
About RegOnline's information and system security

Last post 01-30-2007, 3:03 PM by RegOnline Support. 0 replies.


    Topic:

    I’m interested in using RegOnline, but we have specific requirements regarding information security. What security measures does RegOnline take to ensure that the information for our attendees remains secure?

    Solution:

    First and foremost, you'll be glad to know that RegOnline is certified as a PCI Level One compliant service provider! This level of compliance, most often associated with banks and financial institutions, means that our system security has been thoroughly reviewed and certified by Visa, and that we have met or exceeded their rigorous standards for transaction and system security.

    For specific RegOnline security information, please refer to the questions and answers below.

    How do users authenticate/authorize to the application and how is this information protected?

    RegOnline maintains a secure (encrypted) database of users and passwords. We use SSL to encrypt the user name and password as they pass over the internet.

    Have there been any changes to RegOnline's security policies since being purchased by The Active Network?

    As of now, our security policies have not changed, nor has access to data been expanded in any way. RegOnline’s network is autonomous from our parent company, and we don’t expect that to change anytime soon. We will certainly notify customers prior to any change that would affect our PCI Security clearance or data access restrictions.

    How do you ensure that each customer only has access to their own cardholder data environment?

    Our customers’ data is kept separate through the referential integrity of our database and session authentication. Each user session is password-protected and each new page that the user accesses re-checks the session authenticity.

    Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10?

    RegOnline has complied with all PCI requirements, including auditing and monitoring. We have centralized auditing and log storage. We run reports and continuously scan for anomalies and verify that all access is legitimate. Our logs and audit trails are centralized and cover the entire cardholder environment, but they do not contain any cardholder data.

    How do you restrict access to cardholder data?

    RegOnline processes most credit cards without storing the actual credit card information, and we only retain this information if this is required by the event organizer for processing additional payments for other event-related fees such as lodging. In these situations, we encrypt the data as described below and we do not store the CVV number, and the data is automatically purged within 90 days. Internally, we mask all credit card information so no employee can view it. We never release cardholder information without a faxed, signed release from the primary event organizer who opened the account with RegOnline.

    Do you use cameras to monitor your data room? If so, do you collect logs?

    We use cameras to protect our office and the entire cardholder environment. These video records are retained in compliance with PCI requirements.

    Is encryption used on your backup methodology?

    All sensitive data is stored and backed up in encrypted form.

    Do you encrypt transactions?

    Yes. We use SSL to encrypt every transaction in transport between our servers and the client’s browser. We also encrypt all credit card information for every transaction in our database.

    How do you manage and protect encryption keys with your customers?

    We do not have individual encryption keys for our customers. SSL for secure connection to our site is enabled by our private certificate keys stored on each web server negotiating an encrypted session with the public keys that are shipped with every browser. When we encrypt cardholder information for storage in our database, we use a very strong key and introduce a salt value to introduce randomness to every encryption process. This means that two identical encrypted credit cards (for example) would never have the same encrypted value, further preventing unauthorized encryption.

    What’s the retention period for data being backed up?

    RegOnline stores weekly snapshots for one month, and monthly snapshots in perpetuity.

    Do you use offsite media rotation?

    We run full backups to disk every four hours and save one full backup to tape every day. These daily backups are sent offsite monthly. One backup a week is preserved for a month while our other daily backups are stored for at least seven days. One backup a month is preserved offsite in perpetuity. 

    Do you have a disaster recovery site or other locations aside from the Colorado office?

    At this time we do not have a hot spare site. Our current data center features an advanced (non-destructive) fire suppression system and highly redundant, multi-homed power and internet access. All of our critical systems are also part of an active/active or active/passive cluster to minimize potential downtime. Data is backed up to point-in-time as well.

    How do you ensure data integrity?

    We encrypt all credit card information and maintain very stringent access controls in compliance with PCI requirements. To protect against potential corruption of data, we run backups every four hours and store everything on a highly redundant fiber-connected SAN (Storage Area Network). Log files are mirrored to a physically separate array to provide an additional level of redundancy.

    Can you explain support on IDS?

    In addition to our firewalls, we have implemented an IDS (Intrusion Detection System) that scans all packets entering or exiting our production network for malicious code or attacks. This information is logged and analyzed in real time so that network staff can be automatically notified of potential threats. Additional analysis is done daily in house and by using Symantec's DeepSight Analyzer service.

    We also utilize a host-integrity system to notify network staff of any unauthorized changes by comparing day-to-day checksums and snapshots on production equipment. Centrally managed virus detection provides real-time protection along with daily deep scanning.

    Do you rely on a single technology for virus detection?

    We use a single vendor for updating our virus definitions but detection takes place at multiple levels including real-time protection and deep scans on our individual hosts and through our IDS system.

    Additional Information:

    For more information about PCI standards, check out the PCI Security Standards Council web site.

    For information about Visa's Cardholder Information Security Program, visit the Visa CISP web site.


    rev. date 05/07/08
