REZOVATION GT 5.12 PA-‐DSS 2.0 IMPLEMENTATION GUIDE
Transcription
REZOVATION GT 5.12 PA-‐DSS 2.0 IMPLEMENTATION GUIDE
REZOVATION GT 5.12 PA-‐DSS 2.0 IMPLEMENTATION GUIDE VERSION 3 .0 | O CTOBER 8 , 2 013 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 1 TABLE OF CONTENTS NOTICE ................................................................................................................................................................................................. 8 ABOUT THIS DOCUMENT ..................................................................................................................................................................... 9 REVISION INFORMATION ................................................................................................................................................................... 10 EXECUTIVE SUMMARY ....................................................................................................................................................................... 11 APPLICATION SUMMARY ................................................................................................................................................................... 11 Typical Network Implementation ...................................................................................................................................................... 14 Dataflow Diagram .............................................................................................................................................................................. 15 DIFFERENCE BETWEEN PCI COMPLIANCE AND PA-‐DSS VALIDATION ................................................................................................ 17 The 12 Requirements of the PCI DSS: ....................................................................................................................................... 18 SUMMARY OF PCI DSS REQUIREMENTS ............................................................................................................................................ 19 Build and Maintain a Secure Network .......................................................................................................................................... 19 Requirement 1: Install and maintain a firewall configuration to protect cardholder data ...................................................... 19 Requirement 2: Do not use vendor-‐supplied defaults for system passwords and other security parameters. ...................... 19 Protect Cardholder Data ............................................................................................................................................................... 20 Requirement 3: Protect stored data ........................................................................................................................................ 20 Requirement 4: Encrypt transmission of cardholder data across open, public networks ........................................................ 20 Maintain a Vulnerability Management Program .......................................................................................................................... 21 Requirement 5: Use and regularly update anti-‐virus software or programs ............................................................................ 21 Requirement 6: Develop and maintain secure systems and applications ................................................................................ 21 Implement Strong Access Control Measures ................................................................................................................................ 22 Requirement 7: Restrict access to cardholder data by business need-‐to-‐know ....................................................................... 22 Requirement 8: Assign a unique ID to each person with computer access .............................................................................. 22 Requirement 9: Restrict physical access to cardholder data .................................................................................................... 23 Regularly Monitor and Test Networks .......................................................................................................................................... 23 Requirement 10: Track and monitor all access to network resources and cardholder data .................................................... 23 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 2 Requirement 11: Regularly test security systems and processes ............................................................................................. 23 Maintain an Information Security Policy ....................................................................................................................................... 24 Requirement 12: Maintain a policy that addresses information security for employees and contractors .............................. 24 CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT ....................... 25 Remove Historical Sensitive Authentication Data (PA-‐DSS 1.1.4.a) .............................................................................................. 25 Sensitive Authentication Data requires special handling (PA-‐DSS 1.1.5.c) ................................................................................... 25 Purging of Cardholder Data (PA-‐DSS 2.1) ...................................................................................................................................... 25 Cardholder Data Encryption Key Management (PA-‐DSS 2.5.c and 2.6.a) ..................................................................................... 26 Compliance with standards ...................................................................................................................................................... 27 Key storage method .................................................................................................................................................................. 27 Key rotation .............................................................................................................................................................................. 27 Old keys .................................................................................................................................................................................... 27 Refreshing keys manually ......................................................................................................................................................... 27 Removal of Cryptographic material (PA-‐DSS 2.7.a) ....................................................................................................................... 27 Set up Strong Access Controls (3.1.a and 3.2) ............................................................................................................................... 27 Properly Train and Monitor Admin Personnel .............................................................................................................................. 28 Log settings must be compliant (PA-‐DSS 4.1.b, 4.4.b) .................................................................................................................. 29 Services and Protocols (PA-‐DSS 5.4.c) ........................................................................................................................................... 29 PCI-‐Compliant Wireless settings (PA-‐DSS 6.1.f and 6.2.b) ............................................................................................................ 29 Never store cardholder data on internet-‐accessible systems (PA-‐DSS 9.1.b) ............................................................................... 30 PCI-‐Compliant Remote Access (10.2) ............................................................................................................................................ 30 PCI-‐Compliant Delivery of Updates (PA-‐DSS 10.3.1) ..................................................................................................................... 30 PCI-‐Compliant Remote Access (10.3.2.b) ...................................................................................................................................... 31 Data Transport Encryption (PA-‐DSS 11.1.b) .................................................................................................................................. 32 PCI-‐Compliant Use of End User Messaging Technologies (PA-‐DSS 11.2.b) ................................................................................... 32 Non-‐console administration (PA-‐DSS 12.1) ................................................................................................................................... 32 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 3 Network Segmentation ................................................................................................................................................................. 33 MAINTAIN AN INFORMATION SECURITY PROGRAM ......................................................................................................................... 34 APPLICATION SYSTEM CONFIGURATION ........................................................................................................................................... 35 PAYMENT APPLICATION INITIAL SETUP & CONFIGURATION ............................................................................................................. 36 Installing the payment application ................................................................................................................................................ 36 Defining the payment gateway ..................................................................................................................................................... 36 Conducting test transactions ........................................................................................................................................................ 36 How to upgrade ............................................................................................................................................................................ 36 Resetting Administrator passwords .............................................................................................................................................. 36 Updating your encryption key ....................................................................................................................................................... 37 HOW USE REZOVATION GT TO ENSURE COMPLIANCE ...................................................................................................................... 38 1. Do not retain full magnetic stripe or CVV2 data ...................................................................................................................... 38 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 38 What you need to do to meet the compliance requirements .................................................................................................. 38 2. Protect stored data .................................................................................................................................................................. 38 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 38 What you need to do to meet the compliance requirements .................................................................................................. 39 3. Use secure passwords .............................................................................................................................................................. 40 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 40 What you need to do to meet the compliance requirements .................................................................................................. 42 4. Log application activity ............................................................................................................................................................. 45 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 45 What you need to do to meet the compliance requirements .................................................................................................. 45 5. Protect wireless transmissions ................................................................................................................................................. 45 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 45 What you need to do to meet the compliance requirements .................................................................................................. 46 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 4 6. Secure the network .................................................................................................................................................................. 46 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 46 What you need to do to meet the compliance requirements .................................................................................................. 47 7. Server computers connected to the internet ........................................................................................................................... 47 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 47 What you need to do to meet the compliance requirements .................................................................................................. 47 8. Software updates ..................................................................................................................................................................... 48 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 48 What you need to do to meet the compliance requirements .................................................................................................. 48 9. Secure remote access to application ........................................................................................................................................ 