5 Presenters: Mark Haley, CHTP Jeff Henschel Chuck Marratt Managing Partner● The Prism Partnership, LLCJeff HenschelDirector of IT● Benchmark Hospitality InternationalChuck MarrattRegional Director of IT● Benchmark Hospitality International
6 What Does PCI Compliance Entail? What is PCI?What Does PCI Compliance Entail?
7 Overview Objectives What are: The Payment Card Industry (PCI) Data Security Standard (DSS) andThe Payment Application Data Security Standard (PA-DSS)?What are the components of a sound data security policy and PCI Compliance?How do you get to PCI Compliance?Vocabulary and Concepts for all of aboveToday we want to answer these questionsWe aren’t going to talk about 128-bit vs. 256-bit encryption.
8 Overview Why is Compliance So Important? PCI & PCI Compliance Defined Key IssuesWho is responsible for compliance?What gets overlooked?How do I plan my compliance journey?Additional ResourcesQuestionsIs this what you expected to cover today?
9 Why Is Compliance Important? PCI Compliance is like insuranceGood business practiceYou are vulnerable!55% of credit card fraud from hospitality85% of breaches against Level 4 merchants*Potential impact of a breachCustomer RelationsLegalFinancial * Source: Unified Compliance FrameworkPenalties for non-compliance can be very steep…more on that laterU of Delaware research shows that consumer are likely to stop patronizing a hotel or hotel brand in the event of a breachASK: Anyone here ever had a card compromised in a breach? Actually defrauded? How did that make you feel?
10 Why is Compliance Important? Because they are after us!Hackers now specifically targeting hospitality38% of breaches in 2009 in hotels and resortsSource: Trustwave Spider Labs83 of 218 breaches investigated by SpiderLabs in hotels1 initial penetration led to multiplesTypically:Weak remote access controlsRouters and firewalls unconfiguredDefault passwords left in placeAlso note: Hotels very unlikely to have conducted audits/tests prior to a breachIndustry initiatives
11 2010 Market Trends: Industries by Percent of Breaches *Statistics from 2011 Verizon Business Data Breach Investigation Report
12 2010 Breach Trends: The Facts 761 Breaches in 2010 (141 in 2009)89% of victims subject to PCI DSS had not achieved compliance86% of the breaches were discovered by a third party86% of the victims had evidence of the breach in their log files98% of all breached records came from servers96% of breaches were avoidable through simple or intermediate controls* All percentages are from the 2011 Verizon Business Data Breach Investigation
13 Why is Compliance Important? You don’t want to make the headlines!
15 Costs of Non-Compliance Costs of a BreachFines from issuing brandsCosts to address vulnerabilitiesCosts of Level 1 audits in futureLawsuits from card-issuing banks for card replacement costsLoss of customer trust and goodwillLoss of businessTarnished reputationMARKFine schedules vary by brand: Visa $5K - $25K/mo; AEXP, $50K and upThe brand fines the acquirer, who then passes it on to the hotel. The cash just disappears. Your merchant agreement gives them this power to take your money.Compromised merchants will be designated L1Card replacement $35/ea
16 DefinitionData security standards for all merchants accepting credit, debit or other cards to protect cardholder dataTo ensure the integrity of the global payment card industryApplies to ALL cardholder dataElectronicPaperApplies to ALL merchantsSo, your paper authorization forms are also covered by PCIIncluding the PDFs you attach to the corporate account record in your PMS
17 Definition- Roles Key Players & Roles Standards “owned” by PCI Security Standards CouncilEnforcement reserved to the issuing brandsSSC formed by the brands in September 2006SSC controls the standards, certifies QSA/ASV vendors, maintains list of certified Payment ApplicationsThe merchants pay for all of this. That would be you.
18 Lodging complexity - lifespan of a credit card number in a lodging environment
19 Definition - DetailsPayment Card Industry (PCI) Data Security Standards (DSS)12 Major RequirementsApplies to everyone handling cardholder dataMerchantsProcessorsIntermediariesSelf-Assessment Questionnaire (SAQ) for most merchantsDifferent forms of SAQ varying with merchant’s processing infrastructureMarkPCI is GLOBAL, not just North America4 forms of SAQ; Most hotels will use SAQ DThe standards, SAQs and other useful references at pcisecuritystandards.orgHas your firm completed a SAQ?
