You Can Checkout Anytime You Like




PCI Compliance & The Hospitality Industry You Can Checkout Anytime You Like

Orthus are a certified Qualified Security Assessor Company (QSAC) specialising in providing Payment Card Industry (PCI) Data Security Standards (DSS) compliance solutions to the hospitality sector.

You knew that "Hotel California" is the title song from the Eagles' album of the same name and was released in February 1977. Writing credits for the song are shared by Don Felder, Don Henley and Glenn Frey. It went Gold (sold over 1m) within 3 months of its release. It won the 1978 Grammy Award for Record of the Year. Rolling Stone magazine ranks it as the 49th greatest song of all time. The Rock and Roll Hall of Fame names it as one of the 500 Songs that Shaped Rock and Roll. The song's guitar solo is ranked 8th on Guitar Magazine's Top 100 Guitar Solos.

So

Did you know? "The song was actually an angry response to the band having their credit cards ripped off at all of the hotels we stayed at on the road. We were sick of all the fraud man and thought someone ought to say something." - Don Henley 1979

Lyrics
On a dark desert highway, cool wind in my hair, warm smell of colitas rising up through the air. Up ahead in the distance I saw a shimmering light. My head grew heavy and my sight grew dim; I had to stop for the night. There she stood in the doorway; I heard the mission bell. And I was thinking to myself, this could be heaven or this could be hell.

Translation
Dark + Desert Highway + Convertible + Colitas = ? Paranoia = Security
Stop for the night = Hospitality industry
She = Acquirer
Mission bell = Compliance deadline tolling
Heaven or hell = Implementation of a risk management framework can be difficult or easy

Lyrics
Then she lit up a candle and she showed me the way. There were voices down the corridor; I thought I heard them say: Welcome to the Hotel California, such a lovely place, such a lovely face. Plenty of room at the Hotel California, any time of year, you can find it here. Her mind is Tiffany-twisted, she got the Mercedes Benz, she got a lot of pretty, pretty boys that she calls friends. How they dance in the courtyard, sweet summer sweat; some dance to remember, some dance to forget.

Translation
Candle = Milestones approach
The way = PCI DSS 6 goals, 12 requirements
Hotel California = Secure processing, transmittal & storage of credit card data
Plenty of room = Scoping
Any time of year = Validation and annual revalidation
Tiffany-twisted = Acquirer fines
Pretty, pretty boys = Card brands
Dancing = Acquirer relationship

Lyrics
So I called up the captain, please bring me my wine. He said, we haven't had that spirit here since nineteen sixty-nine. And still those voices are calling from far away, wake you up in the middle of the night just to hear them say: Welcome to the Hotel California, such a lovely place, such a lovely face. They're living it up at the Hotel California; what a nice surprise, bring your alibis.

Translation
Captain = IT Director
Wine = Logs & records
Since 1969 = Log retention
Voices calling = VoIP in scope
Wake you up = Incident response program requirement
Lovely face = Stevie Nicks
Bring your alibis = Controls require accountability and evidence

Lyrics
Mirrors on the ceiling, pink champagne on ice, and she said, we are all just prisoners here of our own device. And in the master's chambers they gathered for the feast; they stab it with their steely knives, but they just can't kill the beast. Last thing I remember, I was running for the door; I had to find the passage back to the place I was before. Relax, said the night man, we are programmed to receive.

Translation
Mirrors on the ceiling = CCTV
Pink champagne on ice = Glenn Frey room service requirement
Prisoners of our own devices = Physical & technical controls, or 3rd party supplier relationships
Master's chambers = Board room
The beast = Regulation
Passage back to the place I was before = BC/DR plans
Night man = QSA
Programmed to receive = Compensating controls

Lyrics
You can checkout any time you like, but you can never leave.

Translation
Summary of the industry problem = Business requirement for the retention of card data
Reminder that once you become compliant you have to remain compliant = Not a project, it's a process

Review

The Standard
First published January 2005; V1 released September 7, 2006; V2 released November 2010. The PCI DSS is a set of comprehensive requirements for securing payment data: a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

6 Goals, 12 Requirements

264 Controls

Evidence Types
Observation (configuration or process)
Documentation
Verbal confirmation (interviews)
Technical (monitoring of network traffic)
Required for each and every control!