48 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 48 What you need to do to meet the compliance requirements .................................................................................................. 50 10. Encryption of sensitive traffic over public networks .............................................................................................................. 50 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 50 What you need to do to meet the compliance requirements .................................................................................................. 50 11. Encryption of non-‐console administrative access .................................................................................................................. 50 How to set up RezOvation GT to meet the compliance requirements ..................................................................................... 50 What you need to do to meet the compliance requirements .................................................................................................. 50 REZOVATION GT SECURITY FEATURES AND POLICIES ....................................................................................................................... 51 Protection and storage of sensitive data ...................................................................................................................................... 51 Purging of sensitive data ............................................................................................................................................................... 51 Cryptographic keys ........................................................................................................................................................................ 51 User access .................................................................................................................................................................................... 52 Audit trails ..................................................................................................................................................................................... 52 Wireless networks ......................................................................................................................................................................... 52 Secure delivery of software updates ............................................................................................................................................. 52 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 5 Remote access to application ....................................................................................................................................................... 52 Secure transmission of cardholder data over public networks ..................................................................................................... 53 Encryption of cardholder data sent over end-‐user message technologies ................................................................................... 53 Encryption of non-‐console administrative access ......................................................................................................................... 53 Data gathered as a result of troubleshooting ............................................................................................................................... 53 ENCRYPTION ...................................................................................................................................................................................... 54 Compliance with standards ........................................................................................................................................................... 54 Key storage method ...................................................................................................................................................................... 54 Key rotation ................................................................................................................................................................................... 54 Old keys ......................................................................................................................................................................................... 54 Refreshing keys manually .............................................................................................................................................................. 54 ADDRESSING INADVERTENT CAPTURE OF PAN ................................................................................................................................. 55 Disable System Restore Settings ................................................................................................................................................... 55 Disabling System Restore – Windows XP .................................................................................................................................. 55 Disabling System Restore – Windows 7 .................................................................................................................................... 55 Disabling System Restore – Windows 8 .................................................................................................................................... 56 Encrypt the System PageFile.sys – Windows 7 & 8 ....................................................................................................................... 58 Clear the System Pagefile.sys on shutdowN – Windows XP, 7, and 8 ........................................................................................... 59 Disable System Management of Pagefile.sys ................................................................................................................................ 60 Windows XP AND 7 ................................................................................................................................................................... 60 Windows 8 ................................................................................................................................................................................ 63 Disable Windows Error Reporting ................................................................................................................................................. 65 Windows XP .............................................................................................................................................................................. 65 Windows 7 ................................................................................................................................................................................ 65 Windows 8 ................................................................................................................................................................................ 67 WINDOWS SECURITY ......................................................................................................................................................................... 70 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 6 Overview of Windows security ..................................................................................................................................................... 70 Password policies .......................................................................................................................................................................... 72 Account lockout policies ............................................................................................................................................................... 73 Screensaver and idle lockout ........................................................................................................................................................ 74 Windows audit trail ....................................................................................................................................................................... 75 Windows XP restore point ............................................................................................................................................................ 76 RESOURCES ........................................................................................................................................................................................ 77 RezOvation GT documentation ..................................................................................................................................................... 77 Where to find out more about PA-‐DSS and PCI-‐DSS ..................................................................................................................... 77 Wireless security ........................................................................................................................................................................... 77 Windows automatic updates ........................................................................................................................................................ 77 TERMINOLOGY .................................................................................................................................................................................. 78 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 7 NOTICE THE INFORMATION IN THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. HOMEAWAY SOFTWARE, INC. MAKES NO REPRESENTATION OR WARRANTY AS TO THE ACCURACY OR THE COMPLETENESS OF THE INFORMATION CONTAINED HEREIN. YOU ACKNOWLEDGE AND AGREE THAT THIS INFORMATION IS PROVIDED TO YOU ON THE CONDITION THAT NEITHER HOMEAWAY SOFTWARE, INC. NOR ANY OF ITS AFFILIATES OR REPRESENTATIVES WILL HAVE ANY LIABILITY IN RESPECT OF, OR AS A RESULT OF, THE USE OF THIS INFORMATION. IN ADDITION, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE SOLELY RESPONSIBLE FOR MAKING YOUR OWN DECISIONS BASED ON THE INFORMATION HEREIN. Nothing herein shall be construed as limiting or reducing your obligations to comply with any applicable laws, regulations or industry standards relating to security or otherwise including, but not limited to, PA-‐DSS and DSS. The user may undertake activities that may affect compliance. For this reason, HomeAway Software, Inc. is required to be specific to only the standard software provided by it. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | NOTICE Copyright 2013 HomeAway Software, Inc. 8 ABOUT THIS DOCUMENT This document describes the steps that must be followed in order for your RezOvation GT installations to comply with Payment Application – Data Security Standards (PA-‐DSS). The information in this document is based on PCI Security Standards Council Payment Application Data Security Standards program (version 2.0 dated October, 2010). HomeAway Software, Inc. instructs and advises its customers to deploy HomeAway Software, Inc. applications in a manner that adheres to the PCI Data Security Standard (v2.0). Subsequent to this, best practices and hardening methods, such as those referenced by the Center for Internet Security (CIS) and their various “Benchmarks”, should be followed in order to enhance system logging, reduce the chance of intrusion and increase the ability to detect intrusion, as well as other general recommendations to secure networking environments. Such methods include, but are not limited to, enabling operating system auditing subsystems, system logging of individual servers to a centralized logging server, the disabling of infrequently-‐used or frequently vulnerable networking protocols and the implementation of certificate-‐based protocols for access to servers by users and vendors. You must follow the steps outlined in this Implementation Guide in order for your RezOvation GT installation to support your PCI DSS compliance efforts. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ABOUT THIS DOCUMENT Copyright 2013 HomeAway Software, Inc. 9 REVISION INFORMATION Version Date Changes 1.0 Mar 9, 2009 Initial version 2.0 Aug 1, 2009 Updated program version and business name 2.0 Jan 1, 2010 Reviewed 2.0 Jan 1, 2011 Reviewed 2.0 Jan 1, 2012 Reviewed 3.0 Aug 21, 2012 4.0 Oct 8, 2013 Updated program version and business name Updated for PA-‐DSS 2.0 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | REVISION INFORMATION Copyright 2013 HomeAway Software, Inc. 10 EXECUTIVE SUMMARY Payment Application version 5.12 has been PA-‐DSS (Payment Application Data Security Standard) certified, with PA-‐DSS Version 2.0. For the PA-‐DSS assessment, we worked with the following PCI SSC approved Payment Application Qualified Security Assessor (PAQSA): Coalfire Systems, Inc. 361 Centennial Parkway Suite 150 Louisville, CO 80027 Coalfire Systems, Inc. 1633 Westlake Avenue N. Suite 100 Seattle, WA 98109 This document also explains the Payment Card Industry (PCI) initiative and the Payment Application Data Security Standard (PA-‐ DSS) guidelines. The document then provides specific installation, configuration, and ongoing management best practices for using Payment Application as a PA-‐DSS validated Application operating in a PCI Compliant environment. PCI Security Standards Council Reference Documents The following documents provide additional detail surrounding the PCI SSC and related security programs (PA-‐DSS, PCI DSS, etc): • Payment Applications Data Security Standard (PA-‐DSS) https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml • Payment Card Industry Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml • Open Web Application Security Project (OWASP) http://www.owasp.org This document is updated whenever there are changes in RezOvation GT which affect PCI-‐DSS, and is also updated annually to reflect changes in RezOvation GT as well as the PCI standards. Please visit our website at http://www.rezovation.com/rezovationgt/documentation.html for the latest version of this guide. Note: this document refers to RezOvation GT 5.12. If you are using an older version of RezOvation GT, you should upgrade your software to ensure that you are in compliance. APPLICATION SUMMARY Payment Application Name: Payment Application Version: RezOvation GT 5.12 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | EXECUTIVE