20 Definition - DetailsPayment Application Data Security Standards (PA-DSS)Formerly known as Payment Application Best Practices (PABP)Applies to software vendors marketing products that handle cardholder dataRequires software vendors to invest in certification, costly to achieve and maintainMerchants forbidden to use uncertified payment applications July 2010MARKPABP was a Visa program, transitioned to SSCNote that the brands work through others, typically the acquiring banks, rather than directly with merchants
21 Definition of Merchant Levels Merchant Level Description1Over 6,000,000 Visa transactions per year for any merchant-regardless of acceptance channel-processing. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.21,000,000 to 6,000,000 Visa transactions per year, applies to any merchant-regardless of acceptance channel-processing.320,000 to 1,000,000 Visa e-commerce transactions per year.420,000 or fewer Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.MarkMost individual hotels are Level 4 merchantsMajor brands are Level 1sIf you can aggregate, you must aggregate your transaction volumeDSS applies to all merchant levels equally. The difference is higher levels must use a QSA, lower levels may use the SAQ and self-reportVerification deadline for L4 at discretion of acquirerSource:
22 12 Steps to PCI Compliance CONTROL OBJECTIVESCOMPLIANCE REQUIREMENTSBuild and Maintain a Secure Network1. Install and maintain a firewall configuration to protect cardholder data2. Do not use vendor-supplied defaults for system passwords and other security parametersProtect Cardholder Data3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public networksMaintain a Vulnerability Management Program5. Use and regularly update anti-virus software6. Develop and maintain secure systems and applicationsImplement Strong Access Control Measures7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder dataRegularly Monitor and Test Networks10. Track and monitor all access to network resources and cardholder data11. Regularly test security systems and processesMaintain an Information Security Policy12. Maintain a policy that addresses information securityMark12 major requirements addressing 6 broad control objectives.>200 specific sub-requirements under the major requirementsNote that most of the requirements are on-going processes, not one-time activities or events.The major requirements all seem common-sense and reasonable, but some of the sub-requirements can approach absurdity in some applications.Note great latitude of QSA in interpreting requirements
24 What Gets Overlooked? People Process MARK PAPER: Folios, POS Receipts, Reports, Manual Vouchers AND REG CARDS;All require masking, secure storage if not. Better to forego card imprints on reg cards and to rely on the swipe flag in PMS to prove card-presentPEOPLE: Need to establish a culture of privacy, PCI is part of that broader privacy obligation. People in the hotel company need to embrace that culture and changer behavior accordingly. Take password security seriously. Don’t put card numbers where they don’t belong. Consider Delphi CC Safeguard.PROCESS: Not a one-time event. Must become a way of doing business. PCI and privacy are a business issue, not an IT issue.
25 Where Companies Fail Their PCI Audit 2011 Global Security Report
26 Action Items How do I plan my compliance journey? Assign an Owner Use your AcquirerUse your Franchisor/BrandEstablish DocumentationGather InventoriesUse your Software VendorsComplete Self-Assessment Questionnaire (SAQ)May 6 & 7, 2010
27 Action Items How do I plan my compliance journey? (continued) Determine if you need a Qualified Security Assessor (QSA)Implement Vulnerability Scans from an Approved Scanning Vendor (ASV)Address SAQ DeficienciesUpdate your DocumentationRepeat!
28 Just Remember… Data Security is an ongoing process. Recognize the risks at all levels in your organization.Understand what you can do to be proactive.Determine what behaviors and processes may have to change.
29 Action Items Budget for PCI Not a One-Time Expense! Initial costs may include:Engage a QSA or other resourcesSystem replacementsStaff costs for initial SAQOn-going Costs Include:Quarterly Penetration ScansAnnual SAQ exerciseInternal & External evaluations of technology in scopeLogging and Alert managementAnti-Virus subscriptionsPayment Application upgradesIntrusion Detection SoftwareResources and training to manage security measures
30 Action ItemsMake sure you budget appropriately as PCI compliance is an ongoing expense to your organization.Costs include but are not limited to items listed below:Annual Penetration ScanningExternal scans of technology in scopeInternal scans of technology in scopeLogging and Alert ManagementAnti Virus upgrades/renewalsPMS/POS Annual UpgradesIntrusion detection softwareResources and training to manage PCI and Security measures implemented.
