Long-Term PCI Compliance: 6 Tips
You’ve consulted a Qualified Security Assessor (QSA), implemented a PCI compliant solution, and have filled out the self-assessment questionnaire. This makes you PCI compliant, right? Think again.
“There are three things that really come into play with PCI: people, processes and technology,” says Bob Russo, general manager, PCI Securities Council (www.pcisecuritystandards.org). “Some combination of these is what is going to keep you safe, so you have to really make sure that you are not falling down on any one of these three areas.”
One area where lodging and foodservice operators often run into trouble is ongoing PCI maintenance and monitoring. According to the 2011 editions of Hospitality Technology’s “Restaurant Technology Study” and “Lodging Technology Study,” maintaining PCI compliance over the long term often poses a challenge, possibly due to difficulties experienced in educating staff members or as a result of lean IT staffs.
HT sat down with PCI experts and operators to identify the best practices for ongoing PCI compliance, and to gain some tips on how to build a solid compliance foundation.
1. Pick vendors wisely: Whether you are implementing a brand new system or adding hardware/software to an existing system, vendor partnerships are key to ongoing maintenance, as vendors can provide not only educational support but also make sure that your system is running at top speed. Weakness in this area is especially detrimental for smaller organizations. “We rely quite a bit on our vendors,” says Terri Menking, who heads up the implementation of technology for Heilan Management. The 43-unit Chili’s (www.chilis.com) operator, which is partnered with Radiant Systems (www.radiantsystems.com) and SecurityMetrics (www.securitymetrics.com), relies on its vendors for firewall and software maintenance. “One or two people who are doing other technology-type jobs just can’t keep up with it [firewall maintenance]. So for us, having a team that is devoted to keeping up with the PCI compliance rules, the changes in those rules, and then keeping the firewalls current,” is important.
She suggests that customer service and responsiveness are two important qualities to look for in a vendor partnership. “We run our company lean so most of us in the home office wear a lot of hats. I don’t have time to wait a day and a half for someone to get back to me,” she says.
Like Heilan Management, the nine-unit Taco John’s (www.tacojohns.com) franchisee Preferred Restaurant Group also believes in the importance of forming a strong vendor partnership. Preferred is working with BHI SecureConnect (www.bhi.com), which flew out to all of its sites to install its firewalls.
“They showed us how to use it, and then on a going-forward basis, every time that we added a piece of equipment they were very responsive to opening ports or doing whatever we needed to do to make sure that our equipment is not only secure but that it does what it needs to do,” says Shannan Grosz, information technology and project management, Preferred Restaurant Group. “In my position, I have the ability to check on stores to see when scans are done, to make sure that we are in compliance, and that there are no deviations from what needs to be done.”
2. Double-check third-party integrators: The sister standard to PCI, PA-DSS, sets forth a number of controls that every point-of-sale vendor has to comply with, which should ensure, at least in theory, that the software is certified and can be deployed in a PCI compliant fashion. “A lot of folks hire a third-party, a systems integrator, to deploy the point-of-sale system and many times they don’t follow the implementation guides which stipulate certain procedures that have to be followed,” says James Paul, SVP of delivery at Trustwave (www.trustwave.com). One such procedure is changing the default passwords. “If you don’t do that, and a hacker knows the default password for that point-of-sale vendor, that is a pretty big target.”
Paul suggests that organizations ask a number of targeted questions of their integrators to ensure proper installation: “Can you confirm with me that you changed all of the default passwords, that everything that you were supposed to do has been done? That you haven’t created any back door scenarios with remote management capabilities of these systems that use shared accounts or shared passwords?”
3. When a picture is worth 1,000 words: How often do you actually take a look at your POS to check for hardware tampering? This action, although quite simple, can help to catch potential breaches in your company’s security. “Take a picture of the POS when you first get it,” suggests the PCI Council’s Russo. “Pull it out on a regular basis. Does it look different? Is there an overlay, are there more wires? Has someone tried to open it to insert a card skimmer?”
4. Employee education: There is a wealth of educational materials and seminars dedicated to PCI compliance. Yet successfully disseminating that information, not to mention your company’s own general security processes, to franchisees and lower-level staff members is often hard to achieve.
Preferred Restaurant Group created a security policy and distributed it to each of its restaurants. “New managers, assistant managers and anyone with access to credit card information is required to read that policy manual and understand what our policies are regarding security and credit card information,” says Grosz. “And then we have a sign-off sheet that indicates, ‘yes I have actually read our corporate policy manual and our Internet security manual.’”
Heilan Management, which is currently in the process of revamping how it trains its staff, is taking its approach to employee education one step further. “We put materials out there and instructions to be able to go over this stuff when [managers] hire new folks, and then you just kind of forget about it,” says Menking. “So what we have found in probably the last six months is a real need to keep that continuing education going, so we actually established centers, restaurants that we call education centers, and part of that education is maintaining what they need to do.”
5. Ditch the check-list mentality: It’s often hard not to think of the 12 PCI requirements as a check-list. But there is a big danger in approaching PCI in this manner, especially when it comes to maintenance and monitoring, says the PCI Council’s Russo. Take logging, for example, which PCI requires to be turned on. “Do you ever look at those logs? Are you getting so many false positives coming in on these logs that you just decided, ‘I am not looking at them anymore’? Every time there is a breach, and a forensics company goes in to try and figure out what happened, they always find this information in the logs. So if in fact you turned logging on and someone is looking at these logs on a regular basis, there is a reasonably good chance that you can get in there and stop it [a breach] before it becomes hundreds and thousands of cards,” says Russo.
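To show what “someone looking at the logs on a regular basis” can mean in practice without drowning in false positives, here is an added example (not from the article or any vendor it names) of a small log triage in Python. It runs over constructed POS authentication log lines, drops one-off failures, and surfaces only two patterns worth a person’s attention: a successful login after a run of failures, and a remote session opened outside store hours. The log layout, hostnames, three-failure threshold and 06:00 to 22:59 store hours are all assumptions.

```python
import re
from collections import defaultdict
# Constructed POS authentication log lines (sample data, not real logs).
SAMPLE_LOG = """\
2011-05-02T01:12:03 pos-07 auth: login failed user=manager src=203.0.113.45
2011-05-02T01:12:05 pos-07 auth: login failed user=manager src=203.0.113.45
2011-05-02T01:12:07 pos-07 auth: login failed user=manager src=203.0.113.45
2011-05-02T01:12:15 pos-07 auth: login ok user=manager src=203.0.113.45
2011-05-02T02:15:44 pos-11 remote: session opened user=vendor_support src=198.51.100.9
2011-05-02T09:30:00 pos-02 auth: login failed user=cashier3 src=192.168.10.21
2011-05-02T09:30:20 pos-02 auth: login ok user=cashier3 src=192.168.10.21
2011-05-02T14:05:10 pos-02 remote: session opened user=vendor_support src=198.51.100.9
"""
# Assumed layout: "<timestamp> <host> <facility>: <event> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \w+: (?P<event>login failed|login ok|session opened)"
    r" user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 3          # assumed: failures before a later success is suspicious
STORE_HOURS = range(6, 23)  # assumed: remote sessions outside 06:00-22:59 get flagged

def parse(log_text):
    """Keep only lines matching the assumed layout; anything else is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def triage(log_text):
    """Collapse raw events into the few findings a person should actually read."""
    failures = defaultdict(int)   # (host, user, src) -> run of failed logins
    findings = []
    for e in parse(log_text):
        key = (e["host"], e["user"], e["src"])
        if e["event"] == "login failed":
            failures[key] += 1
        elif e["event"] == "login ok":
            if failures[key] >= FAIL_THRESHOLD:
                findings.append(f"{e['host']}: {e['user']} from {e['src']} "
                                f"logged in after {failures[key]} failures")
            failures[key] = 0     # a success ends the run for that key
        elif e["event"] == "session opened":
            hour = int(e["ts"][11:13])
            if hour not in STORE_HOURS:
                findings.append(f"{e['host']}: remote session by {e['user']} "
                                f"from {e['src']} at {e['ts'][11:16]}")
    return findings
```

On the sample data the single cashier failure and the daytime vendor session produce nothing, while the manager login after three failures and the 02:15 remote session are reported.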
6. Secure your paper trail: Believe it or not, dumpster diving for discarded receipts or documents that contain credit card information does happen. “Ensure that none of the receipts have a complete credit card number on them,” says Preferred Restaurant Group’s Grosz. “We found early on when we were taking credit cards that we did have some locations that had that, and it has since been replaced. Complete numbers do not appear on any receipt, so if a receipt is lost or discarded, that information is still secure.”
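As an added example, not from the article or Preferred Restaurant Group, the following Python check scans receipt text for anything that looks like a complete card number (13 to 19 digits that pass the Luhn checksum) and shows a PAN masked down to the last four digits before it is printed. The receipt text, restaurant name and card number are constructed test data.

```python
import re

# Constructed receipt text: one masks the card number, one prints it in full.
MASKED_RECEIPT = "BURGER BARN #12\nVISA ************1234\nTOTAL $12.45\nAUTH 0A1B2C\n"
UNMASKED_RECEIPT = "BURGER BARN #12\nVISA 4111 1111 1111 1111\nTOTAL $12.45\nAUTH 0A1B2C\n"

# 13 to 19 digits, optionally separated by spaces or dashes
CANDIDATE_RE = re.compile(r"(?:\d[ -]?){13,19}")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_full_pans(text):
    """Return digit strings in text that look like complete card numbers."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask_pan(pan):
    """Replace everything but the last four digits, the most a receipt should show."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def receipt_is_safe(text):
    """True when no complete card number appears anywhere in the receipt text."""
    return not find_full_pans(text)
```

Running find_full_pans over the output of every receipt template is a quick way to catch the kind of location Grosz describes before the paper leaves the store.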