SUMMARY Copyright 2013 HomeAway Software, Inc. 11 Application Description: Application Target Clientele: Hotel property management software providing full hotel / lodging payment integration via QBMS, seamless integrated booking engine, GDS distribution, QuickBooks integration, and more. Turn-‐key front desk / back office solution. Hospitality including bed and breakfasts, inns, boutique hotels. RezOvationGT.exe: Primary POS application, deployed on primary POS terminals Components of Application Suite RezOvationPropertyManager.exe: Windows service which manages communication (i.e. POS, Back Office, etc.) between each terminal and the database. Deployed on a single back end server. Required Third Party Payment Application Software: None Database Software Supported: Microsoft SQL Server 2008+ (any version, including Express) Other Required Third Party Software: Operating System(s) Supported: None The latest supported versions of: Windows XP Pro Windows Vista Windows 7 Windows 8 Select one or more from the following list: POS Suite POS Admin Application Functionality Supported POS Face-‐To-‐ Face POS Kiosk Shopping Cart & Store Front Others (Please Specify): Payment Middleware Payment Back Office POS Specialized Payment Gateway/Switch RezOvation GT uses two payment methods. Our traditional method via Intuit and our new method using HAPI (HomeAway Payment Island). HAPI is a PCI certified credit card processing center. In the traditional method RezOvation GT connects to Intuit’s payment gateway and uses SSL/HTTPS to send encrypted PAN. If the payment is successful, Intuit returns an authorization code and transaction ID to RezOvation GT, which is stored in the RezOvation GT database. The transaction ID can then be used to void/refund the transaction if necessary. In the new method, RezOvation GT calls the HAPI server to receive an IFrame which the credit card pan is typed. This pan is only accessible to the HAPI server. The HAPI server takes the pan, creates a proprietary token linking that pan to this instance of RezOvation GT. Then RezOvation GT calls the HAPI server to charge, authorize, capture or refund. Hapi returns the transaction ID, which is stored. All credit cards received via outside sources (external booking engines) are converted to HAPI tokens before being passed to the RezOvation GT instance. Payment Processing Connections: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | APPLICATION SUMMARY Copyright 2013 HomeAway Software, Inc. 12 With interactions Intuit are conducted over SSL SOAP calls with the RezOvation GT instance first passing over a authentication package to Intuit to create the connection and then the xml call and response is passed over the created connection. With HAPI, and SSL SOAP call is made to the RezOvation Master Server. An authentication packet is passed with each call and verified before the call is processed. With the HAPI model there is no pan passed, only a proprietary token that only allows the card to be charged to the RezOvation GT merchant of record (even if stolen). RezOvation GT versioning has three levels, Major, Minor, and Build: e.g. 5.12.1400. In some cases a build revision number is also included, e.g. 5.12.1400.2 Application Authentication Major changes include significant changes to the application and would have an impact on PA-‐DSS requirements. Description of Versioning Methodology: Minor changes include small changes such as minor enhancements and may or may not have an impact on PA-‐DSS requirements. Build changes include bug fixes and would have no negative impact on PA-‐DSS requirements. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | APPLICATION SUMMARY Copyright 2013 HomeAway Software, Inc. 13 TYPICAL NETWORK IMPLEMENTATION Rez0vation Network Design Diagram (RezOvationGT.exe) Client Database Internet (all communications via ssl) RezOvation GT instance RezOvation Network Server RezOvation GT Server application Firewall router (service RezOvationPropertyManager.exe) Cardholder Data Environment Intuit card services A typical RezOvation installation consists of a dedicated Client Server in the customer’s location which runs the RezOvation Property Manager Service. This service handles all communication with the local Client Database (Microsoft MSSQL) and through the router to the internet. Then the customer can have one or more client machines which interconnect via the RezOvation Property Manager Service behind the firewall. There are two major outside services the Client Server communicates with. All communication is done via secure SSL with well identified API calls. All interactions with these services are initiated by the Client Server and authenticated by the server. The first of these is Intuit Card Services. This is a well know credit card handler and communication. The other is the RezOvation Network Server. This server stores a copy of the Client Database, handles outside reservations, and communicates software updates, among other operations. All interactions with the RezOvation Network Server are authenticated in a PCI certified manner. The RezOvation Network Server might as needed communicate with third party reservation servers to send out availability information and receive new reservations and with HomeAway HAPI Credit Card Services and Intuit Payment Services to directly process the card. The RezOvation Network Server and it interactions with HAPI Credit Card services and third party reservation servers is PCI certified. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | Typical Network Implementation Copyright 2013 HomeAway Software, Inc. 14 DATAFLOW DIAGRAM Internally credit cards are treated with care in regards to security. Credit cards are received in two different fashions. The first is by traditional methods of typing in or swiping the credit card into a local text box in the CDE (Cardholder Data Environment). As soon as the credit card is received is it encrypted and is stored encrypted. When any data is passed to the RezOvation Network, the encrypted pan stripped from the data and not sent. The only time a credit card pan is passed out of the CDE is to Intuit via an ssl dedicated connection for processing (see scenario 1). The second method is via a HAPI (HomeAway Payment Island) token. HAPI is a PCI certified card processing store that ties a card to the merchant and returns a token to represent that relationship. To process (charge, authorize, e tc.) the card in anyway, the merchant tells HAPI to process and HAPI handles the transaction (see scenario 2). In this way the credit card information never actually resides in the CDE and cannot be compromised. HAPI tokens can exist in two ways. First all credit cards that come into the CDE via the RezOvation Network Server (by reservations take by third party booking agents like Expedia and Innlink, or by the online booking engine) with have the credit card already converted to a HAPI token (thus the credit card actually never enters the CDE). The other method is the CDE asks HAPI for an IFrame to use as the textbox, which captures the credit card pan, and HAPI returns a HAPI token, ensuring that technically the credit card pan never enters the CDE (see scenario 3). This last method is currently only used by selected customers. (Scenario 1) Charging a Credit Card Via Intuit Internet (all communications via ssl) RezOvation GT instance (RezOvationGT.exe) Client Database RezOvation GT Server application Firewall router (service RezOvationPropertyManager.exe) Cardholder Data Environment Intuit card services In scenario 1, the server wishes to charge a credit card it has received in a traditional way with Intuit. To do this, the server gets the credit card information, decrypts it and passes it to the Intuit server via an xml packet over ssl. The Intuit server process the card and returns the status back to the server. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | Dataflow Diagram Copyright 2013 HomeAway Software, Inc. 15 (Scenario 2) Charging a Credit Card with HAPI (RezOvationGT.exe) Internet (all communications via ssl) RezOvation GT instance RezOvation Network Server 1 3 Client Database RezOvation GT Server application 2 1 3 Firewall router (service RezOvationPropertyManager.exe) Cardholder Data Environment Intuit card services The second way cards are processed are with a HAPI token. First (1) the Rezovation GT Server, tells the RezOvation Network Server to process the HAPI token. (2) The server (internally to HAPI) translates the token into the card information and sends the processing to Intuit. Finally (3), the RezOvation Network Server packages up the result and sends it back to the Rezovation GT Server. In this method, no credit card pan is ever handled in the CDE. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | Dataflow Diagram Copyright 2013 HomeAway Software, Inc. 16 (Scenario 3) Receiving and Storing a Credit Card with HAPI (RezOvationGT.exe) 1 1 3 Internet (all communications via ssl) 2 RezOvation GT instance RezOvation Network Server 1 3 Client Database RezOvation GT Server application Firewall router (service RezOvationPropertyManager.exe) Cardholder Data Environment The third scenario, explains how the CDE gets a HAPI Token without ever having the credit card pan. First (1) the RezOvation GT Instance learns it needs to accept a credit card. It sends a request to the RezOvation Network Server (via the Rezovation GT Server) for the url of an IFrame. Then (2) the RezOvation GT Instance displays an IFrame for the text which communicates directly with the HAPI services. In this way the CDE has no access to the pan or swipe information of the card. Finally (3) the RezOvation Network Server HAPI services verifies the credit card pan and returns a HAPI token to the Rezovation GT Server. DIFFERENCE BETWEEN PCI COMPLIANCE AND PA-‐DSS VALIDATION As a software vendor, our responsibility is to be “PA-‐DSS Validated.” We have performed an assessment and certification compliance review with our independent assessment firm, to ensure that our platform does conform to industry best practices when handling, managing and storing payment related information. PA-‐DSS is the standard against which Payment Application has been tested, assessed, and validated. PCI Compliance is then later obtained by the merchant, and is an assessment of your actual server (or hosting) environment. Obtaining “PCI Compliance” is the responsibility of the merchant and your hosting provider, working together, using PCI compliant server architecture with proper hardware & software configurations and access control procedures. The PA-‐DSS Validation is intended to ensure that the Payment Application will help you achieve and maintain PCI Compliance with respect to how Payment Application handles user accounts, passwords, encryption, and other payment data related information. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | DIFFERENCE BETWEEN PCI COMPLIANCE AND PA-‐DSS VALIDATION Copyright 2013 HomeAway Software, Inc. 17 The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data. The PCI DSS requirements apply to all system components within the payment application environment which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted. The RezOvation master server and the HomeAway Payment Island have been certified as PCI compliant for handling credit cards. Your proper setup of your RezOvation client software will ensure your systems meet PCI requirements. THE 12 REQUIREMENTS OF THE PCI DSS: Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-‐supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect Stored Data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-‐virus software 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to data by business need-‐to-‐know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | DIFFERENCE BETWEEN PCI COMPLIANCE AND PA-‐DSS VALIDATION Copyright 2013 HomeAway Software, Inc. 18 SUMMARY OF PCI DSS REQUIREMENTS The following summary provides a basic overview of the PCI DSS requirements, and how they apply to your business and to the RezOvation GT software. For further detail on implementing the requirements, please view the section “Considerations for the implementation of payment application in a PCI-‐compliant environment”. BUILD AND MAINTAIN A SECURE NETWORK REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA WHAT THE REQUIREMENT SAYS Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from the Internet, whether entering the system as e-‐commerce, employees’ Internet-‐based access through desktop browsers, or employees’ e-‐mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT is designed to operate securely in a network behind a firewall, and works with all popular firewall applications. Please see our Firewall Guide for more information about setting up your firewall to work with RezOvation GT. WHAT THIS MEANS FOR YOU You should install and maintain firewall software on any computers that you use for your business. Your firewall should be configured to block unauthorized traffic. Please see your firewall vendor’s documentation for more information about configuring your firewall. REQUIREMENT 2: DO NOT USE VENDOR-‐SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS. WHAT THE REQUIREMENT SAYS Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | SUMMARY OF PCI DSS REQUIREMENTS Copyright 2013 HomeAway Software, Inc. 19 HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT allows you to create a unique user account and password for each user, make passwords required, and includes options to set restrictions on user access to specific information (like credit cards). WHAT THIS MEANS FOR YOU You should create unique usernames and passwords for both your Windows accounts and for RezOvation GT. You should use complex passwords, especially for administrator accounts. PROTECT CARDHOLDER DATA REQUIREMENT 3: PROTECT STORED DATA WHAT THE REQUIREMENT SAYS Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example: methods for minimizing risk include not storing cardholder data unless absolutely necessary; truncating cardholder data if full PAN is not needed; not sending PAN in unencrypted e-‐mails. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT encrypts all credit card data that is stored in the database. Encryption keys for credit cards are automatically changed once a year. If a credit card number (PAN) is included on any documents that can be printed or emailed (such as an invoice or folio), then the PAN is always displayed masked. WHAT THIS MEANS FOR YOU You should regularly change your passwords, especially for your administrator account, to ensure that your passwords cannot be easily compromised. If you suspect that your passwords or database has been compromised, then you should immediately change your passwords and manually update the encryption keys. You should never store credit card numbers or sensitive data in data fields that are not specifically designed to store this data. REQUIREMENT 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS WHAT THE REQUIREMENT SAYS Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | SUMMARY OF PCI DSS REQUIREMENTS Copyright 2013 HomeAway Software, Inc. 20 RezOvation GT encrypts all data sent over Internet connections using SSL encryption. This includes connections made for processing credit cards. WHAT THIS MEANS FOR YOU If you are using a wireless network, you should make sure to set up your network properly using strong wireless security such as WPA (WEP is not recommended). Please contact your wireless network vendor for more information about configuring your wireless network. MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM REQUIREMENT 5: USE AND REGULARLY UPDATE ANTI-‐VIRUS SOFTWARE OR PROGRAMS WHAT THE REQUIREMENT SAYS Many vulnerabilities and malicious viruses enter the network via employees' e-‐mail activities. Anti-‐virus software must be used on all systems commonly affected by viruses to protect systems from malicious software. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT is compatible with antivirus, firewall, anti-‐spyware, and anti-‐malware software. WHAT THIS MEANS FOR YOU You should install and maintain antivirus software, firewall software, and any other security software which helps to protect your computer. You should always make sure that this software is up to date, as security threats change often and new threats are introduced regularly. REQUIREMENT 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS WHAT THE REQUIREMENT SAYS Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-‐provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-‐house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | SUMMARY OF PCI DSS REQUIREMENTS Copyright 2013 HomeAway Software, Inc. 21 RezOvation GT is constantly tested for security problems and vulnerabilities throughout the development cycle, and also includes an automatic update feature to regularly and quickly apply any necessary updates. WHAT THIS MEANS FOR YOU You should keep your system up to date with software updates, operating system updates, and any other security patches. You should also enable the auto update feature in RezOvation GT to ensure that you have the latest version. For more information, please use the links below. • • • Microsoft Windows Updates Enabling automatic updates in RezOvation GT Manually installing RezOvation GT updates IMPLEMENT STRONG ACCESS CONTROL MEASURES REQUIREMENT 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED-‐TO-‐KNOW WHAT THE REQUIREMENT SAYS This requirement ensures critical data can only be accessed by authorized personnel. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT allows you to restrict access to financial reports and other sensitive financial data on a per-‐user basis. WHAT THIS MEANS FOR YOU You should restrict access in RezOvation GT as needed, and only provide Administrator access to those who need access to sensitive data. If you do print financial reports or other documents containing sensitive data, you should shred those documents if you no longer need them. REQUIREMENT 8: ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS WHAT THE REQUIREMENT SAYS Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT allows you to set up unique user accounts for each user. WHAT THIS MEANS FOR YOU REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | SUMMARY OF PCI DSS REQUIREMENTS Copyright 2013 HomeAway Software, Inc. 22 You should set up unique user accounts for each user of RezOvation GT, and not share user accounts. You should also set up unique user accounts in Windows. Users should change their passwords at least every 90 days. REQUIREMENT 9: RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA WHAT THE REQUIREMENT SAYS Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT allows you to keep your database on a physically secure server, so that users only access RezOvation GT from other computers on your network, not the computer where the database is stored. WHAT THIS MEANS FOR YOU Install RezOvation GT on a server or other computer that is in a physically secure location, and then follow the network setup instructions to access RezOvation GT from other computers on your network. REGULARLY MONITOR AND TEST NETWORKS REQUIREMENT 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA WHAT THE REQUIREMENT SAYS Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT logs application activity in the Windows application log. WHAT THIS MEANS FOR YOU Review the Windows application and security logs periodically to see which users are accessing your system. REQUIREMENT 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES WHAT THE REQUIREMENT SAYS REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | SUMMARY OF PCI DSS REQUIREMENTS Copyright 2013 HomeAway Software, Inc. 23 Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software. WHAT THIS MEANS FOR YOU You should test your network connections (including wireless networks) periodically for vulnerabilities, and make use of network vulnerability scans at least quarterly to check for any problems. If you make any significant changes to your network, you should also test for vulnerabilities. Please visit https://www.pcisecuritystandards.org for more information. MAINTAIN AN INFORMATION SECURITY POLICY REQUIREMENT 12: MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY FOR EMPLOYEES AND CONTRACTORS WHAT THE REQUIREMENT SAYS A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. HOW REZOVATION GT HELPS YOU MEET THESE REQUIREMENTS RezOvation GT allows you to set user access levels and control who has access to your sensitive data. WHAT THIS MEANS FOR YOU Review your security settings and network configuration at least once a year, or any time there is a change in your business or employees. Employees that no longer work at your business should be restricted from accessing your network or the RezOvation GT software. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | SUMMARY OF PCI DSS REQUIREMENTS Copyright 2013 HomeAway Software, Inc. 24 CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT The following areas must be considered for proper implementation in a PCI-‐Compliant environment. • • • • • • • • • • • • • • Remove Historical Cardholder Data Sensitive Authentication Data requires special handling Set up Good Access Controls Properly Train and Monitor Admin Personnel Key Management Roles & Responsibilities PCI-‐Compliant Remote Access Use SSH, VPN, or SSLV3/TLS 1.0 or higher for encryption of administrative access Log settings must be compliant PCI-‐Compliant Wireless settings Data Transport Encryption PCI-‐Compliant Use of Email Network Segmentation Never store cardholder data on internet-‐accessible systems Use SSLV3 for Secure Data Transmission REMOVE HISTORICAL SENSITIVE AUTHENTICATION DATA (PA-‐DSS 1.1.4.A) Previous versions of RezOvation GT did not store sensitive authentication data. Therefore, there is no need for secure removal of this historical data by the application as required by PA-‐DSS v2.0. SENSITIVE AUTHENTICATION DATA REQUIRES SPECIAL HANDLING (PA-‐DSS 1.1.5.C) HomeAway Software, Inc. does not store Sensitive Authentication data for any reason, and we strongly recommend that you do not do this either. However, if for any reason you should do so, the following guidelines must be followed when dealing with sensitive authentication data (swipe data, validation values or codes, PIN or PIN block data): • • • • • Collect sensitive authentication data only when needed to solve a specific problem Store such data only in specific, known locations with limited access Collect only the limited amount of data needed to solve a specific problem Encrypt sensitive authentication data while stored Securely delete such data immediately after use PURGING OF CARDHOLDER DATA (PA-‐DSS 2.1) The following guidelines must be followed when dealing with cardholder data (PAN alone or with any of the following: expiry date, cardholder name or service code): • • A customer defined retention period must be defined with a business justification. Cardholder data exceeding the customer-‐defined retention period must be purged. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 25 RezOvation GT is capable of automatically deleting credit card data on a pre-‐defined schedule. Please follow the instructions below to set the credit card data delete parameters. 1. 2. 3. 4. 5. 6. Open RezOvation GT and select the Configuration icon, or select View > Configuration from the menu. Go to the Property Settings section, and select the link for Payments and Cancellation Fees. Go to the Credit card delete settings section, and choose the appropriate option. Whatever option you choose will determine how both past and future credit card data is handled. For example, if you choose the option to “Delete credit cards 7 days after charge is recorded”, then payments recorded more than 7 days ago will have the associated credit cards deleted. Note that in all cases, cardholder name, the last 4 digits of the PAN, and the expiry date of the credit card are stored. In addition, the full card number is never required for refunds or voids if you are using the QBMS system for processing credit cards. Credit card numbers are deleted from the automatic backups. In addition, cards can be manually deleted by doing the following: 1. 2. 3. 4. Open RezOvation GT, and locate an invoice or reservation which has a credit card that you wish to delete. From the transactions section, double click on a credit card transaction. Select the link for “select card on file” from the right. Select the credit card you wish to delete and press the Delete button. CARDHOLDER DATA ENCRYPTION KEY MANAGEMENT (PA-‐DSS 2.5.C AND 2.6.A) The following key management functions must be performed per PCI DSS: • • • • • • • • • Generation of strong cryptographic keys. Secure cryptographic key distribution. Secure cryptographic key storage. Cryptographic key changes for keys that reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of ciphertext has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-‐57. Retire keys when the integrity of the key has been weakened. Replace known or suspected compromised keys. If retired or replaced cryptographic keys are retained, the application cannot use these keys for encryption operations. Manual clear-‐text key-‐management procedures require split knowledge and dual control of keys. Prevention of unauthorized substitution of cryptographic keys. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 26 COMPLIANCE WITH STANDARDS All sensitive data stored in the RezOvation GT database, including PANs, are encrypted using 128 bit Triple DES encryption. When you first create your RezOvation GT database, a unique encryption key is automatically created. This key is then automatically regenerated one per year, and can be manually generated at any time. KEY STORAGE METHOD Encryption keys are always stored encrypted in the RezOvation GT database. KEY ROTATION Keys are automatically rotated once per year. You can also manually rotate the keys. See the section below for instructions on this procedure. OLD KEYS Old encryption keys are overwritten whenever a new key is generated. As a result, old keys cannot be recovered. REFRESHING KEYS MANUALLY To manually refresh or rotate the encryptions keys, please follow these steps: 1. 2. 3. Open RezOvation GT and select the Configuration icon, or select View > Configuration from the menu. Go to the Property Settings section, and select the link for Payments and Cancellation Fees. Go to the section titled “Encryption key management”, and click the link to manually change the encryption key. 4. The encryption key will be changed. REMOVAL OF CRYPTOGRAPHIC MATERIAL (PA-‐DSS 2.7.A) Old encryption keys are overwritten whenever a new key is generated. As a result, old keys cannot be recovered. SET UP STRONG ACCESS CONTROLS (3.1.A AND 3.2) The PCI DSS requires that access to all systems in the payment processing environment be protected through use of unique users and complex passwords. Unique user accounts indicate that every account used is associated with an individual user and/or process with no use of generic group accounts used by more than one user or process. 3.1.a: You must assign strong passwords to any default accounts (even if they won’t be used), and then disable or do not use the accounts. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 27 Some authentication credentials are provided by RezOvation GT. However, you must make use of Windows authentication credentials in order to fully secure your system. For both the completion of the initial installation and for any subsequent changes (for example, any changes that result in user accounts reverting to default settings, any changes to existing account settings, or changes that generate new accounts or recreate existing accounts), the following requirements must be met per PCI 8.1, 8.2, and 8.5.8-‐15: 1. 2. The application must assign unique IDs for user accounts. (8.1) The application must provide at least one of the following three methods to authenticate users: (8.2) a. Something you know, such as a password or passphrase b. Something you have, such as a token device or smart card c. Something you are, such as a biometric 3. The application must NOT require or use any group, shared, or generic accounts or passwords.