31 Additional ResourcesAH&LA publication, The Payment Card Industry Compliance Process for Lodging EstablishmentsPCI Security Standards CouncilVisaMasterCardKELLY
35 Do You Really Need It? Why do you have it in the first place? Old ProcessesYou Think You Need ItChargeback documentationBalancing Risk and ConvenienceDoes the risk of having credit card data outweigh the convenience it creates?
36 Just Say NoEliminate capturing/storing of Credit Card data unless it is absolutely necessaryQuestion/Challenge the needRe-evaluate outdated processesCard ImprintingCredit Auth FormsAccounting/Chargeback ReconciliationEvents/CateringDevelop contingency plans for one-offs scenariosOff Line AuthorizationsSpecial Guest Requests, etc.Evaluate partner’s processes/systemsAsk, Expect, InspectUnderstand effect of introduction of new devices into your environmentMobile/TabletsKiosksUse technology to protect data you must capture
37 Using TechnologyPCI Approach: Protect What You “Must” Have (This used to be a straightforward statement.)Protect Stored DataSecurely encrypt stored dataEncrypt transmissions of cardholder data across public networksRestrict access to data on a “need-to-know” basisMask PAN by default, reveal to selected people on requestOver time, this gets more and more complex. Time for a technology rethink…?
38 The Challenge Imagine a princess in a castle… Securing her against attacks of increasing sophistication is difficult and expensive.
39 The Solution TAKE THE PRINCESS OUT OF THE CASTLE! Purpose-Designed Solutions for ConsiderationEncryption at Swipe or Keyed EntryTokenization
40 Technology Choices Encryption at Swipe or Key Data is Swiped or Keyed into Encryption Device.Transmit ONLY encrypted data through your environment.Two Common Terms Used To Describe (Interchangeable)End to EndPoint To PointKey To Encryption SolutionsEnsure POS/PMS has no ability to decryptUnderstand where Card Data gets decryptedThe farther down the path the betterPCI is working on regulatory changes to recognize the use of this solution may reduce Merchants PCI Scope.POS/PMSGatewayProcessorCard BrandsIssuersDescribe using the graphic how Point to Point and End to End are really interchangeable. Point to Point could be from PMS to Issuer (those are the points in which data is encrypted, or End to End could mean
41 Technology Choices Tokenization Replacing sensitive cardholder data (CHD) with a piece of data that references Card Data, stored elsewhere.Vendors use different methods to generate TokensIt should not be possible to reverse engineer a Token back to the actual card data.Some solutions combine encryption at entry and tokenization;Encryption used on data in transitTokenization used on data at restCorrect tokenization solutions remove the PMS from the scope of PCI DSS.
42 Technology Choices Your Action Plan Review tokenization and Encryption at Source offerings that are supported by your software providersSelect technology solutions that reduce your PCI exposure by removing data from your applicationsIt’s better to not have data at all than to spend a lot of $$ trying to protect it
43 Cloud Computing Does It Solve The Problem? Cloud Computing does not necessarily remove all scope from your propertyCards could still exist in your networkSome public cloud vendors openly state they can’t and won’t be PCI compliant.Vendors may use other cloud vendorsFor more information please attend the Cloud Computing Super Session Thursday at 9amAdditional notes on bullets above if presenter wishes to add more information…Cloud Computing does not necessarily remove all scope from your propertyCards could still exist in your networkHandled by associates, swiped on your hardware (potentially), transmitted through your networkCall/Voice Recording software at Front Desk, Reservations if card numbers are spoken out loud.High resolution security cameras capturing images of cardsSkimmers installed on card swipesInternal TheftPublic Cloud vendors openly state they can’t and won’t be PCI compliant.Primary reason – they won’t open their doors to auditors, expose the architecture of their cloud, or prove true segmentation of customers/data.One public cloud company claims PCI compliance, however they accomplished that by redirecting customers away from their cloud for the credit card transaction, then redirected the customer back in to their cloud when it was completed. They are not able to claim PCI compliance for anything processed in their cloud. Be cautious of claims like this and the potential cost to develop those types of interfaces.Vendors may use other Cloud VendorsNot every vendor offering their software “in the cloud” is an expert on security/fault toleranceVendors may deploy their software to a public cloud or outside hosting company. Are all vendors involved compliant? Where does your data actually live?
46 Best Practices: TypesThe best practices we will discuss today fall into 3 distinct but interwoven areas:OperationsNetworksDocumentation
47 Best Practices: Operations Operational best practices should be implemented at all hotels, restaurants, clubs, casinos, and other hospitality enterprises currently accepting credit cards as methods of payment.Those best practices are….
