staff users for the Web Client, Web Admin, and Desktop applications.

Additional details on the rollout and delivery of these features will be shared as they are available.

Client Actions

The following actions should be completed now by the client to prepare for the upcoming PCI compliance update release. For additional information on these requirements and actions, please review the sections below.

- Update the PASSWORD_VALIDATION_MASK application parameter regex to 12 characters, including at least 1 character from each of the following groups: Upper Case, Lower Case, Numbers, Special Characters.
- Update the PASSWORD_EXPIRATION_PERIOD and PASSWORD_REMINDER_PERIOD application parameters to ensure all users are required to update their password prior to the PCI compliance date and all users are notified of the upcoming password expiration.
- Identify service accounts and ensure passwords are updated to avoid potential service disruption.
- Ensure all PSM users have a unique email address configured per user.

Password Requirement Updates

PCI 4.0.1 includes a requirement that user passwords must meet a minimum length of 12 characters, including at least 1 character from each of the following groups: Upper Case, Lower Case, Numbers, Special Characters. Clients who have made changes to the PASSWORD_VALIDATION_MASK parameter must update their regex to 12 characters to remain PCI compliant. Additionally, service accounts (i.e., Webadmin, TRSAdmin, etc.) are now required to rotate passwords at a minimum of every 90 days.

With the upcoming release, the PASSWORD_VALIDATION_MASK regex parameter will be updated automatically for clients who have not made changes to this parameter. Clients who have made changes to this parameter must update it manually.

Sample PASSWORD_VALIDATION_MASK Regex Parameter Value:

^(?=[^_].)(?!.*!!$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%])(\w|[!@#$%]){12,}

Sample PASSWORD_VALIDATION_MASK Comments: The password format required to set password. The default enforces that the password is at least 12 digits long and that it contains at least one numeric, one upper case, one lower case, and special character.

Additionally, the Regenerate Password button has been updated to regenerate a password of at least 12 characters.

The PASSWORD_EXPIRATION_PERIOD and PASSWORD_REMINDER_PERIOD application parameters have also been updated. Clients can utilize these application parameters to help notify users of the need to update their passwords.

The PASSWORD_EXPIRATION_PERIOD application parameter sets the period (in days) in which the user’s password expires. The default and recommended value is 90 days.
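As an added example (not Personify code), the following Python check runs the sample PASSWORD_VALIDATION_MASK value above against constructed candidate passwords and names the rule each rejected one breaks. It assumes full-string matching: the sample regex has no closing anchor, so an unanchored match would ignore anything after the first twelve qualifying characters.

```python
import re

# Sample PASSWORD_VALIDATION_MASK value quoted in the article above.
PASSWORD_VALIDATION_MASK = (
    r"^(?=[^_].)(?!.*!!$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])"
    r"(?=.*[!@#$%])(\w|[!@#$%]){12,}"
)
PASSWORD_MASK = re.compile(PASSWORD_VALIDATION_MASK)

# Constructed table: each mask rule restated as (pattern that signals a
# violation, message). Used only to explain a rejection to the user.
VIOLATIONS = [
    (r"^.{0,11}$", "shorter than 12 characters"),
    (r"^_", "starts with an underscore"),
    (r"!!$", "ends with '!!'"),
    (r"^(?!.*\d)", "no digit"),
    (r"^(?!.*[a-z])", "no lower case letter"),
    (r"^(?!.*[A-Z])", "no upper case letter"),
    (r"^(?!.*[!@#$%])", "no special character from the set !@#$%"),
    (r"[^\w!@#$%]", "contains a character outside word characters and !@#$%"),
]


def password_allowed(candidate: str) -> bool:
    """True if the whole candidate satisfies the mask.

    fullmatch is an assumption: the sample regex has no trailing '$',
    so PASSWORD_MASK.match() alone would accept a string whose first
    twelve characters satisfy the rules even if disallowed ones follow.
    """
    return PASSWORD_MASK.fullmatch(candidate) is not None


def explain_rejection(candidate: str) -> list:
    """Name each mask rule the candidate breaks (empty list if none)."""
    return [msg for pattern, msg in VIOLATIONS if re.search(pattern, candidate)]


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["Spring2025!Okay", "Spring2025!", "spring2025!okay",
               "Spring2025&Okay", "_Spring2025!Ok", "Spring2025Okay!!"]:
        verdict = "allowed" if password_allowed(pw) else "rejected"
        print(f"{pw!r}: {verdict} {explain_rejection(pw)}")
```

Note that only !@#$% count as special characters under this mask; a password whose only special character is & or ^ is rejected.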
The PASSWORD_REMINDER_PERIOD application parameter sets the number of days before a user’s password expires that an in-application pop-up window displays to let the user know their password is about to expire. For example, if this parameter is set to 7, then 7 days before the password expires the user will see a pop-up window within the application letting them know their password will expire in 7 days. The default and recommended value is 14 days.

Service Account Password Rotation

PCI 4.0 requires service accounts that deal with payment or credit card data to rotate their password every 90 days. To meet this requirement and make it easier for clients to manage password rotation, Personify is implementing a solution that will be able to distinguish PCI service accounts from other accounts. PSM_USER accounts that are required to enter an MFA token to log in to either the desktop or web client are not required to change their password every 90 days.

A new security group called _SERVICE_ACCOUNTS_IN_PCI_SCOPE has been created. Clients can add PSM_USER Service Accounts used in vendor integrations to this security group if the integration deals with payment or credit card data. PSM_USER accounts with the Super User flag checked will be considered in PCI scope even if they are not a member of the security group _SERVICE_ACCOUNTS_IN_PCI_SCOPE. Personify does not recommend using Super User accounts as Service Accounts. Users within this security group and Super Users will have the password expiration set to 90 days.

Data services within PCI scope will be authorized to access resources only through PSM_USER Service Accounts within PCI scope, provided that these Service Account credentials (e.g., passwords, access keys) are rotated with a maximum interval of 90 days. Please note that eBusiness may be impacted if the password for the PSM_USER Service Account used for eBusiness is not rotated every 90 days or less.
If the password for this account is allowed to expire, eBusiness will be impacted. For hosted clients, the Cloud Ops team will take care of password rotation for the PSM_USER Service Account used for eBusiness.

It is incumbent upon clients to notify Personify if they have created or implemented any custom data services that process cardholder data, which should be considered in PCI scope. This should be done by submitting an OCR with the Data Service operation name that needs to be incorporated into PCI processing scope.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a security mechanism that enhances the protection of user accounts by requiring two or more forms of verification before granting access. PCI 4.0.1 now requires MFA for staff users to meet security compliance standards. Personify will be supporting MFA with email-based authentication for the Web Client, Web Admin, and Desktop applications.

Personify’s MFA solution includes:

- MFA verification screen – Users must enter the correct User ID and Password to access this step
- MFA verification email with verification code – Users must have an email address to receive the verification code
- Ability to resend a new code if the user does not receive the code or if the code has expired
- Informational error messages for invalid and expired verification codes

Staff users must have an email configured on the PSM User Setup screen to log in using MFA. Shared/group email accounts won't work; each staff user must have a dedicated email account. If the user does not have an email address configured, they will receive a message that they must contact their administrator to resolve the issue before they can log in. Clients should make sure all users have an email address configured before MFA is implemented.

Users that enter the correct User ID and Password will be routed to the MFA screen; the MFA step cannot be reached without a correct User ID and Password.
Upon successfully entering the correct User ID and Password, the MFA verification screen displays and a verification email containing a one-time use verification code is sent to the user’s email address. The verification code will be six (6) digits and will expire in ten (10) minutes. The user must enter the code in the Verification Code field and then select Verify to log in. If the user does not receive the code or if the code has expired, they can select Resend Code to send a new verification code to their email address.

If the user enters the wrong code into the Verification Code field and then selects Verify, an “Invalid Verification Code” message will display. If the user enters the correct code but it has expired, an error message will display.

MFA Remember Device (3/27/25)

After successfully logging in, the MFA verification will be remembered for 30 days by default. With this setting, if a user logs into the system using multiple computers or a different web browser, they will receive MFA once every 30 days, per computer per web browser. This value is set on the MFA Configuration settings page within Web Admin. Clients can submit a ticket to request changes to this value, up to a maximum of 30 days.

MFA Application Parameters

The following application parameters are included for the implementation of MFA:

- LOCK_USER_ACCOUNT_AFTER_ATTEMPTS: The number of unsuccessful login attempts allowed before an account is locked. These attempts include password verification as well as pass code verification. The default value is 6.
- USER_ACCOUNT_LOCKOUT_DURATION: The amount of time (in minutes) that the user is locked out of their account after exceeding the number of allowed login attempts. The default value is 30 (minutes).

Lockout is per user per database per environment. The counter indicates continuous failures (if there is any success, the counter will be reset). After the lockout duration, the lockout counter resets.
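The two lockout parameters above, modelled as an added example (constructed for illustration, not Personify’s implementation): an integer clock in minutes, one counter covering both password and pass-code failures, reset on any success and again once the lockout duration has elapsed. Whether the lock triggers on the sixth or the seventh consecutive failure is an assumption here; confirm it in your own environment.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults quoted in the article for the two MFA application parameters.
LOCK_USER_ACCOUNT_AFTER_ATTEMPTS = 6
USER_ACCOUNT_LOCKOUT_DURATION = 30  # minutes


@dataclass
class AccountLockout:
    """Constructed model of the lockout policy for one user in one database/environment.

    The clock is an integer number of minutes so the scenario runs offline.
    Assumption: the account locks on the sixth consecutive failure.
    """
    max_attempts: int = LOCK_USER_ACCOUNT_AFTER_ATTEMPTS
    lockout_minutes: int = USER_ACCOUNT_LOCKOUT_DURATION
    failures: int = 0                    # continuous failures, password or pass code
    locked_until: Optional[int] = None   # clock value at which the lockout ends

    def is_locked(self, now: int) -> bool:
        if self.locked_until is None:
            return False
        if now < self.locked_until:
            return True
        # Lockout duration has elapsed: the counter starts over.
        self.locked_until = None
        self.failures = 0
        return False

    def record_failure(self, now: int) -> bool:
        """Register a failed password or pass-code check; True if the account is locked afterwards."""
        if self.is_locked(now):
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout_minutes
            return True
        return False

    def record_success(self, now: int) -> bool:
        """A successful check resets the counter; returns False (login refused) while locked."""
        if self.is_locked(now):
            return False
        self.failures = 0
        return True
```

Because the counter is per user per database per environment, the same user can be locked in one environment and still log in to another.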
Desktop Hotfixes

The following hotfixes will be applied (if they have not been applied previously) before the Desktop package is deployed.

Hotfix 1
- Defect 97480: The Personify applications will now use a BOE key to access Data Analyzer. This fix also resolves an issue that prevented WebI reports from opening from eBusiness.
- Internal ID 96948: The Cache Service and SQL Service being out-of-sync prevented batch (TRS) jobs from being picked up and processed. This fix updates the TRS Daemon service to resolve the issue.
- Defect 4213: The Segmentation Enforced flag was causing database slowness due to locking.
- Internal ID 97591: XSS Security Vulnerability - Sanitization was introduced so that users cannot enter scripts or malicious code from the web. What users can enter is controlled via a new app parameter that was introduced as part of this change.

Hotfix 2
- Internal ID 101391: Update to NCR Response Codes & API update.
- Internal ID 114082: CyberSource: Update source code to encrypt password and pass Partner Solution ID.
- Internal ID 101947: eBusiness Cross-site Scripting - The application parameter entry into API core was missing.

Hotfix 3
- Internal ID 122240: Desktop Notification Templates causing performance issue.

Hotfix 4
- Internal ID 118123: Marketing Lists – Improved performance for the Data Analyzer Query chooser.
- Bug 31519: Transactions that have been created by FAR680 will not settle in CCP610.
- PCI & MFA Logo and Branding update (see below).

Desktop Logo Updates

The logos throughout the ThreeSixty Desktop application will be updated with the release of the PCI 4.0.1 Update package. This includes the logos on the login window, MFA window, About ThreeSixty window, Organization/Organization Unit chooser window, Database chooser window, Change Password window, application timeout window, and home page, as well as the icons on the top navigation bar, taskbar, and launcher.

FAQs

Q: Do these new requirements also apply to eBusiness?
A: No.
If you are using Personify IDP, you can set up MFA through IDP if you wish, but it is not a requirement for PCI compliance. These updates specifically apply to staff who have the ability to interact with multiple accounts and credit cards that are not their own.

Q: Will users be able to receive verification codes through SMS on their mobile device?
A: At this time, we are only implementing email authentication for MFA.

Q: If we require users to update their password every 90 days, do we have to use MFA?
A: With the current implementation, there is no way to log in without using Multi-Factor Authentication.

Q: Do the Data Service app pools need to be restarted after changing the password of a service account?
A: Yes, currently the Data Service app pools must be restarted after changing the password of a service account. Please submit a ticket to restart the app pools after changing service account passwords.

Q: How does the Remember Device setting work for MFA? (3/27/25)
A: With this setting, if a user logs into the system using multiple computers or a different web browser, they will receive MFA once every 30 days, per computer per web browser. This value is set on the MFA Configuration settings page within Web Admin. Clients can submit a ticket to request changes to this value, up to a maximum of 30 days.

Q: What does this look like in the Desktop Application?
A: The Desktop application functions the same way as the web client.

Article Version History

- 3/27/25: Updated FAQs and added section for MFA Remember Device. Added Article Version History section.
- 3/26/25: Added sections for information on Desktop Hotfixes and Logo Updates.
- 3/20/25: Added FAQ on Data Service app pool refresh.
- 3/11/25: Added information on extensions to deadline date - There are no extensions; this date is mandated by the PCI Data Security Standards Council.
- 2/13/25: Added FAQ on whether MFA is required if passwords are updated every 90 days.
- 2/7/25: Added information on what the password regex allows.
- 2/4/25: Added FAQ with image of MFA in Desktop application.
- 1/30/25: Added section on Service Account Password Rotation.
- 1/9/25: Updated information on application parameters for passwords and MFA.
- 12/16/24: Updated image and sample value for password regex.