(8.5.8 4. The application requires passwords to be changed at least every 90 days (8.5.9) 5. The application requires passwords must to be at least 7 characters (8.5.10) 6. The application requires passwords to include both numeric and alphabetic characters (8.5.11) 7. The application keeps password history and requires that a new password is different than any of the last four passwords used. (8.5.12) 8. The application limits repeated access attempts by locking out the user account after not more than six logon attempts. (8.5.13) 9. The application sets the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. (8.5.14) 10. The application requires the user to re-‐authenticate to re-‐activate the session if the application session has been idle for more than 15 minutes. For more information on how to configure RezOvation GT and Windows to meet the compliance standards, please view the section titled “How to set up RezOvation GT to meet the compliance requirements”. These same account and password criteria from the above 10 requirements must also be applied to any applications or databases included in payment processing to be PCI compliant. RezOvation GT, as tested in our PA-‐DSS audit, meets, or exceeds these requirements for the following additional required applications or databases: [JENNIFER] <list all applications or databases required here> [Note: These password controls are not intended to apply to employees who only have access to one card number at a time to facilitate a single transaction. These controls are applicable for access by employees with administrative capabilities, for access to servers with cardholder data, and for access controlled by the application.] 3.2: Control access, via unique username and PCI DSS-‐compliant complex passwords, to any PCs or servers with payment applications and to databases storing cardholder data. PROPERLY TRAIN AND MONITOR ADMIN PERSONNEL It is your responsibility to institute proper personnel management techniques for allowing admin user access to cardholder data, site data, etc. You can control whether each individual admin user can see credit card PAN (or only last 4). REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 28 In most systems, a security breach is the result of unethical personnel. So pay special attention to whom you trust into your admin site and who you allow to view full decrypted and unmasked payment information. LOG SETTINGS MUST BE COMPLIANT (PA-‐DSS 4.1.B, 4.4.B) 4.1.b: RezOvation GT has PA-‐DSS compliant logging enabled by default. Disabling or subverting the logging function of RezOvation GT in any way will result in non-‐compliance with PCI DSS. In addition, RezOvation GT logs user and program activity to the Windows application & security logs. Audit trails and user access logging can obtained by following the Windows audit procedures. 4.4.b: RezOvation GT facilitates centralized logging by using a standard .LOG file format. Logs can be located in %TEMP%\RezOvation GT\ as well as %SYSTEMDRIVE%\Windows\Temp\RezOvation GT\. SERVICES AND PROTOCOLS (PA-‐DSS 5.4.C) The application must only use or require use of necessary and secure e services, protocols, daemons, components. PCI requires that you list all required protocols, services and dependent software and hardware that are necessary for any functionality of the payment application, including those provided by third parties. RezOvation GTdoes not require the use of any insecure services or protocols. Here are the services and protocols that RezOvation GT does require: • • SSL HTTPS PCI-‐COMPLIANT WIRELESS SETTINGS (PA-‐DSS 6.1.F AND 6.2.B) RezOvation GT does not support wireless technologies. However should a merchant implement wireless access withing the cardholder data environment, the following guidelines for secure wireless settings must be followed per PCI Data Security Standard 1.2.3, 2.1.1 and 4.1.1: 1.2.3: Perimeter firewalls must be installed between any wireless networks and systems that store cardholder data, and these firewalls must deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. 2.1.1: • • • • • All wireless networks implement strong encryption (e.g. AES) Encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions Default SNMP community strings on wireless devices were changed Default passwords/passphrases on access points were changed Firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks (for example, WPA/WPA2) REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 29 • Other security-‐related wireless vendor defaults, if applicable 4.1.1: Industry best practices are used to implement strong encryption for the following over the wireless network in the cardholder data environment (4.1.1): • • Transmission of cardholder data Transmission of authentication data o Payment applications using wireless technology must facilitate the following regarding use of WEP: o For new wireless implementations, it is prohibited to implement WEP as of March 31, 2009. o For current wireless implementations, it is prohibited to use WEP after June 30, 2010. Note: The use of WEP as a security control was prohibited as of June 30, 2010. NEVER STORE CARDHOLDER DATA ON INTERNET-‐ACCESSIBLE SYSTEMS (PA-‐DSS 9.1.B) Never store cardholder data on Internet-‐accessible systems (e.g., web server and database server must not be on same server.) PCI-‐COMPLIANT REMOTE ACCESS (10.2) The PCI standard requires that if employees, administrators, or vendors are granted remote access to the payment processing environment; access should be authenticated using a two-‐factor authentication mechanism. The means two of the following three authentication methods must be used: 1. 2. 3. Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric PCI-‐COMPLIANT DELIVERY OF UPDATES (PA-‐DSS 10.3.1) RezOvation GT delivers patches and updates in a secure manner providing a secure chain of trust per requirements in PA-‐DSS 7.2.a, including: • Timely development and deployment of patches and updates. o • Delivery in a secure manner with a known chain-‐of-‐trust. o • Updates are typically deployed once per quarter, whereas hotfixes are deployed on an as-‐needed basis. Patches are delivered using the RezOvation GT automatic update process. Delivery in a manner that maintains the integrity of the deliverable. o Patches are delivered over HTTPS REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 30 • Integrity testing of patches or updates prior to installation. o Patches and updates are signed by the HomeAway certificated and validated at run time by the Windows installer. As a development company, we keep abreast of the relevant security concerns and vulnerabilities in our area of development and expertise. In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data. The following is a very basic plan every merchant/service provider should adopt in developing and implementing a security policy and program: • • • • • Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements. Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data. Create an action plan for on-‐going compliance and assessment. Implement, monitor and maintain the plan. Compliance is not a one-‐time event. Regardless of merchant or service provider level, all entities should complete annual self-‐assessments using the PCI Self Assessment Questionnaire. Call in outside experts as needed. Once we identify a relevant vulnerability, we work to develop & test a patch that helps protect RezOvation GT against the specific, new vulnerability. We attempt to publish a patch within 14 days of the identification of the vulnerability. We will then contact vendors and dealers to encourage them to install the patch. Typically, merchants are expected to respond quickly to and install available patches within 30 days. We do not deliver software and/or updates via remote access to customer networks. Instead, software and updates are available by using the automatic update functionality within RezOvation GT. PCI-‐COMPLIANT REMOTE ACCESS (10.3.2.B) The PCI standard requires that if employees, administrators, or vendors are granted remote access to the payment processing environment; access should be authenticated using a two-‐factor authentication mechanism (username/ password and an additional authentication item such as a token or certificate). In the case of vendor remote access accounts, in addition to the standard access controls, vendor accounts should only be active while access is required to provide service. Access rights should include only the access rights required for the service rendered, and should be robustly audited. If users and hosts within the payment application environment may need to use third-‐party remote access software such as RDP, LogMeIn, etc. to access other hosts within the payment processing environment, special care must be taken. In order to be compliant, every such session must be encrypted with at least 128-‐bit encryption (in addition to satisfying the requirement for two-‐factor authentication required for users connecting from outside the payment processing environment). REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 31 For RDP this means using the high encryption setting on the server, and for LogMeIn encryption is automatic. Additionally, the PCI user account and password requirements will apply to these access methods as well. When requesting support from a vendor, reseller, or integrator, customers are advised to take the following precautions: • • • • • • • • • Change default settings (such as usernames and passwords) on remote access software (e.g. VNC) Allow connections only from specific IP and/or MAC addresses Use strong authentication and complex passwords for logins according to PA-‐DSS 3.1.1 – 3.1.10 and PCI DSS 8.1, 8.3, and 8.5.8-‐8.5.15 Enable encrypted data transmission according to PA-‐DSS 12.1 and PCI DSS 4.1 Enable account lockouts after a certain number of failed login attempts according to PA-‐DSS 3.1.8 and PCI DSS 8.5.13 Require that remote access take place over a VPN via a firewall as opposed to allowing connections directly from the internet Enable logging for auditing purposes Restrict access to customer passwords to authorized reseller/integrator personnel. Establish customer passwords according to PA-‐DSS 3.1.1 – 3.1.10 and PCI DSS Requirements 8.1, 8.2, 8.4, and 8.5. DATA TRANSPORT ENCRYPTION (PA-‐DSS 11.1.B) The PCI DSS requires the use of strong cryptography and encryption techniques with at least a 128 bit encryption strength (either at the transport layer with SSLV3 or IPSEC; or at the data layer with algorithms such as RSA or Triple-‐DES) to safeguard cardholder data during transmission over public networks (this includes the Internet and Internet accessible DMZ network segments). PCI DSS requirement 4.1: Use strong cryptography and security protocols such as secure sockets layer (SSLV3) / transport layer security (TLS 1.0 or higher) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are: • The Internet • Wireless technologies • Global System for Mobile Communications (GSM) • General Packet Radio Service (GPRS) Refer to the Dataflow diagram for an understanding of the flow of encrypted data associated with RezOvation GT PCI-‐COMPLIANT USE OF END USER MESSAGING TECHNOLOGIES (PA-‐DSS 11.2.B) RezOvation GT does not allow or facilitate the sending of PANs via any end user messaging technology (for example, e-‐mail, instant messaging, and chat). NON-‐CONSOLE ADMINISTRATION (PA-‐DSS 12.1) Although RezOvation GT does not support non-‐console administration and we do not recommend using non-‐console administration, should you ever choose to do this, must use SSH, VPN, or SSLV3/TLS 1.0 or higher for encryption of this non-‐ console administrative access. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 32 NETWORK SEGMENTATION The PCI DSS requires that firewall services be used (with NAT or PAT) to segment network segments into logical security domains based on the environmental needs for internet access. Traditionally, this corresponds to the creation of at least a DMZ and a trusted network segment where only authorized, business-‐justified traffic from the DMZ is allowed to connect to the trusted segment. No direct incoming internet traffic to the trusted application environment can be allowed. Additionally, outbound internet access from the trusted segment must be limited to required and justified ports and services. • Refer to the standardized Network diagram for an understanding of the flow of encrypted data associated with RezOvation GT. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | CONSIDERATIONS FOR THE IMPLEMENTATION OF PAYMENT APPLICATION IN A PCI-‐COMPLIANT ENVIRONMENT Copyright 2013 HomeAway Software, Inc. 33 MAINTAIN AN INFORMATION SECURITY PROGRAM In addition to the preceding security recommendations, a comprehensive approach to assessing and maintaining the security compliance of the payment application environment is necessary to protect the organization and sensitive cardholder data. The following is a very basic plan every merchant/service provider should adopt in developing and implementing a security policy and program: • • • • • Read the PCI DSS in full and perform a security gap analysis. Identify any gaps between existing practices in your organization and those outlined by the PCI requirements. Once the gaps are identified, determine the steps to close the gaps and protect cardholder data. Changes could mean adding new technologies to shore up firewall and perimeter controls, or increasing the logging and archiving procedures associated with transaction data. Create an action plan for on-‐going compliance and assessment. Implement, monitor and maintain the plan. Compliance is not a one-‐time event. Regardless of merchant or service provider level, all entities should complete annual self-‐assessments using the PCI Self Assessment Questionnaire. Call in outside experts as needed. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | MAINTAIN AN INFORMATION SECURITY PROGRAM Copyright 2013 HomeAway Software, Inc. 34 APPLICATION SYSTEM CONFIGURATION Below are the operating systems and dependent application patch levels and configurations supported and tested for continued PCI DSS compliance. • • • • • Microsoft Windows XP Service Pack 3, Windows Vista, Windows 7, Windows 8, Windows 2003 Server, or Windows 2008 Server. All latest updates and hot-‐fixes should be tested and applied. 512 MB of RAM minimum, 2GB or higher recommended for Payment Application 1 GB of available hard-‐disk space TCP/IP network connectivity SQL Server 2008 Express. All latest updates and hot-‐fixes should be tested and applied. