Your Campus Hotel and PCI

I have been working with and talking to a number of schools recently that operate hotels on campus. These hotel operations face particular PCI compliance challenges due to the nature of the hotel business. That is, they hold lots of cardholder data like the PAN for reservations (and to charge you that $2 for the bottle of water from the minibar...), and they even retain (occasionally intentionally) security codes (CVV2/CVC2). Therefore, these operations can forget about using any of the simplified SAQs; they get to use SAQ D or, if they are big enough, they require an outside assessment by a QSA.

I saw this article today on PCI compliance in the hotel/hospitality/resort industry, and I thought I'd pass it along to all of you. The author seems to know the industry, and his advice fits with my own experience. Some of the specific suggestions (and my comments) are:

Are users automatically logged off after a maximum of 10-15 minutes of inactivity? (This is a good practice...actually, 10 minutes seems pretty long. Better yet, make sure this applies to all terminals throughout the property...yes, even Housekeeping.)

Is all cardholder data in folios, receipts and reports masked, with a maximum of 4-6 digits appearing?


Copyright © 2012 The Security Blog. All rights reserved.