RDPWin

System Administrator - Encryption of Credit Card Information


ENCRYPTION REQUIREMENTS
Call RDP Support: Call RDP Support at 970-845-7108 to schedule implementation.  Prior to taking any steps to encrypt data, customers must first Call RDP Support.
Schedule Down-Time: During implementation, systems will be down for up to eight (8) hours or longer during conversion, depending on data size and hardware.
Update RDPWin: Update RDPWin to the most recent version of RDPWin 2.xxx.
Update RDP-DOS: Update RDP-DOS to the most recent version.
Update IRM: Update the Internet Reservation Module (IRM) to the most recent version.
Update Protobase: Customers using Protobase Credit Card Interface must also update Protobase.  Call Protobase support at (877) 732-1799 for details.
Update GDS and RDPSerial Interfaces: Any properties using the Interface to the Global Distribution System (GDS) must also update the GDS and RDPSerial.  Customers who have purchased enhanced movie interface and GDS install both interfaces on the same workstation.  Customers with only RDPSerial and not GDS still need to get the latest update.
Purge Historical Data: Properties should consider purging some historical data prior to converting to Level 3 or 4.  This is the perfect time for long-time RDP customers to "clean up".  For more information, see http://support.resortdata.com/Customers/Knowledge/KB-RDPWin/KWin0080.htm.

TOPICS
  • Overview of Levels
  • Level 1 Details
  • Level 2 Details
  • Level 3 Details
  • Level 4 Details
  • PCI Compliance Standards
  • Change Level 4 to Level 3
  • Change Fence Level to View Full Credit Card Numbers
  • Verify and Change Power Levels for Users
  • Entry and Display of Credit Card Numbers - Search by Credit Card #
  • Implement Level 1
  • Implement Level 2
  • Implement Levels 3 or 4

Overview

Credit card security for our customers is just one step in Payment Card Industry (PCI) compliance.  PCI compliance is different for every RDP customer based on the volume of credit card transactions.  There are many PCI compliance requirements that must be satisfied which have nothing to do with the RDP system.  Please also review PCI Compliance Standards for detail.

Every RDP customer must carefully examine the full "Visa Compliance Validation" requirements.  It is the responsibility of each customer to assure full PCI compliance.  RDP is NOT LIABLE for damages or fines related to any level of credit card security, including level 1-4.  RDP offers no assistance, guarantees, or advice regarding PCI compliance, and cannot be held liable for any damages resulting from customer failure to comply with full PCI compliance standards.

Resort Data Processing (RDP) offers four levels of credit card security available to RDP customers. Only Levels 3 and 4 are PCI compliant, because they include data encryption and deletion of old credit card information.  RDP strongly recommends that all customers use Level 3 or 4 which require that RDPWin (not RDP-DOS) be used for making and changing reservations, taking payments, checking-in and checking-out reservations, etc.

RDP Suggests...

  1. Read and implement all non-RDP requirements, some of which are outlined on Visa’s website at Visa Compliance Validation.
  2. Upgrade to the current version of all RDP products.
  3. Upgrade to the current version of Protobase Software or contact Protobase's Technical Support at (866) 709-7880.

Security Level Explanation

Level 1: This is for current RDP-DOS customers with no changes and all other Front Desk functions.  Level 1 provides no credit card security, is not PCI compliant, and is not recommended by RDP.  Level 1 should not be used by any RDP customers.  This level exists as the "default condition" for RDP customers who have not updated their systems to a higher security level.

Level 2: Level 2 provides limited security, is not PCI compliant, and is not recommended by RDP.  Level 2 may be used temporarily by customers still using the legacy RDP-DOS product for reservations and front desk functions.  Level 2 customers should plan on conversion to Level 3 and using RDPWin as soon as possible.

Level 3: PCI COMPLIANT LEVEL 3

Level 3 provides much greater security by removing old credit card data and encrypting current data while still allowing system administrators to see the full credit card number.  Level 3 provides access to the full credit card number for managers designated as a credit card administrator.

Only users with credit card administrator privileges have the ability to access credit card information.  Great care and consideration must be given when granting these privileges.  Level 3 can be implemented by customers using RDPWin for reservations and front desk functions who wish to take on the additional liability of allowing the administrator user(s) access to full credit card numbers.

Level 4: PCI COMPLIANT LEVEL 4

Level 4 provides the highest security by removing old credit card data and encrypting current data, and prevents all users, even an administrator, from viewing the full credit card number.  RDP recommends Level 4 to reduce the probability of employees fraudulently using credit card information.  Level 4 may be implemented by customers using RDPWin for reservations and front desk functions to prevent any user from viewing the full credit card numbers.

Feature              Level 1  Level 2  Level 3  Level 4
PCI Compliant        No       No       Yes      Yes
Recommended by RDP   No       No       No       Yes
Yes
Yes
No
No
Yes
Yes
Yes
Yes
No
No
Yes
Yes
No
Yes
No
No
No
No
Yes
Yes
No
No
Yes
Yes
Yes
Uses HIDECC
CC Admin Only
No
Yes
Yes
Yes
Yes
Yes
Yes
Last 5
Last 5
Yes
Yes
Last 5
Last 5
Last 5
Last 5
Last 5
Last 5
Applies to RDP-DOS
Applies to and Requires RDPWin
RDPWin must be used for Reservations & Front Desk
Training is required to convert from RDP-DOS to RDPWIN
Uses C1HIDECC
Credit Card Number Encrypted
Retention Scheme Used
Full Credit Card Numbers accessible
Search for Reservations by Credit Card Number
RDP-DOS Reports Show Full Credit Card Number
Reporter 8.5 Show Full Credit Card Number
RDPWin Reports Show Full Credit Card Number

 

Level 1 Implementation 

Level 1 provides no credit card security, is not PCI Compliant, and is not recommended by RDP.  Level 1 should not be used by any RDP customers.  This level exists as the "default condition" for RDP customers that require a system update to operate at a higher security level.  RDP is NOT LIABLE for damages or fines related to any level of credit card security, including level 1-4. 

Level 2 Implementation 

Level 2 provides limited security, is not PCI Compliant, and is not recommended by RDP.  Level 2 may be used temporarily by customers still using the legacy RDP-DOS product for reservations and front desk functions.  These customers should plan on conversion to Level 3 and using RDPWin as soon as possible.  RDP is NOT LIABLE for damages or fines related to any level of credit card security, including level 1-4. 

To implement Level 2, proceed as follows:

  Level 2 Implementation Steps
Update RDPWin: Update RDPWin to the most recent version.
Update RDP-DOS: Update RDP-DOS to the most recent version.
Update IRM: Update the Internet Reservation Module (IRM) to the most recent version.
Update Protobase: Customers using Protobase Credit Card Interface must also update Protobase.  Call Protobase support at (877) 732-1799 for details.
Old Crystal Reporter: For customers using the old RDP Reporter Crystal Report Viewer provided by RDP with the RDP-DOS system, all old reports continue to show full credit card numbers to all users.  To avoid this security issue, use RDPWin to print all reports.  RDPWin has been updated to only show the last five digits of the credit card number on all standard RDP system reports.
Set HIDECC Fence Level: Verify default fence levels for viewing full credit card numbers.
Set Power Levels: Verify Power Levels for all users.
RDP-DOS OK: RDP-DOS or RDPWin can be used with Level 1 or 2 Credit Card Security.


Level 3 or 4 Implementation - Remove Old Data and Data Encryption 
PCI COMPLIANT

Level 3 or 4 credit card security implementation provides much greater security by removing old credit card data and encrypting current data.  The requirements to implement Level 3 or 4 include:

  • Please call RDP Support at 970-845-7108 to verify readiness for RDPWin and to discuss use of Level 3 or Level 4 security.
  • Level 3 or 4 implementation must be scheduled at a time when all users can stop accessing the RDP system for up to eight (8) hours to allow the encryption program to process.  The exact duration depends on individual property data files and hardware. 
  • With Level 3 or 4 credit card encryption, RDPWin must be used for reservations, check-in, check-out, etc.  RDP-DOS can no longer be used after implementation of Level 3 or 4.  Properties not currently using RDPWin must first attend training in Vail and use RDPWin at the property for a few weeks prior to implementing Level 3 or 4 credit card encryption.
  • Properties are required to provide the user name and password of one person to be designated as the "credit card security system administrator".  As part of the Level 3 or 4 implementation, RDP inputs the encrypted password for that user, who can then establish other users with credit card administrator access.
  • A full system-backup must be completed prior to implementing Levels 3 or 4.
  • Properties should consider purging some historical data prior to converting to Level 3 or 4.  This is the perfect time for long-time RDP customers to "clean up".  For more information, see http://support.resortdata.com/Customers/Knowledge/KB-DOS/K000191.htm.

Once the above requirements are met, proceed as follows to implement Levels 3 or 4:

Level 3 Implementation Steps - Remove Old Credit Card Data and Encrypt Current Data
Call RDP: Call RDP Support at 970-845-7108 to schedule implementation.
Update RDPWin: Update RDPWin to the most recent version of RDPWin 2.xxx.
Use RDPWin only: Only RDPWin, not RDP-DOS, can be used for reservations and front desk with Level 3 or 4 Credit Card Security.
Update RDP-DOS: Update RDP-DOS to the most recent version.
Update IRM: Update the Internet Reservation Module (IRM) to the most recent version.
Update Protobase: Customers using Protobase Credit Card Interface must also update Protobase.  Call Protobase Support at (877) 732-1799 for details.
Update GDS Interface: Any properties using the Interface to the Global Distribution System (GDS) must also Update GDS and RDPSerial.
Full Backup: Perform a full system-backup in case any problems occur during data conversion.
Purge Historical Data: Properties should consider purging some historical data prior to converting to Level 3 or 4.  This is the perfect time for long-time RDP customers to "clean up".  For more information, see http://support.resortdata.com/Customers/Knowledge/KB-RDPWin/KWin0080.htm.
Exit All Users: All users must exit the system while the data encryption program runs.  The exact duration depends on hardware and the size of individual property data files.
Password from RDP: A password must be obtained from RDP Support at (970) 845-7108 prior to starting the credit card encryption process.
Encrypt Credit Cards and Delete History
  1. From RDPWin, access Configuration from the Masters | Credit Card menu.  Note:  RDPWin must be updated to the current version!
  2. Check the Encrypt critical credit card data box.
  3. Set Days to retain credit card date in history after departure.  The default setting is 90.
  4. Review all text.  Click Process.  The system prompts for the password (obtain from Support at 970-845-7108).  
Verify Conversion: The conversion program can run for many hours.  If there are any errors it is critical to call RDP support!
Verify Fence Levels: Verify default fence level.
Verify Power Levels: Verify Power Levels for all users.


Change Fence Level to View Full Credit Card Numbers

The security system in both RDPWin and RDP-DOS uses power levels assigned to user names and fence levels assigned to system functions.  To access a given system function, a user's power level must be greater than or equal to the fence level assigned to the function.  

After updating RDP-DOS and RDPWin, the default fence level to view full credit card numbers is the RDP maximum Fence Level 999. Therefore, by default, only users with a power level of 999 or higher are able to view or print reports with the full credit card numbers.

RDP recommends leaving the fence level at the highest level of 999.  Confirm only the administrators have Power Level 999.  See Setting Power Levels for Users below.  To lower the fence level on the "view full credit card number" capability:

For RDPWin Customers:
  1. Log on to RDPWin as a user with Power Level 999 (or the highest level in the system).
  2. Click Switches from the System menu.
  3. Type in C1HIDECC in the Search field.
  4. Confirm that BOTH the Dos and Win checkboxes are checked and Setting is equal to 999.
  5. Save.

Warning:  Setting the fence level below 999 allows many users access to full credit card numbers which violates the PCI Compliance rules.  RDP recommends leaving the fence level at the highest level of 999.  Confirm that only administrators have a power level equal to 999.

Verify and Change Power Levels for Users

Only the administrator should have a power level equal to or greater than the fence level assigned to the "view full credit card number" capability.  The fence level is set to 999 by default.  To verify or change the power levels of users, see User Maintenance.

Warning:  The steps above assume the fence level for the system function "view full credit card numbers" is set to the default of 999.  If the default fence level has been changed to a lower number, adjust all users accordingly.

If selecting Level 3 security, please contact RDP Support at 970-845-7108 to set an encrypted password for the administrator to allow viewing of full credit card numbers.  With Level 4 security, no user, including the administrator, can view the entire credit card number.

Entry and Display of Credit Card Numbers - Search by Credit Card #

When credit card numbers are entered into RDP-DOS or RDPWin, users can view the full number as it is entered.  However, after saving and redisplaying the information, only the last five digits are visible.  Administrators always see the full credit card number.  See Find Reservation by CC# for details.  This feature is available with all four levels of RDP Credit Card Security.

Change Encryption Level From 4 to 3

When encrypting the system data the program automatically makes the logged-on user a Credit Card Administrator (CCA); thereby placing the system’s credit card security at Level 3. Users that are either System or Credit Card Administrators may access the CCA checkbox.  If the property subsequently unchecks the CCA box for the user and no other CCA users exist, then the system displays a message warning the user that Level 3 is about to be updated to Level 4.

If a user checks the CCA box when no other CCA users exist, the system displays a message warning that Level 4 is about to be lowered to Level 3 and credit card numbers will be visible to CCA users.  If the user elects to proceed, the system prompts for a password.  Entry of the correct password is required to change this setting for the first time.  The password must be obtained from RDP Support by calling (970) 845-7108.
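
The power-level/fence-level rule, the last-five-digits redisplay and the CCA-based Level 3/Level 4 distinction described above can be checked against a user list with a short script.  This is an added example, not RDP code: the User record, its field names, the function names and the sample users are all constructed for illustration, and no RDP export format or API is implied.

```python
from dataclasses import dataclass

MAX_FENCE = 999  # RDP maximum fence level; default for C1HIDECC per the page

@dataclass
class User:              # constructed record; field names are assumptions
    name: str
    power: int           # power level assigned to the user name
    admin: bool = False  # person the property intends as administrator
    cca: bool = False    # Credit Card Administrator (CCA) box checked

def clears_fence(user, fence):
    # Page rule: power level must be greater than or equal to the fence level.
    return user.power >= fence

def encryption_level(users):
    # On an encrypted system: any CCA user means Level 3, none means Level 4.
    return 3 if any(u.cca for u in users) else 4

def mask_pan(pan):
    # Redisplay form: only the last five digits remain visible.
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * max(len(digits) - 5, 0) + digits[-5:]

def audit(users, fence):
    # Flag a lowered fence and any non-administrator who can reach card data.
    findings = []
    if fence < MAX_FENCE:
        findings.append(f"fence {fence} is below {MAX_FENCE}")
    for u in users:
        if clears_fence(u, fence) and not u.admin:
            findings.append(f"{u.name}: power {u.power} clears the fence, not an administrator")
        if u.cca and not u.admin:
            findings.append(f"{u.name}: CCA box checked, not an administrator")
    return findings

# Constructed sample data, not exported from any RDP system.
USERS = [
    User("owner", 999, admin=True, cca=True),
    User("frontdesk1", 500),
    User("nightaudit", 999),              # power level left at the maximum
    User("reservations", 300, cca=True),  # CCA granted to a non-administrator
]

if __name__ == "__main__":
    for fence in (999, 500):
        print(fence, "Level", encryption_level(USERS), audit(USERS, fence))
    print(mask_pan("4111 1111 1111 1111"))  # constructed test number
```

With the fence at the default of 999 the sample list still produces two findings, which is why the page asks for power levels to be verified even when the fence level has not been changed.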


Click these links for Frequently Asked Questions or Troubleshooting assistance.

12/04/2007


© 1983-2009 Resort Data Processing, Inc. All rights reserved.