07 January 2015

Data Security in the Golf Industry

from Vietnam Golf Magazine
January 2015

Data security company Trustwave has reported that 45% of all data attacks in 2013 were against the retail industry, making it the #1 target for data breaches. In prior years, the hotel & resort industry was the most targeted. Operating in both the hospitality and retail industries, golf clubs are likely targets for cybercriminals.

For years, cybercriminals have targeted the retailing & hospitality industries due to: a) their large pool of credit card data, and b) their failure to implement basic data security precautions such as changing passwords or ensuring software is up-to-date.

The assault on information systems has reached into leading retailers and resorts around the world:

April - September 2014 - USA & Canada. Home Depot Stores. A few weeks back (8 Sept 2014), Home Depot confirmed that its payment security systems had been breached, a data theft that analysts say could rival Target Corp's massive breach last year. The data theft likely affects customers in stores across the USA and Canada, with investigations ongoing into how deeply online customers were affected.

November - December 2013 - USA.  Target Stores.  Target Stores were hit by a major credit-card attack involving up to 40 million accounts in late 2013.  It has been reported that Target has spent $146 million to resolve data breach-related issues since the fourth quarter of 2013.

March 2010 – USA.  HEI Hotels & Resorts.   Investigations at HEI indicate that guest credit cards had been compromised after the electronic Point-of-Sale systems were breached at multiple hotels owned by HEI Hospitality.  The stolen information included credit card type, number, expiration date, security code and the data contained on the magnetic stripe.

June 2010 – USA. Destination Hotels & Resorts. More than 700 guests at 21 of Destination Hotels' US properties were victims of credit card theft when the firm's IT system was hacked.

November 2009 – USA. Westin Bonaventure Hotel & Suites. The Los Angeles-based property disclosed a data breach of its POS systems that dated back several months into 2009.

November 2008 – USA & Canada.  Radisson Hotels.  A breach in the hotel's credit-card security system allowed outside parties to gain access to customer credit-card information.  Reports indicate the security system was breached for half-a-year, between November 2008 and May 2009.

The largest known breach at a U.S. retailer was at TJX Cos in 2007, which had more than 90 million credit cards stolen over about 18 months.

It’s of little surprise that resorts and retailers are particularly vulnerable to today’s savvy cyber-criminal when you consider the number of payment channels used: internet, smart phone, telephone, in-person and mail order.

Further consider the number of reasons why golf courses, retailers and resorts need to store cardholder data for guests’ convenience (reservation hold, incidental expenses, loyalty programs and charge-backs). If the cardholder information is not protected within all applications and databases, data breaches will continue to occur at an alarming rate.

The industry has been addressing the issue of data security through PCI compliance (PCI stands for Payment Card Industry). Being PCI compliant essentially means the property has taken appropriate steps to make sure that any credit card data received is safe and secure within the system. If the system is up to standard, then you've met what's called the Payment Card Industry's Payment Application Data Security Standard (PA-DSS).

As a guideline, the PCI has issued a comprehensive set of requirements for enhancing payment account data security:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security.
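The requirements above ("protect stored cardholder data", "restrict access by business need-to-know") and the earlier point that clubs keep card data on file for reservation holds and incidentals translate into a few concrete coding rules. The Python module below is an added example, not code from the article or from any PCI document: it validates a card number (PAN) with the Luhn check, keeps only the PCI-permitted masked form (first six and last four digits), stores a keyed HMAC token in place of the PAN so a repeat guest can still be matched, and refuses to persist the security code at all, which is the field stolen in the HEI breach described above. The key name TOKEN_KEY and the test card number are constructed placeholders.

```python
"""Cardholder-data handling for a club's back-office system.

Added illustration of PCI DSS requirement 3 ("protect stored cardholder
data"): the full PAN and the security code (CVV) are never written to the
record; only a masked PAN and a keyed token are kept.
"""
import hashlib
import hmac
import re
from typing import Optional

# Tokenisation key. Constructed placeholder: in a real deployment this is
# loaded from a key-management system or HSM, never hard-coded.
TOKEN_KEY = b"placeholder-load-from-key-management-system"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask the PAN for display: PCI DSS permits showing at most the first
    six and the last four digits; everything between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed HMAC-SHA256 of the PAN: deterministic, so the same card yields
    the same token (repeat-guest matching), but not reversible without the
    key and not brute-forceable from the token alone."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, expiry: str, cvv: Optional[str] = None) -> dict:
    """Build the only record that may be persisted for a card on file.

    The cvv parameter is accepted so callers can pass it to the payment
    gateway at authorisation time, but it is deliberately dropped here:
    sensitive authentication data must not be stored even encrypted.
    """
    pan = re.sub(r"[ -]", "", pan)     # strip spaces/dashes from user input
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": expiry,
    }


if __name__ == "__main__":
    # Constructed sample input: a well-known test card number, not a real card.
    rec = store_card("4111 1111 1111 1111", "12/27", cvv="123")
    print(rec)
```

Restricting who can even call store_card and logging every call that reads the token table is what the "need-to-know" and "track and monitor all access" requirements ask for on top of this.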

Experienced market executives say that education is the first point of interaction and interdiction against payment card fraud. The more educated your employees are about proper handling of payment card data, the more secure your organization becomes.

Whether it is your qualified security assessor, your internal IT staff or your everyday employee, each should be trained on the importance of practicing security through PCI standards to ensure ongoing security and help the hotel protect guests' vital data.
