Data security is a hot issue, with consumers concerned about their data and businesses liable for losses when things go wrong. Understanding the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS) can help mitigate data risks.
While it’s vital that every property management system (PMS) and the hotels it serves have robust security, it’s a cost that isn’t core to the business service and can be a challenge to manage.
Knowing your responsibilities under PCI DSS can help you understand whether you want to keep compliance in-house or outsource.
To help you make the best choice for your business, we’re going to explore:
- The 12 requirements of PCI DSS Compliance
- Additional resources to help you understand your obligations
- How to outsource your PCI DSS Compliance and mitigate risk
So you can keep your guests’ card payment data secure, off-site, and compliant.
Below are the 12 requirements of PCI DSS Compliance, along with a description of each requirement.
1. Install and maintain a firewall configuration to protect cardholder data
When you process card payments in your PMS, you’re responsible for keeping guest card data secure. The first line of defense is to have a firewall that can help prevent hackers from accessing details.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Most of your hardware and software will come preinstalled with standard passwords. To be PCI Compliant, you’ll need to change the generic passwords on equipment such as:
- Your WiFi router
- Your Property Management System (PMS)
- Modems
- Point of sale (POS) systems
3. Protect stored cardholder data
All of the card data you hold must be encrypted (or otherwise rendered unreadable) to ensure it’s not easily accessed if a hacker were to break into your systems. Strong encryption reduces business risk, yet it can have a high cost in terms of maintaining a team dedicated to keeping data and keys secure.
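As an added illustration of requirement 3 (and of the tokenization approach mentioned in the outsourcing section), here is a toy card vault in Python. It is not Kovena’s code and not part of the original post: it validates a card number with the Luhn check, replaces it with a random surrogate token, shows staff only the first-six/last-four masked form PCI DSS permits for display, and records who accessed which token without ever writing the PAN to the audit trail. All names are assumptions; a real vault would also encrypt the stored PAN at rest under managed keys.

```python
import secrets
from datetime import datetime, timezone


def luhn_valid(pan: str) -> bool:
    """Checksum used by card numbers; rejects typos before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated form allowed for display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    """Hypothetical vault: the PAN lives only here, callers only ever hold a token."""

    def __init__(self):
        self._pans = {}        # token -> PAN; a real vault encrypts this at rest
        self.audit_log = []    # requirement 10: every access is recorded

    def _audit(self, user_id, token, action):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,   # requirement 8: one unique ID per person
            "token": token,    # the surrogate, never the card number
            "action": action,
        })

    def tokenize(self, pan: str, user_id: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(16)   # random surrogate, not derived from the PAN
        self._pans[token] = pan
        self._audit(user_id, token, "tokenize")
        return token

    def masked(self, token: str, user_id: str) -> str:
        """What front-desk staff see at check-in: never the full PAN."""
        self._audit(user_id, token, "view_masked")
        return mask_pan(self._pans[token])

    def log_mentions_pan(self) -> bool:
        """Self-check: the audit trail must never contain a stored PAN."""
        text = str(self.audit_log)
        return any(pan in text for pan in self._pans.values())
```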
4. Encrypt transmission of cardholder data across open, public networks
If you need to transfer customer data within your PMS or to outside suppliers or contractors, it’s your responsibility to ensure that the information is encrypted. Cardholder data should never be sent in the clear over open or public networks.
5. Use and regularly update anti-virus software or programs
Another layer of cyber defense you need in place is anti-virus software. It needs to be installed and up to date on every device that works with the primary account number (PAN).
This includes:
- Office computers
- Hotel computers
- POS machines
Plus other bits of kit that interact with cards and card details.
6. Develop and maintain secure systems and applications
All the software that you use, whether developed within your PMS, an off-the-shelf solution, or software as a service, needs to be fully up to date if it touches or stores cardholder data.
This ensures security patches are always applied to the devices that handle cardholder data.
7. Restrict access to cardholder data by business need-to-know
Who on your team needs to know card data when guests are checking in and booking trips? Only the people who need to see card numbers and other data should be able to access it — it’s a “need to know” situation. Make sure you review and control who has access and update it as often as needed.
8. Assign a unique ID to each person with computer access
Everyone who can access data needs to have a unique ID. This makes access easier to track, and potential breaches easier to investigate and prevent.
9. Restrict physical access to cardholder data
When data is kept in physical form, such as on a signed authorization slip, or on physical media such as a hard drive, access needs to be controlled and restricted. This means you need a locked room, cabinet, or desk to store sensitive data in order to remain compliant.
Whenever the data is accessed, it needs to be logged. This could be through an electronic keycard system or through a manual log.
10. Track and monitor all access to network resources and cardholder data
Along the same lines, whenever guest payment data is accessed, such as the PAN (the card number), a log needs to be kept. Data will flow in and out of your PMS as you share information with hotels or partners, and how that data moves needs to be tracked and monitored.
11. Regularly test security systems and processes
You might think your PCI DSS systems are robust, but have they ever been tested? You need to find potential vulnerabilities before they become a real-life issue, which means regularly testing all your systems and processes.
12. Maintain a policy that addresses information security for employees and contractors
Your security procedures around card data and staying PCI Compliant all need to be documented in a policy. Anyone who comes into contact with card and PAN data needs to be aware of the policy. To ensure everyone understands their roles and responsibilities, your policy should outline:
- Information flow
- Where data is stored
- How data should be used
Where can I find more information about PCI DSS Compliance?
The PCI Security Standards Council (SSC) has a detailed range of resources for your PMS and your teams. The information includes:
- Specification frameworks
- Useful tools
- Measurements to use
- Support resources
And is designed to help you prevent data leaks and hacks and deal with them if they do happen.
Other useful links include:
- Self-Assessment Questionnaires (SAQs) to help you confirm your PCI DSS Compliance is on track
- PIN Transaction Security (PTS) requirements if your PMS supplies POS machines to hotels
Public resources that you may also find useful to assess your PCI Compliance include:
- Lists of Qualified Security Assessors (QSAs)
- Payment Application Qualified Security Assessors (PA-QSAs)
- Approved Scanning Vendors (ASVs)
- Qualified PIN Assessors (QPAs)
- Internal Security Assessor (ISA) education program
Can I outsource PCI DSS Compliance?
Data security for guests paying by card is an integral process to your PMS. Yet, with so many other issues to navigate, PCI Compliance is an issue that doesn’t have to occupy your team’s time.
Outsourcing your PCI Compliance to a company like Kovena gives you space to focus on the rest of your business. We will handle all payment processing for your hotels, tokenize the sensitive data, provide all the analytics and reporting you need, and handle the data in the most secure way possible.
Working with Kovena, your PMS has full access to our PCI Travel Vault which securely stores sensitive card data in a fully compliant manner.
Want to see how Kovena can streamline your PCI Compliance? Get in touch and we’ll walk you through it.