Checklist for PCI Compliance
|Top Previous Next|
This section applies to any Campground Master system that is used to store (or process) credit cards. If you enter credit cards in Campground Master, this applies to you! If, and only if, you never enter credit card numbers in Campground Master, then you can ignore this section.
Since the official PA-DSS Implementation Guide can be difficult to understand, here is a list of the specific things you need to do in Campground Master in order to be compliant. While some of the PCI compliance issues are handled automatically, others will require due diligence on your part to enable or maintain the functions needed to be in compliance.
Note: This checklist does not cover issues external to Campground Master, such as basic computer and network security, external credit card handling, etc. To make sure your business is in compliance, you should consult a PCI compliance specialist. Contact your credit card company for references.
Change the default "Administrator" password:
If the default operator login of "administrator" and "password" still exists, then it must be changed. At a minimum, the password must be changed (you will be prompted to do so when using that login for the first time). It's better to add a separate login for each user and remove the "Administrator" login altogether.
Enforce PCI-compliant logins:
To create PCI DSS-compliant secure logins, the Operator records must have "Force password change every 90 days" selected, "Complex password required" selected, and must have "Auto-Logout after" set to no more than 15 minutes. Go into Maintenance / Park Setup / Operators, and enable these options for each operator.
Using a shared login, whether it's for the administrator or for clerks, does not meet PCI compliance. Every person using the system must have their own unique login. Go into Maintenance / Park Setup / Operators to add logins for each person using Campground Master, and make sure they are used accordingly. Remember that all actions are tracked in the Audit Trail, so you don't want someone else doing things under your login!
Also make sure you promptly delete operators that should no longer be using the system.
Use Sufficient Access Levels to mask card numbers:
Any non-Administrator operators should not be able to see "unmasked" card numbers. There are Access Level settings to restrict who can see unmasked cards -- don't lower those access levels to allow non-Administrator access to unmasked cards.
Keep sufficient audit trails:
The length of time that the log history is maintained may be set by the user, through View / Audit Trail, Audit Trail Options. To meet PCI DSS compliance, the "Permanently delete entries older than" setting should be at least 366 days. Alternatively, it may be set to 30 days if a manual backup is done at least every 30 days and these backups are kept for at least 1 year.
Use only the designated credit card entry fields:
The required encryption is only used on those fields expected to hold credit card information. Never put credit card numbers or expiration dates in other fields like"Notes". The following places are safe for credit card entry:
Enter Payment dialog screen, in the "Credit Card Information" area (Credit card #, etc).
Edit Guarantee Information dialog screens (e.g. from Reservation Details or Customer Details), in the "Credit Card Information" area (Credit card #, etc). -- Do not enter card information in the "Notes" area, or directly in the "Guarantee Info" line of Reservation Details or Customer Details. You must click the "..." button to open the Edit Guarantee Information screen and enter the card information in the designated fields.
Do not bypass the security code (CVC/CVV2) non-entry rule:
PCI compliance requires that you never store the CVC or CVV2 security codes from credit cards on a computer. Therefore these fields have been removed from Guarantee Info entry, and only exist in the Payment entry if you're processing cards through Campground Master (where it's only used during that payment processing, not stored for later use). Do not be tempted to put the code somewhere else. If you have questions about the consequences of not having this code when processing a card, contact your credit card company.
X-Charge users -- change to the XpressLink interface:
To be PCI compliant with X-Charge, you must use the new "XpressLink" interface method. See the X-Charge Setup section for instructions on changing the settings for this.
In a nutshell, you need to select the XpressLink option in the Credit Card Processing Setup, and enter the X-Charge user/password under the XpressLink Options. If using more than one computer, it also means having X-Charge installed as a Client on each other computer, and also using the XpressLink option there instead of "Send processing requests through the master".
Cleaning old credit card data:
Campground Master versions prior to 6.0 allowed the storage of magnetic stripe data and card validation values with a "weak" encryption. While the upgrade to 6.0 automatically corrects the encryption to be strong in your current database file, it does not automatically remove this information completely. In order to remove this information, you must perform these steps in Campground Master once version 6.0 is loaded:
1. Go to Maintenance / Credit Cards / History/Security Cleanup.
2. Click the button "Remove Swipe data and CVC codes from ALL transactions", then click Yes to proceed.
3. Click the button "Remove Swipe data and CVC codes from ALL Guarantee info", then click Yes to proceed.
In addition, any old backup files and log files may contain credit card information, and should be deleted or secured appropriately a soon as you feel comfortable that you have sufficient new backups. This can be a lengthy process and may require a computer specialist -- see the PA-DSS Implementation Guide, section 4, for more specific details. Since cleaning up these files is not part of Campground Master functionality, our technical support will not be able to assist with the process.
Periodically purge stale data:
You should periodically clean stale out credit card information, e.g. once every 30 days. To purge unused credit card data, go to Maintenance / Credit Cards / History/Security Cleanup. Perform each of the five functions in the section labeled "These are also recommended to remove all unnecessary old card information".
PA-DSS Implementation Guide