What can the hospitality industry learn from the recent duke-out between Best Western International and a Scotland-based newspaper over reports of a massive credit card breech? 1) Protecting guest data is of paramount importance to hotels and restaurants, just as with any retail establishment; 2) Communication regarding breeches must be handled quickly, efficiently, and openly to mitigate any damage to a company's reputation; and 3) there are still at least two sides to every story.
He said, she said
Scotland's Sunday Herald broke a story in late August claiming that, in the "greatest cyber-heist in world history," an alleged security breech of Best Western's online booking system saw a hacker scoop up the personal details of every single customer that booked into one of Best Western's 1,312 continental hotels since 2007. The article claimed that the breech compromised data for more than eight million of the hotel chain's customers, representing more than $4 billion in financial damages.
Best Western immediately responded and denied the claims, calling the story "largely erroneous," and has since issued an official response stating that, on August 21, 2008, three separate attempts were made via a single log-on ID to access data at a single hotel: a 107-room Best Western in Berlin, Germany. Best Western confirms that just 10 customers were affected by the breech and says the company is working with the FBI and international authorities to investigate further.
On the heels of this incident, the entire hospitality industry is looking to Version 1.2 of the Payment Card Industry Data Security Standard (PCI DCC), released just this month, to ensure compliance and to put in place safeguards that will help protect cardholder data.
1.1 becomes 1.2
While there aren't many fundamental differences between versions 1.1 and 1.2, there are several key areas that are important for hospitality operators to understand:
- Wired Equivalent Privacy will no longer be permitted to be used in wireless networks. There are still a significant number of hotels and restaurants that use WEP as a wireless security tool. With version 1.2, they must switch to Wi-Fi Protected Access (WPA).
- Anti-virus software must be used in all operating systems. Provided that about 14 percent of all restaurants do not use anti-virus software at all, it is critical for any business to use regularly updated anti-virus software.
- All public-facing web applications, such as hotel/restaurant reservations or online ordering, are subject to either a) reviews of applications via manual or automated vulnerability assessment tools or methods; or b) installing an application-layer firewall in front of public-facing web applications. This requirement applies to even small restaurants that may be selling only merchandise on their website and accepting credit cards.
- A unique username and password is required for every single employee or manager with computer access. In addition, this password must be unreadable in storage and transmission. This particular requirement is often unmet, particularly in small and independent hotels and restaurants. Some restaurants post supervisor codes and passwords on point of sale systems, while other operators e-mail the usernames and passwords to users in plain text. Practices such as these will result in non-compliance.
- If a company uses offsite storage, it now must be visited physically at least once annually.
- All paperwork containing sensitive credit card holder data must be properly shredded once the need to store that information no longer exists.
Compliance with PCI requires a serious effort from the entire hospitality enterprise. Companies should create a compliance taskforce and monitor compliance on a regular basis. In addition, policies should be established that outline what to do in the event of a breech. Compliance with PCI not only protects the customer, but also reduces a company's chances of landing in a "cyber-heist" headline.