News for the Hospitality Executive
WASHINGTON, CHICAGO, and AUSTIN (March 15, 2011) – Three major hotel industry associations, including the American Hotel & Lodging Association (AH&LA), Hotel Technology Next Generation (HTNG), and Hospitality Financial and Technology Professionals (HFTP) today issued the following joint statement to hotels regarding organized cyber crime attacks on credit card data. It identifies actions that hotels – and not their system vendors – need to take immediately in order to minimize their vulnerabilities and to avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached.
The three associations play pivotal roles in educating hoteliers and hotel IT professionals on critical issues, and in analyzing and addressing them, and represent critical constituencies of General Managers, Controllers, and IT executives at brands, management companies, and hotels.

“Our decision to address this jointly is directly related to the magnitude of the threat,” said Joe McInerney, CEO of AH&LA.

“We don’t want to dilute the message by saying different things; we all agree on the key steps hotels need to take,” said Frank I. Wolfe, CAE, CEO of HFTP.

“Credit card crime is the top issue for hotel company chief information officers (CIOs) today, but they can’t address it effectively without the help of every General Manager and Controller,” said Douglas Rice, CEO of HTNG.

This alert is not intended in any way to suggest that hotels should not adhere to the Payment Card Industry Data Security Standards (PCI-DSS), which is the best way to avoid being breached. But these standards are complex and often misunderstood, and take time and money to implement. Hotels that have not yet started their PCI compliance can use this information to help focus their initial efforts. Those who think that they don’t need to do anything about PCI because their vendor provides a PCI compliant system will learn that this is not possible, and that there are key actions they still need to manage themselves.

STATEMENT ON CREDIT CARD SECURITY
Cyber criminals are systematically attacking systems that store credit card data, including Point-of-Sale and Property Management Systems. The criminal organizations are highly structured and integrated with the world’s organized crime rings. Detailed forensic analysis by law enforcement agencies and specialized private-sector security practices, as well as by security departments at major hotel groups around the world, leaves little doubt that the attacks on hotels are highly targeted and effective.

Many hoteliers believe they are not vulnerable because they use Point-of-Sale and Property Management Systems that have been validated as conforming to the latest PCI security standards. Unfortunately this is far from the case. Even such validated systems can be vulnerable if the hotel operates them in an unsecured manner. Leading forensics firms agree that the most important security measures are those that keep cyber criminals from getting inside the hotel network in the first place. Once inside, there are many ways for them to steal the data, even if the PMS or POS system itself is secure. In most cases, the hotel, not the vendor, is responsible for preventing unauthorized people from gaining access to their system. This is the hole that is most frequently exploited by the criminals. Even when a national hotel brand or management company provides network security for the hotel, the local property remains in control of important elements.

We urge every General Manager and every Controller to understand that there are three specific actions that they – not their vendors – must take in order to reduce their hotel’s vulnerability to credit card theft. These actions alone will not guarantee your hotel will not be breached. They may not stop a breach that is already in progress. But according to the Verizon Business/US Secret Service report from 2010, 96 percent of breaches would have been stopped had these measures been in place. Many brands and management companies do not perform these functions for hotels. Those that do generally do not (and often cannot) do them all. Your corporate IT department should be able to tell you, very specifically, which things they have done; you will need to address the others. The three actions are:
To do this right, have your IT manager or a network consultant map out your network electronically. They should identify every attached device, and then physically try to log in to each one using the manufacturer’s default login credentials (easily obtainable via an Internet search). If that login and password work, change them. In 53 percent of newsworthy attacks investigated by forensics firm Verizon Business in 2009, the thieves gained entry to the network by using the word “password” as the password. Don’t make it this easy for them. Task your IT Manager to do this, or hire a network consultant.
At the very least, make sure that the administrative and remote-access passwords on all your systems have been changed. Better still, for each vendor that needs remote access, put in place a process that ensures that each time they connect, you know that it is really them (not someone who has stolen their password list), and have approved their connection. While there are many good technology solutions, you can also institute a manual policy of issuing one-time passwords that are changed after each use. If the vendor wants to connect, have your staff call them back on their regular support line with the password. Give the list of passwords only to trusted staff, and store them under lock and key with instructions for changing them. Change the password as soon as the vendor is done.
If you don’t have a firewall, buy one and install it. Even a consumer-grade firewall, available for $100 USD or less, provides a lot more protection than nothing. Get a firewall and configure it properly to prevent the criminals from reaching your machines easily. It should allow only those types of traffic you need, and only to or from Internet addresses that you trust.
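As an added illustration of the third action, and not part of the associations’ statement: the script below encodes “only the traffic you need, and only from addresses you trust” as a default-deny allowlist, renders the equivalent nftables ruleset text for a technician to review, and checks a few constructed inbound connection-log lines against the policy. The vendor address ranges, service ports and log lines are placeholders made up for the example (RFC 5737 documentation ranges), not any real vendor’s addresses, and the nftables output is printed rather than applied.

```python
"""Default-deny allowlist for a small property network (constructed example)."""
import ipaddress
import re

# Constructed allowlist: only the traffic types the property needs, and only
# from address ranges it trusts. Addresses and ports are placeholders.
ALLOW_RULES = [
    # (description, protocol, destination port, trusted source networks)
    ("PMS vendor remote support", "tcp", 3389, ["203.0.113.0/24"]),
    ("POS vendor remote support", "tcp", 22, ["198.51.100.10/32"]),
    ("Brand HQ VPN endpoint", "udp", 1194, ["192.0.2.0/24"]),
]


def rule_matches(rule, proto, dport, src_ip):
    """True when the connection matches this rule's protocol, port and source range."""
    _, r_proto, r_port, nets = rule
    if proto != r_proto or dport != r_port:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def decide(proto, dport, src_ip):
    """Default deny: anything not explicitly allowed is dropped."""
    for rule in ALLOW_RULES:
        if rule_matches(rule, proto, dport, src_ip):
            return "allow", rule[0]
    return "drop", "no matching allow rule (default deny)"


def render_nftables(rules):
    """Render the allowlist as an nftables input chain with a drop policy."""
    lines = [
        "table inet hotel {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for desc, proto, port, nets in rules:
        nets_set = ", ".join(nets)
        lines.append(
            f'    ip saddr {{ {nets_set} }} {proto} dport {port} accept comment "{desc}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Simple key=value log format used by the constructed sample below.
LOG_LINE = re.compile(r"src=(?P<src>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Constructed inbound connection attempts; 198.18.0.5 stands in for an unknown host.
SAMPLE_LOG = """\
2011-03-15T02:11:04 src=203.0.113.44 proto=tcp dport=3389
2011-03-15T02:12:37 src=198.18.0.5 proto=tcp dport=3389
2011-03-15T02:14:02 src=198.51.100.10 proto=tcp dport=22
2011-03-15T02:15:19 src=198.51.100.11 proto=tcp dport=22
2011-03-15T02:17:45 src=192.0.2.7 proto=udp dport=1194
2011-03-15T02:18:03 src=192.0.2.7 proto=tcp dport=23
"""


def audit_log(text):
    """Return (src, proto, dport, verdict) for every parseable log line."""
    results = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        verdict, _ = decide(m["proto"], int(m["dport"]), m["src"])
        results.append((m["src"], m["proto"], int(m["dport"]), verdict))
    return results


if __name__ == "__main__":
    print(render_nftables(ALLOW_RULES))
    for src, proto, dport, verdict in audit_log(SAMPLE_LOG):
        print(f"{verdict:5s} {proto}/{dport} from {src}")
```

Note that a trusted vendor address on an unneeded port (the telnet attempt from 192.0.2.7) is still dropped, and a trusted port from an address outside the vendor’s range (198.51.100.11) is dropped as well: both conditions in the statement have to hold before a connection is let through.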
This is not a complete security plan. The Payment Card Industry Data Security Standards (PCI-DSS) outline many actions that you should take to secure your systems, and provide more details on these and other actions. We strongly recommend that hotels take the PCI requirements seriously, because the threat is real and because PCI is effective. However, many hotels have told us they find completing the PCI standards very challenging, or believe that their vendors have them covered. If this describes your mindset, then it is time for you to take ownership of security for your hotel systems. Start work immediately on these three important areas that are entirely under your control; that can be addressed quickly, inexpensively, and effectively; and that can dramatically improve your security.

Additional Resources

AH&LA has created a primer, Payment Card Industry Compliance Process for Lodging Establishments, which helps demystify PCI compliance and explain it in terms that make sense for hoteliers. This quick reference tool is a great starting point and helps hoteliers quickly get up to speed via checklists, planning guides, and links to additional resources. The cost is $10 for AH&LA members and $20 for nonmembers, and it may be purchased via the Educational Institute. Members may download a copy via the American Hotel & Lodging Educational Foundation website.

About American Hotel & Lodging Association

Serving the hospitality industry for a century, AH&LA is the sole national association representing all sectors and stakeholders in the lodging industry, including individual hotel property members, hotel companies, student and faculty members, and industry suppliers. Headquartered in Washington, D.C., AH&LA provides members with national advocacy on Capitol Hill, public relations and image management, education, research and information, and other value-added services to provide bottom-line savings and ensure a positive business climate for the lodging industry.
Partner state associations provide local representation and additional cost-saving benefits to members.

About Hospitality Financial & Technology Professionals

HFTP, Austin, Texas, USA and Maastricht, The Netherlands, founded in 1952, is the global professional association for financial and technology personnel working in hotels, clubs and other hospitality-related businesses. HFTP provides first-class educational opportunities, research, and publications to members around the globe, including the premier hospitality technology conference HITEC — founded in 1972. HFTP also awards the only hospitality-specific certifications for accounting and technology — the Certified Hospitality Accountant Executive (CHAE) and the Certified Hospitality Technology Professional (CHTP) designations. HFTP was founded in the USA as the National Association of Hotel Accountants.

About Hotel Technology Next Generation

The premier technology solutions association in the hospitality industry, Chicago-based HTNG is a self-funded, non-profit trade organization with members from hotel and hospitality companies, technology vendors to hospitality, and other industry members including consultants, media, and academic experts. HTNG’s members participate in focused workgroups to bring to market open solution sets addressing specific business problems. HTNG fosters the selection and adoption of existing open standards. Where necessary, it also develops new open standards to meet the needs of the global hospitality industry. Membership in HTNG is open to hotel and hospitality companies, technology vendors to hospitality, consultants, academics, press and others. Currently more than 400 corporate and individual members from across this spectrum, including most of the world’s leading hotel companies and technology vendors, are active HTNG participants.
Contact:
AH&LA: Kathryn Potter, [email protected]
Hotel Technology Next Generation: Brian Larson, Marketing Consultant, +1 847 303 5560, www.htng.org
Hospitality Financial and Technology Professionals: www.hftp.org