Hospitality PCI Myth no.4: Outsourcing card processing assures compliance

Whilst outsourcing of the card storage or processing simplifies the processes required to protect the credit card information by the hotels it does not by itself guarantee security or compliance with PCI DSS.

Cardholder data must be protected from the point of acceptance by the company throughout its entire lifecycle until and inclusive of the handling refunds and charge backs.

Any part of the credit card lifecycle can be outsourced except the accountability for proper and compliant handling of the sensitive data, which always remains the responsibility of the merchant.

If you decide to outsource part of your payment structure it is important that you verify that the payment providers’ applications, terminals and internal processes comply with the PA DSS standards as a minimum. PCI DSS sets a requirement for the merchants to request a proof of compliance from all third party vendors involved in storing or processing the credit card data annually and you really should treat this requirement seriously and take it even beyond the baseline outlined in PCI DSS.

Giving away a hugely valuable toxic data to a third party processor is similar to giving your baby to a babysitter. It should only be done on the basis of a full trust in the provider and their applied responsibility for your treasure. Remember that in case of a data breach it will not be them who would be held accountable to your guests, it would indeed still be your hotel’s management. Don’t therefore hesitate checking whether the provider is truly cautious about the security of your data, whether they implement beyond the PCI compliant processes to safeguard the records and don’t hesitate to ask for more secure controls you feel appropriate, such as:

  • Forwarding of the provider’s security log records relevant to the access to your data to your own central log server
  • Have your QSA (Qualified Security Assessor) audit selected doubtful aspects of the provider’s compliance
  • Consider enforcing integration of the payment processor’s access to your data with your internal authentication/authorisation structure (directory/identity management services)

In general, outsourcing of the payment processes to trusted entities would save hotels time and resources involved in securing the data internally and as such should be seen as a positive thing. On the other hand, all hotels taking that approach must absolutely invest into implementing processes and controls verifying the provider’s compliance with PCI DSS on a regular basis.

Outsourcing of some of the PCI management tasks (e.g. patch or log management, file integrity monitoring etc.) to third parties, such as to My Hotel IT who are a Virtual IT department and provider of cloud computing services, network management and PCI compliance solutions to hotels, on the other hand, does not require the given 3rd party’s compliance with PCI as the provider doesn’t actually process the security-relevant data.

Hospitality PCI Myth no.3: IT can assure PCI compliance with just a little added effort

The information management can be compared to financial management by simply replacing the object “finance” by “sensitive data”. Both Finance and IT are bound by legal and contractual obligations to comply with governance standards and both disciplines also face significant risks associated with non-compliance and fraud.

Whilst nobody can imagine a hotel operating long-term without risk-based financial controls and an internal audit function actively monitoring the legitimity of financial transactions, avoiding basic IT security is unfortunately still a common practice in a number of hotels, resorts and spas.

In essence, becoming compliant with PCI or any other data security standard for this matter requires your organisation being the owner of the sensitive data to KNOW about your data rather than to GUESS or ASSUME. You need to properly describe and understand your own data flows, maintain a clear overview of where your sensitive data resides, who and how should be and is in reality able to access it, keep an evidence of such accesses and have defined controls in place enforcing and verifying the related internal processes on a frequent (some even daily) and regular basis.

Similarly to the Finance department, if we try to adhere to the applicable laws and prevent monetary breaches without clearly defining the processes having impact on financial data, without putting in place reasonably effective controls and by letting the Finance Manager alone in a hands-on fashion do hotel’s financial management, accounts receivables and payables, purchasing and internal audit, we are likely to fail miserably.

  • Do you accept that a decision of working with sensitive information carries also the responsibility for properly protecting it?
  • Do you understand that a single IT Manager with tight outsourcing budget is probably unable to implement and maintain compliance with PCI and other data security standards?Well in that case you’re well positioned towards success in implementing the PCI compliance in your hotel, resort or spa.

Hospitality PCI Myth no.2: PCI Compliance in Hotels is an IT Project

For many traditionally operated hotels, PCI DSS is likely to represent significant changes to the processes and controls of the entire hotel operation and administration, including Rooms, F&B outlets, Finance, Internal Audit as well as the IT departments.

Due to the complexity and cost, the PCI DSS implementation may easily become a 1-3 year multi-disciplinary project, similar to major renovations or hotel take-overs. Additionally, due to the evolution of systems, internal processes and ever emerging forms of security threats, maintaining the compliance will be a continual process of assessments, reporting and remediations.

—–
MAIN PLAYERS

Similarily to the internal audit discipline governing financial compliance, hotel General Managers are expected to distribute the responsibility for data security compliance among:
1. Functional Departments involved in processing sensitive data – Responsibility for compliant data handling processes
2. IT Department – Responsibility for securing systems and frameworks
3. Security Officer (a role required by PCI, which may need to be newly appointed) – Overall data security oversight

For the overall success and ongoing sustainability of the compliant processes put in place, it is critical for hotels to appoint the role of the PCI Compliance Project Manager who will carry the overall responsibility for the data security (Security Officer) during PCI implementation. It is recommended for the PCI Compliance Project Manager to have a solid IT technical background, a project management experience and at the same time understand the hotel operation in order to serve as a comptent advisor to the General Manager in data security matters and have the ability to effectively drive both operational and technical process changes. This person, however, does not need to be (and should not be) involved in the running hotel operation in order to maintain an objective oversight over the processes being implemented.

