1. Start work now on compliance with the new PCI DSS version 4.0.
Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) became the only active version on April 1, 2024, when v3.2.1 was retired. It introduces more than 50 new requirements, and most of them are future-dated: they are best practice until March 31, 2025 and mandatory after that. The phased deadline is a clear acknowledgment that the new requirements will take time to plan and implement. A few examples include:
- Expanded multi-factor authentication requirements.
- Increased minimum password length.
- New e-commerce and anti-phishing requirements.
Although PCI DSS is a contractual standard enforced through the card brands and acquiring banks rather than a governmental regulation, it is recognized globally, and failing to meet and maintain it carries financial liability. In addition, card data is highly targeted by organized crime using many different attack methods, which makes this a high risk for everyone in the hospitality business.
One positive note about the new version: in Section 13 of PCI DSS v4.0, "Additional References," you'll find a table of external organizations and documents referenced in the requirements. This integration of other standards boosts the value and significance of PCI DSS because it incorporates and acknowledges relevant elements from other recognized sources such as the Cloud Security Alliance, the Center for Internet Security, and the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). It shows the PCI Security Standards Council's commitment to widely accepted best practices rather than an extreme or unique set of requirements applicable only to card data.
2. Focus on Cloud Security
In the hospitality industry, cloud migration has continued, using both public and private clouds, and multicloud strategies are now the norm. This growing dependence on cloud systems and services increases exposure to weaknesses that were not adequately considered during rapid migration.
Along with that, moving to cloud systems changes operational processes and resources that were designed for on-premises environments, which in turn requires new skills, new tools and changes in procedures. These steps can improve protection of data stored in and transmitted through cloud services:
Conduct a cloud security gap assessment: Developing a baseline assessment of your current state is always a practical and valuable place to start. Cloud security standards you can use to conduct an assessment include:
- NIST Special Publication 800-210, General Access Control Guidance for Cloud Systems, which describes the access control challenges of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). It is also a resource for formulating strategies and access control designs.
- ISO/IEC 27017, published by the International Organization for Standardization (ISO), defines information security controls for cloud services. It applies to cloud service providers, including any cloud systems provided by franchisors to franchisees, and adherence to it is a respected way to lower risks in a cloud environment. It also contains guidance for cloud customers, so if your company uses a cloud service provider, apply the customer-side controls and ask your providers for evidence of conformance as part of your third-party risk management.
- The architecture frameworks published by the major providers (the AWS Well-Architected Framework, the Azure Well-Architected Framework and the Google Cloud Architecture Framework) each include a security pillar that can help you analyze and review cloud platform security, alongside performance, cost efficiency and compliance.
A final note on cloud security: As you plan this type of assessment, be sure you have well qualified people in cloud security, whether you use internal or external resources.
Provide formal cloud security training for internal staff: One of the best investments in your overall cybersecurity program is ongoing training for your internal staff. These are the people with day-to-day visibility into and knowledge of your business activities and the technology supporting them, so equip them well. Four recognized leaders offer cloud security training and certifications:
- Cloud Security Alliance (cloudsecurityalliance.org), which offers the Certificate of Cloud Security Knowledge (CCSK), as well as free research papers, user forums, etc. This is an excellent resource overall to help you stay informed.
- CompTIA (https://www.comptia.org) offers the CompTIA Cloud+ course and certification. It covers cloud infrastructure broadly rather than security alone, so it is a more basic level of training and is appropriate as a first level of cloud security knowledge.
- SANS Institute, through its certification body GIAC (https://www.giac.org/focus-areas/cloud-security/), offers certifications tied to five specialized and advanced cloud security courses: Cloud Security Essentials, Cloud Security Automation, Cloud Threat Detection, Web Application Defender and Public Cloud Security.
- ISC2’s Certified Cloud Security Professional (CCSP) certification requires:
* at least five years of cumulative paid work experience in IT
* at least three years of which must be in information security
* at least one year in one or more of the ISC2 CCSP knowledge domains
The certification is vendor agnostic and has a high level of credibility for application to real world situations. This is a preferred certification for someone with management responsibility for cloud security.
Investigate new security tools and techniques to manage multicloud environments: As mentioned earlier, migrating to cloud systems creates a need for new skills, tools and changes in procedures. Key areas to evaluate include governance, provisioning, access controls and cloud management tooling. You should also review disaster recovery plans for a major outage or failure of a cloud service.
The marketplace encompasses a broad spectrum of new technologies and tools, and we can expect these to evolve and change. With this in mind, conduct a thorough evaluation and testing before you buy new products, and avoid long-term contracts. But don't let this hinder you from stepping out to obtain tools and techniques that will reduce risk.
3. Measure & Report Security Processes for IT Operations
One of the most effective ways to make sure you're carrying out critical and fundamental security processes is to set up metrics that are reported to C-level executives on a monthly basis. An added bonus: you can use the same reports to support audits and demonstrate proper governance. Examples of essential security procedures that IT normally manages include:
- Vulnerability scanning and patching, e.g. the share of findings remediated within the agreed time frame for each severity.
- Provisioning and decommissioning of computing devices such as laptops, tablets, mobile phones, etc.
- Configuration management for servers, firewalls, etc.
- Executing backups and periodic testing of the restore procedure.
- Monitoring application allowlisting and anti-virus, e.g. counts of blocked malware, removal of malware, etc.
- Implementing changes to privileged access, and maintaining a list of all persons with privileged access including name, job title and location.
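The first item above only becomes a reportable monthly metric once "patched on time" is defined and computed the same way every month. The script below is an added example, not part of the original article or any vendor product: it reads a constructed, minimal scanner export, applies assumed remediation deadlines per severity (15/30/90/180 days are illustrative, not a PCI DSS figure), and produces the two numbers an executive report needs, the percentage of due findings closed on time and the list of open findings that are already overdue. Open findings that are not yet due are counted separately so they neither inflate nor deflate the percentage.

```python
"""Monthly patch-SLA metrics from a vulnerability-scan export (added example).

Not code from the article. The SLA_DAYS values and SAMPLE_CSV rows are
constructed assumptions for illustration; replace them with your own policy
and your scanner's export (asset, finding id, severity, first seen, closed).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation deadlines in days from first detection (not from the article).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample export; an empty "closed" column means the finding is still open.
SAMPLE_CSV = """\
asset,finding,severity,first_seen,closed
pos-01,F-001,critical,2024-01-02,2024-01-10
pos-02,F-002,critical,2024-01-03,
web-01,F-003,high,2024-01-05,2024-02-20
web-01,F-004,medium,2024-01-15,
db-01,F-005,low,2023-12-01,
"""


@dataclass
class Finding:
    asset: str
    finding: str
    severity: str
    first_seen: date
    closed: Optional[date]

    @property
    def due(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])


def parse_findings(text: str) -> List[Finding]:
    """Parse the CSV export; reject unknown severities rather than silently skipping them."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        sev = r["severity"].strip().lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {sev!r} on asset {r['asset']}")
        closed = r["closed"].strip()
        rows.append(Finding(
            asset=r["asset"],
            finding=r["finding"],
            severity=sev,
            first_seen=date.fromisoformat(r["first_seen"]),
            closed=date.fromisoformat(closed) if closed else None,
        ))
    return rows


def sla_metrics(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per severity: met (closed by due date), missed (closed late, or open and past
    due), in_progress (open, not yet due). sla_pct = met / (met + missed), or None when
    nothing was due yet, so a quiet month is not reported as 100 %."""
    out = {s: {"met": 0, "missed": 0, "in_progress": 0} for s in SLA_DAYS}
    for f in findings:
        bucket = out[f.severity]
        if f.closed is not None:
            bucket["met" if f.closed <= f.due else "missed"] += 1
        elif as_of > f.due:
            bucket["missed"] += 1
        else:
            bucket["in_progress"] += 1
    for b in out.values():
        due_total = b["met"] + b["missed"]
        b["sla_pct"] = round(100 * b["met"] / due_total, 1) if due_total else None
    return out


def overdue_open(findings: List[Finding], as_of: date) -> List[Tuple[str, str, str, int]]:
    """Open findings past their deadline, most overdue first: (asset, finding, severity, days)."""
    rows = [(f.asset, f.finding, f.severity, (as_of - f.due).days)
            for f in findings if f.closed is None and as_of > f.due]
    return sorted(rows, key=lambda r: -r[3])


def monthly_report(text: str = SAMPLE_CSV, as_of: date = date(2024, 3, 1)) -> dict:
    """Assemble the figures for the monthly executive report as of a fixed date."""
    findings = parse_findings(text)
    return {
        "as_of": as_of.isoformat(),
        "by_severity": sla_metrics(findings, as_of),
        "overdue_open": overdue_open(findings, as_of),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(monthly_report(), indent=2))
```

With the constructed data the critical bucket reports 50.0 % (one closed on time, one open and 43 days overdue), the high bucket 0.0 % (closed, but late), and the medium and low buckets None because nothing in them is due yet. Pinning `as_of` to the reporting date, rather than calling `date.today()`, keeps the numbers reproducible when the report is regenerated for an audit.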