The Hospitality Industry: In the Hacker’s Crosshairs

According to the Verizon 2010 Breach Investigations Report, the hospitality industry, along with financial services and retail, remains one of the “Big Three” industries affected by breaches. Why have the hackers turned their attention to the hotel industry?

Some reasons include the use of PC-based point-of-sale (POS) or property management systems (PMS) for the processing of payments, the high number of transactions and the retention of card data for reservations. These reasons create a target all too inviting for hackers to pass up.

As hotels become increasingly popular targets for cyber criminals, protecting guests’ credit and debit card data becomes all the more important. Yet, these days it is not enough to just meet the Payment Card Industry (PCI) requirements.

As a vulnerable industry, hotels must look for protection beyond compliance to combat hackers and cyber criminals. In just a few brief seconds — from the time a credit or debit card is swiped until the transaction is complete — sensitive cardholder data can be vulnerable. Because reservations tend to be made well in advance, guests’ credit and debit card data is also exposed for as long as it sits in hotel systems, from the time of reservation until check-out.

While PCI compliance is necessary, hotels should look to advanced solutions such as end-to-end encryption as the best protection against cyber threats. That type of encryption is the only solution currently on the market that offers protection from the card swipe to and through the processing network.

End-to-End Encryption

True end-to-end encryption scrambles cardholder data so it cannot be read from the beginning of the transaction to the end — rendering it useless to anyone trying to view it.

It is important to make card data indiscernible as it enters the payment cycle, preventing cyber thieves from obtaining anything of commercial value.

Because this encryption model assists in protecting data before it enters your payment system, it reduces the cost of PCI compliance and the risks of being non-compliant. An end-to-end solution should include four zones of the card processing ecosystem:

  1. From data entry/card read at your hotel to the payments processor’s authorized network
  2. From entry to that network and throughout the entire processor/sub-contractor network where data is in motion
  3. While the data resides in a central processing unit (CPU) or a host security module (HSM). An HSM is a specialized server that locks down information
  4. In storage where data is at rest

Maximizing Encryption Benefits

The “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance” white paper, published by the PCI Security Standards Council in October 2010, sets out what business owners need in order to maximize encryption benefits. Three of the most important points are:

  1. Hardware-based encryption must be protected by a tamper-resistant security module (TRSM)
  2. Keys must be unique for each device
  3. There must be a frequent rollover of keys (for example, every 50 transactions)

Keep in mind that not all encryption is created equal. Software-based encryption is nice to have, but it is not as secure as hardware-based encryption. Encrypting data after it has passed through a merchant system in the clear is quite different from encrypting it the moment the card is swiped, inside a hardware-protected tamper-resistant security module (TRSM). Likewise, protecting data only during separate stages of the transaction life cycle, as point-to-point encryption does, is hardly the same as protecting it continuously throughout the entire life cycle, as true end-to-end encryption does.
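To make points 2 and 3 of the list above concrete, here is an added example (not code from the article, Heartland or any E3 product) that simulates a card reader deriving a key unique to each device and rolling it over every 50 transactions, with the processor side re-deriving the right key from the record’s device id and generation counter. Everything in it is an assumption made for illustration: the HMAC-SHA256 key derivation and one-way ratchet, the HMAC-based keystream standing in for the cipher a real TRSM runs in hardware, the device names, and the base key.

```python
import hashlib
import hmac
import os

ROLLOVER_EVERY = 50  # transactions per key, the figure the article quotes


def derive_device_key(base_key: bytes, device_id: str) -> bytes:
    """Unique starting key per terminal, derived from a base key held by the host.
    Assumed construction for this example: one HMAC-SHA256 step over the device id."""
    return hmac.new(base_key, b"device|" + device_id.encode(), hashlib.sha256).digest()


def ratchet(key: bytes) -> bytes:
    """One-way rollover: generation n+1 is derived from generation n, so a key
    recovered from a terminal does not reveal the keys used before it."""
    return hmac.new(key, b"rollover", hashlib.sha256).digest()


def key_for_generation(base_key: bytes, device_id: str, generation: int) -> bytes:
    """Host/HSM side: rebuild the key a terminal is on from its id and generation counter."""
    key = derive_device_key(base_key, device_id)
    for _ in range(generation):
        key = ratchet(key)
    return key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher inside the TRSM: an HMAC-SHA256 keystream in counter
    mode XORed over the data. Illustrative only; a real reader uses AES in hardware.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Terminal:
    """Simulated card reader: encrypts at swipe and rolls its key every N transactions."""

    def __init__(self, base_key: bytes, device_id: str, rollover_every: int = ROLLOVER_EVERY):
        self.device_id = device_id
        self.key = derive_device_key(base_key, device_id)  # point 2: unique per device
        self.generation = 0
        self.used = 0  # transactions encrypted under the current key
        self.rollover_every = rollover_every

    def swipe(self, pan: str) -> dict:
        """Encrypt one card number the moment it is read; the record carries only
        what the host needs to pick the right key, never the key itself."""
        if self.used == self.rollover_every:  # point 3: frequent rollover
            self.key = ratchet(self.key)
            self.generation += 1
            self.used = 0
        nonce = os.urandom(12)
        record = {
            "device_id": self.device_id,
            "generation": self.generation,
            "nonce": nonce,
            "ciphertext": keystream_xor(self.key, nonce, pan.encode()),
        }
        self.used += 1
        return record


def host_decrypt(base_key: bytes, record: dict) -> str:
    """Processor side: the only place the data is in the clear again."""
    key = key_for_generation(base_key, record["device_id"], record["generation"])
    return keystream_xor(key, record["nonce"], record["ciphertext"]).decode()


def demo() -> dict:
    """Run 51 swipes on one terminal and show what each design point buys."""
    base_key = b"constructed-demo-base-key"  # constructed; a real base key never leaves the HSM
    lobby = Terminal(base_key, "lobby-pos-01")
    pan = "4111111111111111"  # the standard Visa test number, not a real account
    records = [lobby.swipe(pan) for _ in range(ROLLOVER_EVERY + 1)]
    first, boundary, last = records[0], records[ROLLOVER_EVERY - 1], records[-1]
    gen0_key = key_for_generation(base_key, lobby.device_id, 0)
    return {
        "keys_differ_per_device": derive_device_key(base_key, "lobby-pos-01")
        != derive_device_key(base_key, "bar-pos-02"),
        "generations": (first["generation"], boundary["generation"], last["generation"]),
        "host_decrypts_first": host_decrypt(base_key, first),
        "host_decrypts_last": host_decrypt(base_key, last),
        # a key leaked after 50 transactions does not open the 51st swipe
        "old_key_decrypts_last": keystream_xor(gen0_key, last["nonce"], last["ciphertext"]) == pan.encode(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the simulation is the blast radius: a key pulled out of one reader is useless against every other reader, and useless against that reader’s own traffic after its next rollover, because the ratchet is one-way. A software-only deployment gives up the first property as soon as the base key is reachable from the merchant system, which is why the article insists on hardware protection.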

Currently there are no industry standards for encryption, and there is no shortage of competing security solutions on the market. Because the marketplace is rife with payments processors and data security providers looking to increase their revenue by charging business owners extra fees for enhanced security, it is critical that you evaluate each solution carefully for the best value and protection.

William Collins is the executive director of Vertical Market Strategy for Heartland Payment Systems and a member of the HFTP PCI Compliance Task Force.

Collins has over 20 years’ experience in developing and implementing sales, marketing and technology strategies for businesses across multiple industries, including lodging and hospitality. Heartland Payment Systems is the fifth largest payments processor in the United States and a leader in the development of end-to-end encryption technology designed to protect cardholder data, rendering it useless to cyber criminals. You can find more information at HeartlandPaymentSystems.com and E3secure.com.

1 Comment

  1. End-to-end data encryption is surely one of the important areas to look into for hotels storing credit card details in internally hosted systems, thus affecting their PCI-DSS scope. The Verizon 2010 breach investigation report however suggests more significant root causes for actual data breaches, such as the perimeter network traffic control, change of vendor supplied defaults, vendor remote access and weak password policies.

    I would encourage hoteliers responsible for defining strategies for improving data security to scan, as a minimum, the authentic executive summary of the Verizon report for determining the implementation priorities (this being applicable not only to the credit card data but also to personal details and other business-sensitive information). Although it is certain that the future attacks won’t look the same once the current holes are plugged…

    Please feel also welcome to consult the “PCI DSS in Hospitality” professional discussion group on LinkedIn – http://lnkd.in/tyFEnq – for guidance and real-life implementation best practices related to PCI DSS in hotels, resorts and lodges shared by other hospitality professionals.

    Let’s continue to jointly fight cyber crime in hospitality and make hotels a trustful place for the guests!

    Jan Popovic
    IT Infrastructure and PCI DSS Expert
