>>Inventory Applications
An inventory of applications involves not only looking at your network and workstations to see what is installed, but also checking licensing to verify you have the legal right to use the software you find. Be prepared to either spend a little money on licensing software that is already installed, or to face the wrath of employees when you take the software away and tell them that it is not legal and they can no longer use it.
Inventory also involves talking with users to see what software they use and how they use it. It is in these conversations that you will discover people are using software that you had no idea was being used. You will also discover that they are entering and saving private information in locations you or the application developer never intended. This could include saving credit card numbers in memo fields, or entire spreadsheets with contact information and credit card numbers being stored in a directory that is accessible to everyone.
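A small discovery script for the inventory step described above, added here as an illustration and not part of the original article: it walks a directory, flags files that contain Luhn-valid card numbers (in memo text, exported spreadsheets or anything else readable as text) and reports whether everyone on the host can read them. The sample memo text, the file name and the helper functions are constructed for this example.

```python
import os
import re
import tempfile

# Candidate PAN: 13 to 19 digits, optional single space or dash separators, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: the kind of memo-field note the inventory conversations turn up.
SAMPLE_MEMO = "Late arrival. Guarantee card 4111 1111 1111 1111, call 555-123-4567."


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check, which weeds out most false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs found in text, as bare digit strings."""
    cands = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [d for d in cands if 13 <= len(d) <= 19 and luhn_ok(d)]


def scan_directory(root: str) -> list:
    """Walk root; report each file holding PANs and whether it is readable by everyone."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip it and keep scanning
            if pans:
                readable = bool(os.stat(path).st_mode & 0o004)  # "other" read bit
                hits.append({"path": path, "count": len(pans), "world_readable": readable})
    return hits


def demo_scan() -> list:
    """Write the constructed memo into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "guest_notes.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_MEMO)
        os.chmod(path, 0o644)  # constructed: everyone on the host can read it
        return scan_directory(tmp)
```

Run `demo_scan()` to see one hit for the constructed memo; point `scan_directory` at a shared folder to feed the inventory, and treat every hit as data to move or remove, not as proof of compliance.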
>>Define Controls
Defining controls is basically as easy as going to http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html and following the Payment Card Industry Payment Security Standard (PCI).
The bad side of these recommendations is that understanding some of these requirements seems to take a network engineer with four graduate degrees and a strong programming background.
Be prepared to ask for help in understanding some of the technical requirements with PCI. In my experience going directly to the software vendors and asking if they understood what was being asked for was helpful. The credit card processor account manager was also a good source to interpret PCI and CISP compliance requirements.
>>Perform an Audit
The good part is that if the audit is comprehensive yet short and the questions are simple and clearly stated without much technical jargon, then even the smallest hotels should be able to perform an audit on their own.
>>Implement Changes
This is the ugly part. Most hospitality specific applications that are currently in use are not 100 percent PCI compliant. Many vendors have newer versions that might be compliant, but many hotels are using older versions that won’t be replaced for several years.
The best recommendation is to minimize your risk by working around the applications' shortcomings with network or operational controls. For example, enforce user rights and password controls at the operating system level, instruct employees not to put credit card numbers and other sensitive data in memo fields, and instruct them to change their application passwords every 90 days even if the application does not force or require such a change. What you cannot solve technically, you will have to implement through training and procedural changes.
If you have plans to purchase a new application and find it is not totally PCI compliant, you can ask the vendor to commit to compliance in future upgrades. Ideally, you should put the specific program changes you require in any contract you sign. The bad side is that many vendors are reluctant to do so.
The credit card industry is looking at those merchants and service providers that handle a large volume of credit card transactions to comply with their security standards. It is up to the merchant or service provider to be responsible for any application they purchase to be compliant.
Instead of each hotel or hospitality company demanding similar but separate changes in the software to meet PCI standards, it would be more effective if the hospitality industry as a whole set forth standards that the hospitality vendor could adhere to. Representatives from some of the major hospitality companies have been talking with just this intent. While these discussions are not complete, some recommended standards for hospitality related software developers appear in the sidebar.
Before closing, what do you do if you feel or know that private data has been compromised, stolen or used illegally?
Do you first contact someone higher up within your company? Do you call the authorities? Would this be the local police, the FBI or the Secret Service? At what point do you notify the credit card processor, the bank or your guests whose data has been compromised? If an employee is involved, do you immediately notify human resources? What legal rights do suspected employees have during an investigation? The last thing you want is to suspect an employee, investigate, find out that employee is innocent, only to have them sue you because you did not respect his or her privacy or legal rights.
Meet with your legal counsel, your human resource director and a representative of your management company to determine what is the best process for you to follow when investigating and reporting incidents where you believe private data has been compromised.
No system is going to be 100 percent secure, but we owe it to our guests, employees and vendors to make sure that we are doing everything possible to protect their private information, even if it means having to face the good, the bad and the downright ugly of information privacy.
Leonard Boike is a senior business analyst for Carlson Hospitality Worldwide. He can be reached at lboike@carlson.com.