Card Fraud Opportunities Abound in the Hospitality Industry
Hospitality has consistently been one of the sectors most prone to skimming attacks and data breaches. An ongoing plague since the beginning of this decade, this type of fraud is typically executed through the point of sale (POS), with the target being card-present information held on the consumer’s magnetic stripe. As opportunists, however, criminal hackers will take whatever they can get. In this article, ACI Worldwide will discuss which particular areas of the hospitality industry criminal hackers are targeting and why.
Card fraud is still an attractive avenue for criminals to pursue and hospitality is certainly a leader-in-class for breaches across business sectors. The hospitality industry is usually driven by two classes of merchant: restaurants and lodging. These entities typically exist under the same roof and can even share the same POS network.
Among the list of compromised merchants in 2015 and 2016, 60 percent were restaurants, only two percent were online reservation companies or travel agencies. The number of hotels compromised made up just one percent of breached merchants. However the volume of cards compromised is quite high per incident, shielding the true impact of these breaches. This year, trending targets have included the restaurant, spa, bar and other hospitality areas of lodging facilities. In 2015, the source of breach was typically the front desk. Therefore lodging managers should be mindful of all these vulnerable ‘access points.’
Boutique brands, or smaller brands that have been ingested into larger brands, as well as large brands themselves, were highly targeted last year. The latter can be particularly frustrating, as these big brands should have the IT resources and scale to secure their networks with best-practice measures including point-to-point encryption solutions, token vaults, moving to fully implement EMV or introducing other tokenized payments (e.g. mobile wallets). These protections would severely limit the potential of a successful compromise of payment card data for fraudulent use down the line.
Further, the breaches at hotels are typically far more severe than at restaurants, as the brands that are attacked typically fall on the ‘luxury’ side of the spectrum. Fraudsters will work harder to compromise a high-end hotel, no doubt believing that more affluent customers’ payment cards fetch a higher price on the black market. However, that does not mean economy brands have not been affected; they certainly have, but at a much lower rate than their higher-end peers.
In many cases, brands are affected by data breaches more than once in the same location, even the same POS terminals. Too few brands have done the proper risk assessment and testing necessary to significantly reduce their residual risk of being breached (or breached again). When these businesses are breached, they typically get beaten up in the media, and the breached entity is typically forced to cover the damage. The most shocking observation is the number of names in the sector that have not learned these lessons from their peers.
Ultimately, a hospitality brand must look after its reputation in terms of security. Consumers are becoming increasingly aware that hotels are targeted by hackers and that these are becoming higher probability locations for breach of their card. If the nature of the hospitality industry is to facilitate a comfortable, reduced-anxiety environment, the best place to start is to relieve consumer anxiety around potential loss of personal data once they (and their information) leave the premises.
Card fraud is still an attractive avenue for criminals to pursue and hospitality is certainly a leader-in-class for breaches across business sectors. The hospitality industry is usually driven by two classes of merchant: restaurants and lodging. These entities typically exist under the same roof and can even share the same POS network.
Among the list of compromised merchants in 2015 and 2016, 60 percent were restaurants, only two percent were online reservation companies or travel agencies. The number of hotels compromised made up just one percent of breached merchants. However the volume of cards compromised is quite high per incident, shielding the true impact of these breaches. This year, trending targets have included the restaurant, spa, bar and other hospitality areas of lodging facilities. In 2015, the source of breach was typically the front desk. Therefore lodging managers should be mindful of all these vulnerable ‘access points.’
Boutique brands, or smaller brands that have been ingested into larger brands, as well as large brands themselves, were highly targeted last year. The latter can be particularly frustrating, as these big brands should have the IT resources and scale to secure their networks with best-practice measures including point-to-point encryption solutions, token vaults, moving to fully implement EMV or introducing other tokenized payments (e.g. mobile wallets). These protections would severely limit the potential of a successful compromise of payment card data for fraudulent use down the line.
Further, the breaches at hotels are typically far more severe than at restaurants, as the brands that are attacked typically fall on the ‘luxury’ side of the spectrum. Fraudsters will work harder to compromise a high-end hotel, no doubt believing that more affluent customers’ payment cards fetch a higher price on the black market. However, that does not mean economy brands have not been affected; they certainly have, but at a much lower rate than their higher-end peers.
In many cases, brands are affected by data breaches more than once in the same location, even the same POS terminals. Too few brands have done the proper risk assessment and testing necessary to significantly reduce their residual risk of being breached (or breached again). When these businesses are breached, they typically get beaten up in the media, and the breached entity is typically forced to cover the damage. The most shocking observation is the number of names in the sector that have not learned these lessons from their peers.
Ultimately, a hospitality brand must look after its reputation in terms of security. Consumers are becoming increasingly aware that hotels are targeted by hackers and that these are becoming higher probability locations for breach of their card. If the nature of the hospitality industry is to facilitate a comfortable, reduced-anxiety environment, the best place to start is to relieve consumer anxiety around potential loss of personal data once they (and their information) leave the premises.