I was impressed with many of the pointers in Visa Europe’s first whitepaper aimed squarely at helping the hospitality industry safeguard customer data (http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf). Under the title ‘Hospitality Breaches on the Rise’, it also offers insight into how cyber-criminals target hotels, as well as the guidance I already alluded to on how data can be protected to help businesses comply with the Payment Card Industry Data Security Standard (PCI DSS).
Hotels often have more complex payment systems than other retail businesses, making it harder for them to achieve PCI DSS compliance. Whereas some retailers might have only one point of sale, a hotel typically captures, stores and retrieves customer card data at multiple payment points, such as the reservation desk, restaurant and bar, and for room service, internet access and online bookings.
Cutting to the chase, the tips that impressed me are:
• Change vendor-supplied defaults for passwords and other security settings on Hotel Management Systems (HMS) and Point of Sale (POS) payment systems. The HMS is the central and core component in which cardholder data is stored, processed and transmitted to perform authorisation and settlement across the other payment terminals in the network.
• NULL sessions (unauthenticated connections to a Windows computer) should be disabled. This is the number one method for hackers to gain information on passwords, groups, services and users.
• Install and maintain a firewall to protect data. HMS and POS payment systems should not be directly accessible via the Internet; inbound traffic should be blocked and outbound services should be filtered.
• Assign a unique ID to each person with computer access and implement a dual-factor authentication method for remote system access via the Internet. This will mitigate unauthorised access to HMS and POS payment systems.
• Track and monitor all access to network resources and cardholder data, so that anomalies and suspicious attack activity can be identified.
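As an added, defender-side illustration of the second tip (this script is mine, not part of the Visa Europe paper), the following PowerShell audit reads the Windows registry values behind the “Network access” security policies that control anonymous (NULL session) enumeration on an HMS or POS host and reports which ones still need attention. The expected values are an assumption based on common hardening guidance; it must run locally with rights to read HKLM.

```powershell
# Added example: audit NULL-session (anonymous access) hardening on a Windows host.
# Expected values below are an assumed hardening baseline, not a Visa/PCI mandate.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = [ordered]@{
    RestrictAnonymous         = 1   # block anonymous enumeration of SAM accounts and shares
    RestrictAnonymousSAM      = 1   # block anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # anonymous logons do NOT get 'Everyone' permissions
}

$props = Get-ItemProperty -Path $lsa
$findings = foreach ($name in $expected.Keys) {
    $actual = $props.$name
    # A missing value means the OS default applies; flag it for explicit review.
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $shown
        Status   = $status
    }
}
$findings | Format-Table -AutoSize

# Shares and named pipes explicitly opened to anonymous sessions by the server
# service policy; an empty list is the hardened state.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$srvProps = Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue
foreach ($list in 'NullSessionShares', 'NullSessionPipes') {
    $values = $srvProps.$list | Where-Object { $_ -ne '' }
    if ($values) { "$list still configured: $($values -join ', ')  [REVIEW]" }
    else         { "$list: none  [OK]" }
}
```

Run it as part of a periodic build check on every HMS and POS terminal, since a re-image or vendor update can silently reset these values.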
Cardholder data held by hotels is a potentially lucrative source of information for fraudsters who obviously view the hospitality sector as an easy target. By understanding the nature of security threats and the preventive measures that can be taken, managers in the industry can reduce the risk of compromise. The losses from fraud can be significant both in terms of bottom line cost and negative reputation.
Actually implementing the above measures may require specific expertise in some instances, but many are simple management practices. At Expense Reduction Analysts, we certainly encourage all our clients to introduce (or maybe just re-invigorate) such practices as easy ways to protect profit, reduce losses and preserve reputations.