Hello and welcome. The purpose of this blog is to educate those within the hospitality industry about a risk that constantly needs to be managed: fraud. I strongly believe in the benefits of educating both our managers and corporate staff about fraud. It is proven that when we educate individuals, we reduce our risk. Periodically I will also throw in some anecdotes from my travels. I welcome your comments and questions.



Requirement 9 Part 1

While waiting for my Federal Jury Duty to begin, I thought I would do some PCI reading, in particular Requirement 9. This covers the physical access to data or systems that house cardholder data. I now have to wonder if Requirement 9 applies to credit card authorization forms and imprints of credit cards. This section states the following:

                               "Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas.  Review collected data and correlate with other entries.  Store for at least 3 months unless restricted by law.  Note: 'sensitive areas' refers to any data center, server room or any area that houses systems that store, process or transmit data.  This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."

I think the key word here is "store".  The testing procedures require that the auditor "verify that video cameras or other access control mechanisms are in place to monitor the entry/exit points to sensitive areas.  Video cameras or other mechanisms should be protected from tampering or disabling.  Verify that video cameras or other mechanisms are monitored and that data from cameras or other mechanisms is stored at least 3 months."

I wonder if this doesn't require hotels to maintain cameras in all of their storage areas and in the sales offices. Yes, I said sales offices. For some reason there are many hotels that keep credit card authorization forms in their sales files.

Furthermore, 9.6 requires that all paper and electronic media that contain cardholder data be physically secured. The testing procedures require verification "that procedures for protecting cardholder data include controls for physically securing paper and electronic media (including computers, removable electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports and faxes)."

There are other parts of Requirement 9 that may be applicable as well.  Those will be discussed later in the week.

PCI Conference

I apologize to all for not posting sooner, but I had difficulties accessing my blog for a couple of days while at the PCI conference. Here are some quick thoughts.

1. The standards are being revised this year. Look for new standards to come out in October. The sad thing is that most in our industry still don't understand the current requirements. The PCI Standards Council revises them every 2 years. There is talk that they might begin to do it every 3 years.
2. I asked the Chairman of the Council if he could tell those in attendance what the top 5 areas are in which our industry is not compliant. In a long, drawn-out answer he said that wasn't the role of the Council. When I followed up and asked where we could get that information, he said to ask MC/Visa. Well, I explained to him that I have asked them on a couple of calls and they refused. So the question remains: how is the industry supposed to protect itself from the fines if we don't know where we are failing to be compliant?
3. Speaking of those large fines... I have to wonder what legislation allows MC/Visa and others to issue those fines. I thought there were laws on the books that prevented one private entity from assessing a fine or penalty on another private entity? According to the Chairman of the PCI Standards Council, it is the credit card companies, and not the Council, that determine the amount and issue the fines.
4. The Chairman would not provide a clear answer when asked if a hotel violates PCI if it imprints credit cards on a registration card. My thought is that it may not violate PCI, but it probably violates the laws of most states that have laws regarding PII.
5. On March 1, 2010 the most restrictive PII law goes into effect in Massachusetts. Beware: the law covers all Massachusetts citizens regardless of where the hotel is located.
6. I have been convinced that PCI insurance is probably worth the money. I know Fireman's Fund offers a good product, but they don't sell it as a standalone product. Any insurance that pays for at least the initial audit following a breach is, I think, worth the money.
7. If you don't need to keep or have access to sensitive data at the hotel... then don't, regardless of whether it's electronic or documented. It will save you a lot of headaches later.
8. Results from an informal and unscientific survey during the PCI Conference indicate that over 80% of the hotel companies no longer request the entire credit card number on their credit card authorization forms. These same companies no longer ask for copies of the credit card, even for group functions.
9. The PCI Standards Council doesn't deal with reality. They think one size fits all.
10. I can't wait for when the credit card companies try to issue a fine for not being in compliance when the hotel has been taken back by the bank.
11. I wonder if MC/Visa, Amex and Discover are PCI compliant. How do we know? Are they even required to be PCI compliant?
12. How pathetic am I, writing this on a Saturday night?