Credit Card Numbers / Security Code Best Practices PCI DSS

Transcription

1 Credit Card Numbers / Security Code Best Practices PCI DSS

2 1 Overview The aim of this document is to give the 'Credit Card numbers' and 'Security Code' best practices usage within the Amadeus Central system applications. Like all companies processing Credit Card data, Amadeus has to follow the PCI DSS rules (see PCI DSS section). PCI DSS requires strong data security (like concealment, encryption, access restriction ) in PNR and Profile elements containing Credit Card information. One of the major initiatives underway is to secure all PNR/Profile elements where credit card information is appended (e.g. Credit Card Concealment). Today, only the following fields can be populated with Credit Card information because only those fields are secured in Amadeus system: For PNR Elements: - Credit Card Numbers can only be entered in: - Guarantee fields for Hotel and Car segments: '/G' - Deposit fields for hotel and car segments: '/DP' - Special Service Request for Form of Identification: 'SSR FOID' - Special Service Request for Electronic Payment: 'SSR EPAY' - Form of Payment element: 'FP' - Form of Payment sub-elements in miscellaneous documents: 'MCO' and 'SVC'. - Security Code can only be entered in: - Special Service Request for Electronic Payment: 'SSR EPAY' - Form of Payment element/sub-elements: 'FP' For Profile Application: - Credit Card Numbers can be stored only in: - Guarantee fields for Hotel and Car segments: '/G' - Special Service Request for Form of Identification: 'SSR FOID' - Special Service Request for Electronic Payment: 'SSR EPAY' - Form of Payment element: 'FP' - Security Code must not be stored anywhere in the Profile application. All other PNR/Profile fields, and specially free-flow remarks and transferable entries, must not contain any Credit Card Information under any circumstances (neither Credit Card number nor Security Code). If a travel agent and/or airline populates any Credit Card information in other PNR/Profile fields (others than the approved ones listed above), airlines and/or travel agencies are at a high risk of breaching relevant industry security standards including PCI-DSS which could lead to serious consequences such as reputation loss and/or financial loss, fines, third party claims, etc N.V. Page 2 of 8

3 Free-flow text: Remarks, OSI fields and Profile notes: All free-flow text fields (like Remarks - 'RM', 'RC', 'RX', 'OSI' fields and Profile Notes) fall under the category that must not contain any credit card information (those PNR elements are not listed). There is some evidences that agents are making an inappropriate usage of some PNR fields to store Credit Card information - this must not be done anymore (see 'Illustration' section for some examples). Actions and responsibilities: If you are aware of any process that needs to store the Credit Card Information in other fields than the ones stated above, it is your responsibility to notify Amadeus: travel agencies can contact their Local Sales Representative. This will allow us to: - See with you the exact reason why you are using those fields to store card information. - Check if a secure and PCI DSS compliant solution can be proposed (or implemented). As part of the PCI DSS audit, Amadeus has committed to sanitize all the systems where the Credit Card information is not stored correctly (for instance, it can be mechanisms that detect Credit Card numbers in a PNR field and automatically remove it - with/without notification). It can impact at a first step all the logs and in a second step PNR and Profile: it means some strong business impacts for your products/solution/customers if this is not anticipated in advance. About PCI DSS: PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS is a new worldwide standard for consumer data protection. The purpose of PCI DSS is to help Credit Card processors improving data security measures, ultimately safeguarding cardholder information. Complying with PCI DSS can lead to increase consumer protection and loyalty, limiting the exposure to customer disputes as well as fraud. Information on PCI DSS program is available on 'PCI Security Standards Council' web site: N.V. Page 3 of 8

