Appendix B - Data Security Letter One
July 24, 2006
To: Hotel General Manager
Priority: High
Delivery: UPS confirmation signature required
From: Gary Gibb, President, AutoClerk Inc.
Subject: Data Security, July 2006

The hospitality industry has long understood the importance of protecting the privacy of our
guests and our guests' information. Unfortunately, the newest threat to guest privacy comes from
the cyber world in the form of computer hackers and identity thieves attempting to penetrate
our information systems to obtain guest information including credit card information and
other personal data. Network security, firewalls and anti-virus software are just a few of the
components that help protect and insulate guest data from potential compromise by hackers.
Here at AutoClerk we take this threat very seriously. We ask you to join us in our ongoing
initiative to proactively deter and prevent this type of cyber crime for the good of our guests and
industry. As noted at this year's Hospitality Industry Technology Exposition and Conference
(HITEC 2006) in Minneapolis, many security leaders including Michael Smith, Senior VP of
Corporate Risk & Compliance for Visa USA Inc., emphasize that prevention is far less costly
and less painful than a cure.

The card industry associations (Visa, MasterCard, American Express and Discover) are exerting great pressure on their member banks and other service providers to ensure that all merchants accepting their card brands adhere to the Payment Card Industry (PCI) Data Security Standard.

This PCI security standard defines strict requirements for the processing and storage of credit and
debit card information that merchants must adhere to in order to continue accepting credit cards and to avoid substantial fines.

One of the highest priority elements of the 12-point PCI security program is to ensure that full
credit card magnetic stripe (track or swipe) data and CVV2 card verification codes are not stored
in any form after an authorization is completed. This point is extremely important because of the
relative ease with which one could create a fraudulent payment card if this sensitive data is obtained. One only has to open a newspaper and view current headlines documenting the almost constant loss of personal and financial data due to carelessness and hacking. (See "Meet the Hackers," Business Week, May 29, 2006.) While it is important to fully comply with all aspects of the PCI standard, the main emphasis at this point is to prevent the storage of full magnetic stripe data. AutoClerk is working to ensure that you have the appropriate tools to remediate the retention of magnetic stripe data in your system.
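The check a property or its network administrator would want to run against the point above is whether any stored record still carries full track data or a CVV2 after authorization, and what a remediated record should look like. The following is an added example written for this appendix, not AutoClerk code; the record layout, field names (`track2`, `cvv2`, `notes`, and so on) and the sample folios are constructed assumptions. It recognizes ISO 7813 Track 1 and Track 2 layouts even when they are buried in a free-text field, confirms the embedded PAN with a Luhn check to cut false positives, and produces a sanitized record that keeps only what may be retained (PAN, expiry, cardholder name, authorization code) with the PAN masked to the first six and last four digits. Masking stands in here for the encrypted storage the letter's item 1 calls for.

```python
"""Detect and remediate stored sensitive authentication data (SAD) in PMS records.

Added example, not AutoClerk code. Field names and record layout are assumptions.
"""
from __future__ import annotations

import re

# ISO 7813 track layouts.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Field names (assumed) that must never persist after authorization completes.
SAD_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters out digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list[str]:
    """Return the track formats ('track1'/'track2') found inside a free-text value."""
    hits = []
    for label, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group("pan")):
                hits.append(label)
    return hits


def mask_pan(pan: str) -> str:
    """PCI display mask: at most the first six and last four digits remain visible."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: dict) -> list[str]:
    """List SAD violations in one record: populated forbidden fields, plus track
    data hidden in any string field (e.g. a clerk pasting a swipe into notes)."""
    findings = []
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS and value:
            findings.append(f"field:{k}")
        if isinstance(value, str):
            findings.extend(f"{key}:{t}" for t in find_track_data(value))
    return findings


def sanitize_record(record: dict) -> dict:
    """Drop SAD fields, scrub embedded track data, and mask the PAN for display."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue
        if isinstance(value, str):
            value = TRACK1_RE.sub("[track1 removed]", value)
            value = TRACK2_RE.sub("[track2 removed]", value)
        if k == "pan" and isinstance(value, str):
            value = mask_pan(value)
        clean[key] = value
    return clean


def audit(records: list[dict]) -> dict:
    """Map folio -> findings for every record that still holds SAD."""
    return {r["folio"]: f for r in records if (f := scan_record(r))}


# Constructed sample folios. 4111 1111 1111 1111 is a standard test PAN; all data is fictitious.
SAMPLE_RECORDS = [
    {"folio": 1001, "pan": "4111111111111111", "exp": "0908", "name": "DOE/JANE",
     "track2": ";4111111111111111=09081011234567890?", "cvv2": "123", "auth_code": "A1B2C3"},
    {"folio": 1002, "pan": "4111111111111111", "exp": "0908", "name": "DOE/JANE",
     "track2": "", "cvv2": "", "auth_code": "D4E5F6",
     "notes": "guest swiped again: %B4111111111111111^DOE/JANE^09081011234567890?"},
    {"folio": 1003, "pan": "4111111111111111", "exp": "0908", "name": "DOE/JANE",
     "auth_code": "G7H8I9", "notes": "late checkout"},
]

if __name__ == "__main__":
    for folio, findings in audit(SAMPLE_RECORDS).items():
        print(folio, findings)
    print(sanitize_record(SAMPLE_RECORDS[0]))
```

Run against a dump of the reservation or settlement tables, the `audit` result is the list of folios that would fail the track-data requirement; a second pass of `scan_record` over the sanitized output should come back empty before the remediation is considered done.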

Other software changes may also be required to enable you to become PCI compliant. These
changes include, but are not limited to [1]:

1. Encrypt the account number anywhere it is stored on your computer network. This will
pose the greatest challenge for you since it will affect many downstream systems in your
office. These systems could include credit card settlement, analytical systems, customer
relationship modules, etc. Many of these systems may not be AutoClerk specific.
2. Apply operating system patches on a regular basis.
3. Run rigorous IP port scans on a regular basis.
4. Change all access passwords periodically. This is a very simple security measure,
one that might often be overlooked in the rush of our day-to-day business. The password
policies used for the connectivity between the AutoClerk technical support staff and the
computers in your hotels and/or corporate offices should require regular password
changes.
5. Implement a firewall or similar network protection device at all access points from your
network to the internet.

As indicated, the responsibility for the safety of your hotel's data rests with you and your
network administrator, not with AutoClerk. This also applies to compliance with the PCI
standards. From our own experience we know that developing PCI compliant solutions can be
time consuming and expensive.

We also recognize that many network administrators (be they in-house employees or third-party
PC vendors or consultants) sometimes have neither the training nor the expertise to
properly test and validate your hotel's data security. AutoClerk stands ready to provide
support for our systems and provide references to other consulting services to assist you in your efforts to become PCI compliant. Digital Resource Group (DRG),
www.drgsf.com, located in San Mateo, California, is a Qualified Data Security Company that specializes in PCI data security; many other accredited security assessor organizations are listed at www.visa.com/cisp (click on "View all CISP downloads" and then select "Qualified Data Security Company List"). We also encourage you to work directly with your merchant bank in connection with the development of a written and agreed-upon deployment schedule for the required PCI enhancements.

In the event your systems are compromised (or it is alleged that your systems are compromised) you may be faced with customer notification expenses and loss mitigation costs. Consider obtaining Cyber Risk or Privacy insurance to cover these expenses.

If you are still considering whether or not to address this project, please understand the risk you are accepting by not complying with the PCI requirements. Again, the fines that are being
proposed are not trivial and could have a serious financial impact on your business. In the
event of fraudulent activity on a credit card that passes through your system you may also be
designated as a common point of purchase (CPP) (sometimes referred to as a common point of
compromise, or CPC), which carries even more serious consequences in the event you are not PCI compliant. (See attached CPP article.)

In closing, AutoClerk urges you to immediately start down the path of better data security for the benefit of your guests and your business. Please do not hesitate to call if you have any questions.

Regards,

Gary R. Gibb
President / Co-founder
direct (925) 871-1801
cell (925) 324-1729
email gibb@autoclerk.com

[1] See www.visa.com/cisp, "Top Downloads" (right column), and click on "PCI Data Security
Standard" for more details on the 12 categories covered by the PCI requirements.