January 11, 2012
National Report—The next time a guest checks out and you hand over the folio, tell him you only accept cash. No credit cards. See what kind of reaction you get. Would your hotel be able to survive if you couldn’t accept plastic?
It’s a nightmare hotel operators would never want to experience, but if managers don’t start implementing processes to secure guests’ personal data, it could soon become a reality. Credit card processors are threatening to pull the plug on merchants who fail to follow Payment Card Industry compliance standards and consequently wind up with a security breach.
It’s no secret that the hotel industry has been one of the easiest targets and hardest hit by hackers looking to steal identities. According to a recent Trustwave Global Security report, the hospitality industry was the target of 38 percent of security breaches investigated by the company in 2009, representing the most investigations of any industry.
“The average investigation can cost anywhere from $1,000 to $12,000, and a large property can be much more than that,” said Nicholas Percoco, SVP of SpiderLabs at Trustwave, a provider of on-demand data security, often hired by credit card brands to investigate breaches. “And that’s only the investigation part. If merchants have to go back and fix the problems, they might have to buy all new systems. They will incur fines, and sometimes they will have to pay recovery costs for the fraud loss.
“The worst-case scenario is that the hotel cannot take credit cards or the hotel closes,” Percoco said.
To ensure they are taking the necessary steps to secure consumer data, Visa has levied a July 1 deadline for merchants to conform to the PCI Data Security Standard, a set of requirements for enhancing payment account data security developed by the PCI Security Standards Council.
Create a culture
The 12 standards that must be in place before a merchant can be deemed PCI-compliant are good stepping stones toward securing guests’ personal data, but most experts recommend taking a more comprehensive approach to security. Hotels that are truly concerned for their guests’ personal information will create a safety and security culture.
“This is really not so much about compliance as it is about security,” said Bob Russo, GM of the PCI SSC. “It’s about making sure security is the first thing on your mind. Compliance, which means checking a box, comes as a byproduct. If you’re just checking the boxes on these things but not putting them into practice, it doesn’t do you any good.”
Whatever hardware and software encryption is in place, most security breaches have resulted from human error at some point in the communication process.
Dean Permenter, principal of the Hospitality Security Consulting Group, said most of the breaches he has investigated have occurred as a result of users failing to perform the basic security measures. Databases can be left open, servers can be easily accessed, user IDs can be simple to crack and passwords are sometimes left as default.
“At most hotels, if you ask what their information data security policy is, [they] look at you like ‘what?’” he said. “You must create an information security policy and look at what data you collect and how you handle it.”
Permenter said most hotel brands have, for a number of years, been adhering to compliance standards that ensure their technology is encrypted. Many independent properties are still in the dark. On top of that, he said, even branded hotels have neglected creating a safety and security culture to protect their guests’ information as it passes through multiple channels. Because the economy has slowed down and staffs have been downsized, the resources sometimes aren’t there.
“As you look at this, you realize this isn’t a technology problem,” he said. “It’s a management process issue.”
Beyond the 12 steps
Warren Dehan, president of Northwind-Maestro, recently went through the application and review process to have Northwind’s property-management tools deemed PCI-compliant. Dehan said beyond working with PCI-compliant partners, hotels should be persistent in training employees to take extra caution when collecting or handling guests’ personal data. Because of the potential consequences, he said hoteliers should be putting more resources toward PCI compliance.
“My advice is for hotels to have someone assigned as the PCI compliance officer,” Dehan said. “It’s typically put on the lap of the IT person, but typically the IT person has enough on his plate.”
Also, particularly at small or independent properties, IT staffs are often outsourced and not on property, which can create challenges.
David Ellis is director of forensic investigations for SecurityMetrics, a data security firm certified to perform PCI scans, audits, penetration tests and forensic analysis. Ellis has his own thoughts on why the hotel industry has been such an easy target.
“The hospitality industry is very good at taking care of customers, but their understanding of IT issues doesn’t go very deep,” he said. “They have to trust someone else to do it.”
Ellis said to take the proper precautions, a hotel must invest money in security, whether it be upgrading technology or employing a staff member to oversee the pipeline through which guest data travels. He said spending money in a preventive manner will be much cheaper than overcoming a breach.
“There is no single silver bullet that will provide a secure environment for customers’ credit card information,” Ellis said. “Securing credit card information should employ multiple layers of security features.”
He recommended the following precautions: include secure coding in your website; install firewalls that filter both inbound and outbound data; use a payment application that is segmented from all other business applications and that can only communicate with trusted sources; and install updated anti-virus software on all servers and individual point-of-sale terminals.
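One way to make the "segmented payment application that can only communicate with trusted sources" recommendation concrete is to audit the firewall's accepted flows against an explicit allow-list, so that any inbound or outbound connection involving the payment host that reaches an untrusted peer, or an unexpected port, is surfaced for review. The script below is an added illustration, not code from the article or from any vendor named in it; the addresses, the trusted-peer networks, the port list and the simplified log format are all constructed for the example.

```python
# Added example: allow-list audit for a segmented payment host.
# Everything here (addresses, networks, log format) is constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Constructed policy: the payment application host and the only peers it may talk to.
PAYMENT_HOST = ipaddress.ip_address("10.20.0.5")
TRUSTED_PEERS = {
    # 203.0.113.0/24 is a documentation range standing in for the card processor
    "processor": ipaddress.ip_network("203.0.113.0/24"),
    # property-management system segment (constructed)
    "pms": ipaddress.ip_network("10.10.0.0/24"),
}
ALLOWED_PORTS = {443}  # the payment traffic is expected over TLS only

# Constructed firewall log lines: "<direction> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
out 10.20.0.5 203.0.113.10 443 ACCEPT
out 10.20.0.5 198.51.100.7 443 ACCEPT
in 10.10.0.12 10.20.0.5 443 ACCEPT
in 192.0.2.44 10.20.0.5 22 ACCEPT
out 10.20.0.5 203.0.113.10 80 ACCEPT
out 10.20.0.5 198.51.100.9 443 DROP
"""


@dataclass
class Violation:
    line: str    # the offending log line, verbatim
    reason: str  # why it breaks the segmentation policy


def peer_of(src, dst):
    """Return the non-payment side of a flow, or None if the payment host is not involved."""
    if src == PAYMENT_HOST:
        return dst
    if dst == PAYMENT_HOST:
        return src
    return None


def is_trusted(addr):
    """True if the address falls inside any trusted-peer network."""
    return any(addr in net for net in TRUSTED_PEERS.values())


def audit(log_text):
    """Return the accepted flows that violate the payment host's allow-list."""
    violations = []
    for raw in log_text.splitlines():
        direction, src, dst, dport, action = raw.split()
        if action != "ACCEPT":
            continue  # dropped flows are the policy working; only accepted ones can violate it
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        peer = peer_of(src, dst)
        if peer is None:
            continue  # flow does not touch the payment segment
        if not is_trusted(peer):
            violations.append(Violation(raw, f"{direction}bound flow with untrusted peer {peer}"))
        elif dport not in ALLOWED_PORTS:
            violations.append(Violation(raw, f"port {dport} not in allowed set {sorted(ALLOWED_PORTS)}"))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"VIOLATION: {v.reason}: {v.line}")
```

Run against the constructed log, the audit flags three accepted flows: the outbound connection to 198.51.100.7 and the inbound one from 192.0.2.44 (neither is a trusted peer), and the outbound connection to the processor on port 80 (right peer, wrong port). The dropped flow to 198.51.100.9 is not reported because the firewall already did its job; the point of the check is to catch what the rules let through. In practice the log parser would be replaced by one for the firewall's real format, and the allow-list would come from the same change-controlled source as the firewall rules.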
“They generally look at it as an expense that doesn’t generate revenue,” Ellis said. “With dollars being as tight as they are, it’s hard for them to write that big check. But it could be the most valuable insurance policy they ever buy.”