The global hospitality industry has long been an attractive target for cybercriminals trying to pilfer credit card data. Hotels and restaurants were among the first businesses to adopt card-based payments: the world’s first charge card—Diners Club—was conceived of when businessman Frank McNamara suffered the embarrassment of forgetting his wallet while dining out at a New York restaurant. And within a decade, American Express had introduced their now-familiar plastic charge card into the range of financial services it was offering to business and leisure travelers. From the outset, hospitality businesses have been pioneers in terms of credit card acceptance, catering to their guests’ wishes for simplicity and convenience.
As ever-increasing numbers of hotels and restaurants accept credit cards, however, the number of data breaches and the amount of data theft and card-based fraud have continued to climb as well.
Hotels are uniquely vulnerable to these types of crime for several reasons. Their payment systems are inherently complex, with POS terminals often situated in multiple, varied locations across their properties. And these point-of-sale systems must be integrated with an abundance of other IT systems that contain and administer customer data—running the gamut from online booking engines to electronic room key management to guest WiFi access to golf tee time or spa reservation systems. Each of these systems, and the interfaces that link them, represents a point of potential vulnerability.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed in response to a dramatic increase in credit card fraud that took place at the start of the digital age. It established a common security framework for all organizations that accept major credit cards for payment or process their transactions. The standard sets out clear technical and operational requirements for these organizations, as well as for the software developers and device manufacturers who create the systems they use.
Over the ten-year period between 1988 and 1998, Visa and MasterCard lost $75 million to credit card fraud. By the year 2000, as increasing numbers of merchants began to adopt e-commerce and to roll out websites with payment processing capabilities, annual losses to credit card fraud had risen to $1.5 billion. By 2016, losses topped $24 billion.
At the start of this period, each of the major credit card companies had its own unique set of security standards and policies. Visa’s, called the Cardholder Information Security Program, was the first to be implemented, in 2001. But MasterCard, American Express and Discover soon followed suit. Any merchant wishing to accept multiple credit cards had to adhere to multiple different sets of standards.
In an effort to reduce the fraud which had by then become rampant, and to encourage merchants to accept their cards, all five of the major credit card companies banded together to create a universal and comprehensive set of security standards. This new standard, PCI DSS 1.0, was introduced on December 15, 2004. Compliance was made mandatory for all merchants accepting any card offered by Discover, Visa, MasterCard, American Express or JCB.
Since then, the PCI data security standard has been updated eight times, roughly on a bi-annual basis. New versions are introduced to keep pace with changes in available technologies and best practices, as well as transformations in the threat landscape. The current version, PCI DSS 3.2.1, went into effect in May of 2018.
What’s Included in the Standard?
PCI DSS outlines twelve major facets of payment card information security. Within each area, the minimum security measures necessary for compliance are defined.
To maintain compliance, your business must:
Build and Maintain a Secure Network and Systems
#1: Install and maintain a firewall configuration to protect cardholder data.
Firewalls monitor traffic at the network’s perimeter, inspecting all incoming and outgoing packets to ensure they meet a set of predetermined security standards. A firewall establishes a barrier between secure internal networks and the untrusted “outside world” of the Internet. This PCI standard details how firewalls and routers must be configured, as well as how organizations should document the ways data flows within their systems and networks.
#2: Do not use vendor-supplied defaults for system passwords and other security parameters.
It’s easy for cybercriminals to find or discover the default passwords in place when software developers and hardware manufacturers initially ship their products. PCI DSS requires that all vendor-supplied passwords be changed to strong, unique passwords, and that all system components be individually configured in accordance with industry best practices.
Protect Cardholder Data
#3: Protect stored cardholder data.
To secure data at rest, a PCI-compliant merchant must employ an encryption method that ensures that an intruder to the network would be unable to read stored data without access to a strong cyptographic key. This standard also stipulates that no data should be retained unless absolutely necessary, and outlines secure destruction procedures for data that is no longer needed.
