⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

Making Payment Security Business-as-Usual

Order a reprint of this story
Close (X)

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.


October 01, 2014
Payment Security
Bob Russo

The rash of high-visibility data breaches we’ve seen this year highlight two key things for any business accepting payment cards, and especially the highly targeted hospitality sector: First, your business is at risk, and second, a major cultural shift is needed in how businesses think and view compliance and security.

Criminals have increased their efforts to target legitimate businesses for data theft. Sensitive data, intellectual property, customer information and financial records are like gold to these groups of organized cybercriminals and are increasingly attracting attention. These criminals have created a global market for their stolen currency, which is data. They will take anything of value and sell it on the open market. However, if this data is gold, then payment card data is platinum for these thieves, and is often the primary objective in their attacks against businesses. They have created a criminal economy that is increasing its scale globally.

Grocery, retail, hospitality; these are all high-value targets for the cybercriminal. Whether it is through complex malware in our reservation systems, skimming devices at the check-in desk or a shifty bartender or waiter in our food establishments, there are many avenues criminals will pursue to secure the payment card data that is the lifeblood of our commerce.
A recent Verizon report highlights compliance with the PCI Data Security Standard (PCI DSS) as a key factor to data security. This reiterates what we’ve seen in similar industry reports over the years – those organizations with security controls in place as part of complying with PCI Standards improve their chances, both of avoiding a breach in the first place, and of minimizing the resulting damage if they are breached.

Yet compliance does not equal security. Asking “Am I compliant?” is not the same thing as “do I have a strong security strategy for protecting my customer’s payment card data?” There’s too much focus on cramming for the test and not on being a good student year round. We have to change the conversation in the boardroom and all the way down and across our businesses to focus on building a culture of security and vigilance.
PCI standards are a driver for getting a baseline of security practices for card data into the fabric of a business. But just like the fact that a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process.

The latest version of the PCI Data Security Standard (version 3.0) aims at helping organizations make payment security part of business-as-usual activities with greater flexibility, an increased focus on education, awareness and security as a shared responsibility. Let’s take a closer look at ways to leverage this in your business.

Taking a Layered Approach to Security
If anything has become increasingly apparent in this past year of intensified global cyber attacks, it’s that today’s threats demand a multilayered approach to security.
In its 2014 Data Breach Investigation Report (DBIR), Verizon identified the most common attack pattern as: compromise the POS devices and/or systems, install malware to collect magnetic stripe data while the transaction is in process, retrieve data and cash in.

Whether it’s new forms of malware or other types of attacks, the PCI Standards outline the security controls necessary to effectively help prevent hackers from penetrating a payment environment and jeopardizing the protection of card data as it is being processed. These include techniques for maintaining POS security and a secure terminal environment, and monitoring and managing access to systems.
Technologies that devalue card data such as EMV chip, point-to-point encryption and tokenization can also play an important part in a layered approach.

When implemented properly, technologies such as tokenization and point-to-point encryption can remove or render payment card information useless to cybercriminals, dramatically increasing data security at vulnerable points along the payment transaction chain.

If we can limit the locations of cardholder data, the smaller subset of systems to protect should improve the focus and overall security of those systems.  And better security should then lead to simpler compliance efforts.

But these technologies are only as good as the way in which they’re applied and implemented. The focus should be to limit exposure of data in your systems – and the first step is properly identifying the cardholder data environment to begin with. Knowing where your cardholder data is located is a critical part of your planning.

The PCI Standards provide a solid foundation for a layered approach, focusing on people, process and technology as key parts of payment card data protection. The underlying tenant is removing payment card data if it is no longer needed. Simply put – if you don’t need it, don’t store it. If it is needed, then protect it and reduce incentives for criminals to steal it.
Building a Culture of Vigilance
While adoption of PCI DSS has improved steadily over the years, industry reports highlight the challenge of ongoing maintenance of PCI DSS controls as part of a daily business process, with organizations often viewing PCI DSS compliance as a single annual event and unaware that compliance needs to have a 365-day-a-year focus. Recent breach incidents underscore the danger of this approach and the increasing importance of building a culture of continuous security and vigilance to protect payment card data at all times.
Education and awareness around the importance of payment security in your business is a critical piece of fostering a security over compliance mindset.

The Council offers training and education programs. For larger companies, the Internal Security Assessor (ISA) program, which provides your staff with training on the standard and on how to effectively work with an assessor, has proven helpful to ensure proper implementation and maintenance of PCI measures and to prepare adequately for an assessment, as well as enhance the quality, reliability and consistency of the organization’s internal PCI DSS self-assessments. Additional Council offerings help build payment security understanding and awareness, including PCI Awareness and Insider’s Guide to PCI DSS 3.0. PCI Essentials, an entry-level course that covers payment security basics. Offered as an e-learning course, it’s helpful for training employees on security basics. 

Find more information about PCI Training courses on the PCI SSC website: https://www.pcisecuritystandards.org/training/index.php

Managing Third-party Risk
Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. According to a 2013 study by the Ponemon Institute, the leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own.

As managing third-party provider access remains a challenge for organizations, the Council also encourages organizations to reference recently released guidance developed by a special interest group on managing risk and securing data when working with third parties to support PCI DSS and ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner. Some of the key recommendations to consider include:

  • Conduct due diligence and risk assessment when engaging third-party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
  • Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
  • Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
  • Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.

The full document (Third-party Security Assurance Information Supplement) is available at www.pcisecuritystandards.org and includes high-level suggestions and discussion points for clarifying how responsibilities for requirements may be shared between an entity and its third-party service provider, as well as a sample responsibility matrix that can assist in determining who will be responsible for each specific control area.

The PCI Security Standards provide the foundation for a multilayered approach to data security. But even with the best standards in place, these criminals are persistent in their attacks and no organization is immune. Those in the hospitality industry have to be persistent in their defenses, relying not just on one layer of protections but many. This has to be a daily priority built into business practices, not a one-time effort.

Bob Russo is the general manager for the PCI Security Standards Council.

©2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.


Regarding malware specifically, organizations should review the following security risk mitigating control areas outlined in PCI Data Security Standard (PCI DSS) 3.0:
  • Proper firewall configuration – Requirement 1
  • Changing vendor defaults and passwords on devices and systems – Requirement 2
  • Regularly updating anti-virus protections – Requirement 5
  • Patching systems – Requirement 6
  • Limiting access and privileges to systems – Requirements 7, 9
  • Requiring two-factor authentication and complex passwords – Requirement 8
  • Inspection of POS devices – Requirement 9
  • Monitoring systems to allow for quick detection – Requirements 10, 11
  • Implementing sound security policies for preventing intrusions that may allow malware to be injected – Requirement 12
  • Managing third-party access to devices and systems, and specifically remote access from outside a merchant’s network – Requirements 8, 12


Version 3.0 of the PCI DSS emphasizes the critical importance of making payment security business as usual. Building on this, a PCI special interest group came together to develop guidance with practical recommendations on ways organizations might go about doing this.

In your efforts to prioritize payment security as part of daily business processes, not just a once-a-year compliance exercise, make sure to consider this guide (Best Practices for Maintaining PCI DSS Compliance Information Supplement), including these key recommendations:

  • Maintain the proper perspective: Ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities, as opposed to achieving a passing compliance report and then subsequently letting security practices fall off. 
  • Emphasize security and risk, not just compliance: Build a culture of security and allow compliance to be achieved as a consequence.
  • Continuously monitor security controls: Develop strategies to continuously monitor and document the implementation, effectiveness, adequacy and status of all security controls.
  • Detect and respond to security control failures: Put processes in place to respond to security control failures in a timely manner.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.