PCI Compliance Roundtable Update Presented by the PCI Compliance Task Force PCI ROUNDTABLE GOALS... FURTHER PCI COMPLIANCE INITIATIVES ON BEHALF OF THE HOSPITALITY INDUSTRY Represent the Industry and liaison with the PCI Council, Card Brands, Homeland Security and other key stake holders to help promote and educate all parties on the Industry requirements and issues. Provide a forum for Industry collaboration to address the problems with PCI compliance and data security Develop educational programs and certifications to assist with compliance requirements and ultimately trying to eliminate data security breaches. Create an environment for the sharing and distribution of information and resources to help combat the data security issues facing the industry Develop and distribute “Industry Best Practices” for addressing the problem 1. CERTIFICATION PROGRAMS DEVELOP INDUSTRY FOCUSED CERTIFICATION PROGRAMS Create a form for establishing consistency among all areas of the compliance requirements for the Industry. HFTP to develop Hospitality Industry specific PCI certifications for the following: Forensics' QSA's ASV's Executive Management Middle Management Line Personnel (To be created in conjunction with the PCI Council and other 2. INDUSTRY FAQ FORUM DEVELOP A FREQUENTLY ASKED QUESTIONS (FAQ) FORUM TO BE POSTED AND UPDATED ONLINE Develop a Frequently Asked Questions (FAQ) for Hotels to address baseline questions on PCI compliance and QSA's. The FAQ's should be posted and updated regularly online on HFTP’s Website. (Forum answers to FAQ’s, to be addressed by PCI Council and HFTP certified / authorized professionals) 3. EDUCATION OF EXECUTIVE AND OWNERSHIP GROUPS CREATE AN EDUCATION INITIATIVE TARGETED AT OWNERS AND EXECUTIVES Create a targeted education program to educate Ownership Groups and Company Executives on the need to invest in PCI compliance and the ramifications of a breach both from a business perspective and cost. Focus is on investment in Operational and System security initiatives. 4. PROPERTY STAFF TRAINING MATERIALS DEVELOPMENT OF PROPERTY STAFF TRAINING MATERIALS Develop Power Points and staff training videos to be used at Hotel properties to educate new and existing staff on PCI Compliance operational procedures and the dangers of exposing the property to a breach. Training materials will also to be used to update new information for existing staff. 5. INDUSTRY ROADMAP FOR PCI COMPLIANCE DEVELOP AN INDUSTRY ROADMAP FOR ACHIEVING PCI COMPLIANCE Develop a Hospitality Industry focused Road Map to addressing the 12 PCI Compliance requirements that will take into account the nuances of the following: Software Hardware Operational Policies and Procedures The roadmap will focus on the fact that PCI Compliance is not just IT Driven… 6. ENCRYPTION TECHNOLOGY AND TOKENIZATION USE OF ENCRYPTION TECHNOLOGY AND TOKENIZATION Develop a program to educate the Industry and marketplace on the use of encryption technology and Tokenization. The program will focus on educating and informing Industry Merchants on the current technologies available in the marketplace and the ROI on investing in these technologies Additional focus will be targeted on the benefits of getting the data out of the Systems and Applications… 7. EDUCATION OF THE QSA’S FOCUS ON EDUCATING QSA'S ON INDUSTRY TECHNOLOGIES In general it is felt that many of the QSA's are not familiar with the current Hospitality Industry technologies available in the marketplace. This initiative would provide an avenue for addressing this concern and will assist in trying to standardize the approaches that QSA’s take towards ensuring their clients compliance requirements. One option may be to create a certification in conjunction with the PCI Council that focuses on the Hospitality Industry. 8. EDUCATION OF PCI REGULATORS EDUCATION OF REGULATORS ON HOSPITALITY INDUSTRY REQUIREMENTS Development of a program that will educate internal and external regulators such as CPA's and Internal Auditors of the specific issues affecting PCI compliance in the Hospitality Industry. HFTP will also work closely with the PCI Council and Card Brands to develop specific guidelines to address Industry concerns with regards to the compliance standards and requirements. Given that Hospitality is one of the most targeted Industries specific focus should be directed to the nuances of the applications, systems and operational requirements to help combat the problem. 9. WORKSHOPS TO ADDRESS SAQ’S ESTABLISH WORKSHOPS FOR WORKING THROUGH THE SELF ASSESSMENT QUESTIONNAIRE (SAQ) Many entities struggle with the correct approach for working through the Self Assessment Questionnaires (SAQ’s). Given the importance of these SAQ, it is vital that this be done with a level of consistency. Establish industry guidelines for working through this important document to ensure that the property or company is compliant or has an understanding of what it needs to address to become compliant. 10. HOTEL AND MGMT COMPANY CONCERNS DEVELOP A FORUM TO ADDRESS HOTEL AND MANAGEMENT COMPANY ISSUES IN REGARDS TO MULTIPLE PARTIES INVOLVED WITH THE OVERALL COMPLIANCE RESPONSIBILITY The issue of Brands and Mgmt Companies - How to address PCI where there are multiple parties to the overall compliance responsibility. What are the Owners responsibilities where they cannot affect the operational policies and procedures? How can PCI Compliance requirements be reflected from contractual perspectives? 11. FOSTER SHARING OF INFO ON KNOWN THREATS DISTRIBUTE LISTING OF LATEST THREATS AND OTHER HELPFUL INFORMATION ON A CONTROLLED INDUSTRY WEBSITE Formation of an online repository for the latest threats and information - The industry needs to SHARE information. This could include but is not limited to: Malware threats Common password breaches (Not mention the password but potentially the application provider) Security Software providers (List of most widely used) Monitoring services Industry recognized remediators Speed-up the process for distribution of latest malware threats to antivirus companies 12. TOP 10 FORENSIC / QSA RECOMMENDATIONS PUBLISH/DISTRIBUTE A "CURRENT" PCI FORENSIC / QSA LIST OF RECOMMENDATIONS (TOP 10 RECOMMENDATIONS) With hackers and criminals constantly working at creating new and innovative ways to breach networks and gain access to data. The Industry needs to stay ahead of the game and the certified Forensic and QSA companies are on the forefront of the latest methods be utilized by the “bad guys”. HFTP will work with the various companies to develop a “current” listing of the top 10 recommendations and distribute this listing to the Industry on regularly scheduled basis. The Top 10 list is meant to be highlight the areas that require the most attention and will assist with thwarting the majority of compromises. QUESTIONS? What Did You Think? In order to help us create/provide a better HITEC experience in the future, please take a second to fill out the short survey that will be sent to you via e-mail at the end of the day. And THANK YOU for attending HITEC! Learn how HFTP membership can benefit you, visit www.hftp.org