2015 and 2016 have been plagued with security incidents in the hospitality industry. These are just a few of the breaches that made the headlines in the last 12 months:
- Trump Hotel chain suffers data breach again
- Hyatt names hotels affected by payment information malware
- Payment card data breach affects 54 Starwood Hotels
Alongside its 2016 Data Breach Investigations Report, Verizon has published an industry-specific summary of the causes behind the majority of security incidents in hospitality, which identifies three main threats affecting the industry.
1. Point-of-sale (POS) intrusions
Compromising the computers and servers that run POS applications is still proving fruitful for attackers seeking payment card data. These attacks are a significant threat to the hospitality sector, and accounted for three quarters of incidents in 2015.
Once attackers gain access to the POS devices, they install malware, usually a RAM scraper, which reads card data out of the POS application's memory while it is still in the clear, before it is encrypted for transmission to the payment processor, and then exfiltrates it.
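The pattern matching a RAM scraper relies on to pick card numbers out of memory is the same one a defender can use to find cleartext card data in a memory dump, a log file or a file share. The following Python is an added example written for this page, not code from the original article or from the Verizon report: it scans a buffer for 13 to 19 digit runs and ISO 7813 track 2 records, keeps only those that pass the Luhn check, and reports them masked. The sample buffer and the field names in it are constructed; the card numbers in it are the publicly documented Visa, Mastercard and Amex test PANs, not real cards.

```python
"""Scan a buffer (memory dump, log file) for cleartext primary account numbers.

A RAM scraper locates card data in POS process memory with exactly this kind of
pattern matching; the same scan, run by the defender over memory dumps, logs and
storage, shows where cleartext PANs are sitting in the environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A candidate PAN is a run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Magnetic-stripe track 2 as it sits in POS memory (ISO 7813):
#   ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")


@dataclass
class Hit:
    offset: int      # byte offset of the PAN in the buffer
    masked: str      # first six and last four digits only
    track2: bool     # True if found inside a full track 2 record


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test; weeds out order numbers, timestamps and refs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking in the PCI DSS style: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(data: bytes) -> list[Hit]:
    """Return Luhn-valid PAN candidates in offset order, flagging track 2 records."""
    hits: list[Hit] = []
    covered: list[tuple[int, int]] = []   # byte spans already reported as track 2

    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan):
            hits.append(Hit(m.start(1), mask_pan(pan), track2=True))
            covered.append((m.start(), m.end()))

    for m in PAN_RE.finditer(data):
        if any(lo <= m.start(1) < hi for lo, hi in covered):
            continue                       # digits inside a track 2 record already reported
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan):
            hits.append(Hit(m.start(1), mask_pan(pan), track2=False))

    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: what a fragment of POS process memory or a verbose
# transaction log might contain. The card numbers are the publicly documented
# Visa, Mastercard and Amex test PANs, not real cards; the field names are made up.
SAMPLE_DUMP = (
    b"ORDER=20160315001234 TABLE=12 TOTAL=48.50\x00"
    b";4111111111111111=25121011234567890?\x00"     # swiped card: full track 2
    b"PAN=5555555555554444 EXP=1225\x00"            # keyed-in card
    b"TXNREF=1234567890123456\x00"                   # 16 digits, but fails Luhn
    b"AMEX 378282246310005\x00"                      # 15-digit PAN
    b"PHONE=02079460123\x00"                         # too short to be a PAN
)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_DUMP):
        kind = "track2" if hit.track2 else "pan"
        print(f"offset {hit.offset:5d}  {kind:6s}  {hit.masked}")
```

Run over transaction logs, database exports or shared drives, a scan like this doubles as a quick check against PCI DSS Requirement 3: any hit on disk is cardholder data stored in the clear, which the Standard does not permit. The Luhn filter matters in practice, since order numbers and timestamps of the right length otherwise drown the results in false positives.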
What can you do?
- Ensure you use two-factor authentication, particularly for remote access to POS systems, and that your vendors and support providers do, too.
- Track who’s using your POS systems to make sure they’re being used by the right people.
- Use antivirus software on POS systems and keep it up to date.
2. Denial-of-service (DoS) attacks
DoS attacks account for 20% of incidents in hospitality. They typically use botnets to swamp networks with enormous volumes of traffic, bringing organisations to a complete standstill and forcing key services offline. Unlike the other two threats, they are designed purely to disrupt rather than to steal data.
What can you do?
- Separate critical systems onto different network circuits.
- Have a mitigation plan: know who provides your DoS mitigation service, what it covers and how to activate it.
- Test and update your plan regularly.
3. Insider and privilege misuse
Insider misuse often involves disgruntled current or former employees using their access rights to take confidential information for personal financial gain, but it can also involve collusion with external parties, such as criminal gangs recruiting insiders to obtain the data they want.
What can you do?
- Monitor staff behaviour and train them to be vigilant – check out our e-learning courses.
- Know what data is held on mobile devices and protect it.
- Restrict data access to those who need it for their role, and revoke it promptly when staff leave.
Make sure you’re PCI-compliant
With POS intrusions being the number one threat facing the hospitality industry, it is imperative that firms make sure they’re PCI-compliant and they maintain their compliance.
The PCI DSS can apply across the whole of your organisation, or, if you have correctly segmented the systems that process, transmit or store cardholder data from the rest of your network, only to that cardholder data environment.
It applies to all people, processes and technologies that are involved in the processing, transmission or storage of cardholder data. It does not just cover electronic systems, but extends to paper records, such as receipts, mail order forms, etc., and recordings of phone conversations if they capture cardholder data read out to call centre operators.
Compliance with the PCI DSS is demonstrated by the merchant or service provider successfully completing an assessment of the cardholder data environment against the Standard, either an on-site assessment by a Qualified Security Assessor or, for smaller merchants, a self-assessment questionnaire, depending on transaction volume and the requirements of the acquiring bank.
Producing compliant documentation is a key requirement of the PCI DSS, but fulfilling that obligation by yourself and from scratch is often time-consuming and prone to errors and inconsistencies.
Receive guidance and documentation templates from a PCI Qualified Security Assessor with the PCI DSS Documentation Toolkit.
With easy-to-use, fully customisable, pre-written templates, this toolkit significantly reduces your risk of error, ensures complete coverage of the requirements of the PCI DSS, and is available with 12 months of free updates and unlimited drafting support.