PCI Boot Camp Presented by the PCI Compliance Task Force - PowerPoint Presentation

Uploaded by BookWorm on 2022-08-03

Presentation Transcript

Slide1

PCI Boot Camp

Presented by the PCI Compliance Task Force

Slide2

Moderator: Jeremy Rock, President ● RockIT Group

Slide3

Agenda

PCI Overview

Removing Card Data From Your Hotel

Best Practices

Questions & Answers

Slide4

PCI Overview

Slide5

Presenters:

Mark Haley, CHTP, Managing Partner ● The Prism Partnership, LLC

Jeff Henschel, Director of IT ● Benchmark Hospitality International

Chuck Marratt, Regional Director of IT ● Benchmark Hospitality International

Slide6


What is PCI?

What Does PCI Compliance Entail?

Slide7

Overview Objectives

What are:

The Payment Card Industry (PCI) Data Security Standard (DSS) and

The Payment Application Data Security Standard (PA-DSS)?

What are the components of a sound data security policy and PCI Compliance?

How do you get to PCI Compliance?

Vocabulary and concepts for all of the above

Slide8

Overview

Why is Compliance So Important?

PCI & PCI Compliance Defined

Key Issues

Who is responsible for compliance?

What gets overlooked?

How do I plan my compliance journey?

Additional Resources

Questions


Slide9

Why Is Compliance Important?

PCI Compliance is like insurance

Good business practice

You are vulnerable!

55% of credit card fraud comes from hospitality

85% of breaches are against Level 4 merchants*

Potential impact of a breach:

Customer Relations

Legal

Financial

* Source: Unified Compliance Framework

Slide10

Why is Compliance Important?

Because they are after us!

Hackers now specifically targeting hospitality

38% of breaches in 2009 in hotels and resorts

Source: Trustwave SpiderLabs

Slide11

2010 Market Trends: Industries by Percent of Breaches

* Statistics from the 2011 Verizon Business Data Breach Investigations Report

Slide12

2010 Breach Trends: The Facts

761 Breaches in 2010 (141 in 2009)

89% of victims subject to PCI DSS had not achieved compliance

86% of the breaches were discovered by a third party

86% of the victims had evidence of the breach in their log files

98% of all breached records came from servers

96% of breaches were avoidable through simple or intermediate controls

* All percentages are from the 2011 Verizon Business Data Breach Investigations Report.

Slide13

Why is Compliance Important?

You don’t want to make the headlines!

Slide14

Breakdown of Cost per Record

Slide15

Costs of Non-Compliance

Costs of a Breach:

Fines from issuing brands

Costs to address vulnerabilities

Costs of Level 1 audits in future

Lawsuits from card-issuing banks for card replacement costs

Loss of customer trust and goodwill

Loss of business

Tarnished reputation

Slide16

Definition

Data security standards for all merchants accepting credit, debit or other cards, to protect cardholder data

To ensure the integrity of the global payment card industry

Applies to ALL cardholder data: electronic and paper

Applies to ALL merchants

Slide17

Definition - Roles

Key Players & Roles

Standards “owned” by the PCI Security Standards Council

Enforcement reserved to the card brands, applied through the merchant’s acquirer

Slide18

Lodging complexity - lifespan of a credit card number in a lodging environment

Slide19

Definition - Details

Payment Card Industry (PCI) Data Security Standard (DSS)

12 Major Requirements

Applies to everyone handling cardholder data: merchants, processors, intermediaries

Self-Assessment Questionnaire (SAQ) for most merchants

Different forms of SAQ varying with the merchant’s processing infrastructure

Slide20

Definition - Details

Payment Application Data Security Standard (PA-DSS)

Formerly known as Payment Application Best Practices (PABP)

Applies to software vendors marketing products that handle cardholder data

Requires software vendors to invest in certification, costly to achieve and maintain

Merchants forbidden to use uncertified payment applications from July 2010

Slide21

Definition of Merchant Levels

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

Merchant Level / Description (table not captured in the transcript)

Slide22

12 Steps to PCI Compliance

Control Objectives and Compliance Requirements:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Slide23

Key Issues

Who is responsible?

The Merchant


Slide24

What Gets Overlooked?


People

Process

Slide25

Where Companies Fail Their PCI Audit

Source: 2011 Global Security Report

Slide26

Action Items

How do I plan my compliance journey?

Assign an Owner

Use your Acquirer

Use your Franchisor/Brand

Establish Documentation

Gather Inventories

Use your Software Vendors

Complete Self-Assessment Questionnaire (SAQ)

May 6 & 7, 2010


Slide27

Action Items

How do I plan my compliance journey? (continued)

Determine if you need a Qualified Security Assessor (QSA)

Implement Vulnerability Scans from an Approved Scanning Vendor (ASV)

Address SAQ Deficiencies

Update your Documentation

Repeat!


Slide28

Just Remember…

Data Security is an ongoing process.

Recognize the risks at all levels in your organization.

Understand what you can do to be proactive.

Determine what behaviors and processes may have to change.


Slide29

Action Items

Budget for PCI

Not a One-Time Expense!

Initial costs may include:

Engage a QSA or other resources

System replacements

Staff costs for initial SAQ

On-going Costs Include:

Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)

Annual SAQ exercise

Internal & External evaluations of technology in scope

Logging and Alert management

Anti-Virus subscriptions

Payment Application upgrades

Intrusion Detection Software

Resources and training to manage security measures


Slide30

Action Items

Make sure you budget appropriately as PCI compliance is an ongoing expense to your organization.

Costs include but are not limited to items listed below:

Annual penetration testing and quarterly ASV vulnerability scanning

External scans of technology in scope

Internal scans of technology in scope

Logging and Alert Management

Anti-virus upgrades/renewals

PMS/POS Annual Upgrades

Intrusion detection software

Resources and training to manage PCI and Security measures implemented.

Slide31

Additional Resources

AH&LA publication, The Payment Card Industry Compliance Process for Lodging Establishments

http://ahla.com/technology

PCI Security Standards Council

http://pcisecuritystandards.org

Visa

http://www.visa.com/cisp

MasterCard

http://www.mastercard.com/us/sdp/index.html

Slide32

Removing Card Data From Your Hotel

Slide33

Presenters:

William Collins, Executive Director – Vertical Market Strategy ● Heartland Payment Systems

Sue Zloth, Group Manager, Product ● Merchant Link, LLC

Bob Lowe, Director of Strategic Relationships ● Shift4

Lyle Worthington, CHTP, Chief Information Officer ● Horseshoe Bay Resort

Slide34

Where Does Card Data Exist?

Slide35

Do You Really Need It?

Why do you have it in the first place?

Old Processes

You Think You Need It

Chargeback documentation

Balancing Risk and Convenience

Does the risk of having credit card data outweigh the convenience it creates?

Slide36

Just Say No

Eliminate capturing/storing of Credit Card data unless it is absolutely necessary

Question/Challenge the need

Re-evaluate outdated processes

Card Imprinting

Credit Auth Forms

Accounting/Chargeback Reconciliation

Events/Catering

Develop contingency plans for one-off scenarios:

Off-line authorizations

Special guest requests, etc.

Evaluate partner’s processes/systems

Ask, Expect, Inspect

Understand effect of introduction of new devices into your environment

Mobile/Tablets

Kiosks

Use technology to protect data you must capture

Slide37

Using Technology

PCI Approach: Protect What You “Must” Have

(This used to be a straightforward statement.)

Protect stored data: securely encrypt stored data

Encrypt transmissions of cardholder data across public networks

Restrict access to data on a “need-to-know” basis

Mask the PAN by default; reveal it to selected people on request

Over time, this gets more and more complex. Time for a technology rethink…?

Slide38

The Challenge

Imagine a princess in a castle… Securing her against attacks of increasing sophistication is difficult and expensive.

Slide39

The Solution

TAKE THE PRINCESS OUT OF THE CASTLE!

Purpose-Designed Solutions for Consideration:

Encryption at Swipe or Keyed Entry

Tokenization

Slide40

Technology Choices

Encryption at Swipe or Key

Data is swiped or keyed into an encryption device.

Transmit ONLY encrypted data through your environment.

Two common terms are used to describe this, and the presenters treat them as interchangeable: end-to-end encryption and point-to-point encryption. (The PCI SSC has since standardized on “point-to-point encryption”, P2PE, for the solutions it validates.)

Key to encryption solutions:

Ensure the POS/PMS has no ability to decrypt (no decryption key material on the property).

Understand where card data gets decrypted: the farther down the path, ideally at the processor, the better.

The PCI SSC is working on guidance recognizing that the use of this solution may reduce a merchant’s PCI DSS scope.

Slide41

Technology Choices

Tokenization

Replacing sensitive cardholder data (CHD) with a piece of data (a token) that references the card data, which is stored elsewhere (in a vault at the gateway or processor).

Vendors use different methods to generate tokens.

It should not be possible to reverse-engineer a token back to the actual card data: a token derived from the PAN (a plain hash, a simple cipher) does not meet this bar; a random value mapped to the PAN inside the vault does.

Some solutions combine encryption at entry and tokenization: encryption is used on data in transit, tokenization on data at rest.

A correctly deployed tokenization solution can remove the PMS from the scope of PCI DSS, but only if the PAN never enters the PMS: the card must be captured and tokenized before the PMS sees it, and the PMS must have no way to retrieve the PAN from the token.
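As an added example (not code from the presentation or from any vendor named on these slides), the following Python sketch shows the masking and tokenization ideas from the “Using Technology” and “Tokenization” slides together: a Luhn check to recognise a PAN, display masking that shows at most the first six and last four digits, and a toy token vault whose tokens are random values mapped to the PAN rather than derived from it, so there is nothing to reverse. The `TokenVault` class, the `chargeback_analyst` role name, the `capture_at_gateway` helper and the 4111… test PAN are my own constructed assumptions; in a real deployment the vault lives at the gateway or processor and the PMS receives only the token and the display mask.

```python
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: separates a real-looking PAN from an arbitrary digit string,
    useful when hunting for card numbers in Notes/Comments fields and old files."""
    if not PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits are shown,
    the limit PCI DSS sets for PAN shown to staff without a need to see it all."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy token vault (assumed design). The clear PAN lives only in this object;
    in a real deployment that is the gateway or processor, never the PMS."""

    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> PAN
        self._token_by_pan = {}   # PAN -> token, so a returning card gets the same token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random, not derived from the PAN: nothing to hash-crack or decrypt.
            # The last four digits are kept in clear only to support guest-facing lookup.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, requester_role: str) -> str:
        """'Reveal to selected people on request': only the assumed chargeback role
        gets the full PAN back; everyone else gets the masked form."""
        pan = self._pan_by_token[token]
        return pan if requester_role == "chargeback_analyst" else mask_pan(pan)


def capture_at_gateway(vault: TokenVault, pan: str) -> dict:
    """Assumed gateway side: the only place the clear PAN is handled. Returns the two
    fields the PMS is allowed to keep; the PAN itself is not among them."""
    token = vault.tokenize(pan)
    return {"card_token": token, "card_display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    folio = capture_at_gateway(vault, "4111111111111111")   # constructed test PAN
    print(folio)
    print(vault.detokenize(folio["card_token"], "front_desk"))
    print(vault.detokenize(folio["card_token"], "chargeback_analyst"))
```

The point of the two dictionaries is that the PAN-to-token mapping is the only link between the two values; an attacker who reads the PMS database gets tokens and masks, and an attacker who steals a token still needs the vault and an authorized role to turn it back into a card number.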

Slide42

Technology Choices

Your Action Plan

Review tokenization and Encryption at Source offerings that are supported by your software providers

Select technology solutions that reduce your PCI exposure by removing data from your applications

It’s better to not have data at all than to spend a lot of $$ trying to protect it

Slide43

Cloud Computing

Does It Solve The Problem?

Cloud computing does not necessarily remove all scope from your property.

Cards could still exist in your network.

Some public cloud vendors openly state they can’t and won’t be PCI compliant.

Vendors may use other cloud vendors.

For more information please attend the Cloud Computing Super Session Thursday at 9am

Slide44

PCI Boot Camp:

Best Practices

Slide45

Presenters:

Jibran Ilyas, Senior Incident Response Consultant ● Trustwave SpiderLabs

Marty Stanton, Vice President, Information Technology ● Destination Hotels & Resorts

Jerry Trieber, CPA, CHAE, CFE, CFF, Director of Field Accounting ● Crestline Hotels & Resorts

Slide46

Best Practices: Types

The best practices we will discuss today fall into 3 distinct but interwoven areas:

Operations

Networks

Documentation

Slide47

Best Practices: Operations

Operational best practices should be implemented at all hotels, restaurants, clubs, casinos, and other hospitality enterprises currently accepting credit cards as methods of payment.

Those best practices are….

Slide48

Best Practices: Operations

Discontinue the imprinting of credit cards if still imprinting.

Review proper merchant bank retrieval request and chargeback information requirements: don’t keep documents containing complete credit card numbers for fear of losing a chargeback.

Discourage facsimile receipt of credit card authorizations: secure fax machines and their output.

Prohibit e-mail receipt of credit card numbers.

For all voice, facsimile, or other methods of card receipt, enter directly into the system and destroy (shred) the paper.

Slide49

Best Practices: Operations

Review Sales & Catering Department files for maintenance of documents containing credit card numbers.

Do not use Notes, Comments, or other unencrypted fields in Sales, Catering, and other electronic systems for credit card numbers.

Review who has access to view guests’ complete credit card numbers in both the PMS and POS.

Review whether card data or computer passwords are written on a “sticky note” placed on computer monitors or are otherwise visible or unsecured.

Slide50

Best Practices: Operations

Train users to log off their terminals and use tight auto-log-off timeouts on payment applications if available.

Always consider proper storage, retention and disposal of paper and other sources of credit card numbers.

Select photocopiers and facsimiles with encrypted disk drives with auto-delete capability (24 hours).

Control physical access to server rooms, Front Desk and any other areas where credit card numbers are stored or processed. Consider logging and badging all visitors to these areas and a requirement to surveil all data centers by video.

Slide51

Best Practices: Operations

Conduct training on PCI Compliance!

Training on PCI Compliance should include:

Making training materials consumer-friendly.

Annual training certification signed by all employees.

Making training certification a part of the “Acceptable Use Policy.”

Awareness of phishing, spear-phishing, pharming, and “vendor impostors.”

Slide52

Best Practices: Networks

Best practices regarding networks fall into 3 categories:

Passwords;

Remote Access; and

Operations.

Slide53

Best Practices: Network Passwords

All default passwords should be changed before connecting a device to the network. Devices to be reviewed include:

Payment application servers;

Other servers;

Routers; and

Firewalls.

Slide54

Best Practices:

Network Passwords

The SSID names for wireless networks should also be changed: how many networks named “Linksys Router” have you observed when looking for wi-fi “hot spots”?!

Be mindful of the definition of a “strong password” for PCI purposes, as it differs from that for non-PCI purposes! (PCI DSS v2.0 Requirement 8.5 specifies at least 7 characters containing both letters and numbers, changed at least every 90 days, no reuse of any of the last four passwords, lockout for at least 30 minutes after no more than six failed attempts, and re-authentication after 15 minutes idle.)

Passwords for all users of payment applications should be unique:

No shared passwords!

Create unique passwords for vendors!

Use tools and policies to expire passwords, force strong passwords, and do not allow re-use of prior passwords!
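The parameters those tools have to enforce are the ones PCI DSS v2.0 Requirement 8.5 set for the period this session covers (later versions of the standard changed some of them). As an added example, not code from the presentation or any vendor, here is a small Python account model that enforces them: strength (7+ characters, letters and digits), 90-day expiry, a four-password history held as salted PBKDF2 hashes so old passwords are never stored in clear, and a 30-minute lockout after six failures. The `Account` class, the `frontdesk1` user, the `Hitec2011` password and the PBKDF2 round count are my own constructed choices.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Thresholds from PCI DSS v2.0 Requirement 8.5.
MIN_LENGTH = 7                   # 8.5.10
MAX_AGE_DAYS = 90                # 8.5.9
HISTORY_DEPTH = 4                # 8.5.12: not the same as any of the last four used
MAX_FAILED_ATTEMPTS = 6          # 8.5.13
LOCKOUT = timedelta(minutes=30)  # 8.5.14
PBKDF2_ROUNDS = 50_000           # assumed; not a PCI parameter


class PolicyViolation(ValueError):
    pass


def is_strong(password: str) -> bool:
    """8.5.10 / 8.5.11: at least seven characters containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """One payment-application user. Stores only salted hashes, keeps the last
    HISTORY_DEPTH of them for the reuse check, and enforces expiry and lockout."""

    def __init__(self, username: str, password: str, now: datetime) -> None:
        self.username = username
        self.history = []          # (salt, hash) pairs, newest last; [-1] is the current password
        self.changed_at = now
        self.failed = 0
        self.locked_until = None
        self.set_password(password, now)

    def _seen_before(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), h) for salt, h in self.history)

    def set_password(self, password: str, now: datetime) -> None:
        if not is_strong(password):
            raise PolicyViolation("need >= %d characters with letters and digits" % MIN_LENGTH)
        if self._seen_before(password):
            raise PolicyViolation("matches one of the last %d passwords" % HISTORY_DEPTH)
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed = 0
        self.locked_until = None

    def authenticate(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'expired' (correct, but must be changed), 'locked' or 'denied'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, current = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), current):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT   # 8.5.14: at least 30 minutes
                self.failed = 0
                return "locked"
            return "denied"
        self.failed = 0
        if now - self.changed_at > timedelta(days=MAX_AGE_DAYS):
            return "expired"
        return "ok"


def demo() -> list:
    """Walk one constructed account through the controls; returns the outcomes in order."""
    t0 = datetime(2011, 6, 20, 9, 0)
    acct = Account("frontdesk1", "Hitec2011", t0)
    out = [acct.authenticate("Hitec2011", t0)]                              # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append(acct.authenticate("password", t0))                       # denied x5, then locked
    out.append(acct.authenticate("Hitec2011", t0 + timedelta(minutes=10)))  # still locked
    out.append(acct.authenticate("Hitec2011", t0 + timedelta(minutes=31)))  # lockout over: ok
    out.append(acct.authenticate("Hitec2011", t0 + timedelta(days=91)))     # past 90 days: expired
    try:
        acct.set_password("Hitec2011", t0 + timedelta(days=91))
        out.append("reuse allowed")
    except PolicyViolation:
        out.append("reuse rejected")
    return out


if __name__ == "__main__":
    print(demo())
```

The lockout and expiry checks are ordered deliberately: a locked account is refused before the password is even hashed, and an expired password still authenticates but is reported as expired so the application can force a change rather than silently let the user carry on.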

Slide55

Best Practices:

Network Remote Access

PCI Compliance requires that remote access privileges be closely controlled and monitored.

Regarding vendors:

Access should be “on-request” from the property and not from the vendor.

The property must initiate the remote access connection.

Logging should be embedded in the access tool used.

Default ports should be changed (a hardening step that cuts down opportunistic scanning; it is not a substitute for strong authentication and logging).

Remote access should be added to vendor agreements and contracts.

Hotel personnel trained to authenticate callers purporting to be vendors requesting access for support – very important!

Slide56

Best Practices: Network Remote Access

Regarding employees:

Access should be “on-request” from the employee, approved by the department head/EC member, with a valid reason for access.

Access should be granted only to those applications needed by the employee and not to the entire network, depending upon where payment applications reside.

Default ports should be changed.

A remote access program with strong (two-factor) authentication and logging should be used! PCI DSS Requirement 8.3 requires two-factor authentication for remote network access.
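Pulling the vendor and employee remote-access rules together, the following added Python review (my code, not the presenters’ or any vendor’s) replays a constructed remote-access gateway log against the property’s list of approved requests and flags sessions with no request on file, sessions outside the approved window, sessions the vendor rather than the property initiated, and sessions that were never closed. The `key=value` log format, the account names, the `REQ-1042` ticket and the IP addresses are all constructed for illustration; the logic is what the “logging should be embedded in the access tool” advice is for.

```python
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<rest>.+)$")

# Constructed sample from an assumed remote-access gateway that logs key=value fields.
SAMPLE_LOG = """\
2011-06-20T14:02:11 event=session_start account=acme_tech src=203.0.113.7 initiated_by=property ticket=REQ-1042
2011-06-20T14:40:55 event=session_end account=acme_tech src=203.0.113.7
2011-06-20T23:17:40 event=session_start account=acme_tech src=203.0.113.7 initiated_by=vendor ticket=-
2011-06-21T03:05:09 event=session_start account=pos_vendor src=198.51.100.12 initiated_by=vendor ticket=-
2011-06-21T09:30:00 event=login_failed account=acme_tech src=203.0.113.7
"""

# Constructed approvals: what the property's on-request process should have on file.
APPROVALS = [
    {"account": "acme_tech", "ticket": "REQ-1042",
     "start": datetime(2011, 6, 20, 13, 30), "end": datetime(2011, 6, 20, 15, 30)},
]


def parse_line(line: str) -> dict:
    """Split one log line into a dict of fields; 'ts' becomes a datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: " + line)
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def review(log_text: str, approvals: list) -> list:
    """Return (timestamp, account, reason) findings for every session that breaks the
    on-request, property-initiated rule, plus sessions never closed by the log's end."""
    findings = []
    open_sessions = {}   # account -> start time of a session with no end seen yet
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        event, account, ts = ev.get("event"), ev.get("account"), ev["ts"]
        if event == "session_end":
            open_sessions.pop(account, None)
            continue
        if event != "session_start":
            continue
        mine = [a for a in approvals if a["account"] == account]
        if not mine:
            findings.append((ts.isoformat(), account, "no access request on file"))
        elif not any(a["start"] <= ts <= a["end"] for a in mine):
            findings.append((ts.isoformat(), account, "outside approved window"))
        if ev.get("initiated_by") != "property":
            findings.append((ts.isoformat(), account, "vendor-initiated session"))
        open_sessions[account] = ts
    for account, ts in sorted(open_sessions.items()):
        findings.append((ts.isoformat(), account, "session never closed"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, APPROVALS):
        print(*finding)
```

Run daily against the previous day’s log, this turns the “closely controlled and monitored” requirement into a short list for the IT director to act on; a session that shows up with no request on file is exactly the case the caller-authentication training is meant to prevent.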

Slide57

Best Practices:

Network Operations

Maintain separation of guest and employee networks.

Ensure that there are anti-virus subscriptions on all computers and that they are current!

See that security patches are applied regularly!

Be alert for skimmers and keystroke loggers!

Be alert for rogue software, PCs, and wireless or USB devices!

Use a laptop or smartphone to scan for rogue devices.
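One concrete way to do that last item, as an added example that is not part of the presentation: walk the ARP table of a laptop plugged into each segment and compare it with the asset inventory gathered earlier in the compliance journey. The `arp -n` output, the interface-to-segment mapping and the inventory below are constructed, and the rule set is my own: report unknown devices only on the employee (cardholder) segment, since unknown devices on the guest network are simply guests, and report inventoried payment assets that show up on the guest segment, since that breaks the guest/employee separation.

```python
import re

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")

# Constructed `arp -n` output as captured on a laptop with one leg on each network.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.1.20               ether   00:1A:2B:3C:4D:5E   C                     eth0
10.10.1.21               ether   00:1a:2b:3c:4d:5f   C                     eth0
10.10.1.77               ether   00:50:56:aa:bb:cc   C                     eth0
10.10.1.78                       (incomplete)                              eth0
192.168.50.14            ether   00:1a:2b:3c:4d:60   C                     eth1
192.168.50.90            ether   f4:5c:89:11:22:33   C                     eth1
"""

# Assumed mapping of the scanning laptop's interfaces to the hotel's network segments.
SEGMENTS = {"eth0": "employee", "eth1": "guest"}

# Constructed asset inventory: MAC -> (asset name, segment it belongs on).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("front-desk-pos-1", "employee"),
    "00:1a:2b:3c:4d:5f": ("pms-server", "employee"),
    "00:1a:2b:3c:4d:60": ("restaurant-pos-2", "employee"),
}


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so a Windows-style 00-1A-... matches."""
    return mac.lower().replace("-", ":")


def parse_arp(text: str) -> list:
    """Parse Linux `arp -n` output into (ip, mac, iface) tuples; the header line and
    '(incomplete)' entries (no MAC learned yet) are skipped."""
    entries = []
    for line in text.splitlines():
        ip, mac = IP_RE.match(line), MAC_RE.search(line)
        if not ip or not mac:
            continue
        entries.append((ip.group(1), norm_mac(mac.group(1)), line.split()[-1]))
    return entries


def find_rogues(entries: list, inventory: dict, segments: dict) -> list:
    """Flag (a) unknown devices on the employee/cardholder segment and (b) inventoried
    payment assets that have turned up on the guest segment. Unknown devices on the
    guest network are normal (they are guests) and are deliberately not reported."""
    findings = []
    for ip, mac, iface in entries:
        segment = segments.get(iface, iface)
        if mac not in inventory:
            if segment == "employee":
                findings.append((ip, mac, segment, "not in asset inventory"))
            continue
        asset, expected = inventory[mac]
        if segment != expected:
            findings.append((ip, mac, segment, f"{asset} expected on {expected} network"))
    return findings


if __name__ == "__main__":
    for finding in find_rogues(parse_arp(SAMPLE_ARP), INVENTORY, SEGMENTS):
        print(*finding)
```

An ARP walk only sees devices on the same broadcast domain as the laptop, so it has to be run from each segment; it is cheap enough to repeat weekly, and the inventory it is compared against is the same one the SAQ needs.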

Slide58

Best Practices: Network Documentation

PCI Compliance requires significant levels of documentation, including several different types of self-assessment questionnaires (SAQs). Which SAQ applies depends on how the property processes cards, as the overview noted; the property’s “merchant level” classification determines whether an SAQ is sufficient or an on-site assessment by a QSA is required.

SAQ D is the most common type of SAQ.

The PCI Compliance Roundtable is examining new user-friendly types of the SAQs, including the SAQ D.

Slide59

Best Practices: Network Documentation

Other types of PCI Compliance-based documentation that should be prepared include:

Acceptable Use Policy;

Backups and Disaster Recovery;

Incident Response Plans;

Merchant level determination letters from acquirers;

Proof of PCI PA-DSS compliance letters for the payment applications used; and

Network vulnerability scan reports.

Slide60

Best Practices: Network Documentation

A sample user-friendly SAQ-D is here:

Slide61

Questions

Slide62

What Did You Think?

In order to help us create/provide a better HITEC

experience in the future, please take a second to fill out the short survey that will be sent to you via e-mail at the end of the day.

And THANK YOU for attending HITEC!

Learn how HFTP membership can benefit you,

visit www.hftp.org