Hoteliers’ PCI Compliance Programs Should Incorporate New Risk Assessment Guidelines from the PCI Security Standards Council

On November 16, 2012, the PCI Security Standards Council (SSC) released a “PCI DSS Risk Assessment Guidelines Information Supplement.”  The hospitality industry should use the document to help identify threats and associated vulnerabilities that could jeopardize payment card security.

PCI SSC General Manager Bob Russo commented that the document provides “a strong set of best practices” that hoteliers and others can use to choose the risk management methodology most appropriate for them.  Among the key recommendations:

  • Companies, including those in the hotel industry, should implement a formalized risk assessment methodology that best suits the culture and requirements of the company;
  • A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, so that a hotel company can mitigate them proactively and in a timely manner; and

Importantly, the Guidelines warn that risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls).

The best approach to learning and applying the PCI DSS requirements is through rigorous PCI compliance training and the development of a reliable PCI compliance program.  Any such program should include custom learning solutions, such as PCI compliance training modules and similar training for hoteliers on best practices for using hospitality technology.

The PCI SSC Information Supplement is available at: https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf