PCI Compliance Roundtable Initiatives

PCI Compliance Roundtable Update
Presented by the PCI Compliance Task Force
PCI ROUNDTABLE GOALS: FURTHER PCI COMPLIANCE INITIATIVES ON BEHALF OF THE HOSPITALITY INDUSTRY

• Represent the Industry and liaise with the PCI Council, Card Brands, Homeland Security and other key stakeholders to help promote and educate all parties on the Industry's requirements and issues.
• Provide a forum for Industry collaboration to address the problems with PCI compliance and data security.
• Develop educational programs and certifications to assist with compliance requirements and, ultimately, to eliminate data security breaches.
• Create an environment for the sharing and distribution of information and resources to help combat the data security issues facing the Industry.
• Develop and distribute “Industry Best Practices” for addressing the problem.
1. CERTIFICATION PROGRAMS
DEVELOP INDUSTRY-FOCUSED CERTIFICATION PROGRAMS

Create a forum for establishing consistency among all areas of the compliance requirements for the Industry. HFTP is to develop Hospitality Industry-specific PCI certifications for the following:
• Forensics
• QSAs
• ASVs
• Executive Management
• Middle Management
• Line Personnel
(To be created in conjunction with the PCI Council and other
2. INDUSTRY FAQ FORUM
DEVELOP A FREQUENTLY ASKED QUESTIONS (FAQ) FORUM TO BE POSTED AND UPDATED ONLINE

Develop a Frequently Asked Questions (FAQ) list for Hotels to address baseline questions on PCI compliance and QSAs. The FAQs should be posted and updated regularly online on HFTP's Website.
(Forum answers to the FAQs are to be provided by PCI Council and HFTP certified / authorized professionals.)
3. EDUCATION OF EXECUTIVE AND OWNERSHIP GROUPS
CREATE AN EDUCATION INITIATIVE TARGETED AT OWNERS AND EXECUTIVES

Create a targeted education program to educate Ownership Groups and Company Executives on the need to invest in PCI compliance and on the ramifications of a breach, from both a business and a cost perspective.
The focus is on investment in Operational and System security initiatives.
4. PROPERTY STAFF TRAINING MATERIALS
DEVELOPMENT OF PROPERTY STAFF TRAINING MATERIALS

Develop PowerPoint presentations and staff training videos to be used at Hotel properties to educate new and existing staff on PCI Compliance operational procedures and on the dangers of exposing the property to a breach.
The training materials will also be used to deliver new information to existing staff.
5. INDUSTRY ROADMAP FOR PCI COMPLIANCE
DEVELOP AN INDUSTRY ROADMAP FOR ACHIEVING PCI COMPLIANCE

Develop a Hospitality Industry-focused Roadmap for addressing the 12 PCI Compliance requirements that takes into account the nuances of the following:
• Software
• Hardware
• Operational Policies and Procedures
The roadmap will emphasize that PCI Compliance is not just IT driven…
6. ENCRYPTION TECHNOLOGY AND TOKENIZATION
USE OF ENCRYPTION TECHNOLOGY AND TOKENIZATION

Develop a program to educate the Industry and the marketplace on the use of encryption technology and Tokenization. The program will focus on educating and informing Industry Merchants on the current technologies available in the marketplace and on the ROI of investing in these technologies.
Additional focus will be placed on the benefits of getting the data out of the Systems and Applications…
7. EDUCATION OF THE QSAs
FOCUS ON EDUCATING QSAs ON INDUSTRY TECHNOLOGIES

In general, it is felt that many QSAs are not familiar with the current Hospitality Industry technologies available in the marketplace. This initiative would provide an avenue for addressing this concern and would assist in standardizing the approaches that QSAs take towards verifying their clients' compliance requirements.

One option may be to create a certification, in conjunction with the PCI Council, that focuses on the Hospitality Industry.
8. EDUCATION OF PCI REGULATORS
EDUCATION OF REGULATORS ON HOSPITALITY INDUSTRY REQUIREMENTS

Development of a program that will educate internal and external regulators, such as CPAs and Internal Auditors, on the specific issues affecting PCI compliance in the Hospitality Industry.

HFTP will also work closely with the PCI Council and Card Brands to develop specific guidelines that address Industry concerns regarding the compliance standards and requirements.
Given that Hospitality is one of the most targeted Industries, specific focus should be directed at the nuances of its applications, systems and operational requirements to help combat the problem.
9. WORKSHOPS TO ADDRESS SAQs
ESTABLISH WORKSHOPS FOR WORKING THROUGH THE SELF ASSESSMENT QUESTIONNAIRE (SAQ)

Many entities struggle with the correct approach to working through the Self Assessment Questionnaires (SAQs). Given the importance of these SAQs, it is vital that they be completed with a level of consistency.
Establish Industry guidelines for working through this important document to ensure that the property or company is compliant, or understands what it needs to address to become compliant.
10. HOTEL AND MANAGEMENT COMPANY CONCERNS
DEVELOP A FORUM TO ADDRESS HOTEL AND MANAGEMENT COMPANY ISSUES IN REGARDS TO MULTIPLE PARTIES INVOLVED WITH THE OVERALL COMPLIANCE RESPONSIBILITY

The issue of Brands and Management Companies: how to address PCI where multiple parties share the overall compliance responsibility.
What are the Owners' responsibilities where they cannot affect the operational policies and procedures?
How can PCI Compliance requirements be reflected from a contractual perspective?
11. FOSTER SHARING OF INFO ON KNOWN THREATS
DISTRIBUTE A LISTING OF THE LATEST THREATS AND OTHER HELPFUL INFORMATION ON A CONTROLLED INDUSTRY WEBSITE

Formation of an online repository for the latest threats and information: the Industry needs to SHARE information. This could include, but is not limited to:
• Malware threats
• Common password breaches (without naming the password, but potentially naming the application provider)
• Security Software providers (list of the most widely used)
• Monitoring services
• Industry-recognized remediators
• Speeding up the distribution of the latest malware threats to antivirus companies
12. TOP 10 FORENSIC / QSA RECOMMENDATIONS
PUBLISH/DISTRIBUTE A "CURRENT" PCI FORENSIC / QSA LIST OF RECOMMENDATIONS (TOP 10 RECOMMENDATIONS)

With hackers and criminals constantly working at creating new and innovative ways to breach networks and gain access to data, the Industry needs to stay ahead of the game, and the certified Forensic and QSA companies are at the forefront of the latest methods being utilized by the “bad guys”. HFTP will work with the various companies to develop a “current” listing of the top 10 recommendations and distribute this listing to the Industry on a regularly scheduled basis.
The Top 10 list is meant to highlight the areas that require the most attention and will assist in thwarting the majority of compromises.
QUESTIONS?
What Did You Think?
In order to help us create/provide a better HITEC experience in the future, please take a second to fill out the short survey that will be sent to you via e-mail at the end of the day.
And THANK YOU for attending HITEC!
Learn how HFTP membership can benefit you: visit www.hftp.org