PCI Considerations for Hospitality and Retail

As credit card and digital wallet purchases replace in-person, paper and coin currency transactions, a company’s ability to support these technologies will become key to customer satisfaction. This is especially true in the hospitality and retail sectors, which are among the most heavily dependent on credit card transactions. Businesses in these and other sectors must continually keep pace with consumer behavior through system updates, migration to cloud platforms or other avenues.

With the release of Payment Card Industry (PCI) Data Security Standard (DSS) v4.0, businesses will have another reason to update their systems. Here’s a look at how these updates may impact organizational compliance.

Redefining the Cardholder Data Environment (CDE)

Most options for adapting to more highly flexible and available environments incorporate cloud-based systems. As the CDE begins to encompass systems hosted by third-party service providers (TPSPs) more frequently, it is critical to understand how the network architecture is designed to maintain appropriate segmentation of payment systems. This segmentation of payment systems prevents scoping in additional system components not intended to be relevant to payment systems and data.

Another way to refine the CDE is by not storing cardholder data within your environment. When removing cardholder data from your environment is combined with effective network segmentation to isolate systems which process and transmit cardholder data, it can significantly reduce the size of your PCI-relevant environment.

Encryption in Transit

PCI Requirement 4 and its sub-requirements address encryption of cardholder data between on-premise systems and cloud-based systems. Important factors include:

  • encryption keys and certificates accepted are trusted and not expired or revoked;
  • encryption methods are secure and an inventory of keys is maintained to facilitate appropriate key management; and
  • certificate management in line with industry best practices.

NIST special publications are considered industry best practice. Strong cryptography guidance can be found in NIST SP 800-52 and SP 800-57. Guidance for key and certificate management practices is available in NIST SP 1800-16.

Defining Responsibilities

Throughout PCI DSS v4.0, there is an increased emphasis on roles and responsibilities for performing activities and requiring that they be documented, assigned, and understood. Listed as requirement X.1.2, it will likely result in more policy and procedure documents as well as more explicit accountability for action and inaction from customer-facing and back-office personnel.

Use and Monitoring of Service Providers

Migration to the cloud comes with considerations about how to appropriately monitor compliance for service providers. Whether your organization uses Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) providers for hosting systems and software, or a payment processor to complete credit card payments, maintaining an accurate list of TPSPs and monitoring the PCI compliance of these providers is key to maintaining your own organization’s compliance.

PCI requirement 12.8 states that organizations must establish processes for engaging TPSPs and maintain a list of all such providers with which account data is stored, processed, or transmitted. The organization must maintain written agreements with each TPSP that acknowledge responsibility for the security of account data. The PCI compliance status of each TPSP must be monitored at least annually. Additionally, organizations must document which PCI DSS requirements are managed by each TPSP and which are the responsibility of the organization. These considerations can usually be incorporated into the vendor management and compliance monitoring functions.

Protection of Point of Interaction (POI) Devices

While the trend towards online payments may reduce the number of in-person credit card payments, many organizations will not be able to fully remove payment terminals from their physical locations. As with v3.2.1, PCI DSS v4.0 requires protective measures to prevent unauthorized activities with devices that interact with a consumer’s credit card and cardholder information. Among these requirements is 9.5, which mandates that a list of POI devices must be maintained and periodically inspected and personnel must be trained on how to recognize suspicious behavior and tampering.

This list highlights processes that have greater impact on hospitality and retail organizations' compliance with PCI requirements. When planning security and PCI compliance processes, it is important to account for each organization's unique characteristics. Weaver assists with PCI consulting and assessment services for clients ranging from Fortune 50 organizations to small merchants.

To find out how we can help your organization achieve and maintain PCI DSS compliance, or to help strengthen your security program in general, contact us for more information.

© 2022