Avoid 2009's Hospitality Hacker Blitz: 15 Need-to-Know Methods of Attack
It's official; 2009 was the year of data breaches in hospitality.
In a multi-industry comparison report by Trustwave, hackers infiltrated hospitality organizations more than any other industry last year, including retail, finance, and more. According to the 2010 Global Security Report, hospitality breaches accounted for a whopping 38% of all breaches investigated by Trustwave SpiderLabs, and can be attributed to attacks on the systems responsible for the processing or transmission of payment card data. The report identified software-based point of sale (POS) systems as the most frequently breached area across all of the industries involved (85%), because they represent the easiest method for criminals to obtain credit card data. And for some companies last year, insecure network connections granted hackers unrestrained network access across properties, turning a single breach into a multi-site attack.
So how are hackers infiltrating information technology systems? The 2009 Verizon Business Supplemental Data Breach Report identified and ranked by frequency the following top 15 types of attacks:
- Keylogging and spyware:
Mercury Payment Systems: PCI Partner Program: Mercury Systems' new PCI Partner program is designed to help merchants who do not have the expertise to complete PCI DSS requirements. It offers comprehensive resources to help merchants comply with PCI DSS requirements. In addition to discounted services, support and assistance, the program provides merchant reimbursements in the event of a data security breach.
MICROS Systems: OPERA Enterprise Solution: Effective in version 5.0.02.00 and above, MICROS OPERA Enterprise Solution now includes enhanced credit card tokenization capability, which can be configured to operate with any credit card processing vendor. Using this capability, a special token that corresponds to the credit card transaction is returned from the credit card processing vendor and stored in the OPERA database. OPERA can also tokenize credit card data that is transferred from other applications that may be connected to OPERA, such as online reservation systems, Web booking engines, or sales & catering systems.
Agilysys: InfoGenesis POS: InfoGenesis POS by Agilysys is an enterprise-ready POS solution that combines powerful reporting and configuration capabilities in the back office with an easy-to-use touch-screen terminal application. The system's Service-Oriented Architecture (SOA) enables interfaces to a wide range of host systems, such as payment card processors and guest management solution providers. InfoGenesis POS v4.1 is certified by the PCI Security Standards Council as PA-DSS compliant, which ensures the security of sensitive payment card data and enables hospitality venues to operate as profitably as possible.
First Data: Secure Transaction Management: First Data and RSA have responded to conversations with retailers through a new service called First Data Secure Transaction Management. The service is a unique solution enabling merchants to secure payment card data and remove it from their environment while allowing access when needed. The approach uses a "layered" combination of tokenization, advanced encryption and public-key technologies designed to dramatically simplify the process and reduce the cost of complying with PCI DSS requirements. The solution will be tested in customer trials and available to all merchants in the U.S. by the spring of 2010.
PCI in Hospitality