4 Requirement 3 in the PCI DSS Requirement 3 deals with the cardholder data protection. The below section is a copy/paste from the PCI DSS standards that deals with the Credit Card number/security Code policy: QUOTE Requirement 3: Protect stored cardholder data../.. - [Req 3.1] Keep cardholder information storage to a minimum - [Req 3.2] Do not store sensitive authentication data subsequent to authorization (not even if encrypted). - [Req 3.2.2] Do not store the card-validation code: three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data). - [Req 3.3] Mask account numbers when displayed (the first six and last four digits are the maximum number of digits to be displayed).../.. - [Req 3.4] Render Credit Card number, at minimum, unreadable anywhere it is stored... (equals to 'encryption' requirement) END Benefits: Amadeus ensures correct Credit Card processing security by being compliant with Credit Card schemes rules. It will enable our customers to reduce the risk of fraudulent actions within their own organization. It will also allow Amadeus to improve its Credit Card information processing for its customers N.V. Page 4 of 8

5 2 Illustrations This section gives the example of different PNR with Credit Information incorrectly and correctly inserted (Note that real Credit Card number, Passenger name and others confidential information had been removed or renamed in the PNR) Example 1: Inappropriate usage of RC and RM fields RP/HAMLT21BW/HAMLT21BW HO/SU 07FEB06/1144Z ZV EXAMPLE1/EXAMPLE MR 2 IB8428 R 12JUL 3 BCNLEI HK1 C *1A/E* 3 IB8419 H 18JUL 2 LEIBCN HK *1A/E* 4 AP PAX FRAU EXAMPLE 5 AP FIRMA EXAMPLE@COMPANY AG 6 AP GOETHE STRASSE BERLIN 7 AP FAX AP KD NR TK OK11JUL/HAMLT21BW//ETIB 10 RC HAMLT21BW-W/CVV CODE MASTER CARD 123 <== CVC2 information in clear in RC: prohibited 11 RM AX /1106 <== CC number in clear in RM: prohibited 12 FE PAX CHANGE/REFUND RESTRICTED/S FM PAX *C*0.00/S FP PAX CCCAXXXXXXXXXXXX5312/0407/A52134/S2-3 <== CC number concealed properly (FP element): OK Example 2: Inappropriate usage of RC and RM fields RP/BODVI378D/BODVI378D OC/PR 07FEB06/1155Z Y EXAMPLE2/PETER 2 AF6006 N 12AUG 6 ORYMRS HK W *1A/E* 3 AP AP BOD ADELINE 5 APE [email protected] 6 TK OK15JUN/BODVI378D//ETAF 7 RC BODVI378D-W/BODVI378D D0607 <== CC information in clear in RM: prohibited 8 RM CCN:QUINTON 9 RM CCVI 10 RM CVV: PRESENT 114 <== CVV2 information in clear in RM: prohibited 11 RM E-TKT SCRIPT 2009 N.V. Page 5 of 8

6 Example 3: Inappropriate usage of OSI field --- TST RLR --- RP/SELKE18BB/SELKE EXAMPLE3/JOHN MR(ADT) AA/SU 7JUL06/0352Z YIL123 2 KE5704 Y 12OCT 4 NRTICN HK *1A/ 3 KE 001 Y 19OCT 4 ICNNRT HK1 4 AP SEL *1A/E* 5 TK OK07JUL/SELKE18BB 6 OSI 1A KE RSVN NBR IS OSI YY FARE USD 8 OSI KE TKOK/SELKE18BB 9 OSI KE TIDTEST3 10 OSI YY MARTIN//AMADEUS.COM 11 OSI KE AP H 12 OSI KE MODCUSTOMER PICKUP AT AIRPORT 13 OSI KE MOPCHARGE MY CREDIT CARD 14 OSI KE FPCCVI CV123 <== CC number and CVV2 in clear in OSI: prohibited 15 OSI KE AB SUNITA AMADEUS/TEST CVC/WRONG NO AND CVC/BKK///TH 16 RM PRICING ENTRY FXP/R,UP,LAX.LAX 17 RM COSECONOMY Example 4: Correct usage of FP field --- RLR --- RP/MIA1S2CA1/MIA1S2CA1 ZZ/SU 6JAN06/1905Z YEV123 1.EXAMPLE4/NORMAN 2 AA1139 Y 20OCT 1 ORDMIA HK E* 3 AP MIA (305) AMADEUS - A 4 TK OK06JAN/MIA1S2CA1 5 FM *M*0 6 FP CCVIXXXXXXXXXXX2226/1207*CV/A555381/S2 <== CC number is concealed, CVV2 used correctly (FP): OK Example 5: Correct usage of SSR EPAY field RP/MUC1A0701/MUC1A0701 BM/PR 29MAY06/1351Z 2ST123 1.EXAMPLE5/ROSSANA 2 G31715 Y 20SEP 3 BSBCNF HK AP MUC - AMADEUS DEFAULT OFFICE - A 4 TK OK29MAY/MUC1A SSR EPAY G3 HN1 CCVIXXXXXXXXXXX1004/EXP08 09/NAME ANA CXXXX IXX <== CC number is concealed, CVV2 used correctly: OK 2009 N.V. Page 6 of 8

