HotelsMag March 2014 | Page 49

Technology: Security

altogether, but they should have a defined plan for the personal information they do collect — specifically what it will be used for, what individuals in the organization have legitimate need to access it and how it will be safely disposed of when the time comes. “If it’s not needed, don’t collect it,” Carrington says. “You can’t lose what hasn’t been collected.”
Hackers target hotels

Hotels face outsized challenges in securely completing credit card transactions compared to other sectors. Retail and restaurants need only transmit sensitive data once per transaction, but hotels must send the same data at least twice, at the time of check-in and again at checkout, doubling the exposure risk. Moreover, while retail and restaurants might hold that data for a period past the transaction, the dispute window in those industries is usually about 45 days. Hotels may have to hold the data for six months or more after factoring in the advance booking window and a lengthier dispute period.
Hackers perceive that a successful data breach for hotels would be more lucrative than in other consumer segments, says Jeffrey Parker, vice president of technology for Stout Street Hospitality, a Denver-based management company.
“Hotels have a big struggle — our average transactions are huge compared to retail or even restaurant transactions,” Parker says.
Indeed, the recent data breach of U.S. hotels managed by White Lodging Services Corp. — which exposed the names printed on customers’ credit and debit cards, credit and debit card numbers, the security code and card expiration dates — is a testament to how attractive the hotel industry is to hackers.
To mitigate this, look for tokenization to gain more traction in 2014 as a strategy to fend off card data theft. With tokenization, credit card data is replaced by what is essentially indecipherable coding before it is transmitted and later translated, so if the transmission were to be intercepted by hackers, the data would be worthless.
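The following is an added illustration, not code from the article or from any vendor it quotes, of what tokenization does for the two-transmission problem described above. A hypothetical in-memory token vault replaces the card number with a random token at check-in; the checkout charge reuses that token, so the real card number crosses the hotel network once at most, and a captured token on its own reveals nothing but the last four digits. The vault class, the message format and the Luhn pre-check are assumptions made for the example; the card number used is the widely published Visa test number, not a real card.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches mistyped card numbers, says nothing about fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault (assumption for this example).

    The real PAN lives only here. The property management system, its logs
    and the authorize/capture messages see only the token. In production the
    vault sits behind its own hardened, segregated service, usually operated
    by the payment processor rather than the hotel.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Swap a PAN for a random token that keeps only the last four digits."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Same card -> same token, so checkout can reuse the check-in token
        # instead of transmitting the card number a second time.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits carry no information about the real PAN.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the settlement step inside the vault's trust boundary calls this."""
        return self._token_to_pan[token]   # KeyError for a token the vault never issued


def simulate_stay(vault: TokenVault, pan: str) -> dict:
    """Constructed check-in / checkout flow; returns what leaves the front desk."""
    token = vault.tokenize(pan)                                   # once, at check-in
    checkin_msg = {"event": "authorize", "card": token, "amount": 150.00}
    checkout_msg = {"event": "capture", "card": token, "amount": 412.50}
    wire = [checkin_msg, checkout_msg]
    return {
        "token": token,
        "wire": wire,
        "pan_on_wire": any(m["card"] == pan for m in wire),   # False: PAN never transmitted
    }


if __name__ == "__main__":
    v = TokenVault()
    result = simulate_stay(v, "4111111111111111")   # published Visa test number
    for msg in result["wire"]:
        print(msg)
    print("card number appeared on the wire:", result["pan_on_wire"])
```

The point of keeping the token in a separate vault is that an attacker who intercepts either message, or dumps the front-desk system, gets a value that cannot be charged anywhere; the exposure window the article describes (months of retention, two transmissions per stay) then applies to tokens rather than card numbers.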
Even with tokenization, though, employee naiveté remains another hurdle to data security. Hospitality workers tend to want to help guests any chance they get, posing a data security risk through “social engineering.” A rudimentary example of this might be someone engaging a worker in friendly banter in an effort to procure a network access code. Or, more surreptitiously, a guest could offer a sob story about needing to urgently print a document and convince a front desk agent to insert a USB drive into a back-of-house computer, unknowingly uploading any number of malicious programs. Addressing social engineering challenges starts with retraining employees to maintain an appropriate vigilance about computer threats, says Stan Stahl, president of Los Angeles-based data security firm Citadel Information Group.
Beyond PCI compliance

Top executives need to be made fully aware of data security risks and continuously engaged in risk management. “This is not something that should be delegated to a compliance department, because the reputation of the organization could be in peril,” Carrington says.
Perhaps the most egregious data security mistake some hotel companies continue to make is failing to physically segregate guest Internet from back-of-house networks. In addition, the hotel’s credit card processing network should be physically segregated from all other networks.
Likewise, Stahl suggests designating a segregated back-office computer solely for online banking. “There’s no reason for a hotel not to be doing that, and yet I don’t know any that are,” he says.
If data must be transferred between networks, do so only on a secure network that can be tracked and logged.
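As an added example (not from the article), the segregation advice in the last three paragraphs can be turned into an audit that a hotel's IT staff could run over its firewall rule set: guest Internet must not reach any internal segment, the card processing network must have no path to or from any other internal network, the banking workstation must talk to nothing internal, and any remaining transfer between internal networks must be logged. The segment names, addresses and rule format are constructed for this example; a real rule set would be exported from the firewall and converted to the same dictionaries.

```python
import ipaddress

# Constructed segment plan for a hypothetical hotel. The addresses are
# assumptions for this example, not taken from the article.
SEGMENTS = {
    "guest_internet": ipaddress.ip_network("10.10.0.0/16"),
    "back_of_house": ipaddress.ip_network("10.20.0.0/24"),
    "card_processing": ipaddress.ip_network("10.30.0.0/24"),
    "banking_workstation": ipaddress.ip_network("10.40.0.5/32"),
    "front_desk": ipaddress.ip_network("10.50.0.0/24"),
}


def segment_of(cidr: str) -> str:
    """Map an address or CIDR from a rule to the segment that contains it."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return "external"


def audit_rules(rules: list[dict]) -> list[str]:
    """Flag allow rules that contradict the article's segregation advice.

    Each rule is {"src": cidr, "dst": cidr, "action": "allow"|"deny", "logged": bool}.
    Same-segment traffic and Internet egress are out of scope for this audit.
    """
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = segment_of(r["src"]), segment_of(r["dst"])
        if src == dst or "external" in (src, dst):
            continue
        path = f'{r["src"]} -> {r["dst"]} ({src} -> {dst})'
        if "guest_internet" in (src, dst):
            findings.append("GUEST_NOT_SEGREGATED: " + path)
        elif "card_processing" in (src, dst):
            findings.append("CARD_NETWORK_NOT_SEGREGATED: " + path)
        elif "banking_workstation" in (src, dst):
            findings.append("BANKING_PC_NOT_DEDICATED: " + path)
        elif not r.get("logged", False):
            findings.append("TRANSFER_NOT_LOGGED: " + path)
    return findings


# Constructed rule sets. 203.0.113.0/24 stands in for the upstream Internet
# and payment-processor link.
GOOD_RULES = [
    {"src": "10.10.0.0/16", "dst": "203.0.113.0/24", "action": "allow", "logged": False},
    {"src": "10.30.0.0/24", "dst": "203.0.113.0/24", "action": "allow", "logged": True},
    {"src": "10.10.0.0/16", "dst": "10.20.0.0/24", "action": "deny", "logged": True},
    {"src": "10.20.0.0/24", "dst": "10.50.0.0/24", "action": "allow", "logged": True},
]
BAD_RULES = [
    {"src": "10.10.0.0/16", "dst": "10.20.0.0/24", "action": "allow", "logged": True},
    {"src": "10.20.0.0/24", "dst": "10.30.0.0/24", "action": "allow", "logged": True},
    {"src": "10.40.0.5/32", "dst": "10.50.0.0/24", "action": "allow", "logged": True},
    {"src": "10.20.0.0/24", "dst": "10.50.0.0/24", "action": "allow", "logged": False},
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit_rules(rules) or ["no findings"])
```

A rule-level check like this only sees what the firewall policy says; "physically segregated" in the article means there is no shared switch or cable at all, which the audit cannot confirm, so a clean result is a necessary but not sufficient condition.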

Data security tips

›› Make sure computer programs are updated with the latest security patches. Daily updating is best, but weekly is the minimum frequency.
›› Change passwords often.
›› Control Internet access by installing site-scanning software that prevents employees from accessing dangerous websites, intentionally or accidentally. Similarly, control what can be downloaded onto hotel networks by blocking access to cloud storage servers like Dropbox and Google Drive, which can be used as attack vectors.
›› Never allow a foreign USB drive on a back-of-house network.
›› Issue policies governing explicitly what guest information franchisees and management companies are and are not permitted to collect.
›› Consider buying cyber crime insurance; while banks typically reimburse individuals who are victims of fraud, businesses usually must absorb monetary losses. For a small company, a breach could be financially devastating.
›› Create a detailed crisis management and brand protection plan if a breach does occur.