CB/TBO advanced: Trams Products and PCI Compliance DATA SECURITY DISCUSSION POINTS DATA PRIVACY VS. DATA SECURITY

Transcription

1 CB/TBO advanced: Trams Products and PCI Compliance DAN PALLEY, CTO, TRAMS AND CLIENTBASE PRODUCTS AND SERVICES DATA SECURITY DISCUSSION POINTS Data Privacy vs. Data Security What Does it Mean to be PCI-Compliant? The PCI Audit Process Current State of Trams Products To Be Done 3rd Party Access to Encrypted Data DATA PRIVACY VS. DATA SECURITY PCI covers Data Security around Credit Card data, specifically, how that data is stored and transmitted and who can access it. Personal information, such as addresses, phone numbers, SSN, etc., is referred to as PII and is not specifically addressed via PCI. Securing PII data and ensuring the user s privacy are important, but separate, issues. 1

2 Compliant WHAT DOES IT MEAN TO BE PCI COMPLIANT? PCI-DSS vs. PA-DSS PCI-DSS covers the overall security of Credit Card data storage and transmission. PA-DSS covers turnkey software that is installed on the client premises that needs to be PCI-compliant. WHAT DOES IT MEAN TO BE PCI COMPLIANT? Fundamental PCI Guidelines Don t store CC data if it s not absolutely needed. Mask CC data as much as possible. Encrypt CC data wherever it is stored. Implement controls so only people who need access to the unmasked CC data can see it. 2

3 THE PCI AUDIT PROCESS Agencies that sign a merchant agreement to process credit cards will be required to go through a PCI audit periodically. A vulnerability scan is performed to detect if any unusual ports or configurations are present in the agency s public-facing internet connection. Any issues found would need to be resolved or mitigated. Most customers will be able to do a self-assessment, in which the agency provides answers to a checklist of questions about the software and the agency environment. Very large customers may have an auditor come on site. CURRENT STATE OF TRAMS PRODUCTS CURRENT STATE OF TRAMS PRODUCTS Trams Back Office/ClientBase As of Trams Back Office 3.1 and ClientBase Windows 3.4, all regular CC and customer bank account data stored in the database is encrypted (AES 256-bit encryption). Credit card data is masked throughout the program and access to the full credit card number is controlled via permissions and accesses are logged. Enhanced Login Security can be enabled via the EUA option: Mandatory password strength settings. Users can change their own passwords. No reusing old passwords. Passwords expire based on set interval. 3

4 CURRENT STATE OF TRAMS PRODUCTS Database Central/CBMS All hosted databases are either encrypted or do not contain credit card data. Newly added DBC databases do not contain any credit card data. Existing DBC databases will be stripped of CC data (except masked data). CURRENT STATE OF TRAMS PRODUCTS Live Connect and Sync These systems pass encrypted data from ClientBase via web services or web apps. The data transmissions use SSL and HTTPS to encrypt data being sent from CB to the booking engine or Sync Web Service. TO BE DONE Encryption Key Rotation PCI requirement is that the encryption key be rotated (changed) at least yearly. We have a manual solution in place today and are working on a more automated process. Disable SYSDBA Login PCI requirement is that each user log in with a unique username. Currently, certain operations need to be done as SYSDBA. Change will be to prompt the administrative user for SYSDBA password when performing these operations and to restrict being able to log in as SYSDBA. Middle-Tier for TBO/CBW Active Directory integration (single sign-on). User lockout after multiple failed login attempts. Enhanced database security as users won t be accessing the database directly from their workstations. 4

5 3 RD PARTY ACCESS TO ENCRYPTED DATA Encryption vs. Hashing Credit Card data is stored encrypted and it s also stored hashed. The difference is that you can find records using the hash if you know what credit card number you re searching for, without having to know the encryption key. For example, a Credit Card reconciliation report, based on a file coming from the credit card company, already has the desired credit card number so the report can query matching credit card payments using the hash. Encryption UDF s 3 rd party reporting and utilities that need full access to the encrypted data can use our provided UDF s (user-defined functions) via SQL to encrypt and decrypt the credit card data in the database. The applications installed in the agency would need to know the agency s encryption key. Stay Connected facebook.com/sabretravel twitter.com/sabretn youtube.com/sabretravelnetwork agentstream.com sabretravelnetwork.com/blog 5