Credit Cards are handled according to the following PCI DSS requirements:

1. Physical Access

Clock Cloud Applications are hosted on "Amazon Web Services".

The "Amazon Web Services" conforms with the following regulations, standards, and best-practices: PCI DSS Level 1, HIPAA, SOC 1/S SAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, ISO 27001, FedRAMP(SM), DIACAP and FISMAITAR, FIPS 140-2, CSA, MPAA

2. HTTPS.

All data is transferred only over Hypertext Transfer Protocol Secure (HTTPS).

3. Encryption

Credit Card data is encrypted before it is stored. Plain Credit Card data is not stored anywhere in the entire system, including database, web server logs, application logs or any other files.

4. Masking PAN

Masked PAN number of credit card is used for presentation purposes. In reports, folios and lists PAN is presented as 'XXXX-4567'

5. User Access

Access to full credit card is restricted with a special right. The right should be granted by an administrator to other users, so they can read the full credit card data.

6. User Access History

All readings of the full credit card data are logged with the user name, IP address and date/time in a special report ("Credit Cards Log")

7. Responsibilities for Deleting Data After Authorisation

After authorisation credit card data should be deleted. Check the following table to understand yours and Clock PMS' responsibilities.

CaseResponsibilities
On-line Credit Card payment in the Web Reservation System, Gift Voucher Shop or Self Service portalClock PMS does not store credit card data
Collecting and storing Credit Card Data in bookings for later manual processing with credit card/virtual terminalThe User is responsible for the disposal of data after authorisation. Leave the “Clear credit card data” checkbox checked when adding payment in the system or delete the card from the booking.
On-line Credit Card payment in back office using newly entered credit card dataClock PMS does not store credit card data.
On-line Credit Card payment in back office using existing credit card dataThe User is responsible for the disposal of data after authorisation. Leave the “Clear credit card data” checkbox checked or delete the card from the booking
Unimported OTA bookingsThe User is responsible for the disposal of data after resolving the problem. Delete the data from the channel inbox.
Imported OTA bookingsClock PMS disposes of the credit card data from the channel inbox

8. Credit Card Data Retention Policy

Clock PMS maintains a retention policy for credit card data. If sensitive information is not deleted in some of the ways above, the system will automatically delete credit card details as follows:

CaseRetention Period
Regular bookings3 days after the departure date of the booking, regardless of check out
Cancellations3 days after the date of the cancellation of the booking
Unimported OTA bookings14 days after the unsuccessful import of the booking information is deleted from the channel manager inbox
Company Credit Cards1 day after the credit card expiration month / year