Townsend Security Data Privacy Blog

Liz Townsend

Virtual Encryption Key Management - 5 Things to Look For

Posted by Liz Townsend on Jan 28, 2014 4:52:00 PM

Virtual encryption solutions are becoming more and more popular with organizations that are now running their applications and data centers on virtual machines and in the cloud. Although a traditional hardware security module (HSM) for key management may still be the most convenient encryption key management solution for some companies, a virtual encryption key management solution is ideal for companies who are moving to virtual machines and the cloud in order to reduce cost and complexity. Even in virtual and cloud environments, you must protect your sensitive data and manage your encryption keys in order to meet retail, healthcare, and financial regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.

Listen to the Podcast on Key Management Options

Of course, choosing a virtual key management and cloud-based encryption vendor can be difficult. Heck--encryption key management has a reputation for being difficult in itself. That’s why when choosing a virtual encryption key management solution, it’s important to look for these five differentiating factors:

1. Free 30 day trial any time of the year. A vendor that offers a free thirty day trial only during a limited promotional window may not be giving you a fair chance to evaluate. Sure, installing a virtual encryption key manager is faster and easier than deploying an HSM in your data center, but the back-end decision making and evaluation in your company may take at least several weeks, if not months. Look for a virtual solution that you can deploy fast, but without the pressure of a limited trial, and when you’re ready.

2. Client side applications and SDKs. Every company’s IT infrastructure is different. One of the most frustrating aspects of adopting an encryption key management solution can be roadblocks associated with needing specialized solutions or software development kits (SDKs). Today many organizations utilize both a cloud solution as well as physical hardware. Your encryption key management vendor should provide you with resources to make securing these systems easy. Better yet, they should be free.

3. Help you move to any cloud service. The cloud is always growing. With so many different cloud vendors available to you, you’ll want the power to decide which cloud you choose to move to. Your virtual encryption key management vendor should be able to support your move to the cloud whether you decide to move to VMware’s vCloud, Windows Azure, or Amazon Web Services (AWS).

4. World-class, enterprise level encryption key management for businesses of any size. Cost should not be a barrier to security. Choosing a virtual encryption key management solution can be difficult, especially when you’re faced with a tight budget. You should always ask your potential encryption key management vendor about their pricing model--do they price per key manager instance as well as additional costs per connection? Can they scale their solution to meet your company’s needs?

5. Personal attention & world-class service. Bigger isn’t always better. In the complicated world of encryption and encryption key management, you want a vendor who can move fast, pay attention to detail, and be there for you in times of need.

Townsend Security offers NIST FIPS 140-2 compliant virtual encryption key management with the added bonus of specializing in scalable solutions to meet the needs of any size of company. Free 30 day trials have been and will always be available for all of our solutions during any time of the year.

Alliance Key Manager for VMware, vSphere, and vCloud, and Alliance Key Manager for Windows Azure provide full life-cycle management of encryption keys to help organizations meet PCI DSS, HIPAA, and FFIEC compliance in virtual and cloud instances.  With built-in key replication, key retrieval, and administrative controls, Alliance Key Manager virtual machine is a secure, reliable, and affordable key management solution for a wide variety of business applications and databases.  Additionally, Alliance Key Manager supports on-appliance encryption and decryption services so that your encryption key is always kept separate from the data it protects. We provide free client side applications and SDKs to make deployment faster and easier than ever.

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

7 Reasons Why Using VMware Makes Key Management Easier Than Ever

Posted by Liz Townsend on Jan 16, 2014 4:42:00 PM

Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware and moving to the cloud. With these technologies they can consolidate resources and “rent” space in the cloud to run their applications. However, this can be a dangerous move for businesses with applications and servers that contain sensitive information that must be protected under industry regulations such as PCI-DSS, GLBA/FFIEC, and HIPAA/HITECH. That’s why encrypting this data in virtual environments and in the cloud is critical.

However, businesses need to remember that encryption is only half of the solution. They must securely manage their encryption keys as well. How can they accomplish strong key management in a VMware instance, you ask? With virtual encryption key management, of course.

Virtual encryption key management is available to VMware users, and will make your decision to move to virtual environments easier than ever. If your concern over data security is preventing you from using a virtual environment, there are 7 reasons why choosing a virtual key manager can help you make that step.

1. Strong and defensible security in the virtual world - Encryption key management is required or strongly recommended by most industry regulations. This is because in today’s cyber environment, strong passwords and firewalls alone are not enough to keep attackers out. Encrypting data at its source and managing the keys well is what limits the damage once the perimeter fails. If a hacker or malicious user gains access to the encrypted data but the keys are protected, the data is “scrambled” and useless to the intruder; if the keys sit on the same system as the data, the encryption protects nothing.

2. Less expensive - Virtual environments were designed to help businesses reduce costs and complexity by allowing them to run multiple operating systems on a single piece of hardware instead of having to buy a hardware system for each operating system. Virtual key management is also less expensive since it has no hardware components and is installed directly onto the virtual platform.

3. Less complex - Without the burden of hardware, virtual encryption key management is easier to deploy than the traditional hardware security module (HSM).

4. Helps you meet compliance - If meeting compliance regulations is a concern, encryption key management for VMware will get you in line with several compliance requirements such as PCI-DSS and GLBA/FFIEC. Use key management software whose cryptographic module carries a NIST FIPS 140-2 validation, and ask the vendor for the CMVP certificate number: a claim of “compliance” without a certificate means the module has not been independently tested.

5. Data protection where you need it - Every business’ IT environment is different. Even if you are moving to a virtualized environment for most of your applications, you may still want to run some databases and applications with very sensitive data on their own dedicated servers. If you choose to, you can manage your encryption keys for that data using the virtual key manager as well.

6. Virtual HA and failover - With virtual encryption key management you can choose to use virtual machines for your high availability (HA) and/or failover key managers as well. Of course you can always choose the option of using an HSM for these services as well.

7. Prepares you to move to the cloud -  The amazing thing about virtual environments is that once you have your data center running in them, moving them to the cloud is a piece of cake. In fact, VMware supports a direct move from VMware to vCloud. Many businesses with sensitive data opt for a private cloud option which offers a little more peace of mind; however, most cloud providers including public vCloud are acceptable if you are using encryption and strong key management to protect your data in the cloud!

Townsend Security’s Alliance Key Manager for VMware enables enterprises to lower operational costs, meet compliance requirements, deploy encryption key management in the cloud, and accelerate deployment of mission critical security technology through a virtualized encryption key manager. Alliance Key Manager for VMware supports VMware ESX, VMware vSphere (ESXi), and vCloud. Townsend Security is a VMware Technology Alliance Partner (TAP).

Request the Key Management Best Practices How-to-Guide

Topics: Encryption Key Management, VMware, Cloud Security

What You Need to Know About PCI DSS v3.0

Posted by Liz Townsend on Jan 3, 2014 1:36:00 PM

Every few years since its inception in 2006, the Payment Card Industry Security Standards Council (PCI SSC) has revised and updated the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS) to improve security for the payment card industry worldwide. These revisions, clarifications, and new points of guidance are based on considerations and recommendations by experts in the field of data security as well as over 700 organizations that process cardholder data. At the end of their review period, the PCI SSC concluded that revisions needed to be made based on these problematic themes in the payment card industry:

  • Lack of education and awareness of how to implement and maintain PCI standards - a major problem since the improper implementation of PCI standards leads to data loss and breaches
  • Weak passwords and authentication
  • Lack of consistency of responsibility when implementing necessary third party security features
  • Slow detection of threats
  • Inconsistency of PCI assessments [1]

Since the release of v3.0 in November 2013, many organizations affected by PCI DSS and PA DSS are asking: Are there new revisions regarding encryption and key management in v3.0, and what do I need to do in order to meet new recommendations, regulations, and best practices? Luckily, much of version 3.0 hasn’t changed from 2.0. However, many important clarifications have been made. In section 3 of PCI DSS (the section pertaining to encryption and management of encryption keys), version 3.0 makes clarifications regarding these aspects of encryption and key management [2]:

  • Stricter controls around the protection and deletion of authentication data
  • Key management procedures must be both implemented and documented
  • The requirement of PAN masking
  • The critical use of dual control and split knowledge
  • The mandate that logical access for disk encryption must be managed separately and independently of the native operating system authentication and access control mechanisms, and that decryption keys must not be associated with user accounts.

Version 3.0 has also split requirement 3.5.2 into two separate requirements to emphasize the importance of both storing encryption keys in a secure location (3.5.2) and storing them in the fewest possible locations (3.5.3) [2].

Based on the themes they found and the revisions made, it is clear that the PCI SSC is moving toward making their regulations stricter. What’s even more interesting is that in this last review, more than half of the recommendations came from experts and organizations outside of the United States. This is likely because the United States lags other regions such as the European Union in terms of credit card data security, and since the PCI SSC sets worldwide regulations, they must set standards that meet the highest expectations.

We recommend all organizations worldwide look to the highest standards and follow best practices and recommendations (whether they are required or not) since these evolving requirements are based on current conditions and threats in the data security world and indicate future hardened regulations.

To learn more about encryption key management best practices, download NIST Special Publication 800-57, “Recommendation for Key Management,” Parts 1, 2 and 3.

[1] PA-DSS & PCI DSS change highlights

[2] PCI DSS 3.0 summary of changes

Topics: Compliance, PCI DSS, Best Practices, PCI, PCI SSC

Vimeo, Evernote Take Action after Adobe Data Breach

Posted by Liz Townsend on Dec 16, 2013 2:05:00 PM

But Are They Doing Enough?

Following the Adobe data breach that was reported in October of this year, other internet companies are still asking their users to reset their passwords. Facebook, Evernote, and now Vimeo are among companies who have alerted their users to the dangers of using identical passwords for multiple websites.
The Adobe breach of usernames and passwords is one of the largest in history, exposing upwards of 150 million usernames and passwords. Data breaches that expose this kind of login information are extremely problematic today since so many people use the same login information for many websites including banking and healthcare sites. Access to these sites could lead a hacker to uncovering information such as date-of-birth or even a social security number that could be used for identity theft or fraud. Unfortunately, the Adobe breach could lead to identity theft for millions.

No company wants to be considered the cause of identity theft, which is why these other businesses are taking action to reset user passwords. The big question that comes to my mind, however, is: Are they doing enough? When Adobe revealed the breach, it also brought to light the fact that they had not been using adequate security to protect their customers’ sensitive information. The breach occurred on a backup system where customer passwords were stored using DES encryption (a weak and outdated encryption standard that is no longer recommended for protecting sensitive data). Current best practice is not to store passwords under any reversible encryption at all, but to store only a salted hash built on the Secure Hash Algorithm 2 (SHA-2) family. Storing passwords under DES goes against best practices for username and password security, and although Adobe was using SHA-2 to protect most of its users’ data, the backup systems were the ones that were hacked.

It’s difficult to speculate on any company’s security practices, but the precedent of poor security practices when it comes to securing usernames and passwords is widespread. In 2013, several major (and widely publicized) data breaches of user information were traced back to the use of weak and out-of-date hash algorithms. LinkedIn, eHarmony, and LivingSocial all experienced similar, major data breaches earlier this year. The Adobe breach signals that major e-commerce businesses may be ignoring the lesson their peers had to learn the hard way. As we’ve seen, willful ignorance is not a method of data protection.
Besides asking their users to change their passwords, what could Adobe have done, and what can Vimeo, Facebook, and Evernote do now to protect sensitive user information?

  • Update hash algorithms as soon as possible wherever sensitive data is stored. Do NOT use MD5 or SHA-1; these are known to be weak and should never be used for this purpose. Use one of the SHA-2 family of hashes such as SHA-256 or SHA-512, and use it inside a slow, iterated password-hashing construction such as PBKDF2 (NIST SP 800-132) rather than as a single fast hash, so that offline guessing stays expensive.
  • Always use a salt with your hashes, and choose a strong salt value. We recommend adding a minimum of 128 bits of cryptographically strong salt, generated fresh for each password, to the password you are hashing.
  • Protect your salt value using a hardware security module (HSM), such as an external key management server. Like encryption keys, the salt value should be protected away from the hashed and salted data. (A per-user salt is normally stored beside each hash; what gains from being held on a key server is an additional site-wide secret, often called a pepper, mixed into every hash so that a stolen table cannot be attacked offline without also compromising the key server.)
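As an added example (not code from the original post or from Townsend Security), here is what the three recommendations look like together in Python using only the standard library: a fresh 128-bit salt per password, PBKDF2 over SHA-256 as the slow hashing construction, a separately held secret (the pepper) mixed in with an HMAC, and constant-time verification. The record format, the iteration count, the `legacy_unsalted_md5` comparison function and the sample users are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not values from the post).
SALT_BYTES = 16        # 128 bits of random salt per credential, as the post recommends
ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster
DIGEST = "sha256"      # a SHA-2 family hash; MD5 and SHA-1 are deliberately not used


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt>$<tag>".

    The salt is fresh per credential and stored inside the record. The pepper
    is a secret that never goes into the credential database (the post suggests
    holding such a value on an HSM or key server); it is mixed in with an HMAC
    so that a stolen credential table cannot be attacked offline without it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    # Slow, salted derivation: an attacker pays ITERATIONS hashes per guess.
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, ITERATIONS)
    # Bind the result to the externally held pepper.
    tag = hmac.new(pepper, dk, DIGEST).digest()
    return "$".join([
        "pbkdf2_" + DIGEST,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(tag).decode("ascii"),
    ])


def verify_password(password: str, pepper: bytes, record: str) -> bool:
    """Recompute the record from the stored salt and compare in constant time."""
    scheme, iterations, salt_b64, tag_b64 = record.split("$")
    if scheme != "pbkdf2_" + DIGEST:
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, int(iterations))
    expected = hmac.new(pepper, dk, DIGEST).digest()
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(expected, base64.b64decode(tag_b64))


def legacy_unsalted_md5(password: str) -> str:
    """The pattern the post warns against: one fast hash, no salt.

    Every user with the same password gets the same stored value, so one
    cracked entry (or a precomputed table) exposes all of them at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    pepper = os.urandom(32)  # in practice fetched from the key server at start-up
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}

    weak = {u: legacy_unsalted_md5(p) for u, p in users.items()}
    print("unsalted MD5 identical for both users:", weak["alice"] == weak["bob"])

    strong = {u: hash_password(p, pepper) for u, p in users.items()}
    print("salted PBKDF2 records differ:", strong["alice"] != strong["bob"])
    print("alice login ok:", verify_password(users["alice"], pepper, strong["alice"]))
    print("wrong password rejected:", not verify_password("password1", pepper, strong["alice"]))
    print("wrong pepper rejected:", not verify_password(users["alice"], b"other", strong["alice"]))
```

Two users with the same password produce different records because each record carries its own salt, so a leaked table reveals neither duplicates nor anything a precomputed table can match; and without the pepper held on the key server, even a correct guess cannot be confirmed against the stolen tags.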

To learn more about data breach prevention, download the podcast, “How LinkedIn Could have Avoided a Data Breach.”

Topics: Encryption Key Management, Data Breach, Hashing

Why Partner With Townsend Security?

Posted by Liz Townsend on Dec 2, 2013 4:11:00 PM

What Should You Look for in a Strong Technology Partner?

What does a strong technology partnership look like? One of the biggest challenges growing businesses face is bringing on new partners and building relationships that are built on solid people and products. Business executives are fearful, and rightly so, that any new technology partner may pose a huge risk to their own company. Any partnership is a basic agreement based on the trust that a partner’s product is good, will not fail, and will be available in the market in the long run. Most executives have experienced that trust being broken.

In a recent video with Townsend Security CEO Patrick Townsend and Mark Foege, Business Development Consultant and Principal at the Colvos Group, both Mr. Townsend and Mr. Foege outlined the importance of building strong technology partnerships for success, and what to look for in a partner.

According to Patrick Townsend, "Getting partnerships right is difficult. You really need someone who’s going to behave like a partner and not an adversary. It seems obvious, but in fact it’s very difficult to accomplish in most technology environments.”

One example Mr. Townsend gave was for an OEM partner. If a company integrates a partner’s product into their own technology, and that partner hasn’t built the product well, doesn’t provide solid back end support, or if their company folds and the product is no longer available, then the partnership can become toxic and unsustainable. 

Mark Foege reiterated that strategic successful partnerships are built on three core components:

  • Powerful solutions
  • Minimized cost
  • Minimized complexity

These components ensure that the product will not only be affordable and easy to use by end users, but the products will be powerful, and by integrating or selling them a business will be able to grow new revenue.

At the end of the day, a business only wants to partner with a technology company that has a good reputation. Mr. Foege recounted, “I was recently speaking with one of our partners, and I had asked them, what’s important to them when they partner with somebody. He said, my reputation is only as good as the reputation of those that I partner with, and that’s why they were excited to partner with Townsend Security. We realize that everything we do impacts the reputation of our partners. That’s why it’s important to us to provide solid, high value products, to make sure we are offering consistently first class support, and we work with our partners to make sure that their customers are completely delighted."

When it comes to encryption and encryption key management, having a strong, trustworthy partner is critical to your success in providing strong data security to your customers. Encrypting sensitive data is easier than ever, and protecting encryption keys is easier today as well; however, providing these solutions without thorough back-end support from your encryption key management vendor can be disastrous. That’s why Townsend Security provides extensive support, knowledge, and training to all of our partners as well as marketing materials, encryption libraries, and many other resources to make offering encryption a painless task.

To learn more about Townsend Security partnerships, watch the full video below or visit our partner page.

Topics: partners, OEM

Hotels and Hospitality ISVs Can Do More to Prevent Data Breaches

Posted by Liz Townsend on Nov 7, 2013 2:36:00 PM

4 Best Practices to Prevent a Data Breach

Last year a massive data breach at Wyndham Hotels was revealed to have exposed payment card data of over 600,000 customers during three breaches over two years. This has resulted in massive, ongoing litigation from the Federal Trade Commission (FTC).

In a few articles I read about this breach, recommendations were offered to hotels, and to the payment application ISVs who provide their payment software, on how to prevent a data breach from happening to them. Most of these suggestions were variations on a theme: use strong passwords, reset passwords often, use strong firewalls, and get compliant with PCI-DSS or PA-DSS.

There’s nothing inherently wrong with those recommendations. In fact, these are good recommendations. However, businesses in the hospitality and retail industries should know these three facts: Firstly, passwords and firewalls will not keep an intelligent hacker out of your network. They will also not help you if a hard drive or backup tape containing sensitive data is lost or stolen. Lastly, it is possible to be PCI compliant and still be vulnerable to a breach.

Victims of a data breach will often blame the regulations for not using specific language around how to adequately protect data. Unfortunately, there is some truth to these complaints. Many data security professionals would agree that cyber security regulations do not mandate strict enough guidelines around the protection of sensitive data. For example, the Payment Card Industry Security Standards Council (PCI-SSC) sets forth a set of regulations and recommendations for the protection of credit and debit card-holder data called the PCI Data Security Standards (PCI-DSS). PCI-DSS mandates the use of strong encryption and secure protection of encryption keys for encrypted data at rest or data transferred across networks. However, PCI-DSS does not give specifics on how to manage keys securely and in a way that will prevent a data breach. Thus, many businesses use poor key management and are still at risk for a breach.

PCI-DSS Section 3 puts hospitality businesses on the right track by mandating encryption and key management; protecting the data itself is a critical step to preventing a breach. However, several best practices need to be utilized in order for encryption to do its job. It’s not enough to encrypt--you must protect your encryption keys using these critical steps:

  1. Use a dedicated hardware security module (HSM) or virtual appliance. Using an external, secure key server to manage encryption keys is critical to success. Many companies store their encryption keys on the same server as the encrypted data. If an intruder gains access to this server, they will have access to the key and will be able to decrypt the sensitive data.
  2. Use certified solutions. When choosing a key management solution, look for NIST FIPS 140-2 validation and ask for the CMVP certificate number. A validation certificate shows that the key manager’s cryptographic module has been tested by an accredited third-party laboratory against government standards; “FIPS compliant” without a certificate means no such test was done.
  3. Use Dual Control, Separation of Duties, and Split Knowledge. These access controls ensure that no single person alone has total access to or management of encryption keys or the encrypted data they protect.
  4. Document Key Lifecycle and Rotation. Your key manager should be able to rotate encryption keys automatically or manually, with complete documentation of key rollover and history.

In the articles I’ve read on the Wyndham data breach and FTC litigation, there is almost no mention of the need for encryption, despite the fact that encryption is a primary control mandated by PCI-DSS. It was even revealed that Wyndham had stored cardholder data in the clear (meaning unencrypted), and yet few articles pointed out this massive failure to protect the data itself. While strong passwords and firewalls are considered a fundamental step to preventing unwanted intrusions, most data security experts now agree that with common attacks such as SQL injection and phishing-delivered malware, hackers can easily get past these barriers. The only way to truly protect data is to protect the data itself, with encryption, and to keep the encryption keys away from the data.

To learn more about encryption key management, download the eBook, “Encryption Key Management Simplified.”

Encryption Key Management Simplified eBook

Topics: Best Practices, Hospitality/Gaming

PASS Summit 2013 - We’ll Be There! Will You?

Posted by Liz Townsend on Oct 8, 2013 3:00:00 PM

Townsend Security, an industry leader in data security and encryption key management, will be exhibiting at the PASS Summit in Charlotte, North Carolina this year on October 15-18. We will feature our FIPS 140-2 compliant encryption key management hardware security module (HSM), along with our new hosting option for managing your encryption keys in the cloud.


Will you be attending PASS this year? The Professional Association for SQL Server (PASS) hosts this summit every year, and it is the largest conference for SQL Server users and professionals worldwide. Look for us in booth #322 to learn more about how easy encryption and encryption key management can be with your SQL Server. Whether you are using a legacy version of SQL Server or SQL Server 2012 with Transparent Data Encryption (TDE) and Extensible Key Management (EKM), Alliance Key Manager can manage your encryption keys.

How Alliance Key Manager for SQL Server protects your data:

  • Automation of all key management tasks including rotation, retrieval, and generation in a central location
  • Uses Microsoft’s Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) on SQL Server 2008/2012
  • Works with all versions of SQL Server

Key Management Hosted in the Cloud
Townsend Security's new Alliance Key Manager Hosted HSM solution allows customers to own a dedicated key manager HSM in a hosted environment. The solution consists of a production HSM and a high availability (HA) HSM in geographically dispersed data centers under an ITIL-based control environment independently validated for compliance against PCI DSS and SOC frameworks. Unlike other hosted encryption key management offerings, only the customer has administrative and security access to the HSMs.

Encrypting Data in Microsoft SharePoint
Since Microsoft SharePoint runs on top of a SQL Server environment, protecting data in SharePoint is easier than ever. Many SQL administrators are fearful that their users are storing sensitive, unencrypted data in SharePoint, and they rightly should be. Alliance Key Manager for SQL Server can help to secure this data.

Encryption Key Management for SQL Server Enterprise Edition
Alliance Key Manager for SQL Server integrates seamlessly with TDE and EKM technologies to enable automatic encryption in SQL Server 2008/2012 Enterprise Edition and above. Additionally, Alliance Key Manager for SQL Server supports cell level encryption, which allows database administrators to select the columns they wish to encrypt in a database - a benefit for many administrators with larger databases.

Encryption Key Management for SQL Server 2005
Many SQL users are still running earlier editions of SQL Server that don’t support EKM & TDE. However, running older versions of SQL Server does not limit your ability to encrypt data and manage encryption keys! Townsend Security supports cell level encryption for SQL Server 2005.

Multi-Platform Environments
Alliance Key Manager isn’t exclusive to the Microsoft SQL suite. In fact, our key management server integrates easily into complex, multi platform environments with many types of databases, operating systems, and programming languages. Our encryption key manager can protect data on the IBM i (AS/400), DB2, Oracle, Linux, Windows, and in the cloud.

To learn more, download our white paper "Encryption Key Management for Microsoft SQL Server 2008/2012."

Topics: Microsoft, Encryption Key Management, White Paper, Trade Shows, SQL Server

3 Critical Best Practices for Encryption Key Management on the IBM i

Posted by Liz Townsend on Oct 7, 2013 1:35:00 PM

Patrick Botz, founder of Botz and Associates and former Lead Security Architect at IBM, recently published a White Paper in conjunction with Townsend Security discussing dual control, split knowledge, and separation of duties--three critical controls needed to protect encryption keys and encrypted data on the IBM i platform. These controls are considered “best practices” in the IT industry, and it is common knowledge amongst security professionals that without these controls in place, any organization could be at risk for a major data breach.


Just like financial controls that are put in place to prevent fraud in a business, these concepts are used in IT security to prevent data loss. As data breaches are reported in the news almost every day, we can easily see the consequences of data loss: public scrutiny, hefty fines, lost business, and litigation are just a few of the ramifications. Implementing these controls reduces the potential for fraud or malfeasance caused by the mishandling of data or a data loss event due to hackers, employee mistakes, or stolen or lost hardware.

In this white paper Patrick Botz outlines the importance of these three controls and explains why they must be used to protect data stored in IBM i databases. Botz discusses on-board master key capabilities provided by the IBM Cryptographic Services APIs on an IBM i, the limitations of the IBM i Master Key Facility, and why organizations should use third-party key management to protect their sensitive data.

The top 3 critical best practices are:

Separation of Duties - This is a widely known control put in place to prevent fraud and other mishandling of information. Separation of duties means that different people control different procedures so that no one person controls multiple procedures. When it comes to encryption key management, the person who manages encryption keys should not be the same person who has access to the encrypted data.

Dual Control - Dual control means that two or more people control a single process. In encryption key management, this means at least two people should be needed to authorize access to an encryption key, so that no single person can retrieve a key on their own.

Split Knowledge - Split knowledge prevents any one person from knowing the complete value of an encryption key or passcode. Two or more people each know only a part of the value, and all parts must be present to create or re-create the key or passcode. While split knowledge is not needed to create data encryption keys on the IBM i, it is needed for the generation of master keys, which in turn protect the data encryption keys. Any encryption keys that are accessed or handled in the clear in any way should be protected using split knowledge.

These three core controls should always be used when storing or transferring encrypted sensitive data. A certified, hardened hardware security module (HSM) designed to secure data encryption keys and key-encrypting (master) keys should build these controls into the administration of the key manager. NIST FIPS 140-2 validation is an important certification to look for in an encryption key manager. This certification shows that your key manager’s cryptographic module has been tested against government standards and will stand up to scrutiny in the event of a breach.
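The split knowledge and dual control described above (and item 3 of the best practices in the hospitality post) can be made concrete with a small key-ceremony model. The following Python is an added example, not code from the white paper or from Townsend Security, and it does not use the IBM i Cryptographic Services APIs: each custodian generates a random component, the master key is the XOR of all components and exists only inside `combine_components` (a real HSM does this step internally and never releases the result), and `load_master_key` refuses to assemble the key unless the required number of distinct custodians present components whose check values match. The 256-bit key size and the truncated-SHA-256 check value are assumptions for this example; production HSMs usually compute a KCV by encrypting a block of zeros under the key.

```python
import hashlib
import secrets
from typing import Dict, Iterable, List

KEY_BYTES = 32  # 256-bit master key; an assumption for this example


def check_value(key: bytes) -> str:
    """Key check value (KCV): lets a custodian confirm a component was entered
    correctly without revealing it. Truncated SHA-256 is an assumption here;
    HSMs usually encrypt a block of zeros under the key and keep a few bytes."""
    return hashlib.sha256(key).hexdigest()[:6]


def generate_component(custodian: str) -> Dict[str, object]:
    """Each custodian generates their own random component and records its KCV.

    A custodian sees only their own component, never the assembled key."""
    component = secrets.token_bytes(KEY_BYTES)
    return {"custodian": custodian, "component": component, "kcv": check_value(component)}


def combine_components(components: Iterable[bytes]) -> bytes:
    """XOR all components together. Every component is required: leaving any
    one out yields a value that is itself uniformly random, so a subset of
    custodians learns nothing about the key. In a product this step runs
    inside the HSM and the result never leaves it."""
    key = bytes(KEY_BYTES)
    count = 0
    for component in components:
        if len(component) != KEY_BYTES:
            raise ValueError("component has the wrong length")
        key = bytes(a ^ b for a, b in zip(key, component))
        count += 1
    if count < 2:
        raise ValueError("split knowledge needs at least two components")
    return key


def load_master_key(entries: List[Dict[str, object]], required: int) -> bytes:
    """Dual control: refuse unless `required` distinct custodians are present,
    and reject any component whose KCV does not match the one recorded at
    generation time (this catches a mistyped or substituted component)."""
    present = {e["custodian"] for e in entries}
    if len(present) < required:
        raise PermissionError(f"{required} custodians required, {len(present)} present")
    for e in entries:
        if check_value(e["component"]) != e["kcv"]:
            raise ValueError(f"check value mismatch for {e['custodian']}'s component")
    return combine_components(e["component"] for e in entries)


if __name__ == "__main__":
    # Constructed demonstration: three custodians, all three required.
    parts = [generate_component(name) for name in ("alice", "bob", "carol")]
    master = load_master_key(parts, required=3)
    print("master key KCV:", check_value(master))
    partial = combine_components(p["component"] for p in parts[:2])
    print("two of three components reproduce the key:", partial == master)
    try:
        load_master_key(parts[:2], required=3)
    except PermissionError as err:
        print("dual control enforced:", err)
```

The recorded custodian names and check values are the audit trail the white paper asks for: they show who took part in the ceremony and let a component be verified on re-entry, while the components themselves stay with their custodians and the assembled key stays inside the key manager.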

Automatic Encryption on V7R1
With the release of IBM i V7R1, users can now encrypt data automatically with no application changes. This is great news for IBM i users since encryption has been a difficult task in the past, needing specialized encryption solutions for earlier versions of IBM i. Protecting your encryption keys in an external key management HSM is the critical next step to protecting your encrypted data.

To learn more about encryption key management for the IBM i download the full White Paper “Encryption Key Management for IBM i - Sources of Audit Failures,” by IBM i security experts Patrick Botz and Patrick Townsend.


Topics: Separation of Duties, Patrick Botz, Split Knowledge, IBM i, Encryption Key Management, White Paper, Dual Control

Encryption Key Management Best Practices for Executives

Posted by Liz Townsend on Sep 20, 2013 11:42:00 AM

What do business executives need to know about encryption key management best practices? As it turns out, CEOs don’t need to know every tiny detail about encryption and the tools used to protect encryption keys, but they do need to know enough to protect their business and mitigate major risks.

Just like financial and legal best practices that business executives are tuned in to and monitor weekly, if not daily, business leaders need to have a heightened awareness of how their IT departments are handling both their own and their customers’ sensitive data. Sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII) such as names, addresses, email addresses, and passwords needs to be protected as mandated by industry regulations and many state laws. Unencrypted data or encrypted data with poorly protected encryption keys is a ticking time bomb that could lead to a major data breach.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the critical security risks executives face, how to start a conversation on data security with your IT team, and the encryption and key management best practices that will save your company from a data breach.

Patrick Townsend explains the importance of protecting encryption keys:

“Executives need to know that A.) they might not be encrypting the data that they need to, and B.) if they are encrypting that data, they might not be protecting their encryption keys, which are the core secret that has to be protected the right way. When you leave the house in the morning and you lock your door, you don’t tape the key right next to the lock. Your house key would be easy to find when you come home, but we all know that’s a bad practice. In a similar way, a lot of organizations are not implementing best practices around protecting encryption keys and are putting their business at risk.”

The major risks associated with unencrypted or poorly encrypted data are these:

  • A data breach is no longer a matter of “if” but “when”
  • The average cost of a data breach is $5.4 million, according to the Ponemon Institute
  • This cost typically is a culmination of fines, lost customers, brand damage, credit monitoring, and litigation

How does an organization properly encrypt its sensitive data? It needs to follow best practices such as deploying AES encryption and NIST FIPS 140-2 compliant key management, along with the operational controls of separation of duties, split knowledge, and dual control.

Encryption key management best practices will:

  • Provide you with strong encryption
  • Provide you with powerful, defensible encryption key management
  • Protect your business in the event of a data breach
  • Put you in compliance with industry and state regulations
  • Give you peace of mind

To learn more about the business risks of data security, download our free eBook "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs" and learn about the business risks associated with unprotected sensitive data, tools and resources to begin the discussion about data security in your company, and actionable steps you can take today.


Topics: Best Practices, Encryption Key Management, Business Risk, Executive Leadership

Property Management Systems Need Stronger Encryption Key Management

Posted by Liz Townsend on Sep 12, 2013 9:50:00 AM

Handling customer data is an inherent risk of operating a business. Whether you run a hotel, resort, or casino, you are probably handling thousands to millions of pieces of important customer data, much of which should be protected using technological controls. Most industry standards mandate that you protect data such as names, credit card information, protected health information (PHI), and other personally identifiable information (PII) with strong encryption and encryption key management. Hospitality is one such industry and must comply with regulations, specifically Payment Card Industry (PCI) security standards as well as state privacy laws.


Unlike retail stores that handle credit card information via individual transactions, businesses that fall under the category of hospitality such as hotels, resorts, and cruise-lines deal with greater risks from having to hold on to a client’s credit card information over time. The property management systems (PMS) that handle this data should be using encryption and encryption key management while the data is stored.

Think back to the last time you booked a hotel reservation. The first thing you were asked to provide was a credit or debit card number. By the time you’ve made your trip, stayed in the hotel, and are ready to check out, do they ask for your credit card again? No. They’ve been storing it since you gave it to them, and they have it on file just in case you ate some snacks out of the minibar. They keep your card number because they’ll want to charge you for those macadamia nuts.

While holding on to customers’ card information mitigates certain risks for hotels, the process of storing customers’ sensitive data also creates new, more challenging risks around data security. Although many in the hospitality industry know this and take preventive measures, many businesses are still suffering from the pains of not having a working data security strategy.

What are the pain points?

  • The hospitality industry is targeted by hackers
  • IT systems of franchise hotels are interconnected, resulting in larger data breaches
  • Smaller hotels often have weaker data security systems
  • When customer data is held over time there is greater risk of a data breach
  • Implementing security that protects the data, such as encryption and encryption key management, has a reputation for being difficult and costly
  • Hospitality organizations need powerful solutions that integrate seamlessly into their existing IT infrastructure

The technology vendors that sell hospitality organizations the property management systems and payment application systems that house and protect customer cardholder data need to know that these pain points are real. The only way to protect customers and avoid data breach notification is by protecting the data itself using encryption and strong encryption key management. Encryption renders sensitive data unreadable, and if you’ve securely stored your encryption keys away from the encrypted data, malicious intruders will never be able to “decode” or “unlock” the encrypted data. Implementing a strong encryption key management solution can be difficult for many IT teams in any organization. Offering hotels and casinos powerful encryption key management through their property management and payment application systems is an untapped opportunity for hospitality software vendors to increase revenue.
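To make concrete what “keys stored away from the encrypted data” means for a property management system, here is an added example in Go; it is not the post’s code and not any PMS vendor’s. It assumes envelope encryption with AES-256-GCM, an in-memory KeyManager type that stands in for the external key manager or HSM (in production that would be a network or HSM call, and the KEK would never be in application memory), and a constructed test card number and reservation id.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager stands in for the external key manager or HSM: the key encryption
// key (KEK) never leaves it, and the application may only ask it to Wrap or
// Unwrap a data encryption key (DEK). Assumption: one KEK, named by keyID.
type KeyManager struct {
	keyID string
	kek   []byte
}

func NewKeyManager(keyID string) *KeyManager {
	return &KeyManager{keyID: keyID, kek: randomBytes(32)}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand does not return errors on supported platforms
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends a random nonce. aad is bound to
// the ciphertext, so it cannot be decrypted under a different context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any tampering with ciphertext or context.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (km *KeyManager) Wrap(dek []byte) ([]byte, error) { return seal(km.kek, dek, []byte(km.keyID)) }
func (km *KeyManager) Unwrap(w []byte) ([]byte, error) { return open(km.kek, w, []byte(km.keyID)) }

// CardRecord is what the property management system persists. It carries no
// usable key: the DEK appears only in wrapped form.
type CardRecord struct {
	Reservation string
	WrappedDEK  []byte
	Ciphertext  []byte
}

// StoreCard makes a fresh DEK per record, encrypts the card number under it
// (bound to the reservation), wraps the DEK and discards the plaintext DEK.
func StoreCard(km *KeyManager, reservation, pan string) (CardRecord, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, []byte(pan), []byte(reservation))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := km.Wrap(dek)
	return CardRecord{reservation, wrapped, ct}, err
}

// RetrieveCard must go back to the key manager to unwrap the DEK; a copy of
// the stored records alone (a database dump) cannot reach the card number.
func RetrieveCard(km *KeyManager, rec CardRecord) (string, error) {
	dek, err := km.Unwrap(rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(dek, rec.Ciphertext, []byte(rec.Reservation))
	return string(pan), err
}

func main() {
	km := NewKeyManager("pms-kek-1")
	rec, _ := StoreCard(km, "RES-1001", "4111111111111111") // constructed test card number
	pan, err := RetrieveCard(km, rec)
	fmt.Println("retrieved through the key manager:", pan, err)
}
```

The stored record holds only ciphertext and a wrapped DEK, so stealing the database yields nothing without a separate request to the key manager, which is where access logging, dual control and alerting on unusual unwrap activity belong. Binding the reservation id as associated data also stops a ciphertext from being moved onto another guest’s record.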

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, resorts and casinos. Intrusion prevention such as firewalls and strong passwords is of course recommended, but hospitality organizations need to know that these measures alone will not protect their data from a skilled hacker. With the appropriate technology in place, any hospitality business can not only detect unauthorized or malicious access to sensitive data in real time, but can also be assured that its data is safe if it is using strong encryption and encryption key management. These controls fortify your IT infrastructure with security that does more than give hackers a fun challenge to break through.

To learn more about encryption key management to meet PCI requirements and protect your business in the event of a data breach, download the podcast, “Must-Haves in an Encryption Key Manager,” featuring security expert Joan Ross, CISSP-ISSAP, HISP.


Topics: Payment Applications, Property Management Systems (PMS), Hospitality/Gaming