
CyberSource Payment Manager™ 6.0.1 Database Utility Guide

March 2006


CPM Database Utility Guide • CyberSource Corporation • March 2006 ii

CyberSource Contact Information

For questions about CyberSource Payment Manager, [email protected].

For general information about our company, products, and services, go to http://www.cybersource.com.

For sales questions about any CyberSource Service, email [email protected] or call 650-965-6000 or 888-330-2300 (toll-free in the United States).

For support information about any CyberSource service, visit the Support Center at http://www.cybersource.com/support.

Copyright

© 2006 CyberSource Corporation. All rights reserved. CyberSource Corporation ("CyberSource") furnishes this document and the software described in this document under the applicable agreement between the reader of this document ("You") and CyberSource ("Agreement"). You may use this document and/or software only in accordance with the terms of the Agreement. Except as expressly set forth in the Agreement, the information contained in this document is subject to change without notice and therefore should not be interpreted in any way as a guarantee or warranty by CyberSource. CyberSource assumes no responsibility or liability for any errors that may appear in this document. The copyrighted software that accompanies this document is licensed to You for use only in strict accordance with the Agreement. You should read the Agreement carefully before using the software. Except as permitted by the Agreement, You may not reproduce any part of this document, store this document in a retrieval system, or transmit this document, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written consent of CyberSource.

Restricted Rights Legends

For Government or defense agencies. Use, duplication, or disclosure by the Government or defense agencies is subject to restrictions as set forth in the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and in similar clauses in the FAR and NASA FAR Supplement.

For civilian agencies. Use, reproduction, or disclosure is subject to restrictions set forth in subparagraphs (a) through (d) of the Commercial Computer Software Restricted Rights clause at 52.227-19 and the limitations set forth in CyberSource Corporation's standard commercial agreement for this software. Unpublished rights reserved under the copyright laws of the United States.

Trademarks

CyberSource, the Power Behind the Buy Button, the CyberSource logo, SmartCert, and PaylinX are registered trademarks of CyberSource Corporation in the U.S. and other countries. The Power of Payment, CyberSource Payment Manager, CyberSource Risk Manager, CyberSource Decision Manager, and CyberSource Connect are trademarks and/or service marks of CyberSource Corporation. All other brands and product names are trademarks or registered trademarks of their respective owners.


Contents

Documentation Changes

Chapter 1 CPM Database Utility for Windows
  Creating Database Tables
    Creating the Main Tables
    Creating BIN Information Tables
      Obtaining the BIN Information
      Creating a BIN Information Table
  Configuring Database Settings
    Setting Aging and Volume Options
    Setting the Export Directory
    Setting the Database Timeout Limit
  Encrypting Database Tables
    How Database Encryption Works
    Components Required for Database Encryption
    Split-Knowledge Keys
    Key Management Best Practices
    Ensuring Passphrase Strength
    Setting Up Database Encryption
      Generating a Database Encryption Key File
      New CPM Users: Preparing the CPM Server to Use Encryption
      Existing CPM Users: Encrypting Existing Database Tables
      Importing Your Existing Key (for Merchants Upgrading to 6.0)
    Other Key Management Tasks
      Deleting a Key from the Registry
      Backing Up Your Key(s)
      Restoring Your Key(s)
      Replacing Your Encryption Key
  Exporting CPM Transaction Data
  Importing CPM Transaction Data
  Purging Information from a CPM Database
  Updating Database Tables
  Saving Merchant/Agreement Settings
  Loading Merchant/Agreement Settings
  Database Utility Log

Chapter 2 CPM Database Utility for Unix
  Creating Database Tables
    Creating the Main Tables
    Creating BIN Information Tables
      Obtaining the BIN Information
      Creating a BIN Information Table
  Encrypting Database Tables
    How Database Encryption Works
    Components Required for Database Encryption
    Split-Knowledge Keys
    Key Management Best Practices
    Ensuring Passphrase Strength
    Setting Up Database Encryption
      Generating a Database Encryption Key File
      New CPM Users: Preparing the CPM Server to Use Encryption
      Existing CPM Users: Encrypting Existing Database Tables
    Replacing Your Encryption Key
      Replacing the Key for General Security Purposes
      Replacing a Compromised Key
  Exporting CPM Transaction Data
  Importing CPM Transaction Data
  Purging Information From a CPM Database
  Updating Database Tables
  Saving Merchant/Agreement Settings
  Loading Merchant/Agreement Settings
  Database Utility Log

Appendix A Example Key Custodian Agreement Form


Documentation Changes

The following table lists changes made in the last six releases of this document:

Release Changes

6.0.1 • Updated the CPM version number to 6.0.1.

6.0 • Updated all of the information about setting up database encryption and how and when to replace database encryption keys. For Windows, see Encrypting Database Tables on page 7. For Unix, see Encrypting Database Tables on page 30.

• Added Appendix A, Example Key Custodian Agreement Form, on page 44.

5.7 • Updated the CPM version number to 5.7.

5.6.5 • Updated the CPM version number to 5.6.5.

5.6.4 • Added a section about updating the database tables for Unix. See Updating Database Tables on page 41.

5.6.3 • Updated the CPM version number to 5.6.3.


Chapter 1

CPM Database Utility for Windows

This chapter contains instructions for using the CPM Database Utility for Windows:

• Creating Database Tables

• Configuring Database Settings

• Encrypting Database Tables

• Exporting CPM Transaction Data

• Importing CPM Transaction Data

• Purging Information from a CPM Database

• Updating Database Tables

• Saving Merchant/Agreement Settings

• Loading Merchant/Agreement Settings

• Database Utility Log

If you use a database reporting utility other than the CPM Reports application or if you poll your CPM database for other purposes, refer to the CPM database schema in the CPM API Reference Guide. Back up your transaction database in a timely manner.

Creating Database Tables

If you did not choose the option of creating the required data tables for your CPM database during installation of CPM, use the following steps to create them with the CPM Database Utility.

Creating the Main Tables

Note Before creating tables in the CPM database, you need to obtain password information from your database administrator. Your network administrator should also provide you with the IP address of the computer running the database your CPM Server will use. Use a separate computer for the CPM Server and the CPM database. A high-speed data connection should exist between the CPM Server and the computer running the database.


1 On your desktop, select Start > Programs > CyberSource > Payment Manager > CPM Database Utility.

2 In the Connect to Database dialog box, select your CPM datasource and enter the username and password. Click OK.

Note Use the Windows ODBC Data Sources control panel to create and configure data sources.

3 In the menu, click Create.

4 Click OK to create the tables in your database.

Note The CPM Database Utility also gives you the option of exporting the database table creation scripts to a text file that can be reviewed for schema structure, or executed externally from the database's native SQL command window. If you elect to use text files, you must ensure that your tables and any CPM field-specific contents match the naming and table/field format conventions contained in the CPM database schema. Do not change the CPM table and field names or their lengths.

5 In the confirmation dialog box, click OK.

6 When the tables have been successfully created, click OK.


If you get a warning message indicating that the tables were not successfully created, check the following items:

• Ensure that the database is set up correctly in the DSN tab of the Windows ODBC Data Sources control panel.

• Ensure that your database application is using the correct ODBC driver.

• Check that the network connection is in place and that network traffic is not interfering with connectivity between the Windows server running CPM and the computer hosting your database.

Creating BIN Information Tables

If you choose to use the BIN Lookup transaction type, you must create database tables to store the BIN information that you obtain from the processor or bank. To create a BIN Information table, you use the Database Utility in a command-line environment instead of from the Start menu.

Obtaining the BIN Information

You first must obtain the BIN information from your payment processor or merchant bank. Each processor or merchant bank has a different format for the BIN information they provide. You receive this information in one or more files which you store locally. You then use CyberSource’s Database Utility to load that information into a database table. You can then use CyberSource’s BIN Lookup function to easily look up the BIN information for a particular card number.

You must discuss with your processor or bank how you can determine from the BIN information they provide whether a card can be processed as a PIN-based or PIN-less debit card. The processor or bank may have specific business rules that you should follow when deciding whether to accept a card for a certain type of payment. When you receive the reply from CyberSource’s BIN Lookup function, you must parse the reply for the information that you need to make that decision.

Your processor or bank will tell you how often they update their BIN files and how you obtain the updated information.

Creating a BIN Information Table

Once you have received the BIN file(s) from your processor, you must create a database table to hold the BIN information. When it comes time for you to update the BIN information, you should create a new, separate database table with the updated information so as to not create availability conflicts while you are in the process of updating. A possible strategy for managing this is to have one database table for each day of the week. You update the BIN information daily and switch to the next day’s BIN information table at midnight. Another possible method is to have only two tables and to switch between the two each day.

To create a BIN information database table, you use the CPM Database Utility from a command line. The Database Utility is typically located in the Server directory, which is in the CPM installation directory.

To create a table, use the following command at a command prompt:

cpm_dbutil_win -binload <filename> <tablename> <processor> [-silent]

where:

• <filename> is the name of the BIN file you obtained from the processor or bank. The utility automatically looks for the BIN file in the c:\Program Files\CyberSource\PaymentManager\Server\Export directory. Specify the full path if you store the file elsewhere.

• <tablename> is the name you want to assign to the table. If a table with that name already exists, the original table will be erased and a new table will be created. Use a maximum of 20 characters. Do not use any spaces or special characters except underscores. The table name is not case-sensitive; when creating the name, be consistent with how you handle case sensitivity elsewhere.

• <processor> is the name of the processor (currently you may only use fdmssouth or chase for this value).

• -silent is an optional parameter that when included suppresses a confirmation prompt and any error notifications.

Later, when you need to look up BIN information, you use the BIN Lookup transaction and provide the account number on the card and the name of the database table containing the BIN information. For more information, see the CPM API Reference Guide.
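The table rotation and the -binload arguments described above can be wrapped in a script that checks the arguments before the utility is invoked, since loading into an existing table name erases that table. This is an added example, not CyberSource code; the .exe extension, the BIN_ prefix, the default Server path (inferred from the Export path above) and the script's own -ActiveTable, -Silent and -DryRun parameters are assumptions.

```powershell
# Added example (not part of the guide): load a BIN file into tomorrow's table.
# Assumptions: executable name cpm_dbutil_win.exe, default install path, and the
# BIN_<DAYOFWEEK> naming scheme. Adjust them to your installation.
param(
    [Parameter(Mandatory)] [string] $BinFile,
    [Parameter(Mandatory)] [ValidateSet('fdmssouth', 'chase')] [string] $Processor,
    [string] $ActiveTable,   # table that BIN Lookup requests are using right now
    [string] $ServerDir = 'C:\Program Files\CyberSource\PaymentManager\Server',
    [string] $TablePrefix = 'BIN_',
    [switch] $Silent,        # passes -silent: no prompt, but no error notifications either
    [switch] $DryRun         # print the command without running it
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-BinTableName {
    param([string] $Prefix, [datetime] $Date)
    # One table per day of the week, e.g. BIN_WEDNESDAY
    $name = $Prefix + $Date.DayOfWeek.ToString().ToUpperInvariant()
    # Rules from the guide: at most 20 characters, no spaces, underscores only
    if ($name.Length -gt 20) {
        throw "Table name '$name' is longer than 20 characters."
    }
    if ($name -notmatch '^[A-Za-z0-9_]+$') {
        throw "Table name '$name' may contain only letters, digits and underscores."
    }
    return $name
}

# A bare file name is looked up in the Export directory; always pass a full path
if (-not [System.IO.Path]::IsPathRooted($BinFile)) {
    $BinFile = Join-Path (Join-Path $ServerDir 'Export') $BinFile
}
if (-not (Test-Path -LiteralPath $BinFile -PathType Leaf)) {
    throw "BIN file not found: $BinFile"
}

# Load into the table that becomes active at midnight, never the one in use
$target = Get-BinTableName -Prefix $TablePrefix -Date (Get-Date).AddDays(1)
if ($ActiveTable -and ($target -ieq $ActiveTable)) {
    # Table names are not case-sensitive, and an existing table is erased
    throw "Refusing to load into '$target': it is the active BIN table."
}

$exe = Join-Path $ServerDir 'cpm_dbutil_win.exe'
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    throw "Database Utility not found: $exe"
}

$arguments = @('-binload', $BinFile, $target, $Processor.ToLowerInvariant())
if ($Silent) { $arguments += '-silent' }

Write-Output "Command: `"$exe`" $($arguments -join ' ')"
if ($DryRun) { return }

& $exe @arguments
# The guide does not document exit codes; the value is recorded, not interpreted.
Write-Output "cpm_dbutil_win finished with exit code $LASTEXITCODE (target table: $target)"
```

Because -silent also suppresses error notifications, confirm that the new table is populated before the BIN Lookup transaction is pointed at it.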

Configuring Database Settings

The Settings dialog box in the CPM Database Utility contains the following four basic configuration options that allow you to manage your database:

• Aging Parameters — Designate when the CPM Server should issue a warning that your database contains transaction data older than a specified number of days.


• Automatically Extract/Purge — Designate when the CPM Server should extract (export) old transaction data and in which directory you want this older data stored.

• Volume Parameters — Designate when the CPM Server should issue a warning that your database contains too many transactions and when the CPM Server should extract (export) those transactions.

• Database Timeout — Designate the timeout limit for connections between your database and the CPM Server.

Note Contact your database administrator, accounting group, and financial processor before setting these options to determine what best suits your business needs.

Setting Aging and Volume Options

1 In the CPM Database Utility menu, click Settings.

2 In the CPM Database Utility Settings dialog box, click the Auto Extract Parameters tab.

3 Select the check box for Utilize Aging Parameters and enter the number of days the database should store transactions before issuing a warning indicating you have old transactions.

4 Enter the number of days the database should store old transactions before automatically purging or exporting the transaction data out of the database.


5 Select the check box for Utilize Volume Parameters and enter the maximum number of transactions the database should store before issuing a warning indicating the number of transactions in the database.

6 Enter the maximum number of transactions the database should store before automatically purging or exporting the transaction data out of the database.

Note Generate transaction reports on a regular basis using the CPM Reports application to keep track of the number of transaction records in your database.

Setting the Export Directory

1 Click the Export Directory tab and then click Browse.

2 During installation, CPM automatically creates a default directory named export. Select this default directory or another directory to save the exported transaction logs and click OK.

Setting the Database Timeout Limit

This option sets a timeout limit for the network connection between the CPM Database Utility and the database that stores CPM transactions. Typically, the slower the network connection, the longer the timeout setting should be. You may want to coordinate this setting with your database administrator.


1 In the CPM Database Utility Settings dialog box, click the Database Timeout tab.

2 Enter the amount of time, in seconds, that the CPM Database Utility should wait before timing out and click OK.

3 Close the CPM Database Utility.

Encrypting Database Tables

The CPM Server has a database encryption option that provides greater security for sensitive information contained in your transaction database. With CPM database encryption, credit card numbers stored in the database are encrypted so that no one inside or outside of your organization can decrypt them. If you want to be PCI compliant, you must use database encryption (see the CPM PCI Compliance Guide for more information about PCI).

Important Database encryption must be run on the same server that CPM is running on.

Note This chapter is for Windows-based CPM Servers only. If you are running a Unix-based CPM Server and want to encrypt the database, see Chapter 2, CPM Database Utility for Unix, on page 28.


How Database Encryption Works

When you enable database encryption, the CPM transaction API returns a masked credit card number field. If you attempt to use the CPM sequence number to perform field completion for a transaction, the CPM Server updates the account number field with the account number from the database and then masks it out upon completion.

When passing credit card numbers to the database, the CPM Server encrypts these numbers within the SQL statements passed to the Windows ODBC interface, and then the interface passes this information through the database driver.

The CPM Database Utility’s encryption process is fault tolerant. This means that if a database operation is interrupted, you can repeat the procedure using the same CPM license key and CPM encryption key file to complete the operation. The CPM Database Utility continues the operation from the point where it was interrupted.

Components Required for Database Encryption

These are the components required for database encryption:

• CPM license key with database encryption enabled

• Database encryption key imported into the CPM Server’s registry

• cpm.cfg file set with the latest database encryption key serial number

• CPM Server(s) with database encryption enabled

CPM license key with database encryption enabled. If you included the CPM database encryption option with your CPM software purchase, you will receive a CPM license key with encryption enabled. The software license key works in conjunction with a database encryption key file to establish database encryption between the CPM Server and the CPM database.

Database encryption key. Starting with CPM 6.0, you now generate your own database encryption key instead of obtaining it from CyberSource. The key file is named with the key’s serial number, for example, 2D7C79FC.key.

CPM 6.0 comes with a tool for creating and managing your database encryption keys (see Generating a Database Encryption Key File on page 12). Once you create a key, you must import it into the registry of each CPM Server you are using. You can also export a key from the registry back to a key file. The location in the registry where the keys reside is HKEY_LOCAL_MACHINE\SOFTWARE\CyberSource\Keystore.

Make a backup copy of the key file and securely store it off of the CPM Server. If at any time you feel that your database encryption key has been compromised, immediately replace it. See Replacing a Compromised Key on page 20.

cpm.cfg file set with the latest database encryption key serial number. On each CPM Server that you are using, you must ensure that the DBEncryptKeySN parameter in the cpm.cfg file is set with the serial number of the newest database encryption key. When you run the Database Utility’s encrypt function, it automatically updates the cpm.cfg file with the serial number on the particular CPM Server where you are running the Database Utility. You may also manually update the file. For example, if the key file is 2D7C79FC.key, you would edit cpm.cfg so that DBEncryptKeySN=2D7C79FC. When you replace a key, you must update the cpm.cfg on each CPM Server with the new key’s serial number.

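[Figure: a key file (<serial number>.key) is imported into the CPM Server registry, where it resides as an imported key, and can be exported from the registry back to a key file.]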


CPM Server(s) with database encryption enabled. You must enable database encryption on each CPM Server you are using. You do this in the Administration Client, in the properties for the CPM Server, on the Database tab.

Split-Knowledge Keys

The database encryption key generation tool that comes with CPM 6.x uses a split-knowledge technique that ensures that the key is under the control of two or more people. During key generation, two different people are required to provide passphrases separately. The key is generated based on those passphrases and can be reconstructed if needed with the passphrases. Each person must memorize his or her own passphrase and not tell anyone the phrase at any time.

You need two key custodians to provide passphrases. You also need to create a system whereby those two passphrases can be securely stored and retrieved in the event the key needs to be reconstructed and both key custodians are not available.

Key Management Best Practices

Follow these best practices for managing your database encryption keys:

• Have all key custodians sign an agreement acknowledging their responsibilities as key custodians (see Appendix A, Example Key Custodian Agreement Form, on page 44 for an example agreement).

• Do not store the database encryption keys in the Server directory or anywhere in the file system on the CPM Server; store them only in the CPM Server’s registry.

• Keep a secure backup copy of your passphrases and/or the key file(s) outside the CPM Server.

• Make sure that access to the Keystore location in the CPM Server’s registry is limited (HKEY_LOCAL_MACHINE\SOFTWARE\CyberSource\Keystore).

• When a database encryption key is no longer needed, delete it from the registry (see Deleting a Key from the Registry on page 17). See Replacing the Key for General Security Purposes on page 19 for information about replacing a key and determining when the old key is no longer needed.
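The DBEncryptKeySN setting in cpm.cfg and the best practices above can be checked with a short audit run on each CPM Server. This is an added example, not part of the guide or of CPM; the cpm.cfg path (which the guide does not give), the scan roots, the alphanumeric serial-number pattern and the choice of which accounts count as too broad are assumptions.

```powershell
# Added example (not part of the guide): audit key handling on a CPM Server.
# Assumptions: -ConfigPath points at cpm.cfg, key files use the .key extension
# shown in the guide, and the three well-known groups below are "too broad".
param(
    [Parameter(Mandatory)] [string] $ConfigPath,
    [string[]] $ScanRoots = @('C:\Program Files\CyberSource\PaymentManager\Server'),
    # A 32-bit process on 64-bit Windows is redirected to
    # HKLM:\SOFTWARE\WOW6432Node\...; pass that path if it applies to you.
    [string] $KeystorePath = 'HKLM:\SOFTWARE\CyberSource\Keystore'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. cpm.cfg must name a key serial number (8 characters, e.g. 2D7C79FC)
$match = Select-String -LiteralPath $ConfigPath -Pattern '^\s*DBEncryptKeySN\s*=\s*(\S*)' |
    Select-Object -Last 1
if ($null -eq $match) {
    $findings.Add("DBEncryptKeySN is not set in $ConfigPath")
} else {
    $serial = $match.Matches[0].Groups[1].Value
    if ($serial -notmatch '^[0-9A-Za-z]{8}$') {
        $findings.Add("DBEncryptKeySN '$serial' is not an 8-character serial number")
    } else {
        Write-Output "Configured key serial number: $serial"
    }
}

# 2. Key files must not be left in the Server directory or elsewhere on disk
foreach ($root in $ScanRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.key' -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.key' } |
        ForEach-Object { $findings.Add("Key file on the file system: $($_.FullName)") }
}

# 3. Access to the Keystore registry location must be limited
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
if (-not (Test-Path -LiteralPath $KeystorePath)) {
    Write-Output "Keystore not found at $KeystorePath (no key imported, or a different registry view)"
} else {
    foreach ($ace in (Get-Acl -LiteralPath $KeystorePath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so the check does not depend on localized group names
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable identity; not one of the well-known groups
        }
        if ($broadSids.ContainsKey($sid)) {
            $findings.Add("Keystore grants $($ace.RegistryRights) to $($broadSids[$sid])")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated prompt on every CPM Server after a key is imported or replaced, since each server has its own cpm.cfg and registry.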

Ensuring Passphrase Strength

This section lists several best practices for creating strong passphrases. Passphrases are used to create the database encryption key.

• Passphrases should be difficult to guess. This means they should not be related to the user’s personal life or job (for example, a car license plate number, a spouse’s name, a pet’s name, a Social Security number, a family member’s birthday, or fragments of an address). Also, proper names, places, technical terms, or slang should not be used.

• To help make the passphrase easy to remember, use one of these suggestions:

– Shift a word up, down, left, or right one row on the keyboard

– Move characters in a word a certain number of letters up or down in the alphabet

– Combine punctuation and numbers with a regular word

– Create acronyms from words in a song, poem, or other sequence of words

– Deliberately misspell a word (but do not use a common misspelling)

– Combine a number of facts like favorite colors and foods


Setting Up Database Encryption

The specific instructions for setting up database encryption vary depending on whether you are a new CPM user or an existing user:

• If you are a new CPM user, see New CPM Users: Preparing the CPM Server to Use Encryption on page 14.

• If you are an existing CPM customer and have just purchased the database encryption option, see Existing CPM Users: Encrypting Existing Database Tables on page 14.

• If you are an existing CPM customer, you have already been using database encryption, and you are upgrading from a pre-6.0 version to CPM 6.x, see Importing Your Existing Key (for Merchants Upgrading to 6.0) on page 16.

Generating a Database Encryption Key File

Starting with CPM 6.0, you must generate your own database encryption key file by using the procedure below:

1 On any CPM Server, go to the Server directory and double-click DBKeyGenerator.exe.

The menu is displayed.

2 Click Generate New Key.


3 When prompted for the first passphrase, have the first person enter the first passphrase.

4 When prompted for the second passphrase, have the second person enter the second passphrase.

The tool creates the key and displays the 8-character serial number (686F7573 in this example).

5 Write down the serial number, which you will need later when you set up the CPM Server(s) to use database encryption.

6 Select the check box for Write to Registry and click OK.

The key is imported into the registry.

7 If you are using multiple CPM Servers, import the key into the registries of all of the CPM Servers:

a While still on the first CPM Server, in the key tool menu, click Export Key.

b When prompted, select the key you want to export and click OK.

c When the Save As dialog box opens, click Save (do not change the name of the file).

The database encryption key file is saved to the Server directory on the CPM Server as <serial number>.key.


d Copy the key file to the Server directory on each of the other CPM Servers.

e On each CPM Server, run the DBKeyGenerator.exe tool and click Import Key to import the key from the key file.

f Delete the key file from the Server directory of each of the CPM Servers.

You have generated your database encryption key file and imported it into the registry on each CPM Server.

New CPM Users: Preparing the CPM Server to Use Encryption

Use this procedure if you are a new CPM user who has not processed any transactions yet.

To set up encryption:

1 Generate your database encryption key and import it into the registry on each CPM Server (see Generating a Database Encryption Key File on page 12).

2 Stop any CPM Servers that are running:

a Go to the CPM Administration Client.

b For each CPM Server that is running, click Server > Stop Service.

3 On each CPM Server, update the cpm.cfg file with the encryption key serial number:

a Locate the cpm.cfg file (in the Server directory).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the encryption key’s serial number.

c Save and close the file.

4 Start the CPM Server(s):

a Go to the CPM Administration Client.

b For each CPM Server you are using, click Server > Start Service.

5 In the properties for each CPM Server, on the Database tab, select the check box for Database Encryption Enabled and click OK (note that this will already be done if you are a new CPM user who has just installed CPM 6.x.).

You have prepared each CPM Server to use encryption.

Existing CPM Users: Encrypting Existing Database Tables

Note If you are an existing CPM user already using database encryption and you are upgrading from a pre-6.0 version to 6.x, all you need to do is import your existing database key into the registry on each CPM Server that you are using. See Importing Your Existing Key (for Merchants Upgrading to 6.0) on page 16.

If you are an existing CPM user and you are adding the encryption option for the first time now, we suggest you do this during a period when your transaction requests are lowest, because you must temporarily stop accepting transactions during the encryption process.

Prerequisite: Obtain your new CPM license key from CyberSource with database encryption enabled.

To set up encryption:

1 Replace your current CPM license key with the new license key. See the topic entitled “Change a License Key” in the Administration Client online help for instructions.

Note Do not restart the CPM Server after replacing the current license key.

2 Generate your database encryption key and import it into the registry on each CPM Server (see Generating a Database Encryption Key File on page 12).

3 Stop any CPM Servers that are running:

a Go to the CPM Administration Client.

b For each CPM Server that is running, click Server > Stop Service.

4 On the CPM Server (or on just one of them if you have multiple CPM Servers), run the Database Utility encryption process (see the steps below). This encrypts your existing database and updates the cpm.cfg file on that CPM Server with the database encryption key serial number.

Note You must run the Database Utility procedure on the same physical machine that the CPM Server is running on.

a On your desktop, select Start > Programs > CyberSource > Payment Manager > CPM Database Utility.

b In the CPM Database Utility window, click Encrypt.

c In the Update CPM Database Encryption Key dialog box, enter the database key serial number into the New Key Serial Number field and click OK.


d At the update prompt, click Yes.

e When the encryption process is finished, click OK at the confirmation prompt.

f Close the CPM Database Utility.

5 If you are running multiple CPM Servers, manually update the cpm.cfg file on each of the other CPM Servers with the encryption key serial number:

a Locate the cpm.cfg file (in the Server directory).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the encryption key’s serial number.

c Save and close the file.

6 Start the CPM Server(s).

7 In the properties for each CPM Server, on the Database tab, select the check box for Database Encryption Enabled and click OK.

You have encrypted the database and prepared each CPM Server to use encryption.

Importing Your Existing Key (for Merchants Upgrading to 6.0)

If you are upgrading to CPM 6.0 and are already using database encryption, you simply need to import your existing database encryption key(s) into the registry. You must also delete the existing key file(s) from the file system on the CPM Server.

1 If you do not already have a backup copy of your encryption key, copy the database encryption key file from the Server directory to a secure storage device. This is your backup copy.

2 Return to the Server directory on the CPM Server and double-click DBKeyGenerator.exe.

3 In the menu, click Import Key.

4 In the dialog box that is displayed, double-click the database encryption key that you want to import.


The key is imported to the registry. You can confirm that the key was imported by clicking Export Key in the menu. You should see the key in the list of keys in the registry that are available to export.

5 Click Exit to close the tool.

6 Delete the database encryption key file from the Server directory, as it is no longer needed there.

7 If you are using multiple CPM Servers, repeat steps 2–6 above on each of your CPM Servers.

You have imported the key into the registry and removed the key file from the Server directory where it is no longer needed.

Other Key Management Tasks

The tasks discussed here include deleting a key, backing up keys, restoring keys, and replacing keys.

Deleting a Key from the Registry

1 Go to the Server directory on the CPM Server and double-click DBKeyGenerator.exe.

2 In the menu, click Delete Key.

3 When prompted, select the key you want to delete and click Delete.

The key is deleted from the registry.

Backing Up Your Key(s)

You must create a backup of your database encryption key(s) in the event that something happens to the registry settings of your CPM Server and your keys are lost. If you have only one key, you can export that key to a key file and store it securely somewhere off the CPM Server. If you have more than one active key in the registry (if you recently replaced your key and have not yet purged the transactions that use the old key—see Replacing the Key for General Security Purposes on page 19), you can back up multiple keys to a batch file and restore them from that batch file.

1 Run the DBKeyGenerator.exe tool.

2 If you have only one active key:

a In the menu, click Export Key.

b Select the key you want to export and click OK.

c When the Save As dialog box opens, click Save (do not change the name of the file).

The database encryption key file is saved to the Server directory on the CPM Server as <serial number>.key.

3 If you have multiple active keys:

a In the menu, click Backup, which creates a single batch file containing all of your keys.

b When the Save As dialog box opens, enter a name for the file (for example, key_backup).

The backup batch file is saved to the Server directory on the CPM Server as <filename>.dat.

4 Copy the single key file or backup key file to a secure storage device as a backup.

5 Delete any copies of the key file so that the file does not reside anywhere on any of your CPM Servers.

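[Figure: a single key moves between the CPM Server registry (imported key) and the key file <serial number>.key by Import and Export; multiple keys move between the CPM Server registry (imported keys) and the backup batch file <name>.dat by Back up and Restore.]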


You have backed up your key(s).

Restoring Your Key(s)

Important The registry must be empty (and have no database keys already stored in it) for the restore function to work properly.

1 Retrieve your file from wherever you have it safely stored and copy it to the Server directory on the CPM Server.

2 Run the DBKeyGenerator.exe tool.

3 If you are restoring a single key file (<serial number>.key):

a Click Import Key.

b Select the key to import and click Open.

The key is restored to the registry.

4 If you are restoring a batch key file (<filename>.dat):

a Click Restore.

b Select the batch file to restore and click Open.

The keys in the batch file are restored to the registry.

5 Repeat the above steps on each CPM Server you are using.

6 Delete any copies of the key file so that the file does not reside anywhere on any of your CPM Servers.

You have restored your key(s).

Replacing Your Encryption Key

There are two reasons why you need to replace your encryption key:

• For general security purposes, replace your key every two to four years.

• If at any time you feel your key has been compromised, replace it immediately.

Replacing the Key for General Security Purposes. Every two to four years, replace your key by using this procedure:


1 Generate your new database encryption key and import it into the registry on each CPM Server (see Generating a Database Encryption Key File on page 12). Do NOT yet delete your old key from the registry.

2 Stop any CPM Servers that are running:

a Go to the CPM Administration Client.

b For each CPM Server that is running, click Server > Stop Service.

3 On each CPM Server, manually update the cpm.cfg file with the new key serial number:

a Locate the cpm.cfg file (typically it is in the default installation directory C:\Cybersource\PaymentManager\Server).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the new key’s serial number instead of the old key’s serial number.

c Save and close the file.

4 Start the CPM Server(s).

You have replaced the encryption key file. CPM will now use the new key to encrypt data for all future transactions. Note that you do not need to re-encrypt the database with the new key. Instead, all of your existing transactions that used the previous key will remain encrypted as is. If you perform any follow-up transactions that reference those old transactions (such as returns), CPM uses the old encryption key to decrypt the data as needed.

Do not delete the old encryption key from the registry until it is no longer needed for any follow-on transactions. As you purge old transactions from your database, the transactions that used the old key will eventually be removed. To see if there are still transactions in the database that use the old key, look at the first 8 characters of the ACCOUNT_EXTENSION field in the CC_TRANSACTION table in the CPM database. Those 8 characters are the serial number of the key that was used to encrypt the transaction’s data. See Deleting a Key from the Registry on page 17 when you are ready to delete the old key.
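The check described above, as an added example that is not part of the CyberSource guide: it groups CC_TRANSACTION rows by the first 8 characters of ACCOUNT_EXTENSION and compares the result with the serials listed in the registry. An in-memory SQLite table stands in for the CPM database, and the TX_ID column, the second serial 4E45574B, the row contents and all function names are constructed for the illustration.

```python
import sqlite3

SERIAL_LEN = 8  # per the guide: first 8 characters of ACCOUNT_EXTENSION


def key_serials_in_use(conn):
    """Return {serial: transaction_count} for every key serial still referenced."""
    rows = conn.execute(
        "SELECT SUBSTR(ACCOUNT_EXTENSION, 1, ?) AS sn, COUNT(*) "
        "FROM CC_TRANSACTION "
        "WHERE LENGTH(ACCOUNT_EXTENSION) >= ? "  # NULL and short values drop out
        "GROUP BY sn",
        (SERIAL_LEN, SERIAL_LEN),
    ).fetchall()
    return dict(rows)


def unattributed_rows(conn):
    """Count rows whose ACCOUNT_EXTENSION is NULL or too short to carry a serial."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM CC_TRANSACTION "
        "WHERE ACCOUNT_EXTENSION IS NULL OR LENGTH(ACCOUNT_EXTENSION) < ?",
        (SERIAL_LEN,),
    ).fetchone()
    return count


def audit_keys(conn, active_sn, registry_sns):
    """Classify key serials before anyone deletes a key from the registry.

    active_sn    -- the serial currently set in DBEncryptKeySN
    registry_sns -- the serials the key tool lists as present in the registry
    """
    in_use = key_serials_in_use(conn)
    referenced = set(in_use) | {active_sn}
    registry = set(registry_sns)
    return {
        "in_use": in_use,
        # In the registry, not the active key, and no transaction refers to it.
        "deletable": sorted(registry - referenced),
        # In the registry and still needed for new or follow-on transactions.
        "must_keep": sorted(registry & referenced),
        # Needed but absent from the registry: restore from backup first.
        "missing": sorted(referenced - registry),
    }


def build_sample_db():
    """Constructed sample data standing in for the CPM database."""
    conn = sqlite3.connect(":memory:")
    # TX_ID is a hypothetical column; only ACCOUNT_EXTENSION comes from the guide.
    conn.execute("CREATE TABLE CC_TRANSACTION (TX_ID INTEGER, ACCOUNT_EXTENSION TEXT)")
    old, new = "686F7573", "4E45574B"  # old: serial shown in the guide; new: constructed
    rows = [
        (1, old + "<opaque>"), (2, old + "<opaque>"),
        (3, new + "<opaque>"), (4, new + "<opaque>"), (5, new + "<opaque>"),
        (6, None),   # row without encrypted data
        (7, "abc"),  # too short to carry a serial
    ]
    conn.executemany("INSERT INTO CC_TRANSACTION VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    report = audit_keys(db, active_sn="4E45574B",
                        registry_sns=["686F7573", "4E45574B"])
    for label, value in report.items():
        print(f"{label}: {value}")
    print("rows without a serial:", unattributed_rows(db))
```

A serial reported under "missing" means transactions exist that no key in the registry can decrypt, so restore that key from its backup before purging or deleting anything.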

Replacing a Compromised Key. If at any time you feel your key has been compromised, immediately replace it by using this procedure:

1 Generate your new database encryption key and import it into the registry on each CPM Server (see Generating a Database Encryption Key File on page 12).

2 Stop any CPM Servers that are running:

a Go to the CPM Administration Client.

b For each CPM Server that is running, click Server > Stop Service.


3 On the CPM Server (or on just one of them if you have multiple CPM Servers), run the Database Utility encryption process (see the steps below). This re-encrypts the database with the new key and updates the cpm.cfg file on that CPM Server with the new serial number.

Note You must run the Database Utility procedure on the same physical machine that the CPM Server is running on.

a On your desktop, select Start > Programs > CyberSource > Payment Manager > CPM Database Utility.

b In the CPM Database Utility window, click Encrypt.

c In the Update CPM Database Encryption Key dialog box, enter the new database key serial number into the New Key Serial Number field and click OK.

d At the update prompt, click Yes.

e When the encryption process is finished, click OK in the confirmation prompt.

f Close the CPM Database Utility.

4 If you have multiple CPM Servers, manually update the cpm.cfg file on each CPM Server with the new encryption key serial number:

a Locate the cpm.cfg file (in the Server directory).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the new key’s serial number instead of the old key’s serial number.

c Save and close the file.

5 Start the CPM Server(s).

6 Delete the old key from the registry (see Deleting a Key from the Registry on page 17).

You have replaced the encryption key file.


Exporting CPM Transaction Data

The CPM Database Utility allows you to set specific parameters for the automatic generation of flat files for export from the CPM database into another directory for storage or transaction reporting. Exported database files that are saved to another location can then be purged as part of a regular database maintenance program.

If you want to use the export option to store CPM transaction data outside the CPM database, establish a file naming scheme to track which files include what information.

1 In the CPM Database Utility menu, click Export.

2 In the Export Options dialog box, select an export start time. You can specify that the CPM Database Utility automatically export records beginning with the oldest it finds in the database, or you can specify a date and time range for records to export.

3 Select an export end time. You can specify that the export end at the newest transaction found in the database or you can specify that the export end at a certain date and time.

Note If you select Oldest Transaction in the start time and Newest Transaction in the end time option, the CPM Database Utility will export every transaction record in the database. Make sure this is what you want to do before setting this option.

4 If you want to delete the transaction records from the database after exporting them to a log file, select the Purge Transactions after export option.

5 Click Browse and enter a file name for the transaction log file, then select a directory into which it should go and click Save.

6 If you enabled the Purge on Export option, click OK in the warning dialog.

7 If the export is successful, click OK.

If the export is not successful, check the following:

• Ensure that the database is properly set up in the DSN tab of the Windows ODBC Data Sources control panel.

• Ensure that you are using the correct ODBC driver for your database application.

• Check that the network connection is in place and that network traffic is not interfering with connectivity between the Windows server running CPM and the computer hosting your database.


Importing CPM Transaction Data

Use the following procedures to retrieve transaction log files that have been exported from a CPM database.

Note You can only import transaction logs from the same version of the database.

1 In the CPM Database Utility menu, click Import.

2 Locate and select the transaction log file you want and click Open.

3 When the import is finished, click OK.

Purging Information from a CPM Database

Back up your CPM database prior to doing a purge. To ensure that transaction information is available for reporting, create a reporting schedule based on both the storage capacity of your database system and the number of transactions your business does.

Use the CPM Reports application or some other reporting utility frequently to monitor the contents of your transaction database. Purge the database of old records before your database reaches full capacity.

Note Records purged from the database before report generation are deleted and do not show up on the report.

1 Stop the CPM Server.

2 Make sure that no other applications or reporting tools are currently using the CPM database you want to purge.

3 Open the CPM Database Utility and log in to the database.

4 In the CPM Database Utility menu, click Purge.

5 In the Purge Options dialog box, select a Purge Start Date. You can specify that the CPM Database Utility automatically begin purging from the oldest transaction it finds in the database, or you can specify a date and time range for records to purge.


6 Select an End Purge Date. You can specify that the purge end with the newest transaction found in the database or you can specify that the purge end at a certain date and time.

Note If you select Oldest Transaction in the start purge and Newest Transaction in the end purge option, the CPM Database Utility will purge every transaction record in the database. Make sure this is what you want to do before setting this option.

7 Click OK to begin the purge.

8 In the confirmation dialog, click OK.

9 When the purge is finished, click OK.

If the purge is not successful, check the following:

• Ensure that the database is properly set up in the DSN tab of the Windows ODBC Data Sources control panel.

• Ensure that you are using the correct ODBC driver for your database application.

• Check that the network connection is in place and that network traffic is not interfering with connectivity between the Windows server running CPM and the computer hosting your database.

Updating Database Tables

If you upgraded your CPM system to a new version but did not choose the option of updating your CPM Database, use the following steps to update the tables to the new version. We recommend that you perform a backup of the CPM database prior to updating the tables.

1 In the CPM Database Utility menu, click Update.

2 In the confirmation dialog box, click OK.


The CPM Database tables are updated to the current version.

3 In the confirmation dialog box, click OK.

Saving Merchant/Agreement Settings

This option saves the CPM Configuration settings (including gateway settings, agreement settings, merchant settings, and security settings). Use the export option to back up transaction data.

1 In the CPM Database Utility menu, click Save.

2 In the Save As Options dialog box, click Browse and enter a file name for the file, then select a directory into which it should go and click OK.

3 In the confirmation dialog box, click OK.

If the save is not successful, check the following:

• Ensure that the database is properly set up in the DSN tab of the Windows ODBC Data Sources control panel.

• Ensure that you are using the correct ODBC driver for your database application.

• Check that the network connection is in place and that network traffic is not interfering with connectivity between the Windows server running CPM and the computer hosting your database.

Loading Merchant/Agreement Settings

Note You must stop the CPM Server and disconnect it from the database before loading the CPM Configuration settings.

This option loads the CPM Configuration settings (including gateway settings, agreement settings, merchant settings, and security settings). Use the import option to restore transaction data.


The database tables that store the CPM Configuration settings MUST be empty before loading the CPM Configuration settings. These tables include the following items:

• AGREEMENT

• AGREEMENT_VALUES

• GATEWAY

• GATEWAY_VALUES

• MERCHANT_AGREEMENT

• MERCHANT

• MERCHANT_VALUES

• SEC_ALLOWED_MERCH

• SEC_ALLOWED_TX

• SEC_GROUP_MAP

• SEC_GROUPS

• SEC_USER

To restore the CPM Configuration settings, follow these steps:

1 Stop the CPM Server.

2 Disconnect the CPM Server from the database. Refer to the Administration Client’s online help for more information.

3 In the CPM Database Utility menu, click Load.

4 In the confirmation dialog box, click OK.

The CPM Configuration settings are loaded.

5 In the confirmation dialog box, click OK.

If the load is not successful, check the following:

• Ensure that the database is properly set up in the DSN tab of the Windows ODBC Data Sources control panel.

• Ensure that you are using the correct ODBC driver for your database application.

• Check that the network connection is in place and that network traffic is not interfering with connectivity between the Windows server running CPM and the computer hosting your database.

Database Utility Log

CPM 6.x includes a log that records use of the Database Utility. The log is called DBUtilityActivity.log and is stored in the Server\Log directory of the CPM installation directory.


The log records use of any of the Database Utility’s functions (create tables, encrypt, export, purge, and so on).

For each action, the log includes:

• Date and time stamp

• Location where the Database Utility is being run

• Database username

• Type of event (examples: Create CPM Tables, Encrypt Data, Export Data)

• Success or failure indicator, if applicable

This is an excerpt of an example log:


Chapter 2

CPM Database Utility for Unix

This chapter contains instructions for using the CPM Database Utility for Unix:

• Creating Database Tables

• Encrypting Database Tables

• Exporting CPM Transaction Data

• Importing CPM Transaction Data

• Purging Information From a CPM Database

• Updating Database Tables

• Saving Merchant/Agreement Settings

• Loading Merchant/Agreement Settings

• Database Utility Log

If you use a database reporting utility other than the CPM Reports application, or if you poll your CPM database for other purposes, refer to the CPM database schema in the CPM API Reference Guide. Always make timely backups of your transaction database.

Note In the procedures in this chapter, [ ] indicate optional arguments. If an optional argument is not entered, the default is used. Also, < > indicate required arguments.

To access syntax and command explanations online, enter cpm_dbutil -help or cpm_dbutil ? at the command line.

Creating Database Tables

Creating the Main Tables

Note Before creating tables in the CPM database, you need to obtain a user ID and password information from your database administrator. Your network administrator should also provide you with the IP address of the computer running the database your CPM Server will use. Use a separate computer for the CPM Server and the CPM database. A high-speed data connection should exist between the CPM Server and the computer running the database.

1 Log in as administrator to the server hosting the CPM Server.

2 At the command line, type:

cpm_dbutil -create [-file <filename>] -usr <username> -pwd <password> -db <datasourcename>

Excluding the -file argument instructs the CPM Database Utility application to create the tables.

Including the -file argument instructs the CPM Database Utility application to generate a SQL table create script. You then run this script to create the CPM tables.

Creating BIN Information Tables

If you choose to use the BIN Lookup transaction type, you must create database tables to store the BIN information that you obtain from the processor or bank.

Obtaining the BIN Information

You first must obtain the BIN information from your payment processor or merchant bank. Each processor or merchant bank has a different format for the BIN information they provide. You receive this information in one or more files which you store locally. You then use CyberSource’s Database Utility to load that information into a database table. You can then use CyberSource’s BIN Lookup function to easily look up the BIN information for a particular card number.

You must discuss with your processor or bank how you can determine from the BIN information they provide whether a card can be processed as a PIN-based or PIN-less debit card. The processor or bank may have specific business rules that you should follow when deciding whether to accept a card for a certain type of payment. When you receive the reply from CyberSource’s BIN Lookup function, you must parse the reply for the information that you need to make that decision.

Your processor or bank will tell you how often they update their BIN files and how you obtain the updated information.

Creating a BIN Information Table

Once you have received the BIN file(s) from your processor, you must create a database table to hold the BIN information. When it comes time for you to update the BIN information, you should create a new, separate database table with the updated information so as to not create availability conflicts while you are in the process of updating. A possible strategy for managing this is to have one database table for each day of the week. You update the BIN information daily and switch to the next day’s BIN information table at midnight. Another possible method is to have only two tables and to switch between the two each day.

To create a table, at a command line, type:

cpm_dbutil -binload <filename> <tablename> <processor> [-silent]

where:

• <filename> is the name of the BIN file you obtained from the processor or bank. The utility automatically looks for the BIN file in the /opt/cybersource/payment_manager/server/export directory. Specify the full path if you store the file elsewhere.

• <tablename> is the name you want to assign to the table. If a table with that name already exists, the original table will be erased and a new table will be created. Use a maximum of 20 characters. Do not use any spaces or special characters except underscores. The table name is not case-sensitive; when creating the name, be consistent with how you handle case sensitivity elsewhere.

• <processor> is the name of the processor (currently you may only use fdmssouth or chase for this value).

• -silent is an optional parameter that when included suppresses a confirmation prompt and any error notifications.

Later, when you need to look up BIN information, you use the BIN Lookup transaction and provide the account number on the card and the name of the database table containing the BIN information. For more information, see the CPM API Reference Guide.
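The following is an added example, not part of the CyberSource guide: a pre-flight check for the -binload command that applies the table name and processor rules above and refuses to load into the table currently used for BIN Lookup, since an existing table with the target name is erased. The bin_<day> naming scheme, the function names and the return codes are assumptions of this example, and the rule on special characters is read here as "letters, digits and underscores only".

```shell
#!/bin/sh
# Added example (not CyberSource code): pre-flight checks for cpm_dbutil -binload.
# The bin_<day> table names and all function names are assumptions of this example.

# Table name for an ISO weekday number (1 = Monday ... 7 = Sunday, as printed by `date +%u`).
bin_table_for_day() {
    case "$1" in
        1) echo "bin_mon" ;;
        2) echo "bin_tue" ;;
        3) echo "bin_wed" ;;
        4) echo "bin_thu" ;;
        5) echo "bin_fri" ;;
        6) echo "bin_sat" ;;
        7) echo "bin_sun" ;;
        *) return 1 ;;
    esac
}

# Weekday number that follows the given one (7 wraps to 1).
next_day() {
    echo $(( $1 % 7 + 1 ))
}

# Table name rules: at most 20 characters, letters, digits and underscores only.
valid_table_name() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 20 ] || return 1
    case "$1" in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# The guide lists only these two processor values.
valid_processor() {
    case "$1" in
        fdmssouth|chase) return 0 ;;
    esac
    return 1
}

# Table names are not case-sensitive, so compare them folded to lower case.
same_table() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# plan_binload <file> <target_table> <processor> <active_table>
# Prints the command to run, or fails with: 2 bad table name, 3 bad processor,
# 4 target is the table currently used for BIN Lookup (the load would erase it).
plan_binload() {
    valid_table_name "$2" || return 2
    valid_processor "$3" || return 3
    if same_table "$2" "$4"; then
        return 4
    fi
    # -silent is left out so the confirmation prompt and error notifications stay visible.
    printf 'cpm_dbutil -binload "%s" %s %s\n' "$1" "$2" "$3"
}

# plan_next_day_load <file> <processor> <today's weekday number>
# Daily rotation: load into tomorrow's table while today's table stays in service.
plan_next_day_load() {
    plan_binload "$1" "$(bin_table_for_day "$(next_day "$3")")" "$2" \
                 "$(bin_table_for_day "$3")"
}
```
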

Encrypting Database Tables

The CPM Server has a database encryption option that provides greater security for sensitive information contained in your transaction database. With CPM database encryption, credit card numbers stored in the database are encrypted so that no one inside or outside of your organization can decrypt them. If you want to be PCI compliant, you must use database encryption (see the CPM PCI Compliance Guide for more information about PCI).

Important Database encryption must be run on the same server that CPM is running on.


How Database Encryption Works

When you enable database encryption, the CPM transaction API returns a masked credit card number field. If you attempt to use the CPM sequence number to perform field completion for a transaction, the CPM Server updates the account number field with the account number from the database and then masks it out upon completion.

When passing credit card numbers to the database, the CPM Server encrypts these numbers within the SQL statements passed to the database.

Components Required for Database Encryption

These are the components required for database encryption:

• CPM license key with database encryption enabled

• Database encryption key

• cpm.cfg file set with the latest database encryption key serial number

• CPM Server(s) with database encryption enabled

CPM license key with database encryption enabled. If you included the CPM database encryption option with your CPM software purchase, you will receive a CPM license key with encryption enabled. The software license key works in conjunction with a database encryption key file to establish database encryption between the CPM Server and the CPM database.

Database encryption key. Starting with CPM 6.0, you now generate your own database encryption key instead of obtaining it from CyberSource. The key file is named with the key’s serial number, for example, 2D7C79FC.key.

CPM 6.0 comes with a tool for creating and managing your database encryption keys (see Generating a Database Encryption Key File on page 34). You must place a copy of your encryption key file in the Server directory on each of your CPM Servers and limit access to the key file.

Store a copy of the key file on a secure storage device as a backup. If at any time you feel that your database encryption key has been compromised, immediately replace it. See Replacing a Compromised Key on page 38.

cpm.cfg file set with the latest database encryption key serial number. On each CPM Server that you are using, you must ensure that the DBEncryptKeySN parameter in the cpm.cfg file is set with the serial number of the newest database encryption key. When you run the Database Utility’s encrypt function, it automatically updates the cpm.cfg file with the serial number on the particular CPM Server where you are running the Database Utility. You may also manually update the file. For example, if the key file is 2D7C79FC.key, you would edit cpm.cfg so that DBEncryptKeySN=2D7C79FC. When you replace a key, you must update the cpm.cfg on each CPM Server with the new key’s serial number.

CPM Server(s) with database encryption enabled. You must enable database encryption on each CPM Server that you are using. You do this in the Administration Client, in the properties for the CPM Server, on the Database tab.

Split-Knowledge Keys

The database encryption key generation tool that comes with CPM 6.x uses a split-knowledge technique that ensures that the key is under the control of two or more people. During key generation, two different people are required to provide passphrases separately. The key is generated based on those passphrases and can be reconstructed if needed with the passphrases. Each person must memorize his or her own passphrase and not tell anyone the phrase at any time.

You need two key custodians to provide passphrases. You also need to create a system whereby those two passphrases can be securely stored and retrieved in the event the key needs to be reconstructed and both key custodians are not available.


Key Management Best Practices

Follow these best practices for managing your database encryption keys:

• Have all key custodians sign an agreement acknowledging their responsibilities as key custodians (see Appendix A, Example Key Custodian Agreement Form, on page 44 for an example agreement).

• Keep a secure backup copy of your passphrases and/or the key file(s) outside the CPM Server.

• Make sure to set the permissions for the key file(s) so that access is limited.

• When a database encryption key is no longer needed, delete it. See Replacing the Key for General Security Purposes on page 38 for information about replacing a key and determining when the old key is no longer needed.

Ensuring Passphrase Strength

This section lists several best practices for creating strong passphrases. Passphrases are used to create the database encryption key.

• Passphrases should be difficult to guess. This means they should not be related to the user’s personal life or job (for example, a car license plate number, a spouse’s name, a pet’s name, a Social Security number, a family member’s birthday, or fragments of an address). Also, proper names, places, technical terms, or slang should not be used.

• To help make the passphrase easy to remember, use one of these suggestions:

– Shift a word up, down, left, or right one row on the keyboard

– Move characters in a word a certain number of letters up or down in the alphabet

– Combine punctuation and numbers with a regular word

– Create acronyms from words in a song, poem, or other sequence of words

– Deliberately misspell a word (but do not use a common misspelling)

– Combine a number of facts like favorite colors and foods


Setting Up Database Encryption

The specific instructions for setting up database encryption vary depending on whether you are a new CPM user or an existing user:

• If you are a new CPM user, see New CPM Users: Preparing the CPM Server to Use Encryption on page 35.

• If you are an existing CPM customer and have just purchased the database encryption option, see Existing CPM Users: Encrypting Existing Database Tables on page 36.

Generating a Database Encryption Key File

Starting with CPM 6.0, you must generate your own database encryption key file by using the procedure below:

1 On the Windows system where the CPM Administration Client is installed, go to the Server directory and double-click DBKeyGenerator.exe.

The menu is displayed.

2 Click Generate New Key.


3 When prompted for the first passphrase, have the first person enter the first passphrase.

4 When prompted for the second passphrase, have the second person enter the second passphrase.

The tool creates the key and displays the 8-character serial number (686F7573 in this example).

5 Write down the serial number, which you will need later.

6 Select the check box for Write to File and click OK.

The file is written as <serial number>.key to the Server directory of the Windows-based system.

7 Copy the key file from the Windows-based system to the server directory on each CPM Server, and change the file permissions so that access to the file is limited.

8 Delete the key file from the Windows-based system.

You have generated your database encryption key file.

New CPM Users: Preparing the CPM Server to Use Encryption

Use this procedure if you are a new CPM user who has not processed any transactions yet.


To set up encryption:

1 Generate your database encryption key (see Generating a Database Encryption Key File on page 34).

2 On each CPM Server, if the CPM daemon is running, kill the CPM daemon.

Note You must kill the CPM daemon before encrypting the database.

3 On each CPM Server, update the cpm.cfg file with the encryption key serial number:

a Locate the cpm.cfg file (typically it is in the default installation directory /opt/cybersource/payment_manager/server).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the encryption key’s serial number.

c Save and close the file.

4 On each CPM Server, restart the CPM service.

5 Open the Administration Client and connect to the CPM Server(s).

6 In the properties for each CPM Server, on the Database tab, select the check box for Database Encryption Enabled and click OK (note that this will already be done if you are a new CPM user who has just installed CPM 6.x).

You have prepared each CPM Server to use encryption.
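A check you can run after the steps above, as an added example that is not part of the CyberSource guide: it confirms that cpm.cfg names a serial number, that the matching <serial number>.key file is in the same server directory, that the key file is accessible only to its owner, and that copies of cpm.cfg from several CPM Servers agree. The function names, return codes and the constructed sample directory are assumptions of this example; the DBEncryptKeySN=<serial> line format follows the guide's own example.

```shell
#!/bin/sh
# Added example (not CyberSource code): check a CPM server directory after key setup.
# Assumes cpm.cfg holds a line of the form DBEncryptKeySN=<serial>, as shown in the guide.

# Print the DBEncryptKeySN value from a cpm.cfg file (this example takes the last assignment).
cfg_key_sn() {
    sed -n 's/^[[:space:]]*DBEncryptKeySN[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Succeed only when group and others have no permission bits on the file.
# Characters 5-10 of the ls mode string are the group and other permissions.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_key_setup <server_dir>
# 0 ok, 1 cpm.cfg missing, 2 DBEncryptKeySN not set, 3 serial is not 8 characters,
# 4 <serial>.key not in the server directory, 5 key file accessible beyond its owner.
check_key_setup() {
    dir=$1
    [ -f "$dir/cpm.cfg" ] || return 1
    sn=$(cfg_key_sn "$dir/cpm.cfg")
    [ -n "$sn" ] || return 2
    [ "${#sn}" -eq 8 ] || return 3
    [ -f "$dir/$sn.key" ] || return 4
    owner_only "$dir/$sn.key" || return 5
    return 0
}

# same_sn_everywhere <cpm.cfg> [<cpm.cfg> ...]
# Succeed when every cpm.cfg given (one copy per CPM Server) names the same serial.
same_sn_everywhere() {
    first=$(cfg_key_sn "$1")
    for cfg in "$@"; do
        if [ "$(cfg_key_sn "$cfg")" != "$first" ]; then
            echo "serial differs in $cfg" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: fill a throwaway directory with a cpm.cfg and a key file
# that has been left readable by group and others (check_key_setup returns 5 for it).
make_sample_dir() {
    printf 'DBEncryptKeySN=2D7C79FC\n' > "$1/cpm.cfg"
    : > "$1/2D7C79FC.key"
    chmod 644 "$1/2D7C79FC.key"
}
```
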

Existing CPM Users: Encrypting Existing Database Tables

If you are an existing CPM user and you are adding the encryption option, we suggest you add the encryption option during a period when your transaction requests are lowest, because you must temporarily stop accepting transactions during the encryption process.

Prerequisite: Obtain your new CPM license key from CyberSource with database encryption enabled.

To set up encryption:

1 Replace your current CPM license key with the new license key. See the topic entitled “Change a License Key” in the Administration Client online help for instructions.

Note Do not restart the CPM Server after replacing the current license key.


2 Generate your database encryption key (see Generating a Database Encryption Key File on page 34).

3 On each CPM Server, if the CPM daemon is running, kill the CPM daemon.

Note You must kill the CPM daemon before encrypting the database.

4 On the CPM Server (or on just one of them if you have multiple CPM Servers), go to the server directory and run the Database Utility’s encryption feature by using the command below. This encrypts your existing database and updates the cpm.cfg file on that CPM Server with the database encryption key’s serial number.

cpm_dbutil -encrypt <encryption key serial number> -usr <username> -pwd <password> -db <datasourcename>

Important You must run the Database Utility on the same physical machine that the CPM Server is running on.

5 If you are running multiple CPM Servers, update the cpm.cfg file on each of the other CPM Servers with the encryption key serial number:

a Locate the cpm.cfg file (in the server directory).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the encryption key’s serial number.

c Save and close the file.

6 On each CPM Server, restart the CPM service.

7 Open the Administration Client and connect to the CPM Server(s).

8 In the properties for each CPM Server, on the Database tab, select the check box for Database Encryption Enabled and click OK.

You have encrypted the database and prepared each CPM Server to use encryption.

Replacing Your Encryption Key

There are two reasons why you need to replace your encryption key:

• For general security purposes, replace your key every two to four years.

• If at any time you feel your key has been compromised, replace it immediately.


Replacing the Key for General Security Purposes

Every two to four years, replace your key by using this procedure:

1 Generate your new database encryption key file (see Generating a Database Encryption Key File on page 34).

2 On each CPM Server, if the CPM daemon is running, kill the CPM daemon.

3 On each CPM Server, update the cpm.cfg file with the new key serial number:

a Locate the cpm.cfg file (in the server directory).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the new key’s serial number instead of the old key’s serial number.

c Save and close the file.

4 On each CPM Server, restart the CPM service.

You have replaced the encryption key file. CPM will now use the new key to encrypt data for all future transactions. Note that you do not need to re-encrypt the database with the new key. Instead, all of your existing transactions that used the previous key will remain encrypted as is. If you perform any follow-up transactions that reference those old transactions (such as returns), CPM uses the old encryption key to decrypt the data as needed.

Do not delete the old encryption key until it is no longer needed for any follow-on transactions. As you purge old transactions from your database, the transactions that used the old key will eventually be removed. To see if there are still transactions in the database that use the old key, look at the first 8 characters of the ACCOUNT_EXTENSION field in the CC_TRANSACTION table in the CPM database. Those 8 characters are the serial number for the key that was used to encrypt the transaction’s data.
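The check described above, as an added example that is not part of the CyberSource guide: it counts stored transactions per key serial number from the first 8 characters of ACCOUNT_EXTENSION and lists the key files in the server directory that no transaction references any more. It assumes you have written the ACCOUNT_EXTENSION column of CC_TRANSACTION to a text file, one value per line, with your database's own query tool; the function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not CyberSource code): which key serials do stored transactions still use?
# Input: a text file with one ACCOUNT_EXTENSION value per line (an assumption of this example).

# Print "<serial> <row count>" per serial, using the first 8 characters of each value.
# Values shorter than 8 characters (for example empty ones) are ignored.
key_usage() {
    awk 'length($0) >= 8 { n[substr($0, 1, 8)]++ }
         END { for (sn in n) print sn, n[sn] }' "$1" | sort
}

# key_in_use <serial> <listing>
# Succeed when at least one listed row was encrypted with the given serial.
key_in_use() {
    awk -v sn="$1" 'substr($0, 1, 8) == sn { found = 1; exit }
                    END { exit !found }' "$2"
}

# retired_keys <server_dir> <current_serial> <listing>
# Print key files that are neither the current key (DBEncryptKeySN) nor referenced
# by any listed row. File names and stored serials are compared exactly, case included.
retired_keys() {
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        sn=$(basename "$f" .key)
        if [ "$sn" != "$2" ] && ! key_in_use "$sn" "$3"; then
            echo "$f"
        fi
    done
    return 0
}

# Constructed sample listing: the serials are the two shown in the guide,
# the characters after them are filler, not real ciphertext.
write_sample_listing() {
    cat > "$1" <<'EOF'
2D7C79FCxxxxxxxxxxxxxxxx
2D7C79FCxxxxxxxxxxxxxxxx
686F7573xxxxxxxxxxxxxxxx
2D7C79FCxxxxxxxxxxxxxxxx
EOF
}
```

Review the output of retired_keys before deleting anything, and regenerate the listing after each purge so that it reflects the current contents of the table.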

Replacing a Compromised Key

If at any time you feel your key has been compromised, immediately replace it by using this procedure:

1 Generate your new database encryption key file (see Generating a Database Encryption Key File on page 34).

2 On each CPM Server, if the CPM daemon is running, kill the CPM daemon.

Note You must kill the CPM daemon before encrypting the database.

3 On the CPM Server (or on just one of them if you have multiple CPM Servers), go to the server directory and run the Database Utility’s encryption feature by using the command below. This re-encrypts the database with the new key and updates the cpm.cfg file on that CPM Server with the new serial number.

cpm_dbutil -encrypt <new encryption key serial number> -usr <username> -pwd <password> -db <datasourcename>

4 On each CPM Server, update the cpm.cfg file with the new encryption key serial number:

a Locate the cpm.cfg file (in the server directory).

b With a text editor, update the file so that the DBEncryptKeySN field is set to the new key’s serial number instead of the old key’s serial number.

c Save and close the file.

5 On each CPM Server, restart the CPM service.

6 Delete the old key.

You have replaced the encryption key file.

Exporting CPM Transaction Data

The CPM Database Utility allows you to generate flat files for export from the CPM database into another directory for storage or transaction reporting. Exported database files that are saved to another location can then be purged as part of a regular database maintenance program.

If you want to use the export option to store CPM transaction data outside the CPM database, establish a file naming scheme to track which files include which information.

1 Log in as administrator to the server hosting the CPM Server.

2 At the command line, type:

cpm_dbutil -export <file> -usr <username> -pwd <password> -db <datasourcename> [-start <YYYY-MM-DD:HH:MM:SS>] [-end <YYYY-MM-DD:HH:MM:SS>] [-purge]

The -start argument indicates the oldest date and time of a transaction to export. If a start date is not provided, the CPM Database Utility exports transactions beginning with the oldest transaction date.

The -end argument indicates the newest date and time of a transaction to export. If an end date is not provided, the CPM Database Utility exports transactions up to the most recent transaction date.

Appending -purge to the command purges transactions that were exported to the flat file from the database.


Importing CPM Transaction Data

Use the following procedures to import transaction flat files that have been exported from a CPM database.

Note You can only import transaction flat files from the same version of the database.

1 Log in as administrator to the server hosting the CPM Server.

2 At the command line, type:

cpm_dbutil -import <file> -usr <username> -pwd <password> -db <datasourcename>

Purging Information From a CPM Database

Back up the CPM database prior to doing a purge. To ensure that transaction information is available for reporting, create a reporting schedule based on both the storage capacity of your database system and the number of transactions your business does.

Use the CPM Reports application or some other reporting utility frequently to monitor the contents of your transaction database. Purge the database of old records before your database reaches full capacity.

Note Records purged from the database before report generation are deleted and do not show up on the report.

1 Log in as administrator to the server hosting the CPM Server.

2 At the command line, type:

cpm_dbutil -purge -usr <username> -pwd <password> -db <datasourcename> [-start <YYYY-MM-DD:HH:MM:SS>] [-end <YYYY-MM-DD:HH:MM:SS>]

The -start argument indicates the oldest date and time of a transaction to purge. If a start date is not provided, the CPM Database Utility purges transactions beginning with the oldest transaction date.

The -end argument indicates the newest date and time of a transaction to purge. If an end date is not provided, the CPM Database Utility purges transactions up to the most recent transaction date.


Updating Database Tables

If you upgraded your CPM system to a new version but did not choose the option of updating your CPM Database, use the following command to update the tables to the new version. We recommend that you perform a backup of the CPM database prior to updating the tables.

cpm_dbutil -update -usr <username> -pwd <password> -db <datasourcename>

Saving Merchant/Agreement Settings

This option saves the CPM Configuration settings (including gateway settings, agreement settings, merchant settings, and security settings). Use the export option to back up transaction data.

1 Log in as administrator to the server hosting the CPM server.

2 At the command line, type:

cpm_dbutil -save <file> -usr <username> -pwd <password> -db <datasourcename>

Loading Merchant/Agreement Settings

Note You must stop the CPM Server and disconnect it from the database before loading the CPM Configuration settings.

This option loads the CPM Configuration settings (including gateway settings, agreement settings, merchant settings, and security settings). Use the import option to restore transaction data.

The database tables that store the CPM Configuration settings MUST be empty before loading the CPM Configuration settings. These tables include the following items:

• AGREEMENT

• AGREEMENT_VALUES

• GATEWAY

• GATEWAY_VALUES

• MERCHANT_AGREEMENT

• MERCHANT

• MERCHANT_VALUES

• SEC_ALLOWED_MERCH

• SEC_ALLOWED_TX

• SEC_GROUP_MAP

• SEC_GROUPS

• SEC_USER

To restore the CPM Configuration settings, follow these steps:

1 Stop the CPM Server.

2 Disconnect the CPM Server from the database. Refer to the Administration Client’s online help for more information.

3 Log in as administrator to the server hosting the CPM Server.

4 At the command line, type:

cpm_dbutil -load <file> [-overwrite] -usr <username> -pwd <password> -db <datasource>

If the load is not successful, check the following:

• Ensure that the database is properly set up in the DSN tab of the Unix ODBC Data Sources control panel.

• Ensure that you are using the correct ODBC driver for your database application.

• Check that the network connection is in place and that network traffic is not interfering with connectivity between the Unix server running CPM and the computer hosting your database.

Database Utility Log

CPM 6.x includes a log that records use of the Database Utility. The log is called DBUtilityActivity.log and is stored in the server/log directory of the CPM installation directory.

The log records use of any of the Database Utility’s functions (create tables, encrypt, export, purge, and so on).

For each action, the log includes:

• Date and time stamp

• Location where the Database Utility is being run

• Database username

• Type of event (examples: Create CPM Tables, Encrypt Data, Export Data)

• Success or failure indicator, if applicable

This is an excerpt of an example log:


Appendix A

Example Key Custodian Agreement Form

This appendix contains an example key custodian agreement form that you can use for the custodians of your database encryption key.

Key Custodian Agreement

All <insert company name> staff that hold responsible authorized positions where they manage or handle encryption keys must sign the following document.

As a condition of continued employment with <insert company name>, as an employee that has access to key management tools and equipment, you are obligated to sign this document to indicate acceptance of your responsibility.

The signatory of this document is in full employment with <insert company name> on the date shown below and has been afforded access to key management devices, software and equipment, and hereby agrees that he or she:

• Has read and understood the policies and procedures associated with key management and agrees to comply with them to the best of his/her ability; has been trained in security awareness, and has had the ability to raise questions and has had those questions answered satisfactorily.

• Understands that non-compliance with the key management procedures can lead to disciplinary action including termination and prosecution.

Exceptions to compliance only occur where such compliance would violate local, state or federal law or where a senior officer of the company or law enforcement officer has given prior authorization.

• Agrees never to divulge to any third party any key management or related security systems, passwords, processes, security hardware or secrets associated with the <insert company name> systems, unless authorized by an officer of <insert company name> or required to do so by law enforcement officers.

• Agrees to report promptly and in full to the correct personnel any suspicious activity including but not limited to key compromise or suspected key compromise. Suspicious activity can include signs of unauthorized equipment usage during evenings and weekends, phone requests from unidentifiable callers for access to secure information, unidentifiable files found on file servers, and unusual activity recorded in log files.

I agree to the above and understand that this original copy will be held on my personnel record and kept by the company indefinitely.

Signed: _____________________________ Witnessed: ___________________________

Print Name: __________________________ Print Name: __________________________

Date: ______________
