PCI in Hospitality: Tips for Protecting Your Card Data

June 01, 2012
Security
Bob Russo

We all know hospitality has been hit hard in recent years by credit card breaches and data theft; in fact, it was the most affected vertical industry, according to the 2011 Verizon Business Data Breach Investigations Report (DBIR). With the high volume of transactions and stored credit card numbers, coupled with a steady turnover of employees without proper training in fraud prevention, hospitality organizations are ripe for the picking. Point-of-sale systems and other systems that store credit card data, wireless networks and integrated payment applications continue to be easy targets for data compromise.

In an ever-changing security and threat landscape, how can hospitality organizations work to protect their card information?

For starters, Verizon Business estimates that 96 percent of breaches it investigated in 2010 would have been stopped with a few basic security measures in place such as removing default passwords on every machine in your network, eliminating holes in remote access to systems inside your network, and buying and installing a firewall.

Starting with the fundamentals, organizations should work across industries to educate, then develop security procedures and strategies and implement technologies designed to reduce scope and reduce risk. By doing this, they will be able to counter today’s threats and address the next critical juncture of payments security.

If You Don’t Need It, Don’t Store It
This may seem like an oversimplification, but it’s the bottom line and the basis for many talked-about technologies such as encryption and tokenization. Do everything you can to eliminate data; if it’s not there, you don’t need to worry about securing it.

Train your people, create the processes and then look at the appropriate technologies that help you in this effort. In many cases you can replace the data that you currently store or transmit by encrypting or tokenizing the data. This will help reduce the scope of your PCI assessment and simplify your compliance efforts. Check out the PCI Security Standards Council’s guidelines on these technologies and see what makes the most sense for your environment and security posture.

Think Security, Not Compliance
This is about a change in mindset. Organizations have to stop thinking about this as checking a box; instead, it has to be the way of doing business. Focus on building security best practices into your everyday business, and compliance will follow.

Name an Internal Expert
The more educated your employees are about proper handling of payment card data, the more secure your organization becomes.

One of the simplest and most effective means of maintaining ongoing compliance is to name a dedicated internal resource. This gives you an individual or team that not only helps prepare for a compliance assessment, but also establishes the protocols to monitor and maintain ongoing compliance and security. The PCI Security Standards Council’s Internal Security Assessor (ISA) program gives internal champions the same training as qualified security assessors, so they know what to look for and how to keep an organization on track and within the PCI requirements for the entire year.

Implement a Risk-based Approach
Once you have your internal staff on board, it’s time to set your agenda. Whether you are well into your PCI process, or just beginning, a great reference for you to consult is the PCI Prioritized Approach document, which provides guidance on identifying how to reduce risk to cardholder data as early as possible in your compliance journey. Grouping together the requirements of PCI DSS into six key milestones to consider in your card data security strategy, this risk-based approach eliminates the biggest vulnerabilities first and allows you to share with your assessors, acquiring banks and the card brands how you are progressing.

Make Security Part of Your DNA
The PCI DSS is a fantastic foundation for establishing a core group of best practices that can serve as the foundation for your security efforts. The DSS is the floor, not the ceiling; you should always be looking to build additional layers of security on top of it. This layered approach will allow you to focus on the security part of your business, building it into every business project or activity, and allow you to move beyond a compliance sideshow to one where you are an increasingly difficult target for the bad guys.

Take Advantage of PCI Council Resources
The council has a wealth of information available online, free of charge, to help those in the hospitality industry build security into their business plans. Notably, the council’s Payment Application Data Security Standard (PA-DSS) and program provide an online listing of payment applications that have been tested and validated by council QSAs as compliant with the PA-DSS. The list covers shopping cart software and other secure transaction tools and should be one of the first stops when making technology investments or checking the credentials of products you are using. But check the list before buying. It’s much easier to build and maintain your own PCI security if the items you are purchasing are already compliant off the shelf with PCI Standards.

Visit the documents library on the PCI SSC website to take advantage of the guidance on skimming prevention, securing wireless networks and the prioritized approach to PCI that can help you get and maintain your security, by learning to identify vulnerabilities and assess your biggest, most pressing needs first.

You can also find guidance on specific technologies, both those that may impact PCI DSS compliance efforts and those that can potentially minimize the scope of your card data environment, such as point-to-point encryption and tokenization. Payment technology is moving at a breakneck speed, so the PCI Security Standards Council has asked the industry and others across the payment community to work together through special interest groups in 2012 to explore and provide information on areas including cloud computing, e-commerce security and risk assessment.

Become Part of the Solution. Get Involved
The PCI Standards are not created in a vacuum. They are collected best practices from global experts in every industry, which is why your insights are needed. Join the council as a Participating Organization or become a member of a PCI SSC special interest group, attend the annual PCI community meetings, submit feedback to the council on the PCI Standards, and learn from your expert peers in a PCI training. Share your expertise and make your industry more secure. Input is critical in creating and maintaining strong standards for protecting all forms of cardholder data.

The PCI Data Security Standard is a solid foundation for you to develop and maintain security practices that help enable the entire business and protect your card data. Get the basics down by following these tips, and then build your layers on top for a more secure business.

Bob Russo is the general manager for the PCI Security Standards Council.

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.


