Synxis PCI Compliance

Similar documents
COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Payment Card Industry Compliance

Payment Card Industry Data Security Standard Explained

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Frequently Asked Questions

PCI Compliance Overview

Payment Card Industry Data Security Standard

Two Approaches to PCI-DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Your Compliance Classification Level and What it Means

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Payment Card Security

Kim Decarolis Compliance and Security Specialist (248) Mark Wayne Vice President Compliance and Security Specialist

Achieving Compliance with the PCI Data Security Standard

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

PCI DATA SECURITY STANDARD OVERVIEW

How To Protect Your Credit Card Information From Being Stolen

Technical breakout session

What a Processor Needs from a University to Validate Compliance

PCI COMPLIANCE FOR HIGHER EDUCATION BEST PRACTICES CHECKLIST. Presented By: The Treasury Institute for Higher Education.

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

PCI DSS. Payment Card Industry Data Security Standard.

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Payment Card Industry Compliance Overview

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standards

Credit Card Processing Overview

A PCI Journey with Wichita State University

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Merchant guide to PCI DSS

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Understanding Payment Card Industry (PCI) Data Security

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Achieving PCI Compliance for Your Site in Acquia Cloud

Josiah Wilkinson Internal Security Assessor. Nationwide

CardControl. Credit Card Processing 101. Overview. Contents

A Compliance Overview for the Payment Card Industry (PCI)

How To Ensure Account Information Security

PCI Standards: A Banking Perspective

PCI DSS. CollectorSolutions, Incorporated

Becoming PCI Compliant

La règlementation VisaCard, MasterCard PCI-DSS

Payment Card Industry Data Security Standards (PCI-DSS) Guide for Contact Center Managers

PCI: It Never Ends. Why?

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

VISA EUROPE ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME FREQUENTLY ASKED QUESTIONS (FAQS)

Achieving Compliance with the PCI Data Security Standard

PCI Compliance Just the Facts. Rick Dakin President ext. 7001

Adyen PCI DSS 3.0 Compliance Guide

Payment Card Industry Data Security Standard

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

PCI Requirements Coverage Summary Table

Enforcing PCI Data Security Standard Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI Compliance Top 10 Questions and Answers

Why Is Compliance with PCI DSS Important?

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

How To Program A Credit Card Terminal To Be A Pca Compliant (Cpo) Or Not (Pca) Compliant (Dns) (Cisp) (Dhs) (Pci) (Susu) (Usu/

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

North Carolina Office of the State Controller Technology Meeting

Payment Card Industry Data Security Standards.

Transcription:

Synxis PCI Compliance Tuesday, April 15, 2008 Tom Murray Vice President of Technology

SynXis PCI Agenda Company Overview Why PCI - Drivers Synxis PCI History PCI Challenges 2008 Objectives Lessons Learned 2

SynXis Company Overview History Founded 1996 Provide RedX Distribution Management System via SaaS model A Web-based Central Reservations System Year over year growth and a recognized industry innovator Acquired by Sabre Holdings in January 2005 Approx. 8,000 properties in over 100 countries Management Seasoned management team with impressive hospitality, operations, and technology backgrounds International organization with offices in USA, Europe, South America and Asia SynXis Mission Energize and optimize hotel distribution and marketing 3

Who is Sabre Holdings? The world leader in travel commerce, retail travel products and providing distribution and technology solutions for the travel industry. A privately held company recently acquired by Silver Lake Partners and Texas Pacific Group, private equity firms. Businesses include: Quick Facts Headquartered in Southlake, Texas 9,000 employees in 52 countries $80 billion of travel products and services sold through Sabre systems 2007 total revenue approximately 3 billion (USD) 4

