I saw this article today on PCI compliance in the hotel/hospitality/resort industry, and I thought I'd pass it along to all of you. The author seems to know the industry, and his advice fits with my own experience. Some of the specific suggestions (and my comments) are:
- Are users automatically logged off after a maximum of 10-15 minutes of inactivity? (This is a good practice...actually, 10 minutes seems pretty long. Better yet, make sure this applies to all terminals throughout the property...yes, even Housekeeping.)
- Is all card holder data in folios, receipts and reports masked with maximum 4 - 6 digits appearing? (Masking is good and should be used for all reports and screens except in very few cases. This is spelled out in PCI. If masking is good, truncation would be even better.)
- Is card holder data masked or encrypted within the database? (PCI requires that all cardholder data be rendered unreadable. Usually, this means encryption. I'd add here that encryption is a good start, but restricting who has access to the data -- also mandated by PCI -- is pretty important too. BTW, did I mention all the fun you now get to have with the rest of Requirement 3 like key management...?)
- Is track data or card verification codes encrypted within the database? (OMG! OK, OK, I'm calming down...sort of. If you keep the security codes, don't encrypt them...PURGE THEM. These codes are sensitive authentication data and you are not to retain them; ever; no, really: ever.)
Read the article.
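As an added illustration of the masking and sensitive-data points above (example code, not from the article or its author): a small Python scanner that finds Luhn-valid card numbers in constructed folio/receipt lines, masks them to first six/last four, and flags track-2 data that should never have been stored. The sample lines, the public test PANs and the track-2 layout are constructed for this example.

```python
import re

# Constructed example: find unmasked PANs in folio/receipt text, mask them to
# first 6 / last 4, and flag track-2 data (which must be purged, not masked).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
TRACK2_RE = re.compile(r";\d{13,19}=\d{7,}\?")                 # ;PAN=YYMM<service code>...?

def luhn_valid(digits: str) -> bool:
    """Mod-10 check; weeds out folio or confirmation numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Show at most the first `lead` and last `trail` digits (PCI DSS Requirement 3 masking)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]

def scan_line(line: str) -> dict:
    """Return the redacted line plus what was found: Luhn-valid PANs and any track-2 data."""
    findings = {"pans": [], "track2": bool(TRACK2_RE.search(line)), "redacted": line}
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)           # not a card number, leave it alone
        findings["pans"].append(digits)
        return mask_pan(digits)
    findings["redacted"] = PAN_RE.sub(_sub, line)
    return findings

# Constructed sample folio lines (4111... and 3782... are public test PANs)
SAMPLE_FOLIO = [
    "Folio 1234567890123456  Room 412  Guest: J. Doe",
    "Payment VISA 4111 1111 1111 1111 exp 12/29  $412.50",
    "Payment AMEX 378282246310005  $88.00",
    "RAW: ;4111111111111111=29121011234567891?",
]

if __name__ == "__main__":
    for line in SAMPLE_FOLIO:
        r = scan_line(line)
        print(r["redacted"], "| PANs:", len(r["pans"]), "| track2:", r["track2"])
```

A hit on `track2` is a finding to escalate and purge, not something to mask and move on from.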