PCI compliance: A 12-step program

One more minute ...

Hello everyone and welcome to Hotel & Motel Management’s Live Chat on data security and PCI compliance. The goal today is to bring awareness to the importance of protecting guests’ personal information and answer your questions on how security breaches and PCI compliance deadlines affect you.

We have three experts with us today who have immersed themselves in the best practices of data security. They will try to answer each and every one of your questions, but in the event they cannot, we will direct you to places where you can get more information.

Please look below this chat window for brief biographies on our expert panelists. Consider directing your questions to the most appropriate panelist.

I’ll now open it up to questions from the attendees.

I see a question from Marsha.

David, would you mind taking a stab at that?

Marsha, so, assuming that the company making the request is a merchant, then they are doing something that is at odds with the PCI DSS requirements, in several ways...

Dustin, can you speak to Henry's question?

Marsha,
If you are storing hard copy PDF's of cardholder data, you are required to store those securely. I would recommend reviewing these processes to determine if they are truly required. If not, it's in your best interest to create policies the prohibit such storage. Occasionally data may be received through channels that are not part of normal processes. In these cases, just insure you have processes and procedures that address how to treat such data (like secure deletion).

First, by getting a back and front photocopy of a credit card, they are capturing and storing the card validation code, along with all of the other cardholder data (PAN, account name, expiration date). Having the Card validation code post authorization (assuming this is to be used to authorize some charges) is something you aren't allowed to do under the PCI DSS, even if it is encrypted.

Also, ultimate liability most often lies to the owner of the Merchant account which the data is being transacted. But that's really determined by the Card Brand and Merchant Bank.

It is important to realize that the requirements regarding the storage of credit card data is not limited to magnetic storage, but also applies to paper and other media as well.

Here's a question from George:

In the case you describe, Marsha, there ends up being several potential violations of PCI DSS requirements, not just dealing with storage, but with the transmission of data, as well.

David makes a good point. If you are storing the card validation code post authorization, no matter what controls you put into place, you are not following the requirements defined within PCI DSS section 3.

George,
First, and foremost, they must be secured in a place with very limited access. Second, these receipts should be stored with business defined retention periods that are the shortest periods you require. There should be some sort of mechanism to ensure that such materials are destroyed at the end of the retention and destroyed in a secure fashion.

thanks for your question, MsChips. The PCI Security Standards Council has an extensive website for more information on PCI compliance, even listing vendors that have completed the application process. The website is: https://www.pcisecuritystandards.org/index.shtml

Warren, can you speak to @Joel_Ross?

Tokenization is certainly an added level of security and highly recommended, but it only covers the card holder storage of data in the database. There are other points of contact with the credit card such as checkin swipe that still require PCI considerations.

this one is also for Warren, from @Michael:

George and anyone else, too... While requirement 3 applies to all storage, magnetic, paper, images (don't forget about any imaging processes, too!), Requirement 9 of the PCI DSS also hits on the destruction of such media. So those are two good references for this sort of stuff.

George, that was a good question, in any case. Paper sometimes get overlooked by many businesses because the focus is so strongly on the computer media.

Joel, I think end to end encryption is a good direction for many merchants. But their are different definitions of end-to-end encryption out their and how the technology is implemented is important. There been a lot of buzz about end-to-end encryption lately and I think there will be a lot of progress made within this space in the future. There is a cost factor to its implementation that might not be feasible for some. Also, your POS software and gateway/processor will need to support it. It will be interesting to see how many merchants decide to go this direction in the future.

As noted by Dustin earlier, utlimate liability lies with the owner of the merchant account. Remember, even if your PMS is certified by the PCI council as PA-DSS certified (the designation for certified applications), it is still incumbent on the property to implement and maintain and use the PMS in a PCI compliant manner.

thanks Warren. Good question from @Craig. David, can you take this?

@Marsha, a transcript of this conversation will stay up at this page, www.hotelworldnetwork.com/security0510, for at least another week. You can also e-mail me at jfreed@questex.com and I can send you a Word document.

Warren, good point. There are a lot of franchisee's out there that do not understand this. The parent company may provide and manage the POS system and the franchise owner assumes because that system is also PA DSS compliant that PCI DSS compliance does not affect him and is the responsibility of the Parent company. Franchise owners need to be aware of PCI DSS and how it affects them. If you are transacting with your Merchant account, you own the liability. A lot of franchise owners do not understand this until it is too late.

Craig,
That is, in my opinion, a healthy way to look at it. PCI compliance is, for the most part, security measures that most businesses should be practicing over their whole environment. For the Card brands, their acquirers, service providers, and everyone else downstream from there, the PCI DSS provides a baseline of compliance. Businesses should consider exceeding those requirements where their own risk analysis (also required by PCI under requirement 12) calls for it.

Question from @Brian. Dustin, can you handle this?

and David, can you speak to @Marsha ...

Regarding the liabilities... Dustin and Warren have said it well... Everyone who handles cardholder data is liable. Everyone needs to be responsible and feel responsible.

Brian, there may be better ways. There may be costs associated with other ways though. We have some customers that use special software they copy the card with that has the ability to block out the card number (automatically) within certain sections of the image. I've seen customers do what you are doing to. I would recommend investigating if an actual image is required to be maintained. Also, please insure that you are not storing the CVV data as well. Unfortunately, using a sharpie is not always effective. I've seen with some sharpies that it's easy to obtain the number under certain types of light. You may want to hole punch the section of the card number to remove it completely. Sorry, I don't have a magic answer to that one.

