July 5, 2011
Whilst outsourcing card storage or processing simplifies the processes a hotel needs in order to protect credit card information, it does not by itself guarantee security or compliance with PCI DSS.
Cardholder data must be protected from the point at which the company accepts it, throughout its entire lifecycle, up to and including the handling of refunds and chargebacks.
Any part of the credit card lifecycle can be outsourced except the accountability for proper and compliant handling of the sensitive data, which always remains the responsibility of the merchant.
If you decide to outsource part of your payment infrastructure, it is important that you verify that the payment provider’s applications, terminals and internal processes comply with the PA-DSS standard as a minimum. PCI DSS requires merchants to request proof of compliance annually from all third-party vendors involved in storing or processing credit card data; you really should treat this requirement seriously and go beyond the baseline outlined in PCI DSS.
Handing hugely valuable, toxic data to a third-party processor is similar to handing your baby to a babysitter. It should only be done on the basis of full trust in the provider and in the responsibility they apply to your treasure. Remember that in the event of a data breach it will not be them who are held accountable to your guests; it will still be your hotel’s management. Don’t hesitate, therefore, to check whether the provider is truly careful about the security of your data and whether they implement processes beyond those required for PCI compliance to safeguard the records, and don’t hesitate to ask for any additional security controls you feel are appropriate, such as:
- Forwarding the provider’s security log records relating to access to your data to your own central log server
- Having your QSA (Qualified Security Assessor) audit selected aspects of the provider’s compliance that you have doubts about
- Enforcing integration of the payment processor’s access to your data with your internal authentication/authorisation infrastructure (directory/identity management services)
In general, outsourcing payment processes to trusted entities saves hotels the time and resources involved in securing the data internally and as such should be seen as a positive thing. On the other hand, every hotel taking that approach must absolutely invest in processes and controls that verify the provider’s compliance with PCI DSS on a regular basis.
Outsourcing some of the PCI management tasks (e.g. patch or log management, file integrity monitoring, etc.) to third parties such as My Hotel IT, who are a Virtual IT department and provider of cloud computing services, network management and PCI compliance solutions to hotels, on the other hand does not require the third party’s own compliance with PCI, as the provider does not actually process the security-relevant data.