Understanding PCI Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a set of internationally recognized policies and procedures for businesses that process, store or transmit payment card data. These standards are managed by the PCI Security Standards Council – a global forum for the payments industry to maintain ongoing data protections.
First, to understand PCI DSS, one must understand PCI more broadly. PCI stands for the Payment Card Industry, comprising all debit, credit, prepaid, e-wallet, ATM and POS cards and their associated businesses and infrastructure. Companies across this global ecosystem came together to form the PCI Security Standards Council in an effort to mutually protect sensitive cardholder information.
The Council develops and promotes industry tools, measurements, and benchmarks in the form of PCI Security Standards so that all constituents uphold strong defenses. These comprehensive standards apply to the full lifecycle – from designing hardware and software to transmitting and even destroying data. Adhering to them is essential for reducing fraud and retaining consumer trust.
The Role of PCI DSS
PCI DSS forms the backbone of the Council’s security standards. Officially, PCI DSS consists of 12 overarching requirements related to payment systems and data flows, broken into more granular sub-requirements that provide specifics. It applies to all entities that store, process, or transmit cardholder data and/or impact the security of that data – including hotels.
Some examples of PCI DSS requirements include:
– Building and maintaining secure payment system networks
– Protecting stored cardholder information
– Encrypting data sent across networks
– Limiting access to systems based on necessity
– Identifying and patching vulnerabilities
Combined, these requirements aim to protect payment systems and customers’ sensitive information from compromise. New system deployments must be compliant from inception, and existing systems must be brought into alignment as well.
PCI DSS does not exist in isolation. It ties closely to other Council standards like PIN security requirements, PA DSS for payment software/hardware, and PCI 3DS for 3D Secure transactions. However, DSS lays the overall compliance foundation.
The PCI DSS Journey
Since inception in 2004, PCI DSS has aimed to keep pace with security threats and technology shifts like cloud. Milestone updates occur every 3 years on average. Each new version deprecates older security protocols and introduces additional protections regarding emerging channels and threats.
PCI DSS 1.0 – The original standard focused largely on defining high-level objectives like encryption and firewall usage for securing card data.
PCI DSS 2.0 (2010) – An enhanced standard that brought in concepts like hardening of password policies and changing data protection requirements to deter new attacks.
PCI DSS 3.0 (2013) – With exponential growth in malware and cybercrime, extensive new guidance was added for vulnerability management, penetration testing and improved encryption.
PCI DSS 3.2 (2016) – Recognizing looming threats, this update prepared merchants for migration deadlines to replace outdated protocols that grew vulnerable.
What Arrives with PCI DSS 4.0
Now planned for 2024, PCI DSS 4.0 represents one of the largest modernizations ever of the standard. It has been in the works since 2016, aiming to address emerging channels like mobile and mitigate sophisticated threats to card data.
Several high-level themes span the updates in PCI DSS 4.0:
Enhanced Multi-factor Authentication
MFA will now be required in most places where formerly only passwords sufficed, across personnel, administrators and third parties. This protects access and bolsters identity assurance.
Supply Chain & Third-Party Security
With third parties such as vendors now major targets for attackers, PCI DSS 4.0 significantly expands mandates around policing supplier security.
Focus on Initial System Design
PCI DSS 4.0 emphasizes “secure by design” principles – building in security at the start of development cycles via best practices.
Emerging Technology Guidance
Recognizing changing tech like cloud and cryptographic advances, PCI DSS 4.0 prepares merchants with guidance to apply security diligently across new domains.
As PCI compliance is not “one and done”, merchants like hotels should not view updates as optional. They must implement any new PCI DSS 4.0 requirements that are relevant to their business by the associated compliance deadline – which stands roughly 18 months after the release of PCI DSS 4.0.
Obligations for Hotels Under PCI DSS
Hotels, like all hospitality merchants handling payments, fall under the jurisdiction of PCI standards. This encompasses systems like point-of-sale (POS) terminals, property management systems, payment kiosks, booking engines as well as networks transmitting card data.
Based on transaction volume, merchants have different PCI compliance levels which dictate validation needs like scans and audits. Most hotels sit at Level 3 – requiring annual completion of PCI DSS compliance checklist self-assessments, network scans by Approved Scanning Vendors (ASVs) and potential periodic external vulnerability scans. Hotels must prove all relevant PCI requirements are effectively met and sustain protections between reviews.
Preparing for PCI DSS 4.0: Where to Begin
Transitioning to PCI DSS 4.0 warrants significant preparation given expanding requirements. Where should hotel leadership begin?
Establish a Core Compliance Team
A dedicated cross-department team including key IT stakeholders can determine how the hotel processes, stores and transmits card data, liaise with internal teams and vendors, and gauge PCI DSS readiness and the areas needing enhancement. Leadership backing is vital, since security needs buy-in across functions.
Conduct Gap Assessment
A gap assessment benchmarks existing payment infrastructure and security policies against PCI DSS 4.0 requirements. This identifies where the hotel falls short and must augment defenses. Enlisting a specialized PCI compliance company to facilitate is advisable.
Detail a Roadmap
Catalog every area not meeting 4.0 requirements based on the gap assessment. Construct a comprehensive roadmap to address gaps – encompassing policy changes, vendor assessments, solution deployments and proof of compliance. Continue measuring progress against defined targets.
Achieving PCI DSS 4.0 Readiness
With PCI DSS advancing considerably to address modern threats and channels, where precisely should hotels concentrate compliance efforts? We outline hotel-relevant requirements and solutions.
Encryption and Key Management Revisited
The Issue: Outdated encryption previously thought adequate is now at higher risk for exploitation. Mismanaged and improperly secured keys weaken overall data protection.
– PCI DSS 4.0 will likely formally deprecate older encryption options (3DES, TLS 1.1, RC4) used to protect card data, requiring migration by set timelines. DESFire EV1 crypto will see acceptance.
– More frequent encryption key changes will be mandated along with central, automated key management. Keys themselves must have secured storage and access controls.
– Update payment system encryption protocols to leverage AES, TLS 1.2+ or other PCI Council-approved ciphers at minimum.
– Evaluate current key management practices; adopt a hierarchical model with master key oversight by a dedicated team. Automate key propagation and rotation, especially for keys securing data at rest.
– Implement access controls and auditing capabilities around encryption keys. Securely store keys in a hardened, access-controlled environment like an HSM.
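As an added illustration of the protocol points above (this is example code written for this article, not tooling from the PCI Council or from any hotel vendor), the following Python script does two things a compliance team can run offline: it audits an nginx-style TLS configuration fragment for deprecated protocol versions and cipher markers (TLS 1.0/1.1, RC4, 3DES and similar), and it builds a server-side TLS context with TLS 1.2 as the floor and only forward-secret AES-GCM/ChaCha20 suites enabled, then confirms no deprecated suite survives. The configuration sample is constructed for the example; the cipher string and the deprecated-token lists are the author of this example's choices, not a PCI-mandated list.

```python
import re
import ssl

# Protocol versions and cipher markers treated as deprecated here: the ones the article names
# (TLS 1.1, RC4, 3DES) plus older SSL versions and null/MD5/export suites any modern baseline excludes.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT")


def hardened_server_context() -> ssl.SSLContext:
    """Build a server-side TLS context with TLS 1.2 as the minimum and AEAD-only cipher suites."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange with AES-GCM or ChaCha20-Poly1305; weaker suites are excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled cipher suites that match a deprecated marker."""
    return [
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"].upper() for marker in WEAK_CIPHER_MARKERS)
    ]


def hardened_context_summary() -> dict:
    """Summarise the hardened context so the result can be checked without touching ssl directly."""
    ctx = hardened_server_context()
    return {"minimum_version": ctx.minimum_version.name, "weak_suites": weak_ciphers_enabled(ctx)}


def audit_tls_config(config_text: str) -> list:
    """Scan an nginx-style TLS config and return (line_number, token) findings for deprecated settings."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for token in filter(None, re.split(r"[\s;:,]+", line.strip())):
            if token.startswith("!"):
                continue  # "!RC4" is an exclusion in a cipher string, not an enabled suite
            if token in WEAK_PROTOCOLS or any(m in token.upper() for m in WEAK_CIPHER_MARKERS):
                findings.append((lineno, token))
    return findings


# Constructed sample: a legacy configuration that still permits TLS 1.0, TLS 1.1 and RC4.
SAMPLE_CONFIG = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:RC4:!aNULL:!MD5;
"""

if __name__ == "__main__":
    for lineno, token in audit_tls_config(SAMPLE_CONFIG):
        print(f"line {lineno}: deprecated setting {token}")
    print("hardened context:", hardened_context_summary())
```

Run as-is, the audit flags TLSv1, TLSv1.1 and RC4 on the sample lines, while the hardened context reports a TLS 1.2 minimum and an empty list of weak suites. The same audit function can be pointed at exported configuration from payment gateways, booking engines or property management system front ends before an ASV scan, so that deprecated protocols are found internally rather than in the scan report.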
Enhanced Access Protections
1. Implement multi-factor authentication (MFA), per the PCI compliance checklist, for:
– All personnel – especially remote access to payment networks
– Admin accounts across systems and devices
– Third party access
Options: One-time pins (OTP), biometrics, smart cards, tokenization
2. Mandate passwordless authentication long term by enabling FIDO2 security keys. Deploy password vaults and rotation short term.
3. Strictly control access to card data: implement redaction, masking, tokenization and database-level protections.
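To make items 1 and 3 concrete, here is an added example (written for this article, not code from any PCI document or vendor product) that ties an OTP check to card-data access. It implements RFC 6238 time-based one-time passwords with a replay guard, validates and masks a PAN to the first six and last four digits, and stands in for a tokenization vault so that application code holds a random token rather than the card number. The vault, the index key and the test PAN are constructed for illustration; a production vault would sit inside the segmented cardholder data environment and encrypt stored PANs under HSM-held keys, which this toy does not do.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, dynamically truncated."""
    counter = unix_time // TOTP_STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


class TotpVerifier:
    """Accept a code for the current step or one step either side, and never accept a step twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self._secret = secret
        self._window = window
        self._last_counter = -1   # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // TOTP_STEP
        for delta in range(-self._window, self._window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter:
                continue  # replay: this step (or an older one) has already been used
            expected = totp_code(self._secret, candidate * TOTP_STEP)
            if hmac.compare_digest(expected, code):
                self._last_counter = candidate
                return True
        return False


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used here to reject malformed PANs before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits; everything in between is masked."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Constructed in-memory tokenization vault: callers keep a random token, never the PAN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}
        self._pan_by_token = {}   # a real vault encrypts this under an HSM-held key

    def _index(self, pan: str) -> str:
        # Keyed hash lets us find an existing token without a plain PAN-to-token lookup table.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = "tok_" + secrets.token_hex(12)   # random, so nothing about the PAN leaks
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def masked_pan_after_mfa(verifier: TotpVerifier, code: str, unix_time: int,
                         vault: TokenVault, token: str):
    """Gate every de-tokenization behind MFA and return only the masked PAN, or None on failure."""
    if not verifier.verify(code, unix_time):
        return None
    return mask_pan(vault.detokenize(token))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector seed, not a real shared secret
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    verifier = TotpVerifier(secret)
    print(token, masked_pan_after_mfa(verifier, totp_code(secret, 59), 59, vault, token))
```

The replay guard matters in practice: without remembering the last accepted time step, a one-time code intercepted from a shared terminal remains valid for the rest of its window. Note also that the masked value is the only form that should reach front-desk screens, reports and logs; the vault is the single place that ever sees the full PAN.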
Third Party Security
With supply chain threats expanding, PCI DSS 4.0 ultimately makes merchants responsible for enforcing PCI DSS across outsourced payment services/systems and other third-party conduits.
– Provide PCI SSC list of compliance requirements to third-party providers handling card data
– Obtain evidence of providers’ PCI DSS compliance validation
– Monitor providers to ensure they sustain PCI DSS obligations
– Review all third-party provider contracts
– Update agreements mandating 4.0 alignment by specific timeline
– Develop processes to continually validate third-party compliance through questionnaires and assessments
The Silver Lining: Beyond Checkbox Compliance
While the pending PCI DSS overhaul will require investment, it equally provides hotels an opportunity to implement security best practices that resolve longstanding technology debt and close risk gaps.
Updating protocols not just to minimal passing levels but proactively adopting emerging standards for encryption, identity assurance and data-centric protections demonstrates commitment to guest security – which bolsters brand trust and loyalty.
Further, instead of snapshot validation, hotels can progress towards sustained compliance, with around-the-clock detection controls like SIEM and SOAR integrated with automated policy enforcement.
The Bottom Line
PCI DSS 4.0 will widen requirements for all merchants handling payments, including hotels. With planning around gap assessments, comprehensive roadmaps and external guidance from PCI compliance companies, hotels can achieve readiness efficiently while avoiding non-compliance penalties.
More so, embracing both the letter and spirit of PCI DSS 4.0 – prioritizing security as a core business imperative beyond checklists – allows hotels to unlock advantages like improved guest confidence, reduced fraud loss, and resilience against emerging attack trends. With vigilant adherence, PCI DSS compliance translates directly into a competitive edge.
Kazim Raza Ahmed is Research Analyst and Content Strategist at Advanced Hospitality Technologies, a pioneering IT solutions partner in the hospitality industry. As a content creator, Kazim is dedicated to publishing material that keeps pace with the rapid technological developments in the hospitality industry.