PCI Card Decryption – Frequently Asked Questions

2018-07-31T13:29:52+00:00

FREQUENTLY ASKED QUESTIONS:

These enhancements ensure that we are meeting all of the latest requirements introduced in version 3.2 of the PCI Data Security Standards, which are currently best practice but become mandatory requirements from February 2018.

Any current user accounts that have been authorised to decrypt cards on the Avvio system via their Avvio PCI Code Card.

Authorised users will continue to be able to access customer card details on Avvio’s platform. However, we will be replacing the current two-factor authentication using PCI code cards with a new authentication solution. The new solution will require:

  1. Each user that is authorised to decrypt credit cards must be uniquely identifiable. So each person must have a uniquely identifiable username associated with their name, as well as a unique email address associated with that user account. Each individual decrypting credit card data must be identifiable for PCI regulations, so any generic user accounts will need to be updated to more specific user accounts tied to individual staff. We will be contacting any users who do not have user accounts that specifically identify a staff member, to get their user account updated to a compliant one.
  2. To decrypt cards, each authorised user must obtain a random six-digit authentication number from one of our approved options (listed below).

We recommend that you set up the relevant application in advance of our November 28th release to ensure a smoother transition from PCI code cards to the new Authenticator. When the release date comes, you will then be able to proceed to Step 2 on the Authentication screen after you log in to complete the verification process.

Via Google Authenticator App on your Phone [Recommended]

The “Google Authenticator” app is free to download from the Google Play and Apple App Stores. Once installed, you will only need to open the app for a couple of seconds to retrieve the 6 digit number. You can then insert that number into the card details section on a reservation made through Avvio to retrieve card data.

For more details on how to install and use this application to retrieve card data, please click HERE.

Alternative Options

For those users who can’t avail of the smartphone authentication option, the following alternatives are available. It is best to consult with your I.T. team when installing any of the options below.

  1. Via Electronic Authentication Card

    Avvio can provide an Electronic Authentication card to each user that needs to decrypt card data on our system. These Electronic cards generate random 6 digit authentication tokens similar to the Google Authenticator app on the phone.

    For more details on how to activate and use these electronic cards to retrieve card data, please click HERE.
    However, please note there will be charges associated with providing these cards. Please see the following table, which outlines the current costs for each order.

    Number of Cards    Cost per Card
    1                  € 70
    2                  € 60
    3                  € 55
    4                  € 50
    5+                 € 45

    If you would like to order these cards for users in your property, please contact support@avvio.com.

  2. WinAuth Application for Desktop

    Should you wish to use an application on your computer to generate the random 6 digit authentication number, you may use the WinAuth application.
    For more details on how to install and use this application to retrieve card data, please click HERE.

  3. Via Authy Desktop Application

    Should you wish to use a different application on your computer browser to generate the random 6 digit authentication number, you may use the Authy Desktop Application.
    For more details on how to install and use this option to retrieve card data, please click HERE.

  4. Via Authy Google Chrome Extension

    Should you wish to use an application on your web browser to generate the random 6 digit authentication number, you may use the Authy Extension for your Google Chrome browser.
    For more details on how to install and use this option to retrieve card data, please click HERE.

NOTE: If multiple members of staff use the same machine to access card data from Avvio, it’s extremely important that they all have their own unique login to that machine (for the WinAuth or Authy Desktop apps) or have their own unique Google Chrome account that they sign in/out of. Otherwise staff will be opening the same instance of the application. Each user account on Avvio will be associated with a particular instance of that application and only that user will be able to decrypt card data from it. So if multiple people access the machine, they must have their own login to that machine or Google Chrome account and install the application to only their profile. Failure to do so is in breach of PCI Data Security Standards. You may need to consult with your I.T. team in setting this option up.

IMPORTANT: We recommend that all devices with an authenticator app installed be protected by a password. If you step away from your phone/computer, it’s important that it’s locked and requires a password to access it. This is to prevent non-authorised people potentially accessing your account to decrypt card data.

No, with our update to tokenisation, we can no longer use PCI code cards from November 28th.

The main difference is that the 6 digit authentication code you needed to enter on the reservation details screen on Avvio will now be provided by the relevant authenticator app/device you choose, rather than via a PCI code card.

Once you have activated the relevant authenticator app / device you chose, you will go into the reservation details page as normal, where you will be asked to enter a 6 digit code in the credit card section of the page. To retrieve this code, you will just need to go into the relevant authenticator app/device you chose and it will immediately provide you with a 6 digit number. Just enter that number in the credit card area and it will provide you with access to decrypt card data for the next 15 mins. For each reservation you are trying to receive card data for, you will be asked to re-enter a 4 digit captcha number that appears on screen.
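Added example, not Avvio's code: a sketch of how a server can check a six-digit authenticator code and open the 15-minute decrypt window described above. It assumes the codes are standard RFC 6238 time-based one-time passwords, which is what Google Authenticator generates by default; `DecryptGate`, the username and the sample secret (the RFC 6238 test key) are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30                    # seconds per code (RFC 6238 default)
WINDOW = 15 * 60             # decrypt window stated on the page
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key

def totp(secret_b32, at, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class DecryptGate:
    """Hypothetical gate: one secret per named user, 15-minute unlock."""
    def __init__(self, secrets):
        self.secrets = secrets        # username -> base32 secret
        self.last_step = {}           # username -> last accepted time step
        self.unlocked_until = {}      # username -> epoch seconds

    def verify(self, user, code, now):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        for drift in (0, -1, 1):      # allow one step of clock skew
            at = now + drift * STEP
            step = int(at) // STEP
            if step <= self.last_step.get(user, -1):
                continue              # reject replay of a used or older code
            if hmac.compare_digest(totp(secret, at).encode(), code.encode()):
                self.last_step[user] = step
                self.unlocked_until[user] = now + WINDOW
                return True
        return False

    def may_decrypt(self, user, now):
        return now < self.unlocked_until.get(user, 0)

if __name__ == "__main__":
    gate, now = DecryptGate({"alice": SAMPLE_SECRET}), 1111111109
    print(gate.verify("alice", totp(SAMPLE_SECRET, now), now))  # first use
    print(gate.verify("alice", totp(SAMPLE_SECRET, now), now))  # replay
    print(gate.may_decrypt("alice", now + WINDOW))              # window over
```

Because each secret is bound to one named account, a code accepted here identifies the individual who unlocked the window, which is the per-user traceability the requirements above ask for.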

Yes, any member of your hotel staff who decrypts credit card data from reservations on our system must have a unique email address associated with their user account on Avvio. Otherwise it would mean one of your staff can access a password reset email on another user account and then log in to that user’s account.

The Avvio Engineering team have been examining the many different options available to them for well over a year now to fully meet the latest PCI Compliance standards and this solution was chosen as the best and least impacting approach they could possibly take. We acknowledge that this will have some impact to our customers and we apologise in advance for any issues this may cause.

Unfortunately as we are a service provider who process vast amounts of transactions / credit cards online, we are required to fully meet these PCI Data Security Regulations. The regulations are becoming stricter to combat misuse of customer card data and credit card fraud. The latest PCI Data Security standards are going to be enforced across all levels and sectors of the hotel industry.

We are taking these steps now to ensure we are compliant, and we recommend that our customers ensure their card data handling processes meet those standards too.

For virus and malware prevention reasons, some IT networks have firewalls in place to block the download of any files that may contain applications (e.g. exe or zip files). If you are unable to download the WinAuth or Authy applications, you may need to contact your IT team to permit the download of either of those specific applications. They may also assist you in installing it on your machine.