
Credit Card PCI Compliance Issues,
Data Encryption & Security

Trainer: Denise McLean

Session 3:   2:00 p.m. - 2:45 p.m.

RDP now has 4 levels of credit card security, which is one step in PCI compliance.  Each property should review the “Visa Compliance Validation” requirements, which can be found by going to www.usa.visa.com/merchants/risk_management/cisp.html and clicking on How To Comply.  This will give you a list of the 12 different requirements, which include installing and maintaining a firewall, using anti-virus software, and assigning a unique ID to each person with computer access.  There is a link on the right labeled “PCI Data Security Standard” which brings you to a PDF file explaining those 12 steps in more detail.

Payment Card Industry (PCI) Compliance
and RDPWin

April, 2008

Payment Card Industry (PCI) compliance is different for every RDP customer based on the volume of credit card transactions. RDP software may not be PCI compliant for all customers.  There are many PCI compliance requirements that must be satisfied which have nothing to do with the RDP system. Every RDP customer must carefully examine the full PCI requirements.  It is the responsibility of each customer to assure full PCI compliance.  RDP is NOT LIABLE for damages or fines related to any level of credit card security.  RDP offers no assistance, guarantees, or advice regarding PCI compliance, and cannot be held liable for any damages resulting from customer failure to comply with full PCI compliance standards.

RDP Suggests...

  1. Read and implement all non-RDP requirements, some of which are outlined on Visa’s website at Visa Compliance Validation.
  2. Upgrade to the current version of all RDP products.
  3. Upgrade to the current version of Southern Datacomm Software or contact SDC's Technical Support at (866) 709-7880.
  4. Review data encryption documentation and select Level 3 or 4, which may or may not be PCI compliant, based on your credit card transaction level. 

Encryption Level 1

The first level of credit card security (Level 1) is no security at all.

Encryption Level 2

Level 2 provides limited security. 

Encryption Level 3

Level 3 provides a much greater level of security.

Encryption Level 4

Level 4 provides the highest level of security.

Implementation Steps for Levels 3 and 4

** Can’t Go Back After Encryption **

  1. Install RDPWin version 2.xxx. If you don’t have it, call RDP Support to schedule the installation. You must be on version 2.xxx for at least a few weeks, in order to get used to using only RDPWin for reservation and front desk functions.
  2. Update RDP-DOS.
  3. Update IRM.
  4. Update SDC to version 6.0. Please call SDC Support at 877-732-1799 for more details.
  5. Update RDPSerial and/or GDS, if they’re installed.
  6. Perform a full system backup in case any problems occur during the data conversion.
  7. Purge historical data. In order to speed up the conversion process, you should “clean up” your data directories. Refer to KB article K00091.htm on our website by going to the Support link, then Knowledge Base under RDP-DOS.
  8. Exit all users. During the conversion, systems will be down for up to 8 hours or longer, depending on the data size and hardware.
  9. Call RDP Support and obtain the password to encrypt the data. The user running the conversion program will automatically become the system administrator. It is important that the correct person calls RDP Support to get the password.
  10. Run the conversion program.
    1. In RDPWin, go to Masters -> Credit Card -> Configuration.
    2. Check the “Encrypt critical credit card data” box.
    3. Set “Days to retain credit card data in history after departure”. Credit card numbers should be purged from the system after this number of days.
    4. Click Process.
    5. Enter the password obtained from RDP Support and click Continue.
  11. Verify conversion, which may take several hours. If there are any errors, it is critical to call RDP Support.

Conversion Process

On Active Data:

  1. Delete Log Files – this step deletes all cc log files as well as all .IN, .OUT, and .RDP files from the pbfiles directory, because with older versions of RDP-DOS and RDPWin, the credit card number was not masked.
  2. Update Guests – deletes the credit card information from each guest history master. The credit card information will no longer be pulled up from guest history on new reservations.
  3. Update Res – purges credit card numbers on reservations whose departure date is older than the “days to retain” setting. For all reservations within the “days to retain” setting, it encrypts the credit card number, stores it in the CntCCard file, and masks the credit card number on the reservation.
  4. Update Transactions – purges credit card numbers on transactions older than the “days to retain” setting. For all transactions within the “days to retain” setting, it encrypts the credit card number, stores it in the CntCCard file, and masks the credit card number on the transaction.
  5. Update Notes – masks the credit card number in the notes file which is used to print the credit card receipts.

 

Then on Historical Data:

  1. Update Res, Update Transactions, Update Notes – this does the same thing as active data, but to non-active reservations.
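
A check that can support the “Verify conversion” step, as an added example that is not RDP's code: it scans text lines for Luhn-valid card numbers that were left unmasked. The sample lines and the asterisk mask format are constructed assumptions; RDP's actual file layouts are not described on this page.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# adjacent to mask characters (assumed mask style: asterisks or X).
PAN_CANDIDATE = re.compile(r"(?<![\d*Xx])\d(?:[ -]?\d){12,18}(?![\d*Xx])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(lines):
    """Return (line_number, redacted_number) for each Luhn-valid hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                # Keep only first six / last four so the report holds no full number.
                redacted = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((n, redacted))
    return hits


# Constructed sample text; the card numbers are public test numbers.
SAMPLE_LINES = [
    "RES 10021 SMITH CC ************1111 EXP 0910",      # masked: ignored
    "NOTE guest called, card 4111111111111111 on file",  # unmasked: reported
    "CONF 1234567890123456 sent to guest",               # fails Luhn: ignored
    "OUT 5500-0000-0000-0004 APPROVED",                  # unmasked with dashes
]

if __name__ == "__main__":
    for line_no, number in find_unmasked_pans(SAMPLE_LINES):
        print(f"line {line_no}: unmasked card number {number}")
```

Any hit after conversion points to a file the conversion steps did not cover, such as a leftover log or export, and should be handled before treating the conversion as verified.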

User Maintenance

For Level 4, go to System -> Manager Users. 

Only the credit card administrator can change the level from 3 to 4. Pull up the credit card administrator login and uncheck Credit Card Administrator. If no other users have this box checked, you will get a warning that the level of security is changing from level 3 to level 4.

In order to go back to Level 3, a password is required when checking the Credit Card Administrator checkbox.