Payment Card Industry (PCI) Compliance - Frequently Asked Questions
Below is a list of the most commonly asked questions about PCI Compliance and the Hudson system.
What is PCI Compliance and what do I need to do to be “compliant”?
Any business that accepts credit cards has an established relationship with a bank or credit card processor. As part of the agreement you signed with that processor, you are contractually obligated to observe very specific security procedures in your business. This includes who has access to credit card information, how that information is recorded and stored, how you connect to the Internet and much more. Instead of each bank having its own requirements, most adhere to the standards put forth by the Payment Card Industry (PCI) Security Standards Council (SSC, aka PCI-SSC). This organization is made up of the major credit card issuers (VISA, Mastercard, AMEX, etc.). To be PCI compliant or PCI certified, you must 1) adhere to PCI standards in your business or obtain PCI certification, and 2) use a PA-DSS accepted payment application to process credit cards. While Hudson delivers on item #2, you as a business must complete item #1. For complete information on PCI Compliance for Merchants, please visit: PCI for Merchants.
What is the difference between PA-DSS Acceptance and PCI Compliance?
PA-DSS Acceptance is a process that software vendors undergo to ensure that the way they process and store credit card data falls within the PCI-SSC standards and guidelines. PCI Compliance is a process that merchants (Hudson clients) undergo to ensure that their business practices protect the security of their clients' credit card data. The link below will allow you to watch a QuickTime movie that explains the differences between these two programs and how they both affect you and your business.
...or watch it right now on YouTube.
How is credit card data protected in HGTS?
The HGTS suite uses a unique and very secure method of encryption (and always has). Credit card numbers are encrypted dynamically with a unique encryption key that changes for each and every record / reservation. HGTS generates a key that is a combination of the credit card number (which varies with almost every reservation), the reservation ID (which is never duplicated) and other information from the reservation. This means that there is no single key to manage, protect or change, and that a different encryption key is generated for each and every reservation / transaction in HGTS. Due to the robustness of this encryption process, which far exceeds the PA-DSS requirements, it is unnecessary to modify or change the Encryption Key in the Hudson system; this virtually eliminates the need for clients and users to have a key management policy in place.
What type of security does Hudson offer in their local and web systems?
Many layers of PCI compliant security have been built into Hudson systems. This begins with unique user access privileges in the HGTS local and web systems. A system administrator creates unique login accounts for their business. Each login account is protected with a secure password. See Login Security for detailed information regarding the login security options. Each account is then reviewed and privileges are assigned based on that user's function in the business. For example, only accounting staff should have the ability to generate invoices. The set of user access privileges is continuously evolving. When new features are added, a corresponding user privilege is often added, and by default that privilege is disabled unless later changed by a system administrator. Hudson clients have autonomous control over all levels of user access.
How secure is Hudson’s cloud hosting solution?
If you are using Hudson’s Cloud Computing offering, then your entire reservation system is hosted on state-of-the-art web servers that you access via the Internet from your office. To ensure the highest standards of security possible, Hudson neither owns nor has physical access to any of the web servers. Hudson employs the professional technical services of a hosting provider, INetU. This managed hosting provider has clients from the banking, finance, insurance and medical industries, all of which have rigorous data processing and storage security requirements. To meet those requirements, INetU has to exceed the PCI standards outlined above. The INetU servers and databases that Hudson clients use and access are all PCI Certified. For more information on the PCI compliance of our managed hosting provider, please visit their site at http://www.inetu.net/Assurances.aspx
Is the Hudson system PCI-Compliant?
Well - sort of! This isn’t really the right question to ask. Only a business that accepts credit cards as a method of payment can be named “PCI Compliant” or “PCI Certified”; therefore the Hudson system can never be called PCI-Compliant. We are, however, PA-DSS Accepted, which is actually even better. The Hudson Group has always observed the most stringent levels of security while developing its various systems. Each time Hudson integrates with a new credit card processor, we are checked and reviewed to ensure that credit card security is observed at all times. As Hudson has grown and expanded and is being selected as the payment application of choice by larger transportation clients around the world, it finally became appropriate to undergo the very stringent Payment Application Data Security Standard (PA-DSS) evaluation process. Hudson has retained the services of Trustwave, an approved Qualified Security Assessor, to test and review the HGTS product and how it processes credit cards. Begun in the spring of 2012, it took about 5 months for Hudson to meet all of the documentation requirements for PA-DSS acceptance. As of late December 2012, the HGTS application (version 1.94) has been named a PA-DSS Accepted payment application when installed and run on a Windows XP SP3 platform. Hudson is the first in the ground transportation software industry to achieve this designation according to the current (version 2.0) security standard. A list of accepted payment applications may be found at Validate Payment Applications. As 2013 continues, we will have our system evaluated for PA-DSS Acceptance on additional Windows Operating Systems. This will validate that the application performs in an equally secure manner on additional platforms. We will then be submitting additional systems and products to the same scrutiny and review process, including our Web reservation and mobile device systems.
UPDATE: In February 2014, Hudson’s PA-DSS Acceptance was extended by the PCI Security Standards Council to include the HGTS System, version 1.94, when installed on Windows 7 and Windows Server 2008 R2 Operating Systems. As Windows XP will no longer be supported and updated by Microsoft as of April 2014, this updated authorization is perfectly timed, as many people running Windows XP on their workstations will be looking to upgrade their operating systems. Windows Server 2008 R2 is the Operating System that Hudson has deployed across its cloud computing servers; it is the OS in use by over 65% of current Hudson clients. Only one other ground transportation application is PA-DSS accepted, and it is accepted against the older version 1.0 of the PCI Standard and only approved for existing installations of the software. It is NOT approved for new installations.
Where do I learn more about how to make my business PCI compliant?
The source for all official information and documentation regarding PCI requirements is found here: https://www.pcisecuritystandards.org. You can and should also consult your current credit card processor(s) for their requirements, which may differ slightly.
A quick reference guide for Merchants has also been added to the Hudson KB document: PCI Documents - Links.
If you are looking for broad based tips from a PCI security firm on how to reduce security vulnerability in your office and how to implement good security practices among your staff, consider visiting the Trustwave Security Resource Center.
To get additional, very detailed information on credit card and data security standards and procedures from individual card issuers, consider the links below:
- American Express
- Visa Asia Pacific
- Visa Canada
- Visa Central Europe, Middle East, Africa
- Visa Europe 1
- Visa Europe 2
- Visa Europe 3
- Visa Latin America and Caribbean
- Visa United States
What is a “Data Retention Policy”?
Part of a merchant being PCI compliant involves establishing a Data Retention Policy. This is an internal program whereby you determine for what period of time you will keep sensitive client data in storage. PCI standards require that you keep information for the shortest period of time necessary for the normal operation of your business. While many don’t think about it, it really should not be necessary to retain credit card information on old or stale reservations, user accounts, etc. If a customer has not used your service in 3 years, it is likely that their credit card has expired anyway. This expired information should not be saved or stored indefinitely. Reservations that were completed and paid more than a few months ago will also contain credit card data that should no longer be needed. Your Data Retention Policy defines how long you will retain this kind of information as well as how often you will purge stale records and how that purging will be accomplished. To be PA-DSS compliant, Hudson provides the ability for a system administrator to purge sensitive data from reservations, user profiles and payment transaction records (NOTE: purging data only removes credit card details - the user profile, reservation and transaction histories are not lost). More information on how to purge this data may be found here: PCI Compliance - Credit Card Data Purging.
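The purge described above, as an added illustration of a data retention policy in code; this is not Hudson's purge routine, and the record fields, the 180-day window and the sample reservations are all assumptions constructed for the example. The point it shows is that only the card fields are cleared, the reservation itself and its other history survive, and the run reports what it purged so it can be reviewed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed retention window (an example policy, not a Hudson setting): card details on
# reservations completed more than 180 days ago are no longer needed and get purged.
RETENTION_DAYS = 180
AS_OF = date(2014, 3, 1)  # constructed "today" so the example is deterministic

@dataclass
class Reservation:
    """Hypothetical reservation record; field names are assumptions, not the HGTS schema."""
    reservation_id: str
    completed_on: date
    passenger: str
    fare: float
    card_number: Optional[str]  # cardholder PAN, the sensitive field a purge must clear
    card_expiry: Optional[str]

def sample_records() -> List[Reservation]:
    """Constructed sample data: one stale paid trip, one recent one, one already purged."""
    return [
        Reservation("R1001", date(2013, 1, 15), "A. Rider", 85.0, "4111111111111111", "12/14"),
        Reservation("R1002", date(2014, 2, 20), "B. Rider", 42.5, "5555555555554444", "06/16"),
        Reservation("R1003", date(2012, 11, 2), "C. Rider", 120.0, None, None),
    ]

def is_stale(rec, today, retention_days=RETENTION_DAYS):
    """Stale once the reservation has been completed for longer than the retention window."""
    return rec.completed_on <= today - timedelta(days=retention_days)

def purge_card_data(records, today=AS_OF, retention_days=RETENTION_DAYS):
    """Clear card fields on stale reservations and return the purged ids for the audit log.
    Every non-card field (passenger, fare, dates) is left intact."""
    purged = []
    for rec in records:
        if not is_stale(rec, today, retention_days):
            continue
        if rec.card_number is None and rec.card_expiry is None:
            continue  # already purged on an earlier run
        rec.card_number = None
        rec.card_expiry = None
        purged.append(rec.reservation_id)
    return purged

if __name__ == "__main__":
    recs = sample_records()
    print("purged:", purge_card_data(recs), "remaining:", [(r.reservation_id, r.card_number) for r in recs])
```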
What Hudson settings are required to keep the system within the PA-DSS standards?
Hudson will enable all new systems with PA-DSS accepted settings. If you modify system security settings such that they fall below the minimum PCI defaults, you may be exposing your business to increased security threats and “breaking” the compliance of your system. For information on how to use your system so that the PA-DSS acceptance remains valid, please obtain, read and adhere to the Hudson PA-DSS Client Implementation Guide (Hudson PA-DSS Implementation Guide.pdf).
Can Hudson help me become PCI Compliant?
We already have, and will continue to do so, by ensuring that our applications, products and services are PA-DSS Accepted. By delivering applications and services that meet these stringent guidelines and are inherently secure, your task of becoming PCI Compliant is made much easier. Without a PA-DSS accepted application, your business cannot become PCI Compliant. You must, however, use the products as they were designed and as outlined in the Hudson PA-DSS Client Implementation Guide mentioned in the previous Question and Answer. There are many additional items you will need to evaluate and achieve, on your own and independent of Hudson, in order to achieve actual PCI Compliance. Think of it this way: Hudson has built a very secure “safe” in which to store all cardholder data. You, as the end user, must ensure that the door to the safe is not left open, but is closed and locked - thereby ensuring true security. The process you go through, with or without the assistance of a licensed PCI approved Qualified Security Assessor, ensures that the door to that safe is always locked and sealed.