Michael Hopewell, Managing Information Security Consultant
When a breach is reported in the media, more often than not it’s the well-known large companies that make the headlines. In reality, cybercriminals are more successful in attacking smaller companies.
The reason for this is that smaller businesses often have fewer resources and as a result are less likely to have the latest and most up-to-date security measures in place. Consequently, they run a higher risk of falling victim to the latest cyber-attacks and malware.
More recently we have seen a trend of businesses in the hospitality industry being targeted. Data is of value to the cybercriminal, even information that may appear to have no value outside of a business can be monetised. Using ransomware for example, a cybercriminal can force a victim to pay to recover access to their own data.
With an almost endless supply of new personal and payment information generated by hospitality businesses on a daily basis, it’s easy to see why criminals are setting their sights on this industry. In this article we address why cybercriminals find it easy to exploit the hospitality industry and what steps these businesses can take to reduce the risk of data theft.
Why is the hospitality industry targeted?
In the PCI SSC blog, Stephen Orfei (PCI Council General Manager) emphasised that half of worldwide cyberattacks were against small businesses and that the hospitality industry is particularly vulnerable to attack, with restaurants being high-value targets for cybercriminals.
The reality is that there are quite a few ways that businesses in the hospitality sector can be attacked:
- Logical attacks: Stealing data from insecure systems and over the Internet. For example, there is a prevalence of point of sale (POS) breaches in hospitality.
- Physical attacks: Cardholder data may be present in physical format (receipts for example) and physical controls (alarm and surveillance systems) may be weak. This offers multiple ways to steal cardholder data.
Cardholder data is a high-value asset and, as the PCI SSC blog points out, many cybercriminals find it easier to target data in multiple small restaurants and hospitality businesses than in one single attack against a larger business.
The financial returns can be the same but smaller businesses often leave many more possible attack vectors (whether logical or physical) open to the criminal. Therefore, the attack is usually easier and less likely to be detected.
Many hotels use cloud-based or on-premises accommodation booking systems which, whilst convenient for managing availability, are also used to store full payment card details to guarantee bookings. Another source of valuable data for criminals may be call recording systems.
Businesses may record their calls for customer service purposes, but that may also mean they are storing the primary account number (PAN) and Card Verification Value (CVV2). Depending on the protection measures in place, information stored in these booking and call recording systems can be stolen and used to make fraudulent purchases in-store or online.
The nature of the hospitality business means that cardholder data may also be received and stored electronically in emails and electronic faxes that can be intercepted.
Often consumers and travel agents are more focused on making a booking than they are on the security of the data.
The scope of physical cardholder data available to criminals in a hospitality business may include PAN and/or CVV2 on printouts of emails and booking forms, faxes, merchant receipts and chargeback forms. More often than not, this physical media is not securely controlled – it may be stored in back offices, archive rooms or even outbuildings accessible to more people than is necessary.
Additionally, if a business does not have secure data disposal practices in place, refuse bins may contain merchant receipts and other physical media showing cardholder data that could easily be accessible to the general public.
So what can a hospitality business do about this?
Stephen Orfei’s blog article highlighted the fact that most of these attacks are entirely preventable. To start with, the PCI DSS is a minimum standard that should be used to minimise the risk to cardholder data. Furthermore, it is an industry regulatory requirement worldwide.
However, your hospitality customers may not know where to start to secure their business. We strongly recommend the following steps:
Know where payment card data is handled: Identify the processes that handle cardholder data. Understand where it is received, where it goes, where it is stored and who has access to cardholder data. Only then will the business be able to ensure appropriate controls to cover all areas.
Data retention: Do not keep cardholder data for any longer than necessary. Find out why cardholder data is stored and how long it needs to be kept for. Once this is defined, the business can then ensure they remove any unnecessary data that exceeds this defined time.
Minimise the risk and consider not storing cardholder data at all by using tokenisation systems (that store random tokens instead of storing cardholder data).
Restrict physical access: Only provide access to cardholder data media to employees who have a specific requirement. Most employees do not need access to archive rooms. Businesses can restrict access to cardholder data by locking cardholder data media in cupboards accessible only to those who need access to it.
Review the hospitality booking system: Use a secure solution. Consider using a PA-DSS validated solution (software validated by a qualified payment application assessor). As POS and booking systems are often sources of breaches, it is very important that businesses keep their systems secure:
- Protect POS systems by keeping them updated with the latest patches.
- If cardholder data is stored, ensure it is encrypted.
- Ensure access to cardholder data is restricted to those who need to access it.
- Do not keep the CVV2 once payment has been processed. Be aware that once the initial payment is made, the CVV2 is not needed to process a no-show payment.
- Ensure business websites have undertaken a security test (vulnerability or penetration test).
- Control and limit remote access to business systems. Make sure any remote access uses multi-factor authentication and strong cryptography.
- If the business relies on third-party cloud/online booking systems, check that the third party provides assurance that they are responsible for securing cardholder data. Ask the third party whether they are a PCI DSS compliant service provider.
Secure/update call recording system: Ensure call recording systems do not store sensitive authentication data (such as the CVV2). Ensure the recorded cardholder data is encrypted (or better still not captured and stored at all).
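The first two steps above (knowing where cardholder data sits, and not keeping it past its retention period) and the tokenisation suggestion can be checked mechanically. The following is an added example, not Sysnet's tooling or the PCI SSC's: it scans constructed booking notes and call transcripts for Luhn-valid PANs, reports whether a CVV2 was written beside them and whether the record is older than the defined retention period, and shows how a PAN is swapped for a random token. The record layout, the 90-day retention period and the `tok_` token format are assumptions for the example.

```python
import re
import secrets
from datetime import date

RECORDS = [  # constructed sample records: a booking note, a call transcript and an invoice note
    {"id": "booking-1", "created": date(2016, 1, 10), "text": "Guest guaranteed with 4111 1111 1111 1111 exp 12/19 CVV 123"},
    {"id": "call-7", "created": date(2015, 6, 20), "text": "Caller read out card 5500000000000004 and security code 321"},
    {"id": "invoice-9", "created": date(2016, 3, 5), "text": "Reference number 1234567890123"},  # 13 digits, fails Luhn
]
# 13-19 digits with optional single spaces/dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A CVV2/security code written next to a number: sensitive authentication data, never to be retained.
CVV_NEAR = re.compile(r"\b(?:cvv2?|cvc|security code)\D{0,5}\d{3,4}\b", re.I)

def luhn_ok(digits):
    """Luhn checksum separates real PANs from other long numbers (invoice references etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid PANs (digits only) found in free text."""
    return [p for p in (re.sub(r"\D", "", m.group()) for m in CANDIDATE.finditer(text)) if luhn_ok(p)]

def mask(pan):  # first six and last four digits only, the most a report should ever show
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit(records, today, retention_days):
    """Flag each record holding a PAN, whether a CVV2 sits beside it, and whether it is past retention."""
    findings = []
    for r in records:
        pans = find_pans(r["text"])
        if pans:
            findings.append({"id": r["id"], "pans": [mask(p) for p in pans],
                             "cvv2_stored": CVV_NEAR.search(r["text"]) is not None,
                             "over_retention": (today - r["created"]).days > retention_days})
    return findings

def tokenise(text, vault):
    """Swap each PAN for a random token; only the vault (held by a separate tokenisation service) maps it back."""
    def swap(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        token = "tok_" + secrets.token_hex(8)
        vault[token] = digits
        return token
    return CANDIDATE.sub(swap, text)
```

Run over the constructed records with a 90-day retention period, the booking note is flagged for a stored CVV2, the call transcript for both a stored CVV2 and exceeding retention, and the invoice reference is correctly ignored.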
Future of hospitality
Many lessons have been learned from across all industries. Applications and card payment solutions are becoming more mature and secure. Additionally, businesses are becoming more aware of the need to protect their customers as well as their own reputation, recognising the need to adopt secure practices.
They are also realising that they need to consider migrating to new technologies and solutions to avoid being breached and to keep up with consumer expectations.
Talk to Sysnet about reaching out to your customers with our Merchant Contact Services. We offer a wide range of services, from inbound terminal upgrade support through to outbound merchant contact, promoting a new service on your behalf or even safer business practices.