© usd AG 2011 - 1 - www.usd.de

Payment Card Crime in the Hotel Industry
Trafficking stolen payment card data is a thriving business. The press regularly reports new breaches at international, medium-sized and small companies, and the number of successful attacks that go unreported is estimated to be far higher. According to current studies published by the payment card organizations, the hotel industry is a prime target for payment card fraud. Professional hacker groups and criminal insiders exploit the low level of awareness of these risks that is common in this sector. High claims for compensation, loss of image and of guest confidence, and the termination of the payment card acceptance contract can all follow a successful compromise of payment card data, which makes it a significant threat to your hotel business.
Causes and Reasons
The hotel industry offers payment card thieves a wide attack surface. Payment card data is widely distributed: many areas of the hotel receive, process and store it. For reservations it is transmitted in very different ways (by phone, e-mail, fax or online) and reaches the hotel long before the guest checks in. Beyond reservations there are many other situations in which payment cards are used in the hotel business, for example purchases in the hotel shop, bookings of sports and wellness offers in the spa and fitness area, and payments at the hotel bar, in the restaurant or in the casino on the premises.
Payment Card Crime
Hotels Face Great Security Risks
Introducing Countermeasures
At the beginning of 2005, the Payment Card Industry Data Security Standard (PCI DSS) was published by the international payment card organizations Visa, MasterCard, American Express, JCB, Discover and Diners Club to improve the protection of payment card data.
Implementing the security measures defined in this standard is mandatory for every company that handles payment card data; merchants and service providers are obliged to exercise due diligence. In most cases, hotels can attest compliance with the standard using the Self-Assessment Questionnaire (SAQ); where necessary, external security assessments are performed. Our PCI Competence Center is at your disposal if you need further information.
usd PCI Competence Center
Our Competence Center provides consulting services to merchants on all aspects of the PCI Security Standard. Do you have questions regarding PCI requirements and conditions? Do you need help filling out the SAQ? We are happy to assist you.
Telephone: +49 6103 9034-90 E-mail: [email protected]
What Can I Do?
Solutions don’t always have to be complex and expensive. Numerous studies show that more than three quarters of all attacks could have been prevented by simple means and with little (financial) effort.
Based on the experience we have gained working with numerous hotels, we have listed the five most important subjects regarding payment card security in the hotel business. The following compact guideline, which you can follow step by step, shows you how to minimize your risk. At the same time, you will fulfill the most important requirements of the PCI Security Standard.
Each of the following pages covers one subject. In addition to the description of vulnerabilities and possible attack vectors, we describe specific countermeasures. Using the check list on each page, you will be able to keep track of the measures to take and come closer to your goal step by step.
In case you should have any questions, we will gladly provide you with the needed information. Please go to the last page for our contact data.
Responsible Payment Card Data Handling
Vulnerabilities
Payment cards are a preferred means of payment in the hotel environment. Accordingly, an abundance of payment card data is found on hotel computer systems and in booking and accounting software. This large amount of data, together with poorly maintained software and computers, attracts criminals like a magnet.
The risk of losing control over the security of payment card data grows with the amount of stored data, with the number of business processes that involve it and with the number of staff members who handle it. At the same time, the effort needed to comply with the strict requirements of the PCI Security Standard grows as well: the standard applies to every IT system, employee and medium (digital or print-out) that comes into contact with payment card data.
Measures
The most important principle is: handle as little payment card data as possible. The term “payment card data” refers to any data used in connection with a payment process. The less of it you store permanently, the less there is for an attacker to steal.
We recommend that you first conduct an inventory. In how many places is payment card data stored? Then consider how long you actually have to keep such data. Check your business processes and find out where the use of payment card data is absolutely necessary.
Please note the following when storing payment card data:
The cardholder’s name and the card’s expiry date may be stored. The card number itself may only be stored if it is rendered unreadable, for example by encryption or by masking. Masking means that only the first six and the last four digits of the card number remain visible (e.g. 1234 56xx xxxx 3456). This is common when the number has to be kept for checks and queries.
Security features such as the CVV2/CVC2 code and the PIN must never be stored after authorization; once stored, they lose their function as security features.
Checklist
Perform an inventory of the data storage for payment cards
Minimize retention period for payment card data
Check secure storage/masking of payment card numbers
Do not store payment card data security features

Secure Hotel Management Software
Vulnerabilities
It is impossible to run a hotel business without effective Hotel Management Software (HMS). This software usually also stores and processes payment card data. Using an older version, or a version that has not been validated according to PCI PA-DSS, means incurring a high risk: in these cases data is very often not stored and processed securely.
However, using software that is validated according to PCI PA-DSS is not sufficient on its own. How was the software installed? Were all the recommendations and measures specified by the software manufacturer followed? Does your service provider have both the technical and the necessary security know-how? How, for example, are maintenance and updates of the software performed? Are there insecure or permanently open remote accesses for the software developer or service provider? Such accesses can also be found and misused by attackers.
Measures
Rely on Hotel Management Software that is validated according to PCI PA-DSS. Make sure the software was installed and configured according to the manufacturer’s instructions; for this purpose the manufacturer has to supply a so-called “Implementation Guide”. Verify that the IT service provider who installs and maintains your software has the required security knowledge: does the service provider know the requirements of PCI DSS? Discuss with your software manufacturer and/or service provider how maintenance and updates are performed over the internet. Are these accesses secured? Can they be activated only for the duration of a maintenance session and closed again afterwards? Provide appropriate training for your staff on handling the Hotel Management Software, and make sure that payment card data is stored only in the software and is not written down anywhere.
Checklist
Check that the Hotel Management Software in use is validated according to PCI PA-DSS
Ensure installation of the HMS according to the Implementation Guide
Check service provider’s security know-how regarding PCI DSS
Initiate staff training for secure handling of the HMS
Arrange for protection/deactivation of HMS internet accesses

Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS)
This security standard was developed by payment card organizations such as VISA and MasterCard specifically for software that processes, stores or transmits payment card data. Software can be validated against this standard.
Reservations via E-Mail or Fax
Vulnerabilities
Guests quite often send reservations by e-mail or fax. These electronically transmitted messages frequently contain payment card information and are an inherent security risk.
Measures
1. To minimize the number of unwanted reservation inquiries containing payment card data, always point out to your guests that sending payment card data by e-mail or fax is insecure and also unnecessary.
2. Handle the remaining reservation inquiries that nevertheless contain payment card data as follows:
   a) Transfer the reservation details and the payment card data into your Hotel Management Software; if you need a paper copy, print out the e-mail first.
   b) Delete the e-mail from your inbox and empty the “recycle bin” (deleted items) both in the e-mail program and in the operating system.
   c) Discuss further measures for “secure” deletion of e-mails with your IT responsible person or your IT service provider (e.g. deletion from the e-mail server, use of dedicated deletion programs).
3. If incoming faxes are automatically converted into electronic form (e.g. into an e-mail), proceed exactly as described in steps 2a to 2c.
4. If reservation inquiries (e.g. print-outs or paper faxes) have to be kept, collect them in a folder and store it in a locked cabinet that is not accessible to the public.
5. Once reservation inquiries are no longer needed, at the latest after the guest has checked out, destroy them securely. Use a so-called secure document bin or a document shredder complying with Security Level 4.
Staff who may receive e-mails or faxes containing payment card data must be trained in these procedures.
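The inventory and masking rule in the section on responsible data handling (keep only the first six and the last four digits) and the e-mail procedure here both come down to one practical check: find card numbers in stored data and mask them. The following Python script is an added example and not part of the original usd AG guideline. It scans a constructed sample mailbox for Luhn-valid card numbers, flags labelled CVV/CVC/PIN values that must never be stored, and produces a masked copy; the two card numbers are the widely published test numbers, and the sample messages, regular expressions and function names are assumptions of this example.

```python
import re

# Constructed sample "mailbox" for this example: two reservation messages of
# the kind the guideline describes. The card numbers are the well-known test
# numbers 4111 1111 1111 1111 and 5500 0000 0000 0004, not real cardholder data.
SAMPLE_MAILBOX = """\
From: guest@example.com
Subject: Reservation 12-14 March
Please guarantee the room with my card 4111 1111 1111 1111, exp 03/13, CVV 123.
Call-back number: +49 6103 9034-90

From: fax-gateway@hotel.example
Subject: Incoming fax 0815
Guest loyalty no. 1234 5678 1234 5678 (that is not a card number).
Card for deposit: 5500000000000004 valid thru 11/13
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# adjacent to further digits (phone numbers are too short to match).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data labelled as such next to a 3- or 4-digit value.
SAD_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID|PIN)\b\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every genuine card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidate_pan(match_text: str):
    """Digits of a regex hit if it is a plausible, Luhn-valid card number."""
    digits = re.sub(r"\D", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, e.g. 1234 56xx xxxx 3456."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    masked = digits[:6] + "x" * (len(digits) - 10) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def find_pans(text: str) -> list:
    """Every Luhn-valid card number in text, digits only, in order found."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _candidate_pan(m.group())
        if digits is not None:
            found.append(digits)
    return found


def find_sensitive_auth_data(text: str) -> list:
    """Labelled CVV2/CVC2/CID/PIN values, which must never be stored."""
    return [m.group() for m in SAD_RE.finditer(text)]


def redact(text: str) -> str:
    """Mask card numbers in place and blank out labelled security codes."""
    def _mask(m):
        digits = _candidate_pan(m.group())
        return mask_pan(digits) if digits else m.group()
    text = PAN_RE.sub(_mask, text)
    return SAD_RE.sub(lambda m: re.sub(r"\d", "x", m.group()), text)


if __name__ == "__main__":
    print("card numbers found:", find_pans(SAMPLE_MAILBOX))
    print("security codes found:", find_sensitive_auth_data(SAMPLE_MAILBOX))
    print(redact(SAMPLE_MAILBOX))
```

The Luhn test keeps the loyalty number in the sample from being reported as a card number, and the phone number is too short to match at all; a mailbox or file share can be swept with `find_pans` before deciding what has to be deleted, and `redact` produces the masked form that may be kept for later queries.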
Checklist
Advise guests of the risk involved in sending payment card data via e-mail or fax
Introduce procedures referring to the handling of e-mails and faxes containing payment card information
Discuss measures for secure deletion with the IT-responsible person/service provider
Initiate training for staff who are in contact with payment card data

User Names and Passwords
Vulnerabilities
In the service sector it is quite usual for several employees to use the same access data (e.g. user name/password or chip card/PIN). This is called a “group account”. Such accounts are difficult to keep under control: if an employee leaves the company, he or she may pass the access data on to unauthorized persons, and actions can no longer be attributed to an individual.
Moreover, numerous studies show that many users choose the same weak passwords, for example:
123456789, Mousy123, Iloveyou, Princess, abc123
Short numerical sequences and ordinary dictionary words are especially easy to guess: programs that automatically try all possible combinations and lists of commonly used passwords at high speed crack them in no time.
Software manufacturers assign initial default passwords that are often not changed during installation or afterwards. In that case an attacker can easily gain administrative access to computer systems using the default password lists that are freely available on the internet.
Measures
As a basic principle, only individual user names and passwords should be assigned. Do not share any user ID. Each employee has to choose and set a personal password after installation. Always use secure, so-called complex passwords with a minimum length of seven characters and a mix of uppercase and lowercase letters and digits.
Your IT responsible persons or your IT service provider should be obliged to change default passwords. Because of the high threat they pose, Visa Europe has published a separate hand-out on password security.
Checklist
Terminate the use of group accounts
Obligate staff and service providers to use complex passwords
Technically enforce the use of complex passwords
Obligate IT responsible persons and service providers to change all default passwords

Here’s a way to come up with secure passwords and memorize them:
(1) Think of a sentence to remember (e.g., My 1st sentence to remember is perfect!)
(2) You can then create your own password from the first character of each word, i.e.: M1ststrip!
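The complexity rule above (at least seven characters, uppercase and lowercase letters and digits), the list of weak passwords and the sentence mnemonic can be turned into a check that an IT service provider could run when setting up accounts. The following Python script is an added example, not part of the original usd AG text or of the Visa Europe hand-out. The deny-list is constructed from the five passwords quoted above, the mnemonic rule is this example’s reading of the “M1ststrip!” illustration (first character of each word, a word beginning with a number kept whole, trailing punctuation kept), and the function names are the example’s own. It also shows why the complexity rule alone is not enough: “Mousy123” satisfies every character-class requirement and is still a known weak password.

```python
import re

MIN_LENGTH = 7

# Constructed deny-list: the weak passwords quoted in the text, lower-cased.
# A real deployment would load a far larger list of leaked/common passwords.
COMMON_PASSWORDS = {"123456789", "mousy123", "iloveyou", "princess", "abc123"}


def policy_violations(password: str) -> list:
    """Reasons a password fails the complexity rule (at least 7 characters,
    uppercase and lowercase letters, digits) plus a deny-list check that the
    character-class rule alone cannot provide. Empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def is_acceptable(password: str) -> bool:
    return not policy_violations(password)


def passphrase_to_password(sentence: str) -> str:
    """Derive a password from a memorable sentence the way the example above
    does: first character of each word; a word that starts with a number is
    kept in full (e.g. "1st"); trailing punctuation of a word is kept."""
    parts = []
    for word in sentence.split():
        number = re.match(r"\d+[A-Za-z]*", word)
        if number:
            parts.append(number.group())
        else:
            parts.append(word[0])
        tail = re.search(r"[^\w]+$", word)      # e.g. the "!" of "perfect!"
        if tail and tail.start() > 0:
            parts.append(tail.group())
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ["123456789", "Mousy123", "Iloveyou", "Princess", "abc123"]:
        print("%-12s %s" % (candidate, policy_violations(candidate) or "ok"))
    derived = passphrase_to_password("My 1st sentence to remember is perfect!")
    print("%-12s %s" % (derived, policy_violations(derived) or "ok"))
```

Only the deny-list entry rejects “Mousy123”, which is why the checklist item “technically enforce the use of complex passwords” should include a common-password list and not just length and character-class rules.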
Secure Network for You and Your Guests
Vulnerabilities
Many hotels offer their guests access to the internet. There are major risks if the network designated for your guests’ internet access (wired or WLAN) is connected to the hotel office network. Attackers can use the guest network, which is usually open, to try to get into the hotel office network and gain access to payment information. A WLAN in particular is not confined to the inside of the hotel building; it is readily accessible to anybody on the street. Missing or weak encryption (such as WEP) of the wireless connection and insufficient protection of the WLAN access points enable attackers to penetrate the office network.
Another weak point is access to the settings of the WLAN access points. Manufacturers of WLAN hardware assign default passwords for this access. Anybody who knows these default passwords, which are published on the internet, can cause malfunctions (such as switching the WLAN off), steal data and deactivate encryption. The name of the access point (the so-called “SSID”) preconfigured by the manufacturer is frequently left unchanged, which makes successful attacks even easier because it reveals the device type.
Measures
Separate the guest network from your office network whenever possible. Physical separation is the best solution, i.e. separate cabling and separate data processing. If this is not possible, instruct an IT service provider to separate the networks logically using appropriate protection measures (e.g. a firewall) and to provide and operate the guest network independently of your office network. Guests receive their access data for the internet free of charge or via a prepaid voucher. This way you know who is using your guest network, and guests do not have to disclose any payment card data to activate internet access.
Instruct your IT responsible person or your IT service provider to secure the access points and your hotel office WLANs: use strong encryption (such as WPA2) with strong encryption passwords, and change these passwords regularly (especially when persons who know them leave the company). Change the name (the so-called SSID) of the WLAN access points. Change the default passwords for access to the settings of the WLAN access points, and use complex passwords here as well.
Checklist
Separate guest network for internet access from the office network of the hotel
Hire specialized providers for the provision of guest networks
Introduce vouchers or individual access data for the internet access activation
Activate secure WLAN encryption (e.g. WPA2)
Establish protection of access points and

About usd AG
As an IT security consulting company, we support companies in all aspects of payment card security. This includes technical aspects such as security scans, penetration tests, risk analysis, staff training or the implementation of security processes. However, our core business is providing conceptual consulting services and successfully certifying our customers according to the international security standards of the payment card industry. We do not sell specific products but rather provide independent and objective consulting services to our customers.
Our expertise is based on many years of experience in the IT security and systems engineering fields as well as in the practical application of the BSI, ISO27001 and PCI security standards.
As Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV), accredited by the PCI Council, we are authorized to certify companies throughout Europe according to PCI DSS and PCI PA-DSS. Together we analyze your situation and find integrated solutions with an eye to risks, feasibility and budget.
Information and Support
Do you have any questions or do you need any support? We are at your disposal and would be happy to help you. Telephone: +49 6103 9034-60 Telefax: +49 6103 9034-88 E-Mail: [email protected] Internet: www.usd.de Robert-Bosch-Straße 25 a 63225 Langen