CB/TBO advanced: Trams Products and PCI Compliance




Dan Palley, CTO, Trams and ClientBase Products and Services

DATA SECURITY DISCUSSION POINTS
- Data Privacy vs. Data Security
- What Does it Mean to be PCI-Compliant?
- The PCI Audit Process
- Current State of Trams Products
- To Be Done
- 3rd Party Access to Encrypted Data

DATA PRIVACY VS. DATA SECURITY
PCI covers data security around credit card data: specifically, how that data is stored and transmitted and who can access it. Personal information such as addresses, phone numbers, SSNs, etc. is referred to as PII and is not specifically addressed by PCI. Securing PII data and ensuring the user's privacy are important, but separate, issues.

WHAT DOES IT MEAN TO BE PCI COMPLIANT?
https://www.pcisecuritystandards.org/index.shtml

PCI-DSS vs. PA-DSS
- PCI-DSS covers the overall security of credit card data storage and transmission.
- PA-DSS covers turnkey software that is installed on the client premises and needs to be PCI-compliant.

Fundamental PCI Guidelines
- Don't store CC data if it's not absolutely needed.
- Mask CC data as much as possible.
- Encrypt CC data wherever it is stored.
- Implement controls so only people who need access to the unmasked CC data can see it.

THE PCI AUDIT PROCESS
Agencies that sign a merchant agreement to process credit cards will be required to go through a PCI audit periodically. A vulnerability scan is performed to detect whether any unusual ports or configurations are present on the agency's public-facing internet connection; any issues found would need to be resolved or mitigated. Most customers will be able to do a self-assessment, in which the agency provides answers to a checklist of questions about the software and the agency environment. Very large customers may have an auditor come on site.

CURRENT STATE OF TRAMS PRODUCTS
Trams Back Office/ClientBase
As of Trams Back Office 3.1 and ClientBase Windows 3.4, all regular CC and customer bank account data stored in the database is encrypted (AES 256-bit encryption). Credit card data is masked throughout the program; access to the full credit card number is controlled via permissions, and accesses are logged.
Enhanced Login Security can be enabled via the EUA option:
- Mandatory password strength settings.
- Users can change their own passwords.
- No reusing old passwords.
- Passwords expire based on a set interval.

Database Central/CBMS
- All hosted databases are either encrypted or do not contain credit card data.
- Newly added DBC databases do not contain any credit card data.
- Existing DBC databases will be stripped of CC data (except masked data).

Live Connect and Sync
These systems pass encrypted data from ClientBase via web services or web apps. The data transmissions use SSL and HTTPS to encrypt data being sent from CB to the booking engine or the Sync Web Service.

TO BE DONE
Encryption Key Rotation
The PCI requirement is that the encryption key be rotated (changed) at least yearly. We have a manual solution in place today and are working on a more automated process.

Disable SYSDBA Login
The PCI requirement is that each user log in with a unique username. Currently, certain operations need to be done as SYSDBA. The change will be to prompt the administrative user for the SYSDBA password when performing these operations and to restrict being able to log in as SYSDBA.

Middle-Tier for TBO/CBW
- Active Directory integration (single sign-on).
- User lockout after multiple failed login attempts.
- Enhanced database security, as users won't be accessing the database directly from their workstations.
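The Enhanced Login Security settings listed under the current state (password strength, no reuse of old passwords, expiry on an interval) and the user lockout planned for the middle tier are small pieces of logic that are easy to get subtly wrong. The Go program below is an added example written for this page, not Trams or ClientBase code: the policy values, the PBKDF2-HMAC-SHA256 password hashing, and the Account structure are all assumptions of the example, chosen to show how those four rules fit together in one login path.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy values are constructed for this example; a real product would make them configurable.
const (
	minLength        = 12
	historyDepth     = 5                   // old passwords that may not be reused
	passwordLifetime = 90 * 24 * time.Hour // expiry interval
	maxFailures      = 5                   // failed logins before lockout
	lockoutDuration  = 15 * time.Minute
	kdfIterations    = 50_000 // example value; production should use a much higher count
)

var errReuse = errors.New("password was used recently and may not be reused")

type storedPassword struct {
	salt, hash []byte
	setAt      time.Time
}

// Account is the per-user state the middle tier would keep; the password itself is never stored.
type Account struct {
	current     storedPassword
	history     []storedPassword
	failures    int
	lockedUntil time.Time
}

// derive is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block, written inline so the
// example needs nothing outside the Go standard library.
func derive(password, salt []byte) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func (s storedPassword) matches(pw string) bool {
	return s.hash != nil && subtle.ConstantTimeCompare(s.hash, derive([]byte(pw), s.salt)) == 1
}

// CheckStrength enforces a minimum length plus at least one letter, one digit and one symbol.
func CheckStrength(pw string) error {
	if len(pw) < minLength {
		return fmt.Errorf("password must be at least %d characters", minLength)
	}
	isSymbol := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	if strings.IndexFunc(pw, unicode.IsLetter) < 0 || strings.IndexFunc(pw, unicode.IsDigit) < 0 ||
		strings.IndexFunc(pw, isSymbol) < 0 {
		return errors.New("password needs a letter, a digit and a symbol")
	}
	return nil
}

// SetPassword applies the strength and no-reuse rules, then moves the old hash into history.
func (a *Account) SetPassword(pw string, now time.Time) error {
	if err := CheckStrength(pw); err != nil {
		return err
	}
	if a.current.matches(pw) {
		return errReuse
	}
	for _, old := range a.history {
		if old.matches(pw) {
			return errReuse
		}
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	if a.current.hash != nil {
		a.history = append(a.history, a.current)
		if len(a.history) > historyDepth {
			a.history = a.history[len(a.history)-historyDepth:]
		}
	}
	a.current = storedPassword{salt: salt, hash: derive([]byte(pw), salt), setAt: now}
	return nil
}

type LoginResult int

const (
	LoginOK LoginResult = iota
	LoginBadPassword
	LoginLocked
	LoginExpired
)

// Login counts failures and locks the account after maxFailures. Expiry is reported only
// after a correct password, so a caller without the password learns nothing from it.
func (a *Account) Login(pw string, now time.Time) LoginResult {
	if now.Before(a.lockedUntil) {
		return LoginLocked
	}
	if !a.current.matches(pw) {
		a.failures++
		if a.failures >= maxFailures {
			a.lockedUntil, a.failures = now.Add(lockoutDuration), 0
		}
		return LoginBadPassword
	}
	a.failures = 0
	if now.Sub(a.current.setAt) > passwordLifetime {
		return LoginExpired
	}
	return LoginOK
}

func main() {
	var a Account
	now := time.Now()
	fmt.Println("weak password rejected:", a.SetPassword("password", now))
	fmt.Println("set:", a.SetPassword("Trams-Demo-2014!", now), "login:", a.Login("Trams-Demo-2014!", now))
}
```

Two details carry most of the security value: the reuse check has to re-derive the candidate password under each historical salt rather than compare raw strings, and the lockout check runs before the password comparison so a locked account does not keep consuming hashing time or leaking which guesses were right.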

3RD PARTY ACCESS TO ENCRYPTED DATA
Encryption vs. Hashing
Credit card data is stored encrypted, and it's also stored hashed. The difference is that you can find records using the hash if you know what credit card number you're searching for, without having to know the encryption key. For example, a credit card reconciliation report, based on a file coming from the credit card company, already has the desired credit card number, so the report can query matching credit card payments using the hash.

Encryption UDFs
3rd-party reporting and utilities that need full access to the encrypted data can use our provided UDFs (user-defined functions) via SQL to encrypt and decrypt the credit card data in the database. The applications installed in the agency would need to know the agency's encryption key.

Stay Connected: facebook.com/sabretravel, twitter.com/sabretn, youtube.com/sabretravelnetwork, agentstream.com, sabretravelnetwork.com/blog
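The Go program below is an added example, not Trams code or its UDFs, that puts the pattern from the Fundamental PCI Guidelines, the key-rotation item under To Be Done, and the encryption-vs-hashing section into one runnable piece: a card number is stored masked, AES-256-encrypted, and hashed for lookup; a report finds matching rows by hash without ever holding the encryption key; and a rotation re-encrypts every row under a new key. AES-GCM as the mode, a separate secret for the lookup hash, the record layout, and the test card numbers are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is what a database row would hold; the plaintext PAN never lands on disk.
type CardRecord struct {
	Masked     string // e.g. "************1111": safe to show anywhere in the program
	Nonce      []byte // per-record AES-GCM nonce
	Ciphertext []byte // AES-256-GCM ciphertext of the PAN
	LookupHash string // keyed hash of the PAN; lets reports find the row without the key
}

// MaskPAN keeps only the last four digits and hides the rest.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// LookupHash is HMAC-SHA256 over the PAN. Keying the hash is this example's own choice (an
// assumption, not something the slides state): the space of valid card numbers is small
// enough that a bare SHA-256 column could be brute-forced offline by anyone who reads the table.
func LookupHash(lookupKey []byte, pan string) string {
	m := hmac.New(sha256.New, lookupKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt builds the stored record. The masked value is bound as additional authenticated
// data, so a ciphertext copied into another row fails to decrypt there.
func Encrypt(encKey, lookupKey []byte, pan string) (CardRecord, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return CardRecord{}, err
	}
	masked, nonce := MaskPAN(pan), mustRandom(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(masked))
	return CardRecord{Masked: masked, Nonce: nonce, Ciphertext: ct, LookupHash: LookupHash(lookupKey, pan)}, nil
}

// Decrypt is the privileged path: only a caller holding encKey gets the full PAN.
func Decrypt(encKey []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Masked))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// FindByPAN is the reconciliation-report case: the caller already knows the card number and
// wants the matching rows, so only the lookup key is needed, never the encryption key.
func FindByPAN(lookupKey []byte, records []CardRecord, pan string) []int {
	want := []byte(LookupHash(lookupKey, pan))
	var matches []int
	for i, r := range records {
		if hmac.Equal([]byte(r.LookupHash), want) {
			matches = append(matches, i)
		}
	}
	return matches
}

// RotateKey re-encrypts every record under newKey (the yearly rotation). Lookup hashes are
// untouched because they depend on the separate lookup key, so reports keep working throughout.
func RotateKey(oldKey, newKey, lookupKey []byte, records []CardRecord) error {
	for i := range records {
		pan, err := Decrypt(oldKey, records[i])
		if err != nil {
			return fmt.Errorf("record %d: %w", i, err)
		}
		if records[i], err = Encrypt(newKey, lookupKey, pan); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	encKey, lookupKey, newKey := mustRandom(32), mustRandom(32), mustRandom(32)
	var records []CardRecord
	for _, pan := range []string{"4111111111111111", "5555555555554444"} { // constructed test PANs
		rec, err := Encrypt(encKey, lookupKey, pan)
		if err != nil {
			panic(err)
		}
		records = append(records, rec)
	}
	fmt.Println("stored as", records[0].Masked, "; rows for first PAN:", FindByPAN(lookupKey, records, "4111111111111111"))
	if err := RotateKey(encKey, newKey, lookupKey, records); err != nil {
		panic(err)
	}
	pan, _ := Decrypt(newKey, records[0])
	fmt.Println("after rotation the row still decrypts to", MaskPAN(pan))
}
```

The separation of keys is the point to take from this: a reporting process that only needs to match known card numbers can be given the lookup key and nothing else, while the agency's encryption key stays with the few components that must produce an unmasked number, which is the access-control rule from the guidelines above expressed in what each process is allowed to hold.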