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | APPLICATION SYSTEM CONFIGURATION Copyright 2013 HomeAway Software, Inc. 35 PAYMENT APPLICATION INITIAL SETUP & CONFIGURATION INSTALLING THE PAYMENT APPLICATION To install RezOvation GT, please follow the steps in the Installation Guide, which is available on http://www.rezovation.com/RezOvationGT/documentation.html DEFINING THE PAYMENT GATEWAY To set up the payment gateway, please follow these steps: 1. 2. 3. 4. 5. Obtain a connection ticket for your Intuit account. Please refer to the instructions sent to you by Intuit for more details. Open RezOvation GT and navigate to the configuration section, then select the Credit Card Processing link from the Payment and Accounting Integration section on the right. Check the box to enable processing for Booking Engine, PMS, or both. Enter your Intuit connection ticket. Press OK. CONDUCTING TEST TRANSACTIONS 1. 2. 3. 4. 5. 6. 7. Create a new reservation in RezOvation GT. From the transactions section, select Payment > Credit Card. Set the amount to $1.00. Set to the Card Type to Visa, enter the card number 4111111111111111, and set the expiration date to some date in the future. Press OK. You should receive a payment declined message. If you do, your account is working normally. If you receive any other error message, please contact the Support Team for assistance. HOW TO UPGRADE • • Automatic updates are delivered securely using SSL and automatically from our remote server. Learn more about enabling automatic updates with RezOvation GT. Updates can be applied manually as needed. Learn more about manually installing updates. RESETTING ADMINISTRATOR PASSWORDS 1. 2. 3. 4. 5. 6. Open RezOvation GT. Log in as a user with account administration privileges. Navigate to the configuration section, and then select Users from the Additional Settings section on the right. Locate the administrator user(s), and select the user you wish to edit. Click the Edit button. Change the password. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | PAYMENT APPLICATION INITIAL SETUP & CONFIGURATION Copyright 2013 HomeAway Software, Inc. 36 UPDATING YOUR ENCRYPTION KEY Encryption keys are automatically changed once per year. To manually refresh or rotate the encryptions keys, please follow these steps: 1. 2. 3. Open RezOvation GT and select the Configuration icon, or select View > Configuration from the menu. Go to the Property Settings section, and select the link for Payments and Cancellation Fees. Go to the section titled “Encryption key management”, and click the link to manually change the encryption key. 4. The encryption key will be changed. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | PAYMENT APPLICATION INITIAL SETUP & CONFIGURATION Copyright 2013 HomeAway Software, Inc. 37 HOW USE REZOVATION GT TO ENSURE COMPLIANCE The following details how you must set up your network and your RezOvation GT software in order to meet the compliance requirements. Failure to follow the steps below could leave your network and software vulnerable to a security breach. 1. DO NOT RETAIN FULL MAGNETIC STRIPE OR CVV2 DATA HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS No specific setup within RezOvation GT is required. RezOvation GT does not store magnetic stripe data or CVV2 (security code) data, so if you are using RezOvation GT to process credit cards, then you are in compliance. When you process a credit card through RezOvation GT, you have the option of entering a CVV2 code if you are processing a card not present transaction. If you enter the CVV2 number at this time, it is only used for processing, and is not stored. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS You should never write down or otherwise store CVV2 data. For example, you should not store CVV2 data in a custom field in RezOvation GT. 2. PROTECT STORED DATA HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS RezOvation follows best practices with regards to protecting and storing sensitive data: • • • • • • • • RezOvation GT does not store magnetic stripe data, card validation codes or values, PIN numbers, or PIN block data. Stored data is protected using encryption. All data that is transmitted over the Internet is encrypted using SSL. Credit card numbers are displayed masked in the software. If a credit card number (PAN) is included on any documents that can be printed or emailed (such as an invoice or folio), then the PAN is always displayed masked. You should restrict access to certain users so that they are not able to view credit card data. If you choose to use the automatic backup feature, then sensitive data, such as PAN, is deleted for you automatically from the backup data. Key management processes are not necessary because cryptographic keys are rotated automatically once per year. For more information about key management processes, click here. RezOvation GT also allows you to delete credit card data on a pre-‐defined schedule. Please follow the instructions below to set the credit card data delete parameters: 1. 2. Open RezOvation GT and select the Configuration icon, or select View > Configuration from the menu. Go to the Property Settings section, and select the link for Payments and Cancellation Fees. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 38 3. 4. 5. Go to the Credit card delete settings section, and choose the appropriate option. Whatever option you choose will determine how both past and future credit card data is handled. For example, if you choose the option to “Delete credit cards 7 days after charge is recorded”, then payments recorded more than 7 days ago will have the associated credit cards deleted. Note that in all cases, the last 4 digits and expiration date of the credit card are stored. In addition, the full card number is never required for refunds or voids if you are using the QBMS system for processing credit cards. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS In order to meet the compliance requirements, you will need to observe the following: • • • • • • Enter all necessary credit card data into RezOvation GT rather than storing in unsecure locations. Use the provided data fields in RezOvation GT to enter credit card data. Never enter credit card PAN, CVV2, or magnetic stripe data in custom fields or other fields that are not specifically provided for credit card data. Do not keep hard or written copies of card data. Do not include card data in any emails or other correspondence. Do not keep unneeded card data. Use the data purge features in RezOvation GT referenced above to automatically purge data after a specified period. We recommend using the option to purge data immediately after processing. If you choose to manually back up your database, then you should also regularly delete or safely archive databases. We recommend that you use our automatic backup feature, which purges credit data automatically. If you suspect that your network has been breached or your database has been accessed by an unauthorized person, you can change the encryption keys used to store credit card data. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 39 3. USE SECURE PASSWORDS HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS RezOvation GT supports enabling user login and passwords. To add a user and manage user access settings and passwords, please do the following: 1. Click the Configuration icon or select View > Program Configuration from the menu to display the Configuration window. 2. Click Users in the Software Settings section. 3. This will display the Add / Edit Users screen. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 40 4. Click the Add button to add a new user. 5. Configure the following options: • User Information -‐ Enter a first name, last name, login name, and password. • Set access levels for customer and reservation data -‐ select "Read and modify" for full access, select "Read only" for limited access, or select "No access" to restrict all access. • Set access levels to configuration -‐ select "Read and modify" for full access, or select "No access" to restrict all access. • Access to PMS reports -‐ select the report sections that the user should have access to. • Access to data export -‐ select QuickBooks to provide access to the QuickBooks export, select Marketing to provide access to the email or mail marketing list export, and select Backup Database to provide access to the manual backup option. • Credit card security settings -‐ select View full credit card numbers if you wish to give the user the ability to view credit cards attached to an invoice; select Allow refunds without referencing transactions if you wish to give the user the ability to apply a refund to a credit card without requiring an originating transaction. • Disable the option for Allow refunds without referencing transactions for all users. Only the administrator should be granted this permission. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 41 WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS In order to meet the compliance requirements, you will need to observe the following: • • • • • • • • • • • Do not use default administrative accounts for payment application logins (e.g., don’t use the “Administrator” account to log in to). Assign secure authentication to these default accounts (even if they won’t be used), and then disable or do not use the accounts. Do not use group, shared, or generic accounts and passwords. Change user passwords at least every 90 days. Require a minimum password length of at least seven characters. Use passwords containing both numeric and alphabetic characters. Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. Limit repeated access attempts by locking out the user ID after not more than six attempts. Set the lockout duration to thirty minutes or until administrator enables the user ID. If a session has been idle for more than 15 minutes, require the user to re-‐enter the password to re-‐activate the terminal. See “Windows password policies”, “Windows account lockout policies”, and “Screensaver and idle lockout” below for instructions on how to configure Windows to comply with the PCI standards. Windows password policies. Windows provides the ability to configure password policies. To access this configuration, go to Start > Control Panel > Administrative Tools, and open Local Security Policy. Expand Account Policy from the tree menu on the left, and click Password Policy. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 42 You will need to use the following settings: • • • • • • Enforce password history: 4 passwords remembered Maximum password age: 90 days Minimum password age: 0 days Minimum password length: 7 characters Password must meet complexity requirements: Enabled Store password using reversible encryption: Disabled Note that “Password must meet complexity requirements” will enforce the following requirements for all Windows passwords: • • • • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: o English uppercase characters (A through Z) o English lowercase characters (a through z) o Base 10 digits (0 through 9) o Non-‐alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. Windows account lockout policies. Windows provides the ability to configure account lockout policies. To access this configuration, go to Start > Control Panel > Administrative Tools, and open Local Security Policy. Expand Account Policy from the tree menu on the left, and click Account Lockout Policy. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 43 You will need to make the following changes: • • • Account Lockout Duration: 30 (minutes) Account Lockout Threshold: 6 invalid login attempts Reset account lockout counter after: 30 (minutes) Screensaver and idle lockout. Windows provides the ability to lock the computer after the computer has been idle for a period of time and when the screensaver is active. To access this configuration, right-‐click on the Desktop and choose Properties or select Start > Control Panel > Display. Select the Screen Saver tab. Select a screen saver option (e.g. Windows XP), set the wait time, and check the box for “On resume, password protect”. Click Apply or OK to save the changes. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 44 4. LOG APPLICATION ACTIVITY HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS 4.1.b: RezOvation GT has PA-‐DSS compliant logging enabled by default. Disabling or subverting the logging function of RezOvation GT in any way will result in non-‐compliance with PCI DSS. In addition, RezOvation GT logs user and program activity to the Windows application & security logs. Audit trails and user access logging can obtained by following the Windows audit procedures. To access the Windows logs, go to Start > Control Panel > Administrative Tools and open Event Viewer. To view user login activity and to track which accounts / users are accessing your system, select Security from the tree view on the left. To view application activity, including activity for RezOvation GT, select Application from the tree view on the left. 4.4.b: RezOvation GT facilitates centralized logging by using a standard .LOG file format. Logs can be located in %TEMP%\RezOvation GT\ as well as %SYSTEMDRIVE%\Windows\Temp\RezOvation GT\. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS Regularly review the Windows event logs, in particular the Security logs, to look for any suspicious or unauthorized activity. 5. PROTECT WIRELESS TRANSMISSIONS HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 45 By design, RezOvation GT protects sensitive data that is sent over a wireless network. • • All data that is transmitted over the Internet is encrypted using SSL. Remote access to RezOvation GT requires the use of VPN or other secure tunneling software. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS In order to meet the compliance requirements, you must observe the following: • • • • • If wireless network is being used, a firewall must be used as well. We recommend using both a hardware firewall and software firewall for maximum security. For laptops, a software firewall is highly recommended if you travel with the laptop. WEP (wired equivalent privacy) should not be used, as it is considered insecure and can easily be circumvented. Encrypt all wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Change wireless vendor defaults, including but not limited to, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Install personal firewall software on any mobile and employee-‐owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network. 