Since 2005 hoteliers have been listening, or not, to the imperatives from the major credit card brands collectively known as “PCI compliance.” Lodging has covered PCI in detail before (“It’s in the Cards,” May 2007).
The standards themselves have kept evolving, however: a new version was released recently, and Visa has published an updated, aggressive enforcement strategy aimed specifically at the computer systems that process credit card transactions. These developments warrant a fresh look at PCI.
PCI and PCI DSS Defined The Payment Card Industry Security Standards Council (SSC) is a nonprofit organization established and controlled by the major card brands: Visa, American Express, MasterCard, Discover and JCB. Other firms may join the council as participating organizations for a fee, but the founding brands remain firmly in control.
The council exists to promote the Data Security Standard, to educate merchants, software developers and the public on data security, and to oversee the newer participants in the process, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs). Most observers agree that the overarching objective of the card brands in launching this broad initiative is to protect consumers’ faith in the global payment card system, so that people continue to use their cards to spend, which creates transaction fees for the brands and drives revenues. This level of proactive and aggressive self-regulation by the industry may also forestall further legislative regulation intended to protect consumers.
The PCI Security Standards Council owns the PCI Data Security Standard (PCI DSS), a set of 12 major requirements that, taken together, define what the card brands consider a secure environment for handling sensitive cardholder data. Those 12 major requirements break down into more than 200 specific sub-requirements.
Reviewing the specifics of the requirements is beyond the scope of this article, but the AH&LA publication The Payment Card Industry Compliance Process for Lodging Establishments goes into great detail on planning and executing the compliance journey for a hotel.
Achieving Compliance Hotel companies of all sizes have been working toward compliance for a number of years, and some have achieved it. Some of these companies were surprised by the release in October of last year of version 1.2 of the standard. On the surface, most of the changes in version 1.2 appear to be clarifications, and in some cases simplifications. The SSC also consolidated the standard and the audit procedures used to test compliance into a single document.
Some of the modifications will nevertheless have a substantial impact on particular hotel companies. Hotel enterprises running large-scale Wide Area Networks (primarily for CRS communications) will find some challenges in segmenting and segregating network traffic to protect communications carrying cardholder data. Hotels using wireless networks to carry cardholder data may need to upgrade the encryption protocol in use, since version 1.2 phases out WEP in favor of stronger wireless encryption.
More important than the changes themselves, hotel companies that have begun their compliance initiatives in earnest should continue them. With the exception of the large hoteliers, many hotel companies have not yet begun a meaningful compliance effort. They have simply ignored it, or assumed that it was someone else’s responsibility.
Chris Zoladz, vice president of information protection and privacy for Marriott International, observes, “Some franchisees assume that a franchisor handles it all for them. While there may be some dependence on the franchisor for compliance of systems that the franchisee uses but the franchisor controls, learning that they are responsible for the compliance of everything else becomes an awakening.”
Likewise, hoteliers cannot assume that system vendors will make them compliant simply because they sold them a system with a credit card processing module. As Zoladz says, the merchant is responsible for compliance. For a number of years, Visa administered a program called Payment Application Best Practices (PABP), which certified payment applications (such as a Property Management System, Central Reservations System or Point of Sale system) as supporting compliance with the Data Security Standard, provided the merchant installed and maintained them according to the DSS and the vendor’s implementation guide. Responsibility for this certification has since been transitioned to the Security Standards Council and renamed the Payment Application Data Security Standard, or PA-DSS.
For a software vendor to earn PA-DSS certification, it must engage a Qualified Security Assessor that the SSC has specifically certified to assess payment applications (a PA-QSA). The assessor examines the application’s source code and data storage to ensure that prohibited sensitive authentication data (full magnetic-stripe track data, card-validation codes and PINs) is never retained after authorization, that card numbers are rendered unreadable wherever they are stored, and that they are masked on screens and in reports, among other DSS requirements. All software applications that process credit card numbers and are sold or licensed to third parties are subject to certification, and must be re-certified annually.
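The two checks just described, masking a card number for display and confirming that no full track data survives in stored records, are concrete enough to show in code. The following Python is an added illustration written for this article’s reader; it is not code from the article, the SSC, or any vendor. It masks a PAN to the first six and last four digits, the maximum that PCI DSS requirement 3.3 permits to be shown, and scans an export of application records for magnetic-stripe track 1 and track 2 data, reporting any hit with the PAN already masked so the finding itself is safe to log. The sample records are constructed for the example, the test PAN 4111 1111 1111 1111 is a standard non-live test number, and the function names and the narrow track-data patterns are this example’s own assumptions rather than anything the standard defines.

```python
import re

# Track 1 (ISO 7813, format B): %B<PAN>^<NAME>^<YYMM><service code>...?
# Track 2:                      ;<PAN>=<YYMM><service code>...?
# These patterns are a deliberately narrow approximation for this example;
# a production scanner would also look for CVV2/CVC2 values and PIN blocks.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to reduce false positives when a digit run is found."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display. First six and last four are the most that
    PCI DSS requirement 3.3 allows to be shown; the rest becomes '*'."""
    digits = "".join(c for c in pan if c.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    if lead > 6 or trail > 4:
        raise ValueError("PCI DSS 3.3 permits at most first six and last four")
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]


def find_track_data(text: str) -> list:
    """Return (line number, track kind, masked PAN) for each line of an
    export that still holds full track data after authorization."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    hits.append((lineno, kind, mask_pan(m.group(1))))
    return hits


# Constructed sample export (hypothetical PMS folio records): one properly
# masked record, then two records that wrongly retained raw swipe data.
SAMPLE_EXPORT = "\n".join([
    "folio=1001 guest=DOE/JOHN pan=411111******1111 auth=OK",
    "folio=1002 swipe=%B4111111111111111^DOE/JOHN^25121011000000000?",
    "folio=1003 swipe=;4111111111111111=25121011000000000?",
])

if __name__ == "__main__":
    for lineno, kind, masked in find_track_data(SAMPLE_EXPORT):
        print(f"line {lineno}: {kind} data present for PAN {masked}")
```

Run against the constructed export, the scanner flags folio 1002 (track 1) and folio 1003 (track 2) while passing the masked record, which is exactly the distinction an assessor draws: a masked or encrypted PAN may be kept, full track data may not.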
Responsibilities and Costs As with the overall PCI DSS, the PA-DSS standard is owned by the Security Standards Council but enforced by the card brands. Visa has published a five-phase compliance cycle. (See adjacent box.)
In Phase V of the compliance cycle, acquirers are required to ensure that all merchants and agents use only PA-DSS compliant applications. The mandate does not specifically require certification, but if an application is not certified, the burden of proving its compliance falls on the merchant and acquirer.
For a hotel company, this means that every PMS and POS installed today must, by July 1, 2010, either be certified as PA-DSS compliant, be proven compliant by the merchant to the satisfaction of the acquirer, or be replaced. Otherwise the property must stop processing credit cards, at least Visa cards.
The costs and managerial implications of this mandate are substantial, especially for larger organizations with potentially many third-party systems that must each be shown to meet the standard or be replaced. Marriott’s Zoladz wryly describes the impact as “not trivial” to hotel companies, and goes on to say “The intentions here are good, but seem to lead to unintended consequences for merchants. The costs for operators can be extremely high on a relative scale, especially considering the forced replacement of what is an otherwise effective system with a long usable life remaining, or the burden of ensuring that a not-certified product otherwise satisfies the PCI DSS requirements.”
While some hotel companies may be able to work with their QSA to minimize the number of wholesale system replacements, a lot of hotel companies will be buying a lot of PMS, POS and other applications in 2010.
Adding up the impact of the new version of the standard and the scheduled enforcement of the payment application standard, what does the hotelier do? Simply put, the best advice is to continue on the compliance journey.
Mark G. Haley, CHTP is a partner at The Prism Partnership LLC, a Boston-based consultancy servicing the global hospitality industry in technology and marketing.
Understanding the Standards The key things to understand about the PCI Data Security Standard include:
• It is the merchant’s responsibility to comply with the standard.
• All merchants that accept credit cards, regardless of size, are obligated to comply with all of the standard’s requirements.
• Compliance includes validating it to the merchant’s credit card acquirer. How that is done depends on the merchant’s transaction volume: most hotels file a Self-Assessment Questionnaire, often prepared with the assistance of a Qualified Security Assessor (QSA), while the highest-volume merchants need an annual on-site assessment by a QSA; quarterly external network scans by an Approved Scanning Vendor (ASV) are also required.
• Although the standard is owned by the PCI Security Standards Council, enforcement is done exclusively by the card brands, acting through the acquiring banks.
• The brands enforce compliance by fining acquirers, who then pass the fines on to the offending merchant.