—–
THE MOST COMMON PITFALL

One mistake hotels commonly make in the effort to save cost is throwing the responsibility of implementing compliance onto the shoulders of functional department managers (including IT) who often:
a) Don’t have the time to study the details of the PCI DSS norm
b) Don’t understand the full scope of the regulations, their details and dependencies
c) Tend to misinterpret the PCI security requirements in favour of their department’s convenience

All three factors subsequently create a severe risk to the objective of the entire project, which I’d like to emphasise again is to prevent credit card breaches. Always keep in mind that data security is as strong as is its weakest link!

—–
RECOMMENDATION

From my experience, the ideal approach to the PCI compliance implementation in hotels with regards to the definition of the project team is:

1. CEO or General Manager being the project sponsor.

2. CEO or General Manager appointing a PCI Compliance Project Manager reporting directly into the CEO/GM and being the primary steering force. The role does not need to be full-time, however, an active involvement is typically necessary (one or two man-days per week in the initial stages gradually reducing the involvement after achieving the first compliant self-audit).

3. The project management team should comprise from:
- PCI Compliance Project Manager
- Executive Assistant Manager (if exists)
- Head of Operations (in larger hotels, the heads of Rooms and F&B should also be included)
- Head of Finance
- Head of IT

4. Strategy for appointing the Security Officer’s role maintaining the compliance after its initial implementation should also be defined. The PCI Project Manager would be the most competent entity to carry on with the role (can be external, e.g. My Hotel IT – Virtual IT department and provider of hospitality PCI compliance project management and data security solutions), however, the other members of the project team or the General Manager him/herself might also take on this responsibility in stable operating environments.

—–
CONCLUSION

I hope this introduction to the hotel PCI PM methodology has convinced you to not believe that PCI is an IT project. I would welcome your opinion by commenting on this post or by contacting me directly.

If I could help you get started with the PCI DSS compliance implementation in your particular hotel please don’t hesitate to contact me.

Hospitality PCI Myth no.1: Hospitality is different and needs a special (i.e. reduced) set of security requirements

As the initial excuse for not following the PCI regulations, some hospitality professionals keep on emphasising that hospitality is different from other industries in the way it operates and thus requires a special set of requirements issued by the Payment Card Industry (PCI) governing the storage and transmission of the credit card data.

Unfortunately to date, I haven’t found any explanation as to why should hospitality be any different from other verticals in terms of respecting the contractual obligations agreed with the acquiring banks or other general legally stipulated rules and regulations enforcing data security onto companies. The only and actually a shameful argument supporting the statement that “hospitality is different” is  that hotels and restaurants accounted for by far the largest amount (approximately 40%) of credit card breaches in 2010 out of all industries.

The position of the acquiring banks and QSAs is, however, very simple: If businesses don’t need to store or process the credit card data they should avoid doing so. By eliminating storage of sensitive data or its processing through internal systems, hotels can elegantly get around the requirements of implementing strict operating and information technolgy security controls. If however the hotels insist on using credit cards as a guarantee for no-shows or late charges, for simplifying the guest experience by keeping the preferred payment details stored within the guest profile or as a mathing identifier in the loyalty system, then, like any other merchants, they need to work towards conforming to the PCI DSS type D self-assessment questionnaire.

Let’s not see information security and compliance only negative. After all, implementing solid data security practices has also positive sides to it, to name a few:

  1. It gives hotels the opportunity to review and optimise internal processes and systems in use, which consequently leads to an improvement in staff productivity
  2. Better protection of other digital assets, such as company secrets (strategy papers, accounting records) and sensitive data required for compliance with local legal requirements (data privacy protection)
  3. Compliance with data security regulations is an investment that reduces operational risk and thus increases overall company’s market value

Let’s pull the sleeves and pick up the topic of compliance as an opportunity of working towards improved controls and productivity! I am positive we will see positive returns along the way!

Common PCI DSS Hospitality Myths

The PCI DSS standards are quite complete and as such may seem overwhelming especially for smaller individual hotels and chains that are missing standard security processes and measures common in other industries.

Having discussed the compliance requirements in depth with some hospitality IT professionals I have discovered that there are various common misperceptions related to PCI DSS generally within the hospitality IT audience.

With the intent to improve the general awareness of good data security practices in the hotel industry and prevent ever increasing frequency of credit card breaches, I have clarified the most common myths with a PCI Qualified Security Assessor (QSA) and have eventually decided to share the outcome in this blog and also in the PCI DSS Compliance in Hospitality group discussion area on LinkedIn.

If you’re a hospitality professional interested in the details please subscribe and stay tuned.

Follow

Get every new post delivered to your Inbox.

Join 261 other followers