Application Integration and Data Security

This document has been produced by hospitalityPulse Inc and is made available to individuals for informational purposes. This document contains confidential information regarding hospitalityPulse product(s) and various proprietary information. This document and all information provided within are to be considered and treated as confidential.

The information provided in this document is a representation of information content and flow between hotel systems and hospitalityPulse's production environments as implemented at the document's date. Due to the changing nature of security requirements, changes to further harden hospitalityPulse's data security may be required at an unpredictable frequency. These may occur without prior notification.

No part of this publication may be reproduced, photocopied, shared or transmitted without the express prior written consent of the publisher.

Application Integration & Data Security 2 hospitalityPulse - roomPulse

Document Change History

Version       Date               Change
Version 1.0   July 09, 2014      Initial Creation (MS)
Version 1.1   October 05, 2014   Update to system architecture (PB)

Table of Contents

Document Change History
Table of Contents
General Information
    About this document
    About roomPulse
    What is CISP compliance
    What is PCI-DSS
    What is PII
hospitalityPulse Security
    Secure Integration & Architecture
    Secure Application

General Information

About this document

This document is provided as a reference guide to hospitalityPulse's security architecture, its adherence to the Visa USA PCI Data Security Standard (CISP compliance) and to the PCI PA-DSS standard issued by the PCI Security Standards Council, and its treatment of Personally Identifiable Information (PII).
About roomPulse

roomPulse by hospitalityPulse is cloud-based (SaaS) enterprise-level software, architected to recommend the optimal room type and/or room number assignment for the hotel's reservations. roomPulse accomplishes this by analyzing inventory and reservation data received from the hotel's Property Management System (PMS). roomPulse increases the hotel's operational efficiency and guest satisfaction while reducing fragmentation of inventory. The PMS data is received and stored in dataPulse, hospitalityPulse's generic, normalized data store.

What is CISP compliance

The Cardholder Information Security Program (CISP) was mandated by Visa to protect payment card holder data, regardless of where it resides, and to ensure that vendors and service providers maintain the highest information security standard. Details regarding CISP can be found at:
http://usa.visa.com/merchants/protect-your-business/index.jsp?it=search%20Quicklink
and at:
http://www.visaeurope.com/en/businesses__retailers/retailers_and_merchants.aspx

What is PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is the result of collaboration between VISA, MasterCard, AMEX, Discover and JCB to create a common security requirement framework for the industry. It applies to all payment channels and to every online or offline retailer that stores, processes, or transmits cardholder data. Details regarding PCI can be found at:
https://www.pcisecuritystandards.org/security_standards/index.php

hospitalityPulse DOES NOT require PCI data from the hotel's PMS. Wherever possible, hospitalityPulse will request that all transmission of PCI data be suppressed.

What is PII

Personally Identifiable Information (PII) is a legal concept covering information that can be used, on its own or combined with other information, to identify, contact, or locate a single person.
PII security has become increasingly important because criminals exploit weaknesses in internet, network, and browser security to commit identity theft. Detailed recommendations in the National Institute of Standards and Technology's Special Publication 800-122 can be found at:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

The table below details the most critical data types and their treatment by hospitalityPulse.

Data Type            From PMS   Stored in dataPulse   User Interface   UI Example
Full Name            Y          Y                     Y                H. Johnson
Home Address         Y          Y                     N                N.A.
Email Address        Y*         Y                     N                N.A.
Social Security #    N          N                     N                N.A.
Driver's License #   N          N                     N                N.A.
Credit Card #        N          N                     N                N.A.
Date of Birth        Y*         N                     N                N.A.
Telephone #          Y*         Y                     N                N.A.
Age                  N          N                     N                N.A.
Gender               Y*         Y                     Y                Ms
Membership #         Y*         Y                     N                N.A.
Membership Level     Y          Y                     Y                PLATINUM

* received from the hotel PMS if the data exists on the reservation's profile

hospitalityPulse Security

Secure Integration & Architecture

The hotel system's interface transmits XML documents containing reservations, inventory, room statuses and configuration information to dataPulse's web services. These documents are sent as HTTP POST requests, and all communication is protected with 128-bit SSL encryption; hospitalityPulse servers are equipped with the SSL certificates, so the entire message stream is encrypted in transit. The 128 bits refer to the symmetric cipher key length; the SSL/TLS protocol version and cipher suites in use are not specified in this document.

As messages are received, the receiving web service applies 128-bit encryption followed by a second encryption under a 40-character key before storing the content. This ensures that no readable document is ever stored on any retrieval system (database, file system, etc.). The ciphers used for the two layers and the management of their keys are not described in this document.

Secure Application

- Built-in session time-out
- Password complexity requirements
- User-level controls
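The following Go program is an added example and is not hospitalityPulse code. It shows how a receiving web service could enforce the PII table above (keep only the columns marked "Stored in dataPulse", drop a card number if a PMS sends one despite the suppression request, and project the "User Interface" columns as "Ms" / "H. Johnson" / "PLATINUM") and then encrypt the minimized record before it is written anywhere, as the Secure Integration & Architecture section describes. The XML element names, the sample reservation, the gender-to-honorific mapping and the choice of AES-128-GCM for the at-rest layer are all assumptions: the page names neither the interface schema nor the ciphers, and it describes two encryption layers where this example shows one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"io"
	"strings"
)

// Reservation is the subset of a PMS document this example reads; the element names are assumed.
type Reservation struct {
	FirstName        string `xml:"FirstName"`
	LastName         string `xml:"LastName"`
	Gender           string `xml:"Gender"`
	Email            string `xml:"Email"`
	DateOfBirth      string `xml:"DateOfBirth"`
	MembershipLevel  string `xml:"MembershipLevel"`
	CreditCardNumber string `xml:"CreditCardNumber"`
}
// StoredRecord has fields only for rows marked "Stored in dataPulse = Y": no DOB, no card data.
type StoredRecord struct {
	FirstName, LastName, Gender, Email, MembershipLevel string
}
// UIView is the "User Interface = Y" projection: honorific, initial plus surname, level.
type UIView struct {
	Honorific, DisplayName, MembershipLevel string
}

// Minimize keeps the storable subset; a card number sent despite the suppression request is dropped (never logged) and reported.
func Minimize(doc string) (StoredRecord, []string, error) {
	var r Reservation
	if err := xml.Unmarshal([]byte(doc), &r); err != nil {
		return StoredRecord{}, nil, err
	}
	var warnings []string
	if strings.TrimSpace(r.CreditCardNumber) != "" {
		warnings = append(warnings, "cardholder data received from PMS; dropped before storage")
	}
	return StoredRecord{FirstName: r.FirstName, LastName: r.LastName, Gender: r.Gender,
		Email: r.Email, MembershipLevel: r.MembershipLevel}, warnings, nil
}

// Render builds the UI projection ("Ms", "H. Johnson", "PLATINUM"); the honorific mapping is this example's assumption.
func Render(s StoredRecord) UIView {
	honorific := map[string]string{"F": "Ms", "M": "Mr"}[strings.ToUpper(s.Gender)]
	name := s.LastName
	if s.FirstName != "" {
		name = string([]rune(s.FirstName)[0]) + ". " + s.LastName
	}
	return UIView{Honorific: honorific, DisplayName: name, MembershipLevel: s.MembershipLevel}
}

// newGCM builds an AES-GCM AEAD; a 16-byte key selects AES-128. The page names no cipher; GCM is chosen here because it also detects tampering.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord serializes the minimized record and encrypts it before it reaches a database or file system; the random nonce is prefixed.
func SealRecord(key []byte, rec StoredRecord) ([]byte, error) {
	plain, err := xml.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenFromStorage reverses SealRecord; a wrong key or any modified byte fails.
func OpenFromStorage(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// SampleDoc is a constructed reservation carrying a card number (should have been suppressed) and a date of birth (received, not retained).
const SampleDoc = `<Reservation><FirstName>Helen</FirstName><LastName>Johnson</LastName>
<Gender>F</Gender><Email>h.johnson@example.com</Email><DateOfBirth>1970-01-01</DateOfBirth>
<MembershipLevel>PLATINUM</MembershipLevel><CreditCardNumber>4111111111111111</CreditCardNumber>
</Reservation>`
```

Minimize never copies the card number or the date of birth into StoredRecord, so those values cannot reach SealRecord no matter what the PMS sends; the warning is the signal to the integration team that the suppression request is not being honored at the source. The 16-byte key in a real deployment comes from a key store, not from source code, and a second layer under a separate key, as the page describes, would wrap the output of SealRecord in the same way.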