eSmartNews -- Fall 2007

The payment card industry (PCI) compliance and validation regulations spells out what security measures must be taken to protect the private information during any transaction occurring with the use of a paycard. The PCI Data Security Standard is used by all card brands to assure the security of the data gathered when transacting on behalf of a customer.

There are numerous regulations including encrypting the credit card numbers in the database. Encrypting this data makes it virtually impossible to decipher a credit card number without a decryption key which protects the credit card information in your database from fraudulent abuse.

In an effort to help protect your agency and your clients, and to comply with recent PCI regulations, the following enhancements will be introduced in our upcoming 3.4 release of ClientBase, due out in July. Providing you with tools that help your agency succeed is our number one goal, and although these enhancements may not be as “fun” as some of our other product enhancements, protecting your agency and your valuable data is part of that goal. Please let us know if you have any questions.

***Upon saving or editing Credit Card numbers, ClientBase now validates the card number. If the number is invalid, a prompt occurs "The credit card number entered appears to have a typographical error or it is not a valid credit card. Do you want to continue saving this record?" This prompt serves as a warning that there may have been a data entry error (typo).
Selecting YES saves the card As Is.
Selecting NO returns user to the card number field.
When editing an existing card number, validation does not occur unless the Card number field is modified. Validation occurs in Profile Cards Tab, Invoice Form of Payment Credit Card and CC Merchant, Invoice Booking Payment Credit Card and CC Merchant, Reservation Payment Due Date tab, Receipt Form of Payment CC Merchant FOP

Valid credit card numbers with spaces do not prompt
Valid credit card numbers with letters (VI1234123412341234) do not prompt
Valid credit card numbers with expiration date after a slash (CA5458004519231383 /1109) will not prompt (although we do not recommend entering the expiration date in the Card Number field.)

***Upon installation of both CBP 3.4 and TBO 3.01, Credit Numbers become encrypted and masked within the database. In an effort to protect your clients from credit card fraud, and to comply with recent PCI (Payment Card Industry) Compliance regulations, all credit card numbers within your database have been encrypted and masked. To a typical ClientBase User this encryption appears invisible, but it makes the extraction of this personal data much more difficult should your database be accessed in an unauthorized manner. Upon retrieving a Credit Number within the ClientBase application, the system will automatically decrypt the credit card number and display the full number as always. (Please note the User Permission enhancement below where users can be forced to only view the masked version of the Credit Card number.)

How It Works
After running the cbplusup.exe the credit card data that was stored in the Credit Card field pre-encryption now contains a masked version of the credit card number. A new field is also added to the database. The full credit card number is copied from the existing field to the new field and then encrypted.

A cleaning and masking routine will take place during the database update to standardize all of the credit card numbers so they can be properly masked for all applications utilizing the masked Credit Card field. Only valid credit card numbers will be cleaned and appear in the masked format.

Any non-numeric text at the beginning of the string up to the first digit is stripped out. AX 3782 078 234 0834/1008 becomes 3782 078 234 0834/1008.
All spaces are removed. 3782 078 234 0834/1008 becomes 37820782340834/1008.
The credit card string is truncated starting at the first non-numeric character, usually a slash, leaving only digits. 37820782340834/1008 becomes 37820782340834 .

Masked CC Number Field (CCNUMBER): Credit card number in masked format. Credit card numbers are standardized and validated. Valid credit cards are saved in its masked format and invalid credit cards are saved as is.
Encrypted CC Number Field (NUMBERENCRYPT): Encrypted full credit card number entry (all numbers whether valid or not are encrypted).
Hash CC Number Field (NUMBERHASH): Credit card number in hash format. This field is used for “faster searching of credit card number”. Valid credit cards hash the standardized format. Invalid credit cards hash the number as is.

Utilities Updated: Globalware Invoice Export Utility, IC Host Utility, XML Travel History Import, Australian “Enable Automatic XML Profile Export”,
Utilities Sunset (will no longer work after a database has been encrypted): XML Import, XML Export, CB2CBP conversion utility, CBT2CBP conversion utility
Utilities Not Affected: ASCII Profile Import, IB Backup, Ensemble Import, Ensemble Export, Virtuoso Utility, Virtuoso Segment Update

Use of Encryption Keys for Third Party or Custom Development:
A unique key will be generated for each agency that can be used in product development for non-TRAMS applications that need to read the full credit card number. The key can be obtained by the SYSDBA User only by going to Utilities|Credit Card Encryption Key and entering a password provided by the TRAMS support desk. A CCEncrypt.dll file is installed that allows access to the TRAMS database to view un-encrypted credit card numbers. Documentation for use is available upon request by e-mailing Customercare@trams.com. The intended audience is for the designers and developers of non-TRAMS applications that read credit card numbers directly from the TRAMS database.

***Enhanced the User Login Advanced permission settings|Other Permissions to include the ability to “Mask Credit Card Numbers”. This allows you to mask full credit card numbers from Users that don't have a need to view the complete number. ClientBase Plus version 3.04 and TRAMS Back Office version 3.01 both must be installed and the database must be encrypted for this setting to be activated. All existing Users default this setting to unchecked. Upon checking this Advanced permission and saving, the system prompts with a message: "By checking Mask Credit Card Numbers for this User, Credit entries will not be included in Merge to PNR and Live Connect, since the full Credit Number must result at the end of these features." Please keep this limitation in mind when deciding which Users should have the Credit Card numbers masked.

The following areas are updated if the current User Login is set to "Mask Credit Card Numbers":

Profile|Cards grid and Credit Card records mask the Credit Card Number and set to read only (in addition to Card Type)
Family Member|Cards grid and Credit Card records mask the Credit Card number and set to read only (in addition to Card Type)
Merge to PNR Selection Screen no longer includes any Credit Card data to select from
Live Connect Selection Screen no longer includes any Credit Card data to select from
Res Card Reservation Deposit FOP does not show the drop down list of CCs although a CC number can be hand entered. Upon saving the number will be masked.
Existing Res Card Reservations with a CC number, displays as masked although it can be edited and saved
Generate - Invoice feature does not include the drop down list of CCs although a CC number can be hand entered

***Updated the Help/About screen to identify the status of credit card encryption. “Credit Card Encryption Done” is either set to True or False depending on the status. In order for Credit Card Encryption to occur the database must be upgraded to ClientBase version 3.4 and TRAMS Back Office version 3.1.

***Added a prompt when doing a Live Connect to a provider's website that doesn't use HTTPS. This message warns about the lack of HTTPS and asks the user if they want to cancel, send all the information except the login/credit card or send all information including login/credit card.

***File | Export | Profile Cards Info now exports the Credit Card Numbers as masked by default.