Full Attention to Data Security Can Help Avoid Security Nightmares

October 01, 2008
Credit Card | Security
Michael E. Smith

Many people responsible for payment card security in the hospitality industry have imagined the nightmare of having to face their boss after a security breach.  In fact, a survey taken earlier this year at the Multi-Unit Restaurant Technology Conference found that security of customer payment card data was the top payment card concern with 68 percent reporting increased customer concern over the past few years.

That statistic shouldn’t be surprising.  After all, data breaches typically result in financial liability for fraud and chargebacks, related fines, costs for security forensics and remediation, legal expenses and government and regulatory scrutiny.  Worst of all may be the embarrassing media headlines which may damage customer trust.

The most valuable item stolen in a data breach, however, is customer trust. The impact is swift, persistent and hard to overcome.  A survey released by Javelin Strategy and Research last year found that only 20 percent of consumers surveyed would likely continue doing business with a company if they learned it had a data breach that may have compromised their card account information.

Security, therefore, must be thought of not as a cost that we have to pay, but rather as a smart, strategic investment that can return significant bottom-line growth.  By making compliance with the Payment Card Industry Data Security Standard (PCI DSS) a 24/7 commitment, you can help avoid having to explain a data breach to your boss – or more importantly to your customers. 

To complement compliance with PCI DSS, Visa recently announced a series of requirements for U.S. merchants to use payment system software that does not store sensitive card information.  Visa research confirms that vulnerable payment applications have been the leading cause of compromise incidents, particularly within the hospitality industry.

Criminals have been systematically targeting certain versions of software because of their known security gaps.  For example, some versions of software in use today are known to store the full contents of the magnetic stripe, PIN data or security codes, contrary to Visa rules and the PCI Data Security Standard.  These payment card elements are sought by criminals for their potential use in creating counterfeit cards.  In most cases, storage of this data can be eliminated by using an updated version of a business’ existing payment software.

Under the Visa mandates, U.S. acquirers (banks that service merchants) may not sign on new merchants using known vulnerable payment applications.  A list of vulnerable payment applications is updated quarterly and made available to merchants and agents through their respective acquirers.

Here are some additional important milestones for the phased-in mandates:

  • Effective October 1, 2008, acquirers can only sign new Level 3 and Level 4 merchants that are PCI DSS compliant or utilize applications that are compliant with the Payment Application Data Security Standard (PA-DSS).  PA-DSS does not apply to applications developed for in-house use only or to stand-alone terminals.
  • VisaNet processors and agents are required to decertify all known vulnerable payment applications by October 1, 2009, including those published on Visa’s list of vulnerable payment applications.  As future vulnerable payment applications are identified, VisaNet processors and agents must decertify these applications within 12 months of identification. 
  • Finally, by July 1, 2010, acquirers must ensure their merchants and agents only use applications that comply with the PA-DSS. 

A list of applications that have been validated as being PA-DSS compliant is available at www.visa.com/pabp.

An encouraging sign within the hospitality industry is that a majority of those surveyed indicated that they are already working to implement solutions that do not store sensitive data within their payment systems.

While progress is being made, it’s important to be aware that we are in an arms race with today’s relentless data thieves.  As attacks upon data at rest have become more difficult, computer hackers have increasingly shifted their attacks to intercept cardholder data in motion during transaction authorization through the use of packet sniffers.  Packet sniffers are computer software or hardware used to capture and interpret a stream or block of data (referred to as a packet) traveling over a computer network. Recent investigations have found evidence of packet sniffers installed on critical systems in order to steal payment card track data as it is transmitted over the network during transaction authorization.

Packet sniffers installed by an intruder are a form of malicious software, or malware. Once network intruders gain entry into a merchant’s system, the packet sniffer programs are installed and can be difficult to detect.

The threat of packet sniffing underscores the urgency of remaining compliant with all PCI DSS requirements. 

Recommended Mitigation Strategy for Packet Sniffing
The following best practices should be utilized to mitigate the risk of exposure to critical systems, such as point-of-sale (POS) systems, payment processing servers, database servers or other servers where cardholder data resides:

  • Utilize host-based Intrusion Detection Systems (IDS)
  • Monitor firewalls for suspicious traffic, particularly outbound traffic to unknown addresses
  • Implement file integrity monitoring
  • Secure workstations so packet sniffers or other malware cannot be installed
  • Utilize encrypted protocols or encryption to protect sensitive data
  • Use packet sniffers legitimately to detect network intrusion attempts or suspicious activity on a network
  • Ensure anti-virus and anti-spyware software are up to date
  • Routinely examine systems and networks for newly added hardware devices
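The second item above, monitoring firewalls for outbound traffic to unknown addresses, is the check most likely to reveal a sniffer shipping captured track data off the payment host. The following is an added example, not code from the article or from Visa: it reads a constructed firewall log in a hypothetical "ALLOW/DENY OUT src -> dst" format, keeps only connections that originate from the cardholder-data segment, drops internal and approved destinations, and reports the rest. The segment, the approved-destination list and all addresses are placeholders from documentation ranges.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed example values: the network segment holding POS terminals and
# the payment host, and the only external destinations it is permitted to
# reach. Addresses are documentation ranges, not real processor endpoints.
CARDHOLDER_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
APPROVED_DESTINATIONS = {
    "payment-processor": ipaddress.ip_network("203.0.113.0/24"),
    "patch-mirror": ipaddress.ip_network("198.51.100.10/32"),
}
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical firewall log line format (constructed for this example):
# "<timestamp> <ALLOW|DENY> OUT <src>:<sport> -> <dst>:<dport> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) OUT "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample log: one POS terminal (10.20.5.11) talks to the processor,
# to an internal file server, and then repeatedly to an address nobody approved.
SAMPLE_FIREWALL_LOG = """\
2008-09-30T02:14:07 ALLOW OUT 10.20.5.11:49152 -> 203.0.113.40:443 TCP
2008-09-30T02:14:09 ALLOW OUT 10.20.5.11:49153 -> 10.20.0.2:445 TCP
2008-09-30T02:15:21 ALLOW OUT 10.20.5.11:49160 -> 192.0.2.77:6667 TCP
2008-09-30T02:15:22 DENY OUT 10.20.5.11:49161 -> 192.0.2.77:21 TCP
2008-09-30T02:16:00 ALLOW OUT 10.20.9.3:40000 -> 198.51.100.10:80 TCP
2008-09-30T02:16:30 ALLOW OUT 10.77.1.5:33000 -> 192.0.2.99:443 TCP
this line is not in the expected format and is skipped
"""


@dataclass
class Alert:
    timestamp: str
    action: str
    source: str
    destination: str
    port: int


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_approved(addr) -> bool:
    return any(addr in net for net in APPROVED_DESTINATIONS.values())


def find_unapproved_outbound(log_text: str) -> list:
    """Return one Alert per outbound connection attempt from the cardholder
    segment to an external address that is not on the approved list.
    Denied attempts are reported too: a blocked connection from the payment
    host is still a sign that something on it is trying to reach out."""
    alerts = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in CARDHOLDER_SEGMENT or is_internal(dst) or is_approved(dst):
            continue
        alerts.append(Alert(m["ts"], m["action"], str(src), str(dst), int(m["dport"])))
    return alerts


def summarize_by_destination(alerts) -> dict:
    """Count alerts per destination so repeated beaconing to one host stands out."""
    counts = {}
    for a in alerts:
        counts[a.destination] = counts.get(a.destination, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_unapproved_outbound(SAMPLE_FIREWALL_LOG)
    for a in found:
        print(f"{a.timestamp} {a.action} {a.source} -> {a.destination}:{a.port}")
    print(summarize_by_destination(found))
```

Run against the sample, the two connections to 192.0.2.77 are reported and the rest are not: the processor and patch mirror are approved, the file server is internal, and the last entry comes from a workstation outside the cardholder segment. The approved list is deliberately short; the point of the rule is that a payment host has very few legitimate reasons to talk to the Internet, so anything outside that list deserves a look.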

For more information and mitigation strategies regarding data security vulnerabilities, please visit www.visa.com/cisp to download an alert entitled, “Packet Sniffing Vulnerabilities”.

Protecting payment card data may require a significant devotion of time and resources.  In the final analysis, it is a necessary investment to avoid the far costlier alternative of a data compromise.

Michael E. Smith is the head of payment system risk for Visa Inc. and a regular contributor to Hospitality Upgrade.

Improperly Installed and Maintained POS Systems Increase Risk of Compromise
The hospitality industry is realizing new levels of efficiency from the high-speed connectivity and multifunctional capabilities of new point-of-sale (POS) terminals.  If not properly secured, however, they can introduce new vulnerabilities to the POS environment.  To minimize the threat of compromise, it is critical to ensure POS systems are properly configured and not susceptible to common vulnerabilities.

Host Security
Most POS environments consolidate payment system traffic into one central repository—commonly referred to as the host—that provides authorization functionality as well as data backup and various management functions.  A successful intrusion into a network infrastructure or unrestricted physical access can provide direct access to the host. The host is generally a criminal’s most highly prized target because of the sensitive payment information that is stored within or transmitted through this device.  Unauthorized access to the host could also result in the destruction of the data stored on the system or the destruction of the system itself.  Both scenarios would significantly disrupt a restaurant’s or hotel’s ability to conduct business and would likely result in extensive time and money spent to fix the problem.

To minimize the threat of compromise, it is crucial that merchants only use a payment application that has been validated as compliant with the PA-DSS and ensure that its host software does not store any prohibited data elements.  Further, the host system should have the following characteristics:

  • The host must be dedicated solely to processing transaction data.
  • All user management controls must be compliant with the PCI DSS.
  • The host must be configured in accordance with the PCI standards governing patch management, password management and security configuration.
  • The host must be physically protected in a secured area, accessible to authorized personnel only and all access should be logged and monitored.
  • The host must only accept requests from known sources based on rules governing access requests, rules which are reviewed on a regular basis.
  • Access requests should be logged to identify unusual activity and to assist in scoping the extent of possible exposure in the event of a compromise.
  • A merchant should consult its payment application(s) vendor, reseller or integrator to ask the following questions:
    - Does the product store prohibited data elements, such as full magnetic stripe data, PINs or PIN blocks?
    - Are the product and the version in use PA-DSS compliant?
    - Has all previously stored, prohibited data been properly removed from the system(s)?
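The first and third of those questions can also be checked directly on a merchant's own systems rather than taken on the vendor's word. The following is an added example, not code from the article or from Visa: a small scanner that looks through log or export files for stored full magnetic stripe data, assuming the standard ISO/IEC 7813 track 1 and track 2 layouts and using the Luhn check digit to filter out digit runs that merely resemble a card number. The sample POS log lines are constructed and use public test card numbers.

```python
import re

# Magnetic stripe track layouts (ISO/IEC 7813): track 1 format B starts with
# "%B", then PAN, "^", cardholder name, "^", expiry YYMM, service code and
# discretionary data up to the "?" end sentinel; track 2 starts with ";",
# then PAN, "=", expiry YYMM, service code, discretionary data, "?".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; rejects digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report findings as first six / last four only, so the scan report does
    not itself become another copy of prohibited data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return (line_number, track_type, masked_pan) for each stored track
    record whose PAN passes the Luhn check."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "track2", mask_pan(m.group(1))))
    return findings


def scan_file(path: str):
    """Scan a log or export file on disk; latin-1 decodes any byte sequence."""
    with open(path, "r", encoding="latin-1") as f:
        return scan_lines(f)


# Constructed sample of a POS application debug log. PANs are public test
# numbers. Line 1 shows a properly masked PAN; lines 2 and 3 show the full
# track contents a debug setting can leak into a log; line 4 is a digit run
# that fails the Luhn check and is not reported.
SAMPLE_POS_LOG = [
    "2008-09-30 12:01:03 AUTH OK amount=42.17 pan=411111******1111 auth=012345",
    "2008-09-30 12:02:11 DEBUG raw=%B4111111111111111^DOE/JOHN^2512101000000000000?"
    ";4111111111111111=25121010000000000000?",
    "2008-09-30 12:03:45 DEBUG raw=;5555555555554444=2401201123456789?",
    "2008-09-30 12:04:00 TRACE swipe=;4111111111111112=2512101?",
]

if __name__ == "__main__":
    for line_no, kind, pan in scan_lines(SAMPLE_POS_LOG):
        print(f"line {line_no}: stored {kind} data for PAN {pan}")
```

On the sample, line 2 yields one track 1 and one track 2 finding and line 3 one track 2 finding; the masked entry on line 1 and the Luhn-failing run on line 4 produce nothing. Point scan_file at application logs, database dumps and backup directories, and treat any hit as both a remediation item (secure deletion of the stored data) and a configuration question for the vendor. PINs and PIN blocks have no fixed textual form and cannot be found this way; those still have to be confirmed with the vendor.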

