Payment Card Crime: Hotels Face Great Security Risks


© usd AG 2011, www.usd.de

Payment Card Crime in the Hotel Industry

Trafficking in stolen payment card data is a thriving business. The press regularly reports new breaches at international, medium-sized and small companies, and the number of successful attacks that go unreported is estimated to be far higher. According to current studies published by the payment card organizations, the hotel industry is a prime target for payment card fraud. Professional hacker groups and criminal insiders exploit the low level of awareness of these risks that is common in the sector. The consequences of a successful compromise of payment card data can include high claims for compensation, loss of reputation and of guest confidence, and termination of the payment card acceptance contract, which together pose a significant threat to a hotel business.

Causes and Reasons

The hotel industry offers payment card thieves a wide attack surface because payment card data is spread across the whole operation: many departments receive, process and store it. For reservations it arrives through very different channels (phone, e-mail, fax or online) and reaches the hotel long before the guest checks in. Beyond reservations, payment cards are used in many other scenarios in the hotel business, for example purchases in the hotel shop, bookings in the spa and fitness area, and payments at the hotel bar, in the restaurant or in the casino on the premises.


Introducing Countermeasures

The Payment Card Industry Data Security Standard (PCI DSS) was published at the end of 2004 by the international payment card organizations Visa, MasterCard, American Express, JCB and Discover (including Diners Club) to improve the protection of payment card data.

Implementing the security measures defined in this standard is mandatory for every company that stores, processes or transmits payment card data; merchants and service providers are contractually obliged by their acquirers to exercise due diligence. In most cases a hotel can attest compliance with a Self-Assessment Questionnaire (SAQ); where necessary (depending, for example, on transaction volume and on how cards are processed), external security checks such as vulnerability scans by an Approved Scanning Vendor or an on-site assessment are performed. Our PCI Competence Center is at your disposal if you need further information.

usd PCI Competence Center

Our Competence Center advises merchants on all aspects of the PCI security standards. Do you have questions about PCI requirements and conditions? Do you need help filling out the SAQ? We are happy to assist you.

Telephone: +49 6103 9034-90
E-mail: [email protected]

What Can I do?

Solutions do not always have to be complex and expensive. Breach studies repeatedly find that more than three quarters of all attacks could have been prevented by simple means and with little financial effort.

Based on our experience from working with numerous hotels, we have compiled the five most important subjects regarding payment card security in the hotel business. The following compact guideline, which you can follow step by step, shows how to minimize your risk; at the same time you will fulfil the most important requirements of PCI DSS.

Each of the following pages covers one subject. Besides describing the vulnerabilities and possible attack vectors, we give specific countermeasures. The checklist on each page lets you keep track of the measures to take and come closer to your goal step by step.

If you have any questions, we will gladly provide the information you need. Our contact details are on the last page.


Responsible Payment Card Data Handling

Vulnerabilities

Payment cards are the preferred means of payment in hotels. Accordingly, an abundance of payment card data is found on hotel computer systems and in booking and accounting software. Large amounts of data on poorly maintained software and computers attract criminals like a magnet.

The risk of losing control over the security of payment card data grows with the amount of data stored, the number of business processes involved and the number of staff members handling the data. The effort needed to comply with the strict requirements of PCI DSS grows with it, because the standard applies to every IT system, employee and medium (digital or printed) that comes into contact with payment card data.

Measures

The most important principle is: handle as little payment card data as possible. “Payment card data” means any data used in connection with a payment process. The less of this data you store permanently, the less there is for attackers to steal.

We recommend starting with an inventory: in how many places (hotel management software, mailboxes, fax archives, spreadsheets, paper files) is payment card data stored? Then consider how long you actually need to keep it. Review your business processes and establish where the use of payment card data is genuinely necessary.

Please note the following when storing payment card data:

The cardholder’s name and the card’s expiry date may be stored. The payment card number (PAN) may only be stored if it is rendered unreadable, for example by strong encryption or by truncation, i.e. keeping at most the first six and the last four digits and discarding the rest. The same first-six/last-four rule applies when a card number is displayed (masked) on screen or on print-outs, e.g. 1234 56xx xxxx 3456; this is often used when the number is needed for checks and queries.

Sensitive authentication data, i.e. the card security code (CVV2/CVC2), the PIN and the full magnetic-stripe or chip data, must never be stored after authorization, not even in encrypted form; otherwise these features lose their function as security features.

Checklist

Perform an inventory of the data storage for payment cards

Minimize retention period for payment card data

Check secure storage/masking of payment card numbers

Do not store payment card data security features
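As an added example (not part of the original usd brochure), the following Python script performs the kind of inventory recommended above on text data: it scans a text export (for example of a mailbox, a fax-to-e-mail folder, a spreadsheet or a log file) for digit runs that look like card numbers, keeps only those that pass the Luhn check, and reports them in masked form so that the inventory itself does not become yet another store of card numbers. The sample export is constructed for the example and uses well-known public test card numbers.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Every real card number passes it, so
    rejecting failures removes most invoice, phone and booking numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and the last four digits, as PCI DSS allows."""
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (masked_pan, line_number) for every Luhn-valid candidate in text.
    The full number is never returned or printed by this script."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((mask_pan(digits), lineno))
    return hits


# Constructed sample input: a reservation e-mail as it might sit in a mailbox
# export. The card numbers are public test numbers, not real cards.
SAMPLE_EXPORT = """\
Subject: Reservation 12-14 March, guest A. Example
Card: 4111 1111 1111 1111, exp 09/26, CVV 123
Phone: +49 6103 9034-90
Invoice 2021-0000123457 paid by Amex 378282246310005
"""

if __name__ == "__main__":
    for masked, lineno in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: {masked}")
```

Run against the sample, the script reports the two card numbers on lines 2 and 4 and ignores the phone and invoice numbers (the invoice number fails the Luhn check). The CVV sitting next to the card number on line 2 is exactly the kind of sensitive authentication data the text says must never be kept; a finding like this means the whole message has to be deleted, not just the number. The scanner only reads text, so exports of databases, PDFs or images need to be converted first.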


Secure Hotel Management Software

Vulnerabilities

It is impossible to run a hotel without effective Hotel Management Software (HMS). Usually this program also stores and processes payment card data. Using an outdated version, or a version that is not validated according to PCI PA-DSS, incurs a high risk: in these cases data is very often not stored and processed securely.

However, using software that is validated according to PCI PA-DSS is not sufficient on its own. How was the software installed? Did you follow all the recommendations and measures specified by the software manufacturer? Does your service provider have both the technical and the necessary security know-how? How, for example, are maintenance and updates of the software performed? Are there insecure or permanently open remote accesses for the software developer or service provider? Such accesses can also be found and misused by attackers.

Measures

Rely on Hotel Management Software that is validated according to PCI PA-DSS, and make sure it was installed and configured according to the manufacturer’s instructions; the manufacturer has to supply a so-called “Implementation Guide” for this purpose. Verify that the IT service provider who installs and maintains your software has the required security knowledge: does the provider know the requirements of PCI DSS? Discuss with your software manufacturer and/or service provider how maintenance and updates are performed over the internet. Are these accesses secured (for example with individual accounts and strong authentication)? Can they be activated only for the duration of a maintenance session and closed afterwards? Train your staff in handling the Hotel Management Software and make sure that payment card data is only stored in the software and not written down anywhere.

Checklist

Check that the Hotel Management Software in use is PCI PA-DSS validated

Ensure installation of the HMS according to the Implementation Guide

Check service provider’s security know-how regarding PCI DSS

Initiate staff training for secure handling of the HMS

Arrange for protection/deactivation of HMS internet accesses

Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS)

This security standard was developed by payment card organizations such as e.g. VISA and MasterCard especially for software which is intended to process, store or transmit payment card data. Software validation can be performed according to this standard.


Reservations via E-Mail or Fax

Vulnerabilities

Guests quite often send reservations by e-mail or fax. These messages frequently contain payment card data and, because they arrive unencrypted in ordinary mailboxes and fax machines where they tend to linger, they are an inherent security risk.

Measures

1. To minimize the number of reservation inquiries that contain payment card data in the first place, always point out to your guests that sending payment card data by e-mail or fax is insecure and not necessary.

2. Handle the remaining e-mails that nevertheless contain payment card data as follows:

a) Transfer the reservation and the payment card data into your Hotel Management Software (if a paper record is needed, print the e-mail out first and treat the print-out as described in point 4).

b) Delete the e-mail from your inbox and empty the “recycle bin” of both the e-mail program and the operating system.

c) Discuss further measures for “secure” deletion with the person responsible for IT or your IT service provider (e.g. deletion from the e-mail server, where a copy usually remains, or the use of special deletion programs).

3. If incoming faxes are automatically converted to electronic form (e.g. into an e-mail), proceed as in point 2.

4. If reservation inquiries have to be kept on paper, collect and store them in a folder that is kept in a locked cabinet not accessible to the public.

5. When reservation inquiries no longer need to be kept, or at the latest after the guest has checked out, destroy them securely: use a secure document bin or a document shredder of Security Level 4.

Staff who may receive e-mails or faxes containing payment card data must be trained in these procedures.

Checklist

Advise guests of the risk involved in sending payment card data via e-mail or fax

Introduce procedures referring to the handling of e-mails and faxes containing payment card information

Discuss measures for secure deletion with the IT-responsible person/service provider

Initiate training for staff who are in contact with payment card data


User Names and Passwords

Vulnerabilities

It is common in the service sector for several employees to use the same credentials (e.g. a user name/password or a chip card/PIN). Such a “group account” makes it impossible to attribute actions to a person, and it is hard to keep control of who knows the credentials: an employee who leaves the company can pass them on to unauthorized persons.

Moreover, numerous studies show that many users choose the same weak passwords, for example:

123456789, Mousy123, Iloveyou, Princess, abc123

Short numeric sequences and ordinary words found in a dictionary are especially easy to guess. Programs that automatically try all possible combinations, or lists of commonly used passwords, at high speed crack them in a very short time.

Software manufacturers ship their products with default passwords that are often not changed during installation or afterwards. In that case an attacker can easily gain administrative access to the systems using the default-password lists freely available on the internet.

Measures

As a basic principle, only individual user names and passwords should be assigned: never share a user ID. Each employee has to choose and set a personal password when the account is created. Always use secure, so-called complex passwords with a minimum length of seven characters and a mix of uppercase letters, lowercase letters and digits.

Your IT responsible persons or your IT service provider must be obliged to change all default passwords. Because of the high threat, Visa Europe has published a separate hand-out on password security.

Checklist

Terminate the use of group accounts

Obligate staff and service providers to use complex passwords

Technically enforce the use of complex passwords

Obligate IT responsible persons and service providers to change all default passwords

Here is a way to come up with secure passwords and memorize them:

(1) Think of a sentence you can remember (e.g. “My 1st sentence to remember is perfect!”).

(2) Build your password from the first character of each word, keeping a number such as “1st” whole and keeping the final punctuation mark: M1ststrip!
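As an added example (not part of the original brochure), the following Python code shows what “technically enforcing complex passwords” can look like: a policy check covering the minimum length and character classes named above, a blocklist that rejects the weak examples from the text and common vendor defaults even when they satisfy the complexity rules, and a helper that derives a password from a memorable sentence in the way described. The blocklists are constructed for the example; a real deployment would load a full list of leaked passwords instead.

```python
import re

MIN_LENGTH = 7  # PCI DSS minimum length for user passwords; longer is better

# Constructed blocklists for the example. The first set contains the weak
# passwords quoted in the text; a real deployment would use a full list of
# leaked passwords instead.
COMMON_PASSWORDS = {
    "123456789", "mousy123", "iloveyou", "princess", "abc123",
    "password", "welcome1", "hotel123",
}
VENDOR_DEFAULTS = {"admin", "1234", "manager", "default", "changeme"}


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means acceptable.
    Complexity rules alone are not enough: 'Mousy123' satisfies all of them,
    so known-weak and default passwords are rejected explicitly."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if re.fullmatch(r"\d+", password) or re.fullmatch(r"(.)\1*", password):
        problems.append("digits only or a single repeated character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if lowered in VENDOR_DEFAULTS:
        problems.append("is a vendor default password")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def passphrase_to_password(sentence: str) -> str:
    """Build a password from a memorable sentence as the text suggests: the
    first character of each word, ordinals such as '1st' kept whole, and the
    sentence's final punctuation mark retained."""
    parts = []
    for word in sentence.split():
        ordinal = re.match(r"\d+(?:st|nd|rd|th)?", word)
        parts.append(ordinal.group() if ordinal else word[0])
        if word[-1] in "!?.":
            parts.append(word[-1])
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ("123456789", "Mousy123", "admin", "M1ststrip!"):
        result = check_password(candidate, username="frontdesk")
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
    print(passphrase_to_password("My 1st sentence to remember is perfect!"))
```

The check is meant to run wherever a password is set (for example in the account-creation routine of the HMS or the operating system), and the same function can be run against the vendor default list to confirm that no default password survived the installation.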


Secure Network for You and Your Guests

Vulnerabilities

Many hotels offer their guests internet access. It is a major risk if the network intended for guests (wired or WLAN) is connected to the hotel office network: attackers can use the guest network, which is usually open, to get into the office network and reach payment data. A WLAN in particular is not confined to the inside of the building and is readily accessible from the street. Missing or weak encryption (such as WEP) of the radio link and insufficient protection of the WLAN access points allow attackers to penetrate the office network.

Another weak point is access to the settings of the WLAN access points. Manufacturers assign default passwords for the administration interface, and anybody who knows them (they are published on the internet) can cause malfunctions (such as switching the WLAN off), steal data and deactivate encryption. The network name (the so-called SSID) preconfigured by the manufacturer is frequently left unchanged, which reveals the device type and further facilitates attacks.

Measures

Separate the guest network from your office network wherever possible. Physical separation is the best solution, i.e. separate cabling and separate equipment. If this is not possible, have an IT service provider separate the networks logically with appropriate protection measures (e.g. separate VLANs and a firewall) so that the guest network is provided and operated independently of your office network. Hand out the access data for the internet access free of charge or via a prepaid voucher: this way you know who is using your guest network, and the guest does not have to disclose any payment card data to activate the access.
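As an added example, not part of the original brochure and not usd’s own configuration, the following nftables ruleset shows the logical separation described above on a Linux router with three interfaces. The interface names are assumed for the example: wan0 is the internet uplink, office0 the hotel office network (front desk PCs, HMS) and guest0 the guest network, which may also be a VLAN sub-interface; DHCP and DNS for both networks are assumed to run on the router itself. Both networks may reach the internet, guest traffic is never forwarded into the office network, and guests can reach only the router’s DHCP and DNS service, not its administration interface.

```nft
#!/usr/sbin/nft -f
# Hypothetical interface names: wan0 = uplink, office0 = hotel office LAN,
# guest0 = guest WLAN/LAN (physical port or VLAN sub-interface).
flush ruleset

table inet hotel {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Guests may use the router's DHCP and DNS, nothing else.
        iifname "guest0" udp dport { 67, 53 } accept
        iifname "guest0" tcp dport 53 accept
        # The office side additionally manages the router (SSH, HTTPS).
        iifname "office0" udp dport { 67, 53 } accept
        iifname "office0" tcp dport { 53, 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Both networks reach the internet ...
        iifname "office0" oifname "wan0" accept
        iifname "guest0" oifname "wan0" accept
        # ... but nothing is forwarded between guest and office. The policy
        # already drops this; the explicit rule logs attempts from the guest side.
        iifname "guest0" oifname "office0" log prefix "guest-to-office: " drop
        iifname "office0" oifname "guest0" drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

The logged “guest-to-office” entries are worth reviewing: on a correctly configured network they should not occur at all, so every hit is either a misconfigured guest device or somebody probing from the guest network.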

Instruct your IT responsible person or your IT service provider to secure the access points and the hotel’s office WLANs: use strong encryption (WPA2 with AES/CCMP; never WEP), choose a strong WLAN passphrase and change it regularly, especially when somebody who knows it leaves the company. Change the network name (the so-called SSID) of the access points, and change the default passwords for the access points’ administration interface, using complex passwords here as well.

Checklist

Separate guest network for internet access from the office network of the hotel

Hire specialized providers for the provision of guest networks

Introduce vouchers or individual access data for the internet access activation

Activate secure WLAN encryption (e.g. WPA2)

Establish protection of access points and


About usd AG

As an IT security consulting company, we support companies in all aspects of payment card security, including technical aspects such as security scans, penetration tests, risk analyses, staff training and the implementation of security processes. Our core business, however, is conceptual consulting and the successful certification of our customers according to the international security standards of the payment card industry. We do not sell products; we provide independent and objective consulting services to our customers.

Our expertise is based on many years of experience in the IT security and systems engineering fields as well as in the practical application of the BSI, ISO27001 and PCI security standards.

As Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV), accredited by the PCI Security Standards Council, we are authorized to certify companies throughout Europe according to PCI DSS and PCI PA-DSS. Together we analyze your situation and find integrated solutions with an eye to risks, feasibility and budget.

Information and Support

Do you have any questions or need support? We are at your disposal and happy to help.

Telephone: +49 6103 9034-60
Telefax: +49 6103 9034-88
E-Mail: [email protected]
Internet: www.usd.de
Robert-Bosch-Straße 25 a, 63225 Langen
