Townsend Security Data Privacy Blog

Property Management Systems Need Stronger Encryption Key Management

Posted by Liz Townsend on Sep 12, 2013 9:50:00 AM

The risks with handling customer data when you’re operating a business are inherent. Whether you run a hotel, resort, or casino you are probably handling thousands to millions of pieces of important customer data, much of which should be protected using technological controls. Most industry standards mandate that you protect data such as names, credit card information, protected health information (PHI), and other personally identifiable information (PII) with strong encryption and encryption key management. Hospitality is one of these industries that must comply with regulations, specifically Payment Card Industry (PCI) security standards as well as state privacy laws.

Key Management Must Haves Podcast

Unlike retail stores that handle credit card information via individual transactions, businesses that fall under the category of hospitality such as hotels, resorts, and cruise-lines deal with greater risks from having to hold on to a client’s credit card information over time. The property management systems (PMS) that handle this data should be using encryption and encryption key management while the data is stored.

Think back to the last time you booked a hotel reservation. The first thing you were asked to provide was a credit or debit card number. By the time you’ve made your trip, stayed in the hotel, and are ready to check out, do they ask for your credit card again? No. They’ve been storing it since you gave it to them, and they have it on file just in case you ate some snacks out of the minibar. They keep your card number because they’ll want to charge you for those macadamia nuts.

While holding on to customers’ card information mitigates certain risks for hotels, the processes of storing their customers’ sensitive data also results in new, more challenging risks around data security. Many people in the hospitality industry know this and take preventative measures, many businesses are still suffering from the pains of not having a working data security strategy.

What are the pain points?

  • Hospitality industry is targeted by hackers
  • IT systems of franchise hotels are interconnected, resulting in larger data breaches
  • Smaller hotels often have weaker data security systems
  • When customer data is held over time there is greater risk of a data breach
  • Implementing security that protects the data, such as encryption and encryption key management, has a reputation for being difficult and costly
  • Hospitality organizations need powerful solutions that integrate seamlessly into their existing IT infrastructure

The technology vendors that sell hospitality organizations the property management systems and payment application systems that house and protect customer cardholder data need to know that these pain points are real. The only way to protect customers and avoid data breach notification is by protecting the data itself using encryption and strong encryption key management. Encryption renders sensitive data unreadable, and if you’ve securely stored your encryption keys away from the encrypted data, malicious intruders will never be able to “decode” or “unlock” the encrypted data. Implementing a strong encryption key management solution can be difficult for many IT teams in any organization. Offering hotels and casinos powerful encryption key management through their property management and payment application systems is an untapped opportunity for hospitality software vendors to increase revenue.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, resorts and casinos.  Intrusion prevention such as firewalls and strong passwords are of course recommended, but hospitality organizations need to know that they will not protect your data from an intelligent hacker. With the appropriate technology in place any hospitality business can not only detect unauthorized or malicious access to sensitive data in real time, but can also be assured that their data is safe if they are using strong encryption and encryption key management. These controls fortify your IT infrastructure with security that does more than give hackers a fun challenge to break through.

To learn more about encryption key management to meet PCI requirements and protect your business in the event of a data breach, download the podcast, “Must-Haves in an Encryption Key Manager,” featuring security expert Joan Ross, CISSP-ISSAP, HISP.

Must Haves in an Encryption Key Manager

Topics: Payment Applications, Property Management Systems (PMS), Hospitality/Gaming