
PCI Boot Camp

Presented by the PCI Compliance Task Force


Moderator:

Jeremy Rock

President ● RockIT Group


Agenda

  • PCI Overview

  • Removing Card Data From Your Hotel

  • Best Practices

  • Questions & Answers



PCI Overview

Presenters:

Mark Haley, CHTP

Managing Partner ● The Prism Partnership, LLC

Jeff Henschel

Director of IT ● Benchmark Hospitality International

Chuck Marratt

Regional Director of IT ● Benchmark Hospitality International

What is PCI?

What Does PCI Compliance Entail?

Overview Objectives

  • What are:

    • The Payment Card Industry (PCI) Data Security Standard (DSS) and

    • The Payment Application Data Security Standard (PA-DSS)?

  • What are the components of a sound data security policy and PCI Compliance?

  • How do you get to PCI Compliance?

  • Vocabulary and Concepts for all of above


  • Why is Compliance So Important?

  • PCI & PCI Compliance Defined

  • Key Issues

    • Who is responsible for compliance?

    • What gets overlooked?

    • How do I plan my compliance journey?

  • Additional Resources

  • Questions

Why Is Compliance Important?

  • PCI Compliance is like insurance

  • Good business practice

  • You are vulnerable!

    • 55% of credit card fraud from hospitality

    • 85% of breaches against Level 4 merchants*

  • Potential impact of a breach

    • Customer Relations

    • Legal

    • Financial

* Source: Unified Compliance Framework

Why Is Compliance Important?

  • Because they are after us!

    • Hackers now specifically targeting hospitality

    • 38% of breaches in 2009 in hotels and resorts

      Source: Trustwave Spider Labs

2010 Market Trends: Industries by Percent of Breaches

*Statistics from 2011 Verizon Business Data Breach Investigation Report

2010 Breach Trends: The Facts

  • 761 Breaches in 2010 (141 in 2009)

  • 89% of victims subject to PCI DSS had not achieved compliance

  • 86% of the breaches were discovered by a third party

  • 86% of the victims had evidence of the breach in their log files

  • 98% of all breached records came from servers

  • 96% of breaches were avoidable through simple or intermediate controls

* All percentages are from the 2011 Verizon Business Data Breach Investigation

Why Is Compliance Important?

You don’t want to make the headlines!

Costs of Non-Compliance

  • Costs of a Breach

    • Fines from issuing brands

    • Costs to address vulnerabilities

    • Costs of Level 1 audits in future

    • Lawsuits from card-issuing banks for card replacement costs

    • Loss of customer trust and goodwill

    • Loss of business

    • Tarnished reputation


  • Data security standards for all merchants accepting credit, debit or other cards to protect cardholder data

  • To ensure the integrity of the global payment card industry

  • Applies to ALL cardholder data

    • Electronic

    • Paper

  • Applies to ALL merchants

Definition - Roles

  • Key Players & Roles

  • Standards “owned” by PCI Security Standards Council

  • Enforcement reserved to the issuing brands

Lodging Complexity - Lifespan of a Credit Card Number in a Lodging Environment

Definition - Details

  • Payment Card Industry (PCI) Data Security Standards (DSS)

    • 12 Major Requirements

    • Applies to everyone handling cardholder data

      • Merchants

      • Processors

      • Intermediaries

    • Self-Assessment Questionnaire (SAQ) for most merchants

      • Different forms of SAQ varying with merchant’s processing infrastructure

Definition - Details

  • Payment Application Data Security Standards (PA-DSS)

    • Formerly known as Payment Application Best Practices (PABP)

    • Applies to software vendors marketing products that handle cardholder data

    • Requires software vendors to invest in certification, costly to achieve and maintain

    • Merchants forbidden to use uncertified payment applications July 2010

Definition of Merchant Levels

Merchant Level Description

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

Key Issues

  • Who is responsible?

The Merchant

What Gets Overlooked?



Where Companies Fail Their PCI Audit

2011 Global Security Report

Action Items

  • How do I plan my compliance journey?

    • Assign an Owner

    • Use your Acquirer

    • Use your Franchisor/Brand

    • Establish Documentation

    • Gather Inventories

    • Use your Software Vendors

    • Complete Self-Assessment Questionnaire (SAQ)

Action Items

  • How do I plan my compliance journey? (continued)

    • Determine if you need a Qualified Security Assessor (QSA)

    • Implement Vulnerability Scans from an Approved Scanning Vendor (ASV)

    • Address SAQ Deficiencies

    • Update your Documentation

    • Repeat!

Just Remember…

  • Data Security is an ongoing process.

  • Recognize the risks at all levels in your organization.

  • Understand what you can do to be proactive.

  • Determine what behaviors and processes may have to change.

Action Items

  • Budget for PCI

  • Not a One-Time Expense!

  • Initial costs may include:

    • Engage a QSA or other resources

    • System replacements

    • Staff costs for initial SAQ

  • On-going Costs Include:

    • Quarterly Penetration Scans

    • Annual SAQ exercise

    • Internal & External evaluations of technology in scope

    • Logging and Alert management

    • Anti-Virus subscriptions

    • Payment Application upgrades

    • Intrusion Detection Software

    • Resources and training to manage security measures

Action Items

  • Make sure you budget appropriately as PCI compliance is an ongoing expense to your organization.

  • Costs include but are not limited to items listed below:

    • Annual Penetration Scanning

    • External scans of technology in scope

    • Internal scans of technology in scope

    • Logging and Alert Management

    • Anti Virus upgrades/renewals

    • PMS/POS Annual Upgrades

    • Intrusion detection software

    • Resources and training to manage PCI and Security measures implemented.

Additional Resources

  • AH&LA publication, The Payment Card Industry Compliance Process for Lodging Establishments: http://ahla.com/technology

  • PCI Security Standards Council: http://pcisecuritystandards.org

  • Visa: http://www.visa.com/cisp

  • MasterCard



PCI Boot Camp:

Removing Card Data From Your Hotel

Presenters:

William Collins

Executive Director – Vertical Market Strategy ● Heartland Payment Systems

Sue Zloth

Group Manager, Product ● Merchant Link, LLC

Bob Lowe

Director of Strategic Relationships ● Shift4

Lyle Worthington, CHTP

Chief Information Officer ● Horseshoe Bay Resort

Do You Really Need It?

  • Why do you have it in the first place?

    • Old Processes

    • You Think You Need It

    • Chargeback documentation

  • Balancing Risk and Convenience

    • Does the risk of having credit card data outweigh the convenience it creates?

Just Say No

  • Eliminate capturing/storing of Credit Card data unless it is absolutely necessary

    • Question/Challenge the need

    • Re-evaluate outdated processes

      • Card Imprinting

      • Credit Auth Forms

      • Accounting/Chargeback Reconciliation

      • Events/Catering

    • Develop contingency plans for one-offs scenarios

      • Off Line Authorizations

      • Special Guest Requests, etc.

    • Evaluate partner’s processes/systems

      • Ask, Expect, Inspect

    • Understand effect of introduction of new devices into your environment

      • Mobile/Tablets

      • Kiosks

    • Use technology to protect data you must capture

Using Technology

PCI Approach: Protect What You “Must” Have (This used to be a straightforward statement.)

  • Protect Stored Data

    • Securely encrypt stored data

    • Encrypt transmissions of cardholder data across public networks

    • Restrict access to data on a “need-to-know” basis

    • Mask PAN by default, reveal to selected people on request

  • Over time, this gets more and more complex. Time for a technology rethink…?

The Challenge

Imagine a princess in a castle…

Securing her against attacks of increasing sophistication is difficult and expensive.

The Solution


  • Purpose-Designed Solutions for Consideration

    • Encryption at Swipe or Keyed Entry

    • Tokenization

Technology Choices

Encryption at Swipe or Key

  • Data is Swiped or Keyed into Encryption Device.

  • Transmit ONLY encrypted data through your environment.

  • Two Common Terms Used To Describe (Interchangeable)

    • End to End

    • Point To Point

  • Key To Encryption Solutions

    • Ensure POS/PMS has no ability to decrypt

    • Understand where Card Data gets decrypted

      • The farther down the path the better

      PCI is working on regulatory changes to recognize that the use of this solution may reduce a merchant’s PCI scope.

Technology Choices

Tokenization


  • Replacing sensitive cardholder data (CHD) with a piece of data that references Card Data, stored elsewhere.

  • Vendors use different methods to generate Tokens

  • It should not be possible to reverse engineer a Token back to the actual card data.

  • Some solutions combine encryption at entry and tokenization;

    • Encryption used on data in transit

    • Tokenization used on data at rest

      Correct tokenization solutions remove the PMS from the scope of PCI DSS.
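The two technology points made on the preceding slides, masking the PAN by default and replacing the stored card number with a token that cannot be reversed, are shown together below in an added example that is not part of the presentation or any presenter's product. The TokenVault class is an assumed in-memory stand-in for a processor-side vault (in a real deployment the vault sits outside the property network); the function names and the card numbers are constructed for the example, and the numbers pass a Luhn check but are not real accounts.

```python
"""Added example: minimal tokenization flow with PAN masking.

Shows what "the PMS holds only a token" means in practice. The vault
is an in-memory stand-in (assumption) for the processor's token vault.
Card numbers used here are constructed test values, not real cards.
"""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; rejects mistyped input before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for the front desk. PCI DSS permits showing at most the
    first six and last four digits; this keeps only the last four."""
    return "X" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the processor's vault (assumption: plain dict).
    Tokens are random, so a token cannot be turned back into a PAN by
    anyone who does not also hold the vault."""

    def __init__(self) -> None:
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = secrets.token_hex(16)      # 128 bits of randomness, no relation to the PAN
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the party that settles the charge ever calls this."""
        return self._by_token[token]


def pms_record(vault: TokenVault, guest: str, pan: str) -> dict:
    """What the property management system stores for a reservation:
    the token for settlement and the masked PAN for staff display."""
    token = vault.tokenize(pan)
    return {"guest": guest, "card_token": token, "card_display": mask_pan(pan)}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if the full PAN appears anywhere in the stored record."""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = pms_record(vault, "Doe, J.", "4111111111111111")   # constructed test PAN
    print(rec)
    print("settles to", vault.detokenize(rec["card_token"]))
```

The design point is the one the slide makes: because the token is random rather than derived from the card number, compromising the PMS database yields only tokens and last-four digits, and the vault (outside the property) is the only place the PAN exists.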

Technology Choices

Your Action Plan

  • Review tokenization and Encryption at Source offerings that are supported by your software providers

  • Select technology solutions that reduce your PCI exposure by removing data from your applications

  • It’s better to not have data at all than to spend a lot of $$ trying to protect it

Cloud Computing

Does It Solve The Problem?

  • Cloud Computing does not necessarily remove all scope from your property

  • Cards could still exist in your network

  • Some public cloud vendors openly state they can’t and won’t be PCI compliant.

  • Vendors may use other cloud vendors

  • For more information please attend the Cloud Computing Super Session Thursday at 9am

PCI Boot Camp:

Best Practices



Senior Incident Response Consultant ● TrustWave/SpiderLabs

Marty Stanton

Vice President, Information Technology ● Destination Hotels & Resorts

Jerry Trieber, CPA, CHAE, CFE, CFF

Director of Field Accounting ● Crestline Hotels & Resorts

Best Practices: Types

  • The best practices we will discuss today fall into 3 distinct but interwoven areas:

    • Operations

    • Networks

    • Documentation

Best Practices: Operations

  • Operational best practices should be implemented at all hotels, restaurants, clubs, casinos, and other hospitality enterprises currently accepting credit cards as methods of payment.

  • Those best practices are….

Best Practices: Operations

  • Discontinue the imprinting of credit cards if still imprinting.

  • Review proper merchant bank retrieval request and chargeback information requirements: don’t keep documents containing complete credit card numbers for fear of losing a chargeback.

  • Discourage facsimile receipt of credit card authorizations: secure fax machines and their output.

  • Prohibit e-mail receipt of credit card numbers.

  • For all voice, facsimile, or other methods of card receipt, enter directly into the system and destroy (shred) the paper.

Best Practices: Operations

  • Review Sales & Catering Department files for maintenance of documents containing credit card numbers.

  • Do not use Notes, Comments, or other unencrypted fields in Sales, Catering, and other electronic systems for credit card numbers.

  • Review who has access to view guests’ complete credit card numbers in both the PMS and POS.

  • Review if card data or computer passwords are written on a “sticky note” placed on computer monitors or are otherwise visible or unsecured.

Best Practices: Operations

  • Train users to log off their terminals and use tight auto-log off timeouts on payment applications if available.

  • Always consider proper storage, retention and disposal of paper and other sources of credit card numbers.

  • Select photocopiers and facsimiles with encrypted disk drives with auto-delete capability (24 hours).

  • Control physical access to server rooms, Front Desk and any other areas where credit card numbers are stored or processed. Consider logging and badging all visitors to these areas and a requirement to surveil all data centers by video.

Best Practices: Operations

Conduct training on PCI Compliance!

Training on PCI Compliance should include:

  • Making training materials consumer-friendly.

  • Annual training certification signed by all employees.

  • Making training certification a part of the “Acceptable Use Policy.”

  • Awareness of phishing, spear-phishing, pharming, and “vendor impostors.”

Best Practices: Networks

  • Best practices regarding networks fall into 3 categories:

    • Passwords;

    • Remote Access; and

    • Operations.

Best Practices: Network Passwords

  • All default passwords should be changed before connecting a device to the network. Devices to be reviewed include:

    • Payment application servers;

    • Other servers;

    • Routers; and

    • Firewalls.

Best Practices: Network Passwords

  • The SSID names for wireless networks should also be changed: how many networks named “Linksys Router” have you observed when looking for wi-fi “hot spots!?”

  • Be mindful of the definition of a “strong password” for PCI purposes, as it differs from that for non-PCI purposes!

  • Passwords for all users of payment applications should be unique:

    • No shared passwords!

    • Create unique passwords for vendors!

    • Use tools and policies to expire passwords, force strong passwords, and do not allow re-use of prior passwords!
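The password bullets above (a PCI-specific "strong password" definition, unique per-user and per-vendor passwords, forced expiry, no reuse of prior passwords) can be enforced in a payment application with a small policy check. The code below is an added example, not from the presentation or any vendor: the thresholds are parameters, and the defaults follow PCI DSS v2.0 requirement 8.5 (at least 7 characters, both letters and digits, change at least every 90 days, no reuse of the last 4), the version in force when this talk was given. Prior passwords are kept only as salted PBKDF2 hashes; the Account class and its method names are assumptions for the example.

```python
"""Added example: password policy check for a payment application.

Thresholds are parameters; defaults follow PCI DSS v2.0 requirement 8.5
(assumed here as the applicable version). Password history is stored as
salted PBKDF2 hashes, never in clear text.
"""
import datetime
import hashlib
import hmac
import os

MIN_LENGTH = 7          # minimum password length
MAX_AGE_DAYS = 90       # force a change after this many days
HISTORY_DEPTH = 4       # number of prior passwords that may not be reused
ITERATIONS = 100_000    # PBKDF2 work factor


def meets_complexity(pw: str) -> bool:
    """Length plus at least one letter and one digit."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Returns (salt, digest); a fresh random salt per stored password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def password_matches(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """One user of a payment application. Every person and every vendor
    gets its own Account, so there is no shared login to evaluate."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._history = []          # (salt, digest) pairs, oldest first
        self._changed_on = None     # date of the last accepted change

    def set_password(self, pw: str, today: datetime.date) -> str:
        """Returns 'ok' or a reason the new password was rejected."""
        if not meets_complexity(pw):
            return "rejected: fewer than %d chars or missing letters/digits" % MIN_LENGTH
        if any(password_matches(pw, s, d) for s, d in self._history[-HISTORY_DEPTH:]):
            return "rejected: reuses one of the last %d passwords" % HISTORY_DEPTH
        self._history.append(hash_password(pw))
        self._changed_on = today
        return "ok"

    def is_expired(self, today: datetime.date) -> bool:
        """Never set, or older than MAX_AGE_DAYS: force a change at login."""
        if self._changed_on is None:
            return True
        return (today - self._changed_on).days > MAX_AGE_DAYS


if __name__ == "__main__":
    start = datetime.date(2011, 6, 20)       # constructed date
    acct = Account("frontdesk.jane")         # constructed user
    print(acct.set_password("hotel1", start))
    print(acct.set_password("hotel123", start))
    print("expired on 2011-09-19:", acct.is_expired(datetime.date(2011, 9, 19)))
```

A vendor support account goes through the same class with its own password, which is what "create unique passwords for vendors" amounts to; the only vendor-specific addition would be disabling the account between support sessions, which the remote-access slides cover.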

Best Practices: Network Remote Access

  • PCI Compliance requires that remote access privileges be closely controlled and monitored.

  • Regarding vendors:

    • Access should be “on-request” from the property and not from the vendor.

    • The property must initiate the remote access connection.

    • Logging should be embedded in the access tool used.

    • Default ports should be changed.

    • Remote access should be added to vendor agreements and contracts.

    • Hotel personnel trained to authenticate callers purporting to be vendors requesting access for support – very important!

Best Practices: Network Remote Access

Regarding employees:

  • Access should be “on-request” from the employee, approved by the department head/EC member, with a valid reason for access.

  • Access should be granted only to those applications needed by the employee and not to the entire network, depending upon where payment applications reside.

  • Default ports should be changed.

  • A remote access program with strong authentication and logging should be used!

Best Practices: Network Operations

  • Maintain separation of guest and employee networks.

  • Ensure that there are anti-virus subscriptions on all computers and that they are current!

  • See that security patches are applied regularly!

  • Be alert for skimmers and keystroke loggers!

  • Be alert for rogue software, PCs, and wireless or USB devices!

  • Use a laptop or smartphone to scan for rogue devices.

Best Practices: Network Documentation

  • PCI Compliance requires significant levels of documentation, including 4 different types of self-assessment questionnaires (SAQs), dependent upon a property’s “merchant level” classification.

  • SAQ D is the most common type of SAQ.

  • The PCI Compliance Roundtable is examining new user-friendly types of the SAQs, including the SAQ D.

Best Practices: Network Documentation

  • Other types of PCI Compliance-based documentation that should be prepared include:

    • Acceptable Use Policy;

    • Backups and Disaster Recovery;

    • Incident Response Plans;

    • Merchant level determination letters from acquirers;

    • Proof of PCI PA-DSS Compliance letters from payment applications used; and

    • Network vulnerability scan reports.

Best Practices: Network Documentation

  • A sample user-friendly SAQ-D is here:

What Did You Think?

In order to help us create/provide a better HITEC

experience in the future, please take a second to fill out the short survey that will be sent to you via e-mail at the end of the day.

And THANK YOU for attending HITEC!

Learn how HFTP membership can benefit you: visit www.hftp.org