Credit Card security in Clock PMS

Credit Cards are handled according to the following PCI DSS requirements:

1. Physical Access

Clock Cloud Applications are hosted on "Amazon Web Services".

Amazon Web Services conforms to the following regulations, standards and best practices: PCI DSS Level 1, HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA, MPAA.

2. HTTPS

All data is transferred only over Hypertext Transfer Protocol Secure (HTTPS).

3. Encryption

Credit Card data is encrypted before it is stored. Plain Credit Card data is not stored anywhere in the entire system, including the database, web server logs, application logs or any other files.

4. Masking PAN

A masked PAN is used wherever the credit card number is displayed. In reports, folios and lists the PAN is presented as 'XXXX-4567'.

5. User Access

Access to the full credit card data is restricted by a special right. The right should be granted by an administrator to other users so that they can read the full credit card data.

6. User Access History

Every read of the full credit card data is logged with the user name, IP address and date/time in a special report ("Credit Cards Log").

7. Responsibilities for Deleting Data After Authorisation

After authorisation, credit card data should be deleted. Check the following table to understand your responsibilities and those of Clock PMS.

| Case | Responsibilities |
|---|---|
| On-line Credit Card payment in the Web Reservation System, Gift Voucher Shop or Self Service portal | Clock PMS does not store credit card data. |
| Collecting and storing Credit Card Data in bookings for later manual processing with credit card/virtual terminal | The User is responsible for the disposal of data after authorisation. Leave the “Clear credit card data” checkbox checked when adding payment in the system or delete the card from the booking. |
| On-line Credit Card payment in back office using newly entered credit card data | Clock PMS does not store credit card data. |
| On-line Credit Card payment in back office using existing credit card data | The User is responsible for the disposal of data after authorisation. Leave the “Clear credit card data” checkbox checked or delete the card from the booking. |
| Unimported OTA bookings | The User is responsible for the disposal of data after resolving the problem. Delete the data from the channel inbox. |
| Imported OTA bookings | Clock PMS disposes of the credit card data from the channel inbox. |

8. Credit Card Data Retention Policy

Clock PMS maintains a retention policy for credit card data. If sensitive information is not deleted in one of the ways above, the system will automatically delete credit card details as follows:

| Case | Retention Period |
|---|---|
| Regular bookings | 3 days after the departure date of the booking, regardless of check out |
| Cancellations | 3 days after the date of the cancellation of the booking |
| Unimported OTA bookings | 14 days after the unsuccessful import of the booking, the information is deleted from the channel manager inbox |
| Company Credit Cards | 1 day after the credit card expiration month / year |
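
The retention periods above can be turned into an audit check that lists records still holding card data after their automatic deletion was due. This is an added example, not Clock PMS code: the record fields, case names and sample data are assumptions, and a company card is assumed to be valid through the last day of its expiry month.

```python
import calendar
from datetime import date, timedelta

# Retention periods from the table above, in days after the anchor date.
RETENTION_DAYS = {
    "regular": 3,          # anchor: departure date, regardless of check-out
    "cancellation": 3,     # anchor: cancellation date
    "unimported_ota": 14,  # anchor: date of the unsuccessful import
    "company_card": 1,     # anchor: card expiration month/year
}


def purge_date(case, anchor):
    """Return the date on which automatic deletion of the card data is due.

    For "company_card", pass anchor as an (expiry_year, expiry_month) tuple;
    for every other case pass a datetime.date.
    """
    if case not in RETENTION_DAYS:
        raise ValueError(f"unknown retention case: {case!r}")
    if case == "company_card":
        year, month = anchor
        # Assumption: the card is valid through the last day of its expiry month.
        anchor = date(year, month, calendar.monthrange(year, month)[1])
    return anchor + timedelta(days=RETENTION_DAYS[case])


def overdue(records, today):
    """Return ids of records that still hold card data after their purge date."""
    return [
        r["id"]
        for r in records
        if r["has_card_data"] and today > purge_date(r["case"], r["anchor"])
    ]


# Constructed sample export; ids, dates and field names are illustrative only.
SAMPLE = [
    {"id": "B-1001", "case": "regular", "anchor": date(2024, 2, 27), "has_card_data": True},
    {"id": "B-1002", "case": "cancellation", "anchor": date(2024, 3, 4), "has_card_data": True},
    {"id": "B-1003", "case": "unimported_ota", "anchor": date(2024, 2, 20), "has_card_data": True},
    {"id": "C-2001", "case": "company_card", "anchor": (2024, 2), "has_card_data": True},
    {"id": "B-1004", "case": "regular", "anchor": date(2024, 2, 1), "has_card_data": False},
]

if __name__ == "__main__":
    for record_id in overdue(SAMPLE, today=date(2024, 3, 6)):
        print("card data past retention:", record_id)
```

A record is flagged only on the day after its purge date, so a deletion job that runs at any time on the due date does not produce a false alarm.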
