The hospitality industry shares many of the same data security vulnerabilities as the retail industry — accepting and storing cardholder information and personal information collected through participation in loyalty and rewards programs — yet lags in the adoption of data security practices, which makes it an attractive target for cybercriminals. We talk to Gary Palgon to understand the basics surrounding the key data security issues and what hotels can do to secure valuable information. Though many of these issues fall in the realm of IT, knowing the basics is a must for all digital hotel marketing professionals too.
[Hotelemarketer.com] What are the most common problems associated with data security and how do payment cards feature here?
[Gary] The most common problem is that data is not secure; rather, it generally resides in applications and databases as unsecured, clear-text data in most cases … whether it’s payment card information or other sensitive consumer or employee information.
[Hotelemarketer.com] Your recent press release stated that 38% of all data security attacks were against hotels and resorts last year, making the hospitality industry the #1 target for breaches – what is the source of this information and how is this usually evaluated? (Global vs US-centric, methodology?)
[Gary] Trustwave’s Global Security Report 2010: Based on data collected by Trustwave’s SpiderLabs, this report includes analyses of investigations of data compromised in 2009, detailed technical information on top vulnerabilities, and an actionable global remediation plan.
[Hotelemarketer.com] The release also stated that 98% of all 2009 breaches involved credit card numbers – why is this data particularly at risk and how do these breaches usually occur?
[Gary] It’s important to understand the context of the report, as well, in that as much as credit cards were involved in the majority of the breaches, they only represented 6 percent of sensitive data being stolen last year (see http://datalossdb.org/statistics). The bulk of stolen data centered on social security numbers, and names and addresses.
The reason why credit card numbers were involved to such a high extent is that they require the least amount of effort to convert into dollars. When it becomes too difficult to steal credit card numbers, criminals will look to the other types of sensitive data that will still yield conversion into dollars, but perhaps require a little more work. With social security numbers, for example, you’d have to first create a fake identity … then follow this additional effort by obtaining a credit card in order to make purchases.
[Hotelemarketer.com] If you were to list the top 3 data breach scenarios at hotels, what would they be? How does the hospitality industry differ from most other retailers in this respect?
[Gary] With regard to data breaches, hotels are not unlike other industries, in that typical data-breach scenarios include:
- Lost laptops with unencrypted sensitive information on them,
- Lost backup tape drives with unencrypted sensitive information on them, and
- Attacks on core data repositories within the enterprise, like applications or databases, through a website or a direct database attack.
So, the nature of the attack scenarios is not that much different. What is different, however, is the fact that the retail industry in general has taken a more aggressive approach in addressing these issues. As a result, criminals have sought other, “softer” targets. To this end, the hospitality industry has become a bigger target in recent years because of its lack of focus regarding data security.
[Hotelemarketer.com] What sort of security standards should most retailers including hotels comply with…and what do these standards stipulate?
[Gary] Retailers, including hotels, need to comply with not only security standards like the Payment Card Industry’s Data Security Standard (PCI DSS), but also with State Breach Notification Laws in the U.S., with the U.K.’s Data Protection Act and the European Data Protection Directive, all of which require protection of other sensitive consumer information like social security numbers, name/address data, protected healthcare information, etc.
[Hotelemarketer.com] What is state of the art in the data security space and how can hoteliers ensure they’ve got all avenues to potential breaches secured?
[Gary] Tokenization is a technology that enables surrogate data, called tokens, to replace sensitive data throughout the enterprise while storing the encrypted sensitive data in a centralized data vault – think of the latter as Fort Knox in the U.S. where the world’s gold is stored or the Tower of London in the U.K. where the Crown Jewels are stored. It’s easier to protect the gold or jewels in one place than throughout their respective countries. The same model applies to sensitive data in the form of the centralized data vault. In addition to that, format-preserving tokens allow the business applications to function as they did previously (such as for analyzing transactional trends), but at the same time they lower the risk since the tokens have no intrinsic value, whereas credit cards do.
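To make the vault model concrete, here is an added illustration that is not nuBridges' product nor code from the interview: a toy tokenization vault in Python that keeps the only copy of each card number encrypted in one place and hands applications a same-length token that keeps the last four digits (so receipts and trend reports still work) but fails the Luhn check, so a token can never be mistaken for a real card number. The vault key, the hash-based stand-in for a real authenticated cipher such as AES-GCM, and the sample card numbers are all constructed for the example.

```python
import hashlib, hmac, secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check: real card numbers pass it; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Centralized vault: the only component holding the key and the card numbers."""
    def __init__(self, key: bytes):
        self._key = key               # constructed key; a real vault uses an HSM/KMS
        self._by_token = {}           # token -> (nonce, ciphertext)
        self._by_pan_mac = {}         # HMAC(PAN) -> token, so a repeat card reuses its token

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Stand-in for AES-GCM: HMAC-SHA256 in counter mode (illustration only).
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def tokenize(self, pan: str) -> str:
        idx = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._by_pan_mac:            # same card always maps to the same token
            return self._by_pan_mac[idx]
        while True:
            # Format-preserving: same length, last four kept, random body, Luhn must fail.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._keystream(nonce, len(pan))))
        self._by_token[token] = (nonce, ct)    # only the vault ever sees the plaintext PAN
        self._by_pan_mac[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged call: only the payment processor path should reach this."""
        nonce, ct = self._by_token[token]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()
```

Everything outside the vault (PMS, loyalty database, reporting) stores and passes only the token, so a stolen application database yields strings with no intrinsic value.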
[Hotelemarketer.com] How does the application of security best practices vary across the growing array of distribution and payment channels, i.e. web bookings, call centres, hotel reservation numbers, walk-ins, etc?
[Gary] Different payment channels require different approaches to security. For example, a website is considered a “card not present” environment, while a hotel walk-in is considered a “card present” environment. Each situation has different “best practices” for protecting sensitive data, like protecting the swipe from being skimmed when present. Call centers, on the other hand, need to prevent individuals, like reservationists, from writing down or remembering sensitive information. An entirely different security practice is required for these channels.
[Hotelemarketer.com] How can hotels at various levels ensure the highest level of data security regardless of size and affiliation, i.e., independent properties vs chains, franchises vs owned hotels, etc.?
[Gary] Hotels, regardless of the type, need to adopt security standards that are commensurate with the types of sensitive data they are gathering … i.e., whether it’s credit card numbers or other types of consumer information. Individual hotel owners and/or franchise groups need to understand that a breach in a single franchise-owned hotel can tarnish the entire hotel brand. Education regarding the importance of protecting the sensitive data of a business is critical and should be an ongoing exercise for both corporate employees and franchisees.
About the Interviewee:
Gary Palgon, CISSP, is vice president of product management for data protection software vendor nuBridges, Inc. He is a frequent contributor to industry publications and a speaker at conferences on eBusiness security issues and solutions. Gary can be reached at gpalgon@nubridges.com. To learn more about nuBridges, please visit www.nubridges.com.
Data (in)security is certainly a thorn in the side of the hospitality industry, but there are systems available to ensure that guest data remains secure. Tokenization has evolved to allow hotels to issue credits, maintain cards on file, secure multiple charges on a single card, and process tips and open tabs, all while keeping credit card data encoded to protect it from potential threats. Gary hit the nail on the head when he said that one data breach at one property can tarnish an entire brand name; look at what happened with Radisson in 2009, and also Wyndham in early 2010. Hoteliers who don’t realize the severity of the issue will suffer as a result; guests must be assured that their information is secure in order for them to even consider returning to a property. I just recently wrote a 3-part series on this issue on my blog; feel free to check it out!
This is a very serious issue and we have encountered a lot of hoteliers being worried about having their data in the “cloud” so that they would not have full control over it. That’s why we have now moved to making sure all our systems and software work with the data present at the hotel’s venue – in their hands, so that they have full control and don’t need to rely on a third party.
PCI DSS and other security standards definitely must be adhered to.
This is something that always concerns me when using hotels. I always keep my cards btw.
Data security is a very important but difficult discipline to instil within a hotel. Staff take calls over the telephone and, if they can’t get access to enter the card details directly into the terminal, they have a tendency to write them down. This has obvious implications for data security.
Data security is extremely important and we get this question asked all the time as the hotel industry’s leading cloud technology provider for hotel PMS.
Let’s throw some more light on these two critical aspects:
Data Security – Hotels are normally concerned about the vulnerability of their vital data, more so if it’s maintained off site. However, contrary to the common perception, in the case of CLOUD computing, such critical data is even more secure on a dedicated server which would have stricter access restrictions, protection from different malware, better anti-virus software, regular data backups and software patch management. The hotel can have a non-disclosure, security and data safety contract signed with the vendor and take periodic backups of the data on its own servers as a contingency measure.
Connection Loss – Not being able to access the server when a tired guest is waiting to check in is every hotel manager’s nightmare. This is another concern that many hotel managers have when it comes to opting for a CLOUD based Property Management System. However, it must be noted that with the changing times, internet connectivity is no longer as it used to be a decade or even a few years ago. High-speed internet access is more reliable and affordable than ever before. As a contingency measure, a hotel can have multiple internet connections from different vendors. Because of its ease of use, the system can even be accessed over the phone.
Hotelogix is a highly effective and first-of-its-kind true cloud-based hotel management system which has users across 18 different countries all over the world. Its affordability and performance make it the ideal choice for mid and small size hotels the world over.