Townsend Security Data Privacy Blog

The risks with handling customer data when you’re operating a business are inherent. Whether you run a hotel, resort, or casino you are probably handling thousands to millions of pieces of important customer data, much of which should be protected using technological controls. Most industry standards mandate that you protect data such as names, credit card information, protected health information (PHI), and other personally identifiable information (PII) with strong encryption and encryption key management. Hospitality is one of these industries that must comply with regulations, specifically Payment Card Industry (PCI) security standards as well as state privacy laws.

Unlike retail stores that handle credit card information via individual transactions, businesses that fall under the category of hospitality such as hotels, resorts, and cruise-lines deal with greater risks from having to hold on to a client’s credit card information over time. The property management systems (PMS) that handle this data should be using encryption and encryption key management while the data is stored.

Think back to the last time you booked a hotel reservation. The first thing you were asked to provide was a credit or debit card number. By the time you’ve made your trip, stayed in the hotel, and are ready to check out, do they ask for your credit card again? No. They’ve been storing it since you gave it to them, and they have it on file just in case you ate some snacks out of the minibar. They keep your card number because they’ll want to charge you for those macadamia nuts.

While holding on to customers’ card information mitigates certain risks for hotels, the processes of storing their customers’ sensitive data also results in new, more challenging risks around data security. Many people in the hospitality industry know this and take preventative measures, many businesses are still suffering from the pains of not having a working data security strategy.

What are the pain points?

• Hospitality industry is targeted by hackers
• IT systems of franchise hotels are interconnected, resulting in larger data breaches
• Smaller hotels often have weaker data security systems
• When customer data is held over time there is greater risk of a data breach
• Implementing security that protects the data, such as encryption and encryption key management, has a reputation for being difficult and costly
• Hospitality organizations need powerful solutions that integrate seamlessly into their existing IT infrastructure

The technology vendors that sell hospitality organizations the property management systems and payment application systems that house and protect customer cardholder data need to know that these pain points are real. The only way to protect customers and avoid data breach notification is by protecting the data itself using encryption and strong encryption key management. Encryption renders sensitive data unreadable, and if you’ve securely stored your encryption keys away from the encrypted data, malicious intruders will never be able to “decode” or “unlock” the encrypted data. Implementing a strong encryption key management solution can be difficult for many IT teams in any organization. Offering hotels and casinos powerful encryption key management through their property management and payment application systems is an untapped opportunity for hospitality software vendors to increase revenue.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, resorts and casinos.  Intrusion prevention such as firewalls and strong passwords are of course recommended, but hospitality organizations need to know that they will not protect your data from an intelligent hacker. With the appropriate technology in place any hospitality business can not only detect unauthorized or malicious access to sensitive data in real time, but can also be assured that their data is safe if they are using strong encryption and encryption key management. These controls fortify your IT infrastructure with security that does more than give hackers a fun challenge to break through.

To learn more about encryption key management to meet PCI requirements and protect your business in the event of a data breach, download the podcast, “Must-Haves in an Encryption Key Manager,” featuring security expert Joan Ross, CISSP-ISSAP, HISP.

If you’re an independent software vendor (ISV) who sells payment applications to retailers, what does it mean when your payment application meets PCI standards, but doesn’t actually protect your customers? A lot of people out there, especially consumers, wouldn’t even think the security of the software that handles their credit card data is an issue. Many people don’t realize that there’s a huge problem with data security in point-of-sale (POS) and retail software applications. However, time and time again we see major data breaches occurring through cash register systems that process credit card data, which invariably means that those systems aren’t adequately protecting consumer data.

The problem with data security in payment applications arises when retail ISVs and POS vendors certify their payment applications with the Payment Card Industry Security Standards Council (PCI-SSC). The PCI-SSC requires that these businesses use strong encryption and encryption key management in their payment applications. Although most payment application vendors incorporate encryption and encryption key management into their solutions, many of them do it poorly, skating by with the minimum requirements. In the end, their applications pass certifications but would not protect their customers--or themselves--in the event of a data breach.

And data breaches are happening every day! Today data breaches are considered a matter of “when,” not “if.” It is almost a certainty that it is only a matter of time before a data breach affects one of your customers.

Unfortunately, encryption and encryption key management are complicated tools for ISVs to build on their own--in fact, doing a “home grown” encryption project is almost never recommended by encryption experts. Because many ISVs don’t have the resources to create their own encryption and encryption key management, Townsend Security offers an encryption key management solution that retail ISVs and POS vendors can integrate into their applications to provide their customers with industry standard, certified data security solutions.

