Blog | Townsend Security

Hotels and Hospitality ISVs Can Do More to Prevent Data Breaches

Written by Liz Townsend | Nov 7, 2013 10:36:00 PM

4 Best Practices to Prevent a Data Breach

Last year a massive data breach at Wyndham Hotels was revealed to have exposed payment card data of over 600,000 customers during three breaches over two years. This has resulted in massive, ongoing litigation from the Federal Trade Commission (FTC).

In a few articles I read about this breach, recommendations were offered to hotels and payment application ISVs who provide payment software to prevent a data breach from happening to them. Many of these suggestions were variations on a theme: use strong passwords, reset passwords often, use strong firewalls, and get compliant with PCI-DSS or PA-DSS.

There’s nothing inherently wrong with those recommendations. In fact, these are good recommendations. However, businesses in the hospitality and retail industries should know these three facts. First, passwords and firewalls will not keep an intelligent hacker out of your network. Second, they will not help you if a hard drive or backup tape containing sensitive data is lost or stolen. Lastly, it is possible to achieve PCI compliance and still be vulnerable to a breach.

Victims of a data breach will often blame the regulations for not using specific language around how to adequately protect data. Unfortunately, there is some truth to these complaints. Many data security professionals would agree that cyber security regulations do not mandate strict enough guidelines around the protection of sensitive data. For example, the Payment Card Industry Security Standards Council (PCI-SSC) sets forth a set of regulations and recommendations for the protection of credit and debit card-holder data called the PCI Data Security Standards (PCI-DSS). PCI-DSS mandates the use of strong encryption and secure protection of encryption keys for encrypted data at rest or data transferred across networks. However, PCI-DSS does not give specifics on how to manage keys securely and in a way that will prevent a data breach. Thus, many businesses use poor key management and are still at risk for a breach.

PCI-DSS Section 3 puts hospitality businesses on the right track by mandating encryption and key management; protecting the data itself is a critical step to preventing a breach. However, several best practices need to be utilized in order for encryption to do its job. It’s not enough to encrypt--you must protect your encryption keys using these critical steps:

  1. Use a dedicated hardware security module (HSM) or virtual appliance. Using an external, secure key server to manage encryption keys is critical to success. Many companies store their encryption keys on the same server as the encrypted data. If an intruder gains access to this server, they will have access to the key and will be able to decrypt the sensitive data.
  2. Use certified solutions. When choosing a key management solution, look for NIST validation and FIPS 140-2 compliance. These certifications ensure that your key manager has been tested by a third party against government standards.
  3. Use Dual Control, Separation of Duties, and Split Knowledge. These access controls ensure that no single person alone has total access to or management of encryption keys or the encrypted data they protect.
  4. Document Key Lifecycle and Rotation. Your key manager should be able to automatically or manually rotate encryption keys with complete documentation of key rollover and history.
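
To make step 3 concrete, here is an added example (not from the original post or from any Townsend Security product) of split knowledge and dual control for a key-encryption key. The names `split_key`, `check_value` and `KeyCeremony` are hypothetical, and the check value is an assumed scheme chosen so the sketch needs only the Python standard library.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit key-encryption key (assumed size)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key, custodians=2):
    """Split knowledge: n XOR shares; any n-1 of them are uniformly random."""
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for share in shares:
        last = xor(last, share)
    return shares + [last]

def check_value(key):
    """Fingerprint recorded when the key is created, so a rebuilt key can be
    verified without storing it. Assumption: truncated HMAC-SHA256; a real
    key manager or HSM defines its own check-value scheme."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:12]

class KeyCeremony:
    """Dual control: the key is rebuilt only after every named custodian
    has presented a share, and each step lands in an audit trail."""
    def __init__(self, custodians, expected_check):
        self.pending = set(custodians)
        self.expected = expected_check
        self.shares, self.audit = [], []

    def present(self, custodian, share):
        if custodian not in self.pending:
            raise PermissionError(f"{custodian}: not expected or already presented")
        if len(share) != KEY_LEN:
            raise ValueError("share has the wrong length")
        self.pending.remove(custodian)
        self.shares.append(share)
        self.audit.append(f"share presented by {custodian}")

    def rebuild(self):
        if self.pending:
            raise PermissionError(f"missing custodians: {sorted(self.pending)}")
        key = bytes(len(self.shares[0]))
        for share in self.shares:
            key = xor(key, share)
        if not hmac.compare_digest(check_value(key), self.expected):
            raise ValueError("check value mismatch: wrong or corrupted share")
        self.audit.append("key rebuilt and verified")
        return key
```

Each custodian's share on its own is indistinguishable from random bytes, so a single stolen share, or a single insider, cannot recover the key.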

In the articles I’ve read on the Wyndham data breach and FTC litigation, there is almost no mention of the need for encryption, despite the fact that encryption is a primary control mandated by PCI-DSS. It was even revealed that Wyndham had stored cardholder data in the clear (meaning unencrypted), and yet few articles pointed out this massive failure to protect the data itself. While strong passwords and firewalls are considered fundamental steps to preventing unwanted intrusions, most data security experts now agree that, with simple attacks such as SQL injection and malware phishing, hackers can easily break these barriers. The only way to truly protect data is to protect the data itself with encryption, and to protect the encryption keys away from the data.

To learn more about encryption key management, download the eBook, “Encryption Key Management Simplified.”