PCI compliance: A best defense against hackers
PCI compliance: A best defense against hackers
19 MAY 2010 7:19 AM

Complying with the payment card industry’s Data Security Standards is challenging, sometimes tedious, and one of the best ways to avoid an information security breach.



Editor's note: This is the third installment in a seven-part series about hotel information data security.

REPORT FROM THE U.S.—Data security is a complex beast. Firewalls, encryption, passwords—there are seemingly as many ways to protect hotel information as there are ways for hackers to steal it. But of all of these defenses, the most commonly cited—yet oft-misunderstood—is PCI compliance.

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of comprehensive requirements for enhancing payment account data security, said Bob Russo, general manager of the PCI Security Standards Council. The PCI Security Standards Council established the requirements during September 2006. PCI DSS fosters a consistent and uniform set of standards among the five major credit brands (Visa, MasterCard, American Express, Discover, and JCB).

“Before September 2006, you could call Visa and ask a question about it and get one answer and a week later call MasterCard and get a completely different answer,” Russo said. Now PCI DSS is the sole set of requirements, vetted and enforced by the payment card industry.

PCI DSS is one of three standards created by the Standards Council. The second is the Payment Application Data Security Standard, or PA DSS, which was created to assess the security standards of over-the-counter software applications. The third promotes compliance within PIN Transaction Security, or anything that requires consumers to enter their personal identification numbers.

Each is global in scope, updated on a cyclical basis, and provides the best defense against a data breach, Russo said.

Getting compliant

Every hotel that stores, transmits or processes credit card data must be compliant with PCI DSS, which comprises 12 specific requirements outlined in six specific goals. Failure to comply represents a contractual breach with the various credit card brands, which then can impose fines as large as US$500,000, said Anthony C. Roman, president of Roman & Associates, a Lynbrook, New York-based security and fraud consulting company.

Anthony C. Roman
Roman & Associates

Compliance becomes mandatory 1 July 2010, he said.

The 12 requirements and six goals are as follows:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

While the Standards Council and various organizations like the American Hotel & Lodging Association offer educational seminars and supporting documents to help hoteliers get compliant, the task can be a difficult and complex process, especially given the more than 100 pages of technical requirements that compose the above 12 requirements.

  • For more information and supporting documents from the PCI Security Standards Council, click here.
  • View a “Quick Facts” brochure from the AH&LA.
  • Sign up for the AH&LA’s PCI DSS Online Course. 

Major hotel companies likely have the technical support to foster compliance with their various brands. Smaller companies and stand-alone properties, however, might not. In any case, the expertise of a third party is often required.

Proving compliance

Depending on what level merchant a given company is, the payment card industry requires different burdens of proof of compliance. Merchant level is dictated by the number of credit card transactions conducted in a single year. More than 6 billion transactions signify a Level 1 merchant. Anything less is broken down accordingly, Russo said. (If you’re unsure of your merchant level, ask your acquiring bank.)

Level 1 merchants must validate compliance by hiring a qualified security assessor, or QSA. There are 220 QSAs worldwide, each assessed and certified by the PCI Security Standards Council on a cyclical basis.

Once hired, a QSA will come in, conduct an assessment of your information security network and submit his or her findings to the acquiring bank, which then passes the findings to the credit card brands represented at the given property. If found compliant, the given property is considered valid under PCI DSS.

For hotel companies that do not qualify as Level 1 merchants, compliance is still mandatory but does not have to be validated. To ensure compliance, these merchants can conduct a self-assessment questionnaire and hire an approved scanner vendor, or ASV, to do an external scan of the information security networks to make sure there are no lapses or holes in protection, Russo said.

Oftentimes, the acquiring bank has programs or its own requirements for ASV scanning among its portfolio of merchants to avoid contractual breaches and penalties imposed by the credit card companies. These acquiring banks might require a hotel company within their portfolio to send in paperwork to prove it has been scanned by an ASV on a quarterly basis, Russo said.

Security and compliance

Hoteliers shouldn’t think of PCI compliance as burdensome paperwork, Russo said. It should be seen as a way to bolster security and protect against a wide array of potential ramifications.

“There are direct fines, which are contractual in nature. The liability for the identity theft of those people who have suffered a breach as a result of a hotel’s negligence is substantive,” Roman said, adding that a single breach could lead to millions of dollars in legal costs, branding tarnishing, and multimillion-dollar negligence liability payouts either through settlements or awarded by federal courts.

PCI DSS is the best way to avoid a hack or information security breach, Russo said.

“What is always found in the forensics after a breach is that companies were not compliant with the standards,” he said. “Had they been, there were defenses that would have prevented them from being breached.

“The biggest defense that you can put up against having a breach is these standards.”


  • Cindy Valladares, Tripwire May 19, 2010 11:31 AM

    I agree with Brent. PCI is a good starting point and very effective in protecting cardholder data when done appropriately. It could be harmful if treated as the security goal for your organization, as it will create a false sense of security.

  • Mister Reiner May 19, 2010 6:42 PM

    Cindy - All security creates a false sense of security. =/ Brent - It's just a standard. Hotels need a professional risk and security assessment to determine how to best implement the standard and obtain the best security. Half the battle with security is educating people about requirements and standards. This article raises awareness, which is a good thing.

  • Jan Popovic May 18, 2011 7:44 PM

    PCI DSS is a very good and meaningful norm for data security. Although intended for credit cards only, if its scope is expanded to personal and other sensitive data it can very well serve as a base for the organization's general information security policy.

Comments that include blatant advertisements or links to products or company websites will be removed to avoid instances of spam. Also, comments that include profanity, lewdness, personal attacks, solicitations or advertising, or other similarly inappropriate or offensive comments or material will be removed from the site. You are fully responsible for the content you post. The opinions expressed in comments do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Please report any violations to our editorial staff.