PCI Compliance Roundtable Update
Presented by the PCI Compliance Task Force
PCI ROUNDTABLE GOALS: FURTHER PCI COMPLIANCE INITIATIVES ON BEHALF OF THE HOSPITALITY INDUSTRY
Represent the Industry and liaise with the PCI Council, Card Brands, Homeland Security and other key stakeholders to help promote and educate all parties on the Industry's requirements and issues.
Provide a forum for Industry collaboration to address the problems with PCI compliance and data security
Develop educational programs and certifications to assist with compliance requirements, with the ultimate aim of eliminating data security breaches.
Create an environment for the sharing and distribution of information and resources to help combat the data security issues facing the industry
Develop and distribute “Industry Best Practices” for addressing the problem
1. CERTIFICATION PROGRAMS
DEVELOP INDUSTRY FOCUSED CERTIFICATION PROGRAMS
Create a forum for establishing consistency among all areas of the compliance requirements for the Industry. HFTP to develop Hospitality Industry specific PCI certifications for the following:
Forensic investigators
QSAs
ASVs
Executive Management
Middle Management
Line Personnel
(To be created in conjunction with the PCI Council and other
2. INDUSTRY FAQ FORUM
DEVELOP A FREQUENTLY ASKED QUESTIONS (FAQ) FORUM TO BE POSTED AND UPDATED ONLINE
Develop a Frequently Asked Questions (FAQ) list for Hotels to address baseline questions on PCI compliance and QSAs. The FAQs should be posted and updated regularly online on HFTP's Website.
(Answers to the FAQs to be provided by the PCI Council and HFTP certified / authorized professionals)
3. EDUCATION OF EXECUTIVE AND OWNERSHIP GROUPS
CREATE AN EDUCATION INITIATIVE TARGETED AT OWNERS AND EXECUTIVES
Create a targeted education program to educate Ownership Groups and Company Executives on the need to invest in PCI compliance and on both the business and the cost ramifications of a breach. Focus is on investment in Operational and System security initiatives.
4. PROPERTY STAFF TRAINING MATERIALS
DEVELOPMENT OF PROPERTY STAFF TRAINING MATERIALS
Develop PowerPoint decks and staff training videos to be used at Hotel properties to educate new and existing staff on PCI Compliance operational procedures and the dangers of exposing the property to a breach. The training materials will also be used to deliver updated information to existing staff.
5. INDUSTRY ROADMAP FOR PCI COMPLIANCE
DEVELOP AN INDUSTRY ROADMAP FOR ACHIEVING PCI COMPLIANCE
Develop a Hospitality Industry focused Road Map for addressing the 12 PCI Compliance requirements that will take into account the nuances of the following:
Software
Hardware
Operational Policies and Procedures
The roadmap will focus on the fact that PCI Compliance is not just IT Driven…
6. ENCRYPTION TECHNOLOGY AND TOKENIZATION
USE OF ENCRYPTION TECHNOLOGY AND TOKENIZATION
Develop a program to educate the Industry and marketplace on the use of encryption technology and Tokenization. The program will focus on educating and informing Industry Merchants on the current technologies available in the marketplace and the ROI on investing in these technologies.
Additional focus will be targeted on the benefits of getting the data out of the Systems and Applications…
7. EDUCATION OF THE QSA’S
FOCUS ON EDUCATING QSA'S ON INDUSTRY TECHNOLOGIES
In general it is felt that many QSAs are not familiar with the current Hospitality Industry technologies available in the marketplace. This initiative would provide an avenue for addressing this concern and will assist in standardizing the approaches that QSAs take towards ensuring their clients' compliance requirements are met.
One option may be to create a certification in conjunction with the PCI Council that focuses on the Hospitality Industry.
8. EDUCATION OF PCI REGULATORS
EDUCATION OF REGULATORS ON HOSPITALITY INDUSTRY REQUIREMENTS
Development of a program that will educate internal and external regulators, such as CPAs and Internal Auditors, on the specific issues affecting PCI compliance in the Hospitality Industry.
HFTP will also work closely with the PCI Council and Card Brands to develop specific guidelines to address Industry concerns with regards to the compliance standards and requirements.
Given that Hospitality is one of the most targeted Industries, specific focus should be directed to the nuances of the applications, systems and operational requirements to help combat the problem.
9. WORKSHOPS TO ADDRESS SAQ’S
ESTABLISH WORKSHOPS FOR WORKING THROUGH THE SELF ASSESSMENT QUESTIONNAIRE (SAQ)
Many entities struggle with the correct approach for working through the Self Assessment Questionnaires (SAQs). Given the importance of these SAQs, it is vital that this be done with a level of consistency.
Establish industry guidelines for working through this important document to ensure that the property or company is compliant or has an understanding of what it needs to address to become compliant.
10. HOTEL AND MGMT COMPANY CONCERNS
DEVELOP A FORUM TO ADDRESS HOTEL AND MANAGEMENT COMPANY ISSUES WHERE MULTIPLE PARTIES SHARE THE OVERALL COMPLIANCE RESPONSIBILITY
The issue of Brands and Mgmt Companies: how to address PCI where multiple parties share the overall compliance responsibility.
What are the Owner's responsibilities where they cannot affect the operational policies and procedures?
How can PCI Compliance requirements be reflected from contractual perspectives?
11. FOSTER SHARING OF INFO ON KNOWN THREATS
DISTRIBUTE A LISTING OF THE LATEST THREATS AND OTHER HELPFUL INFORMATION ON A CONTROLLED INDUSTRY WEBSITE
Formation of an online repository for the latest threats and information. The industry needs to SHARE information. This could include, but is not limited to:
Malware threats
Common password breaches (do not name the password, but potentially the application provider)
Security Software providers (list of the most widely used)
Monitoring services
Industry recognized remediators
Speed-up the process for distribution of latest malware threats to antivirus companies
12. TOP 10 FORENSIC / QSA RECOMMENDATIONS
PUBLISH/DISTRIBUTE A "CURRENT" PCI FORENSIC / QSA LIST OF RECOMMENDATIONS (TOP 10 RECOMMENDATIONS)
Hackers and criminals are constantly working at creating new and innovative ways to breach networks and gain access to data. The Industry needs to stay ahead of the game, and the certified Forensic and QSA companies are at the forefront of the latest methods being used by the "bad guys". HFTP will work with the various companies to develop a "current" listing of the top 10 recommendations and distribute this listing to the Industry on a regularly scheduled basis.
The Top 10 list is meant to highlight the areas that require the most attention and will assist with thwarting the majority of compromises.
QUESTIONS?
And THANK YOU for attending HITEC!
Learn how HFTP membership can benefit you, visit www.hftp.org