Hotel Online
News for the Hospitality Executive
   Hospitality Upgrade

Data Security:
So You've Been Breached, Now What?

This article is from the Summer 2010 issue of Hospitality Upgrade magazine.To view more articles covering technology for the hospitality industry please visit the Hospitality Upgrade Web site or to request a free publication please call (678) 802-5307 or e-mail.
By Jeremy Rock
June 2010

click to view magazine version of this article

If you are like me I had recently become numb to the barrage of information on PCI compliance from various trade publications, seminars, conferences, credit card processing companies and other sources that were continually pushing the importance of becoming PCI compliant. From application providers insisting on upgrades to their systems to network service providers looking to tighten the security on firewalls and segmenting the networks everyone was pushing their services in the name of PCI compliance. As a result most people have become blasé to the ramifications of not being compliant.  Then it happens—the dreaded call from the bank.  “We believe that your systems have been breached and we have multiple sources indicating that the credit cards being transacted at your property are being compromised.” The response is usually how could this have happened? You think you run a secure and tight ship and the systems are PCI compliant and up to date.

When this information is first presented it hits you like a ton of bricks. What do we do now? Interestingly enough one of your first meetings will be with a security representative from either the acquiring bank or American Express. They will usually outline the key issues facing your property and get you on the right track. You will learn that the breach could have occurred as a result of either an electronic network compromise or through a manual breach in an internal operational policy or procedure. As a result, you will need to tackle the issue from two fronts. One targeting the network and electronic credit card data and the second was targeting operational policies and procedures. They will also provide you with some data of the cards that they believe were compromised at the property. From this the first thing that you do is try to identify where the cards were used and which merchant ID numbers were affected. They will also advise you to obtain the following assistance right away.

1)  Hire a certified Forensic Assessment Firm
Once you are known to have been compromised, most card brands and acquiring banks will insist that you immediately contact an officially authorized forensic assessment company that has been officially certified by the card brands, Visa (QIRA), MasterCard (QFI), to have them assist with the identification of where your network has possibly been breached. The number one focus here is to stop the bleeding.  You will soon find out that while these firms can be very effective,  their services come at a price. Working with a good forensics resource will help to identify the potential breach sooner rather than later. As such, you will need to interview a few firms and make a selection in a fairly short space in time in order that they may begin their scans and assessments.  (The one thing that you learn is that until you identify the source of the problem [and perform the necessary remediation work]; your guest’s credit cards will continue to be compromised on a daily and real-time basis.) When interviewing the forensic firm, try to ensure that you hire someone with hospitality experience and more importantly one who has experience with remediation work. One thing that you will find out is that while forensic firms will assist with the identification of a potential breach, they usually do not facilitate the remediation due to a conflict of interest. As such, you cannot rely on the forensic firm to resolve/remediate your problems. Also hiring a forensic firm does not necessarily mean that they will be able to locate and identify how the network was breached. The forensic firms will compile a complete report for the card brands and acquiring bank to provide them with a detailed analysis of the network and potential remediation work that will be necessary to bring the property’s network into compliance.

2)  Hire a certified Qualified Security Assessor (QSA)
Along with a forensic assessment firm, the QSA will assist with performing an in-depth assessment of the overall PCI compliance of the property. They will look at not only the network aspect of things, but will analyze and follow through with the properties overall operational policies and procedures to ensure that all aspects of credit card and data security are being adhered to. In addition, they will provide a GAP analysis of where the property currently stands with regards to its overall PCI compliance and in many cases offer advice for potential remediation of areas of concern.  In many cases, the acquiring bank and card brands will also insist that these assessments be made, especially if the property’s merchant level changes as a result of the breach from say a level 4 to a Level 1.

In speaking with Jeff Tutton, president of Intersec Worldwide (an authorized  PCI – QSA firm), he said, “It is important that you identify and select a QSA and forensic auditor that has real-world remediation experience and is not simply a check-box auditor.”  The remediation aspect of a breach is probably the most important aspect of addressing the fallout from a network breach and working with knowledgeable and technically experienced assessors can make a huge difference to stop the bleeding and more compromise of data. To use an oil spill analogy, a compromise of your credit card data through a breach of your network can be likened to the recent oil spill in the Gulf, until the source of the leak is located  and plugged, your guest and customer credit card information will continue to be compromised at a potentially enormous rate and the overall health of your business will continue to be at risk.

3) Hire an IT Network Remediation Firm
In most cases network breaches are remedied through the use of extremely knowledgeable hospitality-focused network engineer and IT resources that have extensive hands-on experience working with the various applications and programs. In many cases they actually locate the source of the breaches and have the skills to apply the necessary remediation work. Often times, properties call on outsourced IT consulting firms to assist with the remediation aspect of the credit card breaches. Not only are they familiar with the various applications that are impacted by the breaches, but they are also experienced in the overall operational requirements that are also part of the overall PCI compliance requirements. From a practicality standpoint, the hiring of the IT remediation team is probably the most important step to take once learning of a potential breach – the sooner you can identify and remediate a breach, the sooner you can stop the fallout from your guests’cards being compromised.

This is an excerpt of Jeremy’s article. For the remainder of the article and helpful sidebars with items to avoid a breach please visit the full article on Hospitality Upgrade – go to


Geneva Rinehart 
Managing Editor 
Hospitality Upgrade Magazine 
and the Hospitality website

Also See: Hospitality Upgrade Releases Summer 2010 Digital Edition / June 2010

HITEC Exhibitors -- Exclusive Video Opportunity; Technology Companies Have Opportunity to Produce Their Own Videos at a Fraction of the Cost during HITEC with the Help of Hospitality Upgrade and Realview TV / May 2010

Hospitality Upgrade Magazine Expects Record Attendance Numbers at Highly Anticipated Ninth Annual CIO Summit; The CIO Summit will be held September 8-10, 2010 at the Omni San Francisco Hotel in San Francisco, California / May 2010

Hospitality Upgrade Launches Redesigned Web Site / April 2010

Notes: From an IT Service Shop - The Latest Virus Threats: Antivirus Soft, Internet Security 2010 / Geoff Griswold & Bert McDonold / April 2010

7 Steps to Position Your Hotel in the New OTA Environment / Tim Coleman / April 2010

Is Your Site Hospitable? 5 Simple Strategies You Can Use to Improve the Customer Experience and Dramatically Boost Conversion / Claude Guay / December 2009

Aligning Digital E-commerce, Distribution, IT, Revenue Management, Sales, Operations and Marketing Objectives / David Atkins / December 2009

Sales 3.0 Technology; Key to New Business Development in 2010 & Beyond / Carol Verret / December 2009

Hospitality Upgrade Magazine Surveyed Hospitality Industry's Top Technology Leaders at Annual CIO Summit With Intriguing Results / October 2009

Hospitality Upgrade Magazine Reports Record-Breaking Attendance for Annual Meeting of Hospitality Industry's Top Technology Leaders; The eighth annual CIO Summit will be held September 9-11, 2009 at the Royal Sonesta Hotel in Cambridge, Massachusetts / August 2009

Twitter or Not to Twitter; Time Waster or Lead Generator? / Cindy Estis Green / August 2009

Clean Up Your (Server) Room! And find some immediate cost saving hiding in plain sight / Lyle Worthington / July 2009

Marketing to the Cell Phone Generation / Bill Geoghegan / July 2009

To search Hotel Online data base of News and Trends Go to Hotel.OnlineSearch
Home | Welcome| Hospitality News | Classifieds|| Industry Resources | Press Releases
Please contact Hotel.Onlinewith your comments and suggestions.