The information provided below is for reference purposes only. Please note that credit card security standards are subject to change, and some standards may be enforced differently based on the merchant provider. For specific guidance, you should contact your merchant provider. See "Who do I contact for more information" below.
What is the Visa Cardholder Information Security Program (CISP)?
Due to increasing amounts of credit card theft, identity theft, and similar fraud, the credit card industry has put together a security standard designed to protect sensitive cardholder information, such as name, address, and credit card number.
Visa CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce.
To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands.
For more information on the CISP program, click here.
Are RezOvation products compliant with these security standards?
Yes.
We use payment application best practices for how all of our data is stored and transferred, including:
- Swiped credit card data is never stored
- Credit card security codes (CVV / CVV2 codes) are never stored
- Credit card data in our hosted databases is stored using strong encryption and is purged within 72 hours (24 hours for RezOvation GT)
- Credit card data in client databases is stored using strong 128-bit encryption
- Credit card data in client databases is never printed or displayed in full, and is masked when printed (e.g. xxxx1234)
- Online reservation sessions are encrypted with secure session IDs so that data cannot be compromised
What is the PCI Data Security Standard?
The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
What does the PCI Data Security Standard mean for me?
- You should keep your computer up to date by using the latest version of Windows and installing the most current security patches and service packs.
- You should install and maintain a firewall as well as anti-virus and anti-spyware programs on your computer.
- Whenever possible, computers should not be openly accessible to the public.
- All computers should employ basic user level security including unique user names and passwords.
- Public computers should always be locked from access when not in use.
- Wireless networks should not allow access to sensitive data, including database files or customer records.
- You should not write down credit card numbers, unless you are writing down only the last 4 digits of the card. Credit card numbers that are written down or printed should be stored in a secure location, and destroyed when no longer needed.
- Your credit card terminal should not print the full credit card number. Only masked numbers (last 4 digits of CC #) should be printed.
- You should never record or store restricted data, such as card verification codes (CVV codes) or card swipe data.
What is RezOvation doing to meet these requirements?
RezOvation Desktop:
- RezOvation Desktop has always included a security feature which requires the user to log in before access to the program is granted.
- We offer secure, 128-bit credit card encryption within the RezOvation Desktop database.
- RezOvation Desktop also requires that the user sign in again before accessing any credit cards.
- We do not store restricted data such as credit card swipe information or CVV2 (card verification) codes.
RezOvation GT:
- User login can be enabled if desired.
- Strong user passwords can be used.
- Stored credit cards are encrypted in the database using 128-bit encryption.
- Restricted data such as credit card swipe information or CVV2 code (card verification code) is not stored.
RezOvation Booking Engine:
- Our Booking Engine encrypts all customer information and credit card data using 128-bit encryption and transmits this data securely to the RezOvation Desktop and RezOvation GT applications.
- Credit card numbers are not permanently stored on the Booking Engine servers, only in the individual property database which is resident on your computer.
Why can't I store the CVV2 (card verification) code?
According to the Cardholder Information Security Program (CISP), it is never acceptable to store CVV2 numbers.
Why do I have to sign in to RezOvation Desktop in order to view the credit card number?
This method ensures that credit cards cannot be accessed by non-authorized persons.
However, it is still recommended that you use the Windows "computer locking" function whenever you are not present at your computer. To lock your computer, hold the WINDOWS key then press the L key. To access your computer, you must then enter your Windows login password.
Are credit cards encrypted in RezOvation Desktop and RezOvation GT?
Yes. All credit cards are encrypted using secure 128-bit encryption.
Why are credit card numbers not always downloaded from my online availability service?
If the credit card information being sent from the online availability service is either a) not secured (card #s not encrypted) or b) not acceptable according to PCI Data standards (includes CVV2 number) then this information is not downloaded.
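The two storage rules that recur in this FAQ (mask the card number to its last four digits whenever it is printed or displayed, and never accept a record that carries an unencrypted card number, a CVV2 code, or swipe data) are simple enough to check mechanically. The following Python is an added illustration, not RezOvation's code and not part of the CISP or PCI specifications. The field names ("pan", "pan_ciphertext", "pan_last4", "cvv2", "track_data", "notes") and the sample records are constructed for the example; a real availability-service feed will use its own format.

```python
"""
Added example (not RezOvation's code): screen a reservation record received
from an online availability service against the storage rules in this FAQ,
and mask card numbers for display the way the FAQ shows (xxxx1234).

Assumed field names (constructed for this example, not taken from the page):
  "pan"            plaintext card number  -> record is rejected
  "pan_ciphertext" encrypted card number  -> required for acceptance
  "pan_last4"      last four digits kept for the masked display form
  "cvv2"           card verification code -> never stored, record rejected
  "track_data"     magnetic-stripe swipe data -> never stored, record rejected
  "notes"          free text, scanned for accidentally typed full card numbers
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Restricted data that PCI DSS forbids storing after authorisation.
RESTRICTED_FIELDS = ("cvv2", "track_data")

# Card numbers are 13 to 19 digits long; this finds digit runs in free text,
# allowing single spaces or dashes between digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(pan: str) -> str:
    """Display/print form from the FAQ: only the last four digits survive."""
    digits = re.sub(r"\D", "", pan)           # drop spaces and dashes
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card-number-length digit string")
    return "xxxx" + digits[-4:]


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; cuts false positives when scanning free text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list:
    """Return masked forms of Luhn-valid card numbers found in free text,
    so a record with a full number typed into its notes can be flagged."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)
    stored: Optional[dict] = None             # the record as it may be saved


def screen_incoming_reservation(record: dict) -> Decision:
    """Apply the FAQ rule: a record is not downloaded if the card number is
    unencrypted or if restricted data (CVV2, swipe data) is included."""
    reasons = []
    if "pan" in record or "pan_ciphertext" not in record:
        reasons.append("card number not encrypted")
    for name in RESTRICTED_FIELDS:
        if name in record:
            reasons.append(f"restricted data present: {name}")
    leaks = find_plaintext_pans(str(record.get("notes", "")))
    if leaks:
        reasons.append("full card number in notes field: " + ", ".join(leaks))
    if reasons:
        return Decision(False, reasons)
    stored = dict(record)
    stored["pan_display"] = "xxxx" + str(record.get("pan_last4", ""))[-4:]
    return Decision(True, [], stored)


# Constructed sample records (not real data).
GOOD_RECORD = {"guest": "A. Example", "pan_ciphertext": "<ciphertext-placeholder>",
               "pan_last4": "1234", "notes": "late arrival"}
CVV_RECORD = dict(GOOD_RECORD, cvv2="123")
PLAINTEXT_RECORD = {"guest": "B. Example", "pan": "4111111111111111"}
NOTES_LEAK_RECORD = dict(GOOD_RECORD,
                         notes="card 4111 1111 1111 1111 on file, phone 555-0100")

if __name__ == "__main__":
    for rec in (GOOD_RECORD, CVV_RECORD, PLAINTEXT_RECORD, NOTES_LEAK_RECORD):
        d = screen_incoming_reservation(rec)
        print("accepted" if d.accepted else "rejected: " + "; ".join(d.reasons))
```

The free-text scan is the part most often missing in practice: a database can encrypt its card-number column and still hold full numbers typed into a notes or comments field, which the FAQ's advice against writing card numbers down is meant to prevent.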
Do these security requirements apply to all card types?
Yes, all card types are affected.
Do I need to run a Quarterly Network Security Scan?
According to PCI standards, a Quarterly Network Security Scan may be required for merchants that process less than 20,000 Visa transactions a year (level 4 merchant). This requirement may need to be met if your processor requires it. You should contact your processor / merchant provider for more information.
The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the merchant. Level 1, 2, and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor. The Quarterly Network Security Scan is optional, but highly recommended, for Level 4 merchants.
For more information about network security scans and specific requirements for each type of merchant, please visit this page on the Visa website.
You may also download the PCI Security Scanning Procedures (PDF, 105k).
Where can I find more information about CISP (Cardholder Information Security Program)?
For more information on the CISP program, click here.
For an FAQ explaining CISP, click here (PDF, 147k)
Who do I contact for more information?
If you are using RezOvation Desktop, then you should contact your processor or merchant provider for more information.
If you are using RezOvation GT with QuickBooks Merchant Service, please see http://www.quickbooksmerchantservice.com/services/data_security_req.php
If you need assistance with obtaining or maintaining compliance, then there are various firms that can help. Some links for reference:
Trustkeeper
Trustwave