PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI)
Affordable ~ Clean ~ Safe ~ Simple ~ Flexible
2 PCI Compliance
What does PCI stand for?
Payment Card Industry Data Security Standard
Data Security Standards require us to protect guest credit card information
Who is required to meet the PCI security standard?
All entities that accept credit or debit card payment, or collect, process or store credit card transaction information
3 Value Place Franchise Services (VPFS) Policy
Brand Standard requires all S-Ps, PMCs and Value Place properties to be operated in accordance and compliance with PCI merchant operating standards
Policy Purpose
To define guidelines for accepting and processing credit cards and storing personal cardholder information
To ensure cardholder information supplied to Value Place is secure and protected
4 What is the scope of this Standard?
Any Value Place employee that processes, transmits, handles or could have access to cardholder information
Cardholder information may be in a physical or an electronic format
All employees that have access to NiteVision
All employees that have access to the property's safe
All employees who have access to guest studios
5 What's involved in complying with PCI?
Property Management Company or S-P will select a Qualified Independent Scan Vendor
Vendor will provide quarterly security scans to PMC/S-P
Initial and annual online employee training is provided by the vendor
Upon online training completion and testing, the employee will receive an electronic certificate. This should be printed off and filed.
6 All transaction processes must meet the following standards:
Electronic credit card numbers should not be transmitted or stored on a personal computer or email account
Credit card numbers should NOT be accepted via email and you must not email credit card information
Physical cardholder data must be locked in a secure area
7 All transaction processes must meet the following standards:
Access must be limited to employees that require the use of this data
Access must be restricted on a need-to-know basis
Store only essential information
Do not store the Card Validation Code (Security Digits, V Code, or CID)
Do not store the user PIN or full data from the card's magnetic stripe
8 All transaction processes must meet the following standards:
Credit card information, if it does NOT need to be retained, must be destroyed
Do not destroy 3rd party forms until the payment has been processed completely
Information must be destroyed by shredding (crosscut) immediately AFTER processing, or immediately AFTER this information no longer needs to be retained
9 All transaction processes must meet the following standards:
Credit card receipts may only show the last four digits of the credit card number.
Card Number xxxxxxxxxxxx8868
If receipts show more than the last four digits, the receipts must be shredded or retained in the locked safe
Any employee with access to NiteVision, credit card information and/or access to the safe MUST comply with the Payment Card Industry Data Security Standard
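An added example (not part of the Value Place deck or the NiteVision product) showing the receipt rule above in code: mask_pan produces the xxxxxxxxxxxx8868 form with only the last four digits visible, and find_unmasked_pans flags receipt text that still shows a full card number so that receipt can be pulled for shredding or the safe. The function names, the Luhn filter used to cut down false alarms, and the sample receipt lines are all constructed here.

```python
import re

# Receipt rule from the slide: only the last four digits of the card number may
# be visible; every other digit is replaced with "x" (e.g. xxxxxxxxxxxx8868).
def mask_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "x" * (len(digits) - 4) + digits[-4:]

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects most random digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate runs of 13-19 digits, allowing the spaces or dashes printed on receipts.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return full card numbers visible in receipt text (Luhn-valid runs only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def receipt_is_compliant(text: str) -> bool:
    """True when no full card number is visible, i.e. the receipt may be filed normally."""
    return not find_unmasked_pans(text)

# Constructed sample receipts; the masked one echoes the slide's own example,
# the other uses the well-known Visa test number, not a real card.
COMPLIANT_RECEIPT = "Value Place  Card Number xxxxxxxxxxxx8868  Total $289.00"
NONCOMPLIANT_RECEIPT = "Value Place  Card Number 4111 1111 1111 1111  Total $289.00"

if __name__ == "__main__":
    for r in (COMPLIANT_RECEIPT, NONCOMPLIANT_RECEIPT):
        print("OK   " if receipt_is_compliant(r) else "SHRED", r)
```

A receipt flagged by find_unmasked_pans is one the slide says must be shredded or kept in the locked safe.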
10 Confidentiality & Security of Account Information
All 3rd Party Authorizations must be stored in a secure place and locked at all times
Old and current registration cards cannot have 3rd Party Authorizations attached
Implement a retention policy for all 3rd Party Authorization forms
Consider a 90 day retention policy, or destroy the 3rd Party Authorization when a guest checks out
Old files could help support credit card chargebacks
11 Locking Safe Requirements
ALL employees that have access to the locking safe MUST be PCI certified
NO EXCEPTIONS
12 Security Best Practice
3rd Party Authorization Faxed Applications
Log all 3rd Party Applications that have been faxed to the property
This provides a good audit trail if needed in the future
Never throw fax logs away
Fax log consists of:
o Date and time fax was received
o Name of employee that retrieved and secured form
o Name of guest being authorized
13 Security Best Practice
Example of Fax Log
14 Security Best Practice
Audit Boxes
Store previous month's audit boxes in a secured place
3rd or 4th floor storage rooms
Correctly label each box
Access to 3rd and 4th floor storage rooms: VP employees only
Tip for storing:
o Store in empty paper boxes
o Paperwork stacks uniformly
o Seal boxes with clear packing tape
o Person packing/sealing box must initial & date directly over the tape
15 Keep Credit Card Information SAFE
NEVER
Write down credit card information and leave it unattended
Throw away papers, emails, faxes etc. with credit card information listed without shredding
Leave the office unattended with a non-compliant employee or visitor
Remove anything from the office with credit card numbers showing or available, i.e. computers, storage devices, storage files, etc.
16 Controlled Access to the Property's Office
ALWAYS
Keep office door closed and secured. Not complying could result in a KCD on your next QAR
Keep safe closed and locked
NiteVision access only by:
o Employees that are PCI compliance trained
o PMC (must be PCI compliance trained)
Same rules apply to anybody accessing networking ports in the property's office
17 Place Required Labels on CPU
Use label maker and print out labels
Place on computer (CPU) that houses NiteVision software
Labels include the following information:
Owner Name:
Equipment Purpose: Point of Sale System
For help with this machine: Contact
18 Property Visitor(s)
All visitors allowed into the Property's Office must be approved by the Property Manager
All approved visitors must have a visitor nametag in sight or a Value Place employee name tag
Inside Office Area: visitors must be escorted by the Property Manager
Outside Office Area: visitors must be escorted by a VP team member
A log identifying property visitors must be kept
19 Example of Visitors Log
20 PCI Compliance
Penalties for Non-Compliance
Fines could be imposed by the affected credit card company
Minimum fines from VISA for violation of the Payment Card Industry Data Security Standard begin at $50,000
21 PCI Compliance
PCI Compliance Protects the Guest and You
If you think a rule was broken, tell somebody immediately
Accidents happen; no one gets in trouble for working on fixing problems and protecting our guests
Don't be afraid to ask for help and understanding from your Supervisor
PCI Compliance is a TEAM effort that protects our guests
22 PCI Compliance
What if there is a security breach, an office break-in, etc.?
Example: 3rd party forms stolen or removed from office. Contact PMC or Supervisor immediately!
Example: Office gets broken into and NiteVision computer is stolen. Call 911, contact PMC or Supervisor immediately!
Example: Safe broken into and credit card numbers have been stolen. Call 911, contact PMC or Supervisor immediately!
23 QA Compliance Be Prepared
Cross cut paper shredder
Training certificate filed for all employees
o New Employees must be PCI trained/certificate provided within the first week of employment or prior to NiteVision and/or guest room access
o Existing Employees trained annually after initial certification
Independent Scan Vendor's IP Scan with proof of pass/fail, date scanned
o Quarterly remote vulnerability scans required
CPU must be labeled with Owner, Contact Information and Purpose
Visitors Log
o A log identifying property visitors (vendors, service technicians, etc.) must be kept on file at the Front Desk. All visitors must be identified with a visitor nametag and sign in and out.
24 QA Compliance Be Prepared
Example of training certificate certifying employee has received PCI Compliance training
25 QA Compliance Be Prepared
Example of external IP scan