
Credit Card Security: Primer on PCI Compliance

By Bob Carr, Chairman & CEO, Heartland Payment Systems

If you’re not properly securing your guests’ sensitive credit and debit card account information, your hotel may be a prime target for the many cyber-criminals who are searching for this valuable data. Data breaches are occurring at an alarming rate as hackers become increasingly sophisticated, constantly finding new and different ways to penetrate electronic systems. Help keep your hotel... and guests... secure by understanding the threats to card data security, the requirements for Payment Card Industry (PCI) compliance and how to meet them.

Threats to Card Data Security

Cardholder data is a major point of vulnerability. Whenever a guest provides a credit or debit card to pay a room balance or for any of your other services, the cardholder’s name, card number, card expiration date and security codes may be at risk as they travel from your system, to and through your processor’s network. Hotels are particularly vulnerable to data security breaches due to use of point-of-sale (POS) systems, shared systems among chains, wireless networks and the high volume of card-based payments.

If your hotel’s data is compromised, private information — stored in your property management or other systems — may be illegally accessed and could lead to theft of card data and other sensitive information, fraud and financial loss. You could face forensic investigations, damage to your reputation, the loss of loyal guests — and stiff fines from the card brands, ranging from tens of thousands to hundreds of thousands of dollars.

As a safeguard, the card brands — Visa®, MasterCard®, American Express® and Discover® Network — developed the PCI Data Security Standards (DSS) in December 2004. These are technical and operational requirements designed to protect cardholder data. Every hotel that accepts card payments — and stores, processes or transmits payment card data — must meet the PCI DSS.

Requirements of PCI Compliance

The PCI DSS include 12 requirements that support six core principles of network architecture, cardholder protection, vulnerability management, access controls, network security and information security policies. This means compliance goes beyond card processing at the point of sale. You must also look at your network and firewall configurations, policies for storing receipts, employees who have access to data, password policies … and so forth. Here are the PCI DSS principles and corresponding requirements:

  • Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

  • Protect Cardholder Data

Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

  • Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

  • Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

  • Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

  • Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

It is important to understand these requirements for the overall safety of your establishment and your guests. And this is particularly timely because, since July 1, 2010, Visa’s security mandate has required merchants to use a PCI-compliant payment application. This means you cannot use an application that stores prohibited data elements, such as magnetic stripe data.

Meeting PCI requirements is an important step, but being compliant is not easy. Beyond the 12 requirements, there are more than 230 PCI regulations you may have to meet depending on your processing environment. Plus, the self-assessment questionnaires (SAQs) that validate compliance can be tedious and time-consuming to complete.

PCI Compliance Tips

To alleviate some of the confusion surrounding PCI compliance, there are several steps you can take. Follow these best practice tips to ensure PCI compliance at your hotel:

  • Meet all PCI DSS requirements. Using a validated payment application may help improve PCI compliance. However, to be considered PCI DSS-compliant, you need to validate your compliance. For most merchant levels, determined by transaction processing volume, you can do that by completing the SAQ and passing network vulnerability scans (detailed below). If additional validation is required, your processor should notify you.
  • Complete the PCI DSS SAQ to identify any vulnerabilities at your hotel. There are four versions of the SAQ — each version with a different number of questions depending on the business’s processing environment. A business processing card payments via a phone dial-up connection will have fewer questions to answer than a business processing via an internet connection since the internet connection offers an external portal. Use a Qualified Security Assessor (QSA) to help with your PCI SAQ, and consult your network support person and/or property management or other system software provider for assistance with questions about your set-up and environment. To be compliant, your hotel must complete and pass the SAQ annually. If you process payment cards using multiple computers, you only need to complete one SAQ.
  • Complete a network vulnerability scan if you have an external-facing IP address. An external probe of all of your IP addresses will help identify any of more than 30,000 — and counting — commonly known vulnerabilities hackers exploit. In 2009, more than 8,000 new vulnerabilities were discovered, which averages out to almost 20 each day.

    To complete a network vulnerability scan, work with an Approved Scanning Vendor (ASV) listed on the PCI Security Standard website, PCISecurityStandards.org, under “QSA/ASV.” To be compliant, your hotel must complete and pass the network vulnerability scan quarterly.
  • Complete additional system reviews as needed. If you use a POS or other networked system, you may be storing cardholder data. Some services are available that can search your system to determine this. If the payment card data search detects track data, you should contact your software system provider immediately to upgrade your payment application and ensure they securely remove all prior-stored, prohibited data. This is essential to ensure compliance with this requirement of the PCI DSS and reduce your exposure to compromise.
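The "search your system" step in this tip, and the masking rule behind Requirement 3 (protect stored cardholder data), can be illustrated with a small discovery script. The following is an added example written for this article; it is not code from Heartland Payment Systems or the PCI Security Standards Council, and the services the tip refers to are commercial products that work differently. The log lines it scans are constructed, and the Track 1 / Track 2 patterns are simplified forms of the standard magnetic-stripe layouts.

```python
"""Cardholder-data discovery scanner (added example, not the article's code).

Searches text for two kinds of data PCI DSS Requirement 3 says must not be
kept after authorization:
  * primary account numbers (PANs): 13-19 digit runs that pass the Luhn check
  * magnetic-stripe track data (Track 1 / Track 2), the "prohibited data
    elements" the article mentions
Every finding is reported with the PAN masked (first six / last four), so the
scan report itself does not become a new store of cardholder data.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified Track 2 layout: [;]PAN=YYMM SSS discretionary[?]
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Simplified Track 1 layout: %B PAN ^ NAME ^ YYMM SSS discretionary [?]
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\??")

# Constructed sample: an application log that (wrongly) retained card data.
SAMPLE_LOG = """\
2010-07-01 12:00:01 folio 1042 auth ok card=4111 1111 1111 1111 amt=189.00
2010-07-01 12:00:02 reservation 7781 confirmation 123456789012345 phone 5555551234
2010-07-01 12:00:03 swipe raw=%B4111111111111111^DOE/JANE^25121010000000000?;4111111111111111=25121010000000000?
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check used by the card brands; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as a PCI DSS masked display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Findings for one line; track data is reported once, not again as a bare PAN."""
    findings = []
    covered = []                             # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((m.start(), kind, mask_pan(m.group(1))))
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                         # PAN is part of a track already reported
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.start(), "pan", mask_pan(digits)))
    return [{"kind": k, "pan": p} for _, k, p in sorted(findings)]


def scan_text(text: str):
    """Scan a whole text blob; returns one dict per finding with its line number."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for finding in scan_line(line):
            report.append({"line": lineno, **finding})
    return report


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
```

Run against exported logs, database dumps or receipt archives, the script reports where card data has been retained; a Track 1 or Track 2 hit is exactly the case in which the tip says to contact the software provider for an upgrade and secure removal. Luhn-valid digit runs can still be coincidences (the 15-digit confirmation number in the sample is rejected only because it fails the check), so treat PAN-only hits as leads to confirm, while the masked report can be shared with a QSA without itself spreading cardholder data.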
  • Consult your payments processor. Ask your payments processor for more information and help in ensuring your hotel is PCI compliant.

Full information about PCI and the necessary forms are available on the PCI Security Standards Council website, PCISecurityStandards.org.

Bob Carr is chairman and chief executive officer of Heartland Payment Systems, the nation’s fifth largest payments processor and the official preferred provider of card processing, gift marketing, check management, payroll and tip management services for the American Hotel & Lodging Association and 38 state lodging associations. In line with Heartland’s commitment to merchant advocacy and education, Mr. Carr spearheaded The Merchant Bill of Rights (www.merchantbillofrights.org) to promote fair credit and debit card processing practices for all business owners. He has also been a driving force in the enhancement of payment card security with E3™ (www.E3secure.com), Heartland’s end-to-end encryption technology. Mr. Carr can be contacted at Bob.Carr@e-hps.com

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.
