News for the Hospitality Executive
By Jeremy Rock - January 2011
Abridged version of the full article.
See Part 1 of Data Security.

As I watched the late night news a couple of months ago, there was a special report on hotel credit card breaches and what guests can do to address the problem. Many of us had suspected that the industry has a problem with regard to data security, but for obvious reasons only a few of the breaches had actually been publicized. We are already going through a tough economic downturn, and the last thing we need is guests receiving more negative press about traveling and staying at hotels. Now the story was on one of the major networks, and I noticed immediately that no industry representative was interviewed to provide the hotel's perspective. As a result, the report highlighted the negative aspects of the problem and said nothing positive about what so many organizations have already done toward PCI compliance. Then it struck me that the lack of representation probably had more to do with legal considerations than with the network choosing to exclude the industry's perspective. Nobody wants to be associated with this problem.

This got me thinking. As an industry, we need to start talking about the issue and sharing information about how to combat the problem, rather than continuing to address it quietly on a case-by-case basis. In that spirit, here are a few lessons I have learned that may be of use to organizations that unfortunately find themselves dealing with a breach.

Being Proactive

One of the key things learned from managing a breach is the need to be proactive. Very often organizations take a deer-in-the-headlights approach: once they receive notice from their processor or acquiring bank that they have been breached, they wait for assistance and direction from them on how to address the problem.
The card brands, processors and acquiring banks do not have sufficient experienced resources to provide the detailed direction that most hotels and organizations are looking for, and as such can only issue certain directives, such as the need to conduct an immediate forensic assessment. As a result, organizations that simply follow the basic directives become reactionary: they wait for instructions from the credit card processing organizations rather than becoming proactive and hitting the issue head on.

There are specific reasons for the current methodology for addressing breaches. Very often the processor and card brands want you to contact an authorized forensic company immediately so that it can conduct its initial scans and take the initial hard drive images before any remediation is performed. The reason is that they want to capture any and all evidence associated with the breach, both to aid in tracking the perpetrators and to ascertain the extent of the compromise. This helps them work with the authorities to catch the bad guys, and it helps them identify all of the card numbers that have potentially been exposed so that they can close and re-issue those cards before extensive fraud is perpetrated against them. These all seem to be (and in many cases are) reasonable requests.

The reality of how things play out, however, is the following. It takes some time for the processors and card brands to contact the hotel/resort after a breach has occurred, usually a month or two while they establish a common point of purchase (CPP). When the hotel is contacted, there is very little education on the protocols for addressing the breach; in most cases it is simply told to contact an authorized forensic company immediately to have the network analyzed.
Because financial protocol calls for most hotels and resorts to obtain at least three bids from competing companies, selecting and engaging a forensic firm can take some time. Very often the forensic companies do not have the resources to come on site immediately, and the forensic assessment may occur a month (or more) after the initial breach was reported. All this time the perpetrators continue to operate on the network and cards continue to be compromised, much to the detriment of the organization and its staff.

Following the forensic team's onsite visit, it usually takes a minimum of three to four weeks to receive the reports indicating where the breach occurred and recommendations for addressing the problem. That is if they are able to locate the source of the problem at all: they conduct a scan and take images of the hard drives at a specific point in time, akin to a snapshot, and there are instances where they will not be able to locate or identify the breach. The point is that if you follow protocol and do not try to remediate the network until the forensic report is issued, you could be allowing the bad guys to continue compromising your guests' credit cards and data for an extended period of time.

Beyond the business issue that guests' credit cards are potentially compromised for the duration of the forensic analysis, there is also the issue of the fines and penalties that the card brands, processor and banks may elect to levy against the organization for the breach. These fines and fees are usually linked to the overall number of cards that have been breached and the financial exposure of these entities. That does not take into account the increased exposure to potential lawsuits from individual guests and groups whose data was compromised during the period of the breach. If you're seeing a pattern here, you are getting the picture.
The longer a reactionary approach to a breach persists, the more the damages and resulting costs are going to increase. Given these facts, it is recommended that you work with your processor to address your concerns and have your remediation team involved from the outset with the forensic team, and possibly a certified QSA (recommended but may not be required), to reach a compromise that addresses everyone's interests. The sooner the remediation process can start, the sooner the breach can be contained, which benefits everyone concerned.

Other issues to address now:

Create a Checks and Balances System - Consider the creation of a qualified security assessor (QSA) style role within your organization. (Note that QSA is a designation the PCI Security Standards Council grants to staff of approved external assessor companies; its program for a merchant's own employees is the Internal Security Assessor, or ISA.)

Remediation - If a breach is detected, it is important to show that proactive steps have been and are being taken to protect sensitive data.

Share Knowledge within the Industry

Some suggestions for the industry moving forward include:
Jeremy Rock is the president of the RockIT Group, a technology consulting firm specializing in new development and refurbishment projects. He can be reached at jrock@rockitgroup.com.
Contact: Geneva Rinehart, Managing Editor, Hospitality Upgrade Magazine and the Hospitality Upgrade.com website, www.hospitalityupgrade.com/, grinehart@hospitalityupgrade.com