From IHG to Sonic: Hospitality Remains Slow to Adopt Greater Credit Card Security Measures

On April 27th, in the wake of the IHG data breach, Hospitality Technology magazine published a piece on how hoteliers could protect themselves from a data breach by “devaluing the data.” It’s almost impossible to prevent a point of sale system or network from being breached, no matter how many safeguards you employ – it could take one stolen password, and a hacker is in your system. The idea of devaluing the data stems from making the internal data – the good stuff that thieves want, like credit card information – useless by encrypting it at the source. That way there is never any clear-text card information in a system to steal. It’s a bit like a bank robber breaking open a safe only to find there is no money. This article from Bluefin will discuss the merits of encrypting personal data at the source.

In October, six months since the IHG security breach was reported, we are again discussing the importance of devaluing the data in the wake of another high-profile hospitality data breach with Sonic Drive-In. The fast food chain, with nearly 3,600 locations across 45 U.S. states, acknowledged a breach in late September. News of the breach broke with noted security author Brian Krebs reporting that multiple financial institutions had reached out to him about a pattern of fraudulent transactions they were seeing. Krebs found that a new batch of five million cards from these institutions were put up for sale on September 18th on a credit card theft website.

The total number of cards breached and locations affected have not yet been disclosed. However, on October 4th, Sonic issued a press release stating that they “discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations.”

As explained in the April piece, malware has been the culprit of many high-profile data breaches, infiltrating POS systems to steal clear-text cardholder data later to be sold on the black market, costing companies hundreds of millions of dollars. Some of the most well-known data breaches involving malware that stole clear-text card data is Target in 2013 and Home Depot in 2014.

However, the reality is that malware has been involved in almost all hospitality data breaches – including this year’s IHG, where malware infected the front desk cash registers of the hotels, stealing customer debit and credit card data as it passed through IHG’s infected point of sale system; Wendy’s in 2016, where remote access credentials were used to install malware at the point of sale, with the malware again locating clear-text cardholder data; and Hilton Worldwide in 2015, where again malware was the culprit in stealing card data from the company point of sale systems.

So from Target in 2013 to Sonic in 2017 – the attack vector remains the same and the end goal of stealing clear-text credit card data is still being accomplished.

Here we are, four years later, and what have we learned? Basically that companies are still not encrypting credit card information, thus essentially “devaluing” this data.

Restaurants, hotels, retail outlets, healthcare organizations, universities – any hospitality organization or merchant that processes credit cards have two security paths they can take in the fight against malware: defend the fort or devalue the data. Defending the fort requires companies and organizations to build stronger, higher walls of security around their systems and data. They can install and maintain all of the security technologies specified in the PCI-DSS requirements including firewalls, intrusion detection, constant patch updates, 24/7 monitoring and 330 other security requirements. To say the least, this can be an arduous and costly effort which isn’t guaranteed to keep the bad guys out, despite even the best efforts.

With the devalue the data approach, companies and organizations employ security technology to devalue the cardholder data before it reaches their point-of-sale systems, rendering the data useless to hackers if it is exposed. A primary security technology that every hospitality organization and merchant that accepts payments should have is point-to-point encryption (P2PE), which encrypts card data immediately upon swipe or dip in the payment terminal, ensuring that it never reaches the merchant’s point of sale system as clear-text card data. P2PE renders credit card data useless to hackers.

P2PE is widely available through major payment processors, solutions providers and payment gateways, yet these breaches clearly demonstrate that companies such as Sonic and IHG did not have encryption solutions implemented. EMV, which authenticates a card, will never encrypt credit card data. A holistic approach to payment security is required, with EMV and P2PE both being essential for point-of-sale card authentication and card encryption. The question is, what will it take for hospitality organizations and merchants to actually implement these solutions and really protect card data?