PCI Boot Camp

Presented by the PCI Compliance Task Force

MODERATOR:

Jeremy RockPresident ● RockIT Group

AGENDA

PCI Overview Removing Card Data From

Your Hotel Best Practices Questions & Answers

PCI OVERVIEW

PRESENTERS:

Mark Haley, CHTPManaging Partner● The Prism Partnership, LLC

Jeff HenschelDirector of IT● Benchmark Hospitality International

Chuck MarrattRegional Director of IT● Benchmark Hospitality International

6

What is PCI?

What Does PCI Compliance Entail?

7

Overview ObjectivesWhat are:

The Payment Card Industry (PCI) Data Security Standard (DSS) and

The Payment Application Data Security Standard (PA-DSS)?

What are the components of a sound data security policy and PCI Compliance?

How do you get to PCI Compliance?Vocabulary and Concepts for all of above

8

Overview

Why is Compliance So Important?PCI & PCI Compliance DefinedKey Issues

Who is responsible for compliance? What gets overlooked? How do I plan my compliance journey?

Additional ResourcesQuestions

9

Why Is Compliance Important?

PCI Compliance is like insurance Good business practice You are vulnerable!

55% of credit card fraud from hospitality

85% of breaches against Level 4 merchants*

Potential impact of a breach Customer Relations Legal Financial

* Source: Unified Compliance Framework

10

Why is Compliance Important?

Because they are after us! Hackers now specifically

targeting hospitality 38% of breaches in 2009

in hotels and resortsSource: Trustwave Spider Labs

2010 Market Trends: Industries by Percent of Breaches

40%

25%22%

4% 2% 2% 2% 1% 1% 1%

Demographics

*Statistics from 2011 Verizon Business Data Breach Investigation Report

2010 Breach Trends: The Facts

761 Breaches in 2010 (141 in 2009) 89% of victims subject to PCI DSS had not

achieved compliance 86% of the breaches were discovered by a third

party 86% of the victims had evidence of the breach in

their log files 98% of all breached records came from servers 96% of breaches were avoidable through simple

or intermediate controls

* All percentages are from the 2011 Verizon Business Data Breach Investigation

Why is Compliance Important?

You don’t want to make the headlines!

Breakdown of Cost per Record

15

Costs of a Breach Fines from issuing brands Costs to address vulnerabilities Costs of Level 1 audits in future Lawsuits from card-issuing

banks for card replacement costs

Loss of customer trust and goodwill

Loss of business Tarnished reputation

Costs of Non-Compliance

16

Definition Data security standards for all merchants

accepting credit, debit or other cards to protect cardholder data

To ensure the integrity of the global payment card industry

Applies to ALL cardholder data Electronic Paper

Applies to ALL merchants

17

Definition- Roles Key Players &

Roles

Standards “owned” by PCI Security Standards Council

Enforcement reserved to the issuing brands

Lodging complexity - lifespan of a credit card number in a lodging environment

19

Definition - Details

Payment Card Industry (PCI) Data Security Standards (DSS) 12 Major Requirements Applies to everyone handling cardholder data

• Merchants• Processors• Intermediaries

Self-Assessment Questionnaire (SAQ) for most merchants• Different forms of SAQ varying with merchant’s

processing infrastructure

20

Definition - Details

Payment Application Data Security Standards (PA-DSS) Formerly known as Payment Application Best Practices

(PABP) Applies to software vendors marketing products that

handle cardholder data Requires software vendors to invest in certification,

costly to achieve and maintain Merchants forbidden to use uncertified payment

applications July 2010

21

Definition of Merchant Levels

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

1

•Over 6,000,000 Visa transactions per year for any merchant-regardless of acceptance channel-processing. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

2

•1,000,000 to 6,000,000 Visa transactions per year, applies to any merchant-regardless of acceptance channel-processing.

3

•20,000 to 1,000,000 Visa e-commerce transactions per year.

4

•20,000 or fewer Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

Merchant Level Description

22

12 Steps to PCI ComplianceCONTROL OBJECTIVES COMPLIANCE REQUIREMENTS

Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data 3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes Maintain an Information Security Policy

12. Maintain a policy that addresses information security

23

Key Issues

Who is responsible?

The Merchant

24

What Gets Overlooked?

People Process

Where Companies Fail Their PCI Audit

1 Maint

ain

a Fir

ewall

2 No

Vendo

r Pas

swor

ds

3 En

cryp

ted

Tran

smiss

ions

4 Pr

otec

t Sto

red

Credit C

ard

...

5 Upd

ate

Anti-V

irus S

oftw

are

6 Dev

elop

Sec

ure

System

s and

...

7 Res

trict

Phy

sical A

cces

s

8 Ass

ign

Uniqu

e Use

r IDs

9 Ph

ysica

l Acc

ess

10 Log

Man

agem

ent

11 ID

S / V

A

12 M

aint

ain

Secu

rity Po

licy

0102030405060708090

100 97.5

83.674.6

8.1

68.9

90.9

48.4

92.6

7.4

99.298.4 95.1

2011 Global Security Report

26

Action Items

How do I plan my compliance journey? Assign an Owner Use your Acquirer Use your Franchisor/Brand Establish Documentation Gather Inventories Use your Software Vendors Complete Self-Assessment

Questionnaire (SAQ)

May 6 & 7, 2010

27

Action Items

How do I plan my compliance journey? (continued) Determine if you need a

Qualified Security Assessor (QSA)

Implement Vulnerability Scans from an Approved Scanning Vendor (ASV)

Address SAQ Deficiencies Update your Documentation Repeat!

