PCI Compliance Overview

(Please note that the Tokenization Feature (available from Amadeus - PMPRO version 10.2.140) takes precedence over PCI Compliance, as no credit card numbers are stored in Amadeus - PMPRO; they are held in a safe place at Amadeus Payments.)

Introduction

Amadeus - PMPRO is a property management system which can deal with sensitive cardholder account information. The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a standard called the PCI Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data and therefore also to any software developed by Amadeus - PMPRO which can process credit card information.


This section of the online help explains the Cardholder Information Security Program (CISP), Payment Card Industry initiative, and the Payment Application Best Practices (PABP) guidelines. This section then provides specific installation, configuration, and ongoing management best practices for using PMPRO as a PABP Application operating in a PCI Compliant environment.


The PCI DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.

We worked with the following Visa U.S.A. approved certification firm on our PABP Certification:


Coalfire Systems, Inc.
Louisville, Colorado
361 Centennial Parkway, Suite 150
Louisville, CO 80027
Phone: 303-554-6333
Fax: 303-554-7555
Web: http://www.coalfiresystems.com

In summary, PABP is the standard against which PMPRO has been tested and certified. PCI Compliance is then obtained by you (the merchant) for your actual server (or hosting) environment, using various hardware scans, port scans, and configuration evaluation testing methods. This is further defined in the following section. We go into this definition because many users and merchants are not clear about the difference between “PABP” and “PCI Compliance”. While very closely inter-related, they are different.

Amadeus - PMPRO version 10.1 has been tested and is compliant with the PABP standard. Having this version does not by itself mean that your system is configured according to the PABP standard. To run a PABP compliant PMPRO system you need a special data security license.

Visa U.S.A. Reference Documents

The following documents detail the Cardholder Information Security Program (CISP) and related materials (e.g. PABP, PCI, etc.):

Understanding “PABP” vs “PCI Compliance”

As a software vendor, our responsibility is to be “PABP Compliant”. While this is not currently required by Visa U.S.A., as a leader in hospitality industry technology Amadeus - PMPRO felt it was important to take a leading position and obtain this certification. We have performed an audit and certification compliance review with our independent auditing firm to ensure that our platform conforms to industry best practices when handling, managing and storing payment related information.

We want to reiterate that obtaining “PCI Compliance” falls on you (the merchant) and your hosting provider, working together, using PCI compliant server architecture with proper hardware & software configurations and access control procedures. We do outline the PCI ready environment that we performed our testing on.

We have tested and certified to the Visa U.S.A. “Payment Application Best Practices” (PABP) standard to ensure that, when you install PMPRO into an environment equivalent to our recommended PCI ready environment, our application also follows best practices. This helps you achieve PCI Compliance more easily with respect to how PMPRO handles user accounts, passwords, encryption, and other payment data related information.

After installation and initial certification to PCI standards, you should then follow our recommended operational guidelines, defined later in this section, to ensure continued best practices for the management of your property or properties. Visa U.S.A. specifies different levels of compliance requirements, driven mostly by the annual transaction volume of your business. You should read the documentation provided by Visa (see above) to determine the level of PCI Compliance required for your business.

Once Amadeus - PMPRO is installed and operational with a PCI data security license, you need to train your staff and make them aware that maintaining a secure environment is a continuous job. You will also have to train your staff to understand how credit card details are masked or are simply not visible at all. Also, passwords will expire and need to be renewed regularly, so your staff needs to understand what “strong passwords” are.