What Do the Evolving Requirements in PCI DSS 3.0 Mean for Your Hotel Business?

By Feature Writer Peter Roy

The PCI Security Standards Council published the PCI DSS v3.0 on November 7th 2013 and it contained a whopping 19 "evolving requirements" (changes to the standard in response to emerging threats). In this article, I will provide a brief analysis of three of those evolving requirements that I believe are likely to present specific implementation and operational challenges for hoteliers with geographically dispersed hotels.

Evolving Requirement 9.3 New requirement to control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.

Translation: Hotel staff should have access to credit card data strictly on a need-to-know basis; and as soon as they leave your organisation, all of their access should be immediately revoked.


In a hotel environment, the Cardholder Data Environment (CDE) would typically encompass system elements such as the desktops running your Property Management System (PMS), as well as any physical storage such as filing cabinets in the hotel back office that contain pieces of paper with credit card details. It is essential that access to those is authorized and based on individual job function (which is perhaps not a revelation); however, the devil is in the detail with 9.3 because it requires that access is revoked immediately upon termination, and that all physical access mechanisms, such as keys, access cards, et cetera, are returned or disabled. High turnover is a well-known issue in the hospitality industry – the International Hospitality and Tourism Institute (IHTI) puts turnover at 30% in the UK and 31% in the USA – so the emphasis here really needs to be around employee termination procedures and also temporary worker procedures (e.g. sharing logins or swipe cards while a new starter waits for their induction pack is a definite "no-no"). If you want to ensure compliance with 9.3, these procedures will need to be slick and readily auditable, as a minimum.
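One way to make the 9.3 leaver and temporary-worker checks auditable is to reconcile the HR roster against the access register on a schedule. The script below is an added example written for this article, not something from the standard or any vendor; the employee IDs, names, dates and card numbers are constructed sample data, and the three findings it produces (grants not revoked after termination, one card or login shared by several people, grants assigned to someone who is not on the roster) are exactly the points a QSA would ask about.

```python
"""Added example (not from the article): reconcile access grants against the HR roster.

Requirement 9.3 asks for need-to-know access and immediate revocation on termination.
This script compares an HR roster with the list of logical and physical access grants
(PMS logins, swipe cards, keys) and reports what an auditor would ask about.
All names, IDs and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class AccessGrant:
    emp_id: str      # who the grant is assigned to (per the access register)
    kind: str        # "pms_login", "swipe_card", "office_key", ...
    identifier: str  # account name, card number or key tag
    active: bool     # False once revoked or returned


def find_revocation_gaps(employees, grants, today):
    """Grants still active for staff whose termination date is on or before today."""
    gone = {e.emp_id for e in employees
            if e.terminated_on is not None and e.terminated_on <= today}
    return sorted((g.emp_id, g.kind, g.identifier)
                  for g in grants if g.active and g.emp_id in gone)


def find_shared_credentials(grants):
    """Cards or logins currently active for more than one person (no shared swipe cards)."""
    holders = {}
    for g in grants:
        if g.active:
            holders.setdefault((g.kind, g.identifier), set()).add(g.emp_id)
    return sorted((kind, ident, sorted(ids))
                  for (kind, ident), ids in holders.items() if len(ids) > 1)


def find_orphaned_grants(employees, grants):
    """Active grants assigned to IDs that are not on the roster at all (e.g. ad-hoc temps)."""
    known = {e.emp_id for e in employees}
    return sorted((g.emp_id, g.kind, g.identifier)
                  for g in grants if g.active and g.emp_id not in known)


# Constructed sample data: one leaver still holding a PMS login, one temp sharing a card.
EMPLOYEES = [
    Employee("E001", "Alice", None),
    Employee("E002", "Bob", date(2014, 3, 1)),
    Employee("E003", "Carol", date(2014, 6, 30)),   # notice given, not yet left
]
GRANTS = [
    AccessGrant("E001", "pms_login", "alice.w", True),
    AccessGrant("E001", "swipe_card", "SC-1001", True),
    AccessGrant("E002", "pms_login", "bob.k", True),      # should have been revoked
    AccessGrant("E002", "swipe_card", "SC-1002", False),  # returned on exit
    AccessGrant("E003", "swipe_card", "SC-1003", True),
    AccessGrant("T-TEMP7", "swipe_card", "SC-1001", True),  # temp using Alice's card
]


def access_report(today=date(2014, 4, 1)):
    """Return the three findings lists an auditor would expect the hotel to act on."""
    return {
        "not_revoked": find_revocation_gaps(EMPLOYEES, GRANTS, today),
        "shared": find_shared_credentials(GRANTS),
        "orphaned": find_orphaned_grants(EMPLOYEES, GRANTS),
    }


if __name__ == "__main__":
    for finding, items in access_report().items():
        print(finding, items)
```

Running it nightly against the real HR export and the PMS and door-access registers gives you the evidence trail 9.3 expects: an empty report is the control working, and a non-empty one is a ticket for the hotel manager with a named person and a named credential.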

Evolving Requirement 9.9.x New requirements to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Translation: You will need to start maintaining a complete, detailed inventory of all of the credit card machines at your hotels; and you will potentially need to train your reception staff to spot tampering techniques commonly used by would-be criminals.

This requirement will not become effective until July 1, 2015 (which should be taken as a measure of the training and operational burden that it will potentially present, particularly to the hotel industry). If your organisation has treated asset and configuration management as a "nice to have" in previous years, then think again because 9.9.1 requires that you maintain an up-to-date list of all Point Of Sale (POS) devices including make, model, location, and serial number; and 9.9.2 requires that you periodically inspect these devices to detect tampering (e.g. the addition of "card skimmers").

If your hotel support function is located at a distance from your hotels, the reality is that you will either need to schedule regular on-site visits to perform these checks, or you will need to commit to an ongoing process of training and upskilling reception staff to perform the checks themselves. Also, the standard makes it clear that on-site staff should be able to talk convincingly to your Qualified Security Assessor (QSA) about how they would spot a "card skimmer" or other malicious device, how they would verify the identity of third parties claiming to be repair or maintenance personnel, how they would maintain awareness of suspicious behaviour, and how they would report any suspicious behaviour.
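The 9.9.1 inventory and the 9.9.2 inspections are only useful if someone compares them. The following is an added example for this article (not PCI SSC material and not any terminal vendor's software) showing what a regional support team can run before a site visit: which terminals are overdue for inspection, whether the serials found on the desk match the register for that hotel (a serial that should be there but is not, or one that is there but not on the register, is the substitution scenario 9.9 is about), and which devices have ever had tampering recorded. Device makes, serials, locations and dates are constructed, and the 30-day inspection interval is an assumed local policy rather than a figure from the standard.

```python
"""Added example (not from the article): POS terminal inventory and inspection tracking.

9.9.1 asks for an up-to-date list of card-capture devices (make, model, location,
serial) and 9.9.2 for periodic inspection to detect tampering or substitution.
The functions below flag devices overdue for inspection, reconcile what a site
visit actually found against the register, and list devices with a tamper report.
Device makes, serials, locations and dates are constructed sample data;
the 30-day inspection interval is an assumed local policy, not a PCI figure.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PosDevice:
    serial: str
    make: str
    model: str
    location: str  # e.g. "Hotel A / Front Desk"


@dataclass(frozen=True)
class Inspection:
    serial: str
    inspected_on: date
    tamper_evident: bool  # seals broken, extra parts, housing opened, etc.


def inspections_overdue(inventory, inspections, today, max_age_days=30):
    """Serials never inspected, or last inspected more than max_age_days ago."""
    last = {}
    for i in inspections:
        if i.serial not in last or i.inspected_on > last[i.serial]:
            last[i.serial] = i.inspected_on
    cutoff = today - timedelta(days=max_age_days)
    return sorted(d.serial for d in inventory
                  if d.serial not in last or last[d.serial] < cutoff)


def reconcile_site(inventory, location, observed_serials):
    """Compare serials found during a site check with the register for that location.

    'missing' may mean theft or an unrecorded move; 'unexpected' may mean a
    substituted device and needs to be treated as a potential incident.
    """
    expected = {d.serial for d in inventory if d.location == location}
    observed = set(observed_serials)
    return {"missing": sorted(expected - observed),
            "unexpected": sorted(observed - expected)}


def tamper_reports(inspections):
    """Serials with at least one inspection that recorded signs of tampering."""
    return sorted({i.serial for i in inspections if i.tamper_evident})


# Constructed register and inspection log.
INVENTORY = [
    PosDevice("SN-0001", "AcmePay", "T100", "Hotel A / Front Desk"),
    PosDevice("SN-0002", "AcmePay", "T100", "Hotel A / Front Desk"),
    PosDevice("SN-0003", "AcmePay", "T200", "Hotel B / Bar"),
]
INSPECTIONS = [
    Inspection("SN-0001", date(2015, 5, 1), True),   # seal found broken in May
    Inspection("SN-0001", date(2015, 7, 1), False),
    Inspection("SN-0002", date(2015, 6, 1), False),  # now more than 30 days old
    # SN-0003 has never been inspected
]


def site_report(today=date(2015, 7, 15), observed_at_hotel_a=("SN-0001", "SN-0099")):
    """Bundle the checks a regional support team would run before a QSA visit."""
    return {
        "overdue": inspections_overdue(INVENTORY, INSPECTIONS, today),
        "hotel_a": reconcile_site(INVENTORY, "Hotel A / Front Desk", observed_at_hotel_a),
        "tamper": tamper_reports(INSPECTIONS),
    }


if __name__ == "__main__":
    for section, result in site_report().items():
        print(section, result)
```

The inspection log is the part reception staff actually produce (a dated line per terminal, with a yes/no for anything that looked wrong); keeping it as structured data rather than a paper tick sheet is what lets the support function spot the never-inspected bar terminal at Hotel B without travelling there.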

Evolving Requirement 11.1.x Enhanced requirement to include an inventory of authorized wireless access points and a business justification (11.1.1) to support scanning for unauthorized wireless devices, and added new requirement 11.1.2 to align with an already-existing procedure, for incident response procedures if unauthorized wireless access points are detected.

Translation: You will need to start regularly scanning for unauthorized wireless networks in your hotels, and you will potentially need to train your reception staff to spot different types of devices that could be connected to hotel computers and other devices by would-be hackers.

Reception desks and check-in kiosks tend to be quite open and inviting by their very nature, and desktop PCs are exposed whenever the reception area is left unattended, so this is likely to present a particular problem at your hotels. So, once again, 11.1.x will mean you are likely to need to upskill your reception staff to be able to spot malicious devices such as Wireless Local Area Network (WLAN) cards inserted into system components, portable or mobile devices attached to system components to create a wireless access point (for example, by USB et cetera), or wireless devices attached to a network port or network device. In busy city hotels, it is also not uncommon to have dozens of wireless access points appearing, disappearing, and re-appearing which only adds to the confusion during the scanning process, unfortunately.
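The scanning confusion in busy city hotels is manageable if the scan output is reconciled against the 11.1.1 inventory rather than eyeballed. The code below is an added example for this article, not part of the standard or of any wireless product: it takes several scan sweeps (how you collect them, from a WIDS export or a site-survey tool, is out of scope) and sorts every BSSID into authorised, a rogue candidate worth a physical walk-round under 11.1.2, an unknown device advertising the hotel's own network name, or a transient neighbour. Unknown BSSIDs only become rogue candidates when they persist across sweeps at strong signal, which is what keeps the passing phone hotspots and next-door cafe networks from drowning the findings. The BSSIDs, SSIDs, signal thresholds and sweep counts are constructed or assumed values.

```python
"""Added example (not from the article): reconcile wireless scan results with the
authorised access-point inventory required by 11.1.1.

Scan results are modelled as a list of sweeps, each a list of (BSSID, SSID, RSSI)
observations. Unknown BSSIDs are only raised as rogue candidates when seen in
several sweeps at strong signal, so that transient neighbour networks are reported
separately rather than drowning the real findings.
The BSSIDs, SSIDs and thresholds below are constructed/assumed values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    rssi_dbm: int  # closer to 0 means stronger, i.e. probably on the premises


def classify_scans(authorized, scans, hotel_ssids, min_rssi=-60, min_sweeps=2):
    """Split every BSSID seen across the sweeps into four buckets.

    authorized:  dict of BSSID -> description from the 11.1.1 inventory
    hotel_ssids: network names the hotel itself broadcasts
    """
    sweeps_seen = Counter()
    best_rssi = {}
    ssid_of = {}
    for sweep in scans:
        for b in {o.bssid.lower() for o in sweep}:
            sweeps_seen[b] += 1          # count each BSSID once per sweep
        for o in sweep:
            b = o.bssid.lower()
            best_rssi[b] = max(best_rssi.get(b, -999), o.rssi_dbm)
            ssid_of[b] = o.ssid
    known = {b.lower() for b in authorized}
    findings = {"rogue_candidates": [], "ssid_impersonation": [],
                "transient_neighbours": [], "authorized_missing": []}
    for b, n in sweeps_seen.items():
        if b in known:
            continue
        if ssid_of[b] in hotel_ssids:
            # Something not on the inventory is advertising the hotel's own SSID.
            findings["ssid_impersonation"].append(b)
        elif n >= min_sweeps and best_rssi[b] >= min_rssi:
            # Persistent and strong: worth a physical walk-round under 11.1.2.
            findings["rogue_candidates"].append(b)
        else:
            findings["transient_neighbours"].append(b)
    # An authorised AP that never shows up may be offline, moved, or replaced.
    findings["authorized_missing"] = [b for b in known if b not in sweeps_seen]
    return {k: sorted(v) for k, v in findings.items()}


# Constructed inventory and three constructed scan sweeps.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "Lobby AP",
    "aa:bb:cc:00:00:02": "Restaurant AP",
    "aa:bb:cc:00:00:03": "Pool AP",
}
HOTEL_SSIDS = {"HotelGuest", "HotelStaff"}
SCANS = [
    [Observation("AA:BB:CC:00:00:01", "HotelGuest", -45),
     Observation("aa:bb:cc:00:00:02", "HotelStaff", -50),
     Observation("de:ad:be:ef:00:01", "Free-WiFi", -40),
     Observation("11:22:33:44:55:66", "CafeNextDoor", -85)],
    [Observation("aa:bb:cc:00:00:01", "HotelGuest", -47),
     Observation("de:ad:be:ef:00:01", "Free-WiFi", -42),
     Observation("77:88:99:aa:bb:cc", "HotelGuest", -55)],
    [Observation("aa:bb:cc:00:00:01", "HotelGuest", -46),
     Observation("de:ad:be:ef:00:01", "Free-WiFi", -41),
     Observation("11:22:33:44:55:66", "CafeNextDoor", -82),
     Observation("ff:ff:00:00:00:01", "PhoneHotspot", -50)],
]


def wireless_report():
    """Classify the constructed sweeps against the constructed inventory."""
    return classify_scans(AUTHORIZED, SCANS, HOTEL_SSIDS)


if __name__ == "__main__":
    for bucket, bssids in wireless_report().items():
        print(bucket, bssids)
```

The two thresholds are the tuning knobs for a given site: a hotel with thick walls can raise `min_rssi`, and a hotel surrounded by offices can raise `min_sweeps`, and either way the transient list stays available for the QSA to see that those networks were looked at and deliberately set aside rather than ignored.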

In conclusion, the PCI DSS v3.0 strengthens the standard in a rapidly evolving security landscape; however, it also presents a number of unique challenges for hotel organisations, and it will inevitably create an additional implementation and operational burden that will require substantial investment in many organisations.