28

Just Remember… Data Security is an ongoing

process. Recognize the risks at all

levels in your organization. Understand what you can do

to be proactive. Determine what behaviors

and processes may have to change.

29

Action Items

Budget for PCI

Not a One-Time Expense!

Initial costs may include: Engage a QSA or other

resources System replacements Staff costs for initial

SAQ

On-going Costs Include: Quarterly Penetration Scans Annual SAQ exercise Internal & External

evaluations of technology in scope

Logging and Alert management

Anti-Virus subscriptions Payment Application

upgrades Intrusion Detection Software Resources and training to

manage security measures

Action ItemsMake sure you budget appropriately as PCI compliance is an ongoing expense to your organization.

Costs include but are not limited to items listed below: Annual Penetration Scanning External scans of technology in scope Internal scans of technology in scope Logging and Alert Management Anti Virus upgrades/renewals PMS/POS Annual Upgrades Intrusion detection software Resources and training to manage PCI and Security

measures implemented.

31

Additional Resources

AH&LA publication, The Payment Card Industry Compliance Process for Lodging Establishmentshttp://ahla.com/technology

PCI Security Standards Councilhttp://pcisecuritystandards.org

Visahttp://www.visa.com/cisp

MasterCard

http://www.mastercard.com/us/sdp/index.html

REMOVING CARD DATA FROM YOUR HOTEL

PRESENTERS:

William CollinsExecutive Director – Vertical Market Strategy● Heartland Payment Systems

Sue ZlothGroup Manager, Product● Merchant Link, LLC

Bob LoweDirector of Strategic Relationships● Shift4

Lyle Worthington, CHTPChief Information Officer● Horseshoe Bay Resort

Where Does Card Data Exist?

Do You Really Need It?

Why do you have it in the first place? Old Processes You Think You Need It

Chargeback documentation

Balancing Risk and Convenience

Does the risk of having credit card data outweigh the convenience it creates?

Just Say No Eliminate capturing/storing of Credit Card data unless it is

absolutely necessary Question/Challenge the need Re-evaluate outdated processes

• Card Imprinting• Credit Auth Forms• Accounting/Chargeback Reconciliation• Events/Catering

Develop contingency plans for one-offs scenarios• Off Line Authorizations• Special Guest Requests, etc.

Evaluate partner’s processes/systems • Ask, Expect, Inspect

Understand effect of introduction of new devices into your environment• Mobile/Tablets• Kiosks

Use technology to protect data you must capture

Using Technology PCI Approach: Protect What You “Must” Have

(This used to be a straightforward statement.)

Protect Stored Data Securely encrypt stored data Encrypt transmissions of cardholder data

across public networks Restrict access to data on a “need-to-know”

basis Mask PAN by default, reveal to selected people on

request

Over time, this gets more and more complex. Time for a technology rethink…?

The Challenge

Imagine a princess in a castle…

Securing her against attacks of increasing sophistication is difficult and expensive.

The Solution

TAKE THE PRINCESS OUT

OF THE CASTLE!

Purpose-Designed Solutions for Consideration • Encryption at Swipe or Keyed Entry

• Tokenization

Technology ChoicesEncryption at Swipe or Key Data is Swiped or Keyed into Encryption Device. Transmit ONLY encrypted data through your environment. Two Common Terms Used To Describe (Interchangeable)

End to End Point To Point

Key To Encryption Solutions Ensure POS/PMS has no ability to decrypt Understand where Card Data gets decrypted

• The farther down the path the betterPCI is working on regulatory changes to recognize the use of this solution may reduce Merchants PCI Scope.

POS/PMS

Gateway

Processor

Card Brands Issuers

Technology ChoicesTokenization Replacing sensitive cardholder data (CHD) with a piece of

data that references Card Data, stored elsewhere. Vendors use different methods to generate Tokens It should not be possible to reverse engineer a Token back

to the actual card data. Some solutions combine encryption at entry and

tokenization; Encryption used on data in transit Tokenization used on data at rest

Correct tokenization solutions remove the PMS from the scope of PCI DSS.

Technology Choices

Your Action Plan Review tokenization and Encryption at Source offerings that

are supported by your software providers

Select technology solutions that reduce your PCI exposure by removing data from your applications

It’s better to not have data at all than to spend a lot of $$ trying to protect it

Cloud Computing

Does It Solve The Problem? Cloud Computing does not

necessarily remove all scope from your property

Cards could still exist in your network

Some public cloud vendors openly state they can’t and won’t be PCI compliant.

