Appendix A - Legacy Data Secure Deletion Instructions

Security Disclaimer

The AutoClerk Licensee (Customer) acknowledges that no computer system or software can be made completely secure. The information and instructions detailed below do not guarantee the safety or security of your hotel's e-commerce network, or information transmitted or stored on this application. In addition, following these steps does NOT make the Customer PCI DSS compliant although it does support your effort to become compliant. Not completing these steps to securely delete and then wipe all legacy data makes the hotel NON-PCI DSS compliant.

The secure deletion of AutoClerk PMS legacy data MUST be performed by the hotel's network administrator on EVERY hotel computer. The access, retention, storage and deletion of other forms of legacy data are the property's responsibility and must follow your written policy. (PCI DSS Reqs. 3.1, 7.1)

The purpose of performing these steps is to securely delete all legacy data that contains credit card data, such as a cardholder's Primary Account Number (PAN), from all network computers. You must also ensure that any legacy cryptographic keys are securely deleted. This secure deletion and then wiping are requirements of PABP. (Reqs. 1.1.1 - 1.1.4)

Legacy data includes, but is not limited to, neglected and/or forgotten data on stored zip or other media backups; data on computers that have been replaced; data copied to perform computer upgrades or to set up additional stations; and data copied for system maintenance.

Legacy data also can include imprints of credit cards taken at check in; faxes with credit card guarantee information; and/or hard copies of past reports including night audits.

This document addresses legacy data, which is not part of the PMS's active data that may reside on any of your computers.

The Customer's network administrator should use caution when performing the secure data deletion and wiping. If the Customer or network administrator is in doubt about any step, please contact AutoClerk technical support at (925) 284-1005 or AutoClerk president Gary Gibb at (925) 871-1801.

Background

The AutoClerk program has integrated features for purging old data backups, but the automated purging process only works on the backups in specific directories on the hotel's AutoClerk server or the AutoClerk station #1. A common and dangerous practice when doing a computer hardware upgrade is to use an existing computer as temporary storage for a copy of the old files. When the new computer is installed on the network, the old files are bulk copied to the new computer but rarely are the files wiped from the temporary storage computer. Such actions compound a legacy data problem because the end result is that multiple computers have legacy data on them. The solution is to securely delete any legacy data before any other data is transferred. You must then wipe the storage computer's disk once the transfer is complete.

When your property was updated to AutoClerk's Version 7, data within the active AutoClerk dataset was encrypted. It is the Customer's responsibility to follow the instructions detailed below to ensure that no legacy data resides on ANY computer (server, computer or laptop) outside of the active AutoClerk dataset.

File Removal Basics

If you need to log onto a computer with administrative rights in order to access and securely delete data, you MUST log off when you are done to prevent others from using the computer with administrative rights.

When you are finished removing files from a given computer, you MUST include all users' Windows recycle bins in a wipe of the system. Windows will automatically re-generate a recycle folder when needed in the future.

When you have securely deleted all legacy data from a computer, you MUST wipe the drives using a wipe tool program. Two programs that some of our Customers have used are Eraser http://www.heidi.ie/eraser/ (freeware) or CyberScrub's Privacy Suite v.5.0 http://www.cyberscrub.com/ (purchase). These tools 'wipe' or overwrite data in the computer's unused or empty space to make it unreadable.

AutoClerk's Data Conventions

A Customer only has one active working AutoClerk dataset. It resides on the property's AutoClerk server computer (be it dedicated or non-dedicated). It is always within a directory called 'autoclerk' located on one of the AutoClerk server's root drives.

To protect against data loss, compressed backup copies of the active dataset are automatically created whenever a shift change or night audit is performed on station #1. Dataset backups are comprised of three compressed zip files: data.zip, profile.zip, and xdev.zip.

All compressed backup files should reside ONLY on the AutoClerk server and on station #1, within specific directories (...\autoclerk\backup). They should always be current, less than one month in age. No other computer should have ANY uncompressed or compressed AutoClerk data files.

Uncompressed COPIES of an AutoClerk dataset and compressed AutoClerk zip backups more than 1 month old must always be securely deleted wherever and whenever found.

Your network administrator MUST perform an all-inclusive search to locate all PMS dataset copies. One way to search is: at the command prompt, in each local drive's root directory (e.g. c:\, d:\, etc.), type:

    dir data.zip /s /p

Take the same steps for profile.zip and xdev.zip. This will show you all directories where data.zip resides, and possibly where other encrypted or unencrypted legacy data files are. All copies of these files must be securely deleted.

For station #1's that are standalone, or peer-to-peer, or are NOT user profile enabled, the automated backup files in c:\autoclerk\backup should not be older than one month.

For user profile enabled computers that are part of a dedicated server network, the directory c:\autoclerk should be entirely deleted. Do NOT delete c:\autoclerk on the AutoClerk dedicated server. Backups should only be on station #1's %allusersprofile%\application data\autoclerk\backup directory and should not be older than one month.

Credit Card Initialization File

On each computer, including the AutoClerk server, search for a file called 'psdf.pf1'. It should only be found on the AutoClerk server's data\credit folder, and should have a current date. Any other instances must be securely deleted.

Log Files

All AutoClerk client log files must be securely deleted. On all computers, search for and securely delete log files beginning with ac. They will be followed by a number.

Do NOT delete any as*.log files as these contain important user log information that MUST be retained per PCI DSS Reqs. 10.1-10.3 and PABP Req. 4.

On computers that are running AutoClerk Central Reservation System (CRS) interfaces (such as AutoClerk's ResOnTheWeb service, or other 3rd party CRS vendors) it is important to securely delete the CRS interface log files. These interfaces run on the server and the log files are in the Windows temp directory. Examples of these files, all of which end in ".log", have a prefix of row, hub, topz, syx, grs, tvc, uz, rw, hope, and bw.

Interface log files for the various CRS interfaces contain data such as guest name, arrival, and departure. If more than a few dozen CRS log files are found, contact AutoClerk's technical department and have them modify AutoClerk's Acmaint's configuration files so the deletion of old CRS log files is automatic in the future.

Securely delete all CRS interface log files in the temp directory. Remember not to delete ANY log files that begin with 'as'.

Other log files can be maintained as they will now be automatically purged by AutoClerk program 'Acmaint' and/or do not contain any sensitive credit card data.

On the AutoClerk server's drive that has the active AutoClerk data (which may not be the c: drive), securely delete the following: cclog.2004*.*; cclog.2005*.*; cclog.2006*.*; and cclog.2007*.* from the data\credit directory.

Other Misc. Search and Destroys

You will need to do a few more searches before you run a wipe utility. This is because the AutoClerk PMS only maintains its own active data, not legacy data or data that resides outside the active data. If you find any of the files listed below, you must securely delete them and as a last step, perform a wipe.

AutoClerk PMS historical folio files can be found by searching for the first three characters of the month, followed by an asterisk, then .txt, for example: jan*.txt. The asterisk will be the year.

Search for files with a .pf1 or .is1 suffix.

Search for files with ac2g in the name. Keep in mind that it may be called oldac2g.exe, ac2gold.exe, ac2g.old… The AutoClerk client executables may contain legacy cryptographic material, therefore all variations of this executable must be found and securely deleted.

Search for AutoClerk's p-system data which will be in a directory called 'rec'. If you find a directory called rec, and under it are such things as bios.rec or config.rec or sys.vol then delete the entire rec directory.
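
The searches described in the sections above can be combined into one report-only inventory pass per computer. The PowerShell below is an added example and is not AutoClerk tooling; the function name Find-AutoClerkLegacyCandidate is hypothetical, "one month" is assumed to mean 31 days, the folio year is assumed to be digits, and CRS log prefixes are matched only under directories named temp. The name patterns are transcribed from this document.

```powershell
# Added example, not AutoClerk tooling. Report-only: it lists candidates and deletes nothing.
# Hits still need secure deletion and a wipe, per the instructions in this document.
function Find-AutoClerkLegacyCandidate {            # hypothetical name
    param(
        # Default covers every file-system drive, mapped drives included; pass -Root to limit.
        [string[]]$Root = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }),
        [int]$MaxBackupAgeDays = 31                 # assumption: "one month" read as 31 days
    )
    $cutoff = (Get-Date).AddDays(-$MaxBackupAgeDays)
    # Each rule pairs a file-name regex (case-insensitive) with a finding label; first match wins.
    $rules = @(
        @('^(data|profile|xdev)\.zip$', 'dataset backup zip'),
        @('^psdf\.pf1$',                'credit card initialization file'),
        @('\.(pf1|is1)$',               '.pf1/.is1 file'),
        @('ac2g',                       'ac2g executable variant'),
        @('^ac\d.*\.log$',              'client log (ac + number)'),
        @('^cclog\.200[4-7]',           'cclog 2004-2007'),
        @('^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\d+\.txt$', 'historical folio')
    )
    $crs  = '^(row|hub|topz|syx|grs|tvc|uz|rw|hope|bw).*\.log$'   # CRS interface logs
    $psys = '^(bios\.rec|config\.rec|sys\.vol)$'                  # p-system files
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            if ($_.Name -like 'as*.log') { return }   # as*.log must be retained, never listed
            $label = $null
            foreach ($rule in $rules) {
                if ($_.Name -match $rule[0]) { $label = $rule[1]; break }
            }
            if (-not $label) {
                if ($_.Name -match $crs -and $_.DirectoryName -match '\\temp(\\|$)') {
                    $label = 'CRS interface log in a temp directory'
                } elseif ($_.Name -match $psys -and $_.Directory.Name -eq 'rec') {
                    $label = "p-system file under a 'rec' directory"
                }
            }
            if ($label) {
                $_ | Select-Object @{n='Finding';e={$label}}, FullName, LastWriteTime,
                    @{n='InBackupDir';e={$_.DirectoryName -match '\\autoclerk\\backup$'}},
                    @{n='OlderThanCutoff';e={$_.LastWriteTime -lt $cutoff}}
            }
        }
    }
}
# Example: Find-AutoClerkLegacyCandidate -Root 'C:\','D:\' | Export-Csv legacy-candidates.csv -NoTypeInformation
```

The active dataset on the AutoClerk server and current backups in ...\autoclerk\backup will appear in the output; the InBackupDir and OlderThanCutoff columns help separate those from legacy copies, and each hit should be reviewed against the rules above before anything is securely deleted.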

THESE TASKS MUST BE PERFORMED ON ALL PROPERTY COMPUTERS REGARDLESS OF WHETHER OR NOT THEY ARE STILL IN USE AND/OR PROCESS CREDIT CARD TRANSACTIONS. IN ADDITION, YOU MUST USE A WIPE TOOL ON EACH COMPUTER AFTER ANY SECURE DELETION HAS BEEN COMPLETED.

Remember, not securely deleting the legacy data and then wiping the drives makes you NON-PCI DSS compliant. You must follow your property's data retention policy (PCI DSS Reqs. 3, 9 and 12) with regard to keeping, accessing and subsequently deleting and/or destroying credit card data.