Tiatra, LLC
Information Technology Solutions for Washington, DC Government Agencies

How to gain a five star security reputation in hospitality

Achieving and sustaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a daunting challenge for hotels because they handle many complex payment business cases. For example, consider the numerous new booking options and services introduced to improve the customer’s experience during the reservation process and their stay. Also, debit and credit card payments represent 80% of the industry’s customer payment methods, and it can be difficult to master and protect the stream of payment data running through the business. Applying a well-defined, planned security approach can help to equip your organization with the tools and knowledge needed to fulfil the PCI DSS requirements while also building a sustainable PCI compliance program. This approach should help usher in a successful transition to PCI DSS version 4.0 in order to meet the March 31, 2024, deadline, when v3.2.1 is set to expire.

Do you know all your payment channels and credit card flows?

Considering the complexity of debit and credit card use cases in the hospitality industry, finding the right approach for transitioning to PCI DSS v4.0 can be difficult for an industry that must address changes from the corporate level down to the franchise level in a timely manner.

Complexity has increased with the introduction of smartphones and digital wallets as well as the significant reduction of in-person cash payments. For example, in France 60% of payments are made using a debit or credit card[1]. Indeed, hotel customers can now book their stay via the corporate website, online travel agencies such as www.booking.com or www.expedia.com, or hotel applications on their smartphones – in addition to traditional payments at the payment terminal located at the front desk of the hotel. Also, new digital payment channels are available to customers during their stay: they can book a cab right after selecting and paying for the lunch menu with the hotel application or with applications managed by third parties such as www.karhoo.com or www.resdiary.com. These payment evolutions affecting the hospitality industry require specific PCI DSS v4.0 compliance steps.

Four recommended steps in the PCI DSS v4.0 transition

Step 1: Locate, identify and document all the credit card flows in the organization, as stated by the following requirements applicable to all entities subject to PCI security compliance:

1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:

• Shows all account data flows across systems and networks.

• Updated as needed upon changes to the environment.

12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.

(See the PCI Security Standards Council (SSC) Requirements and Testing Procedures, Version 4.0, March 2022.)

Step 2: As an organization that is subject to PCI DSS compliance, step 2 of your compliance project is to prepare for the update as soon as possible by knowing your compliance status and level, and selecting the date of your next assessment.

Compliance with the PCI DSS demonstrates to customers and third parties that the security controls required by the PCI standards are in place in order to safeguard their confidential data and mitigate the risk of a credit card data breach. The required security controls include, but are not limited to, security policy and process documentation, secure data storage and transmission, development and application security, access control, network isolation, and service provider and third-party management.

Your organization is likely facing one of two choices: either maintain your current PCI security compliance while implementing the new applicable requirements, or invest in a new project and implement all the PCI security requirements of PCI DSS v4.0. Several FAQs available on the PCI SSC website can help you navigate this big change. If this is your initial PCI DSS assessment, as defined in PCI SSC FAQ 1485, your “entity has never undergone a prior PCI DSS assessment that resulted in the submission of a compliance validation document.” In this case, “PCI DSS requirements are expected to be in place at the time of the assessment.” If you are already PCI security compliant, all expected requirements should be in place by the date of your next assessment. Indeed, as per FAQ 1328, after March 31, 2024, PCI DSS v4.0 will be the only active version. Note that your current certification will not expire at the beginning of April, as per PCI SSC FAQ 1565.

Understand why compliance is crucial for your business and its stakeholders in order to determine the right sponsorship and resource allocation for your project. In the hospitality industry, hotels are either corporate or franchise entities. This situation creates complexity since, from the customer’s point of view, the corporate entity is also responsible for the payment card data processed by the franchise organization. One key success factor in this type of large organization is to implement the right governance model by assigning clear roles and responsibilities for the implementation and maintenance of the requirements. This approach is not only good practice but also a requirement, since the new version of the standard places emphasis on business-as-usual compliance processes, as stated in the Payment Card Industry Data Security Standard Requirements and Testing Procedures, Version 4.0, March 2022:

12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.

