It seems that Australian hotels are lagging behind their European and U.S. counterparts when it comes to the Payment Card Industry Data Security Standard (PCI DSS). This may be due to the fact that reporting a breach of cardholder data is currently not a legal requirement in Australia (although your merchant agreement almost certainly obliges you to report one to your bank). This is about to change, with proposed laws due to be implemented on 12 March 2014: http://www.oaic.gov.au/news-and-events/media-releases/privacy-media-releases/australians-better-protected-with-mandatory-data-breach-notification
Some hotels think they are PCI compliant because the cardholder data they store in the Property Management System (PMS) or Point of Sale system (POS) is encrypted. Not so. Encryption of stored card numbers is only one control within one of the 12 core requirements (Requirement 3, which also covers key management, retention limits and the rule that sensitive authentication data such as the CVV and full magnetic-stripe contents must never be stored after authorisation). Another is “vaulting” or segregating the cardholder data from the rest of your network: keeping the systems that store, process or transmit card data on their own segment, separated by firewalls from guest Wi-Fi, back-office PCs and everything else. Segmentation is not itself a PCI requirement, but it is the accepted way to shrink the part of your network that must meet all 12. How many hotels can truly state that they have this in place?
In order to be PCI compliant you must implement all the requirements published by the PCI Security Standards Council. These are:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.
Looks pretty straightforward, doesn’t it? Unfortunately it is a lot more complicated than it appears: each of the 12 headings expands into dozens of detailed sub-requirements, each with its own testing procedure, and meeting them all requires a considerable amount of effort and cost.
The best way to achieve compliance is to create a team of key stakeholders in the hotel that meets on a regular basis to work through the detailed requirements. The Self-Assessment Questionnaire (SAQ) that matches the way your hotel processes cards, together with the full standard, can be downloaded at https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
Whilst many of the requirements are IT related, standard operating procedures (SOPs) and employee education play an integral part in the plan. Your PCI team should therefore include your IT Manager, Front Office Manager, Financial Controller and HR Manager. When reading the compliance document you may find it daunting, but by assigning tasks to your team members it is quite achievable. Do not make the mistake of treating this project as simply IT related. It is not. It will most likely involve changes to your SOPs across a number of departments and to the way you do things today. An example is the physical security of paper credit card records (Requirement 9): where are they stored, who has access, how is that access controlled and monitored, and when are they securely destroyed?
Whilst PCI compliance is not a legal requirement, it is a requirement of the card brands and your acquiring bank, and it is almost certainly written into your merchant agreement. A hotel that is not compliant is far more likely to suffer a breach of cardholder data, and a breach at a non-compliant merchant brings heavy fines passed on by the bank, the cost of a mandatory forensic investigation, and possible termination of the merchant agreement. Worst of all is the potential damage to your reputation. How do you explain a serious breach to the loyal guests who have entrusted their information to you?
With our industry experience in this area, Systemnet Hospitality can assist you with your remediation efforts to achieve compliance and prepare for an external PCI audit* by a Qualified Security Assessor (QSA). For more information on PCI DSS visit www.pcisecuritystandards.org
*Systemnet can recommend a QSA if required, or you can select one from the list on the PCI Security Standards Council website.