Here are some observations from this year's meeting.
01 Security, Particularly Cyber Security, Is A National Defense Issue.
Navigate the Cyberseas.
We had the pleasure of hearing Admiral James Stavridis, former NATO Supreme Allied Commander Europe and Commander of the U.S. European Command, speak on the ever-evolving threats and identify theaters of battle including Russia, the former Eastern Bloc, the Middle East and Asia Pacific. The "Cybersea" is a reference to the 9 billion connected devices in the world.
Ubiquity Does Not Equal Safety.
Stavridis thinks that the ubiquity of the Internet and the smart device is a major vulnerability. He stressed that no matter how good our technology or security is, poorly trained or apathetic people and poor processes will defeat our efforts.
The Threat Is Often Government Sponsored.
Threats from outside the United States are often government sponsored. He indicated that 1.2 billion accounts and 500 million passwords have been taken by Russian cybercriminals, with the Russian FSB (roughly the equivalent of the American CIA and FBI) in cahoots with them. The Russian government is not prosecuting these criminals, but it is reserving the right to use the data at a later time. Admiral Stavridis has also seen similar attacks coming at a staggering rate from Hamas and ISIS, as well as other militant groups. The Admiral feels we are already in a cyberwar.
Stavridis indicated that the countries that are the largest threat to United States data (PAN and PII) are China, Nigeria, Brazil, Ukraine, Russia and Vietnam.
America’s Biggest Threat Is Cyberwar.
Right now cyber attacks are the biggest threat to America because this is where the gap between our preparedness and the attackers' abilities is widest. We know how to be victorious in a kinetic war, but we are not as prepared for the cyber one.
Partnership among government, the private sector and the public sector is the only way to attack this threat, and we need to work out a balance with other countries to address it.
02 The PCI Security Council Is Really (Finally?) Interested In Involving Hospitality And Smaller Merchants In The Discussion.
New Attitudes. Unlike in past years, when the council seemed disinterested or annoyed by hospitality merchants (did I tell you how they had no clue who AH&LA or HFTP was?), this year the council made it a point to engage both small vendors and hospitality.
Unique Payment Processes. Leaders at the PCI Security Council recognize that the hospitality industry's unique payment process creates an expanded threat, and the council is interested in targeting the hospitality vertical with special training and information.
Specific Education. The council recognizes the need for education and is willing to help. Several discussions revolved around attackers going after small targets in order to practice and learn how to attack similar systems in larger operations. If you are a member of HFTP or any other PCI partner group and you want to be involved, I urge you to email participate@pcisecuritycouncil.org.
03 The Card Brands Are Still Insolent Toward Hospitality.
Card Brands Are Not Concerned About a Hospitality Transaction Model Regarding EMV.
None of the brands seemed to understand the hotel authorization model or how guest checkout with EMV would impact hospitality.
No Plans To Delay EMV Requirements.
Even though few software and hardware partners are ready for EMV in hospitality, there are no plans to delay the compliance timeline. While only VISA is focused on the October 2015 liability shift, all card brands will require terminals by October 2016.
04 What You Think Is Out Of Scope, Is Not.
If The System Can Access the In-scope Areas, Then That System Is In Scope.
The philosophy is that even if a sector or component of your system does not store, transmit or process credit card data and is isolated, it is in scope if it could be compromised to gain access to a system in your documented CDE (cardholder data environment).
Example One - If you have a company.com website that takes reservations and the site redirects reservation traffic to a third-party system, your website is in scope.
Example Two - If your PMS receives encrypted PAN from the reservation engine but never the unencrypted PAN, it is still in scope. This calls into question how much tokenization will actually reduce compliance costs.
Third-party QSA Required To Define A Network Or System As Out Of Scope.
Unless a system is completely (read: physically) separated from the cardholder environment, it is in scope. As far as the speakers were concerned, the only way to have a system officially out of scope is through QSA confirmation. It is largely thought that the Target and Home Depot breaches started from parts of those networks that had been falsely identified as out of scope.
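The "if it can reach the CDE, it is in scope" rule is transitive, so it can be checked mechanically against a connectivity inventory before the QSA arrives. The following is an added example, not code from the article or from the council: it models a constructed hotel network (every host name and edge here is an assumption) as a graph of which host can open a connection to, or push data into, which other host, walks backwards from the documented CDE, and reports every host that can reach it along with the path it would use. Hosts the walk never reaches are the only candidates for "out of scope".

```python
from collections import deque
from typing import Dict, Iterable, List

# Constructed sample topology (an assumption for this example, not a real
# property). An edge A -> B means host A can open a connection to, or push
# data into, host B. Hosts with no outbound edges still appear as keys.
EDGES: Dict[str, List[str]] = {
    "payment-gw": [],
    "pms": ["payment-gw", "reservation-engine"],
    "reservation-engine": ["pms"],      # sends (encrypted) PAN to the PMS
    "corp-wifi": ["pms"],               # front-desk laptops
    "hvac-controller": ["pms"],         # vendor remote-access box on the same VLAN
    "hr-fileserver": ["print-server"],
    "print-server": ["pms"],            # prints folios, so it talks to the PMS
    "guest-wifi": ["captive-portal"],
    "captive-portal": [],
}

# What the merchant documented as the cardholder data environment.
DOCUMENTED_CDE = {"payment-gw", "pms"}


def scope_paths(edges: Dict[str, List[str]], cde: Iterable[str]) -> Dict[str, List[str]]:
    """Return {host: path} for every host that can reach the CDE.

    Breadth-first search over the reversed edges, seeded with the CDE hosts,
    so each host is discovered via a shortest path into the CDE.
    """
    reverse: Dict[str, List[str]] = {host: [] for host in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)

    paths = {host: [host] for host in cde}
    queue = deque(sorted(cde))
    while queue:
        node = queue.popleft()
        for upstream in sorted(reverse.get(node, [])):
            if upstream not in paths:
                paths[upstream] = [upstream] + paths[node]
                queue.append(upstream)
    return paths


def undocumented_in_scope(edges: Dict[str, List[str]], cde: Iterable[str]) -> List[str]:
    """Hosts that can reach the CDE but are not documented as part of it."""
    return sorted(set(scope_paths(edges, cde)) - set(cde))


def truly_out_of_scope(edges: Dict[str, List[str]], cde: Iterable[str]) -> List[str]:
    """Hosts with no path into the CDE: the only candidates for 'out of scope'."""
    return sorted(set(edges) - set(scope_paths(edges, cde)))


if __name__ == "__main__":
    paths = scope_paths(EDGES, DOCUMENTED_CDE)
    for host in undocumented_in_scope(EDGES, DOCUMENTED_CDE):
        print(f"IN SCOPE (undocumented): {' -> '.join(paths[host])}")
    for host in truly_out_of_scope(EDGES, DOCUMENTED_CDE):
        print(f"out-of-scope candidate:  {host}")
```

Note what the walk surfaces: the HVAC vendor box and the HR file server never touch card data, yet both land in scope because they can reach the PMS, directly or via the print server. Feeding the script a real inventory (firewall rules, VLAN membership, service accounts) and comparing the result against the documented CDE is the same argument a QSA will make.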
Ignorance Is Not A Control.
Up to 50 percent of breaches were related to cardholder data being stored in an area that the merchant did not know about.
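The practical counter to "data you did not know about" is a discovery scan of your own logs, exports and file shares. The following is an added example, not code from the article: it searches text for 13- to 19-digit runs (optionally separated by spaces or dashes), keeps only those that pass the Luhn check real card numbers satisfy, and reports them masked to first six and last four. The sample log lines are constructed and the card numbers in them are brand test numbers; point `scan_lines` at real files, and treat a hit outside the documented CDE as scope creep rather than noise.

```python
import re
from typing import Iterable, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (so a 20-digit order number is not reported).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check: PANs from the major brands pass it, so it cheaply
    removes most confirmation numbers and IDs from the candidate list."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four (what PCI DSS permits to display), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return the normalised (digits-only) PANs found in one string."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line number, masked PAN) for every hit; what you would log or report."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


# Constructed sample: a PMS/POS debug log of the kind that quietly ends up on a
# shared drive. 4111... and 5500... are brand test numbers, not real cards.
SAMPLE_LINES = [
    "2014-09-10 14:22:05 folio 10482 auth ok card=4111111111111111 amount=189.00",
    "2014-09-10 14:23:11 reservation conf#1234567890123456 guest=Doe phone=678-802-5302",
    "2014-09-10 14:25:40 bar tab opened track=5500 0000 0000 0004 exp=1216",
    "2014-09-10 14:26:02 night audit complete, 312 rooms, 9000000000 bytes written",
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {masked}")
```

The 16-digit confirmation number on the second line is deliberately there: it matches the digit pattern but fails Luhn, which is why the scan is more useful than a bare regex. Log the masked value only; writing the full PAN into a findings report would create exactly the kind of undocumented store the statistic describes.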
05 EMV Is Not Going To Replace PCI.
EMV Will Only Stop Card-present Fraud Relating to Lost, Stolen and Counterfeit Cards.
Hotels will still be major repositories for non-EMV transactions because of online/voice reservations.
EMV Will Likely Make Securing Your Networks A Bigger Challenge, At Least At First.
Once deployed, EMV will shift attacks from physical methods (skimmers, counterfeit cards) to card-not-present channels (online reservations, e-commerce), as that will be the path of least resistance.
06 I Could Not Find A Brand, Processor Or Expert At The Conference That Had Any Clue How EMV Will Work For North American Hotels.
Consumer Behavior for Checkout in North America Needs to Be Changed.
Guests in North America typically just leave the hotel, skipping the desk for a formal checkout. Given the nature of our transaction model (authorization at check-in, settlement at checkout) this creates a problem, as a guest who has already left cannot present the card to swipe or dip and then enter a PIN or sign. The card brands I talked to were unsure how this would impact liability and responsibility for the merchant.
This Will Impact Your Labor Footprint As Well.
The current staffing models in hotel operations are based on a small percentage of guests coming to the desk to check out. Hotels will need to staff for the new model.
Rethink Bar Tabs As Well.
The practice of holding a credit card at the bar for a tab (already counter to PCI rules), or swiping to open a tab and returning the card to the customer, will be worthless with EMV cards.
07 The United States Will Deploy Chip And Signature AND Chip And PIN Versions Of EMV.
Guess What?
Card issuers are freaking out that their customers (our customers) will be slow to adopt chip and PIN, so they are going to chip and signature instead to encourage better consumer adoption. One big concern for merchants is the risk of not having the PIN for confirmation and the liability related to this. The EMV transition group hopes that card brands will remove or restructure liability to the same levels as chip and PIN.
Each Transaction Will Be Evaluated At Time Of Swipe/Dip.
Terminals will be set to the highest level of security the card supports: if the card is capable of chip and PIN, the transaction will be chip and PIN; if not, it will fall back to chip and signature, then to swipe, and so on.
Not Ready For Prime Time.
For the foreseeable future the vast majority of card-present transactions will still be swiped. Some speakers thought it would be 2018 or 2019 before the majority of card-present transactions would be performed with EMV.
08 EMV Was Delayed Because We Use Debit Cards.
What The Heck Is Taking So Long?
I have finally heard the explanation of why the U.S. market has been so late to this party: debit cards. In Europe and other countries that were early adopters of EMV, debit was not used, or at least was not heavily adopted, when EMV was rolled out. The U.S. transition is harder because of the number of national and regional debit networks, and because the Durbin Amendment requires every debit card to work with at least two unaffiliated debit networks.
Okay, And There Are Some Other Factors.
In addition, the number of issuers, banks and secondary partners, plus vendor trepidation, has slowed the process by an estimated two years.
09 Tokenization Is Not A Magic Bullet.
PCI Still Applies to Environments with Tokenization.
Even though it is widely held that tokenization will render PANs worthless, PCI will still be an everyday part of life.
Scope It In.
Your systems that hold only tokenized PAN data will not be considered out of scope in many cases (see the earlier point about scope).
PCI-compliant Tokenization Is Not Completely Defined Yet.
In addition, the PCI Security Council is creating its own definition of PCI tokenization, and it is pretty strict, particularly regarding reversible encryption.
Acceptable Tokenization Will Be A True Black Box.
PCI-compliant tokenization will need to have encryption, decryption and token creation happen in an environment that is isolated from, and opaque to, the merchant's own systems.
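To make the distinction the council is drawing concrete, here is an added example (not code from the article or from the council's tokenization guidance) contrasting the two things people call a "token". `TokenVault` issues random tokens that preserve only the last four digits and keeps the PAN mapping inside the vault, so nothing outside the vault can reverse a token. `reversible_pseudo_token` is a PAN under reversible encryption, implemented here as a toy digit-wise stream cipher for illustration only (not a real format-preserving scheme): anyone holding the key recovers the PAN, which is exactly why systems holding such values stay in scope. The sample PAN is a brand test number; the key and the vault layout are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """Vault-style tokenization: the token is random, so it carries no
    information about the PAN, and only the vault's table maps it back.
    In a real deployment the vault and its PAN store sit in their own
    isolated CDE; here the store is in memory to keep the example runnable."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)        # keys the PAN -> token lookup index
        self._token_to_pan: Dict[str, str] = {}
        self._index_to_token: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index is not itself a plaintext list of PANs.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index(pan)
        if idx in self._index_to_token:       # same PAN -> same token, so the PMS can match folios
            return self._index_to_token[idx]
        while True:
            # Random leading digits; last four preserved so staff can still confirm the card with the guest.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault that issued the token can answer this."""
        return self._token_to_pan.get(token)


def _digit_stream(key: bytes, n: int) -> List[int]:
    """Keystream digits from HMAC-SHA256(key, counter). Toy construction for
    the illustration: b % 10 is slightly biased and this is not a real FPE."""
    out: List[int] = []
    counter = 0
    while len(out) < n:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b % 10 for b in block)
        counter += 1
    return out[:n]


def reversible_pseudo_token(pan: str, key: bytes) -> str:
    """A 'token' that is really the PAN under reversible encryption.
    It looks like a token but is only as secret as the key."""
    return "".join(str((int(p) + k) % 10) for p, k in zip(pan, _digit_stream(key, len(pan))))


def recover_pan(pseudo_token: str, key: bytes) -> str:
    """Anyone who obtains the key reverses every pseudo-token at once."""
    return "".join(str((int(c) - k) % 10) for c, k in zip(pseudo_token, _digit_stream(key, len(pseudo_token))))


if __name__ == "__main__":
    sample_pan = "4111111111111111"            # brand test number, not a real card
    vault = TokenVault()
    token = vault.tokenize(sample_pan)
    print("vault token      :", token, "-> detokenize via vault:", vault.detokenize(token))
    print("other vault      :", TokenVault().detokenize(token))      # None: nothing to reverse
    key = secrets.token_bytes(32)
    pseudo = reversible_pseudo_token(sample_pan, key)
    print("encrypted 'token':", pseudo, "-> with key:", recover_pan(pseudo, key))
```

The vault token passes through the PMS, reporting and the bar tab system without any of them being able to learn the PAN; the encrypted pseudo-token does the same job functionally, but every system that could ever see the key is part of the cardholder data environment. That is the line the council is drawing with "true black box".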
Protecting Its Business Model.
While the movement toward tokenization (rendering this data worthless to a thief) is a key pillar for the council, it continues to defend its position that PCI still applies to systems that are tokenized. Frankly, the only way this will work is to remove them from scope completely.
10 OMG Apple Just Invented NFC (Near-field Communications) for Payments.
Apple puts a chip in its phone and the company is hailed as innovative, even though NFC has been on most Android handsets for three years.
All of a sudden the payment world has universally accepted the need to adopt NFC payments as soon as possible. Several partners of the event indicated how monumental this is. The takeaway: if NFC payment acceptance is not part of your current EMV deployment plans, update your plans.
Mobile Is A Big Focus.
Other emerging mobile technologies, or at least adoptions of said technologies, are a major arena for payment security. Look for the PCI Security Council to research and develop standards for mobile payments.
11 Compliance Is A Daily Process, Not A Check Box.
Monitor physical systems for tampering, particularly POS terminals with exposed ports.
Compliance does not mean you are secure.
PCI cannot be completely outsourced.
PCI is not an IT project, it is a process for the whole company.
12 If You Belong To A Partner Organization, You Have Access To Additional PCI Council Resources.
PCI Security Council Website - https://www.pcisecuritystandards.org/
PCI Special Interest Group (SIG) Participation
SIGs cover many peripheral PCI guidelines. Research is done and recommendation papers are completed; the process takes about 18 to 24 months. The 2013 SIGs are working on penetration testing standardization and on educating small businesses in an easy-to-understand manner.
Current SIG proposals:
- Third-party services shared responsibilities clarification
- Security of retail stores
- Cryptographic keys and digital certificates security guidelines
- Unattended security guidance (securing unattended units like ATMs, vending, pay at pump)
- Network virtualization standards
- Effective daily log monitoring – Reduce the time breaches go unnoticed.
Go To The PCI Security Council Community Meetings
There are three each year in Asia, North America and Europe. 2015 North America will be in Vancouver Sept. 29 through October 1.
HFTP is a member, and rumor has it that AH&LA is entertaining joining.
After three days of this, I am looking to work on another 12-step program. Happy securing!
Jeffrey Stephen Parker, CHTP, is the vice president and chief funologist for Stout Street Hospitality.
©2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.