25 June 2011

Hotel Security, Data Security & PCI Compliance

As printed in Hotelier Indonesia Magazine, June 2011

For more than a decade, assaults on the hotel industry have spanned the globe and have ranged from physical attacks to breaches in data security.

Aesthetically designed for a guest’s comfort, most properties were not designed with high security in mind. In normal times, they didn’t need to be. However, the industry’s open doors provided an easy target for physical assaults. Covered by the press ad nauseam, a short list of attacks highlights why the industry has increased security measures for guests entering its facilities:

November 2002 – Kenya. Paradise Resort. 15 people died in a suicide bombing at this coastal resort in Mombasa.

January 2005 – Spain. Hotel Port Denia. A bomb concealed in a backpack was detonated in a courtyard of the Hotel Port Denia.

November 2005 – Jordan. Grand Hyatt Hotel, Radisson SAS Hotel and Days Inn Hotel. Three bombs exploded within minutes at the three hotels, killing 57 people and wounding 110.

March 2008 – Thailand. CS Pattani Hotel. Among the injured were a Thai senator and local politicians, in what was considered one of the safest hotels in the region.

September 2008 – Pakistan. Islamabad Marriott Hotel. A truck filled with explosives detonated in front of the Marriott Hotel in the Pakistani capital Islamabad, killing at least 54 and injuring at least 266.

November 2008 – India. Oberoi & Taj Mahal Palace Hotels. Indian troops stormed Mumbai's luxury hotels after coordinated terrorist attacks left 78 people dead and more than 200 injured.

July 2009 – Indonesia. Jakarta’s Ritz-Carlton Hotel and the Marriott. Twin blasts took place at the Ritz-Carlton Hotel and the Marriott, which was also the scene of a bombing in 2003. At least nine people were killed and 50 injured.

August 2010 – Brazil. Rio’s Intercontinental Hotel. A woman was killed after a group of armed men took 35 people hostage in this upscale hotel in Rio.

The industry has taken significant steps to improve physical security for its guests, ensuring that their entire stay will be peaceful and problem free. To achieve this goal, hotels have deployed robust and professional security policies ensuring the safety of their guests, staff and facilities.

DATA SECURITY:  How well is your hotel coping with the challenge of data security?

Data security company Trustwave has reported that 38% of all data attacks in 2009 were against hotels and resorts, making the hospitality industry the #1 target for data breaches. Ninety-eight percent of these breaches involved credit card numbers.

Cybercriminals have targeted the industry for two reasons: a) its large pool of credit card data, and b) its failure to implement basic data security precautions such as changing passwords or ensuring software is up to date.

The assault on hotel data systems has reached into leading hotels around the world:

November 2008 – USA & Canada. Radisson Hotels. A breach in the hotel's credit-card security system allowed outside parties to gain access to customer credit-card information. Reports indicate the security system was breached for half a year, between November 2008 and May 2009.

November 2009 – USA. Westin Bonaventure Hotel & Suites. The Los Angeles-based property disclosed a data breach of its POS systems dating back several months in 2009.

March 2010 – USA. HEI Hotels & Resorts. Investigations at HEI indicate that guest credit cards had been compromised after the electronic point-of-sale systems were breached at multiple hotels owned by HEI Hospitality. The stolen information included credit card type, number, expiration date, security code and the data contained on the magnetic stripe.

June 2010 – USA. Destination Hotels & Resorts. More than 700 guests at 21 of Destination Hotels’ US properties were victims of credit card theft when the firm’s IT system was hacked.

It’s of little surprise that hotels are particularly vulnerable to today’s savvy cybercriminal when you consider the number of payment channels used by hotels: internet, telephone, in-person and mail order.

Further consider the number of reasons hoteliers need to store cardholder data for guests’ convenience (reservation holds, incidental expenses, loyalty programs and charge-backs). If the cardholder data is not protected within all applications and databases, data breaches will continue to occur at an alarming rate.

The industry has been addressing the issue of data security through PCI compliance (PCI = Payment Card Industry). Being PCI compliant essentially means the property has taken appropriate steps to make sure that any credit card data received is safe and secure within the system. If the system is up to standards, then you’ve met what’s called the Payment Card Industry’s Payment Application Data Security Standard (PA-DSS).

As a guideline, the PCI has issued a comprehensive set of requirements for enhancing payment account data security:

·         Install and maintain a firewall configuration to protect cardholder data.
·         Do not use vendor-supplied defaults for system passwords and other security parameters.
·         Protect stored cardholder data.
·         Encrypt transmission of cardholder data across open, public networks.
·         Use and regularly update anti-virus software.
·         Develop and maintain secure systems and applications.
·         Restrict access to cardholder data by business need-to-know.
·         Assign a unique ID to each person with computer access.
·         Restrict physical access to cardholder data.
·         Track and monitor all access to network resources and cardholder data.
·         Regularly test security systems and processes.
·         Maintain a policy that addresses information security.
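Two of the requirements above, protecting stored cardholder data and tracking access to it, can be checked mechanically rather than on paper. The Python script below is an added example written for this article, not code from the magazine, from Trustwave or from any hotel group named here. It scans constructed sample log lines for clear-text card numbers, uses the Luhn check so that other long numbers (a loyalty member ID, for instance) are not flagged, masks anything it finds to the first six and last four digits that PCI DSS permits for display, and shows a keyed hash as a lookup substitute for keeping the full number. The log lines and the HMAC key are constructed placeholders, not real data.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from the article): what a reservation or
# POS system might write if cardholder data is handled carelessly.
SAMPLE_LINES = [
    "2011-06-25 10:14:02 reservation hold guest=1234 pan=4111111111111111 exp=12/13",
    "2011-06-25 10:15:11 incidental charge pan=4111-1111-1111-1111 amount=45.00",
    "2011-06-25 10:16:40 loyalty lookup member=98765432109876 status=gold",
    "2011-06-25 10:17:05 folio printed pan=411111******1111",
]

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Placeholder key for the lookup token; a real deployment keeps this in an HSM
# or key vault, never in source.
LOOKUP_KEY = b"placeholder-key-do-not-use-in-production"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(pan: str) -> str:
    return re.sub(r"[ -]", "", pan)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, as digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep at most the first six and last four digits."""
    digits = _digits_only(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN, usable as a lookup key without storing the PAN."""
    return hmac.new(LOOKUP_KEY, _digits_only(pan).encode(), hashlib.sha256).hexdigest()


def scan_lines(lines) -> list[tuple[int, list[str]]]:
    """Return (line_number, masked_pans) for every line carrying a clear-text PAN."""
    hits = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            # Report only the masked form so the scanner itself does not leak PANs.
            hits.append((n, [mask_pan(p) for p in pans]))
    return hits


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: clear-text cardholder data found -> {masked}")
```

Run against real logs or database exports, a scanner like this belongs in the regular testing that requirement 11 calls for; any hit is a record that should have been masked, tokenized or not written at all. The Luhn check is what keeps the loyalty member ID on line 3 out of the report, while the already-masked folio entry on line 4 never matches because fewer than 13 digits remain.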

Experienced market executives say that education is the first point of interaction and interdiction against payment card fraud. The more educated your employees are about proper handling of payment card data, the more secure your organization becomes.

Whether it is your qualified security assessor, your internal IT staff or your everyday employee, each should be trained on the importance of practicing security through PCI standards to ensure ongoing security and help the hotel protect guests’ vital data.