Vendors may use other cloud vendors For more information please attend the Cloud Computing

Super Session Thursday at 9am

PCI Boot Camp:Best Practices

PRESENTERS:

Jibran IlyasSenior Incident Response Consultant ● TrustWave/SpiderLabs

Marty StantonVice President, Information Technology ● Destination Hotels & Resorts

Jerry Trieber, CPA, CHAE, CFE, CFFDirector of Field Accounting ● Crestline Hotels & Resorts

Best Practices: Types

The best practices we will discuss today fall into 3 distinct but interwoven areas:

Operations

Networks

Documentation

Best Practices: Operations

Operational best practices should be implemented at all hotels, restaurants, clubs, casinos, and other hospitality enterprises currently accepting credit cards as methods of payment.

Those best practices are….

Best Practices: Operations

Discontinue the imprinting of credit cards if still imprinting. Review proper merchant bank retrieval request and

chargeback information requirements: don’t keep documents containing complete credit card numbers for fear of losing a chargeback.

Discourage facsimile receipt of credit card authorizations: secure fax machines and their output.

Prohibit e-mail receipt of credit card numbers. For all voice, facsimile, or other methods of

card receipt, enter directly into the system and destroy (shred) the paper.

Best Practices: Operations

Review Sales & Catering Department files for maintenance of documents containing credit card numbers.

Do not use Notes, Comments, or other unencrypted fields in Sales, Catering, and other electronic systems for credit card numbers.

Review who has access to view guests’ complete credit numbers in both the PMS and POS.

Review if card data or computer passwords are written on a “sticky note” placed on computer monitors or are otherwise visible or unsecured.

Best Practices: Operations

Train users to log off their terminals and use tight auto-log off timeouts on payment applications if available.

Always consider proper storage, retention and disposal of paper and other sources of credit card numbers.

Select photocopiers and facsimiles with encrypted disk drives with auto-delete capability (24 hours).

Control physical access to server rooms, Front Desk and any other areas where credit card numbers are stored or processed. Consider logging and badging all visitors to these areas and requirement to surveil all data centers by video.

Best Practices: Operations

Conduct training on PCI Compliance!

Training on PCI Compliance should include: Making training materials consumer-

friendly. Annual training certification signed by all

employees. Making training certification a part of the

“Acceptable Use Policy.” Awareness of phishing, spear-phishing,

pharming, and “vendor impostors.”

Best Practices: Networks

Best practices regarding networks fall into 3 categories:

Passwords;

Remote Access; and

Operations.

Best Practices:Network Passwords

All default passwords should be changed before connecting a device to the network. Devices to be reviewed include: Payment application servers;

Other servers;

Routers; and

Firewalls.

Best Practices:Network Passwords

The SSID names for wireless networks should also be changed: how many networks named “Linksys Router” have you observed when looking for wi-fi “hot spots!?”

Be mindful of the definition of a “strong password” for PCI purposes, as it differs from that for non-PCI purposes!

Passwords for all users of payment applications should be unique: No shared passwords! Create unique passwords for vendors! Use tools and policies to expire passwords, force strong

passwords, and do not allow re-use of prior passwords!

Best Practices:Network Remote Access

PCI Compliance requires that remote access privileges be closely controlled and monitored.

Regarding vendors: Access should be “on-request”

from the property and not from the vendor.

The property must initiate the remote access connection.

Logging should be embedded in the access tool used. Default ports should be changed. Remote access should be added to vendor agreements and

contracts. Hotel personnel trained to authenticate callers purporting to be

vendors requesting access for support – very important!

Best Practices:Network Remote Access

Regarding employees: Access should be “on-request”

from the employee, approved by the department head/EC member, with a valid reason for access.

Access should be granted only to those applications needed by the employee and not to the entire network, depending upon where payment applications reside.

Default ports should be changed.

A remote access program with strong authentication and logging should be used!

Best Practices:Network Operations

Maintain separation of guest and employee networks.

Insure that there are anti-virus subscriptions on all computers and that they are current!

See that security patches are applied regularly!Be alert for skimmers and keystroke loggers!Be alert for rogue software, PCs, and wireless or

USB devices!Use a laptop or smartphone to scan for rogue

devices.

Best Practices:Network Documentation PCI Compliance requires

significant levels of documen-tation, including 4 different types of self-assessment questionnaires (SAQs), dependent upon a property’s “merchant level” classification.

SAQ D is the most common type of SAQ.

The PCI Compliance Roundtable is examining new user-friendly types of the SAQs, including the SAQ D.

Best Practices:Network Documentation

Other types of PCI Compliance-based documentation that should be prepared include: Acceptable Use Policy; Backups and Disaster Recovery; Incident Response Plans; Merchant level deter-

mination letters from acquirers;

Proof of PCI PA-DSS Compliance letters from payment applications used; and

Network vulnerability scan reports.

Best Practices:Network Documentation

An sample user-friendly SAQ-D is here:

Microsoft Office Excel Worksheet

QUESTIONS

What Did You Think?

In order to help us create/provide a better HITEC

experience in the future, please take a second to fill out the short survey that will be sent to

you via e-mail at the end of the day.

And THANK YOU for attending HITEC!

Learn how HFTP membership can benefit you, visit www.hftp.org