Checklist for PCI Compliance

This section applies to any Campground Master system that is used to store (or process) credit cards. If you enter credit cards in Campground Master, this applies to you! If, and only if, you never enter credit card numbers in Campground Master, then you can ignore this section.

Since the official PA-DSS Implementation Guide can be difficult to understand, here is a list of the specific things you need to do in Campground Master in order to be compliant. While some of the PCI compliance issues are handled automatically, others will require due diligence on your part to enable or maintain the functions needed to be in compliance.

Note: This checklist does not cover issues external to Campground Master, such as basic computer and network security, external credit card handling, etc. To make sure your business is in compliance, you should consult a PCI compliance specialist. Contact your credit card company for references.



Change the default "Administrator" password:

If the default operator login of "administrator" and "password" still exists, then it must be changed. At a minimum, the password must be changed (you will be prompted to do so when using that login for the first time). It's better to add a separate login for each user and remove the "Administrator" login altogether.


Enforce PCI-compliant logins:

To create PCI DSS-compliant secure logins, the Operator records must have "Force password change every 90 days" selected, "Complex password required" selected, and must have "Auto-Logout after" set to no more than 15 minutes. Go into Maintenance / Park Setup / Operators, and enable these options for each operator.


Unique logins:

Using a shared login, whether it's for the administrator or for clerks, does not meet PCI compliance. Every person using the system must have their own unique login. Go into Maintenance / Park Setup / Operators to add logins for each person using Campground Master, and make sure they are used accordingly. Remember that all actions are tracked in the Audit Trail, so you don't want someone else doing things under your login!

Also make sure you promptly delete operators that should no longer be using the system.


Keep sufficient audit trails:

The length of time that the log history is maintained may be set by the user, through View / Audit Trail, Audit Trail Options. To meet PCI DSS compliance, the "Permanently delete entries older than" setting should be at least 366 days. Alternatively, it may be set to 30 days if a manual backup is done at least every 30 days and these backups are kept for at least 1 year.


Do not bypass the security code non-entry rule:

PCI compliance requires that you never store the CVC or CVV2 security codes from credit cards on a computer. Therefore these fields have been removed from Guarantee Info entry, and only exist in the Payment entry if you're processing cards through Campground Master (where it's only used during that payment processing, not stored for later use). Do not be tempted to put the code somewhere else. If you have questions about the consequences of not having this code when processing a card, contact your credit card company.


X-Charge users -- change to the XpressLink interface:

To be PCI compliant with X-Charge, you must use the new "XpressLink" interface method. See here for instructions on changing the settings for this: help/basicsetup_x_chargexpressl.html

In a nutshell, you need to select the XpressLink option in the Credit Card Processing Setup, and enter the X-Charge user/password under the XpressLink Options. If using more than one computer, it also means having X-Charge installed as a Client on each other computer, and also using the XpressLink option there instead of "Send processing requests through the master".


IC Verify users -- use at least version 4.0.4 and change to the Encrypted method:

You need to use IC Verify version 4.0.4 (or their latest if greater than that) to be fully PCI compliant. Also, use the Encrypted option in Campground Master: On the main computer (the one that also has IC Verify on it), change the Processing software used to "IC Verify Encrypted". Also make sure that "ICV404" is selected for the Encryption DLL.

For more details, see the new documentation for IC Verify setup: https://campgroundmaster.com/help/basicsetup_icverifyencrypt.html


Merchant Warehouse users:

Previously, the IC Verify settings were used for Merchant Warehouse. Since that is not PCI compliant, a new interface method has been set up in Campground Master to interface directly with their MerchantWARE web service. You must change Campground Master to use this interface.

For details, see the documentation here: https://campgroundmaster.com/help/basicsetup_merhcantwareweb.html


Cleaning old credit card data:

Campground Master versions prior to 6.0 allowed the storage of magnetic stripe data and card validation values with a "weak" encryption. While the upgrade to 6.0 automatically corrects the encryption to be strong in your current database file, it does not automatically remove this information completely. In order to remove this information, you must perform these steps in Campground Master once version 6.0 is loaded: