Aeon 4.1 PCI Security Release Notes


Important Update Information

Release Date: 20 May 2019

To keep up-to-date with the latest Payment Card Industry (PCI) security requirements, the 4.1 update features enhanced password security methods to include the following:

  • User & Staff Password Expiration
  • Staff Account Lock after Failed Login Attempts
  • Staff Unique Password Requirements
  • Encryption for Stored Passwords
  • And many more...

Considerations Before You Update

All patron and Staff users will be required to reset their password upon the first login after the 4.1 update even if the UserPasswordExpirationEnabled key is turned off.

This does not affect Patron users whose authType is set to Default on their user record and the WebAuthType customization key is either set to LDAP or RemoteAuth. This includes Shibboleth users.

For any questions on the Aeon 4.1 features & fixes, please see the Aeon 4.1 PCI Release FAQ. For all other questions, please contact support at support@atlas-sys.com.

Additional information on PCI security requirements and recommendations can be found at: https://www.pcisecuritystandards.org/.

Aeon 4.1 Features & Fixes 

Password Security | Administrative | Payment Gateway | System Manager | Bug Fixes

Password Security

New Passwords are no longer written to the web server logs, because sensitive information is now redacted before logging. If a user's session expires while they are changing their password and they attempt to log back in using the same formstate, they will need to re-enter their passwords to complete the change password process.
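The redaction described above, as an added illustration that is not Aeon's own code: a small filter that masks the value of password-type form fields in query strings, form bodies and log lines before they are written, plus a check a defender can run over an existing log to confirm nothing slipped through. The field-name list, the log format and the sample lines are constructed for this example.

```python
import re
from typing import List

# Constructed field-name list (an assumption for this example, not Aeon's own list):
# any name=value pair whose name matches one of these is masked before logging.
SENSITIVE_FIELDS = ("password", "newpassword", "confirmpassword", "currentpassword")

# Matches "<field>=<value>" inside query strings, form bodies or log lines.
# The name must match as a whole word followed by "=", so "PasswordHint=" is left
# alone; the value ends at the next '&', whitespace or quote.
_SENSITIVE_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_FIELDS) + r")=([^&\s\"']*)"
)


def redact(text: str) -> str:
    """Return text with the value of every sensitive field replaced by REDACTED."""
    return _SENSITIVE_RE.sub(lambda m: f"{m.group(1)}=REDACTED", text)


def has_unredacted_secret(text: str) -> bool:
    """True if text still carries a non-empty sensitive value that is not REDACTED.

    Useful for scanning a log file that existed before redaction was enabled.
    """
    return any(
        value and value != "REDACTED" for _, value in _SENSITIVE_RE.findall(text)
    )


def redact_log(lines: List[str]) -> List[str]:
    """Redact a batch of log lines, preserving order and leaving clean lines untouched."""
    return [redact(line) for line in lines]


# Constructed sample log lines (not real Aeon output). The second and third are
# the kind of entries that would previously have carried a password into the log.
SAMPLE_LOG = [
    "2019-05-20 10:01:02 GET /aeon/logon?Action=10&Form=1 200",
    "2019-05-20 10:01:09 POST /aeon/logon body=Username=jdoe&Password=hunter2&Action=2 302",
    '2019-05-20 10:02:15 POST /aeon/changepw body="NewPassword=Tr0ub4dor&ConfirmPassword=Tr0ub4dor&FormState=..." 200',
]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line, "| leak:", has_unredacted_secret(line))
```

The filter is applied to the text at the moment it is logged, not to the stored log afterwards; `has_unredacted_secret` is the check to run over older files that were written before the change.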

New The StaffPreviousPasswordCount customization key has been added to check a staff user's new password for uniqueness against a configurable number (default value: 4) of previous passwords when the staff user changes their password. This prevents staff users from reusing a previous password or rotating through similar passwords.

  • If the value is set to 4, then the user must have 4 unique passwords before an old password can be reused.
  • Note: A bug is causing the system to read the 0 as a null value. Until the bug is fixed, do not set the value to 0. For more information, see Bug# 4238. Normally the system should operate as follows: if the value is set to 0, the previous password count should default to a minimum of 4.

New The WebPasswordHashingIterations and StaffPasswordHashingIterations customization keys have been added to set the number of hash iterations (default value: 156,000 iterations) used when storing a password. All passwords are now hashed with the Password-Based Key Derivation Function 2 (PBKDF2). For more information, see the Password table in the Aeon Customization Keys article.
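The two mechanisms above, PBKDF2 password storage with a configurable iteration count and the previous-password uniqueness check, as an added example written for these notes rather than taken from Aeon. It uses the defaults the notes give (156,000 iterations, 4 previous passwords) and the intended fallback for a count below 1. The record format, the choice of SHA-256 as the PBKDF2 PRF, the salt and key lengths and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Defaults taken from the release notes. Everything else here (record layout,
# PRF, salt and key sizes) is an assumption made for this example.
DEFAULT_ITERATIONS = 156_000
DEFAULT_PREVIOUS_COUNT = 4
HASH_NAME = "sha256"        # PBKDF2-HMAC PRF; the notes do not name one
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC key from the password with a fresh random salt.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt>$<key>"
    so the iteration count can be raised later without invalidating old records.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                              iterations, dklen=DERIVED_KEY_BYTES)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the record's own salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DERIVED_KEY_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def effective_previous_count(configured: int) -> int:
    """Intended behaviour from the notes: a value below 1 falls back to the default of 4."""
    return configured if configured >= 1 else DEFAULT_PREVIOUS_COUNT


def is_recent_password(new_password: str, history: List[str], previous_count: int) -> bool:
    """True if new_password matches any of the last N stored records.

    Each record carries its own salt, so the candidate must be re-derived per
    record; comparing stored hashes with each other would never match.
    """
    recent = history[-effective_previous_count(previous_count):]
    return any(verify_password(new_password, record) for record in recent)


def change_password(new_password: str, history: List[str], previous_count: int,
                    iterations: int = DEFAULT_ITERATIONS) -> List[str]:
    """Append a new record to the history, refusing a password used within the last N changes."""
    if is_recent_password(new_password, history, previous_count):
        raise ValueError("new password matches one of the previous passwords")
    return history + [hash_password(new_password, iterations)]


if __name__ == "__main__":
    history: List[str] = []
    for pw in ("first-pw", "second-pw", "third-pw"):
        history = change_password(pw, history, previous_count=4)
    print(verify_password("third-pw", history[-1]))
    try:
        change_password("first-pw", history, previous_count=4)
    except ValueError as exc:
        print(exc)
```

Because the iteration count is stored in each record, raising WebPasswordHashingIterations or StaffPasswordHashingIterations later only affects passwords set after the change; old records keep verifying with the count they were created under and can be re-hashed at the next successful login.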
New The StaffLoginAttemptsBeforeLock customization key has been added to set the maximum number (default value: 6 attempts) of failed login attempts before a staff account is locked out. A locked account cannot be used until the password is reset by another staff member with access to the Staff Manager.

  • When set to less than 1, the number of attempts will default to 6.

New The UserPasswordExpirationEnabled (default value: yes) and UserPasswordExpirationDays (default value: 180 days) customization keys have been added to enable user password expiration and set the default expiration period.

New The StaffPasswordExpirationDays (default value: 180 days) customization key has been added to set the number of days before a staff member's password expires.

New The SLUserPasswordExpired status line customization key has been added; its text appears when a user attempts to log in with an expired password. The default verbiage is "Your password is expired. Please update your password."
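The lockout, forced-reset and expiration rules from the entries above, as an added example that is not Aeon's code. It uses the notes' defaults (6 attempts, 180 days, the SLUserPasswordExpired text) and the fallback to 6 for a threshold below 1. Password verification itself is abstracted as a boolean supplied by the caller so the example stays focused on the account-state rules; the `StaffAccount` record, the helper names and the result strings are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults from the release notes; the record layout below is an assumption.
DEFAULT_LOCK_ATTEMPTS = 6
DEFAULT_EXPIRATION_DAYS = 180
SL_USER_PASSWORD_EXPIRED = "Your password is expired. Please update your password."


@dataclass
class StaffAccount:
    username: str
    password_set_at: datetime        # when the current password was set (UTC)
    failed_attempts: int = 0
    locked: bool = False
    force_reset: bool = False


def utc_now() -> datetime:
    return datetime.now(timezone.utc)


def new_account(username: str, password_age_days: int, force_reset: bool = False,
                now: Optional[datetime] = None) -> StaffAccount:
    """Constructed account whose current password was set password_age_days ago."""
    now = now or utc_now()
    return StaffAccount(username, now - timedelta(days=password_age_days),
                        force_reset=force_reset)


def effective_lock_threshold(configured: int) -> int:
    """StaffLoginAttemptsBeforeLock set below 1 falls back to the default of 6."""
    return configured if configured >= 1 else DEFAULT_LOCK_ATTEMPTS


def password_expired(account: StaffAccount, now: datetime,
                     expiration_days: int = DEFAULT_EXPIRATION_DAYS) -> bool:
    return now - account.password_set_at >= timedelta(days=expiration_days)


def attempt_login(account: StaffAccount, password_ok: bool,
                  lock_after: int = DEFAULT_LOCK_ATTEMPTS,
                  expiration_days: int = DEFAULT_EXPIRATION_DAYS,
                  now: Optional[datetime] = None) -> str:
    """Apply the lockout, forced-reset and expiration rules for one login attempt.

    Returns one of "locked", "failed", "reset_required", "expired", "ok".
    A locked account is refused even when the password is correct.
    """
    now = now or utc_now()
    if account.locked:
        return "locked"
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= effective_lock_threshold(lock_after):
            account.locked = True
            return "locked"
        return "failed"
    account.failed_attempts = 0      # a successful attempt clears the counter
    if account.force_reset:
        return "reset_required"
    if password_expired(account, now, expiration_days):
        return "expired"
    return "ok"


def reset_password(account: StaffAccount, now: Optional[datetime] = None) -> None:
    """What a reset by another staff member does to the record: clears the lock and counter."""
    account.locked = False
    account.failed_attempts = 0
    account.force_reset = False
    account.password_set_at = now or utc_now()


if __name__ == "__main__":
    acct = new_account("jdoe", password_age_days=181)
    print(attempt_login(acct, password_ok=True))          # expired
    print(SL_USER_PASSWORD_EXPIRED)
    for _ in range(DEFAULT_LOCK_ATTEMPTS):
        result = attempt_login(acct, password_ok=False)
    print(result, acct.locked)                            # locked True
```

Note that the counter only resets on a successful login; a lock reached through repeated failures persists across sessions until a staff member with Staff Manager access resets the password, which is the behaviour the StaffLoginAttemptsBeforeLock entry describes.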
New The Customization Manager and the Staff Manager now include a Change Password button on the ribbon under the main drop-down menu, allowing users to change their own password.

New A Force Reset checkbox has been added to the Staff Manager's change password form for a selected user. When checked, the force reset will prompt the staff member to reset their password upon attempting to log in. This allows a staff member to force their own password reset.

New A Force Reset checkbox has been added to the Client's change password form generated on the FormUserInfo. When checked, the force reset will prompt the user to reset their password upon attempting to log in.

New The autocompletion feature has been disabled on all password fields in the default pages. This prevents browsers from storing and prepopulating sensitive information such as passwords in those fields.

Administrative

Changed The Customization value fields have been increased from 255 characters to 1000 characters for existing values. The ValueChangedFrom and ValueChangedTo fields were also increased from 255 to 1000 characters for new values.

Changed The Description field in the Customization table has been increased to nvarchar(max) to allow for longer customization key descriptions.

Payment Gateway

Changed Support for CyberSource (www.cybersource.com/) has been added as a payment gateway option for Aeon web servers. For configuration instructions, see CyberSource Configuration. Additional information can be found on the CyberSource website under Secure Acceptance Hosted Checkout.

System Manager

Changed The System Manager will check the Atlas servers for new client releases 10 seconds after startup, after which it will resume the behavior of only checking once every 15 minutes. The default interval at which updates are checked can be customized in the SystemManager.exe.config file by editing the value of the UpdateServiceInterval setting.

Bug Fixes

Fixed Increased system verification requirements used when creating active user web sessions for remote auth users.

Web Applications

New AtlasBI will lock out after a configurable number of failed login attempts. This value matches what is set in the StaffPreviousPasswordCount Customization Key.
New Aeon Web API has a new endpoint added for marking requests as reshelved by barcode. For additional information, see Aeon API.
Changed jQuery, which is used to build the Aeon default web pages, has been updated to version 1.12.4. A new set of default web pages will be automatically installed during the update to accommodate the updated version.
