Credit Card Numbers / Security Code Best Practices PCI DSS




1 Overview

The aim of this document is to give best practices for the use of 'Credit Card numbers' and 'Security Code' within the Amadeus Central System applications. Like all companies processing credit card data, Amadeus has to follow the PCI DSS rules (see the 'About PCI DSS' section). PCI DSS requires strong data security (concealment, encryption, access restriction, etc.) for PNR and Profile elements containing credit card information. One of the major initiatives underway is to secure all PNR/Profile elements to which credit card information is appended (e.g. Credit Card Concealment).

Today, only the following fields may be populated with credit card information, because only those fields are secured in the Amadeus system:

For PNR elements:
- Credit card numbers can only be entered in:
  - Guarantee fields for Hotel and Car segments: '/G'
  - Deposit fields for Hotel and Car segments: '/DP'
  - Special Service Request for Form of Identification: 'SSR FOID'
  - Special Service Request for Electronic Payment: 'SSR EPAY'
  - Form of Payment element: 'FP'
  - Form of Payment sub-elements in miscellaneous documents: 'MCO' and 'SVC'
- Security codes can only be entered in:
  - Special Service Request for Electronic Payment: 'SSR EPAY'
  - Form of Payment element/sub-elements: 'FP'

For the Profile application:
- Credit card numbers can be stored only in:
  - Guarantee fields for Hotel and Car segments: '/G'
  - Special Service Request for Form of Identification: 'SSR FOID'
  - Special Service Request for Electronic Payment: 'SSR EPAY'
  - Form of Payment element: 'FP'
- Security codes must not be stored anywhere in the Profile application.

All other PNR/Profile fields, and especially free-flow remarks and transferable entries, must not contain any credit card information under any circumstances (neither credit card number nor security code).
If a travel agent and/or airline populates credit card information in PNR/Profile fields other than the approved ones listed above, the airline and/or travel agency runs a high risk of breaching industry security standards, including PCI DSS, which could lead to serious consequences such as reputation loss, financial loss, fines, third-party claims, etc.

2009 N.V. Page 2 of 8

Free-flow text: Remarks, OSI fields and Profile notes

All free-flow text fields (such as the Remarks 'RM', 'RC' and 'RX', the 'OSI' fields and Profile Notes) fall under the category that must not contain any credit card information: none of those elements is in the approved list above. There is evidence that agents are making inappropriate use of some PNR fields to store credit card information; this must stop (see the 'Illustrations' section for examples).

Actions and responsibilities

If you are aware of any process that needs to store credit card information in fields other than the ones stated above, it is your responsibility to notify Amadeus: travel agencies can contact their Local Sales Representative. This will allow us to:
- Review with you the exact reason why you are using those fields to store card information.
- Check whether a secure and PCI DSS compliant solution can be proposed (or implemented).

As part of the PCI DSS audit, Amadeus has committed to sanitize all systems where credit card information is not stored correctly (for instance, by mechanisms that detect credit card numbers in a PNR field and automatically remove them, with or without notification). In a first step this will affect all logs, and in a second step PNRs and Profiles: unless anticipated, this will have a strong business impact on your products, solutions and customers.

About PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS is a worldwide standard for the protection of cardholder data. Its purpose is to help organizations that process credit card data improve their security measures and so safeguard cardholder information. Complying with PCI DSS can increase consumer protection and loyalty and limit exposure to customer disputes and fraud. Information on the PCI DSS program is available on the 'PCI Security Standards Council' web site: https://www.pcisecuritystandards.org/

Requirement 3 in the PCI DSS

Requirement 3 deals with the protection of stored cardholder data. The section below is copied from the PCI DSS standard and covers the credit card number / security code policy:

QUOTE
Requirement 3: Protect stored cardholder data
../..
- [Req 3.1] Keep cardholder information storage to a minimum.
- [Req 3.2] Do not store sensitive authentication data subsequent to authorization (not even if encrypted).
- [Req 3.2.2] Do not store the card-validation code: three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data).
- [Req 3.3] Mask account numbers when displayed (the first six and last four digits are the maximum number of digits to be displayed).
../..
- [Req 3.4] Render Credit Card number, at minimum, unreadable anywhere it is stored... (in practice the 'encryption' requirement; the standard also accepts one-way hashes based on strong cryptography, truncation, and index tokens and pads as ways of making the number unreadable)
END

Note how the two rules apply to the illustrations below: in the FP and SSR EPAY elements of Examples 4 and 5 the card number is displayed concealed (Req 3.3) and the security code does not appear in clear (Req 3.2.2), whereas in free-flow fields both appear in clear and are stored as typed.

Benefits: by complying with the card schemes' rules, Amadeus ensures secure credit card processing. This enables our customers to reduce the risk of fraudulent actions within their own organization, and it allows Amadeus to improve its credit card information processing for its customers.

2 Illustrations

This section gives examples of PNRs with credit card information inserted incorrectly and correctly. (Real credit card numbers, passenger names and other confidential information have been removed or replaced in these PNRs.)

Example 1: Inappropriate usage of RC and RM fields

RP/HAMLT21BW/HAMLT21BW HO/SU 07FEB06/1144Z ZV1234
 1.EXAMPLE1/EXAMPLE MR
 2 IB8428 R 12JUL 3 BCNLEI HK1 C 2115 2230 *1A/E*
 3 IB8419 H 18JUL 2 LEIBCN HK1 1500 1615 *1A/E*
 4 AP PAX 123.456789 FRAU EXAMPLE
 5 AP FIRMA EXAMPLE@COMPANY AG
 6 AP GOETHE STRASSE 42 54321 BERLIN
 7 AP FAX 123.456789
 8 AP KD NR. 123456
 9 TK OK11JUL/HAMLT21BW//ETIB
10 RC HAMLT21BW-W/CVV CODE MASTER CARD 123   <== CVC2 information in clear in RC: prohibited
11 RM AX3750123456789/1106   <== CC number in clear in RM: prohibited
12 FE PAX CHANGE/REFUND RESTRICTED/S2-3
13 FM PAX *C*0.00/S2-3
14 FP PAX CCCAXXXXXXXXXXXX5312/0407/A52134/S2-3   <== CC number concealed properly (FP element): OK

Example 2: Inappropriate usage of RC and RM fields

RP/BODVI378D/BODVI378D OC/PR 07FEB06/1155Z Y31234
 1.EXAMPLE2/PETER
 2 AF6006 N 12AUG 6 ORYMRS HK1 0715 W 0735 0850 *1A/E*
 3 AP 0123456789
 4 AP BOD 0892.213.213 - ADELINE
 5 APE EXAMPLE2@COMPANY.COM
 6 TK OK15JUN/BODVI378D//ETAF
 7 RC BODVI378D-W/BODVI378D-49730123456789123D0607   <== CC information in clear in RC: prohibited
 8 RM CCN:QUINTON
 9 RM CCVI
10 RM CVV: PRESENT 114   <== CVV2 information in clear in RM: prohibited
11 RM E-TKT SCRIPT

Example 3: Inappropriate usage of OSI field

--- TST RLR ---
RP/SELKE18BB/SELKE1200 AA/SU 7JUL06/0352Z YIL123
 1.EXAMPLE3/JOHN MR(ADT)
 2 KE5704 Y 12OCT 4 NRTICN HK1 2 1425 1655 *1A/
 3 KE 001 Y 19OCT 4 ICNNRT HK1 4 1115 1330 *1A/E*
 4 AP SEL 123 456 789
 5 TK OK07JUL/SELKE18BB
 6 OSI 1A KE RSVN NBR IS 123-546
 7 OSI YY FARE999.99 USD
 8 OSI KE TKOK/SELKE18BB
 9 OSI KE TIDTEST3
10 OSI YY MARTIN//AMADEUS.COM
11 OSI KE AP123 456879123 H
12 OSI KE MODCUSTOMER PICKUP AT AIRPORT
13 OSI KE MOPCHARGE MY CREDIT CARD
14 OSI KE FPCCVI4444332222221111 0108 CV123   <== CC number and CVV2 in clear in OSI: prohibited
15 OSI KE AB SUNITA AMADEUS/TEST CVC/WRONG NO AND CVC/BKK///TH
16 RM PRICING ENTRY FXP/R,UP,LAX.LAX
17 RM COSECONOMY

Example 4: Correct usage of FP field

--- RLR ---
RP/MIA1S2CA1/MIA1S2CA1 ZZ/SU 6JAN06/1905Z YEV123
 1.EXAMPLE4/NORMAN
 2 AA1139 Y 20OCT 1 ORDMIA HK1 3 0600 1001 E*
 3 AP MIA (305) 406-8943 - AMADEUS - A
 4 TK OK06JAN/MIA1S2CA1
 5 FM *M*0
 6 FP CCVIXXXXXXXXXXX2226/1207*CV/A555381/S2   <== CC number is concealed, CVV2 used correctly (FP): OK

Example 5: Correct usage of SSR EPAY field

RP/MUC1A0701/MUC1A0701 BM/PR 29MAY06/1351Z 2ST123
 1.EXAMPLE5/ROSSANA
 2 G31715 Y 20SEP 3 BSBCNF HK1 0935 1045
 3 AP MUC - AMADEUS DEFAULT OFFICE - A
 4 TK OK29MAY/MUC1A0701
 5 SSR EPAY G3 HN1 CCVIXXXXXXXXXXX1004/EXP08 09/NAME ANA CXXXX IXX   <== CC number is concealed, CVV2 used correctly: OK

Example 6: Inappropriate usage of Profile Notes

*F* SMITH/JOHN ZA9Z5X
------ FREQUENT FLYER INFORMATION *ACTIVE*
AIRLINE         : 6X
CUSTOMER TYPE   : VIP
TIER / PRIORITY : GOLD/1
ALLIANCE TIER   :
FF NUMBER       : 12985321
EXPIRY DATE     : 02SEP10
------- PNR TRANSFERABLE DATA
 1 A NM 1 SMITH/JOHN
 2 A FFN 6X-12985321-1
 3 A ST /N/A * INTERNATIONAL
 4 A SR SPML - NO FISH * DOMESTIC
------- GENERAL INFORMATION
 5 PCZ/ GB
 6 PBD/ 19APR1971
 7 PAD/ LHR
 8 PIC/ IBM
 9 PJT/ PROJECT MANAGER
10 PSX/ M
------- DOCUMENTS
11 PAS/ PT /7007007PB /10JAN2000/10JAN2007
12 PIV/ PT /131310 /15DEC2000/15JUN2001
13 PCE/ PT /GTR99456765 /15JAN2000/15JAN2002
14 PID/ PT /Y999647555 /01JAN2001/31DEC2001
------- PROFILE NOTES
 1 AX3750123456789/1106   <== CC number in clear in Profile Notes: prohibited

Example 7: Inappropriate usage of Frequent Flyer Profile Number

*F* SMITH/JOHN ZA9Z5X
------ FREQUENT FLYER INFORMATION *ACTIVE*
AIRLINE         : 6X
CUSTOMER TYPE   : VIP
TIER / PRIORITY : GOLD/1
ALLIANCE TIER   :
FF NUMBER       : 4444332222221111   <== CC number should not be used as Frequent Flyer number
EXPIRY DATE     : 02SEP10
------- PNR TRANSFERABLE DATA
 1 A NM 1 SMITH/JOHN
 2 A FFN 6X-4444332222221111-1
 3 A ST /N/A * INTERNATIONAL
 4 A SR SPML - NO FISH * DOMESTIC
------- GENERAL INFORMATION
 5 PCZ/ GB
 6 PBD/ 19APR1971
 7 PAD/ LHR
 8 PIC/ IBM
 9 PJT/ PROJECT MANAGER
10 PSX/ M
------- DOCUMENTS
11 PAS/ PT /7007007PB /10JAN2000/10JAN2007
12 PIV/ PT /131310 /15DEC2000/15JUN2001
13 PCE/ PT /GTR99456765 /15JAN2000/15JAN2002
14 PID/ PT /Y999647555 /01JAN2001/31DEC2001
------- PROFILE NOTES
 1 ALWAYS CHECK MEAL PREFERENCE
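The 'Actions and responsibilities' section says Amadeus will deploy mechanisms that detect card numbers in PNR fields and remove them; the Overview lists the only elements in which card data may sit, and Requirement 3.3 fixes how a displayed number must be masked. The following is an added Python example, written for this page and not code from the original Amadeus document, that puts the three together as a scanner over PNR and profile display lines like the illustrations above: it splits each line into element code and text, finds contiguous 13 to 19 digit runs that pass the Luhn check and security-code labels followed by 3 or 4 digits, reports those found in a non-approved element, and returns the line with the number concealed to its last four digits and the code digits dropped. Assumptions not stated on the page: hotel and car segments (the '/G' and '/DP' fields) are taken to display under the codes HHL and CCR, lines of unrecognised layout are labelled FREE-TEXT, and the sample lines are constructed, with the public test numbers 4111111111111111, 5555555555554444 and 378282246310005 in place of the document's altered numbers.

```python
import re
from dataclasses import dataclass

# Elements in which the Overview allows a card number. '/G' and '/DP' live in
# hotel and car segments, assumed here (not stated on the page) to display as HHL and CCR.
PAN_ALLOWED_PNR = {"FP", "SSR FOID", "SSR EPAY", "MCO", "SVC", "HHL", "CCR"}
PAN_ALLOWED_PROFILE = {"FP", "SSR FOID", "SSR EPAY", "HHL", "CCR"}
# Elements in which a security code may be entered: two in a PNR, none in a profile.
CODE_ALLOWED_PNR = {"FP", "SSR EPAY"}
CODE_ALLOWED_PROFILE = set()

# "<n> <element> <text>" as in the displays above; the optional "A" is the
# transferable-data marker of profile lines ("2 A FFN ...").
ELEMENT_RE = re.compile(r"^(\s*\d+\s+(?:A\s+)?(SSR\s+[A-Z]{4}|[A-Z]{2,3})(?:\s+|$))(.*)$")
# A contiguous run of 13 to 19 digits (the PAN lengths in use), not part of a longer run.
PAN_RE = re.compile(r"(?<![0-9])[0-9]{13,19}(?![0-9])")
# A security-code label followed within a few characters by 3 or 4 digits.
CODE_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID|CV)(?![A-Z])[^0-9]{0,24}?([0-9]{3,4})(?![0-9])", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Conceal all but the last four digits, as the FP and SSR EPAY displays
    above do; PCI DSS Req 3.3 would also permit showing the first six."""
    return "X" * (len(digits) - 4) + digits[-4:]

@dataclass(frozen=True)
class Finding:
    element: str
    kind: str    # "PAN" or "SECURITY CODE"
    masked: str  # what the sanitised line shows instead

def split_element(line: str):
    """Return (prefix, element code, text); lines of unknown layout are free text."""
    m = ELEMENT_RE.match(line)
    if not m:
        return "", "FREE-TEXT", line
    prefix, element, text = m.groups()
    return prefix, re.sub(r"\s+", " ", element), text

def scan_element(element: str, text: str, profile: bool = False):
    """Return (findings, sanitised text) for one PNR or profile element."""
    pan_ok = element in (PAN_ALLOWED_PROFILE if profile else PAN_ALLOWED_PNR)
    code_ok = element in (CODE_ALLOWED_PROFILE if profile else CODE_ALLOWED_PNR)
    findings = []

    def pan_repl(m):
        digits = m.group(0)
        if pan_ok or not luhn_ok(digits):  # approved element, or not a card number
            return digits
        masked = mask_pan(digits)
        findings.append(Finding(element, "PAN", masked))
        return masked

    def code_repl(m):
        if code_ok:
            return m.group(0)
        findings.append(Finding(element, "SECURITY CODE", "***"))
        # keep the label, drop the digits: Req 3.2.2 forbids storing them at all
        return m.group(0)[: m.start(1) - m.start()] + "***"

    return findings, CODE_RE.sub(code_repl, PAN_RE.sub(pan_repl, text))

def scan_display(lines, profile: bool = False):
    """Scan a whole PNR or profile display; return (findings, sanitised lines)."""
    report, cleaned = [], []
    for line in lines:
        prefix, element, text = split_element(line)
        found, clean = scan_element(element, text, profile)
        report.extend(found)
        cleaned.append(prefix + clean)
    return report, cleaned

# Constructed sample modelled on the illustrations above, using the public
# Luhn-valid test numbers 4111111111111111, 5555555555554444 and 378282246310005.
SAMPLE_PNR = [
    "10 RC HAMLT21BW-W/CVV CODE MASTER CARD 123",
    "11 RM AX378282246310005/1106",
    "14 OSI KE FPCCVI4111111111111111 0108 CV123",
    "14 FP PAX CCCAXXXXXXXXXXXX5312/0407/A52134/S2-3",
    " 6 AP GOETHE STRASSE 42 54321 BERLIN",
]
SAMPLE_PROFILE = [" 2 A FFN 6X-5555555555554444-1", " 1 ALWAYS CHECK MEAL PREFERENCE"]

if __name__ == "__main__":
    for label, lines, profile in (("PNR", SAMPLE_PNR, False), ("PROFILE", SAMPLE_PROFILE, True)):
        findings, cleaned = scan_display(lines, profile)
        print(f"--- {label}: {len(findings)} finding(s)", *findings, *cleaned, sep="\n")
```

Run stand-alone, the sample PNR yields four findings (the code in RC, the number in RM, the number and the code in OSI) and the sample profile one (the card number used as FFN), while the FP line, the AP line and the meal-preference note are left untouched. Two caveats apply to any such detector: a random run of 13 to 19 digits passes Luhn one time in ten, so a document or booking reference can be flagged (a scanner used to delete rather than report should confirm against the card schemes' issuer ranges or log the element for review first), and the label regex is a heuristic that will miss a code typed without any label at all, as in the 'MASTER CARD 123' style of Example 1 if the word 'CVV' were absent. The page does not describe how Amadeus' own sanitization mechanism decides; this block is one reasonable implementation of the rules it states.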

3 Glossary

CCD: Stands for 'Credit Card Display'. This sign-in attribute determines which agents are authorized to view credit card information (CCD-Y) and which are not (CCD-N).

PNR: A record of each passenger's travel requirements, containing all information necessary for reservations to be processed and controlled by the booking and participating travel providers.

Security Code: Also known as card validation value (CVV2) or card validation code (CVC2). It is the three-digit value printed to the right of the credit card number in the signature panel area on the back of the card. For American Express cards, the code is a four-digit, non-embossed number printed above the card number on the face of the card. The code is uniquely associated with each individual piece of plastic and ties the card account number to that plastic.