
Monetra 8.11.0 Available - Security Fixes Included

Posted by SpeedLine Support on Oct 3, 2019 1:02:21 PM

Monetra 8.11.0 has been released and is available for immediate upgrade.

This update contains fixes for security vulnerabilities. Customers should upgrade within 30 days.

  • PCI Requirement 6.2 states: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Release notes from Monetra are below.

Monetra 8.11.0 released

September 23, 2019

Effective 09/23/2019

Monetra 8.11.0 has been released to the public and is a feature enhancement/maintenance release.

This release is highly recommended for all users of Monetra and should be considered the most modern and stable release available.

Changelog

Database Schema: v4.10 (compatible with v4.0)

Security:

Features:

  • A RESTful API has been added with documentation generated via the OpenAPI v3 standard. Please see https://developers.monetra.com/ for this new specification and documentation. The specification layers naturally on our current key/value-pair specification, so those familiar with our existing specifications will find it easy to understand.
  • Account Updater is now supported for cards stored in the DSS subsystem using the Tsys EnsureBill platform. Account Updater allows merchants to retrieve updated card numbers and expiration dates for customer accounts (whether due to a card being lost or stolen, or simply a new card being issued). Currently only Tsys is supported for Account Updater, and it requires a special setup from Tsys and a sponsoring bank for approval during the account setup with Tsys.
  • Push Notifications/WebHook support. It is possible to configure an endpoint to send notifications via HTTPS-JSON for the occurrence of merchant-level events. There are a series of flags that can be configured to determine which events will trigger a notification. Different merchants can be assigned to different endpoints.
  • Customer Database support. It is now possible to add customer and company details to the Monetra database including multiple addresses per listing and assigning multiple DSS tokens to a single customer. The customer database honors token groups for sharing of customers between accounts.
  • TLSv1.3 is now supported. This feature is disabled by default for inbound connections due to compatibility issues with UniTerm and other previously provided applications that predate this release. Outbound connections support both TLSv1.2 and TLSv1.3 by default. Once UniTerm is upgraded to v9.5 or later, or if UniTerm is not in use, this feature can be safely enabled via the ssl_server_protocols=tlsv1.2+ setting in main.conf. The current default is coded as tlsv1.2 only. In approximately 1 year we intend to change this default to ensure our customers are able to take advantage of the security features and performance improvements in TLSv1.3.
  • AES-GCM mode is now supported for database encryption as a stronger mode of operation than the default AES-CBC. However, this change can only be made on a new database and cannot be made to an existing database without a full export/import operation.
  • The monetra_setdebug utility allows for tracing specific users to memory rather than the entire system, to assist with debugging large production environments.

Certification:

  • NCR Payment Services (NCRPS fka JetPay) is now certified across all industries for MSR and key entry modes of operation. EMV certifications are underway and expected for the next release.

Integration Changes:

  • Token Groups now have an edit capability via recurringtokengroup=edit.
  • Account Updater integration changes.
    • On an adduser or edituser request, a new merch_flags flag of ACCOUNT_UPDATER has been added in order to mark the merchant's tokens as being eligible for account updater. This flag cannot be used if the merchant is part of a token group.
    • On an action=recurringtokengroup recurringtokengroup=create or recurringtokengroup=edit command, a new flags parameter can be specified as a pipe-delimited list. A flag of ACCOUNT_UPDATER can be used in order to mark the group's tokens as being eligible for account updater.
    • The action=liststats MADMIN request can now take an argument of liststats=accountupdater to retrieve per user/group update counts. The report can optionally take user or token_group parameters to restrict the output.
    • The CRON subsystem has added new cron_task actions for account updater:
      • cron_task=ACCOUNT_UPDATER schedules when to run the account updater request. Recommended to run once per day.
      • cron_task=PURGE_ACCOUNT_UPDATER purges history of account updates and cron_data takes the number of days to keep. Recommended value is 120.
  • Customer Database new functions:
    • During a normal recurringadd or recurringedit request, a customer_id may now be specified to link a token to a specific customer.
    • During a normal recurringlist request, customer_id and customer_display_name columns will now be present in the result.
    • action=admin,admin=recurringadd,recurringadd=customer
      • Adds a customer to the database with these possible fields:
      • display_name - Required. Name of customer
      • flags - Optional. Pipe separated list of flags:
        • TAXEXEMPT
      • name_company - Optional. Company Name.
      • name_prefix - Optional. Name prefix, e.g. Mr, Mrs, Ms, Dr
      • name_first - Optional. First Name.
      • name_middle - Optional. Middle Name.
      • name_last - Optional. Last Name.
      • name_suffix - Optional. Name suffix, e.g. Jr, Sr, III
      • phone_work - Optional. Work Phone
      • phone_home - Optional. Home Phone
      • phone_mobile - Optional. Mobile Phone
      • phone_fax - Optional. Fax.
      • email - Optional. Email address
      • website - Optional. Website URL
      • business_id - Optional. Business ID, e.g. FEIN
      • notes - Optional. Merchant-defined notes.
      • Plus any token group custom_customer_fields or merchant merch_customer_fields.
      • Returns an assigned customer id as id
    • action=admin,admin=recurringadd,recurringadd=customeraddress
      • Adds a customer address to a customer record with these possible fields:
      • customer_id - Required. Customer id address is to be associated with.
      • display_name - Optional. Display Name of Address
      • address1 - Required. Address
      • address2 - Optional. Address line 2
      • city - Optional. City or Province
      • state - Optional. State
      • country - Optional. Country ISO text code.
      • postal_code - Optional. Postal or Zip code.
      • delivery_notes - Optional. Delivery Notes.
      • Returns an assigned customer address id as id
    • action=admin,admin=recurringedit,recurringedit=customer
      • Edits a customer in the database, can use any of the recurringadd=customer fields, plus these:
      • id - Required. id returned from recurringadd=customer
      • default_billing_id - Optional. Address id record to set as default for billing purposes.
      • default_shipping_id - Optional. Address id record to set as default for shipping purposes.
      • default_token - Optional. token on record for customer to use as the default payment method.
    • action=admin,admin=recurringedit,recurringedit=customeraddress
      • Edits a customer address in the database, can use any of the recurringadd=customeraddress fields, with these modifications:
      • id - Required. id returned from recurringadd=customeraddress
      • customer_id - Should not be specified. If it is, it must not change.
    • action=admin,admin=recurringlist,recurringlist=customer
      • Lists customers, may specify an id if the id of the customer is already known.
      • Returns report with all the possible parameters specified during add and edit, plus columns for the default billing and shipping addresses prefixed with billing_ and shipping_, respectively.
    • action=admin,admin=recurringlist,recurringlist=customeraddress
      • Lists customer addresses, must specify either an id for the customer address or customer_id to get all addresses for a customer.
      • Returns report with all the possible parameters specified during add and edit.
    • action=admin,admin=recurringdel,recurringdel=customer
      • Deletes the referenced customer. Must specify the customer id as id
    • action=admin,admin=recurringdel,recurringdel=customeraddress
      • Deletes the referenced customer address. Must specify the customer address id as id
  • Push Notifications/WebHooks.
    • During adduser and edituser, may now specify merch_pushnotification_id to register a merchant to send notifications to a registered endpoint.
    • MADMIN action=pushnotification,pushnotification=add
      • Adds a new push notification endpoint with the following parameters:
      • url - Required. Url of the Endpoint with https:// prefix.
      • display_name - Required. Human-readable display name.
      • eventflags - Required. Pipe-delimited list of flags:
        • Transaction Types:
        • AUTH - include normal auths (SALE, PREAUTH, FORCE, RETURN)
        • VERIFY - include verification requests (balanceinq, avsonly)
        • SETTLE - include batch settlement requests
        • EDIT - include edit requests (adjust, preauthcomplete, fieldedit)
        • VOID - include void/reversal
        • Modifiers:
        • DECLINED - include declined transactions
        • Cardtypes:
        • CREDIT - include credit card transactions
        • DEBIT - include debit card transactions
        • GIFT - include private label gift transactions
        • ACH - include ACH transactions
        • EBT - include EBT transactions
      • authtype - NONE or BASIC
      • authname - currently unused, future use for header name
      • authdata - for BASIC, must be the base64-encoded user:password
      • Returns id of the push notification
    • MADMIN action=pushnotification,pushnotification=edit
      • Edits an existing push notification. Can use any of the add parameters but must also include id to indicate which notification is being modified.
    • MADMIN action=pushnotification,pushnotification=del
      • Deletes a push notification. Must specify the id to delete.
    • MADMIN action=pushnotification,pushnotification=list
      • List the push notification endpoints, may specify id if known. Will NOT return authdata.
    • MADMIN action=pushnotification,pushnotification=listusers
      • Lists the users associated with endpoints. Will return a report with userendpoint_id, and endpoint_url. May specify id to list only users associated with a single endpoint.
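As an added illustration (not Monetra's own code), the checks a merchant can run on a pushnotification=add request before registering an endpoint, and the matching credential check on the receiving HTTPS endpoint. The endpoint URL and credentials are constructed sample values; the JSON body format is not specified in these notes and is not modelled.

```python
import base64
import hmac

# Event flags documented for pushnotification=add; grouping taken from the release notes.
TRANSACTION_FLAGS = {"AUTH", "VERIFY", "SETTLE", "EDIT", "VOID"}
MODIFIER_FLAGS = {"DECLINED"}
CARDTYPE_FLAGS = {"CREDIT", "DEBIT", "GIFT", "ACH", "EBT"}
ALL_FLAGS = TRANSACTION_FLAGS | MODIFIER_FLAGS | CARDTYPE_FLAGS


def parse_eventflags(eventflags):
    """Split the pipe-delimited eventflags value into a set of upper-case flags."""
    return {f.strip().upper() for f in eventflags.split("|") if f.strip()}


def validate_endpoint(url, display_name, eventflags, authtype="NONE", authdata=None):
    """Return a list of problems with a pushnotification=add request (empty if none)."""
    problems = []
    if not url.startswith("https://"):
        problems.append("url must use the https:// prefix")
    if not display_name:
        problems.append("display_name is required")
    flags = parse_eventflags(eventflags)
    unknown = sorted(flags - ALL_FLAGS)
    if unknown:
        problems.append("unknown eventflags: " + "|".join(unknown))
    if authtype not in ("NONE", "BASIC"):
        problems.append("authtype must be NONE or BASIC")
    elif authtype == "BASIC":
        # authdata must be the base64-encoded user:password (binascii.Error is a ValueError)
        try:
            decoded = base64.b64decode(authdata or "", validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        if ":" not in decoded:
            problems.append("authdata must be base64(user:password)")
    return problems


def make_authdata(user, password):
    """Build the authdata value the merchant registers for authtype=BASIC."""
    return base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def receiver_authorized(authorization_header, expected_authdata):
    """Receiving endpoint: accept only a matching Basic credential, compared in constant time."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    presented = authorization_header[len("Basic "):].strip()
    return hmac.compare_digest(presented.encode("utf-8"), expected_authdata.encode("utf-8"))
```

Because pushnotification=list never returns authdata, the receiving side must keep its own copy of the credential it expects; the constant-time comparison avoids leaking it through response timing.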

Fixes:

  • Prior versions always set the TLS Fallback SCSV (POODLE mitigation) flag on outbound connections, which causes issues with TLS v1.3 because its use is misinterpreted. This flag has been removed, so Monetra can now connect to remote TLS v1.3 servers. As of this date no processor has added TLS v1.3 support, but once they do, prior versions of Monetra will stop functioning against those servers.
  • SNMP no longer caches license data, so an updated license is reflected in what SNMP reports.
  • A preauth no longer accepts a 'capture' request, which caused the record to be malformed in the database and unable to be settled.

ThirdParty Library Updates:

  • SQLite updated to 3.29.0
  • OpenSSL updated to 1.1.1d

Monetra Administrator v8.11.0 released

September 23, 2019

Effective 09/23/2019

Monetra Administrator v8.11.0 has been released to the public and is considered a maintenance related release.

This release is strongly recommended for all users of Monetra and should be considered the most stable available.

Changelog

  • OpenSSL has been updated to 1.1.1d
  • TLSv1.3 is now supported. This feature is disabled by default for inbound connections due to compatibility issues with applications using SCSV. The current default is TLSv1.0-TLSv1.2. In approximately 1 year we intend to change this default to ensure our customers are able to take advantage of the security features and performance improvements in TLSv1.3.

Monetra Client v8.11.0 released

September 23, 2019

Effective 09/23/2019

Monetra Client v8.11.0 has been released to the public and is considered a feature and maintenance related release.

This release is strongly recommended for all users of Monetra and should be considered the most stable available.

Changelog

  • OpenSSL has been updated to 1.1.1d
  • TLSv1.3 is now supported. This feature is disabled by default for inbound connections due to compatibility issues with applications using SCSV. The current default is TLSv1.0-TLSv1.2. In approximately 1 year we intend to change this default to ensure our customers are able to take advantage of the security features and performance improvements in TLSv1.3.

Monetra Installer 1.1.2 released

September 23, 2019

Effective 09/23/2019

Monetra Installer v1.1.2 has been released to the public and is a maintenance release.

This release is strongly recommended for all users of Monetra and should be considered the most stable available.

Changelog

  • OpenSSL has been updated to 1.1.1d
  • TLSv1.3 is now supported. This feature is disabled by default for inbound connections due to compatibility issues with applications using SCSV. The current default is TLSv1.0-TLSv1.2. In approximately 1 year we intend to change this default to ensure our customers are able to take advantage of the security features and performance improvements in TLSv1.3.

Monetra Manager v8.11.0 released

September 23, 2019

Effective 09/23/2019

Monetra Manager v8.11.0 has been released to the public and is considered a maintenance release.

This release is strongly recommended for all users of Monetra and should be considered the most stable available.

Changelog

  • OpenSSL has been updated to 1.1.1d
  • TLSv1.3 is now supported. This feature is disabled by default for inbound connections due to compatibility issues with applications using SCSV. The current default is TLSv1.0-TLSv1.2. In approximately 1 year we intend to change this default to ensure our customers are able to take advantage of the security features and performance improvements in TLSv1.3.
