Visa Europe, Europe's leading payment system, today launched the first whitepaper aimed at helping the hospitality industry safeguard customer data.
'Hospitality Breaches on the Rise' offers insight on how cyber-criminals target hotels, and guidance on how data can be protected to help businesses comply with the Payment Card Industry Data Security Standard (PCI DSS).
Research by Trustwave, a Visa Qualified Forensics Investigator (QFI), found that 38% of all card compromise incident investigations in 2009 occurred in the hospitality industry - highlighting the need for hotels to protect their payment systems.
Hotels can have more complex payment systems than other retail businesses, making it harder for them to achieve PCI DSS compliance. Whereas some retailers may have only one point of sale, a hotel stores and retrieves customer card data at multiple pay terminals, such as the reservation desk, restaurant, bar, room service, internet access and online bookings.
Visa Europe and Trustwave, in consultation with leading hotels, have developed a series of recommendations to help hoteliers and franchises lower the risk of security breaches:
• Change vendor-supplied defaults for passwords or other security information for Hotel Management Systems (HMS) and Point of Sale (POS) payment systems. The HMS is the central and core component in which cardholder data is stored, processed and transmitted to perform authorisation and settlement across other payment terminals in the network
• NULL sessions (unauthenticated connections to a Windows computer) should be disabled. This is the number one method for hackers to gain information on passwords, groups, services and users
• Install and maintain a firewall to protect data. HMS and POS payment systems should not be directly accessible via the Internet; inbound traffic should be blocked and outbound services should be filtered
• Assign a unique ID to each person with computer access and implement a dual-factor authentication method for remote system access via the Internet. This will mitigate unauthorised access into HMS and POS payment systems
• Track and monitor all access to network resources and cardholder data so that anomalies and suspicious attack activity can be detected
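The recommendations above on vendor-default accounts, unique user IDs, two-factor remote access and monitoring of cardholder-data access can be checked against a hotel system's own access logs. The script below is an added example written for this page, not code from Visa Europe, Trustwave or the whitepaper: it parses a constructed, hypothetical HMS access-log format (timestamp, account, source IP, whether two-factor authentication was used, action, record count) and flags the conditions the list describes. The account roster, generic-account list, internal network prefix, export threshold and business hours are all assumed values a hotel would replace with its own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not from any real HMS product).
# Format: "timestamp account source_ip mfa(yes|no) action record_count"
SAMPLE_LOG = """\
2010-06-01T09:02:11 jsmith 10.20.0.15 no reservation.lookup 1
2010-06-01T09:05:40 admin 10.20.0.15 no card.view 3
2010-06-01T11:17:02 vendor 203.0.113.9 no card.export 450
2010-06-01T11:20:33 mlee 198.51.100.7 yes card.view 2
2010-06-01T12:00:00 pos-bar 10.20.0.40 no card.view 1
2010-06-01T23:48:05 jsmith 10.20.0.22 no card.export 180
"""

# Assumed policy values; a real deployment would load these from its own records.
GENERIC_ACCOUNTS = {"admin", "vendor", "manager", "support"}  # vendor/shared defaults
NAMED_USERS = {"jsmith", "mlee"}          # uniquely assigned IDs (PCI DSS req. 8)
INTERNAL_PREFIX = "10.20.0."              # hypothetical hotel LAN
BULK_EXPORT_THRESHOLD = 100               # records per action before it is "bulk"
BUSINESS_HOURS = range(6, 22)             # hours in which card access is expected

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (yes|no) (\S+) (\d+)$")


@dataclass
class Event:
    when: datetime
    account: str
    source_ip: str
    mfa: bool
    action: str
    records: int


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, account, ip, mfa, action, count = m.groups()
        events.append(Event(datetime.fromisoformat(ts), account, ip,
                            mfa == "yes", action, int(count)))
    return events


def review(events):
    """Return (account, reason) findings for each control the checklist names."""
    findings = []
    for e in events:
        # Vendor-supplied or shared accounts should not be in use at all.
        if e.account in GENERIC_ACCOUNTS:
            findings.append((e.account, "generic or vendor-default account in use"))
        elif e.account not in NAMED_USERS:
            findings.append((e.account, "account is not a uniquely assigned user ID"))

        # Remote (non-LAN) access must use two-factor authentication.
        remote = not e.source_ip.startswith(INTERNAL_PREFIX)
        if remote and not e.mfa:
            findings.append((e.account, "remote access without two-factor authentication"))

        # Monitor cardholder-data access for volume and timing anomalies.
        touches_cards = e.action.startswith("card.")
        if touches_cards and e.action == "card.export" and e.records >= BULK_EXPORT_THRESHOLD:
            findings.append((e.account, f"bulk cardholder-data export ({e.records} records)"))
        if touches_cards and e.when.hour not in BUSINESS_HOURS:
            findings.append((e.account, "cardholder-data access outside business hours"))
    return findings


if __name__ == "__main__":
    for account, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{account:8} {reason}")
```

On the sample lines the review flags the `admin` and `vendor` accounts, the shared `pos-bar` terminal login, the vendor's un-authenticated bulk export from an external address, and a late-night export by an otherwise legitimate user, while the MFA-protected remote lookup by `mlee` passes. In practice these checks would run continuously against the HMS and POS logs rather than a static file.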
Stanley Skoglund, Senior Vice President Payment System Risk at Visa Europe said, "Cardholder data held by hotels is a potentially lucrative hub of information for fraudsters who view the hospitality sector as an easy target. By understanding the nature of security threats and the preventive measures that can be taken, hotels can reduce the risk of compromise. Hotels make up a large proportion of data compromises and Visa Europe is keen to work alongside the industry on initiatives like this white paper, to help increase awareness, to help strengthen defences, and reinforce consumer trust."
Visa is introducing a range of guidelines for retailers including advice on emerging technologies such as data encryption and tokenisation, which help secure card data when it is either being moved or stored and make it simpler to achieve PCI DSS compliance.