• No results found

Synxis PCI Compliance

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Synxis PCI Compliance"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

Synxis

PCI Compliance

Tuesday, April 15, 2008

Tom Murray

(2)

Syn

X

is PCI – Agenda

Company Overview

Why PCI - Drivers

Synxis PCI History

PCI Challenges

2008 Objectives

Lessons Learned

(3)

Syn

X

is – Company Overview

History

Founded 1996

Provide RedX Distribution Management System via SaaS model

A Web-based Central Reservations System

Year over year growth and a recognized industry innovator

Acquired by Sabre Holdings in January 2005

Approx. 8,000 properties in over 100 countries

Management

Seasoned management team with impressive hospitality, operations, and technology backgrounds

International organization with offices in USA, Europe, South America and Asia

SynXis Mission

(4)

Who is Sabre Holdings?

The world leader in travel commerce, retail travel products and

providing distribution and technology solutions for the travel industry.

A privately held company recently acquired by Silver Lake Partners and Texas Pacific Group, private equity firms.

Businesses include:

Quick Facts

Headquartered in Southlake, Texas

9,000 employees in 52 countries

$80 billion of travel products and services sold through Sabre systems

(5)

Syn

X

is Distribution Landscape

Channel Connect Web Sites and Travel Portals

Voice Agent SynXis Call Center Hotel Reserva-tion Office, CRO, Property Voice

Hotel PMS

• Local property integration • Data collection point • Accounting

Property Connect

Guest Connect

Hotel Web Site Group Web Site Chain Web Site Corporate Internet

Booking Engine

Red

X

Distribution

Management System

High Volume Real Time Transaction Processing

Reliability 99.9% - 24/7

Channel Management

Single Image Inventory

All Profiles, Reservations Property Connect

RMS

• Optimization of rates, controls, inventory • Data exchange Property Connect

CRM

• Guest loyalty programs • Guest recognition

• Segmentation

GDS

(6)
(7)

Syn

X

is – What is PCI?

Payment Card Industry (PCI) Data Security Standard

Requirements for protection of Payment Account Data Security

Standard Published by PCI Security Standards Council

VISA, MasterCard, Discover, American Express & Others…

Twelve Requirement spanning;

Security Management

Policies

Procedures

Network Architecture

Software Design

And other areas

https://www.pcisecuritystandards.org/index.htm

(8)

Syn

X

is – Why PCI Compliance?

Internal Drivers

Protect Customer Data

Adherence to Best Practices in Network, Data and Application Security

Corporate Objective for Sabre Holdings

Payment Authorization in the Future

Competitive Customer Drivers

Growing Awareness of PCI Pressure from Financial Institutions

Requiring Contractual

(9)

Syn

X

is PCI - History

Level 2 Service Provider per VISA CISP

Any service provider that is not in Level 1 and stores,

processes, or transmits more than 1,000,000 VISA

accounts/transactions annually.

We do 6,000,000+ bookings per year

We do not process payments – but hold CVV for 48 hours

Third Party Audit required

PCI self-assessment in mid 2006

Third Party Audit started late 2006

Audit completed December 2007

AMEX DSOP (Data Security Operating Procedure)

compliance certified in December, 2007

PCI Report On Compliance (ROC) accepted by VISA, January

2008

(10)

Syn

X

is PCI – Challenges

General

Interpretation of Standard

Contracted for Informal Review of self assessment and network environment

Validated strategy for Gap Closure & compensating controls

Resources

Significant Effort and Impact across Technology organization

Network / Infrastructure

Mostly Minor – but time intensive

(11)

Syn

X

is PCI – Challenges

Data

Enhanced Encryption of Sensitive Data

Upgraded to Triple DES Encryption in business layer

24 Hour Purging of CVV

Credit card details purged 60 days after departure

Removal of Credit Card Information from all logs

Masking of Credit Card Information in all reports

Masking of Credit Card information on most pages

Viewable via a single web page with explicit viewership

Implementation of encryption key management application

Version Key management

(12)

Syn

X

is PCI – Challenges

Application

Identifying & Eliminating Application Vulnerabilities

Contracted a Third Party Application Vulnerability Scan to satisfy PCI – clean

Third Party Scans for each new product release (4x annual) as an alternative to code reviews

Developer Education on Open Web Application Security Project (OWASP) standards and best practices

Third Party Connectivity

(13)

Syn

X

is PCI – 2008 Objectives

Ongoing

Quarterly internal Reviews to maintain compliance

Quarterly Network Vulnerability Scans

Application Vulnerability Scans for each new release

Planned

Moving from Service Provider to Merchant

Introduction of Payment Processing in 2008

Evaluating Payment Applications Best Practices (PABP) Standard

Preparing for 2008 Audit

Moving Data Center

Evaluating Message level encryption & other enhancements

Monitoring OpenTravel

(14)

Syn

X

is PCI – Lessons Learned

Larger Than Expected Effort

PCI affects all aspects of the environment

Application

Database

Network

Administrative / Hiring

Procedures and Processes

Need realistic resource allocation and commitment

Project Planning

(15)

Syn

X

is PCI – Lessons Learned

Worth It

Enforces Best Practices

Results in a More Secure Environment

Benefits Customers

Benefits Synxis

PCI is a continuous Effort

Quarterly Scans

Quarterly Reviews

Annual Audits

(16)

References

Download now ( PDF - 16 Page - 452.50 KB )

Related documents

PCI PA-DSS Implementation Guide

PCI PA-DSS Payment Card Industry Payment Application Data Security Standard is a standard for validation of payment applications that store, process or transmit payment card

Frequently Asked Questions about PCI Compliance

A ny business that accepts credit card payments is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), created in 2004 to establish minimum

White paper. Getting Serious About PCI Compliance

brands stepping up enforcement of the Payment Card Industry (PCI) Data Security Standard (DSS), mer- chants, banks and service providers are increasingly taking information security

PCI Compliance for Large Computer Systems

DSS= Data Security Standard PCI SSC= PCI Security Standards Council QSA= Qualified Security Assessor SAQ=Self Assessment... PCI DSS Structure

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

Payment card industry (PCI) data security standards (DSS) are a set of standards that the payment card industry and related organizations use to increase controls around

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

• Payment Card Industry Data Security Standard (PCI DSS) requirements • Multiple options and form factors2.

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

» The Payment Card Industry Data Security Standards (PCI-DSS) focuses on how credit card payments are processed and stored in order to prevent fraud.. » Health Insurance

Corporate and Payment Card Industry (PCI) compliance

Payment Card Industry Data Security Standard compliance The GoToMyPC Corporate product contains various security and administrative features that can be used to meet the PCI