For users that are running CARS+ in a PA-DSS compliant mode, use this program to purge credit card data from the system.
For operations that are using the CARS+ Payments Service module with EMV devices, this program purges out the token that represents the renter's credit card.
As stressed in the
PCI-PA Implementation Guide, credit card data must be purged from the system after there is no longer a "legitimate business reason" to maintain it. There is no business reason to keep credit card numbers on file forever. Thermeon recommends removing any card that has not been used in over 2 years.
MORE ABOUT CREDIT CARD PURGINGIn overly simplistic terms, all credit card numbers are stored in a separate file while all other files in CARS+, like the RA and Deposit/Payment files, contain just the first and last four characters of the card number and a pointer to the record in the Credit Card file. Every time a record in the Credit card file is looked at or used, such as when it is used on a reservation or RA, a date in the credit card's record has the date of "last access" set to the current date. This purge program deletes credit card numbers whose "last-access" date is older than the requested Cut-Off date. For example, if you purge with the Cut-Off date set to 2 years ago, only credit card numbers which have not been seen or used in more than 2 years will be deleted.
This program
DOES NOT delete the "pointers" to deleted credit card records that may be in other CARS+ files. For example, if a customer who last rented before the most recent purge cut off date, returns to rent, the pointer in their Customer record will no longer point to an existing credit card record. When that occurs, the following message will be displayed: "CARD HAS BEEN PURGED, RE-ENTER IT".
The actual purging is a two step process. Once a record to be deleted is found, the card # is re-written with all 9's and saved. Then the newly saved record is deleted. This makes sure that no "shadow" image of the card # is still on the hard disk after the purging is complete.
USER NOTE: This means that even on your VIP customers, if they are inactive for more than the Cut-Off date, their credit card number will be purged as well. Therefore use this fact when determining what Cut Off date you wish to use. The default for this program is two years ago.
Credit Card numbers that are referenced in the following files are never purged:
- Corporate Account Records (CDPID) - as these cannot be re-added at the counter
- International Tours (IT file) - as these cannot be re-added at the counter
To purge these credit card numbers out of the credit card file, you must first remove their pointer from these files.
PCI requirements only apply to standard credit cards like VISA, MasterCard and American Express. Other charge cards like car rental issued accounts such as the Hertz Charge Card, Avis Central Billing Account, etc. fall outside the regulations of PCI. As such, there is no PCI rule that requires you to ever purge these non-standard card numbers off your system. By requesting only PCI Credit Cards (in field 2), only the following brands of cards will be purged if they meet all other purge criteria:
Brand Codes
|
Individual credit cards |
A
|
American Express |
| D |
Discover, Diners Club, Carte Blanche, Enroute, Novus |
| J |
JCB |
| M |
MasterCard |
| U |
China Union Pay |
| V |
VISA |
To access the Purge Credit card file program, type
PURGECC (RET) at any menu
"OPTION:" field or the appropriate line number on the Purge sub-menu of the System
Management menu. The screen will display as follows:
OPTION: __ PURGE CC File
1 Cut off Date 01-01-15
2 PCI Credit Cards only? Y
1DO PURGE 2 3 4 5BACKUP 6 7HELP 8
|
Enter data as follows:
|
1. CUT OFF DATE
|
Using your selected date format, enter a purge cut off date. Records whose last access date is either blank or older than the date entered here are subject for purging. The default date is today's date less two years ago.
EXAMPLE: Type 010114 (RET) |
|
2. PCI CREDIT CARDS ONLY?
|
Enter:
Y = Yes, only those credit cards that fall under the domain of PCI will be purged (Visa/MC, American Express, Discover and Diners), all other charge cards will be retained.
N = No, all records in the credit card file will be subject to purging, this includes car rental brand issued cards such as Hertz HCCs.
EXAMPLE: TYPE Y (RET) |
Press F1 to do the purge.