Marsha,
Yes, in fact, that is really the objective of the PCI assessment process:
Compliance

PCI DSS requirements aren't impossible idealistic goals, they are very real and doable. But they aren't necessarily easy.

More important is not just becoming compliant, but staying compliant. If you read the PCI DSS requirements, you will notice there are several items that speak to ongoing activities and staying compliant (such as the ongoing scans).

"hole punch" earns top answer of the day. (so far)

I think if you take a wood burning tool to the paper that might work... and probably violate a ton of OSHA rules in the process!

David, there is no prize for top answer. But thanks for trying to one-up Dustin. Next question from @Hotel_Mike ...

Brian, is there some sort of secured (locked container) that you can have these forms stored within (like a secured drop box) that only an authorized person would have access to? Just an idea. You're not technically required to black it out, it does need to be securely stored though.

@Ken, recycle them.

Burn everything except the first six and last 4 digits. :-)

@Hotel_Mike, I don't think Visa plans on sending a "regulator" around to make sure merchants are PCI compliant, but if your hotel is breached and it is determined you weren't compliant with DSS standards, there will be a slew of consequences.

Mike,
Whether an assessor comes out depends upon so many things. First, it depends whether your hotel group is classified as a Level 1 merchant or otherwise classified to require a 3rd party assessment (companies that have had a card breach in the past are typically required to have a 3rd party assessment). Second, if your hotel is one of many sites that is being assessed by a 3rd party, then you may be selected as part of a sample, or you may not.

good point, @David Moody.

Ken,
That is more real than you might think. I, and I am sure Warren and Dustin have seen this as well, have seen several emerging businesses just dealing with PCI media destruction, management, and recycling of materials, too.

To add to David's comments... we are receiving a lot of calls from Level Two merchants/franchises lately because of the MasterCard validation requirements that go into affect next year. It will be up to the Merchant Bank to notify you of their validation requirements.

Good point, @Craig. The PCI DSS standards provide a stepping-stone for data security. Teaching your staff about the importance of handling guest data is just as critical.

question from @Marsha ...

Also, I want to emphasize that the PCI DSS standard is pretty solid and based off of ISO standards. What's important to realize is that an audit or assessment, is not what makes you secure. It's the day in and day out attention to the requirements and how you follow them that will ultimately determine how secure you are.

@Ken, I'm sure the panelists can offer more specifics, but you'll always want to keep your POS systems on a dedicated server and update anti-virus software regularly. The PCI DSS website has more tips on firewall protection ...

Marsha,
Are you looking for a paperless solution? Or a way to let some other service handle the credit cards entirely?

I don't know how to answer your question specifically, except to say, yes, there are ways around deposit payments, for instance, I know Orbitz and others take payments on behalf of hotels. But that may not be what you are really trying to achieve.

@Marsha. there are already properties that do accept paypal as a method of payment, which is fine for fully prepaid stays, but it my be inconvenient for guests to manage incidentals at checkout through paypal.

A Marsha, One thing to realize by putting data into a web browser, you have just transferred risk from paper/physical security to digital/logical security. This is why a risk analysis is important to determine what is the best practice to follow by your organization. By putting data into a browser, you may have made it more accessible to employees and possible non-authorized persons. You may even have employees that can access this data from home? This all needs to be assessed internally to determine what is the best process for your organization.

Ken,

No matter what... you should keep Telnet and FTP totally out of the cardholder environment.

That being said, firewalls set ups and configurations can get complex. Some of the important things to focus on are:

Segmenting and securing the cardholder environment away from other processing in the network.

Having a DMZ that is the barrier between internal and external IP's

Using accepted published standards such as NIST, SANS, NSA, CERT, and vendor recommendations.

I'm sure Dustin and Warren also have some good advice regarding firewalls. I'm not going to try and get into too many details just because that is a HUGE subject.

Folks, we'll wrap up shortly ... I just wanted to thank our panelists quickly for taking the time to Chat today. At www.hotelworldnetwork/security0510 you'll find more information on PCI compliance. If you have questions that weren't resolved, please visit the PCI DSS website or feel free to leave a reader comment on the bottom of this page and we'll contact you with the best answer we can provide.

Ken, to add to David's point, a good change control process is essential to managing a firewall. Given the complexity of the rules, firewalls can be ugly to manage. There are tools out there that can help. Shrubbery Networks has a free Rancid tool that works really well with managing and tracking changes to Cisco firewalls. It's worth looking into if your environment is complex. There are other tools as well.

If you use any 3rd party payment gateway or processor....

Make sure they are PCI Compliant!

If they are, they should be listed on Visa and MasterCard's websites as compliant service providers.

@Marsha, it is within PCI compliance to take advance deposits, all within the realm of proper encryption and database storage rules. With tokenization added to the mix, you can process the advance deposits without holding cardholder data.

If you are using a 3rd party service provider for credit card stuff and they aren't listed on the Visa and/or MasterCard sites.... it should be something to make you go "hmmmm"

In any case, find out the facts on third party PCI compliance. It all goes back to who is responsible.

Under requirement 12... you are responsible to ensure that other folks you share cardholder data with are PCI compliant and that you monitor that status.

excellent point, @Warren, and a great note to wrap today's chat. Thanks again to our panelists and readers, and please stay tuned to Hotel & Motel Management for future Live Chats on bettering operations at your property.

Also, you should try to verify if your payment software is PA DSS compliant. But even if you determine that it is, you will need to also verify that it was configured and maintained in a compliant manner. A lot of franchise owners are making assumptions out there. Please verify that all of PCI DSS is being met.