Tuesday, October 6, 2009

Your Campus Hotel and PCI

I have been working with and talking to a number of schools recently that operate hotels on campus. These hotel operations face particular PCI compliance challenges due to the nature of the hotel business. That is, they hold lots of cardholder data, like the PAN, for reservations (and to charge you that $2 for the bottle of water from the minibar...), and they even retain (occasionally intentionally) security codes (CVV2/CVC2). Because they store cardholder data electronically, these operations can forget about any of the simplified SAQs; they get to fill out SAQ D or, if their transaction volume is high enough, they require an on-site assessment by a QSA.

I saw this article today on PCI compliance in the hotel/hospitality/resort industry, and I thought I'd pass it along to all of you. The author seems to know the industry, and his advice fits with my own experience. Some of the specific suggestions (and my comments) are:

  • Are users automatically logged off after a maximum 10 - 15 minutes (max) of inactivity? (This is a good practice, and PCI sets 15 minutes as the outer limit...actually, 10 minutes seems pretty long for a front desk terminal that is left unattended. Better yet, make sure this applies to all terminals throughout the property...yes, even Housekeeping.)

  • Is all card holder data in folios, receipts and reports masked with maximum 4 - 6 digits appearing? (Masking is good and should be used for all reports and screens except in the very few cases where a business need for the full PAN exists. PCI spells this out: at most the first six and last four digits may be displayed. Masking only affects what is displayed, though; the full PAN is still sitting in the database. If masking is good, truncation, which permanently removes the digits from what you store, would be even better.)

  • Is card holder data masked or encrypted within the database? (PCI requires that the PAN be rendered unreadable anywhere it is stored. Usually, this means encryption, though truncation, one-way hashing and tokenization are also accepted. I'd add here that encryption is a good start, but restricting who has access to the data -- also mandated by PCI -- is pretty important too, since encryption does nothing against someone whose application account can decrypt on demand. BTW, did I mention all the fun you now get to have with the rest of Requirement 3 like key management...?)

  • Is track data or card verification codes encrypted within the database? (OMG! OK, OK, I'm calming down...sort of. If you keep the security codes or track data, don't encrypt them...PURGE THEM. These are sensitive authentication data, and you are not to retain them after authorization, encrypted or not; ever; no, really: ever.)
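To make the masking, truncation and purge points above concrete, here is an added example (mine, not code from the article or from any property management system) that masks a PAN the way PCI DSS 3.3 allows, truncates it for storage, scans report text for track data and security codes that should never have been written, and strips those fields from a folio record. The folio layout, field names and the report line are constructed test data using the well-known Visa test PAN 4111 1111 1111 1111; the track and CVV patterns are heuristics, not a complete detector.

```python
"""Mask, truncate and purge card data in a hotel folio record (added example).

Constructed test data only; the record layout and field names are assumptions,
not any real PMS schema.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real PAN from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Display masking per PCI DSS 3.3: at most the first six and last four digits shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    if lead > 6 or trail > 4:
        raise ValueError("PCI DSS 3.3 allows at most first six / last four")
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only the last four digits; the rest is gone for good."""
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


# Heuristic patterns for sensitive authentication data (SAD), which must not be
# stored after authorization even if encrypted (PCI DSS 3.2).
SAD_PATTERNS = {
    "track1": re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}"),   # %B<PAN>^<NAME>^<YYMM>...
    "track2": re.compile(r";\d{13,19}=\d{4}"),                 # ;<PAN>=<YYMM>...
    "cvv": re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|cav2|security[ _-]?code)\b\s*[:=]\s*\d{3,4}\b"),
}


def find_sad(text: str) -> list[str]:
    """Return the sorted kinds of SAD found in a report line, log entry or dump."""
    return sorted(name for name, pat in SAD_PATTERNS.items() if pat.search(text))


# Field names a PMS might use for SAD (assumed names for this example).
SAD_KEYS = {"cvv", "cvv2", "cvc2", "cid", "security_code", "track1", "track2"}


def sanitize_folio(record: dict) -> dict:
    """Return a copy fit for a folio or report: PAN masked, SAD fields purged, not encrypted."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SAD_KEYS:
            continue                      # purge; encrypting would still be a violation
        if key.lower() == "pan":
            clean[key] = mask_pan(str(value))
        else:
            clean[key] = value
    return clean


# Constructed sample: a folio record and an authorization report line as a PMS might write them.
SAMPLE_FOLIO = {
    "guest": "DOE/JANE",
    "room": "412",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cvv2": "123",
    "charges": [("minibar water", 2.00)],
}
SAMPLE_REPORT_LINE = "AUTH OK ;4111111111111111=2512101123456789? cvv2=123 folio=412"

if __name__ == "__main__":
    print(sanitize_folio(SAMPLE_FOLIO))
    print("SAD found in report:", find_sad(SAMPLE_REPORT_LINE))
```

Running `find_sad` over exported reports, night-audit logs and database dumps is a cheap way to find out whether the property is retaining track data or security codes before the QSA does; anything it flags is material to delete, not to encrypt.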

As you are working on PCI compliance on your campus, take a look at that industry's own needs and remember Conway's Laws of PCI: Law 1 - your costs have gone up, so deal with it; Law 2 - you will change the way you do business.

Read the article.
