Information
-
PCI-DSS : Property Controls Checklist
-
Document No.
-
Conducted on
-
XXXXX - Property Name
Build and Maintain a Secure Network and System
-
PCI DSS Requirement 1 : Install and maintain a firewall configuration to protect cardholder data.
-
Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Starwood Hotels and Resorts provides a standard firewall and router with a standard configuration, centrally managed by a certified security team.
A property that has enrolled in the Starwood centralized firewall service (managed by Starwood) and connects to the Starwood WAN, with a router enrolled with and managed by the Starwood WAN team, complies with this requirement.
Responsible Team : Information Technology -
Has the property established and implemented a firewall, and enrolled it in Starwood centralized management (ISS)?
-
Are all inbound and outbound Internet cables connected to/from the firewall?
-
Is the Starwood WAN router implemented and managed by Starwood WAN?
-
Does the current network diagram identify all connections between the cardholder data environment and other networks, including any wireless networks?
-
Is personal firewall software on every computer (desktops, laptops) that connects to the network activated, actively running, and not alterable by users?
-
PCI DSS Requirement 2 : Do not use vendor-supplied defaults for system passwords and other security parameters.
-
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
Responsible Team : Information Technology -
Have all default passwords on operating systems that provide security services, on system accounts, and Simple Network Management Protocol (SNMP) community strings for the PMS system been changed?
-
Have all default wireless encryption keys, passwords and SNMP community strings been changed for all wireless environments connected to or transmitting cardholder data?
-
Are all unnecessary services, protocols, daemons, etc. disabled where they are not required for the function of the system?
-
Is non-console/remote administrative access performed over clear-text protocols such as HTTP, telnet, ftp, etc.?
-
Does a property system inventory exist, and is it maintained up to date?
Protect Cardholder Data
-
PCI DSS Requirement 3 : Protect Cardholder Data
-
Protection methods such as encryption, truncation, masking (the first six and the last four digits are the maximum number of digits to be displayed), and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
Responsible Team : Finance -
Do data retention and disposal policies, procedures and processes exist?
-
Sensitive authentication data (credit card authorization data) consists of the full credit card number, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited. If there is a business justification for storing sensitive authentication data, is it stored securely?
-
Is the credit card number masked when displayed to users without a business need to know in the PMS system, and when printed on the guest folio?
-
Is the credit card number masked when displayed to users without a business need to know in the POS system, and when printed on guest checks?
-
Is the credit card number masked when printed on the credit card slip (EDC machine)?
-
Is credit card information stored in the PMS encrypted?
-
Is credit card information stored in the POS encrypted?
-
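The masking rule above (never more than the first six and last four digits displayed) and the rule against sending unprotected PANs over e-mail or chat can both be checked in code. The following is an added example, not part of this checklist or any Starwood system: a display-masking helper that refuses to reveal more than the policy allows, and a Luhn-based scan that flags unmasked PANs in free text such as an outgoing e-mail body. The PAN values used are constructed test numbers, not real cards.

```python
import re

# PCI DSS masking limit: at most the first six and the last four digits shown.
MAX_PREFIX = 6
MAX_SUFFIX = 4

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, prefix: int = MAX_PREFIX, suffix: int = MAX_SUFFIX) -> str:
    """Mask a PAN for folio/receipt display, never exceeding first-six/last-four."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13-19 digits")
    if prefix > MAX_PREFIX or suffix > MAX_SUFFIX:
        raise ValueError("requested more digits than the masking policy allows")
    hidden = len(digits) - prefix - suffix
    return digits[:prefix] + "*" * hidden + digits[len(digits) - suffix:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in free text (e-mail, chat, folio)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # drops confirmation numbers and other digit runs
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample: a folio line with a widely used test PAN.
    line = "Guest folio: card 4111 1111 1111 1111 exp 12/30, conf 1234567890123"
    print(find_unmasked_pans(line))              # ['4111111111111111']
    print(mask_pan("4111 1111 1111 1111"))        # 411111******1111
    print(find_unmasked_pans(mask_pan("4111 1111 1111 1111")))  # []
```

A masked value no longer contains a 13-digit run, so re-scanning the masked output is a simple way to confirm that a folio or receipt template applies the rule.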
PCI DSS Requirement 4 : Encrypt transmission of cardholder data across open, public networks.
-
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Responsible Team : Information Technology/operations -
Do operations teams who handle customers' credit cards use e-mail, instant messaging or chat to send/receive credit card information?
Maintain a Vulnerability Management Program
-
PCI DSS Requirement 5 : Protect all systems against malware and regularly update anti-virus software
-
Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.
Responsible Team : Information Technology -
Is anti-virus software deployed on all servers and computers?
-
Do all servers and computers receive up-to-date anti-virus definitions and perform periodic scans?
-
Is the anti-virus software installed on computers protected so that it cannot be disabled or altered by users?
-
PCI DSS Requirement 6 : Develop and maintain secure systems and applications
-
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.
Responsible Team : Information Technology -
Is the property's vulnerability scan report reviewed, and are the risks classified as "high", "medium" and "low" remediated?
-
Are all systems protected from known vulnerabilities by installing applicable vendor-supplied security patches, with critical security patches installed within one month of release?
-
Are change control procedures, with approval, used for the implementation of security patches?
Implement Strong Access Control Measures
-
PCI DSS Requirement 7 : Restrict access to cardholder data by business need to know.
-
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.
Responsible Team : Finance/Operations -
Is access to cardholder data limited to only those individuals whose job requires such access to PMS system?
-
Is access to cardholder data limited to only those individuals whose job requires such access to POS system?
-
PCI DSS Requirement 8 : Identify and authenticate access to system components.
-
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.
Responsible Team : Information Technology -
Is a unique ID assigned to all users who need access to cardholder data?
-
Have user IDs and privileged user IDs been implemented with only the privileges specified in the documented or on-line user access approval?
-
Are all inactive user accounts removed/disabled at least every 90 days?
-
Are user IDs used by vendors to access, support or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
-
Do user account settings and password parameter settings follow the Starwood user account and password standard?
-
Is user identity verified before any authentication credential (password, new key, new token) is modified or reset?
-
PCI DSS Requirement 9 : Restrict physical access to cardholder data
-
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.
Responsible Team : Information Technology/Security/Finance -
Is physical access to systems in the cardholder data environment restricted to authorized persons only?
-
Are video cameras implemented to monitor individual physical access to sensitive areas, with footage stored for at least three months unless otherwise restricted by law?
-
Are access control mechanisms implemented to restrict and monitor individual physical access to sensitive areas, and is the collected data reviewed?
-
Is access to publicly accessible network jacks restricted using physical (locked panduits) and/or logical (IP address lock-down) controls?
-
Is physical access to wireless access points, gateways, handheld devices, network/communications hardware, and telecommunication lines restricted?
-
Are there procedures defined for identifying and distinguishing between onsite personnel and visitors?
-
Is a visitor log implemented, and does it contain the visitor's name, the firm represented, and the on-site personnel authorizing physical access?
-
Is the visitor log retained for at least three months?
-
Are media backups stored in a secure location (preferably off-site), and is the location's security reviewed at least annually?
-
Is strict control over the internal and external distribution of media in place, including classifying media so that the sensitivity of the data can be determined?
-
Is an off-site media log, with management approval, implemented when media is moved from/to the secure off-site location?
-
Are media inventories performed at least annually?
-
Is periodic media destruction performed in accordance with the media retention and destruction policy (shred, incinerate or pulp hard-copy material; render cardholder data on electronic media unrecoverable)?
-
Are the devices that capture payment card data (card swipe or dip) protected from tampering and substitution (skimming)?
-
Have the devices that capture payment card data been inventoried, and is the inventory maintained up to date, including make, model of device, serial number, location, and IP address (if applicable)?
-
Are regular inspections of device surfaces performed periodically to detect tampering?
-
Is training provided so that personnel are aware of attempted tampering or replacement of devices?
Regularly Monitor and Test Network
-
PCI DSS Requirement 10 : Track and monitor all access to network resources and cardholder data
-
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
Responsible Team : Information Technology -
Is an audit trail (Security Event Information Management) enabled and active to generate audit logs of all individual user access to cardholder data?
-
PCI DSS Requirement 11 : Regularly test security systems and processes
-
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Responsible Team : Information Technology -
Is scanning for wireless access points performed quarterly, with proper documentation?
-
Is a change-detection mechanism (File Integrity Management - FIM) implemented?
Maintain an Information Security Policy
-
PCI DSS Requirement 12 : Maintain a policy that addresses information security for all personnel
-
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
Responsible Team : Finance & All Operations -
Is the information security policy published, maintained and disseminated, and are all personnel aware of the sensitivity of data and their responsibilities for protecting it?
-
Is the Starwood Technology Usage Policy in place and in use?
-
Is there a formal security awareness program to make all personnel aware of the importance of cardholder data security (Property Data Handling / online PCI training provided at least annually)?
-
Does the hiring process include personnel screening/background checks?
-
If the property shares cardholder data with a service provider, is the service provider list available, and does the agreement contain Starwood PCI verbiage?
-
Has an incident response plan (BCP - Business Continuity Plan / Contingency plan) been created, and does it cover all key systems, to be implemented in the event of a system breach?
-
Is the incident response plan (BCP - Business Continuity Plan / Contingency plan) trained on and tested at least annually?
Approvals
Approval
-
Checked by : please put champion full name here
-
Add signature
-
Approved by : please put approver full name here
-
Add signature