Hospitality PCI Myth no.2: PCI Compliance in Hotels is an IT Project
May 25, 2011
For many traditionally operated hotels, PCI DSS is likely to represent significant changes to the processes and controls of the entire hotel operation and administration, including Rooms, F&B outlets, Finance, Internal Audit as well as the IT departments.
Due to the complexity and cost, the PCI DSS implementation may easily become a 1-3 year multi-disciplinary project, similar to a major renovation or a hotel take-over. Additionally, because systems and internal processes evolve and new forms of security threats keep emerging, maintaining compliance will be a continual process of assessment, reporting and remediation.
Similarly to the internal audit discipline governing financial compliance, hotel General Managers are expected to distribute the responsibility for data security compliance among:
1. Functional Departments involved in processing sensitive data – Responsibility for compliant data handling processes
2. IT Department – Responsibility for securing systems and frameworks
3. Security Officer (a role required by PCI, which may need to be newly appointed) – Overall data security oversight
For the overall success and ongoing sustainability of the compliant processes put in place, it is critical for hotels to appoint a PCI Compliance Project Manager who carries the overall responsibility for data security (the Security Officer role) during the PCI implementation. The PCI Compliance Project Manager should have a solid IT technical background and project management experience, and at the same time understand the hotel operation, in order to serve as a competent advisor to the General Manager in data security matters and to effectively drive both operational and technical process changes. This person, however, does not need to be (and should not be) involved in the day-to-day hotel operation, so that they can maintain objective oversight over the processes being implemented.
THE MOST COMMON PITFALL
One mistake hotels commonly make in the effort to save cost is throwing the responsibility of implementing compliance onto the shoulders of functional department managers (including IT) who often:
a) Don’t have the time to study the details of the PCI DSS norm
b) Don’t understand the full scope of the regulations, their details and dependencies
c) Tend to misinterpret the PCI security requirements in favour of their department’s convenience
All three factors create a severe risk to the objective of the entire project, which, I would like to emphasise again, is to prevent credit card breaches. Always keep in mind that data security is only as strong as its weakest link!
From my experience, the ideal approach to defining the project team for a PCI compliance implementation in hotels is:
1. CEO or General Manager being the project sponsor.
2. CEO or General Manager appointing a PCI Compliance Project Manager who reports directly to the CEO/GM and acts as the primary steering force. The role does not need to be full-time; however, active involvement is typically necessary (one or two man-days per week in the initial stages, gradually reducing after the first compliant self-audit has been achieved).
3. The project management team should comprise:
– PCI Compliance Project Manager
– Executive Assistant Manager (if exists)
– Head of Operations (in larger hotels, the heads of Rooms and F&B should also be included)
– Head of Finance
– Head of IT
4. A strategy for appointing the Security Officer role, which maintains compliance after the initial implementation, should also be defined. The PCI Project Manager would be the most competent party to carry on with this role (it can be external, e.g. My Hotel IT – Virtual IT department and provider of hospitality PCI compliance project management and data security solutions); however, in stable operating environments another member of the project team or the General Manager him/herself might also take on this responsibility.
I hope this introduction to the hotel PCI project management methodology has convinced you that PCI is not an IT project. I would welcome your opinion by commenting on this post or by contacting me directly.
If I can help you get started with the PCI DSS compliance implementation in your particular hotel, please don’t hesitate to contact me.