Outsmart Hospitality Hackers
By Christina Volpe, Associate Editor
It's official: 2009 was the year of data breaches in hospitality. In a multi-industry comparison report by Trustwave (www.trustwave.com), hackers infiltrated hospitality organizations more than any other industry last year, including retail, finance and more. According to the 2010 Global Security Report, hospitality breaches accounted for a whopping 38% of all breaches investigated by Trustwave SpiderLabs, and can be attributed to attacks on the systems responsible for the processing or transmission of payment card data.
The report identified software-based point-of-sale (POS) systems as the most frequently breached area across all of the industries involved (85%), because they represent the easiest method for criminals to obtain credit card data. For some companies in last year's industry-wide blitz, insecure network connections granted hackers unrestrained network access across properties, turning a single breach into a multi-site attack.
An operator's first line of defense against a data security breach is of course compliance with the Payment Card Industry Data Security Standard (PCI DSS). Here are just a few solutions from the vendor community that can help:
InfoGenesis POS by Agilysys (www.agilysys.com) is an enterprise-ready POS solution that combines powerful reporting and configuration capabilities in the back office with an easy-to-use touch-screen terminal application. The system's Service-Oriented Architecture (SOA) enables interfaces to a wide range of host systems, such as payment card processors and guest management solution providers. InfoGenesis POS v4.1 is certified by the PCI Security Standards Council as PA-DSS compliant, which validates that the application handles sensitive payment card data in line with the standard and lets hospitality venues operate as profitably as possible.
For its part, the new 7.05 and 8 versions of Maitre'D by Posera (www.maitredpos.com) are fully PA-DSS v1.2 validated and PCI DSS compliant. The Maitre'D EFT Module allows operators to communicate directly with financial institutions to authorize credit and debit card transactions. A proprietary algorithm embedded within Maitre'D automatically generates a new encryption key for every single transaction that takes place, with no key maintenance required of the operator.
Additionally, Hypercom's (www.hypercom.com) Optimum T4200-2.0 countertop and M4200-2.0 mobile product lines are both PCI PTS 2.1 certified. The certification covers the company's fixed countertop and mobile payment terminals sold in European markets. Each Optimum terminal incorporates Hypercom's full X.509 PKI (public key infrastructure) HyperSafe Secure security layer to protect the terminal and its applications from hacking and malware attacks.
Vendor Safe Technologies' (www.vendorsafe.com) LAN Scribe Logging Client is a local area network event logging and notification solution for critical file inspection and other security-related events. Key features include: PCI logging for local area networks delivered via SaaS; validation of the continuing integrity of a POS application by constantly monitoring file changes in protected directories; e-mail/SMS notifications of critical file changes as they occur; and more.
Tableside & self-service solutions
Digital Dining Handheld POS (www.digitaldining.com) offers restaurants a tableside payment and ordering solution which defends against credit card skimming. Skimming most often occurs as the result of employees who steal payment data directly from the consumer's payment card or from the payment infrastructure at a merchant location. The Digital Dining solution allows guests to use their credit cards for payment without having to relinquish the card.
TableTop Media (www.tabletopmedia.com) offers a pay-at-the-table and digital promotion device, called Ziosk, that can be placed on restaurant tabletops. Ziosk is fully PCI PA-DSS compliant and offers wireless portability, an integrated printer, DVD-quality video and 3D applications for entertainment.
Action Systems, Inc. (www.rmpos.com), maker of the Restaurant Manager POS, offers a version of its Write-on Handheld software for use on Apple's iPod touch. Write-on Handheld allows servers to take orders and process payments right at the table.
First Data (www.firstdata.com) and RSA have partnered to offer a service called First Data Secure Transaction Management. The service enables merchants to secure payment card data and remove it from their environment while allowing access when needed. The approach uses a "layered" combination of tokenization, advanced encryption and public-key technologies to reduce the cost of complying with PCI DSS requirements.
Merchant Link's TransactionVault solution (www.merchantlink.com) is a tokenization solution for data security. TransactionVault delivers data security to merchants and their customers by replacing sensitive cardholder data in the POS/PMS and other systems with a token and storing the sensitive data in the Merchant Link secure vault, out of the merchant's location and safe from the reach of hackers. According to the company, TransactionVault enables merchants to skip 175+ of the PCI DSS requirements listed in the Self-Assessment Questionnaire (SAQ D), lowering the merchant's cost and effort of attaining and maintaining PCI compliance.
Merchant Link's tokenization solution is now a part of the Micros Opera enterprise hotel management solution (version 5.0.02.00 and above) (www.micros.com). The enhanced credit card tokenization capability can be configured to operate with any credit card processing vendor. OPERA can also tokenize credit card data that is transferred from other applications which may be connected to OPERA, such as online reservation systems, Web booking engines, or sales and catering systems.
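As an added illustration of the tokenization pattern the products above describe (example code, not Merchant Link's or MICROS's), the following Python sketch shows a vault that hands the POS a random token in place of the PAN and releases the PAN only to an authorized payment host. The vault class, the function names, the "payment_host" requester label and the sample card number are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (a standard test number), not real cardholder data.
SAMPLE_PAN = "4111111111111111"

class TokenVault:
    """Stands in for the provider-hosted vault: the only place a PAN is kept."""
    def __init__(self, authorized=("payment_host",)):
        self._pan_by_token = {}
        self._token_by_fp = {}                  # fingerprint -> token (repeat swipes reuse a token)
        self._fp_key = secrets.token_bytes(32)  # vault-side secret, never sent to the merchant
        self._authorized = set(authorized)

    def _fingerprint(self, pan):
        # Keyed hash so the vault can recognise a repeat PAN without keeping a
        # plain hash that could be brute-forced over the small PAN space.
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        while True:
            # Random digits plus the real last four: receipts and lookups still work,
            # but nothing in the token is derived from the other PAN digits.
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token, requester):
        # Only the payment host (settlement, refunds) may recover a PAN; the POS/PMS cannot.
        if requester not in self._authorized:
            raise PermissionError(f"{requester} is not allowed to detokenize")
        return self._pan_by_token[token]

def pos_checkout(vault, pan, amount):
    """Merchant side: the record the POS keeps holds the token, never the PAN."""
    return {"amount": amount, "card_token": vault.tokenize(pan), "last4": pan[-4:]}

def record_exposes_pan(record, pan):
    """What a breach of the merchant's stored records would yield: is the PAN present?"""
    return any(value == pan for value in record.values())
```

Because the token is random rather than derived from the PAN, a stolen POS database gives an attacker nothing to reverse; the PAN is recoverable only through the vault's authorization check.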
Additionally, Radiant Systems, Inc. (www.radiantsystems.com) is offering a new suite of payment security products known as Radiant Payment Guard; the suite currently includes Payment Guard MSR, Token Replacement and CPGateway. Payment Guard MSR is an encrypting magnetic stripe reader that is installed within Radiant POS hardware terminals. By the end of 2010, Radiant will be shipping all POS terminals with Payment Guard MSR, with most terminals shipping with this security feature by July 1. Token Replacement, which is a security feature of the Aloha POS, assigns a unique identifier to cardholder data at the RBS WorldPay and Radiant Payment Services host to prevent personal information from being stored on the POS. Finally, the CPGateway service works with Radiant's retail product, CounterPoint, to encrypt cardholder data from the store to the hosting center.
Micros and Trustwave are now offering clients the Unified Threat Management (UTM) service and TrustKeeper 3.0 PCI compliance tools. The UTM service enhances the security offered by tokenization. Trustwave's UTM core technology includes a firewall, which regulates traffic that enters and exits the network; gateway anti-virus to stop viruses before they enter a network; Virtual Private Network (VPN) support to ensure confidentiality and security of communication between the merchant and remote employees; and an in-line Intrusion Prevention System (IPS), which supplements the firewall to stop attacks at the application layer before they can penetrate network operations.
Micros and Trustwave will also offer Micros' merchants the TrustKeeper 3.0 Web portal which helps streamline compliance validation for all MICROS clients, including non-technical users. Using the PCI Wizard in conjunction with TrustKeeper Agent, clients work through a personalized, guided interview that reduces the complex terminology of PCI into understandable actions.
Lieberman Software's (www.liebsoft.com) Enterprise Random Password Manager (ERPM) is a privileged identity management solution that automatically discovers, strengthens, monitors and allows secure recovery of local, domain and process account passwords in the enterprise. ERPM identifies every place in a network where privileged accounts are used. It then propagates secure, randomized passwords to each location and grants fast, audited access to authorized IT staff. Should malicious programs and unauthorized users attempt to access an operator's systems, they will encounter the frequently changing passwords propagated by ERPM. Additionally, ERPM helps operators to meet the privileged password security standards of PCI DSS, Sarbanes-Oxley and similar regulations.
PCI partner program
Mercury Systems' (www.mercurypay.com) new PCI Partner program is designed to help merchants who do not have the expertise to complete PCI DSS requirements. It offers comprehensive resources to help merchants comply with PCI DSS requirements. In addition to discounted services, support and assistance, the program provides merchant reimbursements in the event of a data security breach.
At NRA 2010, Heartland Payment Systems (www.heartlandpaymentsystems.com) announced the availability of E3, a new end-to-end encryption technology that features multiple layers of security using both software and tamper-resistant hardware, employing the Advanced Encryption Standard. E3 encrypts all Track 1 and Track 2 data from the card's magnetic stripe the moment it is converted from analog to digital, so it enters a merchant's system only as scrambled data. Plus, should a breach occur while using E3, Heartland will reimburse a merchant's breach-related fines through the E3 End-to-End Encryption Warranty.
VeriFone's VeriShield Protect eliminates usable cardholder data from POS applications, networks and servers by encrypting it end-to-end. End-to-end encryption ensures cardholder information is protected from the exact instant of acceptance, inside a secure device, and remains encrypted as it traverses an enterprise. VeriShield Protect protects against data compromise even in the event of a security breach and offers real-time monitoring. It is available on VeriFone terminals, as server software, and as a managed service.
In addition to VeriShield Protect, the company also offers a credit card encryption sleeve for the iPhone that complements its PAYware Mobile application. The sleeve, PAYware Mobile, slips over the iPhone to accommodate credit card swipes. It incorporates a stylus for signature capture and a mini USB port for charging the iPhone while the encryption sleeve is attached.