12.4 PCI DSS compliance is managed.

12.4.1 Additional requirement for service providers only:

Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:

• Overall accountability for maintaining PCI DSS compliance.

• Defining a charter for a PCI DSS compliance program and communication to executive management.

Step 3: Formally assigning roles and responsibilities is step 3 of the security compliance project, with a PCI security compliance manager in charge of the coordination and follow-up of all required tasks. Customers in this industry frequently have a PCI security compliance manager position at the corporate level, supported by local PCI contacts responsible for coordinating the local implementation of the PCI security compliance program.

The hospitality industry relies heavily on payment and property management system service providers, IT infrastructure service providers, and cloud providers in order to maintain and provide payment channels. It is important to set out the responsibility of each party for the implementation of each requirement in a signed contract. Requirements 12.8.2 and 12.8.5 of the standard clearly support this approach, since written agreements are mandatory along with a responsibility matrix:

12.8.2 Written agreements with TPSPs [third-party service providers] are maintained as follows:

• … with all TPSPs with which account data is shared or that could affect the security of the CDE [cardholder data environment].

• … acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.

12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.

In the hospitality industry, franchises are often treated as third-party service providers. The property owner using the franchisor’s brand name should also participate in the franchisor’s compliance program and demonstrate their own compliance. This can be achieved through the appropriate compliance documentation, depending on the number of card transactions processed locally: either a Report on Compliance (ROC) or the appropriate self-assessment questionnaire (SAQ). Proper management of the relationship with service providers is very important; it represents a large workload that should be carried out diligently.

PCI DSS v4.0 comes with many technical challenges. It is important to understand them and to know which ones apply to your environment. Let’s explore some examples:

Multifactor authentication (MFA) technology: Requirement 8.4.2

MFA is implemented for all access into the CDE.

Multifactor authentication is now mandatory for all personnel with access to the cardholder data environment. This requirement is a challenge because of the number of front desk agents with access to credit card data in the booking systems. It also has an impact on the Property Management System (PMS) used to manage payment at the front desk: implementing MFA can be quite a challenge if the feature is not supported by the PMS used in the hotel. Many hotels use Opera PMS, Sihot PMS or a cloud-based PMS.

Security of payment page scripts: Requirement 6.4.3

All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:

• A method is implemented to confirm that each script is authorized.

• A method is implemented to assure the integrity of each script.

• An inventory of all scripts is maintained with written justification as to why each is necessary.

An appropriate solution should be used to identify, inventory and protect all the scripts used on the various payment pages in the business environment.

Step 4: Know and understand your technical environment and the challenges your organization will face in order to implement the applicable new requirements.

Conclusion

Hotels are receiving a major makeover these days—and not just in the room decor. New payment models are challenging PCI DSS compliance in new ways. Organizations are on a journey in which it is important to clearly know the starting point and the destination. PCI DSS version 4.0 brings solutions but also many challenges that require your organization to identify key concerns as well as appropriate means of resolving them. Breaking complex issues down into smaller, manageable ones is the best approach for such projects. A step-by-step methodology is essential for successfully implementing the new requirements in your organization.

Start by understanding all of the business cases and payment flows in your organization. The second milestone of the journey is to know your current PCI security compliance status and plan the next assessment. Then formally assign roles and responsibilities, with a PCI security compliance manager in charge of the coordination and follow-up of all required tasks. Finally, set up a compliance organization and program before undertaking the technical challenges related to your IT environment. Learn more about Verizon’s PCI assessments here.

[1] https://www.banque-france.fr/system/files/2023-08/Banque_de_France%20-%20Strat%C3%A9gie_mon%C3%A9taire%20-%20rapport_annuel_de_lobservatoire_de_la_securite_des_moyens_de_paiement_2022.pdf

O’Pa-Gnou Félix Grebet is a senior consultant, PCI QSA, CISM, CISA in Verizon Cyber Security Consulting, France.

Category: News. Posted January 9, 2024.