6. SECURE THE NETWORK HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS By design, RezOvation GT protects sensitive data that is sent over a wireless network: • • All data that is transmitted over the Internet is encrypted using SSL. Remote access to RezOvation GT requires the use of VPN or other secure tunneling software. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 46 WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS In order to meet the compliance requirements, you must observe the following: • • • Your network should be configured similarly to the diagram below. You will need to install and maintain a firewall. Please see our Firewall Guide for more information on firewalls as well as instructions on how to configure your firewall with RezOvation GT. You will need to install and maintain antivirus software. Most good software firewall applications also include antivirus software, so you should check for this option when choosing a firewall software package. 7. SERVER COMPUTERS CONNECTED TO THE INTERNET HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS By default, RezOvation GT uses SSL for all transmissions made through the Internet. No setup steps are required. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS If you install the RezOvation GT application on a server or other computer that is connected to the internet, you must observe the following: • • Ensure that the server is not on the DMZ. Ensure that the server is behind a firewall. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 47 • Follow the procedures for securing your network. 8. SOFTWARE UPDATES HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS RezOvation GT includes an automatic update feature to regularly and quickly apply any necessary updates. • • Automatic updates are delivered securely using SSL and automatically from our remote server. Learn more about enabling automatic updates with RezOvation GT. Updates can be applied manually as needed. Learn more about manually installing updates. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS You should enable automatic updates in RezOvation GT. 9. SECURE REMOTE ACCESS TO APPLICATION HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS RezOvation GT requires a VPN or similar encrypted secure tunneling software in order to access the application remotely. As such, users of RezOvation GT will meet the requirement for two-‐factor authentication if: • • The secure tunneling software requires a password for the user access to the network, and encrypts all data between the remote and local networks; RezOvation GT is configured to require passwords to log in to the application. On occasion, you may need to provide data to RezOvation support in order to troubleshoot a problem that you are experiencing with the software. Our policy regarding your data is as follows: • • • • • • • We use the LogMeIn Rescue remote troubleshooting application whenever it is necessary to connect to your computer, which encrypts all traffic over SSL. It includes the following features: o Customers must permit a technician to use each LogMeIn Rescue function (Remote Control, Desktop View, File Transfer, System Information, and Reboot & Reconnect) o Customers can choose to terminate the session at any time o All traces of the Customer Applet disappear from the remote PC when the session is finished o Employs end-‐to-‐end, 256-‐bit SSL encryption – the same security levels used and trusted by major banking institutions. Whenever possible, we will not gather data locally. Instead, we use remote troubleshooting applications that require your express permission to access your computer, and which encrypts all traffic over SSL. We will never request magnetic stripe data, card validation codes, PINs, or PIN block numbers. Data is only gathered with your express permission, and only when required to resolve the specific problem. We will never gather data that is not needed to solve the specific problem. Data is encrypted and stored in locations that have limited access. Data is deleted immediately after use. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 48 REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 49 WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS If you require remote access to RezOvation GT, we recommend the following: • • Use a secure remote access application such as LogMeIn or GoToMyPC. If you need to set up network access from a remote location, use VPN or secure tunneling software such as Hamachi. 10. ENCRYPTION OF SENSITIVE TRAFFIC OVER PUBLIC NETWORKS HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS RezOvation GT uses SSL for all transmissions made through the Internet. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS Install and maintain a firewall. If you have a wireless network, follow the wireless network setup requirements. 11. ENCRYPTION OF NON-‐CONSOLE ADMINISTRATIVE ACCESS HOW TO SET UP REZOVATION GT TO MEET THE COMPLIANCE REQUIREMENTS There is no non-‐console admin access for RezOvation GT. In addition, RezOvation GT fully supports the use of VPN and SSL connections for remote user access. In no case can a remote user access RezOvation GT without using a secure tunneling connection such as VPN. In addition, all data transmitted over the Internet is encrypted using SSL. WHAT YOU NEED TO DO TO MEET THE COMPLIANCE REQUIREMENTS No action is required. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | HOW USE REZOVATION GT TO ENSURE COMPLIANCE Copyright 2013 HomeAway Software, Inc. 50 REZOVATION GT SECURITY FEATURES AND POLICIES The following covers the various security features available in RezOvation GT. PROTECTION AND STORAGE OF SENSITIVE DATA RezOvation follows best practices with regards to protecting and storing sensitive data: • • • RezOvation GT does not store magnetic stripe data, card validation codes or values, PIN numbers, or PIN block data. Stored data is protected using encryption. All data that is transmitted over the Internet is encrypted using SSL. PURGING OF SENSITIVE DATA RezOvation GT allows users to delete credit card data on a pre-‐defined schedule. Please follow the instructions below to set the credit card data delete parameters. 7. 8. 9. Open RezOvation GT and select the Configuration icon, or select View > Configuration from the menu. Go to the Property Settings section, and select the link for Payments and Cancellation Fees. Go to the Credit card delete settings section, and choose the appropriate option. 10. Whatever option you choose will determine how both past and future credit card data is handled. For example, if you choose the option to “Delete credit cards 7 days after charge is recorded”, then payments recorded more than 7 days ago will have the associated credit cards deleted. 11. Note that in all cases, the last 4 digits and expiration date of the credit card are stored. In addition, the full card number is never required for refunds or voids if you are using the QBMS system for processing credit cards. 12. Credit card numbers recorded during the online reservation process are deleted from the RezOvation servers immediately after the data is transferred to your local computer. 13. Credit card numbers are deleted from the automatic backups. CRYPTOGRAPHIC KEYS Cryptographic keys (or encryption keys) are used to encrypt data in your database. Sensitive data, including credit card PANs, are stored using a unique encryption key. RezOvation uses the following methods for handling encryption keys: • • • Encryption keys are stored encrypted in the database. Encryption keys are cycled at least once per year, and can be cycled manually as needed. Keys used by previous versions are deleted. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | REZOVATION GT SECURITY FEATURES AND POLICIES Copyright 2013 HomeAway Software, Inc. 51 • Please view the section on encryption for more information about encryption in RezOvation GT, how encryption keys are managed, etc. USER ACCESS RezOvation GT includes a number of features which allow you to manage user access. • • • • • You can assign unique user IDs and passwords to each user in the system. Please view our user account setup guide for information on creating and managing user accounts. RezOvation GT does not require Windows administrative access if you have configured it to use network / remote clients. Only the main (server) computer requires Windows administrative access, and typically this is only required when installing the program. Please see our documentation on configuring RezOvation GT in a network for more information about setting up network / remote clients. RezOvation GT can be run from unique Windows user accounts, so that you can create unique user IDs in Windows. This allows you to track the activity of each Windows user account using the Windows audit procedures. You should only provide administrative access to users who require it. You should disable or delete any unused user accounts. AUDIT TRAILS RezOvation GT logs user and program activity to the Windows application & security logs. Audit trails and user access logging can obtained by following the Windows audit procedures. WIRELESS NETWORKS RezOvation GT is designed to allow secure use over both wired and wireless networks. • • • • In all cases, you should implement a secure wireless network using strong security such as WPA. All data sent from RezOvation GT over the Internet is encrypted using SSL. Remote access to RezOvation GT requires the use of VPN or other secure tunneling software. You should never use default settings or passwords for your wireless devices, as these settings are easily discovered through the public domain. Always change the default settings and passwords for your wireless network before you begin using RezOvation GT in a wireless environment. Please click here for resources relating to wireless security and network configuration. SECURE DELIVERY OF SOFTWARE UPDATES RezOvation GT includes an automatic update feature to regularly and quickly apply any necessary updates. • • Automatic updates are delivered securely using SSL and automatically from our remote server. Learn more about enabling automatic updates with RezOvation GT. Updates can be applied manually as needed. Learn more about manually installing updates. REMOTE ACCESS TO APPLICATION REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | REZOVATION GT SECURITY FEATURES AND POLICIES Copyright 2013 HomeAway Software, Inc. 52 PA-‐DSS requirements state that applications should implement two-‐factor authentication for remote access to a payment application. RezOvation GT requires a VPN or similar encrypted secure tunneling software in order to access the application remotely. As such, users of RezOvation GT will meet the requirement for two-‐factor authentication if: • • The secure tunneling software requires a password for the user access to the network, and encrypts all data between the remote and local networks; RezOvation GT is configured to require passwords to log in to the application. SECURE TRANSMISSION OF CARDHOLDER DATA OVER PUBLIC NETWORKS RezOvation GT uses SSL for all transmissions (including credit card processing) made over the Internet or other remote / public networks. ENCRYPTION OF CARDHOLDER DATA SENT OVER END-‐USER MESSAGE TECHNOLOGIES Credit card data displayed in reports or emails is always masked (last 4 digits are displayed). Full credit card numbers are never sent via email or printed in reports. ENCRYPTION OF NON-‐CONSOLE ADMINISTRATIVE ACCESS RezOvation GT fully supports the use of VPN and SSL connections for remote user access. In no case can a remote user access RezOvation GT without using a secure tunneling connection such as VPN. In addition, all data transmitted over the Internet is encrypted using SSL. DATA GATHERED AS A RESULT OF TROUBLESHOOTING On occasion, you may need to provide data to RezOvation support in order to troubleshoot a problem that you are experiencing with the software. Our policy regarding your data is as follows: • • • • • • Whenever possible, we will not gather data locally. Instead, we use remote troubleshooting applications that require your express permission to access your computer, and which encrypts all traffic over SSL. We will never request magnetic stripe data, card validation codes, PINs, or PIN block numbers. Data is only gathered with your express permission, and only when required to resolve the specific problem. We will never gather data that is not needed to solve the specific problem. Data is encrypted and stored in locations that have limited access. Data is deleted immediately after use. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | REZOVATION GT SECURITY FEATURES AND POLICIES Copyright 2013 HomeAway Software, Inc. 53 ENCRYPTION COMPLIANCE WITH STANDARDS All sensitive data stored in the RezOvation GT database, including PANs, are encrypted using 128 bit Triple DES encryption. When you first create your RezOvation GT database, a unique encryption key is automatically created. This key is then automatically regenerated one per year, and can be manually generated at any time. KEY STORAGE METHOD Encryption keys are always stored encrypted in the RezOvation GT database. KEY ROTATION Keys are automatically rotated once per year. You can also manually rotate the keys. OLD KEYS Old encryption keys are overwritten whenever a new key is generated. As a result, old keys cannot be recovered. REFRESHING KEYS MANUALLY To manually refresh or rotate the encryptions keys, please follow these steps: 5. 6. 7. Open RezOvation GT and select the Configuration icon, or select View > Configuration from the menu. Go to the Property Settings section, and select the link for Payments and Cancellation Fees. Go to the section titled “Encryption key management”, and click the link to manually change the encryption key. 8. The encryption key will be changed. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ENCRYPTION Copyright 2013 HomeAway Software, Inc. 54 ADDRESSING INADVERTENT CAPTURE OF PAN DISABLE SYSTEM RESTORE SETTINGS DISABLING SYSTEM RESTORE – WINDOWS XP Steps to turn off System Restore 1. 2. 3. 4. 5. Click Start, right-‐click My Computer, and then click Properties. In the System Properties dialog box, click the System Restore tab. