
HOSPITALITY UPGRADE • www.hospitalityupgrade.com | Spring 2005 • pages 120-121

12 STEPS TO SAFE SWIPING: NEW CC SECURITY STANDARDS

CREDIT CARD SECURITY STANDARDS: If there is a security compromise, what is your company's liability?

If your credit card data handling is up to scratch—CISP certified—it may be the mythical $50 limit. If you haven’t gotten around to CISP yet, add four zeros to that figure.

Does that get your attention? The purpose of this article is to bring the Visa CISP (Cardholder Information Security Program) program, and similar programs, to your attention. MasterCard has SDP; American Express has DSOP; and Discover has DISC, but we’ll just call it CISP for short.

CISP aims at ensuring the security of cardholder data—and in turn, transactions and personal privacy. Visa and MasterCard have defined standards for the processes and systems related to customer data. The standards, known as the PCI (payment card industry) Data Security Standard, define the criteria for safe handling, and define the basis for Visa’s validation of compliance.

The program is relevant in different ways depending on your company’s transaction volume. Visa groups it like this:

Level 1: Companies that handle more than 6 million transactions a year. (If this is the first you’ve heard of CISP, you’re out of the loop at work because you’re probably already CISP certified. Deadline: 9/30/04)

Level 2: Companies that process 150,000 to 6 million Visa e-commerce transactions a year. (Cancel those HITEC tickets if you’re just starting. Deadline: 6/30/05)

Level 3: Companies that process 20,000 to 60,000 Visa e-commerce transactions a year. (They couldn’t spare you for HITEC anyway, but same cutoff. Deadline: 6/30/05)

Level 4: Companies that process fewer than 20,000 Visa e-commerce transactions per year read this article anyway. (Fine print: “Level 4 merchants must comply with CISP, validation determined at discretion.” Deadline: TBD)

The reason these levels and deadlines should be of interest to you is, quite simply, your company will have to comply sooner or later. And although the CISP/PCI standards are reasonable, sensible, prudent and all that other stuff, adhering to them requires process control and rigor. If your company isn’t CISP-certified already, you’re likely to have to make changes to get there.

Take your knowledge of the way your company (and your systems) handle cardholder data, and put it up against the 12 PCI data security standards. See the sidebar on page 122 to take the test.

by Matthew Dunn

Try this hypothetical on for size: a new desk clerk copies a client’s Visa number from an e-commerce booking and buys a new MP3 player. Pop quiz: what’s your liability?

So, assuming you’re reading this because you’re not CISP compliant yet, some of these issues require detailed work encompassing people, processes and systems. In fact, the workload goes beyond your walls to include your technologies and services vendors. Those 12 bland phrases imply a pretty serious effort.

Far too frequently, an external mandate that includes standards or systems gets tossed by default on the technology workpile. Let me suggest that this isn’t “an IT thing,” it’s a business thing. Let’s look at a few pragmatic ways to get compliance efforts rolling.

Executive ownership. Someone with a C in their title cares about this issue, because, let’s face it, credit cards are the cashflow lifeline. Get clarity on who is responsible for achieving compliance and where it sits in his or her objective and budget.

Awareness. For any security issue, workplace culture is the best ally or worst adversary. I’m not suggesting pop quizzes on the 12 standards, but practical stuff like training, reinforcement and recognition.

SPECIAL SECTION CREDIT CARD COMPLIANCE

© 2005 Hospitality Upgrade No reproduction or distribution without written permission.


Broaden the circle. If you’re a Level 2 to 4 company, you’d be well served to figure out which of your partners is already motivated and equipped to help you with this problem. If you have a credit card processor, start there. (And if they’re not CISP certified, you should be asking some very serious questions.)

Systems vendors are the next logical target. Doing some of what Visa et al want done requires their help. Some vendors have made a clear public commitment to CISP; Sophie Grigg, vice president of research and development for PAR Springer-Miller Systems, said, “We are modifying code to include extra levels of encryption across all applications to support our customers’ need to comply. It’s defined as a project across all of our development teams.”

If you’re on the hotel side of the equation, you can and should ask your key vendors to step up to the plate.

Motivation won’t be a problem in any case. So saith Visa, “Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP compliant at the time of the incident.”

Wow, that ought to light a few fires!

Dr. Matthew Dunn is principal of Socratech, Inc., a consulting firm specializing in Internet strategy for hospitality and other industries. He can be reached at (360) 543-7914 or [email protected].

PCI Data Security Standard

1 Install and maintain a firewall configuration to protect data

2 Do not use vendor-supplied defaults for system passwords and other security parameters

3 Protect stored data

4 Encrypt transmission of cardholder data and sensitive information across public networks

5 Use and regularly update anti-virus software

6 Develop and maintain secure systems and applications

7 Restrict access to data by business need-to-know

8 Assign a unique ID to each person with computer access

9 Restrict physical access to cardholder data

10 Track and monitor all access to network resources and cardholder data

11 Regularly test security systems and processes

12 Maintain a policy that addresses information security


Cartoon caption: “...so...without further ado...I’d like to introduce to you, Lothar the Vigilant, our new in-house Visa credit card security CISP-compliancy officer.”