PA-DSS (short for Payment Application Data Security Standard) is the set of standards developed for software applications, like CARS+, that are used as a point of sale (POS) application at the counter and that process credit card numbers but do not themselves perform authorizations or settlement. (This used to be called PABP, Payment Application Best Practices.)
As a software developer, it is Thermeon’s responsibility to design a system that can be configured and run in compliance with these standards.
As a user, it is your responsibility to run the system in a compliant mode. Failure to run the system in a compliant mode exposes you to the possibility of punitive fines from the credit card providers if there is a security breach of your data.
General notes:
This chapter includes the following sections:
I. Overview of the methods used for credit card handling in CARS+
II. Set up requirements
III. Requirements for running your business in a PCI/PA-DSS compliant manner
IV. How to research those who have had access to credit card data
I. OVERVIEW OF METHODS USED FOR CREDIT CARD HANDLING IN CARS+
A. CREDIT CARD NUMBER MASKING
The PCI compliant CARS+ card masking format is to display the first 4 and last 4 characters of a credit card number with an asterisk in between.
Example: The Visa credit card with 16 character card # 4234 5555 6666 7890, will appear as: 4234*7890
NOTE: Masking and encryption does not apply to credit cards while in the process of being entered. That is, when a credit card is entered manually or swiped in Reservations, Petty Cash Entry, RA Open, RA Close, Customer File Update or any other program, the credit card number is shown in full until the entry is saved. Once saved, the credit card will be masked when the transaction or file is accessed again.
Users who are exempt from the masking logic (see Set Up Requirement - User Access File below) can use Shift/F4 to request that the card be unmasked. The user is prompted for their usercode and password for verification. If exempt from masking, the full credit card number will display. This access is logged in the FOP Viewing Log File. If the user is NOT exempt from masking, the Shift/F4 request is rejected.
1. Users subject to masking:
a. CARS+ installations using EDC (Electronic Draft Capture)
- When an existing RA is pulled up on either the Open or Close screens, or an existing Reservation is pulled up on the Reservations or RA Open screen, credit card numbers are always masked.
- When the RA is extended, an estimate is done, and/or an additional authorization is requested, the credit card remains masked.
- When the RA is closed and additional authorization is needed, the credit card remains masked.
b. CARS+ installations NOT using EDC
- When an existing RA is pulled up on either the Open or Close screens, or an existing Reservation is pulled up on the Reservations or RA Open screen, credit card numbers are always initially masked.
- When the RA is extended, an estimate is done. If the estimated charges are less than the authorized amount and deposits, the credit card remains masked. If the estimated charges are greater than the authorized amount, the user can press Shift/F4 to unmask the card. This access is logged.
- When the RA is being closed, the user can press Shift/F4 to unmask the card. This access is logged.
2. Users exempt from masking
If the user has the authority to unmask credit cards (granted in a field in the User Access record), pressing Shift/F4 and entering their username and password will display the full credit card number from Reservations, RA Open, RA Close, and Customer File Update. This access is logged.
B. DEPOSIT/PAYMENT FILE SEARCH
User tip: Because of PCI restrictions, the complete credit card number IS NOT stored anywhere in CARS+. After entry and saving, it is encrypted and stored in a separate encryption server. The only thing that is stored in CARS+ is the first four characters of the card, an asterisk "*", and the last four characters. The Deposit/Payment (Dep/Pay) file search, when searching by credit card number, will accept a full credit card number. But the number is then internally reformatted to the "First 4*Last 4" format, and that is what is used to read the Dep/Pay file for a match. For example, MasterCard # 5121123456781234 will be converted to 5121*1234 and a match will be sought. 5121*1234 matches card 5121123456781234, but it will also match 5121999999991234 or 5121888888881234. In fact, one hundred million cards can have the same first and last four characters. Therefore, this type of search is NOT guaranteed to give the correct match on the first attempt. You must unmask the found card to determine whether a match has been found.
WARNING: Since a CARS+ search uses the "First 4*Last 4" format, a hit is not a guaranteed match, and the user should unmask the credit card found in the search to determine whether the credit card is a match.
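The masking format and the Dep/Pay search behaviour described above, as an added Python example (this is not CARS+ code; the record layout and the sample Dep/Pay records are constructed for illustration). It shows the "First 4*Last 4" transformation, how a search value is normalised to that key, and why one key can match several different stored records:

```python
import re

MASK_CHAR = "*"


def mask_pan(pan: str) -> str:
    """Return the masked form described above: first 4 digits, '*', last 4 digits.
    Spaces and dashes in the input are ignored; the length test is a sanity check only."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    return f"{digits[:4]}{MASK_CHAR}{digits[-4:]}"


def dep_pay_search_key(query: str) -> str:
    """Normalise a search value to the stored "First 4*Last 4" key.
    Accepts either a full card number or a value already in masked form."""
    q = re.sub(r"[\s-]", "", query)
    if re.fullmatch(r"\d{4}\*\d{4}", q):
        return q
    return mask_pan(q)


def numbers_sharing_key(length: int = 16) -> int:
    """How many card numbers of the given length collapse onto one search key.
    Eight digits are fixed by the key, the rest are free: for a 16-digit card that
    is the one hundred million the page mentions (ignoring the check digit)."""
    return 10 ** (length - 8)


def dep_pay_matches(records, query):
    """All Dep/Pay records whose stored key equals the normalised query.
    More than one hit is normal; only unmasking tells which one (if any) is the card sought."""
    key = dep_pay_search_key(query)
    return [r for r in records if r["fop_masked"] == key]


# Constructed sample Dep/Pay records: only the masked key is stored, as the page states.
SAMPLE_DEP_PAY = [
    {"ra": "100001", "fop_masked": "5121*1234", "amount": 210.00},
    {"ra": "100002", "fop_masked": "4234*7890", "amount": 85.50},
    {"ra": "100003", "fop_masked": "5121*1234", "amount": 132.75},
]

if __name__ == "__main__":
    for pan in ("5121123456781234", "5121999999991234", "5121888888881234"):
        print(pan, "->", mask_pan(pan))
    hits = dep_pay_matches(SAMPLE_DEP_PAY, "5121 1234 5678 1234")
    print(len(hits), "candidate records share the key; unmask each to confirm")
```

The search deliberately returns every record carrying the key rather than the first one, which is the point the warning makes: a single hit cannot be trusted as the card in question.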
The records in the Deposit/Payment File can be a valuable source of information when researching payments on Closed RAs, deposits on Open RAs and Reservations, Petty Cash Entries, credit card charge backs, and other situations. The Deposit/Payment File may be searched from many screens including the following: Reservations, RA Open, RA Close, Batch Open, Batch Close, Edit Opening Fields, Edit Closed RA, Edit Posted RA, Petty Cash Entry, Batch Petty Cash Entry, Edit Petty Cash Entry.
Users that are exempt from masking can access a full credit card number if necessary by doing the following:
- Access a search of the Dep/Pay File from Reservations, RA Open, RA Close, etc.
- Find the record and select it from the search by entering its line number. A prompt for the username and password will appear.
- If the user is exempt from masking, the full credit card number and expiration date will appear in a pop-up window. This access is logged in the FOP Viewing Log File.
C. MASKED REPORTS AND REPORT WRITERS
All reports in CARS+ show the credit card in masked format regardless of which user requested the report. This also applies to both the IQ and CQ Report Writers (as there are no credit card numbers stored anywhere in CARS+, there is no card number for the report writers to print).
II. SET UP REQUIREMENTS
A. USER ACCESS FILE
A field in the User Access File record controls whether or not each user is able to unmask credit card numbers.
Page 2; Data Field # 1: MASKING EXEMPT
For each user, enter:
Y = YES, this user is exempt from the masking logic and, therefore, can ask to see the full credit card data on various screens by using the Shift/F4 function key and after they have entered their usercode and password. But even for masking exempt users, all cards are initially masked when redisplayed.
N (or blank) = NO, this user is not exempt from masking. Therefore, credit card data will always be in masked format. The Shift/F4 function key is inoperable.
Note that having exempt users is permissible under PCI/PA rules. But in reality, this privilege should be granted to very few users. CARS+ is designed to do most rental operations without the need for a credit card to be unmasked.
B. INPUT TIMER
In order to be PCI/PA compliant, the logout timer has to be set so that a session is logged out automatically if not used for a certain number of minutes.
EDIT MAIN CONTROL RECORD (shortcut: EDITMAIN)
Data Field # 26: INPUT TIMER
This field controls the automatic log-off feature of the system. Enter the number of minutes between 1 and 99 (1 hour 39 minutes) inclusive to set the log-off timer. Sessions which are signed into CARS+ which have not had any keyboard entry for the period of time specified are automatically logged off.
C. SANITIZE THE TRAINING COMPANY DATA (PA-DSS Requirements - Section 1)
One of the PCI/PA-DSS rules states that live production credit card data cannot be used in any data base used for testing or training.
For that reason, a program has been developed that will “sanitize” data after copying it to another company, such as when live data is copied to a training company in CARS+.
In order to remove credit card data and other customer personal information in the training company (or any other receiving company), the program MASK CUSTOMER PID (shortcut: PIDUPD) needs to be run. It will “sanitize” the data in several files including the Customer, Reservations, RA, and Deposit/Payment files. The data is replaced with standardized information for all records.
Contact Thermeon’s Customer Support Dept. to request that this program be run.
PROGRAM: MASK CUSTOMER PID (shortcut: PIDUPD)
Data Field #1: Company No.
Enter up to 2 alphanumeric characters representing the Company whose data should be changed. (Typically this is Co. 99.)
Data Field # 2: Second Employee
Because of the critical nature of this program, it requires 2 usercodes/passwords in order for it to be run. Therefore, enter up to 6 alphanumeric characters representing an employee code of a second employee. This employee must have this program on their menu. This is followed by a prompt to enter the second employee's password.
This program makes the following data changes:
Customer File --For all customers, the following changes are made:
- Customer's first name is changed to John
- Customer's last name is changed so that "DOE" replaces the last 3 characters of the name.
- Address is changed to: 1234 Main Street, Tustin, CA 92780
- Phone and employer phone are changed to 555-1212
- Credit card (FOP) is changed to: 4564 4564 4564 4564 and expiration date is reset
- Driver’s license is changed to: 123456 and expiration date is reset
- Birth date is changed to 01-01-80
- Email address is erased.
Reservations --For all reservations, the following changes are made:
- Phone number and employer phone number are changed to 555-1212
- Credit card (FOP) is changed to: 4564 4564 4564 4564 and expiration date is reset
RAs --For all RAs, the following changes are made:
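The Customer and Reservations changes listed above, together with the two-employee authorization the program requires, as an added Python example. This is not the PIDUPD program itself: the record field names, the user records with their menus and passwords, and the sample customer and reservation are constructed for illustration, and the expiration dates are "reset" to None because the page does not say what value is written:

```python
from copy import deepcopy
import hmac

PROGRAM = "PIDUPD"

# Standardized replacement values listed on the page.
STANDARD = {
    "first_name": "John",
    "address": "1234 Main Street, Tustin, CA 92780",
    "phone": "555-1212",
    "fop_number": "4564 4564 4564 4564",
    "drivers_license": "123456",
    "birth_date": "01-01-80",
}


def sanitise_last_name(last_name: str) -> str:
    """DOE replaces the last three characters of the surname
    (a surname shorter than three characters becomes just DOE)."""
    return last_name[:-3] + "DOE"


def sanitise_customer(rec: dict) -> dict:
    out = deepcopy(rec)
    out["first_name"] = STANDARD["first_name"]
    out["last_name"] = sanitise_last_name(rec["last_name"])
    out["address"] = STANDARD["address"]
    out["phone"] = STANDARD["phone"]
    out["employer_phone"] = STANDARD["phone"]
    out["fop_number"] = STANDARD["fop_number"]
    out["fop_expiry"] = None          # "reset": None is this example's choice
    out["drivers_license"] = STANDARD["drivers_license"]
    out["dl_expiry"] = None           # likewise reset
    out["birth_date"] = STANDARD["birth_date"]
    out["email"] = ""                 # erased
    return out


def sanitise_reservation(rec: dict) -> dict:
    out = deepcopy(rec)
    out["phone"] = STANDARD["phone"]
    out["employer_phone"] = STANDARD["phone"]
    out["fop_number"] = STANDARD["fop_number"]
    out["fop_expiry"] = None
    return out


def authorise_pidupd(first: tuple, second: tuple, users: dict) -> bool:
    """Two distinct employees, each with a correct password and PIDUPD on their menu."""
    (code1, pw1), (code2, pw2) = first, second
    if code1 == code2:
        return False
    for code, pw in ((code1, pw1), (code2, pw2)):
        user = users.get(code)
        if user is None or PROGRAM not in user["menu"]:
            return False
        # Constant-time compare; a real system would compare password hashes.
        if not hmac.compare_digest(user["password"], pw):
            return False
    return True


def run_pidupd(company, first, second, users, customers, reservations):
    """Data Field #1 is the company number (up to 2 alphanumeric characters);
    Data Field #2 supplies the second employee. Returns sanitised copies."""
    if not (1 <= len(company) <= 2 and company.isalnum()):
        raise ValueError("company number is 1 to 2 alphanumeric characters")
    if not authorise_pidupd(first, second, users):
        raise PermissionError("two authorised employees are required to run PIDUPD")
    return ([sanitise_customer(c) for c in customers],
            [sanitise_reservation(r) for r in reservations])


# Constructed sample data (not real users or customers).
SAMPLE_USERS = {
    "MARY": {"password": "pw-mary", "menu": {"PIDUPD", "RAOPEN"}},
    "RAJ": {"password": "pw-raj", "menu": {"PIDUPD"}},
    "TOM": {"password": "pw-tom", "menu": {"RAOPEN"}},   # PIDUPD not on menu
}
SAMPLE_CUSTOMERS = [{
    "customer_no": "C1001", "first_name": "Alice", "last_name": "SMITH",
    "address": "77 Harbor Blvd, Costa Mesa, CA 92626", "phone": "714-555-0100",
    "employer_phone": "714-555-0199", "fop_number": "4234 5555 6666 7890",
    "fop_expiry": "12/11", "drivers_license": "D1234567", "dl_expiry": "03/12",
    "birth_date": "05-17-75", "email": "alice@example.com",
}]
SAMPLE_RESERVATIONS = [{
    "res_no": "R5001", "customer_no": "C1001", "phone": "714-555-0100",
    "employer_phone": "714-555-0199", "fop_number": "4234 5555 6666 7890",
    "fop_expiry": "12/11",
}]
```

Usage: run_pidupd("99", ("MARY", "pw-mary"), ("RAJ", "pw-raj"), SAMPLE_USERS, SAMPLE_CUSTOMERS, SAMPLE_RESERVATIONS) returns the sanitised copies; the same employee given twice, or an employee without the program on their menu, is refused before any record is touched.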
III. REQUIREMENTS FOR RUNNING THE BUSINESS IN A PCI/PA-DSS COMPLIANT MANNER
In addition to the set up requirements listed above, there are requirements that must be met in order to run the business in an on-going manner for PCI/PA-DSS compliance.
A. PURGING OLD DATA (PA-DSS Requirements - Section 1)
Importance of Purging – One of the points stressed by the PCI standards is that credit card information cannot be stored any longer than the time needed for “reasonable business purposes”. Therefore, it is very important to develop and follow a purging schedule in order to purge old credit card information from CARS+.
Remember, however, that credit card numbers themselves are not stored in CARS+. Credit card numbers are stored and encrypted in an external service maintained by Thermeon Worldwide. What is stored in your CARS+ system, and therefore needs purging, is the "pointer" to the encrypted external service which gives you the ability to retrieve the credit card number in full.
Use the program Purge Credit Card Pointers to purge old credit card pointers off the system.
In many cases, RAs are kept on file for a time after they have closed for such reasons as parking ticket research, damage charges assessed after the RA closes, tax and airport authority audits, and management reporting purposes. It is up to you to determine what is a “reasonable” length of time for your operation to keep this data before it is purged. You can choose to keep rental agreements on your system for a longer period of time than the credit card pointers associated with those RAs. RAs and card pointers are purged independently of each other. Remember, a valid business reason is required to keep credit card pointers on the system. After purging the pointer, you will lose the ability to unmask the credit card and see the full card number.
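The independent purge of card pointers described above, as an added Python example (not the Purge Credit Card Pointers program; the record layout, pointer values and closed RAs are constructed). It clears the pointer on records older than a chosen retention period while leaving the RAs themselves on file, and shows that once the pointer is gone the card can no longer be unmasked:

```python
from copy import deepcopy
from datetime import date, timedelta


def purge_card_pointers(ras, today, retention_days):
    """Clear the pointer to the external encrypted card store on every record whose
    close date is older than the retention period. The RAs themselves are untouched:
    RAs and card pointers are purged on independent schedules.
    Returns (updated records, number of pointers purged)."""
    cutoff = today - timedelta(days=retention_days)
    out, purged = [], 0
    for rec in ras:
        rec = deepcopy(rec)
        if rec.get("card_pointer") is not None and rec["closed_on"] < cutoff:
            rec["card_pointer"] = None
            purged += 1
        out.append(rec)
    return out, purged


def can_unmask(rec):
    """Once the pointer is gone only the First 4*Last 4 key remains,
    so the full number can no longer be retrieved."""
    return rec.get("card_pointer") is not None


# Constructed sample closed RAs (pointer values are placeholders).
SAMPLE_CLOSED_RAS = [
    {"ra": "200001", "closed_on": date(2009, 1, 15), "card_pointer": "ptr-0001", "fop_masked": "4234*7890"},
    {"ra": "200002", "closed_on": date(2009, 6, 1), "card_pointer": "ptr-0002", "fop_masked": "5121*1234"},
    {"ra": "200003", "closed_on": date(2009, 6, 20), "card_pointer": None, "fop_masked": "3714*0005"},
]

if __name__ == "__main__":
    updated, n = purge_card_pointers(SAMPLE_CLOSED_RAS, date(2009, 7, 1), retention_days=90)
    print(n, "pointer(s) purged;", len(updated), "RAs still on file")
    for rec in updated:
        print(rec["ra"], rec["fop_masked"], "unmaskable" if can_unmask(rec) else "key only")
```

The 90-day figure in the usage is only an illustration; the page leaves the "reasonable" period to the operator, and the function takes it as a parameter for that reason.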
B. USER PASSWORDS (PA-DSS Requirements - Section 3)
1. New user set up and changing the password
When a new user is set up by Thermeon’s Support Department, an initial default password is assigned to them. New users MUST change this password the first time they login. The password must be reset with a “strong” password (one that is not easily guessed):
There are websites that generate random strong passwords. An example of one of these websites is:
Each employee must have their own login and password. In no case should employees share a login or use the login and password of an employee that is no longer with the company.
2. Users that are terminated
When a user leaves your employ, their password needs to be changed immediately using Change System Password and their access to the system terminated. If you have any questions, contact Thermeon’s Customer Support Dept.
If there is a chance that the employee learned the passwords of other employees, then those other employees must change their password.
C. WIRELESS ACCESS (PA-DSS Requirements - Section 6)
If your stand-alone system is configured to use a wireless transmission or if you use CARS+ Internet with a wireless internet connection, your wireless system must be configured to use WiFi Protected Access (WPA or WPA2) or Wired Equivalent Privacy (WEP) with a minimum of 104 bit encryption and 24 bit initialization value.
Some CARS+ operations use handheld terminals which operate via an FM transmitter. These terminals are limited in CARS+ to the following programs: RA Close, Physical Inventory, Non-Revenue Movements. As such, no credit card data are transmitted to or from the handheld device. As a result, they fall outside the scope of the PCI/PA-DSS wireless concerns.
D. FIREWALLS (PA-DSS Requirements - Section 9)
Operations using CARS+ Internet: Credit card data is behind a firewall and is not on an internet directly accessible system.
E. VIRUS PROTECTION
It is the end user’s responsibility to make sure that their PCs are protected from viruses and malware. This involves:
1. The installation of commercial or freeware virus protection software
2. Regular running of virus scans
3. Keeping the virus definition files current on the selected protection software
F. E-MAILS AND FAXES (PA-DSS Requirements - Section 12)
When e-mailing or faxing a screen shot to anyone, including the renter or Thermeon’s Support Dept., the credit card data must be masked or blocked out.
H. GENERAL DISCUSSION
1. Personal ID Data
Being conscious about credit card security does not stop with only hiding the credit card numbers. You must also protect any correlation between the credit card and the personal information of the cardholder. Therefore, CARS+ can be configured to mask the following personal data:
- driver's license
- address
- birth date
- frequent traveler number
- customer number
Masking of this data is controlled through fields in the Edit Misc Control Fields program.
Additionally, use the program Clear Customer Data to clear or 'sanitize' the personal identification data (PID) from customer records. It will clear out of the customer's record all data that can be used to uniquely identify them. This includes the customer's address, driver's license number, date of birth, phone numbers, email address, passport number, federal tax id number and any other unique personal information from the customer records selected.
Another responsibility of being security conscious is to review the menu access levels of all users periodically. Access to sensitive reports, such as the Selected Customer Reports program on the Customer Maintenance Menu, should be strictly controlled.
2. Employee Security Acknowledgment (PA-DSS Requirements - Section 14)
It is the responsibility of the user to make sure that their employees understand and are committed to the security of customer credit card data. In order to be considered PCI/PA-DSS compliant, it is required that this Implementation Guide be reviewed with all employees at least once a year.
Employees should be required to sign a statement that they are aware of the security concerns of the company and are committed to upholding the security policy of the employer.
An example of an acknowledgment form is shown below:
ACKNOWLEDGMENT OF ______ RENT-A-CAR SECURITY PROCEDURES
I ______________________________________ have read, understand and agree to adhere to the data handling procedures outlined in the CARS+ PCI/PA IMPLEMENTATION GUIDE,
Revision Date ____/_____/____.
_____________________________________________________
Signature Date
3. Staying current with PCI/PA Compliance
Periodically this Guide will be updated to keep current with PCI/PA-DSS compliance requirements and to reflect changes in the CARS+ software. Changes will be announced in the CARS+ Release Notices which can be accessed at Thermeon’s Website: http://www.thermeon.com
Therefore, it is important to review the Release Notices and take particular note when this chapter has been changed. Changes made to this document need to be read and heeded in order for your operation to stay current and remain PCI and PA-DSS compliant.
There is, obviously, a delicate balance between creating an iron-clad system and a system that gives its users the freedom to run their business in the way that they wish. Additionally, the system cannot compensate entirely for hiring staff with less than desirable integrity.
Thermeon Corp. is always open to additional security ideas and suggestions that you may have.
IV. RESEARCHING ACCESS TO CREDIT CARD NUMBERS
From time to time, it may be necessary to research which users have had access to a credit card number, that is, which users have seen the full unmasked credit card number on a CARS+ screen.
When transactions are created, such as RAs, Reservations, and Petty Cash entries, the employee code of the user who created the transaction is stored with it. However, transactions are often recalled to a screen and changed or simply viewed. To track this access, log files that are kept in CARS+ can be very helpful to management when there is a need for research.
A. THE PROGRAM ACCESS LOG
This log file tracks each program that a user enters and exits. The times for access and exit are logged as well. This provides a way to track such things as:
- The programs that a particular user is accessing during their shift.
- Which users accessed a particular program.
- Users accessing the system during their off hours.
The data requested can be displayed to the screen or sent as an attachment to an E-mail which can be imported into a spreadsheet program such as Excel. Once in Excel, the data can be sorted by employee code, date, or program name.
This log will be kept for 365 days.
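The three kinds of research listed above, run over the Program Access Log, as an added Python example (not a CARS+ program; the comma-separated log layout, the shift window and the sample entries are constructed for illustration). It parses entry/exit records, lists which programs a user ran and who ran a given program, flags entries outside the shift window, and writes the sorted data as CSV for import into a spreadsheet:

```python
import csv
import io
from datetime import datetime, time

# Constructed sample log: employee, program, entered, exited.
SAMPLE_ACCESS_LOG = """\
MARY,RAOPEN,2009-07-01 09:02:11,2009-07-01 09:15:40
MARY,RACLOSE,2009-07-01 09:16:02,2009-07-01 09:30:55
TOM,CUSTUPD,2009-07-01 22:47:03,2009-07-01 23:05:19
RAJ,PIDUPD,2009-07-02 03:12:00,2009-07-02 03:14:30
TOM,RAOPEN,2009-07-02 10:00:00,2009-07-02 10:20:00
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_access_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        employee, program, entered, exited = line.split(",")
        rows.append({"employee": employee, "program": program,
                     "entered": datetime.strptime(entered, FMT),
                     "exited": datetime.strptime(exited, FMT)})
    return rows


def programs_by_user(rows, employee):
    """Programs one user entered, in the order they were entered."""
    return [r["program"] for r in sorted(rows, key=lambda r: r["entered"])
            if r["employee"] == employee]


def users_of_program(rows, program):
    """Every employee who entered the given program."""
    return sorted({r["employee"] for r in rows if r["program"] == program})


def off_hours_access(rows, shift_start=time(7, 0), shift_end=time(19, 0)):
    """Entries whose program entry time falls outside the shift window
    (the 07:00-19:00 default is an assumption of this example)."""
    return [r for r in rows if not (shift_start <= r["entered"].time() < shift_end)]


def to_csv(rows):
    """Spreadsheet-ready text, pre-sorted by employee then entry time."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["employee", "program", "entered", "exited"])
    for r in sorted(rows, key=lambda r: (r["employee"], r["entered"])):
        writer.writerow([r["employee"], r["program"],
                         r["entered"].strftime(FMT), r["exited"].strftime(FMT)])
    return buf.getvalue()


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    for r in off_hours_access(rows):
        print("off hours:", r["employee"], r["program"], r["entered"])
    print(to_csv(rows))
```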
B. INDIVIDUAL LOG FILES
Changes to major files are logged in individual log files for RAs, Reservations, Customer records, etc.
The access to view these log files is on the Transaction Logging Menu.
These files are kept until purged using the Purge Log Files program on the Purge Menu.
C. FOP VIEWING LOG (PA-DSS Requirements - Section 4)
Whenever a user unmasks a credit card using Shift/F4, that fact is logged in the FOP Viewing Log File.
The program View FOP Viewing Log (on the Transaction Logging Menu) can be used to print or display a report of data from the FOP Viewing Log File. It will report the who, when and where a credit card has been unmasked. The report can be run for a particular credit card number, date range or employee.
This log will remain on the system for a minimum of 365 days, after which it can be purged using the Purge FOP Viewing Log program on the Purge Menu.
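The Shift/F4 unmask path and the FOP Viewing Log report described in this section (and in the masking overview earlier), as an added Python example. This is not CARS+ code: the user records with their MASKING EXEMPT field, the pointer-keyed stand-in for the external encryption server, and the sample entries are constructed for illustration. A request is refused unless the re-entered credentials verify and the user is exempt; each successful unmask is logged with who, when and where, and the report can be filtered by card, date range or employee:

```python
import hmac
from datetime import date, datetime


class FopViewingLog:
    """Append-only record of every successful unmask: who, when, where, which card."""

    def __init__(self):
        self.entries = []

    def record(self, employee, program, fop_masked, when):
        self.entries.append({"employee": employee, "program": program,
                             "fop_masked": fop_masked, "when": when})

    def report(self, fop_masked=None, employee=None, start=None, end=None):
        """Filter by masked card, employee and/or an inclusive date range,
        the selections the View FOP Viewing Log program offers."""
        rows = self.entries
        if fop_masked is not None:
            rows = [e for e in rows if e["fop_masked"] == fop_masked]
        if employee is not None:
            rows = [e for e in rows if e["employee"] == employee]
        if start is not None:
            rows = [e for e in rows if e["when"].date() >= start]
        if end is not None:
            rows = [e for e in rows if e["when"].date() <= end]
        return sorted(rows, key=lambda e: e["when"])


def request_unmask(users, log, employee, password, program, fop_masked, card_pointer, vault, when):
    """Shift/F4 handling: re-prompt for credentials, refuse unless MASKING EXEMPT is Y,
    log the view, then fetch the full number through the pointer. Returns None on refusal."""
    user = users.get(employee)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    if user.get("masking_exempt", "").strip().upper() != "Y":   # N or blank = not exempt
        return None
    log.record(employee, program, fop_masked, when)
    return vault.get(card_pointer)


# Constructed User Access records (page 2, field 1 = MASKING EXEMPT).
USERS = {
    "MARY": {"password": "pw-mary", "masking_exempt": "Y"},
    "TOM": {"password": "pw-tom", "masking_exempt": "N"},
    "RAJ": {"password": "pw-raj", "masking_exempt": ""},
}
# Stand-in for the external encryption server, keyed by pointer (constructed values).
VAULT = {"ptr-0001": "4234555566667890", "ptr-0002": "5121123456781234"}

if __name__ == "__main__":
    log = FopViewingLog()
    print(request_unmask(USERS, log, "MARY", "pw-mary", "RACLOSE", "4234*7890", "ptr-0001", VAULT, datetime(2009, 7, 1, 9, 5)))
    print(request_unmask(USERS, log, "TOM", "pw-tom", "RACLOSE", "4234*7890", "ptr-0001", VAULT, datetime(2009, 7, 1, 9, 6)))
    for e in log.report(fop_masked="4234*7890"):
        print(e["when"], e["employee"], e["program"])
```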