How secure are credit card transactions? Is BookingCenter PCI compliant? The Visa Stored Credential Mandate
Posted by - NA - on 10 Jan 2008 12:58 PM
How secure are credit card transactions? Is BookingCenter PCI compliant?

The BookingCenter system is behind our corporate firewall, runs with strict security permissions, and is monitored 24 hours a day, 7 days a week by our staff in Canada, Australia, and the United States. We also operate sophisticated backup procedures to assure your data is never compromised.

In 2017, the Visa Stored Credential Mandate was issued, and it affects the storage of credit card data. This can be confusing for the hotel industry, which often needs to store credit card data from the time of booking through check-out. Here is an example of what Visa is referring to in the Mandate:

When a cardholder provides a payment credential to a hotel to cover charges for a specific reservation (confirming a specific booking with an arrival date in the future, the ability to pay for food, movies, parking, etc.), that is not considered a stored credential. When a cardholder provides a payment credential to a hotel to cover future potential reservations (i.e. a membership profile), that is considered a stored credential. Very few BookingCenter customers do this, and our software would not allow for it, as the card is automatically 'expunged' no more than 90 days after checkout, as documented in the Credit Card Retention Settings area.

If a business is going to store a credential for the first time (which Visa does allow), it must do so after an approved authorization or a valid Account Number Verification. It cannot get a decline and then store the credential for the first time. The business must also follow all of Visa's disclosure rules, notifying the customer that it will be storing their card number. If your business wishes to store credit card data in a way that the Mandate covers, then you must have notification procedures in place with your customers, and you can't store the cards in MyPMS (as they will get expunged).
BookingCenter does store manually entered and swiped credit card data for a user-defined period (from 1-90 days) from the departure date. The entire card is stored encrypted using both Oracle and private/public key encryption schemas for this time period. After 6 months, the card number is deleted from all systems, except the last 4 digits and expiration date, which are saved for later retrieval to match with folio entries. No 'swiped data' is ever stored, nor are 'card ID' values stored. All auth, batch, and settlement data is transferred via TLS 1.2 through TSYS' 'Sierra' platform via their SSL 2 gateway specification.

There is a good article at https://www.pcisecuritystandards.org/saq/how_it_fits.shtml that shows how it 'all fits together'. We have done exactly what is required for PCI compliance, as evidenced by the numerous merchants we board each week.

We sometimes get requests for our certification to be a Level 1 PCI certification. BookingCenter will likely never become a Level 1 PCI provider, as that costs a lot of money to certify and far exceeds the number of transactions we process annually. We are Level 4 due to the volume of our current transactions, but are certified as a Level 3, as we continue to grow. For reference, the general Mastercard guideline for determining PCI level that BookingCenter falls within is Level 2: 300,000 or fewer total combined MasterCard and Maestro transactions annually.
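As an added illustration of the retention rule described above (this is not BookingCenter's own code; the record layout, function names and sample bookings are assumptions), here is a purge job that enforces the 1-90 day window after departure and keeps only the last 4 digits and expiry for folio matching:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hard cap from the retention rule: the full card number must be gone
# no later than 90 days after departure, whatever the user-defined setting is.
MAX_RETENTION_DAYS = 90


@dataclass
class CardRecord:
    booking_id: str
    departure: date
    last4: str            # kept for matching folio entries after the PAN is gone
    expiry: str           # MM/YY, kept alongside last4
    pan: Optional[str]    # full card number; None once expunged


def retention_is_valid(days: int) -> bool:
    """A user-defined retention setting must lie in the 1-90 day range."""
    return 1 <= days <= MAX_RETENTION_DAYS


def store_card(booking_id: str, departure: date, pan: str, expiry: str) -> CardRecord:
    """Create a record at booking time; last4 is derived now so it survives expunging."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return CardRecord(booking_id, departure, digits[-4:], expiry, digits)


def purge_date(departure: date, retention_days: int) -> date:
    """First day on which the full PAN for this booking must no longer exist."""
    if not retention_is_valid(retention_days):
        raise ValueError("retention must be between 1 and %d days" % MAX_RETENTION_DAYS)
    return departure + timedelta(days=retention_days)


def expunge_due(records: List[CardRecord], retention_days: int, today: date) -> List[CardRecord]:
    """Daily job: drop the PAN from every record whose purge date has arrived."""
    for rec in records:
        if rec.pan is not None and today >= purge_date(rec.departure, retention_days):
            rec.pan = None
    return records


def demo() -> dict:
    """Constructed sample: two bookings, a 30-day retention setting, run on 15 Feb 2024."""
    records = [
        store_card("BK-1001", date(2024, 1, 10), "4111 1111 1111 1111", "12/26"),  # test PAN
        store_card("BK-1002", date(2024, 2, 1), "5555 5555 5555 4444", "03/27"),   # test PAN
    ]
    expunge_due(records, 30, date(2024, 2, 15))
    return {r.booking_id: (r.pan, r.last4, r.expiry) for r in records}
```

In the sample, BK-1001 (departed 10 Jan, purge date 9 Feb) loses its PAN while BK-1002 (purge date 2 Mar) still holds it; both keep last4 and expiry.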