Townsend Security Data Privacy Blog

Hotels and Hospitality ISVs Can Do More to Prevent Data Breaches

Posted by Liz Townsend on Nov 7, 2013 2:36:00 PM

4 Best Practices to Prevent a Data Breach

Last year it was revealed that a data breach at Wyndham Hotels had exposed the payment card data of over 600,000 customers across three intrusions over two years. The breaches have resulted in ongoing litigation brought by the Federal Trade Commission (FTC).

In a few articles I read about this breach, recommendations were offered to hotels and to the payment application ISVs who supply their payment software on how to prevent a breach from happening to them. Most of these suggestions were variations on a theme: use strong passwords, reset passwords often, use strong firewalls, and get compliant with PCI-DSS or PA-DSS.

There’s nothing inherently wrong with those recommendations. In fact, they are good ones. However, businesses in the hospitality and retail industries should know three facts. Firstly, passwords and firewalls will not keep a determined attacker out of your network. Secondly, they will do nothing for you if a hard drive or backup tape containing sensitive data is lost or stolen. Lastly, it is possible to pass a PCI compliance assessment and still be vulnerable to a breach.

Victims of a data breach often blame the regulations for not spelling out how to adequately protect data, and there is some truth to the complaint. Many data security professionals would agree that security regulations are not strict enough about how sensitive data must be protected. For example, the Payment Card Industry Security Standards Council (PCI-SSC) publishes the PCI Data Security Standard (PCI-DSS), the set of requirements for protecting credit and debit cardholder data. PCI-DSS requires that stored primary account numbers be rendered unreadable (strong encryption is the usual method), that cardholder data be encrypted when transmitted over open, public networks, and that the encryption keys themselves be protected against disclosure through documented key-management processes covering generation, distribution, storage, rotation and retirement. What it does not do is tell you how to build those processes or where the keys may and may not live, so many businesses end up with weak key management and remain at risk of a breach even while meeting the letter of the standard.

PCI-DSS Requirement 3 puts hospitality businesses on the right track by mandating encryption and key management; protecting the data itself is a critical step in preventing a breach. However, several best practices have to be followed for encryption to do its job. It’s not enough to encrypt--you must protect your encryption keys using these critical steps:

  1. Use a dedicated hardware security module (HSM) or virtual appliance. Using an external, secure key server to manage encryption keys is critical to success. Many companies store their encryption keys on the same server as the encrypted data, often in a configuration file or a database table next to the ciphertext. If an intruder gains access to that server, or to a backup of it, they have the key as well and can decrypt the sensitive data. With a separate key server, the application obtains keys (or asks the key server to perform the encryption or decryption) only after authenticating to it, and the keys never sit on disk beside the data.
  2. Use certified solutions. When choosing a key management solution, look for FIPS 140-2 validation, which is issued under NIST’s Cryptographic Module Validation Program (CMVP) after testing by an accredited third-party laboratory against government standards. A vendor that claims FIPS 140-2 “compliance” but cannot point you to a certificate number on the CMVP validated-modules list has not been through that testing.
  3. Use dual control, separation of duties, and split knowledge. These access controls ensure that no single person has complete access to, or sole control over, the encryption keys or the data they protect: two custodians must act together for sensitive key operations (dual control), each holds only a component of a key rather than the whole key (split knowledge), and the people who administer the keys are not the people who administer the data (separation of duties).
  4. Document key lifecycle and rotation. Your key manager should be able to rotate encryption keys automatically or on demand, keep retired key versions available until the data they protect has been re-encrypted or re-wrapped, and maintain a complete, auditable record of key rollover and history, including which key version protects which data.
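The following is an added example, not code from Townsend Security or from the original post, showing how steps 1 and 4 fit together in an application: a per-record data-encryption key (DEK) encrypts the card number, the DEK is wrapped by a key-encryption key (KEK) that lives only in a separate key server, the database stores nothing but ciphertext plus the wrapped DEK and a key version, and rotating the KEK re-wraps the DEKs and logs the event without touching the cardholder ciphertext. The KeyServer type is a hypothetical in-memory stand-in for an HSM or key appliance, not any vendor’s API; the cryptography is Go’s standard-library AES-256-GCM, and the card number used below is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyServer stands in for an external key manager (HSM or key appliance). It is a hypothetical
// in-memory model, not a product API: only the KEKs live here, and the application database
// never sees them. The zero value is ready to use after one Rotate().
type KeyServer struct {
	keks    map[int]cipher.AEAD // KEK version -> AES-256-GCM instance
	current int                 // version used for new wraps
	History []string            // key lifecycle log: generation and re-wrap events
}
// Rotate generates a new KEK version and logs it; older versions stay available for re-wrapping.
func (ks *KeyServer) Rotate() int {
	if ks.keks == nil {
		ks.keks = map[int]cipher.AEAD{}
	}
	ks.current++
	ks.keks[ks.current] = newAEAD(randomBytes(32))
	ks.History = append(ks.History, fmt.Sprintf("KEK v%d generated", ks.current))
	return ks.current
}
// WrapDEK encrypts a data-encryption key under the current KEK and reports the version used.
func (ks *KeyServer) WrapDEK(dek []byte) (int, []byte) {
	return ks.current, seal(ks.keks[ks.current], dek, []byte("dek"))
}
// UnwrapDEK recovers a DEK. Whoever holds only the database, not the KEKs, cannot do this.
func (ks *KeyServer) UnwrapDEK(version int, wrapped []byte) ([]byte, error) {
	kek, ok := ks.keks[version]
	if !ok {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return open(kek, wrapped, []byte("dek"))
}

// Record is what the application database stores for one card: no key material in the clear.
type Record struct {
	KEKVersion int    // which KEK wrapped the DEK (tells you which key protects this row)
	WrappedDEK []byte // per-record DEK, encrypted by the key server
	Ciphertext []byte // the PAN, encrypted under the DEK
}
// EncryptPAN uses a fresh DEK per record (envelope encryption) and has the key server wrap it.
func EncryptPAN(ks *KeyServer, pan string) Record {
	dek := randomBytes(32)
	ct := seal(newAEAD(dek), []byte(pan), []byte("pan"))
	ver, wrapped := ks.WrapDEK(dek)
	return Record{ver, wrapped, ct}
}
// DecryptPAN unwraps the DEK via the key server, then decrypts the PAN.
func DecryptPAN(ks *KeyServer, r Record) (string, error) {
	dek, err := ks.UnwrapDEK(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(newAEAD(dek), r.Ciphertext, []byte("pan"))
	return string(pt), err
}
// ReWrap moves a record onto the current KEK after a rotation. Only WrappedDEK changes; the
// cardholder ciphertext is untouched, so rotation never means re-encrypting the data set.
func ReWrap(ks *KeyServer, r Record) (Record, error) {
	dek, err := ks.UnwrapDEK(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	ver, wrapped := ks.WrapDEK(dek)
	ks.History = append(ks.History, fmt.Sprintf("DEK re-wrapped v%d -> v%d", r.KEKVersion, ver))
	return Record{ver, wrapped, r.Ciphertext}, nil
}

// seal/open: AES-256-GCM with a random 96-bit nonce prepended to the output. The AAD label
// ("dek" or "pan") stops a wrapped DEK from being passed off as PAN ciphertext or vice versa.
func seal(a cipher.AEAD, pt, aad []byte) []byte {
	nonce := randomBytes(a.NonceSize())
	return a.Seal(nonce, nonce, pt, aad)
}
func open(a cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if len(ct) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], aad)
}
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM only fails for non-16-byte block sizes; AES is 16
	return gcm
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
```

Someone who copies the database gets Record values only; without the key server’s KEKs, UnwrapDEK cannot succeed, which is the whole point of step 1. Rotating the KEK (step 4) changes only WrappedDEK, the KEKVersion field says which key protects which row, and the History slice is the rollover record an auditor would ask for. A real deployment would additionally authenticate the application to the key server, restrict which identities may call unwrap, and log every unwrap request.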

In the articles I’ve read on the Wyndham data breach and the FTC litigation, there is almost no mention of the need for encryption, despite encryption being a primary control mandated by PCI-DSS. It was even revealed that Wyndham had stored cardholder data in the clear (meaning unencrypted), and yet few articles pointed out this massive failure to protect the data itself. Strong passwords and firewalls remain a fundamental step in keeping intruders out, but most data security experts now agree that attackers routinely get past those barriers with simple techniques such as SQL injection and phishing that delivers malware. The only way to truly protect data is to protect the data itself with encryption, and to keep the encryption keys away from the data.

To learn more about encryption key management, download the eBook, “Encryption Key Management Simplified.”


Topics: Best Practices, Hospitality/Gaming

Property Management Systems Need Stronger Encryption Key Management

Posted by Liz Townsend on Sep 12, 2013 9:50:00 AM

Handling customer data is an inherent risk of operating a business. Whether you run a hotel, resort, or casino, you are probably handling thousands to millions of pieces of sensitive customer data, much of which should be protected by technical controls. Most industry standards require that data such as names, credit card information, protected health information (PHI), and other personally identifiable information (PII) be protected with strong encryption and encryption key management. Hospitality is one of the industries that must comply with such requirements, specifically the Payment Card Industry (PCI) security standards as well as state privacy laws.


Unlike retail stores that handle credit card information one transaction at a time, businesses in the hospitality category such as hotels, resorts, and cruise lines face greater risk because they must hold a guest’s credit card information over time. The property management systems (PMS) that handle this data should be using encryption and encryption key management for as long as the data is stored.

Think back to the last time you booked a hotel reservation. The first thing you were asked to provide was a credit or debit card number. By the time you’ve made your trip, stayed in the hotel, and are ready to check out, do they ask for your credit card again? No. They’ve been storing it since you gave it to them, and they have it on file just in case you ate some snacks out of the minibar. They keep your card number because they’ll want to charge you for those macadamia nuts.

While holding on to customers’ card information mitigates certain business risks for hotels, storing that sensitive data creates new and more challenging risks around data security. Many people in the hospitality industry know this and take preventive measures, but many businesses are still suffering the consequences of not having a working data security strategy.

What are the pain points?

  • The hospitality industry is targeted by hackers
  • IT systems of franchise hotels are interconnected, so a compromise at one property can become a chain-wide breach
  • Smaller hotels often have weaker data security
  • When customer data is held over time there is a greater risk of a data breach
  • Implementing security that protects the data itself, such as encryption and encryption key management, has a reputation for being difficult and costly
  • Hospitality organizations need powerful solutions that integrate seamlessly into their existing IT infrastructure

The technology vendors that sell hospitality organizations the property management systems and payment applications that house and protect customer cardholder data need to know that these pain points are real. The only way to protect customers, and to avoid breach notification obligations (state breach-notification laws generally exempt data that was encrypted, provided the keys were not also compromised), is to protect the data itself with encryption and strong encryption key management. Encryption renders sensitive data unreadable, and if the encryption keys are stored securely away from the encrypted data, an intruder who steals the data cannot “decode” or “unlock” it. Implementing strong encryption key management is difficult for many IT teams in any organization, so offering hotels and casinos powerful key management through their property management and payment application systems is an untapped opportunity for hospitality software vendors to increase revenue.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, resorts and casinos. Intrusion prevention such as firewalls and strong passwords is of course recommended, but hospitality organizations need to know that these controls alone will not protect their data from a determined attacker. With the appropriate technology in place, a hospitality business can detect unauthorized or malicious access to sensitive data as it happens and, if it is using strong encryption and encryption key management, can be assured that the data is useless to whoever takes it. These controls fortify your IT infrastructure with security that does more than give attackers a fun challenge to break through.

To learn more about encryption key management to meet PCI requirements and protect your business in the event of a data breach, download the podcast, “Must-Haves in an Encryption Key Manager,” featuring security expert Joan Ross, CISSP-ISSAP, HISP.


Topics: Payment Applications, Property Management Systems (PMS), Hospitality/Gaming

Gambling with Data: Gaming Industry Must Protect Credit Cards

Posted by Liz Townsend on Aug 14, 2013 11:11:00 AM

It is surprising that the gaming industry, more than almost any other, struggles with protecting customer credit card information. For businesses that deal in money, you would think protecting this asset would be their number one concern. However, just like every other industry, some casinos still lack proper controls such as encryption and encryption key management to keep customer card data safe.


The truth is, there are many credit and debit card transaction points from the moment a customer walks into a casino. At every point where a customer swipes a card, that card data needs to be protected. This isn’t just a best practice: the Payment Card Industry Data Security Standard (PCI-DSS), published by the PCI Security Standards Council (PCI-SSC), requires that stored card numbers be rendered unreadable and that card data be encrypted whenever it crosses open, public networks. In other words, card numbers should never be stored or transmitted “in the clear.” PCI-DSS also sets requirements for how businesses handling card data must manage their encryption keys.

Even though encryption key management is required by PCI-DSS, not every business manages its encryption keys, and of those that do, not all do it right. Just as in the financial world, there are several critical key management best practices that should be followed to manage encryption keys as securely as possible. The number one risk of not following them is exposure of the data: a breach of credit card numbers can be devastating, especially if your business relies on customer loyalty.

Whether you’re a casino, gaming vendor, or gaming ISV providing card processing applications to casinos, always look for an encryption key management solution with these 3 features:

  • Follows Best Practices - Your encryption key management vendor should have best practices built into the solution in order to guarantee your success. These include certified (FIPS 140-2 validated) components, industry-standard encryption algorithms such as AES, and controls such as dual control, split knowledge, and separation of duties.
  • World Class Support - When protecting critical customer data, your reputation is only as good as your encryption key management vendor’s reputation for providing solid products and world class support. Choose a vendor that has a reputation for helping customers.
  • World Class Partner - If you’re a gaming ISV that sells applications that handle credit card data inside casino IT networks, you should be offering your customers encryption key management to protect that data. Choosing an encryption key management partner is a big decision, and you should look for one with a powerful solution that will grow with you and is focused on your success.
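Step 3 of the first post above (dual control, separation of duties, and split knowledge) and the “dual control and separation of duties” point in this list describe controls rather than code, so here is an added example of how they are commonly implemented; it is not code from Townsend Security or from either post. SplitKey divides a key-encryption key into XOR components so that each custodian holds only a share, and KeyCeremony refuses to reassemble the key until the required number of distinct custodians have presented theirs. The type and function names are hypothetical, and the 32-byte key used to exercise it is a constructed test value.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// SplitKey implements split knowledge: the key becomes n components whose XOR is the key.
// Each component is uniformly random on its own, so any n-1 custodians together learn
// nothing about the key; all n must cooperate to reconstruct it.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...) // becomes key XOR (all random components)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, len(key))
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		xorInto(last, parts[i])
	}
	parts[n-1] = last
	return parts, nil
}

// CombineKey XORs all components back together; a missing or wrong-length part is an error.
func CombineKey(parts [][]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("not enough components to reconstruct the key")
	}
	key := append([]byte(nil), parts[0]...)
	for _, p := range parts[1:] {
		if len(p) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		xorInto(key, p)
	}
	return key, nil
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// KeyCeremony models dual control: reassembling the key (or any other sensitive key
// operation) proceeds only once Required distinct custodians have each presented their
// component. Separation of duties is the organizational rule that those custodians are
// not the same people who administer the database holding the encrypted data.
type KeyCeremony struct {
	Required int
	parts    map[string][]byte // custodian ID -> component
}

// Submit records one custodian's component; the same custodian cannot count twice.
func (c *KeyCeremony) Submit(custodian string, part []byte) error {
	if c.parts == nil {
		c.parts = map[string][]byte{}
	}
	if _, seen := c.parts[custodian]; seen {
		return fmt.Errorf("custodian %q has already submitted a component", custodian)
	}
	c.parts[custodian] = append([]byte(nil), part...)
	return nil
}

// Complete reconstructs the key only when dual control is satisfied.
func (c *KeyCeremony) Complete() ([]byte, error) {
	if len(c.parts) < c.Required {
		return nil, fmt.Errorf("dual control not met: %d of %d custodians present", len(c.parts), c.Required)
	}
	parts := make([][]byte, 0, len(c.parts))
	for _, p := range c.parts {
		parts = append(parts, p)
	}
	return CombineKey(parts)
}
```

Because each component is uniformly random by itself, a custodian (or an attacker who compromises one custodian’s share) learns nothing about the key; the whole KEK exists only inside the ceremony, which in a real deployment would run inside the HSM. The same Submit/Complete gate can front any sensitive operation, such as exporting or destroying a key, not just reassembly.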

The gaming industry is not exempt from needing to protect sensitive data, although it sometimes flies under the radar while having some of the biggest data security problems. As we have seen, data breaches "are not a matter of if, but when." Encryption key management is fundamental to protecting yourself from a data breach, and by protecting yourself from a breach you in turn keep your customers' loyalty to your casino, because who wants to play at a casino that gambled with their personal information and lost?

Download the eBook: "Encryption Key Management Simplified"

Topics: Data Privacy, Encryption Key Management, Hospitality/Gaming