Payment Security Basics You May be Missing

3/19/2012
Data security continues to be a hot-button topic in hospitality because PCI standards are pushing the industry to speed up compliance. One major problem is that many hotel owners are not aware of the risks and liabilities a breach can create, or of how much it can hurt the overall brand. The hospitality industry is significantly less prepared to handle security than other industries: large retailers have been dealing with PCI for many years and are therefore savvier about protecting themselves against data breaches, while hotels are lagging.
 
Attackers see the opportunities that lie in less-protected organizations and are targeting hospitality operators. Hotels hold a great deal of sensitive data, including credit and debit card numbers and other guest information, and if attackers breach a hospitality system, all of that data can be used for fraud.
 
A common misconception is that PCI compliance is the software vendor's responsibility. It is not: the hotel, as the merchant, remains liable if a breach occurs. Hoteliers often think that outsourcing credit card handling makes the liability go away, but it does not. Outsourcing can reduce how much of the hotel's environment has to be secured, but the hotel still has to confirm that each service provider is itself compliant and remains responsible for the data it collects. Depending on the size of the hotel, it can actually be less expensive for a larger business to run its own systems.
 
Hotels have to track their own compliance obligations. A good starting point is the PCI Security Standards Council website, which has easy-to-read guidelines and suggestions for how companies of different sizes can plan. For most hotels, validating compliance has two parts: a Self-Assessment Questionnaire (SAQ), which is filled in by the hotel itself and is available online, and quarterly external vulnerability scans, which must be performed by an Approved Scanning Vendor (ASV). The largest merchants instead require an on-site assessment by a Qualified Security Assessor.
 
The new generation of hackers leads to a new security solution
There was a time when hackers just wanted credit card numbers, but the market became saturated. The price of a stolen card number has dropped on the black market, so hackers now also go after other types of personal data in order to steal identities. Hospitality operators are definitely vulnerable, and increasing security measures should be a top priority.
 
Lately in PCI there has been a great deal of talk about a protection approach called tokenization. The basic idea is to replace sensitive information with substitute values called "tokens." A token is usually formatted to look like a card number so that existing systems can store it without modification, but it is generated at random and carries no information about the real card number, so a thief who steals tokens has nothing to work with. Tokenization can be simpler and cheaper to deploy than encrypting card data throughout a hotel's systems, because it removes the card numbers rather than protecting them everywhere they appear. Once a hotel implements tokenization, the real card numbers are held only in a token vault, normally operated by the payment processor, and every other system (property management, reservations, point of sale) stores and passes the token in place of the card number. The token can still be used to refund, rebill, or recognize a returning guest, because only the vault can map it back to the card number; if it is intercepted electronically by a thief it is useless. Systems that hold only tokens no longer store cardholder data, which also shrinks the part of the hotel's environment that is in scope for PCI.
 
Tokenization implementations are not all equal, however. A basic design that has to contact the token vault for every lookup adds a network round trip to each transaction and can hurt response times under load. Better designs keep the vault off the hotel's transaction path and avoid a lookup unless the card number is genuinely needed, so that tokenization adds no noticeable delay and performs at least as well as encrypting the data in place.
 
The practical weakness of encryption is key management: the key has to be available wherever the data is decrypted, and every system that holds the key becomes a target. Encryption is rarely broken by attacking the algorithm itself; it is broken by stolen or weak keys and by misuse. Tokenization avoids this problem in the downstream systems, because a token is random rather than derived from the card number: there is no key to steal and nothing to reverse. The card numbers still exist, but only in the vault, which then becomes the one place that must be protected.
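As an added illustration (not from the original article or any vendor's product), here is a minimal token vault in Python that shows the properties described above: tokens keep the length and last four digits of the card number so existing screens and reports still work, are drawn at random rather than computed from the card number, deliberately fail the Luhn check so they cannot be mistaken for or submitted as a real card, and can only be reversed by the vault. The sample card numbers are standard test numbers, not real accounts, and the vault class and its method names are assumptions made for this example.

```python
import secrets

# Constructed test PANs (standard test-card numbers, not real accounts); assumption for this example.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """What a front-desk screen or receipt may show: last four only."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    """Hypothetical token vault: the one component that ever holds PANs.
    In a real deployment this lives at the payment processor, not in the hotel."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Same PAN -> same token, so a returning guest can be matched without the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random digits, not a function of the PAN: no key exists, nothing to reverse.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # keep the last four for display and matching
            # Reject candidates that pass Luhn (could be mistaken for, or submitted as,
            # a real card number) and candidates that are already in use.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; downstream hotel systems never call it."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()                     # processor side
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)            # what the hotel's systems store
        print(mask(tok), "->", mask(vault.detokenize(tok)))
    # The same card tokenized by a different vault yields a different token,
    # unlike encryption, where the same key and input always give the same output.
    print(TokenVault().tokenize(SAMPLE_PANS[0]) != vault.tokenize(SAMPLE_PANS[0]))
```

The point of the Luhn rejection is that a stolen token cannot even be tried as a card number at a merchant; a real service may choose a different rule, but some visible way to tell tokens from PANs is worth having so they never get mixed up in logs or reports.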
 
Basic security measures to take now
Update passwords. When breaches happen, what has typically gone wrong involves passwords. Hospitality operators should eliminate every vendor-supplied default password and replace it with something unique to the property. Many systems require a number in the password, so what do most people pick? Password1. In many breaches you will find that the compromised account was using Password1.
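As an added example (not from the original article), the Python audit below shows why the Password1 problem is harder than a "must contain a digit" rule: it reduces each password to its base word, stripping trailing digits and symbols and undoing common substitutions such as "@" for "a" and "0" for "o", so that Password1, P@ssw0rd2012! and Welcome123! are all caught, and it also flags account/password pairs that match a vendor default. The deny lists and sample accounts are constructed for the example; a real audit would load the vendor's documented defaults and a large breached-password list. The 12-character minimum is this example's own assumption (PCI DSS 2.0 required at least seven characters with both letters and digits).

```python
import re

# Constructed deny lists (assumption for this example).
BANNED_BASE_WORDS = {"password", "welcome", "letmein", "admin", "manager", "hotel", "guest"}
VENDOR_DEFAULTS = {("admin", "admin"), ("manager", "manager"),
                   ("pos", "pos1234"), ("root", "password")}

# Common substitutions that let "P@ssw0rd" slip past a naive banned-word check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12   # stricter than PCI DSS 2.0's seven; an assumption for this example


def base_word(password: str) -> str:
    """Reduce 'P@ssw0rd2012!' to 'password': lower-case, strip the trailing run of
    digits/symbols people append to satisfy complexity rules, undo leet spelling."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    return p.translate(LEET)


def weak_password_reasons(username: str, password: str) -> list:
    """Return the reasons a credential would fail the audit (empty list = passes)."""
    reasons = []
    if (username.lower(), password.lower()) in VENDOR_DEFAULTS:
        reasons.append("vendor default credential")
    base = base_word(password)
    hits = sorted(w for w in BANNED_BASE_WORDS if w in base)
    if hits:
        reasons.append("built on banned word: " + ", ".join(hits))
    if username.lower() in base:
        reasons.append("contains the username")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        reasons.append("needs both letters and digits")
    return reasons


def audit(accounts):
    """accounts: iterable of (username, password). Returns {username: reasons} for failures."""
    failures = {}
    for username, password in accounts:
        reasons = weak_password_reasons(username, password)
        if reasons:
            failures[username] = reasons
    return failures


if __name__ == "__main__":
    # Constructed sample accounts, as might be pulled from a property's systems.
    SAMPLE_ACCOUNTS = [
        ("admin", "admin"),
        ("frontdesk", "Password1"),
        ("gm", "P@ssw0rd2012!"),
        ("night", "correct-horse-battery-staple-7"),
    ]
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(reasons))
```

Because the banned-word test uses substring matching after normalization, it leans toward false positives (a long passphrase that happens to contain "hotel" will be flagged); for an audit that is the right bias, since a human reviews the list and the cost of a miss is a breach.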
 
Restrict remote access. It shouldn't be so easy to reach servers on the hotel's network. If it is simple for vendors to get into the hotel's systems remotely, hackers can get in the same way. Data thieves know this, and they use vendor remote-access paths to get in and steal master customer lists. Remote access should be limited to the hosts and vendors that genuinely need it, enabled only for the time it is needed, and protected with credentials that are unique to each vendor.
 
Install a firewall. Systems should always sit behind a firewall. Without one, anyone on the outside can reach the system directly.
 
Assume you're hacked. More and more security experts say the best defense is to assume that attackers are already in the network. Don't think it only happens to other organizations. Instead, assume the system is already compromised and then work out how to protect the data itself, by encrypting it or removing it through tokenization, so that an intruder who gets in still finds nothing usable.
 
Remember that the attacker only needs to be right once. A data thief needs to find one way through your defenses, but an organization has to close every hole, so it is imperative to secure every path to the data. Hackers increasingly go after channels where no physical card is present, attacking through browsers and web interfaces such as online booking, so it is imperative to protect data on the back end. It is more cost-effective to secure what they are stealing: if an attacker is inside or coming through the Internet but the data itself is protected, through a method such as tokenization, it is still safe.
 