Chris Anderson, Business Risk Advisor,
Grant Thornton
TORONTO - Last year, following the announcement of the world's largest breach of payment card information, more attention was paid to existing regulations requiring merchants accepting payment cards, and service providers who perform card transaction processing for these merchants, to prove their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The looming deadline for filing compliance reports with PCI DSS is October 2010. This deadline applies to both large and small hotels.
The consequences of not meeting the standards for the protection of confidential information are significant, says Chris Anderson, business risk advisor with Grant Thornton, Toronto.
He gives the example of a small operation with 5,000 credit cards in its database whose payment card information is breached. An investigation shows the company had security flaws, and the evidence turns up unexplained black boxes at the point of sale.
The company gets fined - and the fines are quite large. Then, if it hasn't got rid of inactive cards and those cards are still valid, it has to pay the cost of repairing the damage for every card that could be compromised. Even if the breach involved only 100 cards, thieves could potentially have extracted data on the entire 5,000. The company has to pay the bank's cost of replacing all of those cards, plus identity theft monitoring for every cardholder.
The math is frightening. The bank charges $200 per card to replace and monitor each card, says Anderson. Multiply that by the 5,000 cards in the database and the result is $1 million - more than enough to break many hotel operations.
Added to these are losses that could result from the possible class action lawsuits from cardholders for not protecting their privacy.
So how can companies protect themselves?
Grant Thornton LLP recommends that businesses whose payment card transactions represent a significant part of their revenue stream have their PCI DSS compliance accurately assessed by accredited professionals with a comprehensive background in IT controls auditing and information systems security.
The assessment looks at the 12 principles of PCI DSS. The principles pertain to building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
For a small business, this may mean engaging the skills and expertise needed to do the internal research required to answer the relatively short Self Assessment Questionnaire (SAQ) accurately.
"Invariably, some people sign the SAQ and don't care - they do a superficial or minimal job," says Anderson.
Anderson estimates that for a small organization with one location, this assessment would take a couple of days.
Using a car analogy, Anderson calls the assessment "lifting the hood to take a look."
Larger firms would engage companies certified to provide Qualified Security Assessors (QSAs), such as Grant Thornton. The QSAs produce a very thorough audit report that complies with the requirements of the card brands.
Canadian businesses have a particular interest in these developments since Canadians are among the world's most frequent users of payment cards. Equally important, Canada has lagged behind Europe in adopting Chip & PIN technology on credit cards, making us an alluring target for international data thieves. According to the Canadian Bankers Association, reported payment card fraud as a whole exceeded half a billion dollars in 2008.
The PCI DSS is overseen by a council founded by the five largest PCI players: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The PCI DSS is designed to protect consumers' payment card data by enforcing security standards ranging from firewall installation to security policies.
"It's important to remember that the PCI DSS process doesn't make a network absolutely invincible from data theft. Nothing will. But when a bank is robbed, it doesn't mean that vaults, guards and cameras have been rendered useless - it means the bank's security system needs to be adapted and strengthened," notes Bashir Fancy, former EVP, Risk Management and Security, VISA, and special advisor, business risk services, Grant Thornton LLP.
"The PCI DSS is a mandatory benchmark to help lower the risk and the standard will evolve to keep pace with the threats."
Anderson concludes by emphasizing that the risk of payment card fraud is always present. The most effective PCI DSS compliance needs to be an ongoing process rather than an annual "tick the boxes" exercise.