Complying with the payment card industry’s Data Security Standards is challenging, sometimes tedious, and one of the best ways to avoid an information security breach.
Editor's note: This is the third installment in a seven-part series about hotel information data security.
REPORT FROM THE U.S.—Data security is a complex beast. Firewalls, encryption, passwords—there are seemingly as many ways to protect hotel information as there are ways for hackers to steal it. But of all of these defenses, the most commonly cited—yet oft-misunderstood—is PCI compliance.
The Payment Card Industry Data Security Standard, or PCI DSS, is a set of comprehensive requirements for enhancing payment account data security, said Bob Russo, general manager of the PCI Security Standards Council. The PCI Security Standards Council established the requirements during September 2006. PCI DSS fosters a consistent and uniform set of standards among the five major credit brands (Visa, MasterCard, American Express, Discover, and JCB).
“Before September 2006, you could call Visa and ask a question about it and get one answer and a week later call MasterCard and get a completely different answer,” Russo said. Now PCI DSS is the sole set of requirements, vetted and enforced by the payment card industry.
PCI DSS is one of three standards created by the Standards Council. The second is the Payment Application Data Security Standard, or PA DSS, which was created to assess the security standards of over-the-counter software applications. The third promotes compliance within PIN Transaction Security, or anything that requires consumers to enter their personal identification numbers.
Each is global in scope, updated on a cyclical basis, and provides the best defense against a data breach, Russo said.
Every hotel that stores, transmits or processes credit card data must be compliant with PCI DSS, which comprises 12 requirements grouped under six goals. Failure to comply represents a contractual breach with the various credit card brands, which then can impose fines as large as US$500,000, said Anthony C. Roman, president of Roman & Associates, a Lynbrook, New York-based security and fraud consulting company.
The 12 requirements and six goals are as follows:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
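As an added illustration of what Requirements 3 and 10 mean in practice (this code is not from the article, the PCI Security Standards Council, or any hotel vendor), the Python below masks a primary account number for display and scans log lines for card numbers that were written out in full. It assumes the PCI DSS display-masking rule that at most the first six and last four digits may be shown, and it uses constructed log lines with test-pattern card numbers, not real accounts.

```python
"""Added example: PAN display masking (Requirement 3) and a log scan for
unmasked card numbers (Requirement 10). All sample data below is constructed;
the card numbers are public test patterns that pass the Luhn check."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. Assumption: PCI DSS allows at most the first six
    and last four digits to be shown, so larger requests are clamped."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_unmasked_pans(lines):
    """Return (line_number, masked_pan) for every log line that contains a
    Luhn-valid card number in the clear. Folio or reservation numbers of
    similar length are filtered out by the checksum."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed property-management-system log lines (hypothetical format).
SAMPLE_LOG = [
    "2010-03-12 10:15:02 pms[314] checkin guest=SMITH folio=1234567890123",
    "2010-03-12 10:15:03 pms[314] auth card=4111 1111 1111 1111 amt=189.00",
    "2010-03-12 10:15:04 pms[314] auth card=411111******1111 amt=189.00",
    "2010-03-12 10:16:40 pms[314] auth card=5500-0000-0000-0004 amt=42.50",
]

if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN found, should read {masked}")
```

The folio number on the first line is the same length as a card number but fails the checksum, so it is not reported; the second and fourth lines are flagged because a full PAN reached the log, which is exactly the kind of stored cardholder data Requirement 3 says must be protected and Requirement 10 says must be monitored.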
While the Standards Council and various organizations like the American Hotel & Lodging Association offer educational seminars and supporting documents to help hoteliers become compliant, the task can be a difficult and complex process, especially given the more than 100 pages of technical requirements that make up the 12 requirements above.
- For more information and supporting documents from the PCI Security Standards Council, click here.
- View a “Quick Facts” brochure from the AH&LA.
- Sign up for the AH&LA’s PCI DSS Online Course.
Major hotel companies likely have the technical support to foster compliance with their various brands. Smaller companies and stand-alone properties, however, might not. In any case, the expertise of a third party is often required.
Depending on what level merchant a given company is, the payment card industry requires different burdens of proof of compliance. Merchant level is dictated by the number of credit card transactions conducted in a single year. More than 6 billion transactions signify a Level 1 merchant. Anything less is broken down accordingly, Russo said. (If you’re unsure of your merchant level, ask your acquiring bank.)
Level 1 merchants must validate compliance by hiring a qualified security assessor, or QSA. There are 220 QSAs worldwide, each assessed and certified by the PCI Security Standards Council on a cyclical basis.
- View the complete list of qualified security assessors.
Once hired, a QSA will come in, conduct an assessment of your information security network and submit his or her findings to the acquiring bank, which then passes the findings to the credit card brands represented at the given property. If found compliant, the given property is considered valid under PCI DSS.
For hotel companies that do not qualify as Level 1 merchants, compliance is still mandatory but does not have to be validated. To ensure compliance, these merchants can complete a self-assessment questionnaire and hire an Approved Scanning Vendor, or ASV, to do an external scan of the information security networks to make sure there are no lapses or holes in protection, Russo said.
Oftentimes, the acquiring bank has programs or its own requirements for ASV scanning among its portfolio of merchants to avoid contractual breaches and penalties imposed by the credit card companies. These acquiring banks might require a hotel company within their portfolio to send in paperwork to prove it has been scanned by an ASV on a quarterly basis, Russo said.
Security and compliance
Hoteliers shouldn’t think of PCI compliance as burdensome paperwork, Russo said. It should be seen as a way to bolster security and protect against a wide array of potential ramifications.
“There are direct fines, which are contractual in nature. The liability for the identity theft of those people who have suffered a breach as a result of a hotel’s negligence is substantive,” Roman said, adding that a single breach could lead to millions of dollars in legal costs, branding tarnishing, and multimillion-dollar negligence liability payouts either through settlements or awarded by federal courts.
PCI DSS is the best way to avoid a hack or information security breach, Russo said.
“What is always found in the forensics after a breach is that companies were not compliant with the standards,” he said. “Had they been, there were defenses that would have prevented them from being breached.
“The biggest defense that you can put up against having a breach is these standards.”