SynXis Distribution Landscape Global Distribution Systems Web Sites and Travel Portals Booking Engine Voice Hotel Web Site Group Web Site Chain Web Site Corporate Internet SynXis Call Center Hotel Reservation Office, CRO, Property GDS Channel Connect Guest Connect Voice Agent RedX Distribution Management System High Volume Real Time Transaction Processing Reliability 99.9% - 24/7 Channel Management Single Image Inventory All Profiles, Reservations Property Connect Hotel PMS Local property integration Data collection point Accounting Property Connect RMS Optimization of rates, controls, inventory Data exchange Property Connect CRM Guest loyalty programs Guest recognition Segmentation 5

SynXis Customers 6

SynXis What is PCI? Payment Card Industry (PCI) Data Security Standard Requirements for protection of Payment Account Data Security Standard Published by PCI Security Standards Council VISA, MasterCard, Discover, American Express & Others Twelve Requirement spanning; Security Management Policies Procedures Network Architecture Software Design And other areas https://www.pcisecuritystandards.org/index.htm http://usa.visa.com/merchants/risk_management/cisp.html 7

SynXis Why PCI Compliance? Customer Drivers Growing Awareness of PCI Pressure from Financial Institutions Requiring Contractual Commitments for compliance Internal Drivers Protect Customer Data Adherence to Best Practices in Network, Data and Application Security Corporate Objective for Sabre Holdings Payment Authorization in the Future Competitive 8

SynXis PCI - History Level 2 Service Provider per VISA CISP Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 VISA accounts/transactions annually. We do 6,000,000+ bookings per year We do not process payments but hold CVV for 48 hours Third Party Audit required PCI self-assessment in mid 2006 Third Party Audit started late 2006 Audit completed December 2007 AMEX DSOP (Data Security Operating Procedure) compliance certified in December, 2007 PCI Report On Compliance (ROC) accepted by VISA, January 2008 9

SynXis PCI Challenges General Interpretation of Standard Contracted for Informal Review of self assessment and network environment Validated strategy for Gap Closure & compensating controls Resources Significant Effort and Impact across Technology organization Network / Infrastructure Mostly Minor but time intensive E.g. Firewall Rules to be most restrictive Quarterly Network Vulnerability Scanning Process Documentation, Formalization and Education 10

SynXis PCI Challenges Data Enhanced Encryption of Sensitive Data Upgraded to Triple DES Encryption in business layer 24 Hour Purging of CVV Credit card details purged 60 days after departure Removal of Credit Card Information from all logs Masking of Credit Card Information in all reports Masking of Credit Card information on most pages Viewable via a single web page with explicit viewership Implementation of encryption key management application Version Key management Split master key 11

SynXis PCI Challenges Application Identifying & Eliminating Application Vulnerabilities Contracted a Third Party Application Vulnerability Scan to satisfy PCI clean Third Party Scans for each new product release (4x annual) as an alternative to code reviews Developer Education on Open Web Application Security Project (OWASP) standards and best practices Third Party Connectivity Reviewed all third party connectivity (OpenTravel, HTNG, other) Over 60 different interfaces All communications via HTTPS Satisfies PCI No OpenTravel Schema or coding Impact 12

SynXis PCI 2008 Objectives Ongoing Quarterly internal Reviews to maintain compliance Quarterly Network Vulnerability Scans Application Vulnerability Scans for each new release Planned Moving from Service Provider to Merchant Introduction of Payment Processing in 2008 Evaluating Payment Applications Best Practices (PABP) Standard Preparing for 2008 Audit Moving Data Center Evaluating Message level encryption & other enhancements Monitoring OpenTravel Evaluating Application Firewalls 13

SynXis PCI Lessons Learned Larger Than Expected Effort PCI affects all aspects of the environment Application Database Network Administrative / Hiring Procedures and Processes Need realistic resource allocation and commitment Project Planning Consulting Assistance Valuable Minimal Hours Interpretation and Clarification of the Standard Validation of Remediation Plan for Gaps 14

SynXis PCI Lessons Learned Worth It Enforces Best Practices Results in a More Secure Environment Benefits Customers Benefits Synxis PCI is a continuous Effort Quarterly Scans Quarterly Reviews Annual Audits 15

Questions? 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information