To streamline operations, improve service and remain competitive, hotels use computers to handle numerous tasks. While automation facilitates hotel operations and often makes a better stay for guests, it also opens hotels to digital threats perpetrated by malicious actors.
Hotel operators should be aware of attacks, which can significantly hurt their brand reputation and bottom line, not to mention the safety and welfare of employees and guests.
According to Statista, the hospitality industry generates revenue of up to 550 billion dollars globally each year. It is also one of the most attractive targets for attackers, accounting for around 40% of all data breaches and credit card theft worldwide.
The leading breach pattern in hotels, according to the Verizon DBIR, is the POS breach. A whopping 96% of the data accessed from the industry was payment data, 2% personal data, and 1% credentials. Most POS breaches are opportunistic and financially motivated, and they primarily involve malware and hacking threat actions. An attacker compromises a system quickly, but it often takes hotels months to discover the breach.
Hackers target hotels because of the type of point of sale (POS) systems they use. These are often integrated, non-compliant POS environments running applications that are not as secure as modern, hardened payment terminals designed to capture and encrypt payment data. Hotel systems send card data to the back office instead of directly to the payment processor, an additional step that introduces weakness into the hotel POS system.
In addition, there are large volumes of payment card transactions across restaurants, on-site shops, spas, parking, and the front desk, ensuring there is plenty of customer data for a hacker to compromise.
One recommended way to secure your hotel's and your patrons' data is to ensure that you are PCI compliant.
The Payment Card Industry Security Standards Council (PCI SSC) has put forth a set of requirements, the Payment Card Industry Data Security Standard (PCI DSS), in response to the rapid growth of the payment card industry.
Hotels should make sure they comply with these requirements, which oblige businesses to handle and transmit credit card information in a secure environment, to avoid heavy fines and the loss of data, revenue, and customer trust.
"Ultimately, the responsibility for a breach falls back on the individual hotel and not the franchise, so it is important that each entity take responsibility," says Mark Cline, Vice President of Sales, Netsurion.
It is difficult to achieve PCI Compliance, especially for small hotels with limited staff and budget.
According to Verizon, more than 80% of data breaches involved stolen or weak passwords. Every individual dealing with customer data should set their own password and be prompted to change it at least every quarter. Passwords should be required to contain a combination of special characters, upper- and lower-case letters, and numbers.
Holding training sessions keeps security top of mind for employees. The PCI Security Standards Council website offers training suited to your hotel's needs.
In addition to training, it can be helpful to assign one staff member to take charge of all tasks related to PCI compliance so important deadlines don't slip through the cracks.
Not every point-to-point encryption (P2PE) solution is PCI DSS validated. Any third party that handles your customers' information, including reservation systems, POS systems, and property management systems, should be compliant. Be sure to verify your solutions against the PCI Security Standards Council's lists of validated solutions.
Purge any unnecessary digital or hard-copy records containing customer information or credit card data that are not essential to the business. The more data you store, the more exposed your hotel is to a data breach.
Your hotel should regularly review its processes and watch for updates to PCI DSS. When those updates are published, ensure that you take the proper steps to remain compliant.
We've been helping hoteliers with PCI Compliance since its inception by providing affordable managed network security solutions that make compliance easy and efficient. Learn how to simplify the process and be audit-ready at all times, while still focusing on your business.
Take 5 minutes to learn which of the 12 requirements you need to spend extra attention on to gain compliance.
Sources: Statista; Verizon DBIR 2017; PCI Security Standards Council