Data Security: So You've Been Breached, Now What?

This article is from the Summer 2010 issue of Hospitality Upgrade magazine. To view more articles covering technology for the hospitality industry please visit the Hospitality Upgrade Web site or to request a free publication please call (678) 802-5307 or e-mail.
By Jeremy Rock, June 2010

If you are like me, you have become numb to the barrage of information on PCI compliance from various trade publications, seminars, conferences, credit card processing companies and other sources that continually push the importance of becoming PCI compliant. From application providers insisting on upgrades to their systems to network service providers looking to tighten the security on firewalls and segment the networks, everyone was pushing their services in the name of PCI compliance. As a result, most people have become blasé to the ramifications of not being compliant. Then it happens: the dreaded call from the bank.

“We believe that your systems have been breached and we have multiple sources indicating that the credit cards being transacted at your property are being compromised.” The response is usually, “How could this have happened?” You think you run a secure and tight ship, and that the systems are PCI compliant and up to date. When this information is first presented it hits you like a ton of bricks. What do we do now?
Interestingly enough, one of your first meetings will be with a security representative from either the acquiring bank or American Express. They will usually outline the key issues facing your property and get you on the right track. You will learn that the breach could have occurred as a result of either an electronic network compromise or a manual breach of an internal operational policy or procedure. As a result, you will need to tackle the issue on two fronts: one targeting the network and electronic credit card data, the second targeting operational policies and procedures. They will also provide you with some data on the cards that they believe were compromised at the property. From this, the first thing you do is try to identify where the cards were used and which merchant ID numbers were affected. They will also advise you to obtain the following assistance right away:

1) Hire a certified forensic assessment firm
2) Hire a certified Qualified Security Assessor (QSA)

In speaking with Jeff Tutton, president of Intersec Worldwide (an authorized PCI QSA firm), he said, “It is important that you identify and select a QSA and forensic auditor that has real-world remediation experience and is not simply a check-box auditor.”
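The scoping step described above, matching the card data the bank supplies against the property's own transaction records to find the affected merchant IDs, as an added illustration that is not part of the original article. It assumes the bank shares only truncated account numbers and that the property can export merchant ID, terminal ID, masked card number and date per transaction; all merchant IDs, terminals and card masks below are constructed.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, NamedTuple

class Txn(NamedTuple):
    merchant_id: str
    terminal_id: str
    masked_pan: str  # first 6 + last 4 as the POS exports it; never the full PAN
    when: date

def scope_breach(bank_cards: Iterable[str], txns: Iterable[Txn]) -> dict:
    """Correlate the acquirer's list of compromised cards with the property's
    transaction export. Returns affected merchant IDs (terminals, hit counts),
    the date window of matched activity, listed cards with no local match, and
    merchants seen for every matched card (the likeliest common point of
    purchase). Masked PANs can collide across cardholders, so this scopes the
    investigation for the forensic firm; it does not prove where the leak is."""
    wanted = set(bank_cards)
    per_merchant: Dict[str, dict] = defaultdict(
        lambda: {"hits": 0, "terminals": set(), "cards": set()})
    dates: List[date] = []
    for t in txns:
        if t.masked_pan not in wanted:
            continue
        m = per_merchant[t.merchant_id]
        m["hits"] += 1
        m["terminals"].add(t.terminal_id)
        m["cards"].add(t.masked_pan)
        dates.append(t.when)
    matched = set().union(*(m["cards"] for m in per_merchant.values()))
    return {
        "merchants": {mid: {"hits": m["hits"], "terminals": sorted(m["terminals"])}
                      for mid, m in sorted(per_merchant.items())},
        "window": (min(dates), max(dates)) if dates else None,
        "unmatched_cards": sorted(wanted - matched),
        "common_point_of_purchase": sorted(
            mid for mid, m in per_merchant.items() if m["cards"] == matched),
    }

# Constructed sample data (hypothetical merchant IDs, terminals and card masks).
BANK_LIST = ["411111******1111", "550000******2222", "378282******3333"]
TRANSACTIONS = [
    Txn("MID-RESTAURANT", "T01", "411111******1111", date(2010, 3, 2)),
    Txn("MID-FRONTDESK", "FD1", "411111******1111", date(2010, 3, 9)),
    Txn("MID-FRONTDESK", "FD2", "550000******2222", date(2010, 4, 14)),
    Txn("MID-SPA", "S01", "999999******9999", date(2010, 4, 20)),  # not listed
]

if __name__ == "__main__":
    print(scope_breach(BANK_LIST, TRANSACTIONS))
```

A listed card with no local match is itself a finding: it points at a merchant ID or channel whose records were not exported, or at a compromise outside the property.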
The remediation aspect of a breach is probably the most important part of addressing the fallout from a network breach, and working with knowledgeable and technically experienced assessors can make a huge difference in stopping the bleeding and further compromise of data. To use an oil spill analogy, a compromise of your credit card data through a breach of your network can be likened to the recent oil spill in the Gulf: until the source of the leak is located and plugged, your guest and customer credit card information will continue to be compromised at a potentially enormous rate, and the overall health of your business will continue to be at risk.

In most cases network breaches are remedied through the use of extremely knowledgeable, hospitality-focused network engineers and IT resources that have extensive hands-on experience working with the various applications and programs. In many cases they actually locate the source of the breach and have the skills to apply the necessary remediation work. Often, properties call on outsourced IT consulting firms to assist with the remediation of credit card breaches. Not only are they familiar with the various applications impacted by the breaches, but they are also experienced in the operational requirements that form part of the overall PCI compliance requirements. From a practical standpoint, hiring the IT remediation team is probably the most important step to take once you learn of a potential breach: the sooner you can identify and remediate a breach, the sooner you can stop the fallout from your guests' cards being compromised.

http://www.hospitalityupgrade.com/_magazine/magazine_Detail-ID-514-So-You%E2%80%99ve-Been-Breached-Now-What.asp

Jeremy Rock is the president of the RockIT Group, a technology consulting firm specializing in new development and refurbishment projects. He can be reached at [email protected].