PCI Security Woes
This issue of Hospitality Technology magazine includes a copy of the 10th annual Restaurant Technology Study. The study polls HT's restaurant-operator readers on a host of technology-related topics, ranging from the most important features of a point of sale system to loyalty programs and more.
For the first time, this year's study includes a section on Payment Card Industry (PCI) data security standards - the standards that credit card companies have co-created to protect cardholder data. In this section of the study, we asked restaurant operators if they believed their restaurant to be fully compliant with PCI data security standards. Nearly 80% said yes. But when we drilled a little deeper and began asking respondents about compliance with specific requirements, a new picture emerges: Just 45% regularly test their security systems and processes and only slightly more (53%) track and monitor all access to network resources and cardholder data.
Confusion at the Core
This confusion represents a very serious problem which continues to plague many restaurant operators. I fear that we may witness more than a few lawsuits filed by credit card companies against hospitality operators before the dangers associated with non-compliance are truly understood by operators; primary among them severe monetary loss and guest distrust. But this concern is not for restaurant operators alone. I recently conducted a similar poll to gauge PCI compliance within the lodging community and found that more than half of hotels are not fully compliant with PCI DSS.
At the core of the problem is general confusion surrounding who is responsible for PCI compliance, and a heavy dose of the "not me" syndrome. Far too many operators think that compliance is the responsibility of someone other than themselves; perhaps a POS or IT vendor, or perhaps the payment processor.
The reality, however, is that all parties involved in handling, processing, and storing credit card data and card holder information have shared responsibilities. The ultimate responsibility in a hotel or restaurant lies with the operators themselves.
Take Action
The solution is education, application and control; three words that are easy to say but difficult to enact. For the education component, there are several solutions. Associations such as the American Hotel and Lodging Association (AHLA) provide web-based presentations on PCI compliance. Credit card companies, such as Visa and MasterCard, and the PCI Security Council provide educational materials and self-assessment guidelines. The University of Delaware is hosting The Payment Card Industry Compliance in Hospitality Conference on May 1-2, 2008 at its campus in Newark, DE, keynoted by Bob Russo, general manager of the PCI Security Standards Council.
When it comes to application, a dedicated team must be created that will focus on PCI compliance and one person should hold ultimate accountability for its efforts. Ample resources and authority should be afforded to the team so that it may work to ensure compliance. Any resources spent on this issue should be viewed as protection for the future, and will return in dividends. Compliance initiatives must be communicated to all levels of the organization from entry level personnel to the most senior-level staff. Top level support is required.
Finally, hospitality organizations should provide control through self-audits on a regular basis to ensure they continue to be in compliance with the 12 requirements of PCI DSS. As the organization changes, ongoing control is the key to success.
For the first time, this year's study includes a section on Payment Card Industry (PCI) data security standards - the standards that credit card companies have co-created to protect cardholder data. In this section of the study, we asked restaurant operators if they believed their restaurant to be fully compliant with PCI data security standards. Nearly 80% said yes. But when we drilled a little deeper and began asking respondents about compliance with specific requirements, a new picture emerges: Just 45% regularly test their security systems and processes and only slightly more (53%) track and monitor all access to network resources and cardholder data.
Confusion at the Core
This confusion represents a very serious problem which continues to plague many restaurant operators. I fear that we may witness more than a few lawsuits filed by credit card companies against hospitality operators before the dangers associated with non-compliance are truly understood by operators; primary among them severe monetary loss and guest distrust. But this concern is not for restaurant operators alone. I recently conducted a similar poll to gauge PCI compliance within the lodging community and found that more than half of hotels are not fully compliant with PCI DSS.
At the core of the problem is general confusion surrounding who is responsible for PCI compliance, and a heavy dose of the "not me" syndrome. Far too many operators think that compliance is the responsibility of someone other than themselves; perhaps a POS or IT vendor, or perhaps the payment processor.
The reality, however, is that all parties involved in handling, processing, and storing credit card data and card holder information have shared responsibilities. The ultimate responsibility in a hotel or restaurant lies with the operators themselves.
Take Action
The solution is education, application and control; three words that are easy to say but difficult to enact. For the education component, there are several solutions. Associations such as the American Hotel and Lodging Association (AHLA) provide web-based presentations on PCI compliance. Credit card companies, such as Visa and MasterCard, and the PCI Security Council provide educational materials and self-assessment guidelines. The University of Delaware is hosting The Payment Card Industry Compliance in Hospitality Conference on May 1-2, 2008 at its campus in Newark, DE, keynoted by Bob Russo, general manager of the PCI Security Standards Council.
When it comes to application, a dedicated team must be created that will focus on PCI compliance and one person should hold ultimate accountability for its efforts. Ample resources and authority should be afforded to the team so that it may work to ensure compliance. Any resources spent on this issue should be viewed as protection for the future, and will return in dividends. Compliance initiatives must be communicated to all levels of the organization from entry level personnel to the most senior-level staff. Top level support is required.
Finally, hospitality organizations should provide control through self-audits on a regular basis to ensure they continue to be in compliance with the 12 requirements of PCI DSS. As the organization changes, ongoing control is the key to success.