The Payment Card Industry Compliance Process for Lodging Establishments


The Payment Card Industry Compliance Process for Lodging Establishments
A Technology Primer
Developed by the American Hotel & Lodging Association's Technology and E-Business Committee
Funded by the American Hotel & Lodging Educational Foundation
NEI01ENGE PP-3132


This guide was written by Mark G. Haley and Daniel J. Connolly and produced by the Technology and E-Business Committee of the American Hotel & Lodging Association (AH&LA) through a grant from the American Hotel & Lodging Educational Foundation (AH&LEF).

Technology and E-Business Committee
Co-Chair: Daniel Connolly, Ph.D., Associate Professor, University of Denver
Co-Chair: Clay Dickinson, Executive Vice President, Jones Lang LaSalle Hotels
Vice Chair: Patton Conner, Vice President, Information Resources, Marriott International
AH&LA Officer Liaison: David Kong, President & CEO, Best Western International
AH&LA Officer Liaison: Robert L. Steele, III, General Manager, Grand Hyatt Tampa Bay
AH&LA Staff Liaison: Laurence Barron, Vice President & CIO, American Hotel & Lodging Association

Members
James O. Abrams, ISHAE Representative, President & CEO, California Hotel & Lodging Association
Stephen C. Barth, Professor, University of Houston
Carol Beggs, Vice President Technology, Sonesta International Hotels Corporation
Larry J. Beiderman, General Manager, Loews Annapolis Hotel
Art Bouffard, ISHAE Representative, President, New Mexico Lodging Association
Kathleen Pearl Brewer, Ph.D., Professor/Director of Graduate Studies, University of Nevada at Las Vegas
Dennis Carpenter, Director, Association Alliances, Heartland Payment Systems
Cihan Cobanoglu, Ph.D., CHTP, Associate Professor, University of Delaware HRIM
George R. Conrade, CHA, CHTP, Assistant Professor, University of Delaware HRIM
Gregory A. Dugal, ISHAE Representative, Executive Director, Maine Innkeepers Association
Rich Ehlers, Director, ibahn
Bernard Ellis, Managing Director Americas, IDeaS Revenue Optimization
Jennifer Fischer, Director, Payment System Risk, VISA U.S.A. Inc.

© 2008 American Hotel & Lodging Association. All rights reserved.

William Folkerts, Owner, Comfort Inn
Brian P. Garavuso, CHTP, Chief Information Officer, Hilton Grand Vacations Company
Mark Haley, CHTP, Partner, The Prism Partnership
Gary Haynes, Manager, Telecommunication Operations, Starwood Hotels & Resorts Worldwide, Inc.
Richard J. Jackson, CHTP, Vice President, Technology Operations, Hilton Grand Vacations
Scott K. Joslove, ISHAE Representative, President & CEO, Texas Hotel & Lodging Association
Deena Kaufman, SVP Revenue & Distribution, Preferred Hotels & Resorts Worldwide, Inc.
Mike Keppler, VP E-Commerce, Marriott International, Inc.
Mike Kistner, Sr. Vice President Operations & Service Delivery, Pegasus Solutions, Inc.
Doug Linkowski, Director, Marriott Business Center
Sherry Marek, Vice President of Marketing, Datavision Technologies Inc.
Robert Mueller, President, Samata Management Inc.
Daniel C. Murphy, CHA, ISHAE Representative, President, New York State Hospitality & Tourism Association
Frank J. Nardozza, Chairman & CEO, REH Capital Partners, LLC
Monika Nerger, Vice President of Technology, The Americas, Mandarin Oriental Hotel Group
William J. Ott, CHA, General Manager, The Radcliff Inn/Tarco Hospitality, Inc.
Dan Ouellette, General Manager, Crowne Plaza Columbus North
Buggsi G. Patel, President/Chief Executive Officer, BHG Hotels
Kirby D. Payne, CHA, President, HVS/American Hospitality Management Company
Darrin Pinkham, CHTP, Vice President, Technology, Ginn Resort
Tina Reese, Regional Vice President, First Data Commercial Services Revenue Sharing Alliances
Douglas C. Rice, Chief Executive Officer, Hotel Technology Next Generation (HTNG)
Andy Ross, Vice President of Technology, Canyon Ranch Spa Tucson
Jeffrey Senior, Executive VP, Marketing & Sales, Fairmont Hotels & Resorts
Jules Sieburgh, CHTP, O'Neal Consultants
Richard Siegel, President, Siegel Communications
Kevin Smith, General Manager, New Yorker Hotel Management Co., Inc.
Chris Wichers, Executive Vice President, Open Hospitality

Acknowledgements

American Hotel & Lodging Educational Foundation's Research and Project Funding Committee

Editorial Reviewers
James O. Abrams, California Hotel & Lodging Association
Pearl S. Brewer, Ph.D., University of Nevada, Las Vegas
Cihan Cobanoglu, Ph.D., CHTP, University of Delaware
Jon Inge, CHTP, ISHC, Jon Inge & Associates
Gene Kim, Tripwire
Chris Zoladz, Marriott International

Disclaimer

This publication is intended only as a general guide concerning compliance by the lodging industry with the Payment Card Industry Data Security Standard (PCI DSS), and it does not purport to be, nor should it be used as, a complete or definitive definition of compliance with the PCI DSS or any other standards, regulations, or legislation. While this publication is designed to provide accurate and authoritative information in regard to the subject matter covered, it is published with the understanding that the American Hotel & Lodging Educational Foundation (AH&LEF), the publisher of this document, is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, one should seek out the services of a competent professional person or firm. Nothing contained in this publication shall constitute a standard, an endorsement, or a recommendation by the authors, the AH&LEF, or the American Hotel & Lodging Association (AH&LA). The authors, AH&LEF, and AH&LA disclaim any liability for any use of this publication, or with respect to the use of any information, procedure, methods, forms, or suggestion contained herein, or reliance thereon by any member of the hospitality industry or by anyone.


About the Authors

Mark G. Haley, CHTP
Mr. Mark Haley is a partner with The Prism Partnership, LLC, where he manages the firm's technology practice. Services include strategy development, needs analysis, system selection, specification development, and more. Relevant technologies include customer relationship management, Internet applications, property management, central reservations and global distribution systems, and all aspects of hotel voice and data communications. Mr. Haley has been consulting since 1997, having founded High Touch Technologies after 15 years with ITT Sheraton. He started at Sheraton on the front desk, leaving as director of property technology after a number of positions of increasing responsibility at every level of the corporation.

Daniel J. Connolly, Ph.D. (connolly@du.edu)
Dr. Daniel Connolly is an Associate Professor of Information Technology at the University of Denver with a dual appointment in the School of Hotel, Restaurant and Tourism Management and in the Department of Information Technology and Electronic Commerce. His teaching, research, and consulting interests focus on the strategic application of information technology and electronic commerce. He routinely presents his work at professional and academic conferences around the world, is a prolific writer, and is often quoted in the industry trade press on hospitality technology-related matters. Dr. Connolly is co-chair of the American Hotel & Lodging Association's Technology and E-Business Committee, a founding member of and executive advisor to Hotel Technology Next Generation (HTNG), and an executive board member of the Hospitality Industry Technology Association (HITA). Before joining the faculty at the University of Denver, Dr. Connolly served on the faculties of Cornell University, Michigan State University, Virginia Tech, and Concord College, where he taught graduate and undergraduate courses in information technology, strategic management, finance, and hospitality administration. Prior to joining academia, Dr. Connolly spent nearly 8 years working at Marriott International's corporate headquarters in the area of information systems.


Table of Contents

Executive Summary
Section 1: An Introduction to PCI Compliance
Section 2: What Does All of This PCI Stuff Mean? Concepts and Definitions
Section 3: Lodging-Specific Considerations and Vulnerabilities
Section 4: What Do I Have to Do to Comply?
Section 5: The Compliance Planning Process
Section 6: Self-Assessment Questionnaire D
Section 7: What to Do if Compromised
Section 8: Checklists
Section 9: Additional Resources

Figures and Tables

Section 1
Figure 1: A Synopsis of the PCI Data Security Standard
Figure 2: The Customer Says: It's All about Protecting ME!
Figure 3: Getting Started with PCI!
Table 1: Examples of Companies Victimized by Computer Crime

Section 2
Figure 4: The PCI Value Chain
Figure 5: Visa's Merchant Level Definitions and Validation Requirements
Table 2: Merchant Classification Schemes
Table 3: PCI DSS Self-Assessment Questionnaires (SAQs)

Section 3
Figure 6: The System Architecture of a Typical Hotel

EXECUTIVE SUMMARY

Every lodging establishment, regardless of size, is required to comply with the Payment Card Industry Data Security Standard (PCI DSS, or simply PCI or DSS for short), and failure to comply fully can result in significant financial costs and catastrophic business consequences. This guide, or primer, describes the PCI DSS in the context of the lodging industry, sets forth the consequences of non-compliance in the event of an information security breach, and explains, both broadly and in detail, what lodging operators should do to ensure compliance. This primer should serve as an immediate call to action for every lodging operator.

Securing a business enterprise is no easy feat, especially in this high-tech era and for one as complex as a hotel or lodging organization. Nonetheless, it is absolutely necessary and an important obligation for anyone practicing business. Many like to think that their operations are safe or that problems only happen to other organizations, but this thinking is myopic at best and inappropriate given the increase in threat levels, what is at risk, the sophistication of attackers, and the amount of sensitive information entrusted to hotel and lodging associates. Upwards of 55% of credit card fraud comes from the hospitality industry, [1] and the smallest merchants (known as Level 4 merchants) account for over 85% of the compromises, with a noticeable increase in risk coming from franchisees. [2] Increasingly, security breaches are the result of relatively simple and easy-to-fix problems that create vulnerabilities that can be exploited by relatively unsophisticated hackers or data thieves. A study conducted by Verizon of over 500 data breaches since 2004 reveals a sobering truth: most of the breaches studied (87%) could have been prevented with simple and common security measures and safeguards. [3] These statistics underscore the need for tighter information security practices within the hospitality industry. The threats are very real and could affect you. Thus, you will want and need to read further to be sure you are implementing a multi-pronged security strategy that properly protects your operations and guest data.

[1] Cougias, Dorian. (2008, April 18). Securing Payments: What the Payment Card Industry Data Security Standard Means for your Resort. 8th Annual Resort Conference, San Diego, CA. Mr. Cougias is founder and chief executive officer of Network Frontiers and a member of the PCI Security Standards Council.
[2] Visa, Inc. (2008, February 27). Security Best Practices for Level 4 Merchants and Franchise Operators: Payment System Security Compliance. Available: merchants/ l4-franchises-best-practices.pdf.
[3] Kerber, Ross. (2008, June 11). Most data theft tied to basic security flaws. The Boston Globe. Available: basic_security_flaws/

If your lodging establishment or hotel company processes fewer than one million Visa transactions per year (and fewer than 20,000 Visa e-commerce transactions), you are categorized as a Level 4 merchant under Visa's scheme; the other brands use similar thresholds (see Section 2). Because approximately half of the lodging establishments in the U.S. are under 75 rooms in size, this describes many hotel/lodging operators and the vast majority of the American Hotel & Lodging Association (AH&LA) membership, the intended audience for this publication.

You should not assume that your technology vendors and your franchisor (if you are a franchisee) are handling your PCI DSS compliance. It is your responsibility and obligation.

In simple terms, PCI was formed to reduce risk and prevent problems related to the misuse of cardholder data. As set forth in the PCI DSS, all merchants accepting payment in the form of credit and/or debit (i.e., payment) cards must adopt a series of security measures to protect sensitive customer credit and debit account information.

The first thing you need to know about PCI DSS compliance is that, regardless of your size, you need to complete a document called the Self-Assessment Questionnaire (SAQ) and submit it to your acquiring bank (sometimes called a payment card processor or acquirer). You must also submit a passing scan report from a PCI Approved Scanning Vendor (ASV) that has scanned every address through which your property is reachable from the public Internet. SAQs must be submitted annually. Network scans must be conducted quarterly, and again after any significant change to the network. Note that the ASV scan tests only what is reachable from the Internet; it says nothing about the systems and practices inside your property, which is what the SAQ is meant to cover.

Completing the SAQ requires a thorough assessment of your information systems and all business processes associated with payment card data, whether they are related to an information technology (IT) system or not. Good examples here include the need to cease imprinting payment card data on the backs of registration cards at check-in or on restaurant and banquet checks, printing only a truncated account number (at most the first six and last four digits) on guest folios and payment card receipts, and securing reports that show card numbers.

The key step for you, as lodging operator, embarking on a PCI compliance journey is to appoint a person who will have overall responsibility for information security and PCI DSS compliance. This compliance owner, or champion, must assume responsibility for managing the compliance process, maintaining documentation of the process, and overseeing the numerous relationships affected by compliance. Ideally, this should be an operations manager or, depending on the scale of the organization, an executive with clear authority to reach across department lines into the accounting, IT, and other departments.

According to Visa, the top five most common vulnerabilities surrounding payment card fraud are the following: [4]

1. Storing prohibited data (i.e., full track data, card verification values, and personal identification number [PIN] block data).
2. Unpatched systems.
3. Use of vendor default settings and passwords.
4. Poorly coded (i.e., insecure) web-facing applications.
5. Unnecessary and vulnerable services on servers.

To address these threats, one should pursue three simple steps: [5]

1. Eliminate the storage of prohibited cardholder data.
2. Protect cardholder data using secure payment applications.
3. Secure the environment according to PCI DSS.

The payment card brands (specifically Visa, MasterCard, American Express, JCB, and Discover) enforce PCI DSS compliance with fines on merchants that fail to comply and to document their compliance. These fines can be very steep. Visa's fine structure ranges from $5,000 to $25,000 per month. American Express's fine structure begins at $50,000 and goes up from there. Fines are levied through the acquiring bank. In addition, each card brand can also deny you the privilege of accepting its cards if it deems that your business is an unacceptable security risk.

There are many other reasons to care about PCI and to take it seriously:

Your reputation is at risk. Consumers want to do business with organizations they can trust. Should a lodging operator experience a payment card breach, the media will broadcast the failure to protect customer data to the world. There have been hundreds of such stories in the major media over the past three years. The hotel company will lose business and the goodwill of its most important assets, its guests and its brand reputation.

Other financial penalties. Beyond the fines imposed by the acquiring or merchant banks (often passed on from the card brands), the banks that issue the cards have successfully demanded compensation from merchants that have experienced information security breaches for their costs in re-issuing replacement cards to compromised customers. These costs can run into the millions very quickly. Look for the brands to charge higher interchange rates to merchants that are not certified as compliant as another financial penalty. Additionally, payment processing fees can increase significantly (much like what happens to car insurance rates when an accident or traffic violation is reported). Merchants that experience a breach can also be required to meet expensive increased PCI DSS compliance obligations, such as on-going and mandatory information security audits, forensic investigations, system upgrades, and Internet scans, costs which can add up to hundreds of thousands of dollars.

Legal penalties. PCI DSS is not a law, but elements of PCI compliance have been incorporated into a variety of state laws dealing with information security breaches, and these laws subject the non-compliant merchant to further costs and potential lawsuits. It is, however, a contractual obligation and a matter of business ethics to comply with such a standard. If you fail to comply, you may run the risk of losing the privilege of accepting payment cards to transact business. Given the popularity of payment cards in the lodging industry, it is simply not worth the risk of losing this payment option. It is hard to imagine how a hotel could operate in this day and age on a strictly cash basis.

It is the smart thing to do! The core elements of the PCI DSS are simply good business practices that every merchant should accept as common sense. Securing a firm's assets, no matter the type, should be a high priority. Compliance can be a difficult and costly exercise for any lodging operator, but it simply cannot be avoided. It is better and less costly to be proactive rather than reactive. Hoteliers need to take the challenge on or hire someone to do it for them. The risks are too great not to, but the benefits are substantial as well.

[4] Visa, Inc. (2008, February 27). Security Best Practices for Level 4 Merchants and Franchise Operators: Payment System Security Compliance. Available: merchants/ l4-franchises-best-practices.pdf.
[5] Greenhaw, Diana. (2008, March 20). Visa's Strategy to Secure the Payment System. Part of an online webinar on PCI compliance sponsored by the AH&LA. Ms. Greenhaw is a business leader for payment system security compliance at Visa, Inc.
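The first item on Visa's list above, stored track data, card verification values and PIN blocks, is the one a property can find for itself before an auditor or a thief does, and the folio guidance earlier in this summary (print only a truncated account number) is the other side of the same coin. The script below is an added example written for readers of this primer; it is not from the AH&LA, Visa, or any vendor named here. It scans text records for full track 1 and track 2 data, labelled card verification values, and full primary account numbers, uses the Luhn check to separate real account numbers from look-alike confirmation numbers, and shows the first-six/last-four truncation that PCI DSS permits on folios and receipts. The record formats, field labels and sample lines are constructed for the example; the account numbers are the publicly known Visa and MasterCard test numbers and belong to no cardholder.

```python
"""Added example (not part of the AH&LA primer): find prohibited cardholder data
in text records and truncate account numbers the way PCI DSS permits on folios.
Record layouts, labels and sample lines are assumptions constructed for the
example; the PANs are the well-known Visa/MasterCard test numbers.
"""
import re

# Track 2 as a magnetic-stripe reader emits it:  ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1:  %B<PAN>^<NAME>^YYMM<service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# A card verification value written next to its label (CVV2, CVC2, CID, CAV2)
CVV_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID|CAV2?)\s*[:#]?\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """True if the digits pass the Luhn check used by every major card brand."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits, the most PCI DSS allows to be shown."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a primary account number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_prohibited(text: str) -> list:
    """Return one finding per piece of prohibited data in a single record."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            findings.append({"kind": kind, "pan": mask_pan(m.group(1))})
            covered.append(m.span())  # don't report the PAN inside the track twice
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops confirmation numbers that merely look like PANs
            findings.append({"kind": "full_pan", "pan": mask_pan(digits)})
    for _ in CVV_RE.finditer(text):
        findings.append({"kind": "cvv", "pan": None})
    return findings


def scan_records(records) -> list:
    """Scan a sequence of text records and tag each finding with its record index."""
    return [{"record": i, **f} for i, rec in enumerate(records) for f in find_prohibited(rec)]


# Constructed sample records: folio lines, a registration-card note, a PMS log line,
# a banquet event order, and two lines that must NOT be flagged.
SAMPLE_RECORDS = [
    "FOLIO 10482 JANE DOE  VISA 4111 1111 1111 1111  ROOM 512  TOTAL 642.18",
    "REGCARD note: ;4111111111111111=25121011234567890?",
    "2008-06-11 14:02:07 swipe=%B5500000000000004^DOE/JANE^25121011234567890?",
    "BEO 2211: MC 5500 0000 0000 0004 exp 12/25 CVV 321",
    "FOLIO 10483 JOHN ROE  VISA 411111******1111  ROOM 514",   # compliant truncation
    "CONFIRMATION 1234567890123456 guaranteed by fax",            # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['record']}: {f['kind']} {f['pan'] or ''}")
```

Point the scanner at exports of the property management and point-of-sale databases, application log directories, print spools and report folders, not just at the files you expect to hold card data; in practice the offenders are debug logs and "notes" fields. A hit on track data or a verification value in anything written after authorization is a process or application defect to fix at the source, not merely a file to delete, and if a hit suggests a real compromise the evidence should be preserved rather than cleaned up (see Section 7). Truncation as shown is one of the methods PCI DSS accepts for rendering a stored account number unreadable; sensitive authentication data may not be stored after authorization at all, even encrypted.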
About This Primer

This primer is meant to provide an introduction to PCI and, in a broader context, share some overarching information security principles and related best practices that should be applied by any business. It was designed to introduce and explain key terms and concepts, to raise awareness, to provide a call for action, and to illuminate a path for those just getting started. While it is intended to be a useful resource and reference, it should be noted that this primer is not the definitive source on PCI, nor was it meant to serve this role. The material presented is based upon months of research and interviews with PCI experts. This document will provide you the background, vocabulary, and guidance necessary to understand and complete the SAQ. It is generally advised to seek external assistance from approved industry experts. We do not intend this primer to deliver exhaustive responses to every requirement of PCI compliance for every hotel or lodging establishment, nor do we intend to provide a substitute for your own compliance analysis by your internal staff or external consultants. However, this primer will help ensure that your compliance efforts are efficient and effective and provide you guidance so you can seek help where necessary.

The document is structured as follows:

Section 1 presents a brief introduction to PCI compliance.
Section 2 discusses the key concepts you need to understand to move your property or lodging company toward compliance, including the roles of all of the participants in the process.
Section 3 reviews potential PCI problems and vulnerabilities unique to the lodging industry.
Section 4 discusses what you need to do to comply with PCI from a business and cultural perspective.
Section 5 presents greater detail and is intended for the person in the organization responsible for information security issues and compliance, to guide him/her through the compliance planning process; it includes discussion of using your acquirer, franchisor, and other resources in your compliance initiative.
Section 6 reviews, at a high level, the content of Self-Assessment Questionnaire form D, the one that most lodging operators will need to use.
Section 7 discusses what a lodging organization should do if it finds that its cardholder data security has been compromised.
Section 8 contains a number of sample checklists that the compliance manager can use to track progress toward compliance.
Section 9 identifies other resources available to lodging operators with useful information on compliance.

SECTION 1: An Introduction to PCI Compliance

PCI Compliance Pre-Test and Readiness Quiz

Think you're ready for PCI now? Is this primer for you? Take this brief quiz and find out! Answer each question Yes, No, or Don't Know.

Business Practices
- Do you take guaranteed reservations by fax, e-mail, or traditional mail?
- Do you imprint guest credit card account numbers on registration cards, restaurant checks, or banquet checks?
- Do you use credit card forms with carbon?
- Do you print the complete credit card number on guest folios, in sales contracts, or on banquet event orders?
- Do you manually record credit card information in any part of your organization?
- Do you store paper records containing credit card data? If so, are they kept in an unsecured location?
- Do you know how and where guest credit card data are collected, stored, processed, and shared or transmitted? (Here a No is the warning sign.)
- Can you identify every location and everyone who touches or has access to guest credit card data? (Here a No is the warning sign.)
- Does your organization shred paper documents before discarding? (Here a No is the warning sign.)
- Do you audio record voice reservations for training and quality improvement purposes?

Technology Practices
- Does your computer network have a firewall?
- Do you run virus scans at least weekly on all of your computers?
- Are your virus scanning software and signature files up-to-date?
- Do you require users to change passwords at least every 90 days?
- Are passwords required to consist of numbers, letters, and special characters?
- Are user access privileges revoked immediately upon or before separation from the company?
- Do you encrypt all payment transactions that are collected, stored, and transmitted electronically?
- Do you restrict user access to guest credit card data?
- Have you asked your computer software vendors if their applications are PCI-compliant, or at least made sure they are not storing track, card verification, and PIN block data?
- Have you changed all vendor-supplied password defaults and restricted vendor access to your systems?
- Are your computer servers located in physically secure areas?
- Are the operating systems you use up-to-date with the latest security patches?
- Do you conduct regular audits of your computer systems and network security?
- Do you routinely monitor your organization's systems for changes made to settings, applications, and passwords?
- Do you have procedures in place to authorize and test changes?
- Do your systems or applications maintain journal logs?
- Does your organization use standardized system configurations and access?

If you answered Yes or Don't Know to any of the questions in the Business Practices section (No or Don't Know for the three questions marked above), or if you answered No or Don't Know to any of the questions in the Technology Practices section, your organization is likely to be at risk of non-compliance with the PCI standard. Please continue reading this document for more information on PCI compliance and how you can improve your organization's practices and technology security. Please note that these questions are by no means exhaustive and do not ensure PCI compliance. They are provided as a means to stimulate thought, raise awareness regarding common areas and indicators of risk, and take an initial pulse as to how familiar you are with your organization's business and security practices and exposure to potential risks.

Information Security and PCI Compliance: A Call to Action

Information security is a mounting concern among consumers, employees, and businesses alike due to the growing number of computer breaches, payment card fraud, and reports of identity theft. To combat these risks and protect cardholders, the major credit card companies have created a comprehensive data security standard called the Payment Card Industry Data Security Standard (PCI DSS, or simply PCI or DSS). [6] This standard requires numerous changes to business processes, computer applications, and data storage (both electronic and paper-based). The payment card brands can and do impose steep penalties on merchants that fail to comply. The complexity and costs associated with complying with PCI will vary greatly depending on the size, nature, and technological sophistication of your operation. However, the concepts advocated within this standard are based on sound practices that one would expect to find in any Information Security 101 textbook. [7]

In simple terms, PCI was formed to reduce risk and prevent problems related to the misuse of cardholder data. As set forth in the PCI DSS, all merchants accepting payment in the form of credit and/or debit (i.e., payment) cards must adopt a series of security measures to protect sensitive customer credit and debit account information. Most merchants were given notice and a period of time to prepare their organizations and secure their systems. That grace period ended in the fall of 2007, at which point compliance enforcement began. Accordingly, every merchant, regardless of size or type, that accepts credit and/or debit cards should now be compliant with this standard or else face strict penalties and run the risk of losing the privilege to accept credit and debit cards, not to mention public embarrassment, possible regulatory inquiries from the Federal Trade Commission (FTC) or state attorneys general, and other significant costs if a breach were to occur.

Unfortunately, lodging operators and their software vendors are, in general, behind where they need to be in order to fully comply with this standard. [8] Consequently, your lodging operation and guests may be vulnerable. While some (namely, the large hotel chains) have risen to the occasion, regrettably, many other (mostly smaller and independent) organizations have not. Some may place the blame on lack of resources, but others are simply either unaware of the requirement or falsely assuming that their technology vendors or franchisors are responsible for protecting them. Needless to say, none of these excuses are justifiable. PCI is not optional. It is a critical necessity and here to stay. Thus, every hotelier needs to be on board.

One must view security and PCI compliance as an important business function and not simply as a task for one's information technology (IT) department, even though IT can be both part of the problem and part of the solution. Information security is the responsibility of the entire management team and staff in every hotel/lodging organization. Information security and compliance must pervade the organization's culture as an on-going process, not merely a one-time project or event with a specific end state. Consider compliance a moving target, with requirements evolving as technology and business needs change and new threats emerge.

Becoming compliant is much more involved than tightening up password control, adding encryption, and adding firewalls to the company's computer network. These are all necessary information security precautions, but they represent the low-hanging fruit. On the other hand, technology (e.g., firewalls, encryption, audit trails) provides tools to solve many of the problems addressed by PCI. The reality is that any form of security (whether it is for the physical property, employees and guests, sensitive information, or the establishment's technology) ought to involve everyone in the organization and be created with a comprehensive and holistic strategic view of the business enterprise and its operations. Most importantly, to be successful, direction and support for information security must come from the top of the organization. [9] While technology can be part of both the problem and the solution, we find that many information security infractions, particularly those involving computers and networks, are the result of human error, poor procedures, misconduct, and/or a lack of awareness or education. Thus, any steps an organization takes with respect to information security must involve an in-depth look at its people, its culture, and its business processes in addition to its technology.

A Hotelier's Duty of Reasonable Care to Guests

Although PCI is being driven by the payment card brands, some states (most notably Minnesota and Texas) have enacted elements of PCI compliance as law, [10] thereby providing another reason to take PCI compliance seriously and look at it as an important business opportunity to improve business operations and protect information systems, computer networks, and important guest data. Consider this to be an ethical obligation and a good business practice. It should, therefore, be a key component of any hotel company's business strategy and risk assessment.

Hoteliers have certain legal obligations to protect their guests from harm and criminal activity. One of the fundamental laws of innkeeping is a duty to exercise reasonable care to safeguard guests from criminal acts. [11] Over the years, what constitutes reasonable care has been expanded by the courts, placing greater obligations and increased liability on hotels. [12] Given the prominence of and dependence on IT in the lodging industry today to support the management of lodging establishments and the processing of guest transactions, it seems only logical to assume that this duty should also extend to protecting guest data passing through and stored in the many systems used throughout a hotel, inn, or resort. In many respects, one could view information security as an invaluable guest service. Although not specifically requested by guests, many guests expect and assume that a lodging operator will exercise reasonable care to make sure that any payment card information collected about them will be properly handled and kept safe.

Understanding PCI

PCI is not just about technology, although that is an important part of it. PCI is about managing and controlling business risk by protecting guest payment card data, increasing trustworthiness, and maintaining a strong brand reputation as a great company with which to do business. It is also about the organization, its culture and people, information, and the business processes used in the organization. It covers electronic data as well as data stored in paper-based files.

PCI affects all merchants globally, regardless of size, industry, location, or type of business, that accept credit and/or debit cards, and it covers the collection, storage, transmission, and use of customer and account information embedded in these cards. The PCI DSS is defined by six major control objectives and 12 key compliance requirements (see Figure 1). Simply put, PCI compliance from a customer's perspective is all about protecting me (see Figure 2); that is, separating guest information that can be found in a typical telephone book from guest identifiable data and

[6] Please see for further information.
[7] Rothke, Ben and Mundhenk, David. (2007, November 12). A Guide to Practical PCI Compliance. CIO.
[8] Cobanoglu, Cihan. (2007). PCI Revisited. Hospitality Technology, 12 (3).
[9] Raghavan, Venkat. (2007, October 1). Tear Down That Silo: Compliance in the Executive Suite. CIO. Available:
[10] Vijayan, Jaikumar. (2007, May 23). Minnesota Becomes First State to Make Core PCI Requirement a Law. ComputerWorld. Available: do?command=viewarticlebasic&articleid=
[11] Sherry, John E. H. (1993). The Laws of Innkeepers: For Hotels, Motels, Restaurants, and Clubs. Ithaca, NY: Cornell University Press.
[12] Feickert, Julie, Verma, Rohit, Plaschka, Gerhard, and Dev, Chekitan S. (2006, August). Safeguarding Your Customers: The Guest's View of Hotel Security. Cornell Hotel & Restaurant Administration Quarterly, 47 (3).

20 Figure 1: A Synopsis of the PCI Data Security Standard 13 Control Objectives Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy Twelve Steps to PCI Compliance* Compliance Requirements 1. Install and maintain a firewall configuration to protect data 2. Change vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data to a need-toknow basis 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security *The Payment Card Industry Data Security Standard (PCI DSS) includes numerous sub-requirements not listed here. To see these, visit Figure 2: The Customer Says: It s All about Protecting ME! Information likely to be found in directories such as a typical telephone book Information found on or embedded in a credit or debit card (such as account number, card validation values, PIN block data) 13 IT Compliance Institute. (2007, June 22). Compliance Insight: Challenges and Opportunities of PCI, p. 3. Available: pliance_insight_wp.pdf American Hotel & Lodging Association. All rights reserved.

21 account information related to credit and debit cards (such as track data, card verification values, and PIN block information). 14 These data should be completely safeguarded, wherever and whenever they are used in the organization, and should not be stored unless absolutely necessary and then, only for as long as necessary. In such cases, the organization must take all precautions to encrypt, secure, and control access to the data. The very essence of PCI compliance involves understanding what sensitive guest and payment card data are collected, where they are collected, by whom, how they are used and processed, the storage and transmission of these data, and how these data are disposed of after they have outlived their business usefulness. PCI compliance is about protecting and securing every facet of the business processes, technology, and personnel policies and training that play roles in any of these important business activities. Perhaps the best way to get a handle on how your organization works and its information flow is to follow the money. Organizations reporting the highest degrees of success with PCI compliance have employed a risk-driven model in which resources are prioritized around business risk to ensure proper alignment with the organization s objectives. 15 To understand how best to get started, smaller merchants should consider the model of the PCI compliance cycle presented in Figure 3. Before delving into PCI compliance, one should consider a preliminary compliance assessment to become familiar with the scope and potential problems and opportunities. This preliminary assessment should include a comprehensive review of the organization s portfolio of IT applications, infrastructure, architecture, and network typology; an in-depth review of the company s policies, procedures, and business processes and practices; a risk analysis and gap analysis; network vulnerability scanning; and mapping of the business flows to technology flows. 
16 This will provide a good base set of information and set the stage for a more complete audit. The following sections of this primer will discuss each of the major phases of the cycle in more detail. The Risks Are Real And Serious, Too! Unfortunately, it is difficult to ascertain the true number of computer crimes and the costs of these crimes. Companies dislike reporting this information 14 Cougias, Dorian. (2008, April 18). Securing payments: What the Payment Card Industry Data Security Standards mean for your resort. 8th Annual Resort Conference, San Diego, CA. Mr. Cougias is founder and chief executive officer of Network Frontiers and a member of the PCI Security Standard Council. 15 Rothke, Ben and Mundhenk, David. (2007, November 12). A Guide to Practical PCI Compliance. CIO. Available: 16 Rothke, Ben and Mundhenk, David. (2007, November 12). A Guide to Practical PCI Compliance. CIO. Available: American Hotel & Lodging Association. All rights reserved. 11

22 Figure 3: Getting Started with PCI! The PCI Compliance Cycle because of the negative publicity, the adverse impact to business, and the potential to lure copycats. Following California s lead in 2003, most states and the District of Columbia have adopted laws requiring companies to report the known or suspected loss or theft of certain personal information such as payment card information, social security numbers and driver s license numbers. Even with these laws in place, it is difficult to get a true read on computer-related crime, but evidence suggests it is on the rise. For the past 12 years, the Computer Security Institute has been tracking computer crime and security breaches across a variety of industries, universities, and governmnetal agencies. In its most recent (2007) study of 494 security practitioners, 194 respondents reported combined losses of almost $67 million, or approximately $350 thousand per organization. 17 Despite fewer responses, the reported losses increased considerably from the year before. In the 2006 study, 313 security practitioners reported collective losses of nearly $52.5 million, or almost $168 thousand per organization 17 Richardson, Robert. (2007) CSI Computer Crime and Security Survey. San Francisco: Computer Security Institute. Available: American Hotel & Lodging Association. All rights reserved.

23 participating in the study. Given the substantial spike in losses despite fewer responses, one can only assume that these data points represent just the tip of the iceberg. The messages are clear. Computer crime is both common and expensive. The risks are real and can happen to anyone, even you! How would you like to become front-page news as a result of a weakness in your organization s security? That s exactly what happened to Best Western, which captured international attention from a story that ran in Scotland s The Sunday Herald entitled Revealed: 8 Million Victims in the World s Biggest Cyber Heist. 18 The article, although not factually correct, is still sobering. According to a statement from Best Western, a breach did occur at its 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, but the exposure was limited to guests who had done business at that hotel within a certain seven-day window of time. 19 Despite the fact that much of the information reported in the article was false or overhyped, the fact remains that there was a breach and that irreparable damage has been done to Best Western s reputation. Issues of trust and information safeguards will be at the forefront of guests minds when transacting business with this company. Unfortunately, Best Western is not alone in becoming headline news. Table 1 identifies some of the many victims of computer breaches to illustrate the seriousness of the risks and to show just how real the threats are. It puts names and faces to the victims to emphasize that security breaches could just as easily happen to your company. No one is totally immune to such threats; thus, everyone must take every reasonable measure to reduce the likelihood of being attacked or becoming the focal point of criminal computer activity and the next news headline. What s worse, smaller companies, if victimized, may not have the financial resources or staying power and find themselves forced to go out of business. 
Table 1: Examples of Companies Victimized by Computer Crime Estimated # of Date Customers Company Industry Announced Problem Affected TJX Companies Retail January 2007 Computers Hacked 100+ Million Hannaford Brothers Grocery March 2008 Computers Infected by Malware 4.2 Million Atlantis Resort Hospitality January 2006 Computers Hacked 55 Thousand Okemo Mountain Ski March 2008 Computers Infected by Malware 46 Thousand Resort 18 Revealed: 8 million victims in the world s biggest cyber heist. (2008, August 24). The Sunday Herald. Available: var php. 19 Best Western downplays hack attack. (2008, August 28). Hotel Marketing.com. Available: attack American Hotel & Lodging Association. All rights reserved. 13

24 TJX Companies is the parent to popular retail brands such as T.J. Maxx, Marshalls, A.J. Wright, Bob s Stores, and HomeGoods. Because of the magnitude of its breach, the company serves as the poster-child representing the need for PCI compliance. In January 2007, the company publicly revealed that its systems were breached as early as July of 2005, but it took nearly 18 months before the breach was discovered. 20 Initially, TJX estimated that account information for as many as 45.7 million cards was compromised. Today, payment card officials estimate that the true number exceeds 100 million cards. The cost, in terms of legal fees and restitution, to TJX is $197 million and growing. This figure doesn t include the loss of business, damage to its reputation, or technology upgrades. According to one court filing, TJX violated nine out of twelve PCI DSS guidelines. 21 Had TJX been more attentive to PCI DSS, it could have avoided the compromise, litigation, negative press, and expense of not being more responsible. Unfortunately, the damage has been done. The company executives are left thinking if only after it is too late. The New England based Hannaford Brothers, an operator of over 300 grocery stores in six states, represents another company to be victimized from systems that were compromised. 22 On March 17, 2008, the company reported that someone had penetrated its systems and installed an unauthorized program (malware) used to intercept credit and debit card data en route from the point-of-sale system to the bank for authorization. Initial estimates suggest as many as 4.2 million credit and debit card numbers were stolen. The Hannaford case is particularly concerning for two reasons. First, the company was considered to be PCI compliant! This underscores the need to continuously test and audit systems to ensure the integrity of the information security measures and business processes; one s work is never done when it comes to information security. 
While being PCI compliant can greatly reduce risks, it does not completely eliminate them or guarantee that one s systems are totally safe. They provide a minimum set of standards that help, but one may still need to pursue additional strategies. Second, the Hannaford incident illustrates how sophisticated and bold hackers are becoming; they are finding ways to circumvent increased levels of information security and operate under the radar screen for long periods of time before being detected. From this case, one can see that technology is a double-edged sword. It helps not only the well intentioned but also those with malicious intent. 20 Jewell, Mark. (2008, April 2). TJX Could Pay MasterCard $24M for Breach. Associated Press. Available: 21 Vijayan, Jaikumar. (2007, October 26). TJX Violated Nine of 12 PCI Controls at Time of Breach, Court Filings Say. ComputerWorld. Available: do?command=viewarticlebasic&articleid= &source=rss_topic Kerber, Ross. (2008, March 28). Advanced Tactic Targeted Grocer. The Boston Globe. Available: American Hotel & Lodging Association. All rights reserved.

25 The hospitality industry is not immune to having its systems compromised. In early 2006, the Atlantis Resort in the Bahamas reported that a database containing key guest information had been compromised, potentially exposing the personal information of 55,000 guests, including their payment card, bank account, and social security data. 23 More recently (March 2008), Vermont s Okemo Mountain Resort ski area publicly disclosed that over 46,000 credit and debit card transactions may have been compromised over a 16-day period in February 2008 when account information was being transmitted from the company s point-of-sale systems to the bank for validation and authorization. 24 The above incidents are unfortunate but very real illustrations of how vulnerable organizations are, how grave the consequences can be, and how prevalent the threats really are. Hopefully, these stories will heighten awareness and concern in the lodging industry, provide a necessary wake-up call to hoteliers, and result in a call to action to make information security a top priority. These cases underscore the need to be proactive, diligent, and disciplined and to make information security a top priority at all levels of the organization. Because of the growing risks and number of reported incidents, information security and PCI are here to stay and must be embraced. Therefore, compliance should be incorporated in any risk management strategy. Summary PCI compliance is about protecting customers, being a trustworthy business, and reducing risk. Ultimately, it is about brand reputation. Although it is next to impossible to completely eliminate the risk of a breach, you can greatly reduce both your exposure to threats and your business exposure should a breach occur by following the PCI guidelines and implementing robust information security best practices. 
The general rule regarding payment card data is that if you don t have a need to keep customer (or guest) data and payment information, then you shouldn t keep them. If you do need them, then you must carefully protect them (with secure and controlled access) and store them only as long as necessary but no longer. Given that PCI compliance is part of a contractual agreement with acquiring banks and that it is being written into laws in some states, the risks and impact associated with non-compliance, and the negative publicity that can arise should a violation or compromise occur, one must heed the call to get more involved in understanding PCI and ensuring compliance. 23 Niccolai, James. (2006, January). Update: 55,0000 Customer IDs Stolen from Bahamas Hotel Atlantis Resort Admits to Database Break-in. InfoWorld. Available: com/article/06/01/11/73799_ HNidsstolen_1.html. 24 Vijayan, Jaiumar. (2008, April 2). Vermont Ski Area Reports Hannaford-Like Theft of Payment Card Data. ComputerWorld. Available: do?command=viewarticlebasic&art icleid= &intsrc=hm_list American Hotel & Lodging Association. All rights reserved. 15

26 PCI compliance is not optional; it is required. The cost associated with protecting data is a cost of doing business and should not be viewed as discretionary spending. Finding the appropriate balance between safeguards and vulnerabilities isn t always easy. In many ways, information security is like insurance. You must have it and can seemingly never have enough of it. Its value only becomes evident when it is absent but when one wishes it were there. In other words, once a breach has occurred, it is at that point that business executives and owners wish they and their organization were more serious, cautious, and proactive about educating employees and implementing information security measures. The reality today is that information security is a business imperative. It is of high importance and not something to shy away from but rather to embrace. Having said that, one should not boast about one s information security measures, because that will only offer up a challenge to maliciously-minded people to see if they can crack or beat whatever information security has been put in place. Remember, the implementation of any information security measure is an on-going, disciplined process, not a one-time initiative especially considering the high employee turnover rates in the lodging industry, the pace at which technology changes, and the evolving nature of PCI compliance itself. Information security is a job that is never done and is something that should be shared by everyone in the organization. It must be pervasive in an organization s culture and a requisite competency. It should not be seen as optional, as a burden, or merely as a cost to be controlled, but rather as a top priority and fiduciary responsibility to one s guests. Also, remember that on-going education and monitoring are absolute musts when it comes to information security and PCI compliance American Hotel & Lodging Association. All rights reserved.
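The retention rule stated in the Summary, and the distinction Figure 2 draws between directory-type information and the data found on the card itself, can be applied mechanically at the point where a system writes a record. The following Python is an added example written for this primer's readers; it is not code from the AH&LA, the authors, or any PCI SSC document. The field names, the sample record, the sample log lines, and the token key are all constructed for illustration, and the redaction function goes a step beyond the text by also scanning existing log text for stray card numbers, which supports the "follow the money" review the primer recommends.

```python
"""Storage-safe handling of payment card data (added example, not from the
primer). Sensitive authentication data (full track data, card verification
value, PIN block) is never retained after authorization; the primary account
number (PAN) is reduced to a masked form plus a keyed token before it is
written anywhere; and existing text (logs, exports) can be scanned for stray
PANs during the "follow the money" review. All sample data is constructed."""
import hashlib
import hmac
import re

# PCI DSS: sensitive authentication data may not be stored after authorization.
SENSITIVE_AUTH_FIELDS = frozenset({"track1", "track2", "cvv", "pin_block"})

# 13 to 19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if an all-digit string passes the Luhn check-digit test."""
    if not digits.isdecimal():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and hyphens; reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("value is not a well-formed PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN so repeat use of one card can be matched without
    keeping the PAN; the key must be stored apart from the records."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def scrub_record(record: dict, token_key: bytes) -> dict:
    """Return a copy of a captured payment record that is safe to retain."""
    safe = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_FIELDS:
            continue  # dropped outright, never retained (not even encrypted)
        if field == "pan":
            safe["pan_masked"] = mask_pan(value)
            safe["pan_token"] = pan_token(value, token_key)
            continue
        safe[field] = value
    return safe


def redact_pans(text: str) -> tuple:
    """Replace each Luhn-valid PAN-looking digit run with its masked form and
    return (redacted_text, count); runs that fail Luhn are left untouched."""
    count = 0

    def _sub(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # reference number, timestamp, etc.
        count += 1
        return mask_pan(digits)

    return _PAN_RE.sub(_sub, text), count


# Constructed sample of what a front desk or POS integration might capture;
# 4111 1111 1111 1111 is a standard test number, not a real card.
SAMPLE_RECORD = {
    "folio": "F-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": "constructed-track2-data",
    "pin_block": "constructed-pin-block",
    "amount": "289.00",
}

# Constructed log lines. The 15-digit reference on line 2 fails Luhn and must
# survive redaction unchanged; the two test card numbers must not.
SAMPLE_LOG = (
    "2008-03-17 22:14:05 POS-03 AUTH req folio=F-1001 pan=4111111111111111 amt=289.00\n"
    "2008-03-17 22:14:06 POS-03 AUTH ok  auth_code=123456 ref=000000000012345\n"
    "2008-03-17 22:14:09 PMS    settle folio=F-1001 card=5555 5555 5555 4444 exp=12/29\n"
)
```

Running `redact_pans(SAMPLE_LOG)` returns the log with both card numbers masked and the reference number intact, and `scrub_record(SAMPLE_RECORD, key)` returns a record with no CVV, track or PIN block fields and only a masked PAN plus token.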


Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

PCI: It Never Ends. Why?

PCI: It Never Ends. Why? PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

SecurityMetrics. PCI Starter Kit

SecurityMetrics. PCI Starter Kit SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standards. Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Understanding PCI Compliance

Understanding PCI Compliance Understanding PCI Compliance www.cognoscape.com Understanding PCI Compliance What is PCI Compliance? What exactly is PCI compliance? PCI stands for Payment Card Industry, and the compliance component ensures

More information

How To Become A Pca Compliant Organization

How To Become A Pca Compliant Organization Compliance Management Merchant Guide 2012 Stay Clear Of Fraud Are You Concerned About Data Security Risks? Security is a duty. Companies should remember that they are being trusted by consumers with their

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

Understanding and Managing PCI DSS

Understanding and Managing PCI DSS Understanding and Managing PCI DSS PCI DSS in Context Some History Key Players Validating Compliance Cardholder Data 2! 5 Stages of PCI Grief Denial: It doesn t apply to me PCI compliance is mandatory

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges

More information

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services Louisiana State University Finance and Administrative Services Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Data Security for the Hospitality

Data Security for the Hospitality M&T Bank and SecurityMetrics Present: Data Security for the Hospitality Industry Featuring Lee Pierce, SecurityMetricsStrategicStrategic Accounts Dave Ellis, SecurityMetrics Forensic Investigator Doug

More information

Preventing. Payment Card Fraud. Is your business protected?

Preventing. Payment Card Fraud. Is your business protected? BY TROY HAWES Preventing Payment Card Fraud Is your business protected? AT A GLANCE + The theft of credit card payment data by hackers is not limited to large corporations. + Many smaller companies fall

More information

safe and sound processing online card payments securely

safe and sound processing online card payments securely safe and sound processing online card payments securely Executive summary The following information and guidance is intended to provide key payment security advice to new or existing merchants who trade

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration

More information

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on

More information

www.trustvesta.com VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications

www.trustvesta.com VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications www.trustvesta.com VESTA CORPORATION WHITEPAPER Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications About this paper There have been numerous data breaches

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines? Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain

More information

Clark University's PCI Compliance Policy

Clark University's PCI Compliance Policy ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card

More information

$22k. Payment Card Data Breaches: What You Need to Know About Your Risk and Liability. First Data Market Insight

$22k. Payment Card Data Breaches: What You Need to Know About Your Risk and Liability. First Data Market Insight Need to Know About Your Risk and Liability Many small merchants are surprised to learn that they can be held liable for tens of thousands of dollars in fines and other expenses when a card data breach

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

Massachusetts MA 201 CMR 17.00. Best Practice Guidance on How to Comply

Massachusetts MA 201 CMR 17.00. Best Practice Guidance on How to Comply Massachusetts MA 201 CMR 17.00 Best Practice Guidance on How to Comply Massachusetts MA 201 CMR 17.00 Best Practices for Compliance 1 Overview MA 201 CMR 17.00 has been in the news for the last 18 months.

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN PCI Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information

More information

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS: Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal

More information

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9. 95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of

More information

A Whitepaper by Vesta Corporation. Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications

A Whitepaper by Vesta Corporation. Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications A Whitepaper by Vesta Corporation Payment Card Industry Data Security Standards (PCI DSS) and Mobile Operators: Trends and Implications About This Paper There have been numerous data breaches both announced

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That

More information

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS) CONTENTS OF THIS WHITE PAPER Overview... 1 Background... 1 Who Needs To Comply... 1 What Is Considered Sensitive Data... 2 What Are the Costs/Risks of Non-Compliance... 2 How Varonis Helps With PCI Compliance...

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

Net Report s PCI DSS Version 1.1 Compliance Suite

Net Report s PCI DSS Version 1.1 Compliance Suite Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are

More information

Table of Contents. 2 TouchSuite Welcome Kit

Table of Contents. 2 TouchSuite Welcome Kit Welcome Kit Table of Contents Important Account Information... Welcome to TouchSuite Merchant Services... Help Desk Card Enclosed... Your Merchant ID (MID)... 3 3 3 3 Customer Support Numbers... 4 Card

More information

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS) Postbank P.O.S. Transact GmbH (now EVO Kartenakzeptanz GmbH) has recently been purchased by EVO Payments International Group Program implementation details for merchants Payment Card Industry Data Security

More information

Payment Card Industry - Achieving PCI Compliance Steps Steps

Payment Card Industry - Achieving PCI Compliance Steps Steps CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance

More information

Important Info for Youth Sports Associations

Important Info for Youth Sports Associations Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over

More information

Version 7.4 & higher is Critical for all Customers Processing Credit Cards!

Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Data Pro Accounting Software has met the latest credit card processing requirements with its release of Version 7.4 due to the

More information

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m. Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of

More information

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda 2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR

More information