How to gain a five star security reputation in hospitality
Achieving and sustaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a daunting challenge for hotels because they handle many complex payment business cases.
Achieving and sustaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a daunting challenge for hotels because they handle many complex payment business cases. For example, consider the numerous new booking options and services to improve the customer’s experience during the reservation process and their stay. Also, debit and credit card payments represent 80% of the industry’s customer payment methods, and it can be difficult to master and protect the stream of payment data running through the business. Applying a well-defined or planned out security approach can help to empower your organization with the necessary tools and knowledge to fulfil the PCI DSS requirements while also building a sustainable PCI compliance program. This approach should help usher in a successful transition to PCI DSS version 4.0 in order to meet the March 31, 2024, deadline, when v3.2.1 is set to expire.
Do you know all your payment channels and credit card flows?
Considering the complexity of debit and credit card use cases in the hospitality industry, finding the right approach for transitioning to PCI DSS v4.0 can be difficult for an industry that must address changes from the corporate to the franchise level in a timely manner.
Complexity has increased with the introduction of smartphones and digital wallets as well as the significant reduction of in-person cash payments. For example, in France 6O% of payments are done using a debit or a credit card[1]. Indeed, hotel customers can now book their stay via the corporate website, online travel agencies, such as www.booking.com or www.expedia.com, or hotel applications on their smartphones – in addition to traditional payments at the payment terminal located at the front desk of the hotel. Also, new digital payment channels are available for the customers during their stay: They can book a cab right after selecting and paying for the lunch menu with the hotel application or applications managed by third parties such as www.karhoo.com or www.resdiary.com. These payment evolutions impacting the hospitality industry require special PCI DSS v4.0 compliance steps.
Four recommended steps in the PCI DSS v4.0 transition
Step 1: Locate, identify and document all the credit card flow in the organization, as stated by the following requirements applicable to all entities subject to PCI security compliance:
1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
(See the PCI Security Standards Council (SSC) Requirements and Testing Procedures, Version 4.0 March 2022.)
Step 2: As an organization that is subjected to PCI DSS compliance, step 2 of your compliance project is to prepare for the update as soon as possible by knowing your compliance status and level, and select the date of your next assessment.
Compliance with the PCI DSS demonstrates to customers and third parties that security controls required by the PCI Standards are in place in order to safeguard their confidential data and mitigate the risk of a credit card data breach. The required security controls include, but are not limited to, security policy and process documentation, secure data storage and transmission, development and application security, access control, network isolation, and service providers and third-party management.
Your organization likely is facing one of two choices: Either maintain your current PCI security compliance while implementing the new applicable requirements or invest in a new project and implement all the PCI security requirements of PCI DSS v4.0. Different FAQs available on the PCI SSC website can help you navigate this big change: If this is your initial PCI DSS assessment, as defined in the PCI SSC FAQ 1485, your “entity has never undergone a prior PCI DSS assessment that resulted in the submission of a compliance validation document.” In this case, “PCI DSS requirements are expected to be in place at the time of the assessment.” If you are already PCI security compliant, all expected requirements should be in place by the date of your next assessment. Indeed, as per FAQ 1328, after March 31, 2024, PCI DSS v4.0 will be the only active version. Note that your current certification will not expire at the beginning of April, as per PCI SSC FAQ 1565.
Understand why compliance is crucial for your business and its stakeholders to determine the right sponsorship and resource allocations for your project. In the hospitality industry, hotels are either corporate or franchise entities. This situation creates complexity since, for the customers, the corporate entity is also responsible for the payment card data processed by the franchise organization. One key success factor in this type of large organization is to implement the right governance model by assigning clear roles and responsibilities for the implementation and maintenance of the requirements. This approach is not only a good practice but also a requirement since the new version of the standard puts some emphasis on business-as-usual compliant processes, as stated in the Payment Card Industry Data Security Standard Requirements and Testing Procedures, Version 4.0, March 2022:
12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
12.4 PCI DSS compliance is managed.
12.4.1 Additional requirement for service providers only:
Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management.
Step 3: Formally assigning roles and responsibilities is step 3 of the security compliance project, with a PCI security compliance manager in charge of the coordination and follow-up of all required tasks. Customers in this industry frequently have a PCI security compliance manager position at the corporate level supported by local PCI contacts responsible for coordinating the local implementation of the PCI security compliance program.
The hospitality industry relies a lot on payment and property management system service providers, IT infrastructure service providers, and cloud providers in order to maintain and provide payment channels. It’s important to outline the responsibility of each party for the implementation of each requirement through a signed contract. Requirements 12.8.2 and 12.8.5 of the standard clearly support this approach, since written agreements are mandatory along with a responsibility matrix:
12.8.2 Written agreements with TPSPs [third-party service providers] are maintained as follows:
• … with all TPSPs with which account data is shared or that could affect the security of the CDE [cardholder data environment].
• … acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.
In the hospitality industry, franchises are often seen as third-party service providers. The property owner using the franchisor’s brand name also should participate in the compliance program of the franchisor and demonstrate their compliance. This could be achieved through appropriate compliance documentation depending on the number of card transactions processed locally. The compliance document can be either a Report on Compliance (ROC) or the appropriate self-assessment questionnaire (SAQ). The appropriate management of the relationship with the service providers is very important; it represents a huge workload that should be done diligently.
PCI DSS v4.0 comes with a lot of technical challenges. It’s important to understand them and know the ones that are applicable to your environment. Let’s explore some examples:
Multifactor authentication (MFA) technology Requirement 8.4.2
MFA is implemented for all access into the CDE.
Multifactor authentication technologies are now mandatory for all personnel with access to the credit card environment. This requirement is a challenge due to the number of front desk agents with access to the credit card data on the booking systems. This requirement also has an impact on the Property Management System (PMS) used to manage payment at the front desk. It can be quite a challenge to implement this feature if it’s not supported by the PMS used in the hotel. Many hotels use Opera PMS, Sihot PMS or some Cloud PMS.
Security of payment page scripts Requirement 6.4.3
All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
• A method is implemented to confirm that each script is authorized.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written justification as to why each is necessary.
The appropriate solution should be used in order to identify, list and protect all the scripts used on the different payment pages in the business environment.
Step 4: Know and understand your technical environment and the challenges that your organization will face in order to implement the applicable new requirements.
Conclusion
Hotels are receiving a major makeover these days—and not just with the room decor. New payment models are challenging PCI DSS compliance in new ways. Organizations are on a journey in which it’s important to clearly know the starting point and the destination. PCI DSS version 4.0 brings solutions but also many challenges that require your organization to identify key concerns as well as an appropriate means for resolving them. Breaking down complex issues into smaller manageable ones is the best approach for such projects. Having a step-by-step methodology is essential for successfully implementing the new requirements in your organization.
Start by understanding all of the business cases and payment flows in your organization. The second milestone of the journey is to know your current PCI security compliance status and plan the next assessment. Then, formally assign roles and responsibilities with a PCI security compliance manager in charge of the coordination and follow-up of all required tasks. Finally, set up a compliance organization and program before undertaking all the technical challenges related to your IT environment. Learn more about Verizon’s PCI assessments here.
O’Pa-Gnou Félix Grebet is a senior consultant, PCI QSA, CISM, CISA in Verizon Cyber Security Consulting, France.
About Author
