The Cyber Threat Landscape for 2015


March 01, 2015
Cyber Threat
Richard Sheinis, CIPP-US - rsheinis@hallboothsmith.com
Frances Parker

As we look at 2014 in the rearview mirror, we see the year of the big retailer data breach. Target, Home Depot and Neiman Marcus, among others, were all hit, and hit hard. While there are also targets in other industries – think Sony and Anthem – the fact remains that if you process credit cards and have other personal information, you have a bull’s-eye on your back. Don't expect this to change in 2015. In fact, the only change you can expect is that the attackers will continue to develop new techniques and refine current techniques in an effort to steal your data and that of your guests.


One reason for the continued growth of cyber crime is that it is a big, organized, profitable business. Many people have a mental image, aided by advertisements for security software or identity theft protection, that a hacker is a young kid wearing a hoodie pulled over his face, sitting in a semidark room banging away at a computer keyboard.  If hackers were all these lone wolves, data protection would be a lot easier.

Unfortunately, the truth is that organized cyber theft rings generate a much greater volume of hack attacks than could be perpetrated by individual, misguided youths. Tony UcedaVelez, owner of VerSprite, a professional service firm in information security, described the operation of cyber theft rings in Eastern European and other countries as having rooms full of hackers. They are set up much like you would envision a call center. Dozens of people sit at their desks in long rows of cubicles while working on their computers. Instead of handling customer service calls, they are sending out phishing emails by the thousands.

An office building might have several floors filled with dozens or hundreds of these hackers. They don't have to know much about hacking themselves. They are given a script or a specific malware-laced email to send. They go to work every day like so many other office workers. They even have quotas to meet, and pit bosses to make sure they meet them.

The phishing emails and other hacking techniques are researched in testing labs. The bad guys have access to all the same software and cyber protection programs that we do. They test these programs to find the security holes and vulnerabilities. They know which social engineering tricks work best. The cyber theft business is too big to be left to chance. The criminals find the holes in our defenses, and exploit them thousands of times over. Understanding the immense volume and sophistication of cyber attacks is the first step in developing a comprehensive plan to protect the data in your possession.

Cyber crime shows no signs of slowing down. It pays well, and the risk is small compared to other crimes where the criminal must be physically present at the scene of the crime. Don't count on U.S. law enforcement arresting hackers in Eastern Europe. With so little risk and so much to gain, cyber crime is almost a no-brainer for the criminals.

The end of 2014 brought the sophisticated attack known as Dark Hotel into the news. These attacks use hotel Wi-Fi networks to hack the devices of guests who are high-value targets, such as business executives, in order to steal a company's sensitive information. When a targeted hotel guest uses the hotel Wi-Fi, he is tricked into downloading malicious software that appears as a legitimate software update. The hacker then installs an advanced key logger, which tracks passwords, in an effort to enter the corporate network.  After the information is obtained, the hacker removes all traces of the malware from the hotel Wi-Fi network, thereby erasing his tracks. Although these types of attacks have been used for several years, their use continues to grow.

An area of security concern identified by Lynn Goodendorf, chief information security officer for Mandarin Oriental Hotel Group, is the apparent reduced effectiveness of traditional anti-virus software. In 2014, Symantec, the well-known developer of anti-virus software, acknowledged that its products could not detect many malware attacks. While we have seen various estimates of the percentage of cyber attacks detected by anti-virus software, the consensus seems to be that a large portion of viruses go undetected.

The problem seems to be the speed at which malware is being developed. Anti-virus software works by detecting the signature of a virus. However, it can only stop those it can detect based on a known database of malware signatures. As hackers develop new malware with previously unrecognized signatures, more and more cyber attacks go undetected by traditional anti-virus software. Hackers are developing new viruses with new signatures faster than they can be identified and recognized. IT Security Institute AVTest registers more than 390,000 new malicious programs every day. In 2012, Imperva, another IT security company, issued a report stating that the initial detection rate for a newly created virus is less than 5 percent. The exact figures might differ from one source to another, but it seems most professionals would agree that a significant percentage of malware is not stopped by the outer wall of defense.

Related to the inability to recognize malware is the “end of life” for certain network components in 2015. The end of life refers to when a manufacturer no longer supports a network operating system (OS) or component. In 2014, Microsoft announced the end of life for the operating system Windows XP. On the surface, this would not seem to present a problem. Any company using Windows XP could continue to do so. However, the end of life can present serious security problems. 

Almost every OS will have holes that present an opportunity for hackers to breach the network. When these holes are discovered, the OS manufacturers will then issue a patch to close the hole or eliminate the vulnerability. Patches are not uncommon, and are issued with some frequency.

The bigger problem arises when the manufacturer announces it will no longer support the OS, because it means they will no longer issue patches. This unpatched condition combined with the reduced effectiveness of anti-virus capabilities increases the likelihood of zero day malware or virus infection. Therefore, when a vulnerability is exploited by the hackers, it will continue to be exploited because the manufacturer will not issue a security patch to close the hole. This is a security nightmare for any company still using the OS. If companies did not plan and budget appropriately for the end of life of Windows XP, and switch to a different OS, they would be wide open to hackers. A related problem, said Bob Lowe, VP of business development at Shift4, is that if a hotel continues to use a non-supported OS that will no longer be patched, they are out of compliance with Payment Card Industry Data Security Standard (PCI-DSS).

This year will bring another end of life, this time for Windows 2003 servers. Replacing servers can be expensive. Goodendorf cautioned that companies will be tempted not to replace their servers. Companies will be reluctant to spend the time and money to replace servers that are working perfectly fine. However, servers can experience zero day vulnerabilities, much like an operating system. Once Microsoft stops supporting these servers, there will not be patches to fix these vulnerabilities.

Replacing servers is not done overnight. In addition to being costly, it is time consuming. Waiting until the last minute to replace these servers is asking for trouble. If your network uses Microsoft 2003 servers, the smart move is to plan ahead and budget for new servers so you are not stuck.

When anti-virus software is not effective, your employees become another line of defense. This makes security awareness training for employees another area of emphasis for security and privacy experts. The importance of employees well-trained in security awareness increases as the number of threats that reach them increases. Just distributing a computer security policy is not effective training, said Goodendorf. Companies must invest in security awareness training that effectively changes the behavior of employees vulnerable to increasingly sophisticated social engineering tactics used by hackers. Perhaps the better way to describe the challenge is staff learning, rather than staff education. The focus should be on how people learn so that their behavior is modified, then provide an educational experience that will meet this objective.

Daniel Johnson, chief operations officer of the Venza Group, thinks the challenge is to influence behavior. He said we need a philosophical approach to educate staff. Research shows that people do not learn by a singular event. The approach to staff education needs to be more sophisticated. Education should take into account the level of the staff being trained, and the type of training that is best for each category of employees. One size does not fit all when it comes to education.

The importance of computer security awareness training is backed up by recent reports. IBM's 2014 Cyber Security Intelligence Index found that 95 percent of all security incidents involve human error. Many of these successful attacks are the result of social engineering that takes advantage of human weakness. Verizon's 2014 Data Breach Investigations Report found that 78 percent of successful security attacks involved spear phishing emails with attachments containing malware. Egress Software Technologies, an encryption services provider, recently found that 93 percent of breaches were due to human error, poor processes and systems in place, and lack of care when handling data. With such a high percentage of breach events tied to employees' behavior, a good security awareness education program should carry a lot of bang for the buck.

Another security problem identified by Johnson is the occasional competing interests of satisfying the hotel guest while maintaining data privacy and security. He is concerned that satisfying the guest has taken precedence over data security. He noted that quality of a hotel's Wi-Fi has become the No. 1 indicator of guest satisfaction, having taken over the top spot from the comfort level of the beds. Johnson expressed concern that the desire to be accommodating, combined with the increasing sophistication of social engineering, opens the door for greater opportunities for the private information of guests to be disclosed to those with criminal motivations.

Some of the most valuable data held by hotels is still credit card data, said Bob Lowe of Shift4. If that is the case, how can the data be kept secure?  The first line of defense is still the perimeter – keeping the criminals out with strong firewalls and anti-virus protections. The problem is that no perimeter defense will keep out all the threats.

If the outer wall will not stop all of the attacks, and we have a robust employee education plan in place, what else can we do to secure credit card data? Encrypting the data at the point of sale, and when at rest after the sale, is a good method to thwart the hackers, Lowe said.
 
When a credit card is swiped, the credit card information goes from the point-of-sale (POS) device, to a back office server (or a cloud server), to the hotel bank's processor, to the credit card network, to the issuing bank and if approved, the approval works its way back to the POS. The credit card data, if not encrypted, can be stolen through malware in the system anywhere along this journey.
 
There are two important security technologies that come into play throughout this process, encryption and tokenization. Point-to-point encryption starts at the point of swipe and secures data up to the point of authorization. However, point-to-point encrypted data cannot be stored after authorization. At the time of authorization, or shortly thereafter, tokenization can take over.
 
What is tokenization? As defined by the PCI Council, it is a process by which the primary account number (PAN) is replaced with a surrogate value called a token. The token is usually an alphanumeric representation of the credit card data. After the authorization process, tokenization serves to secure the credit card data at rest in a database. Hotels need this database for incremental authorizations, card-on-file transactions, etc.  When point-to-point encryption and tokenization are used together, the card data never enters the property management system or the hotel's network environment. This results in a dramatic reduction in breach vulnerability.
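To illustrate the tokenization flow described above, here is an added example (not from the article or from any vendor's product): a toy token vault standing in for the payment provider, and a hotel-side system that stores only tokens. The class names, the token format and the constructed test card number are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import string

TEST_PAN = "4111111111111111"  # constructed sample: a common test number, not a real card


def luhn_valid(pan):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization provider. It runs outside the hotel network,
    and the PAN-to-token mapping exists only here."""

    def __init__(self):
        self._by_token = {}                      # token -> PAN (a real vault encrypts this)
        self._by_tag = {}                        # HMAC(PAN) -> token, so a repeat card reuses its token
        self._tag_key = secrets.token_bytes(32)

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        tag = hmac.new(self._tag_key, pan.encode(), hashlib.sha256).hexdigest()
        if tag in self._by_tag:
            return self._by_tag[tag]
        # The surrogate is random, so it cannot be reversed into the PAN.
        # Only the last four digits are kept, for receipts and folio display.
        body = "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
        token = "tok_" + body + "_" + pan[-4:]
        self._by_token[token] = pan
        self._by_tag[tag] = token
        return token

    def charge(self, token, amount_cents):
        """Card-on-file or incremental authorization: only the vault resolves the token."""
        pan = self._by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # A real vault would send the PAN to the processor here; callers get a masked value.
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return {"approved": True, "card": masked, "amount_cents": amount_cents}


class HotelPMS:
    """Hypothetical property management system: it stores tokens, never PANs."""

    def __init__(self, vault):
        self._vault = vault
        self.folios = {}                         # reservation id -> token

    def store_card_on_file(self, reservation_id, token):
        self.folios[reservation_id] = token

    def incremental_auth(self, reservation_id, amount_cents):
        return self._vault.charge(self.folios[reservation_id], amount_cents)


def find_pans(text):
    """Defender's check: list digit runs in stored data that look like card numbers."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_valid(m)]


def demo():
    vault = TokenVault()
    pms = HotelPMS(vault)
    token = vault.tokenize(TEST_PAN)             # done provider-side, after the encrypted swipe
    pms.store_card_on_file("RES-724", token)
    leaked = find_pans(repr(pms.folios))         # scan everything the hotel side holds
    result = pms.incremental_auth("RES-724", 4500)
    return token, leaked, result


if __name__ == "__main__":
    print(demo())
```

Running a scan like `find_pans` over exported databases, logs and file shares is one way to confirm that no card numbers remain on the hotel side after tokenization is deployed.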
 
More and more hotels are using this type of technology, said Lowe. But one of the industry problems, as strange as it may sound, is the PCI-DSS system itself. PCI-DSS, of course, is intended to keep credit card data safe by requiring merchants to meet certain security standards. However, PCI-DSS standards are only updated every three years. This is too slow to keep up with the speed at which new security solutions and technology are developed. Lowe would like to see an environment where the certification system is more agile in order to keep up with new payment solutions. He said that PCI is limiting the adoption of point-to-point encryption by having a required specification for a method not preferred, or in use, by the vast majority of the hospitality industry's existing point-to-point encryption solutions.

If a new technology provides better security for credit card data, but the technology is not PCI-DSS compliant, hotels will be hesitant to implement the new technology for fear of falling out of compliance. This is a disincentive for the development of new technologies. A technology company may not be willing to make the investment to develop a more secure payment technology that dares to be outside the box of PCI-DSS, when PCI-DSS is not due to be revised for another few years, and there is no guarantee that the technology will comply with PCI-DSS when it is revised. As long as the credit card companies and banks require compliance with PCI-DSS specifications, which are only updated every three years, the struggle to secure credit card data may lag behind the new methods developed by the criminals to steal this data. In Lowe's opinion, PCI's refusal to validate new solutions simply because they prefer a different method to manage the encryption keys harms the industry and confuses hotel operators.

Mobile Risks
The use of mobile devices carries its own data security risks. We are riding a mobile wave, as Michael Saylor said in his 2012 book, “The Mobile Wave: How Mobile Intelligence Will Change Everything!” As mobile devices become a larger part of how we conduct business, what are some of the data stealing techniques related to our use of mobile devices?

Marion Roger, vice president of business development at Hospitality Evolution Resources, LLC, expressed concern about several techniques used to steal data from mobile devices. One technique, called juice jacking, can steal data or inject malware while charging a mobile device. We have all been in a situation where we are traveling, and we are desperate for a power supply to charge a smartphone. It is a sense of relief when we find a charging kiosk in the airport, restaurant or other public place.

The problem is that the charging cable that carries power to your smartphone can also carry data out of your phone or install malware on your phone. The charging cable has four wires. Two wires carry power, and two wires carry data. A malicious kiosk or charging station can suck your phone dry of your address book, notes, and even do a full backup of your device – all of which can then be accessed wirelessly by the hacker. The charging station can also inject malware into your phone through the charging cable. When hitting the road, remember to top off your phone's battery, and carry a personal charger or portable battery backup.

A good option to limit juice jacking is a USB condom. No, that is not a typo! A USB condom is a small device that attaches to the USB end of your charging cable, before you plug it into a power supply. The condom allows power to flow through the charging cable to your mobile device, but it blocks the data wires in the cable. This prevents the malicious downloading of data from your device, as well as the installation of malware on your device. A USB condom is a worthwhile investment of about $10, for those who depend on their mobile devices on the road.

Another threat to wireless devices is bluesnarfing. This is a malicious technique of gaining unauthorized access to information on a wireless device through a Bluetooth® connection, often between phones, desktops and laptops. Bluesnarfing exploits another person's Bluetooth connection without their knowledge, to steal information from their device. To combat this technique you can either turn your Bluetooth off when in an area that might be unsafe, or set it to undiscoverable. This setting allows Bluetooth to remain on so compatible Bluetooth products will work, but other Bluetooth devices cannot discover your device.

Loyalty clubs are a potential target for cybercriminals, Roger said. There are only a few third-party vendors that provide this service. If one of these vendors is targeted, the criminal could hit the motherlode of data that will cut across industry brands.

Legislative Outlook
Cybersecurity is important enough for President Obama to have put forth four cybersecurity priorities during his 2015 State of the Union Address. The president wants to see legislation which improves consumer security. Two parts of the president's plan, referred to as the Personal Data Notification and Protection Act, would impact the hospitality industry. First, he wants legislation to include a federal mandate for hacked companies to notify customers of breaches within 30 days of the discovery of the hack. The second part of President Obama's plan, which would affect the hospitality industry, is to increase the ability for law enforcement agencies to investigate and prosecute cyber criminals. The president wants to incentivize private companies to share information about data breaches with Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC).
 
At least part of President Obama's motivation in announcing this plan is to show that the current hodgepodge of data security and privacy laws in the United States is, to put it kindly, messy. There is currently no national data breach notification or security law that applies to all businesses. These laws tend to be industry related, and are based on the idea of protecting specific classes of consumers. There is HIPAA in the healthcare industry to protect patients as consumers, and the Gramm-Leach-Bliley Act for clients of the financial services industry. The FTC uses the Unfair and Deceptive Trade Practices Act to protect consumers generally. Without any regulatory guidance or standard whatsoever, the FTC decides when and where they think data security was not strong enough, or privacy policies were not honored.

Adding to the confusion is the fact that 47 of the 50 United States have their own breach notification laws. The problem is that these laws can vary greatly from one state to another as to when notification must be given, how notification is given, and what information must be contained in the notification.  Only a few states require a business to have certain data security measures in place. Which state law do you follow if you have a breach incident? It is not necessarily the law of the state where the breach occurred. That would be too easy. You have to comply with the laws of the state where your respective guests are residents, which might be every state in the country.

Making the issue more confusing are the state laws that regulate the secure destruction or disposal of personal information. These laws often apply to any personal information, including medical information of hotel employees, not just guest information or credit card data. Some states, although not too many at this time, are proactive and require businesses to have data security precautions in place. Some of these state laws are vague, only requiring "reasonable and appropriate" security measures, while other states have more specific requirements. A full review of the laws of each state is beyond the scope of this article, but it is worthwhile to discuss how these laws are coming about, and where they are going.

As we said, traditionally data privacy and security have been treated as a consumer protection issue. By comparison, countries in the European Union treat security and privacy as fundamental human rights. Everyone is entitled to have his or her personal information protected, wherever it is, no matter who is holding it, and regardless of the industry.

U.S. lawmakers, frustrated by recent big retail data breaches, seem to be adopting a more European view of personal data. The state of Massachusetts has been a leader in this regard. Massachusetts requires any business that owns or licenses personal information about a Massachusetts resident to have a written comprehensive information security program with administrative, technical and physical safeguards. They must identify and assess reasonably foreseeable internal and external risks to the security of the personal information.

Legislation is soon to be proposed in New York that seems to have even stricter data security requirements than those in Massachusetts. Since this legislation, if passed, would be the strictest law of any U.S. state, a more detailed review is warranted.

The New York legislation would apply to all entities that collect and/or store personal information of a New York resident. It is not industry or consumer based. Personal information would include the combination of an email address and password, and an email address in combination with a security question and answer. It would also include medical, biometric and health insurance information. It would require hotels, as employers, to protect employee personal information as much as guest information.

Entities would be required to have reasonable security measures in place, including:

  • Administrative safeguards to assess risks, train employees and maintain safeguards.
  • Technical safeguards to (i) identify risks in their respective network, software and information processing; (ii) detect, prevent and respond to attacks; and (iii) regularly test and monitor systems controls and procedures.
  • Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.

The legislation would create a cottage industry by allowing entities that obtain independent third-party audits and certifications showing compliance with these data security requirements to use the certification in litigation as a rebuttable presumption of having reasonable data security.  This rebuttable presumption is an important carrot to encourage compliance with the requirements.

The legislation would offer another carrot to encourage businesses to implement even more robust data security measures: a safe harbor for any business that does so. To obtain this safe harbor carrot, a business would be required to categorize its information systems based on the risk a data breach imposes on the data stored. After information systems are categorized, a data security plan based on multiple factors would be implemented and followed. Once a business is certified as having met this standard, it would be granted a safe harbor that could include an elimination of liability altogether.
 
The elimination of liability sounds nice, and is a strong incentive for businesses to have strong security measures in place. However, we must wonder whether such an incentive will be a part of the legislation in the face of anticipated opposition from plaintiffs' attorneys.

Lastly, the legislation is expected to provide an incentive for businesses to share forensic reports with law enforcement should they be the victim of a data breach. A proper incentive to encourage such sharing with law enforcement would be a prohibition on using any shared report against the business in any future litigation, and prohibiting any governmental agency from using the report against the business in any proceeding.

Although the authors of these security statutes are undoubtedly well meaning, they only add to the potential confusion. When your guests might be residents of any of these states, theoretically, you should comply with the data security laws of every state which has enacted such laws. If you comply with one state, you may or may not comply with the laws of other states. Even complying with the laws of the state with the strictest requirements does not guarantee compliance with every aspect of the laws of all states. It is the Rubik's Cube of data security compliance. As more states pass data security laws requiring businesses to proactively implement data security procedures, the confusion is bound to worsen before it becomes better.

President Obama's push for a national breach notification law may not be the panacea desired. Simply because there might be a federal law on this subject does not mean that states cannot also have their own laws, unless the federal law supersedes state laws. If a state law is more strict, or has more regulations than the federal law, businesses might still be required to meet the stricter standards of the state law.

These few tips will help you navigate the cyber waters and stay cyber safe in 2015.
 
Richard Sheinis (CIPP-US) is a partner in the data security and privacy group of Hall Smith Booth, PC. Frances Parker is an associate at the firm. The authors can be reached for comment at rsheinis@hallboothsmith.com.

©2015 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

 

The Next Wave: A Mobile Attack

According to Gartner, Inc., one of the world's leading information technology research and advisory companies, nearly 2.2 billion smartphones and tablets were sold to end users in 2014. While security incidents originating from mobile devices are rare, Gartner projects that by 2017, nearly 75 percent of mobile security breaches will be the result of mobile application misconfiguration.

To do significant damage in the mobile world, malware needs to act on devices that have been altered at an administrative level.
“The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user's privileges on the device, effectively turning a user into an administrator,” said Dionisio Zumerle, principal research analyst at Gartner. 

While these methods allow users to access certain device resources that are normally inaccessible (in fact, in most cases they are performed deliberately by users), they also put data in danger. This is because they remove app-specific protections and the safe “sandbox” provided by the operating system. They can also allow malware to be downloaded to the device and open it up to all sorts of malicious actions, including extraction of enterprise data. Rooted or jailbroken mobile devices also become prone to brute force attacks on passcodes.

It is recommended to keep mobile devices fixed in a safe configuration by means of a mobile device management (MDM) policy, supplemented by app shielding and containers that protect important data.

Source: "Analysts Discussed Mobile Security Threats and Trends at the Gartner IT Infrastructure & Operations Management Summits 2014" Gartner – http://www.gartner.com/newsroom/id/2753017

 

Wireless Charging, IoT and Data Security
by The Wireless Power Consortium

The Internet of things (IoT) is making new services and operational efficiencies for hotels and public places possible. The IoT also creates new portals through which a hacker may enter. 
Imagine this scenario: Your guest steps into the lobby of your property and receives a text: “Welcome home. Your room is 724.” Your guest goes directly to his room and unlocks the door with his phone. He places his phone on a wireless charger and an app comes up that allows him to control the window shades, room HVAC, adjust the bed and desk, and gives him easy access to room service. Also, his family pictures stream to the bedside digital picture frame and the movie that he could not complete on the flight starts streaming to the room monitor. It is a new world of interactive services, personalization and operational efficiencies. Sure, these things are possible now, but unless the phone is reliably charged, it is irresponsible to provide these services without offering easy, ubiquitous charging. That is where wireless charging steps in.

Now imagine that wireless charging is embedded in your environment wherever you need it to be – your home, car, office, café, the airport lounge, airplane or your hotel. The experience of each venue is improved by the smartphone's ability to connect the individual with that environment. Making valuable features like streaming music, GPS and mobile hot spots available in the car only works if using these services does not result in a dead phone battery. That’s why the automobile industry has embraced wireless charging (15 models of cars have wireless charging today and that number will double this year). Hotels around the world have started putting wireless charging in their lobbies, meeting rooms and guestrooms. Libraries, gyms, sports arenas and numerous other public locations are deploying wireless charging and the ability to connect with the venue’s infrastructure and available services. The Internet of things is promising and already offering guests a whole new level of comfort and convenience – made possible by access nodes (e.g., smartphones) that are reliably available.
With this increased level of interaction come new threats to your guests’ data security. We expect that using these services and providing basic information will not result in a hacker's ability to access our device memory stick. Bluetooth, Wi-Fi and other communication systems employ effective encryption technology, but as we have seen with the Apple® iCloud breach, these threats still exist.

Data security protocols are best defined at the beginning of a technology development process. Hard-wired barriers trump even the best software. When the system is designed from the ground up to be secure, it will be. It is less effective to add encryption, credentialing layers or other software after the electronics and communications are designed. Wireless power systems transmit power as well as small amounts of data (for safety, authentication and identification purposes). Many of these systems are meant to be connected to the IT infrastructure of the public locations into which they are deployed.

Wireless power systems are already widely deployed, and like any standard, they are continually evolving and improving. The Wireless Power Consortium considers data security throughout the hardware and software development process. As these systems enable more connectedness and allow you to get closer to your guests, it’s nice to know that data security will not be compromised in the process.

 

According to the F.B.I.

Ransomware will continue to be a danger in 2015 according to FBI Special Agent Scott Augenbaum, of the FBI's cyber crime unit in Nashville, Tenn. Ransomware, often going by names like CryptoLocker and CryptoWall, is malware, often downloaded through a malicious email or websites, that encrypts the data on a network, making it inaccessible and unusable. The ransomware also carries a message demanding payment from a few hundred dollars to several thousand dollars, in exchange for the decryption key, which sometimes will work, and sometimes not.

In addition to appropriate firewalls, anti-malware programs and employee computer security awareness, a good backup system is vital to combat ransomware, according to Augenbaum. The first question Augenbaum asks when a business is hit by ransomware is, “How is your backup?” If network data is encrypted, the user can access his backup, without much downtime or loss of data. However, if data is not backed up frequently the loss can be catastrophic.

In 2015, ransomware is expected to continue to evolve and to increase its attacks on mobile devices, according to the McAfee Labs November 2014 Threats Report. Ransomware is also expected to target data in the cloud. Once a user’s endpoint is infected, the ransomware will seek to exploit the user’s stored credentials to infect backed-up cloud storage data.

 

A few of the technology providers who focus on secure payment processing had a chance to comment on current initiatives and the payment industry as it relates to hospitality and retail.

Merchant Link
It’s a really exciting time for data security in hospitality with point-to-point encryption, tokenization and secure mobile solutions becoming more commonplace at the front desk and in restaurants. Today we are working with GDS and CRS solution providers to tokenize reservations before they get out of the provider’s network, our clients are using encrypting PIN pads to encrypt data in call centers, and most recently clients are utilizing Merchant Link and partner solutions to provide secure methods for collecting third-party payments. We are getting to a point where hotels have no need to touch a real card number. Authenticating the card when present (EMV), securing the data in flight (P2PE) and securing it at rest (tokenization) is the surest way to protect your guests and your brand.
 
Shift4
Securing payment data in hospitality is not a simple task. The hospitality industry needs specialized solutions that can secure reservation data flowing in from a CRS, accept event deposits without having faxed-in card numbers lying around the back office, and securely share card data with third-party vendors like caterers or florists. And, of course, they need to be able to do all this while still delivering the simplicity and functionality their guests expect – things like mobile check-in, EMV and, someday soon, contactless payments. Fortunately, Shift4 supports all of these technologies and makes it easy for our hospitality merchant customers to implement them.

SIX Payment Services AG
SIX offers payment solutions with the international standards laid down by the PCI Security Standards Council. The PCI DSS applies worldwide, and is intended for all parties that transfer, process or save card data. 3-D Secure is the security standard for paying on the Web. With 3-D Secure, cardholders have to identify themselves, which means an additional step. This makes e-commerce by SIX significantly more secure, and protects hotel and restaurant owners when their customers default on payments. Payment Card Industry PIN Transaction Security (PCI PTS) is a global security standard. Certified payment terminals significantly reduce the risk of data theft. In Switzerland, SIX will introduce the next chip generation for debit cards in 2016, which will be named EMVI’16.

 


