HFTP, the American Hotel & Lodging Association (AH&LA) and Hospitality Technology Next Generation (HTNG) have issued a joint statement on actions hotel managers should take on hotel credit card security. The statement sets out three actions that hotel managers, along with IT and finance staff, should take immediately to minimize their vulnerabilities and to avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached.
1. Eliminate default passwords.
In 53 percent of newsworthy attacks investigated by forensics firm Verizon Business in 2009, the thieves gained entry to the network by using the word “password” as the password. The statement calls for testing and then eliminating every default password on every machine on the hotel network, and includes tips on how to execute this policy.
2. Eliminate holes in remote access to your network.
Data thieves know that remote access by vendors is an essential part of support for many hotel systems. This step focuses on restricting access to those who truly need it and provides tips on password control that can make granting this access more secure.
3. Don’t operate without a firewall.
This one seems obvious, yet many hotels, especially smaller ones, don’t have a firewall. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day – equating to one every 39 seconds. Operating without a firewall leaves hotel patron credit card data extremely vulnerable – even a consumer model at around $100 can provide enough protection to make the thieves move on to another target.
Further, don’t presume that your property is secure because your vendor supplies a PCI-compliant system; breaches can occur through many different systems. Fully implementing the Payment Card Industry Data Security Standards (PCI-DSS) is the best way to avoid a breach, but the steps listed here are a great starting point. PCI standards are important, but they are also complex, often misunderstood, and expensive to fully implement. Consider these three steps as an effective way to focus initial efforts toward PCI compliance.
Read the full statement: Hotel Associations Issue Joint Statement on Credit Card Security
Douglas Rice is Executive Vice President and CEO of Hotel Technology Next Generation (HTNG), a non-profit trade organization dedicated to improving hospitality technology. In addition to running the association, he speaks frequently at industry events and conferences around the world.