We recently published an eBook titled, “Overcoming Critical Security Issues - a Guide to Proper Encryption Key Management,” for POS vendors and Retail ISVs. Read an excerpt written by Townsend Security Founder and CEO Patrick Townsend and download the eBook now:

“Merchants are very worried about data breaches and the potential effect of a breach on their business. The average data breach costs a company $5.5 million, which includes the cost of fines as well as the costs associated with lost business, litigation, and brand damage. A successful exploit of poor data security can destroy years of work building brand reputation. Smaller businesses may never fully recover from a well-publicized data breach. Payment application vendors with poor encryption and key management are subjecting not only their customers to these risks, but themselves as well.”

Good encryption and key management for credit card numbers will also give payment application vendors an advantage over their competitors. PCI standards are not set in stone; data security is constantly evolving to meet new challenges and threats. CEOs and Product Managers in the payment application industry should be having a high-level discussion about data security. Now is the time to move to a second generation data security strategy for protecting customer credit card information. You need a solution that doesn’t just look good on paper, but will protect you and your customers in the event of a breach.”

To read more, download the eBook now.

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers.
Because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management and we believe that good encryption and key management is the cornerstone of good security.  Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity          

I know... you are thinking “Key management is both costly and difficult” - while that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost effective licensing model, and we will even OEM or “white label” for you because we don’t believe issues around branding should get in the way of good data security.

2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. Just because a solution has been certified once, outdated encryption and key management practices might not suffice during the next certification process. Since encryption and key management are necessary components of payment application systems, providing customers with third party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll help you achieve your own FIPS certification under our OEM program. In order to confidently protect your customers, NIST and FIPS certifications ensure that encryption key management has been tested against government standards and will protect compromised data in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model.  So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses “How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.
 

As always, we welcome your comments and questions! 

When it comes to encrypting credit card numbers to meet PCI security regulations and prevent data breaches, point of sale (POS) vendors selling payment application software often implement encryption key management that is cobbled together and doesn’t meet best practices. For POS vendors who supply retail businesses with complete cash register systems, including POS terminals and payment application software, inadequate key management solutions leave retailers vulnerable to data breaches.

Although all POS vendors must certify their payment application software under the PA-DSS standard, many vendors skate by with poor encryption and encryption key management that has been thrown together to meet the bare minimum requirements.

Although their vendors have passed the test, retailers are still experiencing some of the largest data breaches because their POS vendors don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data.

At the end of the day, individual businesses are responsible for their own data security; however, POS vendors offering payment application software can boost their own security posture and protect their own reputation by offering better encryption key management for credit card numbers to their customers. Database administrators and information security officers in retail companies can ease their fear and anxiety about their POS solutions. They can rest easy if their POS vendor provides a FIPS-certified encryption and key management solution with these three advantages:

1. Encryption Key Management that is Easy to Use - Good encryption key management should be easy to install, configure, evaluate, license, and sell to end users. Townsend Security’s 1U server plugs right into your IT infrastructure and requires no on-site technician to install. Our cross-platform encryption key management HSM integrates seamlessly into Microsoft, IBM i, Linux and other legacy platforms. Our team provides training, OEM integration, NIST and FIPS certifications, marketing materials, and consistent back end support as well as sample code, binary libraries, applications, key retrieval and other tools you and your customers need to implement encryption and key management fast and easily.

2. Encryption Key Management that is Cost Effective - Small and mid-sized retailers are a growing target of hackers due to the fact that these companies tend to have less data security. These companies, however, need to secure their sensitive data and must meet compliance regulations just like larger businesses do. We strongly believe that cost should not be a barrier to any business. Townsend security offers cost-effective licensing and easy deployment for seamless integration in less time and at an affordable price. We also offer OEM and “white label” options to save time and pain around branding. The average data breach costs a company $5.5 million. With better encryption and key management, you can save your customers millions of dollars.

3. Encryption Key Management that Protects Your Company in the Event of a Breach - In today’s technology climate, data breaches are no longer a matter of “if,” but “when.” Even the strongest networks can be hacked. The only way to secure data is to encrypt the data itself, thereby making it unreadable and unusable to unauthorized users. However, the encrypted data is only as safe as the encryption keys! In the retail industry, the responsibility of a data breach will fall on the retail company that experienced the breach, as well as the POS and software vendors. If a breach occurs to one of your customers, encryption key management will protect your customers and protect your own organization as well.

Almost every single POS vendor offers encryption and key management for their payment applications, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

The last thing a POS vendor wants is a data security plan that looks good on paper but doesn’t deliver when the going gets tough. The good news is that the right tools are easily available to companies who want to not only meet, but exceed compliance and prepare for evolving data security standards. “Good security breeds good compliance and not the other way around -- compliance is the low bar,” says Mark Seward, senior director of security and compliance for Splunk. With a Townsend Security partnership, POS vendors can offer their customers industry standard and NIST/FIPS certified solutions by implementing an OEM encryption key manager that is customized for their specific applications.