7 Example 6: Inappropriate usage of Profile Notes *F* SMITH/JOHN ZA9Z5X FREQUENT FLYER INFORMATION *ACTIVE* AIRLINE : 6X CUSTOMER TYPE : VIP TIER / PRIORITY : GOLD/1 ALLIANCE TIER : FF NUMBER : EXPIRY DATE : 02SEP PNR TRANSFERABLE DATA 1 A NM 1 SMITH/JOHN 2 A FFN 6X A ST /N/A * INTERNATIONAL 4 A SR SPML - NO FISH * DOMESTIC GENERAL INFORMATION 5 PCZ/ GB 6 PBD/ 19APR PAD/ LHR 8 PIC/ IBM 9 PJT/ PROJECT MANAGER 10 PSX/ M DOCUMENTS 11 PAS/ PT / PB /10JAN2000/10JAN PIV/ PT / /15DEC2000/15JUN PCE/ PT /GTR /15JAN2000/15JAN PID/ PT /Y /01JAN2001/31DEC PROFILE NOTES 1 AX /1106 <== CC number in clear in Profile Notes: prohibited Example 7: Inappropriate usage of Frequent Flyer Profile Number 2009 N.V. *F* SMITH/JOHN ZA9Z5X FREQUENT FLYER INFORMATION *ACTIVE* AIRLINE : 6X CUSTOMER TYPE : VIP TIER / PRIORITY : GOLD/1 ALLIANCE TIER : FF NUMBER : <== CC number should not be used as Frequent Flyer number EXPIRY DATE : 02SEP PNR TRANSFERABLE DATA 1 A NM 1 SMITH/JOHN 2 A FFN 6X A ST /N/A * INTERNATIONAL 4 A SR SPML - NO FISH * DOMESTIC GENERAL INFORMATION 5 PCZ/ GB 6 PBD/ 19APR PAD/ LHR 8 PIC/ IBM 9 PJT/ PROJECT MANAGER 10 PSX/ M DOCUMENTS 11 PAS/ PT / PB /10JAN2000/10JAN PIV/ PT / /15DEC2000/15JUN PCE/ PT /GTR /15JAN2000/15JAN PID/ PT /Y /01JAN2001/31DEC PROFILE NOTES 1 ALWAYS CHECK MEAL PREFERENCE Page 7 of 8

8 3 Glossary CCD: Stands for 'Credit Card Display'. This sign-in attribute is used to determine the agents authorized to view the Credit Card Information (CCD-Y) or those users not permitted to view the information (CCD-N). PNR: A record of each passenger's travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating travel provider. Security Code: Also known as card validation value (CVV2) or card validation code (CVC2). It is the three-digit value printed to the right of the credit card number in the signature panel area on the back of the card. For American Express cards, the code is a four-digit un-embossed number printed above the card number on the face of all payment cards. The code is uniquely associated with each individual piece of plastic and ties the card account number to the plastic N.V. Page 8 of 8