The Green Sheet Online Edition
June 08, 2009 • Issue 09:06:01
Trustwave alerts hospitality sector
In response to a growing number of data security breaches in the hospitality industry, information and security compliance firm Trustwave issued an alert to help hotels and restaurants identify and address security weaknesses.
Colin Sheppard, Forensic Practice Manager for Trustwave, said much of the problem involves the multichannel acceptance of payments. Channels of acceptance include MO/TO, card-present, point-of-service transactions and card-not-present payments done via the Internet.
According to Sheppard, when a guest books a hotel room online for a property that is part of a hotel chain, a link is formed between the chain's online reservation system and the individual hotel being booked; perhaps a central corporate headquarters will have remote access to the data as well. But weak links in the system can be infiltrated by fraudsters.
Regardless of the method of attack, "if the attacker is able to gain access to a specific property, and there's deficiency in their security, there's the potential to exploit that link back to possibly another property," Sheppard said. He also cited noncompliant or improperly configured payment applications as a major weakness that can increase the risk of data breaches. "In many cases, that includes the use of vendor default passwords," he said.
Michelle Genser, Corporate Communications Manager for Trustwave, added that businesses without internal information technology resources have third-party vendors set up their hardware and software security systems. Hospitality companies, such as resorts, bed and breakfasts and motels, that do not employ security experts trust third-party vendors to correctly install and manage the right security systems for their businesses, she said.
Even if companies are certified Payment Card Industry (PCI) Data Security Standard (DSS) compliant and follow the PCI's best practices today, they remain dependent on their vendors: if a security vendor hires new employees tomorrow who disregard best practices, the businesses that rely on that vendor can become noncompliant and vulnerable to breaches.
Laurence Barron, Vice President and Chief Information Officer for the American Hotel and Lodging Association and Member of the PCI Security Standards Council, said when breaches occur, the business entities breached are liable, not the third-party security vendors that may have been the actual problem.
"The properties need to be aware of the potential liability [and] make sure that third parties are compliant, make sure they have conformed to PCI regulated scans, make sure that the companies they get actually do follow best practices," Barron said. "The [entity] that's ultimately liable, and a lot of people miss this, is the place that actually takes the credit card. I've had different hotels say, 'Well I called my company. They said they're compliant, so I'm good.'"
Sheppard also noted that many location managers are under the impression that maintaining data security compliance is handled on a corporate level. "But they need to focus on security themselves and not assume that those systems are secure," he said.
Barron believes that "at some point legislation is going to have to be acted on or the [card brands] are going to have to say, 'If you take a credit card, you must be compliant, you must conform.'" He noted that many business owners still believe security breaches can't or won't happen to them; a further problem is that smaller operations often don't want to spend money on compliance.
Call to action
In its alert issued May 14, 2009, and entitled Security Alert for Businesses in the Hotel, Motel and Lodging Industries, Trustwave offered eight actions that should be taken immediately by hospitality companies to reduce their security risks and better protect the financial and personal data of their clientele.
- Establish firewalls that properly filter incoming and outgoing data traffic
- Upgrade to Payment Application Data Security Standard (PA-DSS)-validated applications and ensure they are configured in accordance with the PCI DSS
- Periodically reboot payment systems to deactivate hidden viruses
- Enforce strong username/password policies for system access
- Properly secure remote access applications
- Review system activity logs daily
- Disable Windows file sharing if not required (if required, grant access to shared folders only to specific user accounts secured with strong passwords)
- Ensure anti-virus/anti-malware software is installed and updated consistently
Access point vulnerability
Trustwave analyzed the cause of breaches it had investigated. The Chicago-based global security firm found that over half of the problems originated in third-party access to businesses' electronic payment systems.
To limit the possibility of weaknesses resulting from third-party access to data, Trustwave wrote a white paper entitled Protecting Cardholder Data for Hospitality Businesses Accepting Payment Cards through Multiple Channels: Hotels, Motels and Lodging. It suggests businesses observe the following best practices:
- Choose compliant service providers recommended by Visa Inc. or MasterCard Worldwide
- Use PA-DSS-compliant payment applications
- Require PCI DSS compliance in contracts with third parties handling cardholder data
- Maintain strict policies and procedures for remote access to networks
"It's the hospitality industry today, but obviously we have many other businesses that follow that model," Sheppard said. For example, grocery store chains commonly use payment gateways to aggregate all card data from individual stores within the franchise to central data storage locations.
He stressed that these franchise models are a target because, once attackers break into a system, they hop from one franchise location to the next to steal card data.
According to Genser, Trustwave expects the number of breached hospitality businesses to increase. She indicated that hotel owners often switch hotel brands.
"If they switch brands with a compromised network, it can infect other brands and their respective networks. Due to a lack of data security resources, many hotel owners or operators are unaware that they have fallen victim to a security breach."
The alert and the white paper can be obtained from Trustwave's Web site at www.trustwave.com. In June 2009, the company will present a webinar on the subject of data security in the hospitality industry.