PCI Compliance for RezOvation
From RezOvation Wiki
The information provided below is for reference purposes only. Please note that credit card security standards are subject to change, and some standards may be enforced differently based on the merchant provider. For specific guidance, you should contact your merchant provider. See "Who do I contact for more information" below.
Overview
The PCI standard, as defined by the PCI council, is designed to ensure that credit card data is secured throughout the entire lifecycle of a credit card transaction. The PCI standard is made up of two major components: PCI DSS, and PA DSS. Depending on your role in the lifecycle of a credit card transaction, different standards will apply. Innkeepers must follow PCI-DSS.
Types of PCI compliance
PCI DSS
PCI DSS is the Payment Card Industry Data Security Standard that applies to end-users (innkeepers) and service providers (Webervations, RezOvation, BedandBreakfast.com).
For more information, please visit the PCI Security Standards Council website.
PA-DSS
PA-DSS is the Payment Application Data Security Standard which applies to software used to store or transmit credit card data, which includes RezOvation GT.
For more information, please visit the PCI Security Standards Council website.
How RezOvation products meet the PCI standards
RezOvation GT
RezOvation GT is certified as PA-DSS compliant, which means that it was audited by the PCI Security Standards Council and certified as a compliant payment application. As of March 2009, it is the very first hotel property management software to be certified under the latest PA-DSS 1.2 standard, which is the strictest and most current standard available. To view the official PA-DSS certification, please visit the PA-DSS website at https://www.pcisecuritystandards.org/security_standards/vpa/. When prompted, accept the agreement, then filter by Application Vendor, then RezOvation LLC.
RezOvation GT uses the following methods to ensure compliance:
- All credit cards are encrypted in the database using strong encryption methods.
- The software can be configured to require a password when logging in to the application.
- Encryption keys are automatically changed every 12 months.
- Encryption keys can be manually changed as needed.
- SSL is used whenever transmitting sensitive data.
- Restricted data, including card security codes, are never stored.
- Please read the RezOvation GT PA-DSS Implementation Guide for more details.
RezOvation Desktop
RezOvation Desktop is compliant with PCI standards.
RezOvation Desktop uses the following methods to ensure compliance:
- All credit cards are encrypted in the database using strong encryption methods.
- A password is required to log in to the application.
- SSL is used whenever transmitting sensitive data.
- Restricted data, including card security codes, are never stored.
- All RezOvation Booking Engine sites are regularly scanned by McAfee to ensure that no security vulnerabilities exist.
RezOvation Booking Engine
- Secure encrypted sessions are used for the checkout process (RezOvation GT)
- SSL is used whenever transmitting sensitive data.
- All credit cards are encrypted in the database.
- Credit cards are not stored and are purged within 24-72 hours.
- All RezOvation Booking Engine sites are regularly scanned by McAfee to ensure that no security vulnerabilities exist.
- Restricted data, including card security codes, are never stored.
Webervations
Webervations is compliant with PCI standards.
Webervations uses the following methods to ensure compliance:
- All credit cards are encrypted in the database.
- A password is required to log in to the application.
- Credit card data is deleted within 72 hours after reservation departure date.
- All Webervations sites are regularly scanned by McAfee to ensure that no security vulnerabilities exist.
- Restricted data, including card security codes, are never stored.
PCI Compliance Requirements
The basic requirements of PCI compliance are listed below.
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
What innkeepers need to do in order to maintain compliance
- Review the PCI DSS document for details. If you are using PA-DSS certified software, read the PA-DSS implementation guide provided with your software. The RezOvation GT PA-DSS implementation guide can be found at http://downloads.rezovation.com/RezOvationGT_PA-DSS_ImplementationGuide.pdf.
- Obtain a security scan of your website / network by a PCI Security Standards Council approved scanning vendor.
- Use software that is PA-DSS certified whenever possible (this will be required as of Feb 2010, but is recommended immediately to ensure that your credit card data is not at risk).
- Whenever possible, limit the sensitive data stored. This means destroying any documents that contain credit card data, security codes, or PIN codes, and destroying any stored credit card data that is no longer needed.
- You should not write down credit card numbers, unless you are writing down only the last 4 digits of the card.
- You should never record or store restricted data, such as card verification codes (CVV codes) or card swipe data.
- Install anti-virus and firewall software to protect your network.
- You should keep your computer up to date by using the latest version of Windows and installing the most current security patches and service packs.
- You should install and maintain a firewall as well as anti-virus and anti-spyware programs on your computer.
- Whenever possible, computers should not be openly accessible to the public.
- All computers should employ basic user level security including unique user names and passwords.
- Public computers should always be locked from access when not in use.
- Wireless networks should not allow access to sensitive data, including database files or customer records.
- Your credit card terminal should not print the full credit card number. Only masked numbers (last 4 digits of CC #) should be printed.
Key terms
- PCI-DSS: Payment Card Industry Data Security Standard.
- PA-DSS: Payment Application Data Security Standard. The standard that all applications which take or process payment information must follow. This requires an audit and official certification by the PCI Compliance Board.
- CISP: Cardholder Information Security Program. A set of guidelines and rules set by Visa with regards to credit card security. See http://www.visa.com/cisp/ for details.
- PAN: Personal Access Number, aka credit card number.
- CVC / CVV: Security code, usually 3 digits (for Visa / MC / Discover) or 4 digits (for Amex).
FAQs
Why am I not able to get security code (CVV) data?
CVV (security code) data is considered restricted, sensitive data by the PCI standard. As such, this data cannot be stored. It is only allowed to be used when a card is processed. So, you should either a) use the automatic deposit system for your booking engine (available with the RezOvation booking engine), or b) obtain the security code directly from the guest.
For more information, please see the PCI Quick Reference Guide.
Who do I contact for more information?
- If you are using RezOvation Desktop, then you should contact your processor or merchant provider for more information.
- If you are using RezOvation GT with QuickBooks Merchant Service, please see http://www.quickbooksmerchantservice.com/services/data_security_req.php
- If you need assistance with obtaining or maintaining compliance, then there are various firms that can help. Some links for reference:
Do these security requirements apply to all card types?
Yes, all card types are affected.
Why are credit card numbers not always downloaded from my online availability service?
If the credit card information being sent from the online availability service is either a) not secured (card numbers not encrypted) or b) not acceptable according to the PCI Data Security Standard (for example, it includes a CVV2 number), then this information is not downloaded.
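The download rule above, together with the "print only the last 4 digits" rule under "What innkeepers need to do", can be expressed as a small pre-storage screen. The following is an added illustration, not RezOvation code: the record layout and field names (`card_number`, `cvv2`, `card_last4` and the other entries in `RESTRICTED_FIELDS`) are assumptions, and the sample records are constructed. A value that is 13-19 digits and passes the Luhn check is treated as an unencrypted card number; anything else in that field is assumed to be ciphertext or a processor token.

```python
"""Screen reservation records from an availability feed before they are stored.

Added example (not RezOvation code). Field names are hypothetical.
Rules implemented, following the page:
  * records carrying restricted data (CVV2, track data, PIN) are rejected;
  * records carrying a card number in clear text are rejected;
  * a card number that must be shown or printed is masked to its last 4 digits.
"""
import re
from dataclasses import dataclass, field

# Hypothetical field names a feed might use for restricted (never-stored) data.
RESTRICTED_FIELDS = {"cvv", "cvv2", "cvc", "security_code", "track_data", "pin"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True when `digits` is a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_clear_pan(value) -> bool:
    """Assumption: 13-19 Luhn-valid digits (spaces/dashes allowed) is a clear-text PAN."""
    if not isinstance(value, str):
        return False
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep only the last 4 digits for receipts and screens; the rest becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class ScreenResult:
    accepted: bool
    reasons: list = field(default_factory=list)
    stored: dict = field(default_factory=dict)   # what may be written to the database


def screen_record(record: dict) -> ScreenResult:
    """Decide whether a feed record may be downloaded, and what part of it may be kept."""
    reasons = []
    restricted = sorted(k for k in record if k.lower() in RESTRICTED_FIELDS)
    if restricted:
        reasons.append("restricted data present: " + ", ".join(restricted))
    if looks_like_clear_pan(record.get("card_number")):
        reasons.append("card number received unencrypted")
    if reasons:
        return ScreenResult(False, reasons)        # nothing from this record is stored
    stored = {k: v for k, v in record.items() if k.lower() not in RESTRICTED_FIELDS}
    return ScreenResult(True, [], stored)


# Constructed sample records (the card number is the well-known test PAN).
SAMPLE_RECORDS = {
    "with_cvv": {"guest": "A. Example", "card_number": "tok_AbC123xyz", "cvv2": "123"},
    "clear_pan": {"guest": "B. Example", "card_number": "4111 1111 1111 1111"},
    "encrypted": {"guest": "C. Example", "card_number": "enc:ZmFrZS1jaXBoZXJ0ZXh0",
                  "card_last4": "1111"},
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = screen_record(rec)
        print(name, "ACCEPTED" if result.accepted else "REJECTED", result.reasons)
    print(mask_pan("4111 1111 1111 1111"))
```

The screen rejects the whole record rather than stripping the offending field, which matches the page's rule that such information "is not downloaded"; a rejected record therefore leaves no partial copy of the card data on the innkeeper's system.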
Where to get more information
- Main PCI site: https://www.pcisecuritystandards.org/
- PCI DSS 1.2 document: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
- Standards as far as they apply to most Innkeepers: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
- Visa Cardholder Information Security Program (CISP) page - Visa is one of the key members in deciding PCI standards so this is a good reference: http://usa.visa.com/merchants/risk_management/cisp.html
- Good overview of Visa CISP: http://usa.visa.com/download/merchants/cisp_overview.pdf
- RezOvation GT PA-DSS Implementation Guide: http://downloads.rezovation.com/RezOvationGT_PA-DSS_ImplementationGuide.pdf
