It should no longer come as a surprise that the hotel and food and beverage industries are favorite targets of hackers. Indeed, some commentators have suggested that hackers view the hospitality industry as low-hanging fruit. The 2011 Global Security Report released by Trustwave’s SpiderLabs shows that 67% of the data breach incidents Trustwave investigated in 2010 were from the food and beverage (57%) and hotel (10%) industries. According to the Verizon-Secret Service 2010 Data Breach Investigations Report, the hospitality industry joined financial services and retail as part of the “Big Three” of industries affected by data breaches.

“While a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert. At this time, it appears that the organized crime group responsible for the majority of hospitality breaches in 2009 expanded their target list. Instead of focusing exclusively on the hospitality industry, this group became active within the food and beverage and retail markets as well.” (2011 Trustwave Global Security Report)

The factors that make the hospitality industry particularly vulnerable to hackers include:

  1. the use of vulnerable point-of-sale devices (“POS”) and wireless networks
  2. the difficulty of enforcing compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) in a franchise network where franchisees all use a centralized payment processing network
  3. the volume of card transactions
  4. the retention of card data for reservations and other personal information for use in loyalty programs

Complying with PCI DSS is the right initial step toward protecting credit card data. But compliance alone is not a guarantee against a breach. Passing a PCI assessment only means your company was PCI DSS compliant on that date. Indeed, 21% of the breached entities investigated by Verizon in 2010 had been validated as PCI DSS compliant during their last assessment. Rather, companies must be committed to actively maintaining the security of their system on an ongoing basis. Common best practice recommendations for the unique challenges facing the hospitality industry include:

  • Restrict physical access to confidential information and adopt new encryption and/or tokenization technologies designed to render data useless to unauthorized persons, in addition to only storing encrypted payment card data in a centralized vault;
  • Use complex passwords (not vendor-supplied default passwords) for all access to payment applications, including POS and wireless access; install and update anti-virus and anti-spyware software; regularly scan for malicious software; and set appropriate firewall rules; and
  • Educate employees and franchisees on the company’s data security practices, and require franchisees to comply.

The PCI Security Standards Council published version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements in May 2010. The updated standard and detailed listing of approved devices are available on the Council’s website. The Council’s website also contains a list of Validated Payment Applications.