Milestone Approach
Risk-based prioritisation of implementation of the controls:
Milestone 1: Identify what you have, where you have it, and write policies to protect it
Milestone 2: Network integrity
Milestone 3: Code integrity
Milestone 4: Logs & records
Milestone 5: Incidents
Milestone 6: Auditing & testing

Applicable
All systems that process, store or transmit cardholder data (both credit and debit)
All systems that connect to them
Compliance is mandatory

Scoping

Compensating Controls
Alternatives to controls, used when a specific control cannot be implemented due to a business process
Implement risk-based supplementary control(s)
Designed for the business
Accepted by the business
Must be accompanied by supporting evidence
Accompanied by supporting processes

Deadlines
Milestones 1-4: September 31, 2009
Full compliance: September 31, 2010
Annual revalidation

Essence
PCI DSS is a data risk management framework. The framework only serves to identify, minimise and manage the risk of compromise. Frameworks do not guarantee security. You still own the risk.

Intent
Give PCI a Chance! Minimise risk to cardholder data.

10 Rules of Data Security
1. If Dr. Evil can run his programs on your network, it's not your network anymore.
2. If Dr. Evil can access data on your network, it's not your data anymore.
3. If Dr. Evil can access data entering or exiting your network, it's not your network anymore.
4. If Dr. Evil can upload programs to your website, it's not your website anymore.
5. If Dr. Evil uses your network to launch an attack on another network, it's your problem.
6. If Dr. Evil can use your network to access your partner's network, it's your problem.
7. If Dr. Evil can physically access devices on your network, it's not your data anymore.
8. More often than not, Mini-Me works for you.
9. Dr. Evil knows where you hide your spare keys.
10. Dr. Evil is always faster and smarter.

Process Not Checklist

Business Messages
Risk management framework
Regulatory requirement
Losses impact our clients:
Lost client confidence = Lost
System downtime = Lost
Repair costs = Lost
Data theft & fraud = Lost
Reputation losses = Lost
Fines = Lost

Employee Messages
Security of our customer credit card data is critical to our business.
We have implemented a detailed security program to protect this data.
Security is your responsibility. Security is everyone's responsibility.
Failure to meet this responsibility will result in disciplinary action.
We need your help and suggestions.

Partner Messages
Protection of our customers' credit card data is mission critical to us.
We have implemented a PCI DSS compliance program and are pending formal certification.
Regulatory compliance is a shared responsibility.
Connectivity to our systems requires compliance with PCI DSS controls as a condition of contract.
If you cannot provide this service, we will find a partner who will.
How can we help you comply?

Customer Messages
Protection of your personal and credit card data is paramount to our business.
We implement a strict security program to protect this data, including rigorous testing of our systems.
We are currently pending formal certification of our security practices.
If you have any question regarding our policies, do not hesitate to contact us.

Top 10 Audit Findings
1. Card environment not documented
2. Card data not located or marked
3. No card data security policies
4. No card data security awareness program
5. No 3rd party supplier agreements
6. No data access accountability
7. No security testing conducted
8. No intrusion detection system (IDS)
9. Not encrypting data in storage
10. No 2-factor authentication for remote access

Top 10 Challenges
1. Missed deadlines
2. No budget
3. No "buy in"
4. Never implemented a risk management program
5. Lack of risk management expertise
6. Processing hard copy card data (faxes, emails)
7. No card data access accountability
8. No network security posture (IDS, logs & records)
9. No existing security testing framework
10. The one you're thinking of right now

7 Stages of Your Grief
Denial: "This can't be happening, not to me."
Anger: "Why me? It's not fair!"; "Who is to blame?"
Bargaining: "What if we just do Milestone 1 this year?"
Depression: "We'll never do it. What's the point?"
Hope: "It's going to be okay. I think we can do it."
Panic: "Where in the name of all that's holy do I begin?"
Acceptance: "OK. Bring it on!"

Road Map
Gap Analysis
Remediation
Monthly Acquirer Reporting
Pass Scan & Penetration Testing
Self or QSA Validation
AoC / RoC
Acquirer
Card Brands

25.01.2011 CONFIDENTIAL Orthus 2010

Final Note
You can checkout anytime you like, but you can never leave.

1 Lyric Square, London, W6 0NB, United Kingdom. Phone: +44 (0)203 170 8955. Fax: +44 (0)203 008 6161. www.orthus.com info@orthus.com