The recent data breaches at major retail outlets such as Target, Michaels Stores Inc. and Neiman Marcus brought this type of modern crime to the forefront in the minds of the consumer; and for us in the hospitality community, it really hit home when news surfaced of a breach at White Lodging properties throughout the United States. For those who were not able to keep up with the “screaming headlines’ about this incident, one thing that both consumers and credit card retailers were warned about is that there would be more to come … and obviously they have. I am going to also predict that there will be even more of these that we will hear about over the next few months from other types of businesses and organizations. Regardless of the tens of millions of dollars industries spend to protect credit card data, criminals who try to steal this data are constantly attacking our information systems and eventually they get lucky — for a short time. As in these recent cases, they were shut down.
If you are a consumer, there are a couple of things that you should be aware of that are often not clearly explained in the news.
By the time the story is made public, the breach is OVER and a criminal investigation is already under way. In the case of White Lodging, as soon as they suspected a breach, they notified both federal investigators and the credit card companies immediately. They also hired a third party forensic review of their properties, including more than 150 that were not impacted. Their work with the investigators is ongoing; but as I mentioned, there is no longer any danger from this breach as it was over on December 16th. Finally, while you should definitely review your credit card statement and report any type of suspicious activity, policies of credit card companies such as Visa, MasterCard, American Express and Discover provide that consumers have zero liability for any unauthorized charges if reported in a timely manner.
HFTP, along with allied partners, have long worked towards providing data security education to the industry, and know that it is an issue that needs continual oversight. Even though, PCI Compliance and data security has been on the schedule of our educational conferences for close to a decade, each year it is still a top subject on the agenda. That is because, like we know technology to be, the methods for data theft are always evolving. I urge you as an executive, manager, IT professional, to keep up with the latest methods for data protection, because the information is easily available and making some basic steps can lift your security a few levels.
Recently the PCI Security Standards Council, which is working toward building educational resources, released an infographic that outlined the top 10 simple steps to protect against card fraud. I am going list five below to get you started:
- Educate. Employees should be trained annually on both online and physical security threats as well as on the best practices for protecting cardholder data.
- Update. Your employee manuals with information on the proper handling of sensitive information, including cardholder data.
- Control. Tightly control downloads, software installations, the use of thumb drives and public Wi-Fi connections on computers used for payment card processing.
- Separate. Designate a separate computer for processing of all your online financial transactions. Try to keep this computer separate from social media sites, email and general internet browsing which can present chances for the computer to be susceptible to vulnerabilities.
- Backup. Make sure you regularly back up your computers and the key data you want to protect, whether it’s to a local machine or to an offsite facility, so your business can be up and running again quickly in the unfortunate event of an unauthorized attack.
(Stay Smart on Protecting Against Card Fraud! PCI Security Standards Council)
In addition, I’d like to add three basic actions that are recommended for data security. These suggestions are from a joint statement given in March 2011 by HFTP, the American Hotel & Lodging Association (AH&LA) and Hotel Technology Next Generation (HTNG). These include:
- Eliminate EVERY default password on EVERY machine on your network – server, workstation, router, firewall, and any other device that has a password.
- Eliminate holes in remote access to systems inside your network. Remote access by vendors is an essential part of support for many hotel systems.
- Operating without an Internet firewall is just as risky. Yet many hotels, especially smaller ones, don’t have a firewall. If you are connected to the Internet without one, then people you don’t know, from around the world and many with malicious intent, are reaching into your network.
Cybercrime is not going anywhere, it is a very lucrative activity. The estimated cost to the U.S. is as much as $100 billion annually according to a recent joint study from the Center for Strategic and International Studies and the computer-security firm McAfee. Breaches are seriously investigated and pursued by law enforcement, and the fallout is difficult to recover from.
It is also taken very seriously by HFTP and other like-minded organizations, and that is why we continue to push this information to our members and the hospitality industry as a whole. Please do your part by following up with the numerous resources available to you. From HFTP, visit our PCI Compliance resource page and consider taking one of our PCI Compliance webinars coming soon. Together we will work to keep the data as secure as possible.
Frank Wolfe, CAE is the EVP/CEO of Hospitality Financial and Technology Professionals (HFTP) and an inductee into the International Hospitality Technology Hall of Fame. He often speaks and writes about hospitality technology through the GUESTROOM 20X program, and is a regular columnist for Hotel Management magazine. Wolfe started with HFTP in 1991 as the association’s director of education, and became its EVP/CEO in 1994. Follow him on Twitter @frankwolfe.