Hospitality PCI Myth no.3: IT can assure PCI compliance with just a little added effort
June 22, 2011
Information management can be compared to financial management simply by replacing the object “finance” with “sensitive data”. Both Finance and IT are bound by legal and contractual obligations to comply with governance standards, and both disciplines face significant risks associated with non-compliance and fraud.
Whilst nobody can imagine a hotel operating long-term without risk-based financial controls and an internal audit function actively monitoring the legitimacy of financial transactions, neglecting basic IT security is unfortunately still common practice in a number of hotels, resorts and spas.
In essence, becoming compliant with PCI, or any other data security standard for that matter, requires your organisation, as the owner of the sensitive data, to KNOW about your data rather than to GUESS or ASSUME. You need to properly describe and understand your own data flows, maintain a clear overview of where your sensitive data resides, who should be able to access it and how, and who is in reality able to access it, keep evidence of such accesses, and have defined controls in place that enforce and verify the related internal processes on a frequent (some even daily) and regular basis.
Similarly to the Finance department: if we try to adhere to the applicable laws and prevent monetary breaches without clearly defining the processes that affect financial data, without putting reasonably effective controls in place, and by leaving the Finance Manager alone to handle, hands-on, the hotel’s financial management, accounts receivable and payable, purchasing and internal audit, we are likely to fail miserably.
- Do you accept that a decision to work with sensitive information also carries the responsibility for properly protecting it?
- Do you understand that a single IT Manager with a tight outsourcing budget is probably unable to implement and maintain compliance with PCI and other data security standards?
Well, in that case you’re well positioned for success in implementing PCI compliance in your hotel, resort or spa.