SECURITY UPGRADES AFFECTING ALL ACCOUNTS: EFFECTIVE September 18, 2010 (Changed from August 23, 2010)
On September 18, 2010 (Changed from August 23, 2010), Appointment-Plus will be making security upgrades that will affect all Appointment-Plus accounts. These changes will affect two primary areas of the system: (1) passwords, and (2) payment processing. The security changes are being made to further strengthen the security of your account data and to meet the payment processing requirements mandated by the Payment Card Industry (PCI).
You will need to take action if any of the following apply to your account:
- You process credit cards in Appointment-Plus
- You prompt end-users/customers for credit cards
- You store credit card data in Appointment-Plus
If you do not process payments, no action is required by you but password changes will affect your account as detailed below.
PASSWORD CHANGES: FAQs
Q: Why are these changes being made?
A: Data security standards and risks are constantly changing for internet-based software systems. To keep pace with these risks, internet software providers are periodically required to implement additional safeguards. The current changes will provide your account and data with state-of-the-art password protection. In addition, clients with additional safeguard requirements, such as HIPAA or payment processing, can continue to meet their obligations.
Q: What changes are being made to the password process?
A: Password-related changes will include:
- Hiding staff and customer passwords in AP accounts (currently optional)
- Enforcing strong passwords, including forced change to strong password (currently optional)
- New password retrieval system
Q: Do the password changes apply to staff and end-users/customers?
A: Yes. The password changes apply to any password in the system.
Q: Will all existing passwords need to be changed?
A: Yes, if they do not meet the requirements below. All staff and customer passwords must be "strong" passwords. The rules for strong passwords are:
1. At least 8 characters, but not longer than 20 characters
2. At least one upper case letter
3. At least one lower case letter
4. At least one number
5. Cannot contain your name
6. Cannot be the same as your user name or contain your user name
7. Cannot be a rearrangement of the letters in your username
8. Must be a unique password each time you reset it. Password cannot be one you have already used.
A new link with these strong password rules will appear wherever staff and customer password creation appears.
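The eight rules above, implemented as a validator (an added example, not Appointment-Plus code). It assumes the account record supplies the user name, the display name, and a history of salted PBKDF2 hashes of earlier passwords; "contains your name" is read as any space-separated part of the display name, case-insensitively.

```python
import hashlib
import secrets

MIN_LEN, MAX_LEN = 8, 20  # rule 1


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 digest. Password history stores only these pairs,
    never the plaintext, so an old password can be recognised but not read."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_strong_password(password: str, username: str, full_name: str,
                          history: list[tuple[bytes, bytes]]) -> list[int]:
    """Return the numbers of the rules the candidate password violates
    (an empty list means it is accepted). History is a list of (salt, digest)."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(1)
    if not any(c.isupper() for c in password):
        violations.append(2)
    if not any(c.islower() for c in password):
        violations.append(3)
    if not any(c.isdigit() for c in password):
        violations.append(4)
    pw, user = password.lower(), username.lower()
    # Rule 5 (assumed reading): no part of the display name may appear.
    if any(part and part in pw for part in full_name.lower().split()):
        violations.append(5)
    # Rule 6: equal to, or containing, the user name.
    if user and user in pw:
        violations.append(6)
    # Rule 7: same letters as the user name in a different order.
    if sorted(pw) == sorted(user):
        violations.append(7)
    # Rule 8: re-derive with each stored salt; constant-time compare.
    for salt, digest in history:
        if secrets.compare_digest(hash_password(password, salt)[1], digest):
            violations.append(8)
            break
    return violations
```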
Q: Do I have to manually change any passwords or let customers know?
A: No. After September 18, 2010 (Changed from August 23, 2010), the system will automatically prompt staff and customers to update their passwords if they do not already meet the new "strong" password rules.
Q: What if one of my staff forgets their password?
A: There will be an "I forgot my password" link on the login page that will allow them to change their password. They will no longer be able to retrieve an existing password.
Q: What if one of my customers forgets their password?
A: There will be an "I forgot my password" link on the login page that will allow them to change their password. Customers will no longer be able to retrieve an existing password.
Q: We have a standard format for our passwords. What if it is not a "strong" password format?
A: The system will no longer accept passwords that do not pass the "strong" password criteria. For existing users (both staff and customers) without "strong" passwords, the system will automatically prompt them to change their password upon login after September 18, 2010 (Changed from August 23, 2010).
Q: Will these changes apply to user names/logins also?
A: No, these requirements only apply to passwords.
Q: Will I be able to create/reset passwords for my staff?
A: If you are designated as a Headquarters or Location Administrator, you will be able to create and reset passwords for your staff. However, once a password is created, it is no longer visible to anyone through the system.
Q: What if I need to log in as if I was a particular end-user/customer to troubleshoot?
A: You will have three options: (1) your customer will need to provide you the password to allow you to access, (2) you will have to reset their password to access, or (3) you will need to contact our support group. You will not have access to end-user/customer passwords.
Q: If I forget my account password, can I call into Support or open a support ticket to retrieve it?
A: Appointment-Plus Support staff will not have access to client passwords. You would use the "I forgot my password" link on the login page to reset your password. Therefore, please be sure that your staff user emails are up to date.
PAYMENT PROCESSING (CREDIT CARDS): FAQs
Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies that process (capture), store or transmit credit card information maintain a secure environment. PCI is a broad term that focuses on improving credit card data security throughout the transaction process. PCI is also a more generally used term for the related oversight organization that is run by Visa, MasterCard, Amex and Discover.
Q: Are you PCI compliant?
A: As of September 18, 2010 (Changed from August 23, 2010), the entire Appointment-Plus system will be PCI-exempt. PCI-exempt requires an even higher level of credit card security. To be PCI-exempt, you cannot capture, transmit or store credit card information. Fortunately, the technology exists to continue to allow Appointment-Plus to offer payment processing while meeting these requirements.
Q: Can I still process credit card transactions through Appointment-Plus?
A: Yes, but you may need to change your credit card gateway. Note that you will not have direct access to credit card numbers.
See table below (if you do not know which of these applies to your account, click here (enable audio) for a video demonstrating where you can find out):
| If you use | What you have to do |
| --- | --- |
| Credit Card Capture Only | This applies to users who enable the credit card fields without a credit card gateway (do not prompt). You will be required to make changes because the credit card capture process will be changing. Click here for complete details on how to update your credit card capture only process. |
| Prompt but don't Process | You will be required to make changes, no matter which gateway you are using. Click here for complete details on how to update your prompt but don't process settings. |
| MerchantWare | You do not need to switch, however, if you store credit card data and you wish to process payments with them in the future, please contact us at security@stormsource.com for more information. |
| Authorize.Net | You may continue to use Authorize.net, but you will be required to enter a customer's credit card number for every transaction. If this is not an issue, you may remain with Authorize.net. If this is going to cause a problem in your business, you will need to switch to MerchantWare. Click here for specific information related to Authorize.net. |
| LinkPoint | You will be required to switch to another provider as we will no longer be supporting Linkpoint. For information on our preferred provider, MerchantWare, please click here. |
| Concord | You will be required to switch to another provider as we will no longer be supporting Concord. For information on our preferred provider, MerchantWare, please click here. |
| PayPal | You do not need to switch. PayPal already requires credit card information to be entered outside of Appointment-Plus. |
| PayFlow Pro | PayFlow Pro users will have to switch to another provider. For information on our preferred provider, MerchantWare, please click here. |
| PayPal Website Payments Pro | PayPal Website Payments Pro users will have to switch to another provider. For information on our preferred provider, MerchantWare, please click here. |
| eSelect (Canada) | You may continue to use eSelect, but you will be required to enter a customer's credit card number for every transaction. Click here for specific information related to eSelect. |
| eWay (Australia) | You may continue to use eWay, but you will be required to enter a customer's credit card number for every transaction. Click here for specific information related to eWay. |
For US-based clients who need to change gateways, we are suggesting MerchantWare because MerchantWare is currently the only provider that offers the necessary functionality to maintain a PCI-exempt environment. Click here to get more information on MerchantWare.
Q: If I currently use "prompt but don't process" to have my customers enter a credit card number to hold an appointment, what are my options?
A: You will be required to make changes, no matter which gateway you are using. Click here (enable audio) for complete details on how to update your prompt but don't process settings.
Q: What happens to all of the credit card information I currently have on file for customers?
A: You will no longer have access to any customer credit card information after September 18, 2010. We have several options available for clients facing this issue. Please contact us at security@stormsource.com for more information.
Q: Will I be able to see the last four digits of the credit card numbers for my customers?
A: If you are using MerchantWare as your gateway, you will be able to see the last four digits of your customers' credit card numbers. If you are not using MerchantWare, you will not be able to see this information.
Q: We currently copy the customer credit card number from Appointment-Plus and run it through our credit card terminal. Can we still do this?
A: No. You won't have access to the customer credit card numbers. An option is to use our "prompt but don't process" feature (discussed above) and then process credit card transactions directly through the Appointment-Plus POS module. For information on how the POS module works, click here (enable audio).