According to the most recent DBIR (Data Breach Investigations Report) published by the Verizon Risk Team, the hospitality industry ranks among the most attacked industries. It has been targeted for years by cybercriminals seeking to steal credit card information, mainly because of the high volume of transactions and the ease of infecting multiple properties within a hotel chain once one of them is compromised.
The fact is that hotels tend to keep card data in many different places: the central reservation system, third-party partners, the front desk, e-mails, card authorization forms (paper and electronic), physical and virtual POS systems, and the PMS (Property Management System) together with the systems connected to it. There are simply too many places where card data is exposed to theft and where an intrusion is possible.
Unfortunately, the hospitality industry has been very slow to identify breaches. Very often hotels learn of a compromise only after guests report that their card has been used fraudulently, or when the acquiring bank alerts the hotel to a potential card breach traced back to it as a common point of purchase.
Once a hacker has compromised a POS or PMS, they can remain inside the system for days, months or even years without being detected. And, usually, it is not just credit card information that is at risk, but also personal data such as names, addresses, ID numbers and passport details. This data, card data in particular, is stolen not only to make fraudulent purchases but also to be sold. On the dark web a valid card sold together with its SAD (sensitive authentication data, such as the CVV, which must never be stored after authorization) can fetch over 50 dollars.
Many hotels believe they need to retain credit card data for a variety of reasons, above all to offer better customer service, and that retained data is precisely what puts them at risk.
Changing the way credit card data is stored is the first step in defending against cyber criminals for any hotel. Only capturing and storing the payment data when it is absolutely necessary can immediately lower the risk of that data falling into the wrong hands.
Establishing and maintaining a proper PCI DSS program within the IT department is crucial not only to demonstrate compliance to acquirers and payment brands, but primarily to challenge and improve the internal IT security process. The PCI standard forces IT managers to verify whether the current technologies and processes are appropriate and whether every location where card data is stored is actually necessary. The smaller the cardholder data environment (CDE), provided its protections are implemented properly, the harder it is for criminals to find and steal the data.
The primary focus for any entity dealing with credit card data should be: “if you don’t need it, don’t store it”.
Do everything possible to eliminate data: train staff, create processes and find technologies that help with this effort. Often the card data currently stored or transmitted can be replaced with a token, or encrypted so that the systems handling it never see a clear-text PAN. Both reduce the scope of a PCI assessment and simplify compliance, with one caveat: encrypted card data is still in scope for any system that can decrypt it, so the benefit comes from keeping the keys out of reach of the systems you want out of scope, whereas tokenization removes the PAN from those systems entirely.
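As an added, self-contained example (it is not from the article, which describes no specific tool), the Python below does the two things this paragraph asks for. It finds card numbers in free text of the kind that ends up in reservation e-mails and authorization forms, using a digit-pattern search plus the Luhn check so that booking numbers and phone numbers are left alone, and it swaps each one for a random token held in a stand-in vault, so the system that keeps the text retains only the token, the brand and the last four digits. The `TokenVault` class, the `tok_` token format, the simplified brand lookup and the sample text are assumptions made for illustration; the card numbers in the sample are the payment brands' public test numbers.

```python
import re
import secrets
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); weeds out most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Simplified brand lookup from the leading digits (not a full BIN table)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if pan[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, digits only, in order."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


class TokenVault:
    """Stand-in for a separate, PCI-scoped token service (an assumed design).
    Only this component ever holds the PAN; in a real deployment it would be
    encrypted at rest with keys the calling application cannot reach."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same card -> same token, so a returning guest's card can still be
        # recognised without the hotel storing the PAN.
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random, not derived from the PAN: the token reveals nothing.
            token = "tok_" + secrets.token_urlsafe(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


@dataclass
class CardReference:
    """What an out-of-scope system is allowed to keep: no PAN, no SAD."""
    token: str
    brand: str
    last4: str


def redact(text: str, vault: TokenVault) -> tuple[str, list[CardReference]]:
    """Replace every Luhn-valid PAN in text with a token reference."""
    refs: list[CardReference] = []

    def _swap(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # e.g. a booking number: leave it alone
        ref = CardReference(vault.tokenize(digits), card_brand(digits), digits[-4:])
        refs.append(ref)
        return f"{ref.brand} ****{ref.last4} [{ref.token}]"

    return PAN_RE.sub(_swap, text), refs


# Constructed sample: free text of the kind found in a reservation e-mail or
# a card authorization form. Card numbers are public test numbers; the
# booking number and phone number are made up.
SAMPLE = """\
Booking 1234567890123456 for A. Example, arriving 14 March.
Guarantee card 4111 1111 1111 1111 exp 12/27
Second card on file 5555-5555-5555-4444
Corporate Amex 378282246310005
Front desk: 555 0100
"""

if __name__ == "__main__":
    vault = TokenVault()
    clean, refs = redact(SAMPLE, vault)
    print(clean)
    for r in refs:
        print(r)
```

Run as a script it prints the redacted text and the three card references; the 16-digit booking number survives untouched because it fails the Luhn check. The same `find_pans` function, pointed at mailbox exports, PMS database dumps or scanned-form OCR output, is the cheapest way to build the inventory of card data locations the paragraph asks for before deciding what to eliminate.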
And, when possible, outsource the whole credit card handling process to a PCI DSS compliant service provider. Outsourcing not only reduces the risk associated with handling card data, but also dramatically reduces the effort needed to achieve PCI DSS compliance. It does not remove the hotel's responsibility, though: PCI DSS still requires the merchant to confirm and monitor its service providers' compliance, and anything that stays in-house (front desk terminals, PMS integrations, e-mails carrying card numbers) remains in scope.