Would your network pass a PCI DSS assessment?

11 Apr

By: Markus Witcomb


The hospitality industry is a notoriously easy target for cyber criminals and attackers, who are lured by the lucrative rewards offered by taking advantage of point-of-sale (POS) systems, the high volume of transactions, hotel loyalty programmes and booking databases.

Point-of-sale devices are a common target for cyber criminals. According to the Report, 38% of POS hacking attacks involved stolen credentials, and 31% of confirmed data breaches over the last three years involved POS intrusion.

The attack pattern on POS devices can, simply put, be described as follows: compromise the POS device, install malware that collects magnetic stripe data as it is processed, retrieve the data, and cash in.

There is ample room for an attack in a hotel via its hospitality management system (HMS), POS devices, Wi-Fi network, hotel network infrastructure or online booking system, but the same equally applies to any hospitality business.

Hoteliers must be able to demonstrate PCI compliance across all IT systems that store, transmit or process credit card data. This generally includes POS and back-office systems. Failure to comply with PCI requirements can result in penalties or sanctions from members of the payment card industry.

Many businesses believe that they are compliant just because they purchased a POS system (hardware & software) from a company that specialises in the provision of these devices.

What they fail to realise is that the data they transmit over their own network (wired or wireless) also needs to comply with the rules set out in Requirement 1 (‘Install and maintain a firewall configuration to protect cardholder data’) and Requirement 4 (‘Encrypt transmission of cardholder data across open, public networks’) of PCI DSS v3.1.

Network segmentation, that is, isolating the cardholder data environment from the remainder of an entity’s network, is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:

  • The scope of the PCI DSS assessment
  • The cost of the PCI DSS assessment
  • The cost and difficulty of implementing and maintaining PCI DSS controls
  • The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (a so-called “flat network”), the entire network is in scope for the PCI DSS assessment.
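To make the scoping point concrete, here is an added example (not from the original post, and not QAIST's code) that determines which hosts fall into PCI DSS scope by walking the firewall's permitted segment-to-segment flows backwards from the cardholder data environment; the host names, segments and flows are constructed.

```python
from collections import deque

# Constructed inventory (not from the original post): host -> (segment, handles CHD?)
HOSTS = {
    "pos-terminal-1": ("cde", True),
    "pos-terminal-2": ("cde", True),
    "back-office-pms": ("cde", True),   # hotel management / booking system
    "guest-wifi-ap": ("guest", False),
    "staff-laptop": ("office", False),
    "marketing-web": ("office", False),
}
SEGMENTS = {seg for seg, _ in HOSTS.values()}


def flat_network(segments):
    """A flat network: every segment may talk to every other segment."""
    return {(a, b) for a in segments for b in segments if a != b}


def in_scope(hosts, allowed_flows):
    """Return the sorted list of hosts in PCI DSS scope.

    A host is in scope if it stores, processes or transmits cardholder data,
    or if its segment can reach a cardholder-data segment, directly or via
    other segments, through the flows the firewall permits ("connected-to").
    allowed_flows is a set of (source_segment, destination_segment) pairs.
    """
    cde_segments = {seg for seg, handles_chd in hosts.values() if handles_chd}
    reachable = set(cde_segments)      # segments that can reach the CDE
    queue = deque(cde_segments)
    while queue:                       # walk the permitted flows backwards
        dst = queue.popleft()
        for src, d in allowed_flows:
            if d == dst and src not in reachable:
                reachable.add(src)
                queue.append(src)
    return sorted(h for h, (seg, _) in hosts.items() if seg in reachable)


if __name__ == "__main__":
    # Flat network: every host is in scope for the assessment.
    print("flat     :", in_scope(HOSTS, flat_network(SEGMENTS)))
    # Office staff allowed through the firewall into the CDE: office stays in scope.
    print("partial  :", in_scope(HOSTS, {("office", "cde")}))
    # Nothing may reach the CDE: scope shrinks to the hosts that handle CHD.
    print("isolated :", in_scope(HOSTS, set()))
```

Any segment that can reach the CDE, even indirectly, drags its hosts into scope, which is why a guest Wi-Fi on a flat network is assessed alongside the POS terminals.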

The Solution

Whilst there are requirements within the standard that no IT provider can completely fulfil on your behalf, ensuring you have a properly configured, managed and secure network is one that can be.

DaisySentry from QAIST provides a comprehensive and cost-effective way of providing:

  • Network access security for both hard-wired and Wi-Fi environments
  • Managed firewall
  • Content filtering
  • Malware and intrusion alerts
  • PCI DSS Level 1 certified protection
  • 3G/4G failover
  • Simple VPNs – Secure and encrypted
  • Internet usage and performance stats

For your business, network security is not only the sensible action to take; it is also what is required by UK data protection legislation and the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS Level 1 ‘certified’ solution

Our service is Level 1 compliant, which means it not only addresses a large part of the user’s PCI requirements, but also helps to protect against breach fines, something non-certified solutions can’t do.

Affordable Protection

Our solution is delivered as a fully managed, subscription-based service, so there is no need for you to invest in software, hardware or additional personnel. The system will watch over your business day and night, monitoring all network activity and acting proactively to block threats.