48 Best Practices: Operations Discontinue the imprinting of credit cards if still imprinting.Review proper merchant bank retrieval request and chargeback information requirements: don’t keep documents containing complete credit card numbers for fear of losing a chargeback.Discourage facsimile receipt of credit card authorizations: secure fax machines and their output.Prohibit receipt of credit card numbers.For all voice, facsimile, or other methods of card receipt, enter directly into the system and destroy (shred) the paper.
49 Best Practices: Operations Review Sales & Catering Department files for maintenance of documents containing credit card numbers.Do not use Notes, Comments, or other unencrypted fields in Sales, Catering, and other electronic systems for credit card numbers.Review who has access to view guests’ complete credit numbers in both the PMS and POS.Review if card data or computer passwords are written on a “sticky note” placed on computer monitors or are otherwise visible or unsecured.
50 Best Practices: Operations Train users to log off their terminals and use tight auto-log off timeouts on payment applications if available.Always consider proper storage, retention and disposal of paper and other sources of credit card numbers.Select photocopiers and facsimiles with encrypted disk drives with auto-delete capability (24 hours).Control physical access to server rooms, Front Desk and any other areas where credit card numbers are stored or processed. Consider logging and badging all visitors to these areas and requirement to surveil all data centers by video.
51 Best Practices: Operations Conduct training on PCI Compliance!Training on PCI Compliance should include:Making training materials consumer-friendly.Annual training certification signed by all employees.Making training certification a part of the “Acceptable Use Policy.”Awareness of phishing, spear-phishing, pharming, and “vendor impostors.”
52 Best Practices: Networks Best practices regarding networks fall into 3 categories:Passwords;Remote Access; andOperations.
53 Best Practices: Network Passwords All default passwords should be changed before connecting a device to the network. Devices to be reviewed include:Payment application servers;Other servers;Routers; andFirewalls.
54 Best Practices: Network Passwords The SSID names for wireless networks should also be changed: how many networks named “Linksys Router” have you observed when looking for wi-fi “hot spots!?”Be mindful of the definition of a “strong password” for PCI purposes, as it differs from that for non-PCI purposes!Passwords for all users of payment applications should be unique:No shared passwords!Create unique passwords for vendors!Use tools and policies to expire passwords, force strong passwords, and do not allow re-use of prior passwords!
55 Best Practices: Network Remote Access PCI Compliance requires that remote access privileges be closely controlled and monitored.Regarding vendors:Access should be “on-request” from the property and not from the vendor.The property must initiate the remote access connection.Logging should be embedded in the access tool used.Default ports should be changed.Remote access should be added to vendor agreements and contracts.Hotel personnel trained to authenticate callers purporting to be vendors requesting access for support – very important!
56 Best Practices: Network Remote Access Regarding employees:Access should be “on-request” from the employee, approved by the department head/EC member, with a valid reason for access.Access should be granted only to those applications needed by the employee and not to the entire network, depending upon where payment applications reside.Default ports should be changed.A remote access program with strong authentication and logging should be used!
57 Best Practices: Network Operations Maintain separation of guest and employee networks.Insure that there are anti-virus subscriptions on all computers and that they are current!See that security patches are applied regularly!Be alert for skimmers and keystroke loggers!Be alert for rogue software, PCs, and wireless or USB devices!Use a laptop or smartphone to scan for rogue devices.
58 Best Practices: Network Documentation PCI Compliance requires significant levels of documen- tation, including 4 different types of self-assessment questionnaires (SAQs), dependent upon a property’s “merchant level” classification.SAQ D is the most common type of SAQ.The PCI Compliance Roundtable is examining new user-friendly types of the SAQs, including the SAQ D.
59 Best Practices: Network Documentation Other types of PCI Compliance-based documentation that should be prepared include:Acceptable Use Policy;Backups and Disaster Recovery;Incident Response Plans;Merchant level deter- mination letters from acquirers;Proof of PCI PA-DSS Compliance letters from payment applications used; andNetwork vulnerability scan reports.
60 Best Practices: Network Documentation An sample user-friendly SAQ-D is here:
62 In order to help us create/provide a better HITEC What Did You Think?In order to help us create/provide a better HITECexperience in the future, please take a second to fill out the short survey that will be sent to you via at the end of the day.And THANK YOU for attending HITEC!Learn how HFTP membership can benefit you,visit