Webinar: How to keep your hotel guest data secure

Transcription

1 Webinar: How to keep your hotel guest data secure

2 Securing your hotel guest data Wednesday April 18, :00 pm ET WEBINAR HOST Joshua Molina Ed Vasko Chief Executive Officer

3 QUESTIONS? Type them in the Webex chat bar. 3

4 Today s Agenda Topics covered in this webinar include: EDWARD VASKO, CISSP CEO, Founder Senior Executive, Entrepreneur Cybersecurity Expert ASU Advisory Board AZ Commission on Post-Secondary Education CEV Acquisitions Jefferson Wells Technology will not save bad practices - 3 things to look for and stop right now! Review the recent changes to the PCI DSS and critical deadlines impacting you. Which Self-Assessment Questionnaire is Right for You? Questions and Answers 4

5 Cybersecurit y & Risk Consulting +PCI QSA (Largest in AZ) +MSSP +Tech Reseller +Breach Radar +Channel Program +New Offerings +Global Expansion 20 Services 50 Services 100+ Services 150+ Services 250+ MSSP 300+ SIEM Installation 500+ SIEM Training 185+ Services MSSP 340+ SIEM Installation 880+ SIEM Training

6 Three Things to Change Now! Credit card authorization forms Remove them! Taking credit cards via fax or Stop! When you get a call from Corporate Helpdesk, we re here to help Hang up! 6

7 Three Things to Change Now! Credit Card Authorization Form Generally includes a picture of both sides of the card. Includes Sensitive Authentication Data (SAD) / CVV2 data PCI DSS Section 3.2 states, Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. If you need to take these, destroy them after authorization! 7

8 Three Things to Change Now! Taking Credit Cards via Fax or ! Expands your scope beyond your reservation / property management system. Generally, these are not secured in the same fashion as other PCI-related items. PCI DSS states, The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. If you need to do so, be prepared for significantly increased costs! 8

9 Three Things to Change Now! Call from Corporate Helpdesk Generally, if you didn t initiate the call, it s a scam If they ask for your userid/password or want you to set up a Remote Connection, it s a scam Prep your ENTIRE staff to this issue because all it takes is one weak link 9

10 Risk Landscape for Hoteliers & Small/midsize businesses Half of small businesses report having been the victim of a cyber-attack in the last 18-months. Average cost to a small business from a cyber breach is $21,000. Many small businesses lack anti-phishing measures, antiransomware, off-site data backups, and basic cyber-attack response plans. 10

11 Financial and Reputational Impacts Fines and Penalties More than 90% of merchants who experience a data breach are not compliant at the time of the breach. The merchant is often subject to fines from payment card brands or acquiring bank. Higher subsequent costs of compliance. Almost all small businesses experiencing a breach are out of business in 12-months 11

12 Achieving PCI compliance Step 1 Determine scope of your Cardholder Data Environment (CDE) Step 2 Meet the 6 Major Objectives of PCI DSS Build and Maintain a Secure Network and Systems Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Controls Regularly Monitor and Test Networks Maintain an Information Security Policy 12

13 VISA s New Requirements for Small Business In 2017, the VISA payment card brand announced changes in PCI requirements for Level 4 merchants. Level 4 merchants, according to VISA, are those organizations with up to 1 million VISA transactions annually. These new requirements include annual validation and reporting of PCI compliance to your acquiring bank. The new requirements apply to U.S. and Canadian merchants with an effective start date of January 31,

14 VISA s New Requirements for Small Business Acquiring banks must now ensure: Level 4 merchants annually validate PCI DSS compliance by January 31, 2017 Participate in VISA s Technology Innovation Program (TIP). OR Visa TIP recognizes merchants that take action to prevent fraud by investing in EMV technology or PCI-approved point-to-point encryption (P2PE) solutions. At least 75% of all transactions must originate through EMV chip-reading terminals or a PCI-validated P2PE solution. 14

15 As of February 1st, 2018 The following PCI DSS v3.2 requirements came into effect on February 1st, These requirements must now be included in the assessment process for applicable entities. For all types of organizations: Change management processes to confirm that affected PCI DSS requirements are in place after significant change (Requirement 6.4.6) Multi-factor authentication for all non-console administrative (Requirement 8.3.1) 15

16 Certifying PCI Compliance Each merchant is required to report its compliance status directly to its acquiring bank. The acquiring bank then reports the merchant s compliance status to the payment card brands. Validation: Complete your PCI self-assessment using the applicable Self-Assessment Questionnaire (SAQ). Complete four clean quarterly ASV network vulnerability scans. Reporting: Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation such as ASV scan reports to your acquiring bank. 16

17 Self-Assessment Questionnaire (SAQ) Ask your acquiring bank which SAQ type is required for your hotel. The Self-Assessment Questionnaire is based on the requirements in the PCI DSS. The most common SAQ is Type D. It applies to: Merchants with walk-in customers who provide their credit card. Merchants with phone customers who verbally provide their credit card details. Merchants with local, electronic storage of cardholder data Questions are included in SAQ-D. 17

18 Other SAQs to Consider 18

19 Helpful Resources PCI SECURITY STANDARDS COUNCIL PAYMENT CARD BRANDS

20 QUESTIONS? Type them in the Webex chat bar. 20

21 SkyTouch.tech/HotelSecurity Special Offer