Slide1
PCI Boot Camp
Presented by the PCI Compliance Task Force
Slide2
Moderator:
Jeremy Rock, President ● RockIT Group
Slide3
Agenda
PCI Overview
Removing Card Data From Your Hotel
Best Practices
Questions & Answers
Slide4
PCI Overview
Slide5
Presenters:
Mark Haley, CHTP, Managing Partner ● The Prism Partnership, LLC
Jeff Henschel, Director of IT ● Benchmark Hospitality International
Chuck Marratt, Regional Director of IT ● Benchmark Hospitality International
Slide6
What is PCI?
What Does PCI Compliance Entail?
Slide7
Overview Objectives
What are the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application Data Security Standard (PA-DSS)?
What are the components of a sound data security policy and PCI Compliance?
How do you get to PCI Compliance?
Vocabulary and concepts for all of the above
Slide8
Overview
Why is Compliance So Important?
PCI & PCI Compliance Defined
Key Issues
Who is responsible for compliance?
What gets overlooked?
How do I plan my compliance journey?
Additional Resources
Questions
Slide9
Why Is Compliance Important?
PCI Compliance is like insurance
Good business practice
You are vulnerable!
55% of credit card fraud from hospitality
85% of breaches against Level 4 merchants*
Potential impact of a breach
Customer Relations
Legal
Financial
* Source: Unified Compliance Framework
Slide10
Why is Compliance Important?
Because they are after us!
Hackers now specifically targeting hospitality
38% of breaches in 2009 in hotels and resorts
Source: Trustwave SpiderLabs
Slide11
2010 Market Trends: Industries by Percent of Breaches
* Statistics from 2011 Verizon Business Data Breach Investigation Report
Slide12
2010 Breach Trends: The Facts
761 Breaches in 2010 (141 in 2009)
89% of victims subject to PCI DSS had not achieved compliance
86% of the breaches were discovered by a third party
86% of the victims had evidence of the breach in their log files
98% of all breached records came from servers
96% of breaches were avoidable through simple or intermediate controls
* All percentages are from the 2011 Verizon Business Data Breach Investigation Report
Slide13
Why is Compliance Important?
You don’t want to make the headlines!
Slide14
Breakdown of Cost per Record
Slide15
Costs of a Breach
Fines from issuing brands
Costs to address vulnerabilities
Costs of Level 1 audits in future
Lawsuits from card-issuing banks for card replacement costs
Loss of customer trust and goodwill
Loss of business
Tarnished reputation
Costs of Non-Compliance
Slide16
Definition
Data security standards for all merchants accepting credit, debit or other cards to protect cardholder data
To ensure the integrity of the global payment card industry
Applies to ALL cardholder data: electronic and paper
Applies to ALL merchants
Slide17
Definition - Roles
Key Players & Roles
Standards “owned” by PCI Security Standards Council
Enforcement reserved to the issuing brands
Slide18
Lodging complexity - lifespan of a credit card number in a lodging environment
Slide19
Definition - Details
Payment Card Industry (PCI) Data Security Standards (DSS)
12 Major Requirements
Applies to everyone handling cardholder data: merchants, processors, intermediaries
Self-Assessment Questionnaire (SAQ) for most merchants
Different forms of SAQ varying with merchant’s processing infrastructure
Slide20
Definition - Details
Payment Application Data Security Standards (PA-DSS)
Formerly known as Payment Application Best Practices (PABP)
Applies to software vendors marketing products that handle cardholder data
Requires software vendors to invest in certification, costly to achieve and maintain
Merchants forbidden to use uncertified payment applications from July 2010
Slide21
Definition of Merchant Levels
Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2
Merchant Level / Description
Slide22
12 Steps to PCI Compliance
Control Objectives and Compliance Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Slide23
Key Issues
Who is responsible?
The Merchant
Slide24
What Gets Overlooked?
People
Process
Slide25
Where Companies Fail Their PCI Audit
Source: 2011 Global Security Report
Slide26
Action Items
How do I plan my compliance journey?
Assign an Owner
Use your Acquirer
Use your Franchisor/Brand
Establish Documentation
Gather Inventories
Use your Software Vendors
Complete Self-Assessment Questionnaire (SAQ)
May 6 & 7, 2010
Slide27
Action Items
How do I plan my compliance journey? (continued)
Determine if you need a Qualified Security Assessor (QSA)
Implement Vulnerability Scans from an Approved Scanning Vendor (ASV)
Address SAQ Deficiencies
Update your Documentation
Repeat!
Slide28
Just Remember…
Data Security is an ongoing process.
Recognize the risks at all levels in your organization.
Understand what you can do to be proactive.
Determine what behaviors and processes may have to change.
Slide29
Action Items
Budget for PCI
Not a One-Time Expense!
Initial costs may include:
Engage a QSA or other resources
System replacements
Staff costs for initial SAQ
Ongoing costs include:
Quarterly Penetration Scans
Annual SAQ exercise
Internal & External evaluations of technology in scope
Logging and Alert management
Anti-Virus subscriptions
Payment Application upgrades
Intrusion Detection Software
Resources and training to manage security measures
Slide30
Action Items
Make sure you budget appropriately as PCI compliance is an ongoing expense to your organization.
Costs include but are not limited to items listed below:
Annual Penetration Scanning
External scans of technology in scope
Internal scans of technology in scope
Logging and Alert Management
Anti-virus upgrades/renewals
PMS/POS Annual Upgrades
Intrusion detection software
Resources and training to manage PCI and Security measures implemented.
Slide31
Additional Resources
AH&LA publication, The Payment Card Industry Compliance Process for Lodging Establishments: http://ahla.com/technology
PCI Security Standards Council: http://pcisecuritystandards.org
Visa: http://www.visa.com/cisp
MasterCard: http://www.mastercard.com/us/sdp/index.html
Slide32
Removing Card Data From Your Hotel
Slide33
Presenters:
William Collins, Executive Director – Vertical Market Strategy ● Heartland Payment Systems
Sue Zloth, Group Manager, Product ● Merchant Link, LLC
Bob Lowe, Director of Strategic Relationships ● Shift4
Lyle Worthington, CHTP, Chief Information Officer ● Horseshoe Bay Resort
Slide34
Where Does Card Data Exist?
Slide35
Do You Really Need It?
Why do you have it in the first place?
Old Processes
You Think You Need It
Chargeback documentation
Balancing Risk and Convenience
Does the risk of having credit card data outweigh the convenience it creates?
Slide36
Just Say No
Eliminate capturing/storing of Credit Card data unless it is absolutely necessary
Question/Challenge the need
Re-evaluate outdated processes
Card Imprinting
Credit Auth Forms
Accounting/Chargeback Reconciliation
Events/Catering
Develop contingency plans for one-off scenarios
Off Line Authorizations
Special Guest Requests, etc.
Evaluate partner’s processes/systems
Ask, Expect, Inspect
Understand effect of introduction of new devices into your environment
Mobile/Tablets
Kiosks
Use technology to protect data you must capture
Slide37
Using Technology
PCI Approach: Protect What You “Must” Have
(This used to be a straightforward statement.)
Protect Stored Data
Securely encrypt stored data
Encrypt transmissions of cardholder data across public networks
Restrict access to data on a “need-to-know” basis
Mask PAN by default, reveal to selected people on request
Over time, this gets more and more complex. Time for a technology rethink…?
Slide38
The Challenge
Imagine a princess in a castle… Securing her against attacks of increasing sophistication is difficult and expensive.
Slide39
The Solution
TAKE THE PRINCESS OUT OF THE CASTLE!
Purpose-Designed Solutions for Consideration
Encryption at Swipe or Keyed Entry
Tokenization
Slide40
Technology Choices
Encryption at Swipe or Key
Data is swiped or keyed into an encryption device.
Transmit ONLY encrypted data through your environment.
Two common terms are used to describe this (interchangeably):
End to End
Point to Point
Key to Encryption Solutions
Ensure the POS/PMS has no ability to decrypt
Understand where card data gets decrypted
The farther down the path the better
PCI is working on regulatory changes to recognize that use of this solution may reduce a merchant’s PCI scope.
Slide41
Technology Choices
Tokenization
Replacing sensitive cardholder data (CHD) with a piece of data that references the card data, which is stored elsewhere.
Vendors use different methods to generate tokens.
It should not be possible to reverse engineer a token back to the actual card data.
Some solutions combine encryption at entry and tokenization: encryption is used on data in transit, tokenization on data at rest.
Correct tokenization solutions remove the PMS from the scope of PCI DSS.
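As an added illustration (not code from the presentation or from any vendor named on it), this Python sketch shows the tokenization model the slides describe: the PMS keeps only a random token plus a masked PAN, the full PAN lives in a separate vault, and de-tokenization is limited to a need-to-know role. The `TokenVault` and `HotelPMS` classes and the `payment_gateway` role are assumptions made for the sketch; the PAN is a constructed, well-known test number, not a real card.

```python
import secrets

# Constructed sample: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str) -> str:
    """Masked display form: only the last four digits stay visible."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Stand-in for the provider-side vault (assumed design).

    Tokens are random values with no mathematical relationship to the
    PAN, so a token taken from the hotel cannot be reversed into card data.
    """

    def __init__(self):
        self._store = {}  # token -> PAN; the PAN exists only here

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Need-to-know: only the payment path may see the PAN.
        if role != "payment_gateway":
            raise PermissionError(f"role {role!r} may not reveal the PAN")
        return self._store[token]


class HotelPMS:
    """Stand-in property management system: never stores the PAN itself."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.folios = {}

    def record_guest_card(self, guest: str, pan: str) -> dict:
        token = self.vault.tokenize(pan)
        self.folios[guest] = {"token": token, "display": mask_pan(pan)}
        return self.folios[guest]

    def stores_full_pan(self, pan: str) -> bool:
        """What an assessor checks: does any stored field hold the full PAN?"""
        return any(pan in str(folio) for folio in self.folios.values())
```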
Slide42
Technology Choices
Your Action Plan
Review tokenization and Encryption at Source offerings that are supported by your software providers
Select technology solutions that reduce your PCI exposure by removing data from your applications
It’s better to not have data at all than to spend a lot of $$ trying to protect it
Slide43
Cloud Computing
Does It Solve The Problem?
Cloud Computing does not necessarily remove all scope from your property
Cards could still exist in your network
Some public cloud vendors openly state they can’t and won’t be PCI compliant.
Vendors may use other cloud vendors
For more information please attend the Cloud Computing Super Session Thursday at 9am
Slide44
PCI Boot Camp: Best Practices
Slide45
Presenters:
Jibran Ilyas, Senior Incident Response Consultant ● TrustWave / SpiderLabs
Marty Stanton, Vice President, Information Technology ● Destination Hotels & Resorts
Jerry Trieber, CPA, CHAE, CFE, CFF, Director of Field Accounting ● Crestline Hotels & Resorts
Slide46
Best Practices: Types
The best practices we will discuss today fall into 3 distinct but interwoven areas:
Operations
Networks
Documentation
Slide47
Best Practices: Operations
Operational best practices should be implemented at all hotels, restaurants, clubs, casinos, and other hospitality enterprises currently accepting credit cards as methods of payment.
Those best practices are…
Slide48
Best Practices: Operations
Discontinue the imprinting of credit cards if still imprinting.
Review proper merchant bank retrieval request and chargeback information requirements: don’t keep documents containing complete credit card numbers for fear of losing a chargeback.
Discourage facsimile receipt of credit card authorizations: secure fax machines and their output.
Prohibit e-mail receipt of credit card numbers.
For all voice, facsimile, or other methods of card receipt, enter directly into the system and destroy (shred) the paper.
Slide49
Best Practices: Operations
Review Sales & Catering Department files for maintenance of documents containing credit card numbers.
Do not use Notes, Comments, or other unencrypted fields in Sales, Catering, and other electronic systems for credit card numbers.
Review who has access to view guests’ complete credit card numbers in both the PMS and POS.
Review if card data or computer passwords are written on a “sticky note” placed on computer monitors or are otherwise visible or unsecured.
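An added example, not part of the presentation, of the kind of check the review above calls for: scan free-text Notes and Comments fields from a Sales & Catering export for anything that looks like a full card number, using a digit-run pattern plus the Luhn check so that phone and confirmation numbers are not flagged. The sample rows are constructed, and findings are reported masked so the scan itself does not copy PANs into a report.

```python
import re

# Constructed sample rows resembling a Sales & Catering export.
SAMPLE_ROWS = [
    {"id": 101, "notes": "Deposit on 4111 1111 1111 1111, guest prefers high floor"},
    {"id": 102, "notes": "Call back at 555-123-4567; conf# 1234567890123456"},
    {"id": 103, "comments": "Balance to card 5500-0000-0000-0004 exp 12/29"},
    {"id": 104, "comments": "Paid by token tok_7c2b9e (no card data held)"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(rows, fields=("notes", "comments")):
    """Return (record id, field, masked PAN) for each likely card number."""
    findings = []
    for row in rows:
        for field in fields:
            text = row.get(field) or ""
            for m in CANDIDATE.finditer(text):
                digits = re.sub(r"\D", "", m.group())
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    findings.append((row["id"], field, mask(digits)))
    return findings
```

The confirmation number in row 102 has 16 digits but fails Luhn, so it is not reported; the two Luhn-valid test numbers are.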
Slide50
Best Practices: Operations
Train users to log off their terminals and use tight auto-log off timeouts on payment applications if available.
Always consider proper storage, retention and disposal of paper and other sources of credit card numbers.
Select photocopiers and facsimiles with encrypted disk drives with auto-delete capability (24 hours).
Control physical access to server rooms, Front Desk and any other areas where credit card numbers are stored or processed. Consider logging and badging all visitors to these areas and requiring video surveillance of all data centers.
Slide51
Best Practices: Operations
Conduct training on PCI Compliance!
Training on PCI Compliance should include:
Making training materials consumer-friendly.
Annual training certification signed by all employees.
Making training certification a part of the “Acceptable Use Policy.”
Awareness of phishing, spear-phishing, pharming, and “vendor impostors.”
Slide52
Best Practices: Networks
Best practices regarding networks fall into 3 categories:
Passwords;
Remote Access; and
Operations.
Slide53
Best Practices: Network Passwords
All default passwords should be changed before connecting a device to the network. Devices to be reviewed include:
Payment application servers;
Other servers;
Routers; and
Firewalls.
Slide54
Best Practices: Network Passwords
The SSID names for wireless networks should also be changed: how many networks named “Linksys Router” have you observed when looking for wi-fi “hot spots”?!
Be mindful of the definition of a “strong password” for PCI purposes, as it differs from that for non-PCI purposes!
Passwords for all users of payment applications should be unique:
No shared passwords!
Create unique passwords for vendors!
Use tools and policies to expire passwords, force strong passwords, and do not allow re-use of prior passwords!
Slide55
Best Practices: Network Remote Access
PCI Compliance requires that remote access privileges be closely controlled and monitored.
Regarding vendors:
Access should be “on-request” from the property and not from the vendor.
The property must initiate the remote access connection.
Logging should be embedded in the access tool used.
Default ports should be changed.
Remote access should be added to vendor agreements and contracts.
Hotel personnel should be trained to authenticate callers purporting to be vendors requesting access for support – very important!
Slide56
Best Practices: Network Remote Access
Regarding employees:
Access should be “on-request” from the employee, approved by the department head/EC member, with a valid reason for access.
Access should be granted only to those applications needed by the employee and not to the entire network, depending upon where payment applications reside.
Default ports should be changed.
A remote access program with strong authentication and logging should be used!
Slide57
Best Practices: Network Operations
Maintain separation of guest and employee networks.
Ensure that there are anti-virus subscriptions on all computers and that they are current!
See that security patches are applied regularly!
Be alert for skimmers and keystroke loggers!
Be alert for rogue software, PCs, and wireless or USB devices!
Use a laptop or smartphone to scan for rogue devices.
Slide58
Best Practices: Network Documentation
PCI Compliance requires significant levels of documentation, including 4 different types of self-assessment questionnaires (SAQs), dependent upon a property’s “merchant level” classification.
SAQ D is the most common type of SAQ.
The PCI Compliance Roundtable is examining new user-friendly types of the SAQs, including the SAQ D.
Slide59
Best Practices: Network Documentation
Other types of PCI Compliance-based documentation that should be prepared include:
Acceptable Use Policy;
Backups and Disaster Recovery;
Incident Response Plans;
Merchant level determination letters from acquirers;
Proof of PCI PA-DSS Compliance letters from payment applications used; and
Network vulnerability scan reports.
Slide60
Best Practices: Network Documentation
A sample user-friendly SAQ-D is here:
Slide61
Questions
Slide62
What Did You Think?
In order to help us create/provide a better HITEC experience in the future, please take a second to fill out the short survey that will be sent to you via e-mail at the end of the day.
And THANK YOU for attending HITEC!
Learn how HFTP membership can benefit you,
visit www.hftp.org