Credit card data is handled according to the following PCI DSS requirements:
1. Physical Access
Clock Cloud Applications are hosted on Amazon Web Services.
Amazon Web Services conforms with the following regulations, standards and best practices: PCI DSS Level 1, HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA, MPAA.
2. HTTPS
All data is transferred only over Hypertext Transfer Protocol Secure (HTTPS).
3. Encryption
Credit card data is encrypted before it is stored. Plain (unencrypted) credit card data is not stored anywhere in the system, including the database, web server logs, application logs or any other files.
4. Masking PAN
A masked PAN (Primary Account Number) is used for presentation purposes. In reports, folios and lists the PAN is shown as 'XXXX-4567'.
5. User Access
Access to full credit card data is restricted by a special user right. An administrator must grant this right to other users before they can read the full credit card data.
6. User Access History
Every read of the full credit card data is logged with the user name, IP address and date/time in a dedicated report ("Credit Cards Log").
7. Responsibilities for Deleting Data After Authorisation
After authorisation, credit card data should be deleted. The following table sets out your responsibilities and those of Clock PMS+.
Case | Responsibilities |
---|---|
On-line Credit Card payment in the Web Reservation System, Gift Voucher Shop or Self Service portal | Clock PMS+ does not store credit card data |
Collecting and storing Credit Card Data in bookings for later manual processing with credit card/virtual terminal | The User is responsible for the disposal of data after authorisation. Leave the “Clear credit card data” checkbox checked when adding payment in the system or delete the card from the booking. |
On-line Credit Card payment in back office using newly entered credit card data | Clock PMS+ does not store credit card data. |
On-line Credit Card payment in back office using existing credit card data | The User is responsible for the disposal of data after authorisation. Leave the “Clear credit card data” checkbox checked or delete the card from the booking. |
Unimported OTA bookings | The User is responsible for the disposal of data after resolving the problem. Delete the data from the channel inbox. |
Imported OTA bookings | Clock PMS+ disposes of the credit card data from the channel inbox |
8. Credit Card Data Retention Policy
Clock PMS+ maintains a retention policy for credit card data. If sensitive information is not deleted in one of the ways above, the system automatically deletes the credit card details as follows:
Case | Retention Period |
---|---|
Regular bookings | 3 days after the departure date of the booking, regardless of checkout |
Cancellations | 3 days after the date of the cancellation of the booking |
Unimported OTA bookings | 14 days after the unsuccessful import; the booking information is deleted from the channel manager inbox |
Credit cards in an Event | 3 days after the departure date |
Credit Cards in a Company profile | 1 day after the credit card expiration month / year |
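The following Python module is an added example, not Clock PMS+ code: it encodes the presentation masking from section 4 and the retention periods from the table in section 8 as a small sweep that reports which stored records are due for deletion on a given day. How the periods are counted (calendar days added to the anchor date; "1 day after the expiration month/year" taken as the day after the last day of the expiry month) is an assumption, as are the record shapes and sample data.

```python
"""Masking and retention helpers modelled on the rules on this page.
Added example; not Clock PMS+ code. Counting of the retention periods
(calendar days, end of expiry month) is an assumption."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention periods from section 8, keyed by case.
# Value: (days to keep, description of the anchor date the days are counted from).
RETENTION_RULES = {
    "regular_booking": (3, "departure date, regardless of checkout"),
    "cancellation":    (3, "date the booking was cancelled"),
    "unimported_ota":  (14, "date of the unsuccessful import"),
    "event":           (3, "departure date of the event"),
}


def mask_pan(pan: str) -> str:
    """Presentation form from section 4: 'XXXX-' plus the last four digits.
    Spaces and dashes in the input are ignored; only the digits count."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return "XXXX-" + digits[-4:]


def purge_date(case: str, anchor: date) -> date:
    """Date on which card data for `case` is deleted, counted from `anchor`.
    Assumption: the retention period is calendar days added to the anchor."""
    days, _ = RETENTION_RULES[case]
    return anchor + timedelta(days=days)


def company_card_purge_date(exp_month: int, exp_year: int) -> date:
    """Company-profile cards: 1 day after the card's expiration month/year.
    Assumption: the day after the last day of the expiry month."""
    last_day = calendar.monthrange(exp_year, exp_month)[1]
    return date(exp_year, exp_month, last_day) + timedelta(days=1)


@dataclass
class StoredCard:
    """Hypothetical record shape: only what the retention sweep needs."""
    record_id: str
    case: str                        # key of RETENTION_RULES or "company_profile"
    anchor: Optional[date] = None    # departure / cancellation / import-failure date
    exp_month: Optional[int] = None  # company-profile cards only
    exp_year: Optional[int] = None


def due_for_purge(card: StoredCard, today: date) -> bool:
    """True once the retention period for this record has run out."""
    if card.case == "company_profile":
        return today >= company_card_purge_date(card.exp_month, card.exp_year)
    return today >= purge_date(card.case, card.anchor)


def retention_sweep(cards: List[StoredCard], today: date) -> List[str]:
    """Record ids whose credit card data must be deleted on `today`."""
    return [c.record_id for c in cards if due_for_purge(c, today)]


# Constructed sample records (not real bookings or cards).
SAMPLE_CARDS = [
    StoredCard("B1", "regular_booking", anchor=date(2024, 3, 10)),   # purge 2024-03-13
    StoredCard("B2", "cancellation", anchor=date(2024, 3, 12)),      # purge 2024-03-15
    StoredCard("O1", "unimported_ota", anchor=date(2024, 2, 27)),    # purge 2024-03-12
    StoredCard("C1", "company_profile", exp_month=2, exp_year=2024), # purge 2024-03-01
    StoredCard("E1", "event", anchor=date(2024, 3, 11)),             # purge 2024-03-14
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 4567"))                  # XXXX-4567
    print(retention_sweep(SAMPLE_CARDS, date(2024, 3, 13)))  # ['B1', 'O1', 'C1']
```

Because `due_for_purge` compares against the computed purge date rather than storing a flag, a record that was missed on its due day is still picked up by every later sweep, which is the behaviour a retention policy needs.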