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box. Click OK. When you receive the following message, click Yes to confirm that you want to turn off System Restore: You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer. Do you want to turn off System Restore? After a few moments, the System Properties dialog box closes. 6. Reboot the computer DISABLING SYSTEM RESTORE – WINDOWS 7 • • Right Click on Computer > Select “Properties” Select “System Protection” on the top left list, the following screen will appear: • Select Configure, the following screen will appear: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 55 • • • • Select “Turn off system protection” Click apply, and OK to shut the System Protection window Click OK again to shut the System Properties window Reboot the computer DISABLING SYSTEM RESTORE – WINDOWS 8 • Right Click on Computer > Select “Properties”: • Select “Advanced System Settings” from the System screen: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 56 • Select “System Protection” on the top left list, the following screen will appear: • Select Configure, the following screen will appear: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 57 • • • • Select “Disable system protection” Click apply, and OK to shut the System Protection window Click OK again to shut the System Properties window Reboot the computer ENCRYPT THE SYSTEM PAGEFILE.SYS – WINDOWS 7 & 8 * Please note that in order to perform this operation the hard disk must be formatted using NTFS. • • • Click on the Windows “Orb” and in the search box type in “cmd”. Right click on cmd.exe and select “Run as Administrator” To Encrypt the Pagefile type the following command: fsutil behavior set EncryptPagingFile 1 • To verify configuration type the following command: fsutil behavior query EncryptPagingFile REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 58 • • If encryption is enabled EncryptPagingFile = 1 should appear In the event you need to disable PageFile encryption type the following command: fsutil behavior set EncryptPagingFile 0 • To verify configuration type the following command: fsutil behavior query EncryptPagingFile • If encryption is disabled EncryptPagingFile = 0 should appear CLEAR THE SYSTEM PAGEFILE.SYS ON SHUTDOWN – WINDOWS XP, 7, AND 8 Windows has the ability to clear the Pagefile.sys upon system shutdown. This will purge all temporary data from the pagefile.sys (temporary data may include system and application passwords, cardholder data (PAN/Track), etc.). NOTE: Enabling this feature may increase windows shutdown time. • • • • • Click on the Windows “Orb” and in the search box type in “regedit”. Right click on regedit.exe and select “Run as Administrator” Navigate to HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown Change the value from 0 to 1 Click OK and close Regedit REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 59 • If the value does not exist, add the following: o Value Name: ClearPageFileAtShutdown o Value Type: REG_DWORD o Value: 1 DISABLE SYSTEM MANAGEMENT OF PAGEFILE.SYS WINDOWS XP AND 7 • • Right Click on Computer > Select “Properties” Select “Advanced System Settings” on the top left list, the following screen will appear: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 60 • Under performance select “Settings” and go to the “Advanced” tab, the following screen will appear: • Select “Change” under Virtual Memory, the following screen will appear: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 61 • • • • • Uncheck “Automatically manage page file size for all drives” Select “Custom Size” Enter the following for the size selections: o Initial Size – as a good rule of thumb, the size should be equivalent to the amount of memory in the system. o Maximum Size – as a good rule of thumb, the size should be equivalent to 2x the amount of memory in the system. Click “OK”, “OK”, and “OK” You will be prompted to reboot your computer. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 62 WINDOWS 8 • Right Click on Computer > Select “Properties”: • Select “Advanced System Settings” from the System screen: • Select the “Advanced” tab: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 63 • Under performance select “Settings” and go to the “Advanced” tab, the following screen will appear: • Select “Change” under Virtual Memory, the following screen will appear: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 64 Uncheck “Automatically manage page file size for all drives” Select “Custom Size” Enter the following for the size selections: o Initial Size – as a good rule of thumb, the size should be equivalent to the amount of memory in the system. o Maximum Size – as a good rule of thumb, the size should be equivalent to 2x the amount of memory in the system. • Click “Ok”, “OK”, and “OK” You will be prompted to reboot your computer. • • • DISABLE WINDOWS ERROR REPORTING WINDOWS XP • Open System in Control Panel. 2. • On the Advanced tab, click Error Reporting. 3. • Click Disable error reporting or Enable error reporting. WINDOWS 7 • • • Open the Control Panel Open the Action Center Select “Change Action Center Settings” REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 65 • Select “Problem Reporting Settings” REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 66 • Select “Never Check for Solutions” WINDOWS 8 • From the desktop hold down the “Windows” key and type “I” to bring up the “Settings” charm, select “Control Panel”. • Open the Action Center • Select “Change Action Center Settings”: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 67 • Select “Problem Reporting Settings”: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 68 • Select “Never Check for Solutions”: REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | ADDRESSING INADVERTENT CAPTURE OF PAN Copyright 2013 HomeAway Software, Inc. 69 WINDOWS SECURITY OVERVIEW OF WINDOWS SECURITY One of the important elements in maintaining a secure system is to use the built-‐in security features of Microsoft Windows. These features include: • • • • Password policies Account lockout policies Idle time and screensaver lockout Audit trail We also recommend following some best practices in terms of Windows security: • • • • Turn on Windows automatic updates and make sure that your computer is always up to date with the latest security patches and updates. Do not share Windows accounts between users. All users should have their own unique user accounts. You should communicate your security and password policies to any employees that have access to your systems or to sensitive cardholder data. If you allow vendors or contractors to access your systems remotely, you should provide with accounts that are only available temporarily, or change your passwords on any existing accounts that you give them access to. Note: If you contact RezOvation support for assistance, our support team typically does not need account access to Windows, and REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 70 • • • can only access your system with express permission from you, and only for the time period that you allow. In this case, there is no need to change your passwords or provide temporary account access. Inactive Windows user accounts should be removed at least every 90 days. Whenever possible, do not allow public access to computers. If you do allow public access, you should set up idle lockout policies on these computers. Turn off Windows Restore Point. This can cause remnants of memory to be permanently written to the hard drive, which means that sensitive data such as credit card information may be stored permanently. For more information about using Windows in a secure fashion, please review the topics below. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 71 PASSWORD POLICIES Windows provides the ability to configure password policies. To access this configuration, go to Start > Control Panel > Administrative Tools, and open Local Security Policy. Expand Account Policy from the tree menu on the left, and click Password Policy. The following settings are recommended by the PCI standard: • • • • • • Enforce password history: 4 passwords remembered Maximum password age: 90 days Minimum password age: 0 days Minimum password length: 7 characters Password must meet complexity requirements: Enabled Store password using reversible encryption: Disabled Note that “Password must meet complexity requirements” will enforce the following requirements for all Windows passwords: • • • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: o English uppercase characters (A through Z) o English lowercase characters (a through z) o Base 10 digits (0 through 9) o Non-‐alphabetic characters (for example, !, $, #, %) REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 72 • Complexity requirements are enforced when passwords are changed or created. ACCOUNT LOCKOUT POLICIES Windows provides the ability to configure account lockout policies. To access this configuration, go to Start > Control Panel > Administrative Tools, and open Local Security Policy. Expand Account Policy from the tree menu on the left, and click Account Lockout Policy. The PCI standard suggests the following changes: • • • Account Lockout Duration: 30 (minutes) Account Lockout Threshold: 6 invalid login attempts Reset account lockout counter after: 30 (minutes) REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 73 SCREENSAVER AND IDLE LOCKOUT Windows provides the ability to lock the computer after the computer has been idle for a period of time and when the screensaver is active. To access this configuration, right-‐click on the Desktop and choose Properties, or select Start > Control Panel > Display. Select the Screen Saver tab. Select a screen saver option (e.g. Windows XP), set the wait time, and check the box for “On resume, password protect”. Click Apply or OK to save the changes. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 74 WINDOWS AUDIT TRAIL Windows provides the ability to track user and application activity via the Event Viewer. To access this configuration, go to Start > Control Panel > Administrative Tools and open Event Viewer. To view user login activity and to track which accounts / users are accessing your system, select Security from the tree view on the left. To view application activity, including activity for RezOvation GT, select Application from the tree view on the left. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 75 WINDOWS XP RESTORE POINT Windows provides the ability to create system restore points. Unfortunately, this can cause remnants of memory to be permanently written to the hard drive. Credit card transactions will sometimes write items to the volatile memory of the system, and the system will in turn write these items to the disk in the file(s) containing the restore point information. Therefore, in order for any Windows XP system where the RezOvation application will be running to be compliant with PCI DSS 1.2 and PA DSS 1.2, it is mandatory that restore points are disabled. To access the System Restore configuration, “right-‐click” on My Computer and select Properties. Then select the tab labeled System Restore. You will be presented with a display similar to this one: Select the Turn off System Restore check box and click the Apply button. Ignore any warnings concerning lost restore points etc. and select Yes to set it properly. You will have to restart the system. Once it has restarted, follow these instructions again to ensure no restore points are being used or are in existence. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | WINDOWS SECURITY Copyright 2013 HomeAway Software, Inc. 76 RESOURCES REZOVATION GT DOCUMENTATION • • • • • • • • RezOvation GT Installation Guide (PDF) RezOvation GT Quick Start Guide (PDF) RezOvation GT User Guide RezOvation GT user account setup guide RezOvation GT automatic backup information Updating RezOvation GT automatically Updating RezOvation GT manually Installing RezOvation GT on a network WHERE TO FIND OUT MORE ABOUT PA-‐DSS AND PCI-‐DSS • Please visit https://www.pcisecuritystandards.org/security_standards/index.php WIRELESS SECURITY • Wikipedia – Wireless Security WINDOWS AUTOMATIC UPDATES • How to configure and use Automatic Updates in Windows REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | RESOURCES Copyright 2013 HomeAway Software, Inc. 77 TERMINOLOGY PCI DSS: Acronym for Payment Card Industry Data Security Standard, the subject of this guide. Retailers that use applications, like Point of Sale, to process, store, or transmit payment card data to authorize or settle transactions are subject to this standard. PA DSS: Acronym for Payment Application Data Security Standard; a Visa standard for validation of payment processing applications, such as Property Management Software. PA-‐DSS-‐compliant applications have built-‐in card protection features, and provide tools and information to help innkeepers comply with the PCI DSS. PMS: Property management software (also called guest management software). RezOvation GT is considered to be property management software. Cardholder data: Cardholder’s name, card type, account number, and expiration date that may be stored on authorized card transactions. Sensitive data (also called card swipe data): Card or account verification and PIN information stored in the magnetic stripe on a payment card. Encryption: Process of encoding data so that it is unreadable to those without the proper permissions or “key” to decode it. PAN: Acronym for Primary Account Number. Storage of customers’ payment card PANs is the deciding factor whether the PCI DSS and PA-‐DSS standards apply to retailers and application vendors respectively. SSL: Secure sockets layer; a common encryption technology used to secure transmissions of data across public networks. Complex password: A password is typically considered “complex” if it meets certain complexity requirements. DMZ: In computer security, a demilitarized zone (DMZ), more appropriately known as a demarcation zone or perimeter network, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network, usually the Internet. See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing) for more information. VPN: A virtual private network (VPN) is a computer network which is used to securely tunnel a remote computer to provide secure access to a network. See http://en.wikipedia.org/wiki/Virtual_private_network for more information. REZOVATION GT 5.12 PA-‐DSS IMPLEMENTATION GUIDE | TERMINOLOGY Copyright 2013 HomeAway Software, Inc. 78