The risk of credit card security breaches seemingly has never been higher. In recent months, major cyber attacks have been perpetrated against companies like Citibank and Sony’s PlayStation Network. These kinds of security threats can cost a company millions of dollars and a black eye in the view of consumers.
For anyone who handles credit card information, it is not just important to protect yourself against these risks; it is a requirement. As many in the hospitality industry know, one year ago credit card companies mandated that credit card acquirers — including hotels — become PCI and PA-DSS compliant.
Being PCI compliant (PCI stands for Payment Card Industry) means that a merchant has taken appropriate steps to ensure credit card data is safe and secure in its systems. PA-DSS (Payment Application Data Security Standard) applies to the software used by merchants. Any application that processes or stores credit card data must be PA-DSS compliant.
To address this need, IQware developed the IQvault. Launched in the fall of 2010, IQvault is IQware's PA-DSS compliant solution that was developed in response to the credit card industry’s PCI requirements. Used to store and process credit card information, IQvault is encrypted using 256-bit encryption.
IQvault is designed to integrate with hotel property management software such as IQpms, IQpos, and others. These products offload their credit card storage and processing needs to the IQvault. While all of these systems work independently, you can lose credit card functionality if the IQvault system is not utilized.
“As a trusted partner of thousands of hotels, IQware developed the IQvault to help our clients become PCI compliant,” says Francois Greffard, Vice President of Operations for IQware. “If you are not currently compliant, you risk data being lost or compromised and can be subject to fines, and most important of all, you could lose the trust of your guests.”
With IQvault, only key people within your organization will be able to view the credit card information stored within. Regular users such as front-desk employees will not have access to the system. Everything is encrypted so that if your system is hacked, your credit card information is secure.
“IQware products and the IQvault function independently, yet work together seamlessly to achieve maximum security,” explains John G. Denver, IQware Vice President, Business Development. “
Investment in Security
After investing more than 3,600 hours and more than a quarter million dollars in research and development, the IQvault PA-DSS certification was achieved on Nov. 3, 2010, with the assistance of TELUS — a prominent security company.
Properties that deploy the IQvault will seek to obtain their own PCI certification with the assistance of a third-party auditor. Using the IQvault according to the PCI Council certified deployment and maintenance instructions provided by IQware will ease this process, as the use of certified PA-DSS payment applications is a mandatory requirement of the PCI certification.
“Installing the IQvault system is a quick and easy process: Our technicians can typically finish a project in about an hour,” says Denver. “Also, unlike other companies charging substantial fees to profit from the new PA-DSS regulations, we have come up with an extremely reasonable cost structure to ensure all of our clients can make the necessary upgrades to their systems.”
IQvault licensing fees are based per system and can be licensed with or without the Elavon credit card processing option. In most cases, the IQvault can be installed on your current hardware and does not require independent hardware. Standard annual support fees are applicable.
Like all IQware products, IQvault is backed up by expert technicians and 24/7 customer service. The installation process includes close coordination and implementation of this project with our Director of Installation and installation team. There are very strict rules regarding who is allowed to install this system. All IQware technicians have undergone an internal certification process to deploy and configure the IQvault.
How Is IQvault Configured?
IQvault can be broken down into three major parts:
• Database server: The SQL server that stores the IQvault database;
• IQvault services: The services that provide the credit card processing features; and
• Clients: Any computer that accesses the IQvault to store and retrieve credit card data.
IQvault can be deployed according to two base scenarios approved by the PCI council: For larger sites, the IQvault services are placed on one server and the database on another. The use of firewalls creates different network segments to secure the data. For smaller sites, IQvault components can be placed on the same server only if the property does not use the IQvault to receive Internet payments or reservations from a GDS that pushes data to the property.
“The first step in credit card security is education,” says Greffard. “Some hotels don’t fully understand the regulations or don’t recognize the significant threat posed by hackers. IQvault is a safe and secure method of processing and storing all of your credit card information. It keeps you up-to-date with the latest requirements at a minimal expense — saving you from the cost of fines, or in a worst-case scenario, the price you’d pay from letting your guests’ information fall into the wrong hands.”
Becoming PCI Compliant
As mentioned earlier, though IQvault gives hotels the backbone to become PCI compliant, each business is required to prove that it has achieved certification.
What must a company do to become PCI DSS compliant? These are the 12 rules listed on the PCI DSS website (www.pcisecuritystandards.org):
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.