PCI DSS compliance challenges for the Hospitality Sector

PCI DSS requirements are extensive and take time, resources and money to meet. Within the hospitality sector there are numerous challenges to be faced, some of which have straightforward answers whereas others may require more innovative solutions.


The hospitality sector is particularly exposed to cardholder data breaches because of the many channels used to take bookings and payments: web, telephone, fax, front desk, restaurant and bar, and third-party agents. In an industry where customer service is of the utmost importance, there have been a number of high-profile data compromises which have seriously damaged the brand credibility of the organisations involved.


PCI DSS compliance in practice
Businesses trading in the hospitality arena and falling within the scope of PCI DSS should be aware of the following critical areas:



  • Call recordings which include cardholder data are within the scope of PCI DSS and must be addressed in any compliance project. Note that a recording which captures the card security code (CVV2/CVC2) holds sensitive authentication data, which may not be retained after authorisation at all;


  • Storage of the Primary Account Number (PAN) on paper (booking forms, faxes, registration cards) is still within the scope of compliance. Is your organisation taking steps to protect card data on paper, or to remove it altogether? Have you confirmed whether the payment applications in use are PA-DSS validated, or whether their vendors have any plan to have them validated?


  • Does your company take pre-authorisations for incidental charges by keeping the full card details, including the security code, on file? Storing sensitive authentication data (full track data, CVV2/CVC2, PIN blocks) after authorisation is strictly prohibited by PCI DSS, even if it is encrypted;


  • Storage of cardholder data within a booking and/or room management system often significantly increases the number of systems within the scope of PCI DSS, because every system that connects to it without segmentation is drawn into scope.

It might sound strange, but the key to PCI DSS compliance is not remediating against every requirement. In fact, direct remediation of issues in order to achieve compliance is often the most complex and costly way of getting there. Companies seeking compliance should first seek to reduce their compliance scope to the smallest possible footprint. Sysnet have often achieved a ten-fold reduction in the cost of an organisation's initial and on-going compliance.

Sysnet recommends that, rather than taking the 'traditional' route of performing a gap analysis as the first step towards PCI DSS compliance, it is more beneficial to conduct a scope reduction exercise first. This provides blueprints of how your card payment processing systems could look under different scope reduction options.

By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved simply by reducing the number of systems, locations and employees that are subject to PCI DSS requirements. This also makes the compliance review a more manageable process. On completion of the exercise you will receive various options by which the scope of compliance could be reduced.

The recommendations will also provide insight into how the scope of compliance would look once each solution, process or approach has been implemented. For example, the recommendations will identify which Self Assessment Questionnaire (SAQ) would apply to each option, since the SAQ type depends on how cardholder data is handled (a fully outsourced, redirect-only web channel qualifies for a far shorter SAQ than an environment that stores PANs). This gives you the flexibility to choose the solution that fits your business.

Maintaining PCI DSS compliance
True information security can only be achieved through the implementation of a comprehensive data security programme. It needs to be continually updated to reflect industry standards such as PCI DSS or ISO 27001, and to accommodate the need for continuous workforce education and the implementation of proven technologies to protect data assets.

A comprehensive data security programme is one that involves all areas of the business, with the aim of securing valuable business information from the moment it enters the organisation until it leaves or is destroyed. The three most vital business components that need to be addressed are people, processes and technology.

People: People are often viewed as the weak link in the information security chain. Education is critical to ensuring your employees are familiar with your business security policies and procedures and know exactly what is expected of them when it comes to protecting the information assets of the business. New employees should receive information security training on induction, with mandatory periodic refresher courses for existing employees.

If your business is part of a wider group or franchise, take advantage of group training events and materials. Franchise owners should ensure consistency across all locations by providing such training aids and group policies.

Processes: Many security weaknesses manifest themselves in poor information security management processes and insecure system architecture. A thorough analysis of policies and procedures is required to ensure that your business operates in a secure manner.

Simple steps that can be taken include identifying information that isn't required by the business (for example, PANs kept on booking records long after the stay has been settled) and reducing the number of applications and systems that store, process or transmit cardholder data. Taking these steps also goes a long way towards reducing the scope and cost of compliance audits.

Technology: Poorly implemented technology solutions can pose significant risks to data security. A thorough analysis of existing as well as proposed systems and their implementation is critical to identifying how suitable and capable a technology is for your organisation's needs.

You can also reduce the burden of protecting information within your business by choosing appropriate partners who take on the responsibility of managing the data. However, the merchant retains responsibility for compliance when functions are outsourced, and should confirm the partner's own PCI DSS status. Technologies such as tokenisation (replacing the PAN with a surrogate value that is useless outside the token vault) and end-to-end or point-to-point encryption (so that the PAN is never in the clear on the merchant's systems) can greatly reduce the scope of information security requirements.
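The two process steps above, finding cardholder data that the business does not need and then taking the PAN out of systems that do not need it, can be demonstrated in code. The following is an added example, not Sysnet's tooling or anything from the page: a small discovery scan over constructed property-management-system log lines (the card numbers are the published Luhn-valid test numbers, the guest names are invented), followed by a minimal token vault of the kind the tokenisation sentence describes. The record format, field names and the `TokenVault` class are assumptions for illustration.

```python
import re
import secrets

# Constructed sample records for a hypothetical hotel property-management system
# (PMS) log. Not real data: the PANs are the standard Luhn-valid test numbers that
# acquirers publish for sandbox use, and the guest names are invented.
SAMPLE_RECORDS = [
    "2012-07-01 12:00:01 booking=4711 guest=Smith card=4111111111111111 exp=12/14",
    "2012-07-01 12:00:02 booking=4712 guest=Jones note=Ref 1234567812345678",
    "2012-07-01 12:00:03 booking=4713 guest=Brown cvv=123 card=5555 5555 5555 4444",
    "2012-07-01 12:00:04 booking=4714 guest=Doyle phone=+353 1 495 1300",
    "2012-07-01 12:00:05 booking=4715 track=%B4111111111111111^SMITH/J^1412101?",
]

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run. Lookarounds instead of \b so "%B4111..." (track 1) still matches.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data (SAD): card security codes and full magnetic-stripe
# track data. PCI DSS forbids storing these after authorisation, even encrypted.
SAD_RES = {
    "CVV": re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE),
    "TRACK1": re.compile(r"%B\d{13,19}\^[^^]*\^"),
    "TRACK2": re.compile(r";\d{13,19}=\d"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out booking references and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(records):
    """Return (line, kind, masked value) for every PAN or SAD hit in the records."""
    findings = []
    for lineno, rec in enumerate(records):
        for m in PAN_RE.finditer(rec):
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_valid(pan):                    # Luhn-invalid runs are not PANs
                findings.append((lineno, "PAN", mask_pan(pan)))
        for kind, rx in SAD_RES.items():
            if rx.search(rec):
                findings.append((lineno, kind, "<redacted>"))
    return findings


class TokenVault:
    """Hypothetical tokenisation vault: only the vault, inside the CDE, maps tokens
    back to PANs. Tokens keep the last four digits so staff can still recognise a
    card, but are built to fail the Luhn check so they cannot be mistaken for, or
    replayed as, a real PAN. Systems holding only tokens hold no cardholder data."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:              # same card, same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def sanitise_record(rec: str, vault: TokenVault) -> str:
    """Strip SAD and swap PANs for tokens so the record can live outside the CDE."""
    for rx in SAD_RES.values():
        rec = rx.sub("<SAD-REMOVED>", rec)

    def swap(m):
        pan = re.sub(r"[ -]", "", m.group())
        return "tok:" + vault.tokenize(pan) if luhn_valid(pan) else m.group()

    return PAN_RE.sub(swap, rec)


if __name__ == "__main__":
    for lineno, kind, value in find_cardholder_data(SAMPLE_RECORDS):
        print(f"line {lineno}: {kind} {value}")
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        print(sanitise_record(rec, vault))
```

The scan reports three PANs (two of them the same card) plus a security code and a full track, and ignores the Luhn-invalid reference number and the phone number; after sanitising, only the vault can turn a `tok:` value back into a PAN, so the PMS and anything that reads its logs drop out of scope, while the vault itself stays firmly inside it.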

Merchants should be aware that, as of July 2012, MasterCard has mandated that all European merchants and service providers using third-party payment applications must use PA-DSS validated applications. Full listings of validated applications are available on the PCI Security Standards Council's website, http://www.pcisecuritystandards.org/.

How can Sysnet help?
Sysnet's QSA consultants have significant experience in helping organisations attain and remain compliant with PCI DSS. We have worked closely with many high-profile organisations and have a wealth of experience with the varied range of payment applications currently in use.

Sysnet have taken this experience and built an extensive knowledge base which helps us to better assist you with the challenges you face.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.