Data Security For Credit Card Users
PCI-PA-DSS – COMPLIANCE
"PCI Compliance" is an important subject. It means applying the information security practices of the Payment Card Industry (PCI) Data Security Standard (DSS), as defined and enforced by the world's leading payment brands. PA-DSS, the Payment Application Data Security Standard, is the companion standard for vendor-supplied payment applications such as SIHOT.PMS.
Compliance with this standard is not merely of interest to your customers. Failure to comply can have serious consequences, such as fines passed on by the payment brands and lawsuits, not to mention reputational damage and financial loss.
PCI DSS defines 12 requirements that apply to any business that stores, processes or transmits cardholder data. Together they set out the framework for a secure payment environment intended to prevent data theft and card fraud.
PCI Requirements Affecting SIHOT
Of the 12 requirements, five bear directly on SIHOT:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Protection of Cardholder Data
Protecting cardholder data means keeping the data that is stored to an absolute minimum, retaining it only for as long as it is needed, restricting access to it as tightly as possible, and keeping it encrypted whenever it is at rest.
SIHOT.PMS stores the credit card number and its expiry date only for the duration of the transaction, from the reservation until the bill is settled; the record is deleted once the transaction is complete. The card verification code (CVC) is never stored. Card data written to the database is encrypted with AES. The full card number is never displayed anywhere in the application.
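The following Go program is an added illustration of the storage policy just described; it is not SIHOT code and says nothing about how SIHOT.PMS actually lays out its database. It encrypts the PAN with AES-256-GCM from the Go standard library, keeps a pre-computed masked form for display so screens never need the key, has no place to put a CVC at all, and deletes the record at settlement. The `Vault` type, its methods and the reservation ID used as a key are assumptions of this example; 4111111111111111 is a constructed test number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// cardRecord is what lands in the database: the PAN under AES-GCM, the expiry
// date and a pre-computed masked form. There is deliberately no field for the CVC.
type cardRecord struct {
	nonce, ciphertext []byte
	expiry            string // "MM/YY"
	masked            string // e.g. "************1111", served without decrypting
}

// Vault holds card records only while a transaction is open. Records are keyed
// by a hypothetical reservation ID (an assumption of this example).
type Vault struct {
	aead    cipher.AEAD
	records map[string]cardRecord
}

// NewVault wraps a 16/24/32-byte AES key (32 = AES-256) in GCM; key management is out of scope.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string]cardRecord{}}, nil
}

// MaskPAN keeps only the last four digits; this is the only form a screen may render.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Store runs at reservation time. The reservation ID goes in as associated data,
// so a ciphertext copied onto another reservation no longer decrypts.
func (v *Vault) Store(resID, pan, expiry string) error {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return errors.New("PAN must be 13-19 digits")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(resID))
	v.records[resID] = cardRecord{nonce: nonce, ciphertext: ct, expiry: expiry, masked: MaskPAN(pan)}
	return nil
}

// Masked is the display path: it never touches the key.
func (v *Vault) Masked(resID string) (string, bool) {
	r, ok := v.records[resID]
	return r.masked, ok
}

// Reveal is the only path to the clear PAN and belongs solely in the
// authorisation/settlement code, never behind a user screen.
func (v *Vault) Reveal(resID string) (string, error) {
	r, ok := v.records[resID]
	if !ok {
		return "", errors.New("no card on file")
	}
	pt, err := v.aead.Open(nil, r.nonce, r.ciphertext, []byte(resID))
	if err != nil {
		return "", err // record tampered with or moved between reservations
	}
	return string(pt), nil
}

// Settle ends the transaction: the record is deleted, not merely flagged.
func (v *Vault) Settle(resID string) { delete(v.records, resID) }

func main() {
	key := make([]byte, 32)
	rand.Read(key) // throwaway key for the demo
	v, _ := NewVault(key)
	// 4111111111111111 is a constructed test number, not a real card.
	if err := v.Store("RES-42", "4111111111111111", "12/29"); err != nil {
		panic(err)
	}
	m, _ := v.Masked("RES-42")
	fmt.Println("on screen:", m)
	v.Settle("RES-42")
	_, err := v.Reveal("RES-42")
	fmt.Println("after settlement:", err)
}
```

Two design points are worth copying even if the rest is throwaway: the masked value is computed once at store time so ordinary screens never trigger a decryption, and binding the reservation ID into the GCM associated data means a database record cannot simply be re-pointed at a different guest without the decryption failing.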
SIHOT does not transmit sensitive cardholder data over public networks. Authorisations and payments through online payment facilities are processed either within the local network or on the electronic payment provider's server, as applicable; the provider is then responsible for encrypting cardholder data it sends over public networks. The local network segments that carry this traffic nevertheless remain part of the cardholder data environment and within PCI DSS scope.
Access rights must be granted on a "least privilege" and "need to know" basis. SIHOT.PMS implements role-based access control, with user rights derived from job classification and function. Each user has an individual account and password in SIHOT.PMS, and passwords must meet defined requirements for length, validity period and similar criteria.