PCI DSS Certification in Travel Technology

Nobody can deny that technology and travel are a winning mix. The travel technology economy is developing faster than ever before, becoming more traveller-centric and making it much easier to pay for trips online. With that said, one aspect that is sometimes forgotten, but is absolutely crucial for any OTA selling online, is top-notch security.

Any entity that stores, processes and/or transmits cardholder data needs to be PCI DSS certified. The question, then, is: what is PCI DSS, and how does it affect my business?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules established by the PCI Security Standards Council that every business must follow in order to protect the credit card data provided by cardholders and the payments made through card processing operations. PCI-compliant security is a crucial asset that tells vendors that their transactions with your company are secure.

The potential liabilities, both financial and reputational, as set out by DigitalGuardian and Imperva, should be enough to urge any business owner to prioritize data security.

The PCI Security Standards Council has set out 12 requirements for handling cardholder data and maintaining a secure environment. All of them must be met for a business to become compliant, and they are grouped under six key objectives.

The 12 requirements of PCI DSS Compliance

1. To secure cardholder data, establish and manage a firewall setup

Firewalls block unknown or untrusted parties from reaching private data. Organizations should develop firewall and router standards that provide a uniform approach to granting or rejecting network access rules. Configuration rules should be reviewed every two years, and all unauthorized traffic should be blocked.

2. Unique passwords must be used for system access

Most operating systems and devices ship with factory default settings such as usernames, passwords and other insecure configuration options. These default identities and passwords are easy to guess, and many of them can be found on the Internet. This requirement prohibits the use of default passwords and other default security settings.

Basic safeguards and settings should be implemented alongside an inventory of devices and their passwords (for example, changing each default password).

3. Data on cardholders should be stored in a safe manner

To begin, you must first determine all of the data you wish to keep, as well as where it is stored and for how long. Service providers and merchants are often unaware that they are storing unencrypted primary account numbers (PANs), so technology such as card data detection becomes critical. Card data must be encrypted using appropriate systems. Those encryptions rely on encryption keys, which must themselves be encrypted in order to be compliant. This requirement also contains guidelines for displaying primary account numbers, such as disclosing only the first six and last four digits.

4. Transmitted data should be encrypted

Cybercriminals may gain access to cardholder data when it is transmitted over public networks. If the data is encrypted before it is sent and decrypted only on arrival, using a secure version of a transmission protocol such as TLS or SSH, criminals are far less likely to gain meaningful access to it.

5. Anti-virus software must be used and updated on a regular basis

The PCI DSS mandates a proactive and continuous approach to detecting vulnerabilities in payment card systems. This is known as a vulnerability management program, and the first step in implementing one is to install an anti-virus solution on all desktops, laptops and mobile devices through which employees may access the system. Because malicious software threats are continuously evolving, security software must be correctly configured and updated on a daily basis.

6. Secure systems and apps must be developed and maintained

It is critical to develop and implement a process for identifying and ranking the risk of security vulnerabilities in the PCI DSS environment using credible external sources. Organizations must reduce their exposure to vulnerabilities by applying essential updates on schedule.

7. Limit access by the company to cardholder data

To implement strong access control measures, service providers and merchants must be able to grant and deny access to cardholder data systems. This requirement is all about role-based access control (RBAC), which grants need-to-know access to card data and systems. If a person or entity asks for data that is not required for their current job, the request is not approved.

As a result, an access control system must evaluate each request not only on the basis of the requesting agent but also on the basis of the circumstances, and it must refuse any request that is not expressly allowed.
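The two properties just described, need-to-know by role and a decision that also depends on the circumstances of the request, come down to a default-deny policy check. The following is an added example written for this article (not code from MDM or from any PCI tooling): each explicit grant names a role, a resource, an action, the networks the request may come from and the hours in which it is valid; anything not covered by a grant is refused, and every decision is recorded so denied requests can be reviewed. The roles, resource names, network ranges and time windows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str     # e.g. "cardholder_db" (constructed name)
    action: str       # e.g. "read"
    source_ip: str
    at: datetime


@dataclass(frozen=True)
class Rule:
    """One explicit grant: a role may perform an action on a resource, only under these circumstances."""
    role: str
    resource: str
    action: str
    networks: tuple          # CIDR blocks the request may originate from
    start: time              # earliest permitted time of day
    end: time                # latest permitted time of day

    def covers(self, req: Request) -> bool:
        if (req.role, req.resource, req.action) != (self.role, self.resource, self.action):
            return False
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(n) for n in self.networks):
            return False
        return self.start <= req.at.time() <= self.end


# Constructed policy for this example: only what is listed here is allowed.
POLICY = (
    Rule("payments_clerk", "cardholder_db", "read",
         networks=("10.0.0.0/8",), start=time(8, 0), end=time(18, 0)),
    Rule("payments_clerk", "booking_db", "read",
         networks=("10.0.0.0/8",), start=time(0, 0), end=time(23, 59, 59)),
    Rule("marketing_analyst", "booking_db", "read",
         networks=("10.0.0.0/8",), start=time(0, 0), end=time(23, 59, 59)),
)

AUDIT_LOG = []   # every decision is recorded, allowed or not


def decide(req: Request, policy=POLICY) -> tuple:
    """Return (allowed, reason). Anything not matched by an explicit rule is refused."""
    for rule in policy:
        if rule.covers(req):
            verdict = (True, "matched explicit rule")
            break
    else:
        # Separate "no grant exists for this role/resource/action" from "a grant exists
        # but the circumstances fall outside it"; the distinction helps when reviewing denials.
        partial = any((r.role, r.resource, r.action) == (req.role, req.resource, req.action)
                      for r in policy)
        verdict = (False, "circumstances outside the grant" if partial
                   else "no rule grants this access")
    AUDIT_LOG.append((req.at.isoformat(), req.user, req.role, req.resource,
                      req.action, req.source_ip, *verdict))
    return verdict


if __name__ == "__main__":
    office_hours = datetime(2024, 3, 1, 10, 0)
    print(decide(Request("alice", "payments_clerk", "cardholder_db", "read", "10.0.3.7", office_hours)))
    print(decide(Request("alice", "payments_clerk", "cardholder_db", "read", "203.0.113.5", office_hours)))
    print(decide(Request("dave", "marketing_analyst", "cardholder_db", "read", "10.0.3.9", office_hours)))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the `for ... else` shape is that the allow path is the exception: a request has to find a rule that covers it, and the fall-through is always a denial. Keeping the reason in the audit record lets a reviewer see whether a denied request was an attempt to read data outside the requester's role or a legitimate role acting from the wrong place or time.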

8. A unique ID must be issued to each user

Each authorized user must have a distinct identity, and passwords must be sufficiently complex. This guarantees that any access to cardholder data can be traced back to a known user or, at the very least, immediately identified as unauthorized. Two-factor authentication is required for remote access.

9. Physical access to cardholder data should be restricted

On-site access control is required for security; it not only restricts but also monitors and tracks movement within a facility.

Without physical access restrictions, unauthorized entities might gain access to the system and steal, disable, disrupt or destroy essential systems and cardholder data. You will need an access system that lets you tell the difference between authorized visitors and workers. Physical protection is required for all removable or portable media carrying cardholder data.

10. All access to network resources and cardholder data should be tracked and monitored

Log files, system traces, or any technology that allows tracking of access to sensitive data is important in preventing, discovering or mitigating a data breach. PCI DSS seeks to prevent attacks by requiring businesses to monitor and verify their networks regularly.

Real-time monitoring and logging, as well as forensic methods, are vital. However, for these systems to be effective, they must be built on a solid foundation. This requirement concentrates on those foundations, such as the ability to connect all network traffic to a single user.
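Requirements 8 and 10 together say that every access to cardholder data should be attributable to one known user. The following is an added example written for this article, not code from MDM or from any logging product, showing the kind of check that foundation makes possible: it parses a few constructed access-log lines, lists entries that cannot be tied to a known identity, lists source addresses that several identities used (traffic from those addresses cannot be connected to a single user), and counts successful reads of cardholder resources per user. The log format, the user inventory and the resource names are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines for this example (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:15:02Z src=10.0.3.7 user=alice action=read resource=cardholder_db status=200
2024-03-01T10:16:40Z src=10.0.3.9 user=bob action=read resource=booking_db status=200
2024-03-01T10:17:05Z src=10.0.3.7 user=- action=read resource=cardholder_db status=200
2024-03-01T10:18:11Z src=10.0.4.2 user=svc_batch action=export resource=cardholder_db status=200
2024-03-01T10:19:30Z src=10.0.3.9 user=carol action=read resource=cardholder_db status=403
2024-03-01T10:20:00Z truncated entry
"""

KNOWN_USERS = {"alice", "bob", "carol"}          # constructed identity inventory
CARDHOLDER_RESOURCES = {"cardholder_db"}         # constructed list of in-scope resources

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) status=(?P<status>\d+)$"
)


def parse_log(text: str) -> tuple:
    """Parse key=value access-log lines into dicts.

    Malformed lines are returned separately rather than dropped: a log that
    silently loses entries is not a solid foundation for monitoring.
    """
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            malformed.append(line)
    return entries, malformed


def audit(entries: list, known_users: set, cardholder_resources: set) -> dict:
    """Flag what cannot be attributed to one known user and summarise cardholder data access."""
    # Entries with no user, or a user that is not in the identity inventory.
    untraceable = [e for e in entries if e["user"] == "-" or e["user"] not in known_users]

    # Source addresses seen with more than one user value: traffic from these
    # cannot be connected to a single person.
    users_by_src = defaultdict(set)
    for e in entries:
        users_by_src[e["src"]].add(e["user"])
    shared_sources = {src: sorted(users) for src, users in users_by_src.items() if len(users) > 1}

    # Successful (2xx) operations on cardholder resources, per user value.
    access = Counter()
    for e in entries:
        if e["resource"] in cardholder_resources and e["status"].startswith("2"):
            access[e["user"]] += 1

    return {
        "untraceable": untraceable,
        "shared_sources": shared_sources,
        "cardholder_access": dict(access),
    }


if __name__ == "__main__":
    entries, malformed = parse_log(SAMPLE_LOG)
    report = audit(entries, KNOWN_USERS, CARDHOLDER_RESOURCES)
    for e in report["untraceable"]:
        print("untraceable:", e["ts"], e["src"], e["user"], e["resource"])
    print("shared sources:", report["shared_sources"])
    print("cardholder access:", report["cardholder_access"])
    print("malformed lines:", malformed)
```

On the sample, the entry with no user and the `svc_batch` entry are reported as untraceable, both workstations show up as shared (one because an anonymous entry came from the same address as a named user), and the denied request from `carol` is not counted as access. In practice the identity inventory would come from the directory the previous requirement obliges you to keep, and the same parsing would feed whatever real-time alerting sits on top.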

11. Vulnerabilities must be scanned and tested for

Wireless access points used to obtain confidential information must be tested every quarter. Internal and external vulnerability scans are required at least once a quarter, and more frequently after a substantial network change.

12. Maintain a policy for all staff that covers information security

Every employee should understand what is expected of them when it comes to protecting your clients' sensitive information. All employees should understand the sensitivity of the data and their individual and organizational responsibility for preserving it.

For compliance, an inventory of all equipment, software and personnel with access will be required. You must also document how information enters your firm, where it is held, and how it is used after the point of sale.

At first glance, complying with the PCI Security Standards appears to be a challenging task. Compliance is becoming increasingly essential, and it may not be as difficult as you think, particularly if you have the appropriate tools.

Need help monitoring your vulnerability and security risks? MDM technologies can help you out!