Trustwave raises alarm, advises hospitality sector
In response to a growing number of data security breaches in the hospitality industry, information and security compliance firm Trustwave issued an alert to help hotels and restaurants identify and address security weaknesses.
Colin Sheppard, Forensic Practice Manager for Trustwave, said much of the problem involves the multichannel acceptance of payments. Channels of acceptance include MO/TO, card-present, point-of-service transactions and card-not-present payments done via the Internet.
According to Sheppard, when a guest books a hotel room online for a property that is part of a hotel chain, a link is formed between the chain's enterprise-wide online reservation system and the individual hotel being booked; perhaps a central corporate headquarters will have remote access to the data as well. But weak links in the system can be infiltrated by fraudsters.
Regardless of the method of attack, such as key logging, skimming or sniffing, "if the attacker is able to gain access to a specific property, and there's deficiency in their security, there's the potential to exploit that link back to possibly another property," Sheppard said. (Translation: Security is only as strong as the weakest link)
He also cited noncompliant or improperly configured payment applications as a major weakness that can increase the risk of data breaches. "In many cases, that includes the use of vendor default passwords," he said.
Third-party peril
Even if companies are certified Payment Card Industry (PCI) Data Security Standard (DSS) compliant and are following the PCI's best practices today, if their security vendors hire new employees who disregard best practices tomorrow, businesses that rely on those vendors can be noncompliant and vulnerable to breaches.
Laurence Barron, Vice President and Chief Information Officer for the American Hotel and Lodging Association and Member of the PCI Security Standards Council, said when breaches occur, the business entities breached are liable, not the third-party security vendors that may have been the actual problem.
"The properties need to be aware of the potential liability [and] make sure that third parties are compliant, make sure they have conformed to PCI regulated scans, make sure that the companies they get actually do follow best practices," Barron said. "The [entity] that's ultimately liable, and a lot of people miss this, is the place that actually takes the credit card. I've had different hotels say, 'Well I called my company. They said they're compliant, so I'm good.'"
Sheppard also noted that many location managers are under the impression that maintaining data security compliance is handled on a corporate level. "But they need to focus on security themselves and not assume that those systems are secure," he said.
Barron believes that "at some point legislation is going to have to be acted on or the [card brands] are going to have to say, 'If you take a credit card, you must be compliant, you must conform.'" He noted that many business owners still believe security breaches can't or won't happen to them, with the additional problem being that smaller operations often don't want to spend money on compliance.
Call to action
- Establish firewalls that properly filter incoming and outgoing data traffic
- Upgrade to Payment Application (PA) DSS-validated applications and ensure they are configured in accordance with the PCI DSS
- Periodically reboot payment systems to deactivate hidden viruses
- Enforce strong username/password policies for system access
- Properly secure remote access applications
- Review system activity logs daily
- Disable Windows file sharing if not required (if required, grant access to shared folders only to specific user accounts secured with strong passwords)
- Ensure anti-virus/anti-malware software is installed and updated consistently
Access point vulnerability
Trustwave analyzed the cause of breaches it had investigated. The Chicago-based global security firm found that over half of the problems originated in third-party access to businesses' electronic payment systems. To limit the possibility of weaknesses resulting from third-party access to data, Trustwave wrote a white paper entitled Protecting Cardholder Data for Hospitality Businesses Accepting Payment Cards through Multiple Channels: Hotels, Motels and Lodging. It suggests businesses observe the following best practices:
- Choose compliant service providers recommended by Visa Inc. or MasterCard Worldwide
- Use PA DSS-compliant payment applications
- Require PCI DSS compliance in contracts with third parties handling cardholder data
- Maintain strict policies and procedures for remote access to networks
According to Genser, Trustwave expects the number of breached hospitality businesses to increase. She indicated that hotel owners often switch hotel brands. "If they switch brands with a compromised network, it can infect other brands and their respective networks. Due to a lack of data security resources, many hotel owners or operators are unaware that they have fallen victim to a security breach."
The alert and the white paper can be obtained from Trustwave's Web site at www.trustwave.com. In June 2009, the company will present a webinar on the subject of data security in the hospitality industry.