#4: Encrypt transmission of cardholder data across open, public networks.
Credit card data should also be secured while in transit. Whenever payment-card information is transmitted over public or wireless networks or the Internet, it must be encrypted, and a secure transmission protocol must be employed.
Maintain a Vulnerability Management Program
#5: Protect all systems against malware and regularly update anti-virus software or programs.
This standard mandates the use of anti-virus software on all systems commonly affected by malware. The AV software must be regularly updated and maintained, and be configured so that it runs actively and cannot be disabled by users.
#6: Develop and maintain secure systems and applications.
The security community frequently discovers new vulnerabilities in software and systems already in widespread use, and vendors subsequently issue patches. PCI DSS calls for all appropriate software patches to be installed in a timely manner, and requires that industry best practices for secure coding be followed if custom applications are developed to handle payment card data.
Implement Strong Access Control Measures
#7: Restrict access to cardholder data by business need to know.
Simply put, the more people have access to cardholder data, the greater the risk of data compromise. “Need to know” is when access rights are granted only to personnel who absolutely require them in order to perform their jobs.
#8: Identify and authenticate access to system components.
Each individual who accesses a system containing sensitive payment card data must have a unique user ID. This ensures that user actions can be traced. In case of a breach, authentication and access control logs also enable forensic investigations to be conducted more readily. This standard also mandates the use of strong passwords and multi-factor authentication for system administrators.
#9: Restrict physical access to cardholder data.
Any comprehensive data security policy must also take into account physical access to the devices and systems that hold the data. Systems that store, process or transmit payment card data should be monitored by video cameras or access control mechanisms. Processes and procedures should be developed to ensure that visitors, including third-party service providers, are identified and granted only necessary levels of access. And all physical media containing sensitive data must be appropriately secured and completely destroyed once no longer needed.
Regularly Monitor and Test Networks
#10: Track and monitor all access to network resources and cardholder data.
This standard stipulates that all processes and user activities be logged on any system or network that stores or processes payment card data. These system activity logs must be retained and made available for audit.
#11: Regularly test security systems and processes.
The threat landscape is constantly evolving. All system components, including hardware, software and procedures, should be subject to regular testing—including vulnerability scans and penetration tests—to ensure that security remains robust in the face of current threats.
Maintain an Information Security Policy
#12: Maintain a policy that addresses information security for all personnel.
A comprehensive information security policy enables all employees, contractors and consultants to understand their individual roles in keeping sensitive data safe. The policy should include usage guidelines for individual and company devices, an annual risk-assessment process, and procedures for ongoing training and documentation.
How Can I Ensure That My Hospitality Business is Compliant?
Which specific steps your organization must take depends in part on the number of Visa transactions you process annually. Merchants are classified into four levels, with transaction volumes ranging from under 20,000 to over six million per year. All merchants follow the same three-step process, but what’s required to complete the steps varies with compliance level.
The three steps include:
This consists of identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
Smaller businesses can complete a self-assessment questionnaire, while those with greater transaction volumes must employ a PCI-approved scanning vendor or security assessor. Compliance assessments are repeated annually.
Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
Reporting (or validation) involves compiling and submitting the required reports to the appropriate bank and card brands.
Specific reporting and validation requirements vary between card brands and differ for each of the transaction volume-based compliance levels.
Many hospitality businesses outsource the provision and maintenance of their IT systems to third-party service providers. But even if your organization does so, the penalties for non-compliance—including fines, potential legal liability, and increased risk of a breach—remain yours. So, too, does ultimate responsibility for compliance.
Adhering to the PCI standards is mandatory for all hospitality businesses accepting card-based payments, but does compliance mean that your hotel or restaurant is truly secure? Come back for next week’s blog post to learn more about how to answer this question.
Or contact Netswitch today to find out about how you can rely on our advanced managed detection and response services to ensure your business remains PCI compliant—and secure.