Is PCI Enough?
Pop quiz: What do Wyndham Hotel & Resorts, Best Western International, Heartland Payment Systems, and a number of high-end restaurants and hotels in the Washington D.C. area all have in common? If you read the headlines, you know that it's not good news. They all were victimized by a security breach, resulting in the theft of their customers' credit card data.
While some of the instances were small Best Western's breach affected just 10 guests, according to the hotel company and others were large the D.C. incident resulted in a $750,000 shopping spree at stores like Gucci and Barney's of New York with the stolen card numbers it is clear that the need to guarantee the protection of guests' credit card information is not going away. As the U.S. economy continues to battle its way out of a recession, it can even be argued that the threat of credit card theft in the hotel and lodging segments will continue to grow as instances of theft increase.
Ask any operator in the hospitality segment and they will tell you that the first line of defense against a data security breach is compliance with Payment Card Industry Data Security Standards (PCI DSS). From data encryption to system firewalls, PCI DSS presents merchants with a list of twelve requirements that will ostensibly safeguard them against data breaches. Although there is a lot of value associated with PCI DSS compliance, it is often not enough. Merchants, hospitality operations included, can be completely compliant with PCI DSS requirements and still be subject to a security breach as a result of manual processes, poor business practices, insufficient training, a lack of policies, human misconduct and more.
"Unfortunately, PCI DSS does not adequately address the human element of breaches. While it does set out the minimum-security standards from primarily a technology perspective, the weakest links in breach prevention are people," says Edi Goodman, chief privacy officer for Identity Theft 911 (www.identitytheft911.com), an identify theft resolution service.
One of the first areas where operators fail when creating a culture of information security is in recognizing that PCI compliance is a shared responsibility across an entire organization. Because it is so easy for one small mistake to happen, resulting in the loss of brand reputation and the cost of associated legal fees, it is essential that hotel and restaurant staffers are fully aware of the repercussions of a security breach. Security and privacy should not fall on executives or the IT department alone.
"Management needs to create and reinforce a culture of information security as a component of the service ethic," write the authors of a recent HT article, "PCI DSS Compliance: Just Whose Responsibility is it?" by Daniel J. Connolly, associate dean for undergraduate programs at the university of Denver's Daniel College of Business, and Mark G. Haley, CHTP, a partner at the hospitality technology consulting firm The Prism Partnership. "Leadership needs to start at the top of the organization and be accepted across the company. Deploying information security vertically by the IT department will not drive a culture change," the authors say.
Identity Theft 911's Goodman concurs: "Information security should fall on the organization as a whole, at every level. Plenty of organizations have fallen due to a low level employee with too much access and too little training on information management."
Beyond common sense
According to Visa and the National Federation of Independent Business (NFIB), 57 percent of small businesses do not view securing customer data as something that requires formal planning, and 39 percent say they rely on "common sense" to keep their data safe. What many hotel and restaurant operators do not realize is that common sense is not enough to prevent a security breach.
"An information security breach is not always an electronic intrusion that exposes millions of people," says Goodman. "Data breaches can also involve one or two people and paper documents. If you accidentally send a bill with sensitive information to the wrong person, that could be considered a data breach under the right circumstances and state laws."
How can operators prevent a breach beyond PCI DSS? Experts tell HT that hospitality operators should focus on several core areas:
- Data encryption: Lock down and encrypt data transmission and data storage of all types. These include LAN, WAN and wireless networks, virtual and physical data handling, externally hosted applications, third-party and external partners, emerging technologies, and internal, external, remote and mobile staff. Maybe even adding encryption to the communication aspect of applications is appropriate.
- Education: Train all employees on corporate policies when it comes to handling sensitive customer information. "Policies are only worth something if people know about them and are trained on how to use them," says Goodman. "In addition, proper oversight is also required to make sure that policies are being followed, training is ongoing and continues with every new employee."
- This should also include training staff to recognize identify theft warning signs, such as waiters keeping small credit card readers in their pockets, or inaccurate charges showing up on guests' bills. Although these methods are not as large as a network breach, they can still cost a company in money and reputation. The Times-Picayune reported that a waitress at a New Orleans Bubba Gump Shrimp Seafood Co. location was charged in March with selling up to 50 customers' credit card information for up to $220 a piece through the use of a machine used to scan credit cards.
- Hiring processes: Conduct both criminal and credit background checks on all potential hires. Know who is being hired and if they have a history of theft.
- Pinpoint the issue: Breaches often come to light months after an incident occurred via the credit card companies, whose fraud management systems pinpoint a widespread breach. At this point the damage has already been done. While PCI only requires merchants to aggregate and store log data, hospitality operators need to more closely monitor the configurations on the devices that handle credit card data. New executables, unauthorized changes, and a large flow of data leaving a network can be telltale signs of a problem.
- Future proofing: "It is a lot less expensive to put the preventative and proactive tools and solutions in place to avoid and/or proactively deal with a data security breach than to have to reactively deal with and pay for a data beach. An ounce of prevention is worth a pound of cure," reminds Goodman.
RELATED ARTICLESAdditional reporting by Joe Skorupa, editor-in-chief, RIS News; Experts taken from "PCI is Not Enough: A Two Step Approach to Pinpoint an Attack," by Mike Rothman, SVP of strategy, eIQnetworks; and "Keeping Ahead of the Thief: PCI Compliance for the Small Business," by Henry Helgeson, president & Co-CEO, Merchant Warehouse.
Identity Theft Targets Hospitality: Protect Guests
PCI DSS Compliance: Just Whose Responsibility is It?
PCI DSS Compliance: Just Whose Responsibility is It?
Understanding PCI Version 1.2