The speed and appropriateness with which a company handles an attack on its information systems determines how well it will be able to control the costs and consequences that could result.
Like any business, a hotel or restaurant that exposes payment card data may be held liable for associated losses, including fraud and fines, and may find itself the subject of unwanted attention from government agencies and the media. But in the hospitality business, protecting the brand reputation is critically important for bringing in new customers and maintaining relationships with existing customers.
Even if a compromise event never results in financial losses, it can still lead to a loss of customer loyalty and unfavorable brand reputation – if not dealt with quickly, thoroughly and openly. The time to plan for the unthinkable is now, not after it happens.
Detecting a Suspected Breach
Regular monitoring for the early warning signs of a data compromise should be an important part of your plan. Any sign of a suspected security incident or system intrusion requires that Visa clients and their merchants take immediate action to investigate the incident, limit the exposure of cardholder data, notify Visa and report investigation findings.
Preventive Measures
To minimize the possibility of a data security breach and mitigate the risk of a data compromise, merchants should maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), and at a minimum the following actions need to be enforced:
- Implement a firewall to permit network traffic only where there is a defined business need and deny all other network traffic.
- Use and securely implement Payment Application–Data Security Standard (PA-DSS) compliant applications and update all systems routinely with current security patches.
- If use of remote access products is necessary, implement the latest security patches and configurations as well as ensure that strong authentication is required for login.
- Ensure antivirus, anti-spyware and anti-malware software are up to date.
- Contact product vendors for more information on how to secure their products.
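As an added illustration of the first measure above (this is example code, not part of the article or of any Visa or PCI material), the script below emits an nftables ruleset for a hypothetical cardholder data environment segment with a default-deny policy on every base chain and explicit accepts only for flows with a defined business need, plus a small audit function that rejects a ruleset lacking default deny or containing an unconditional accept. The subnet, gateway, jump host and patch server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): default-deny nftables ruleset for a
# hypothetical CDE segment. All addresses below are constructed placeholders.

POS_NET="10.20.30.0/24"      # hypothetical POS terminal subnet
GATEWAY="203.0.113.10"      # hypothetical payment gateway (documentation range)
JUMP_HOST="10.20.99.5"      # hypothetical admin jump host for remote access
PATCH_SRV="203.0.113.20"    # hypothetical vendor patch mirror

# Emit the ruleset text. To load it on a host: cde_ruleset | nft -f -
cde_ruleset() {
    cat <<EOF
table inet cde {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr $JUMP_HOST tcp dport 22 accept comment "admin access from jump host only"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr $POS_NET ip daddr $GATEWAY tcp dport 443 accept comment "POS to payment gateway"
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        udp dport 53 accept comment "DNS"
        ip daddr $PATCH_SRV tcp dport 443 accept comment "security patch downloads"
    }
}
EOF
}

# Audit helper: reads a ruleset on stdin; returns non-zero if any base chain
# lacks "policy drop" or if a rule accepts traffic with no match qualifier.
check_default_deny() {
    rules=$(cat)
    chains=$(printf '%s\n' "$rules" | grep -c 'type filter hook' || true)
    drops=$(printf '%s\n' "$rules" | grep -c 'policy drop' || true)
    if [ "$chains" -ne "$drops" ]; then
        echo "base chain without default deny"; return 1
    fi
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*accept([[:space:]]|$)'; then
        echo "unconditional accept rule found"; return 1
    fi
    return 0
}
```

Run `cde_ruleset | check_default_deny` before loading any edited ruleset; the audit only catches the two coarse mistakes named above, not an over-broad but qualified rule.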
What to Do If Compromised
Hotels or restaurants that have experienced a suspected or confirmed security breach must take prompt action to help prevent additional exposure of cardholder data and ensure compliance with the PCI DSS, PA-DSS and PCI PIN security requirements.
1. Immediately contain and limit the exposure. Minimize data loss. Prevent the further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. Compromised entities should consult with their internal incident response team to preserve evidence and facilitate the investigation.
2. Alert all necessary parties immediately:
- Notify your internal incident response team and information security group.
- If you are a merchant, contact your merchant bank.
- If you do not know the name and/or contact information for your merchant bank, notify the Visa Incident Response Manager immediately.
- If you are a financial institution, contact the appropriate Visa region at the number provided at the end of this article.
3. Notify the appropriate law enforcement agency.
How Do You Communicate About a Breach?
The way in which a hotel or restaurant communicates a data breach can build or damage its hard-earned trust and corporate reputation. A 2008 survey of U.S. consumers found that an average of 79 percent cite loss of trust and confidence in any business they deal with as a consequence of a security or privacy breach. (The CA 2008 Security and Privacy Survey, by CA Inc.)
An October 2008 consumer confidence survey by Solidcore Systems, Inc., found that 74 percent of U.S. consumers would not shop where they feel their financial or personal information may be at risk.
Every data breach is different and there may be no precedent within your organization for responding. Yet there are some communications principles that can be applied to most data breach situations.
Consider a breach likely and prepare accordingly. Implementing internal structures and protocols to monitor, assess and upgrade security will enable your company to respond rapidly when the alarm bells go off. This will allow you to assemble the correct information; be honest, open and accountable; and distribute vital communications to key audiences quickly.
Have a breach response communications plan in place. Include personnel and processes with the lists and channels needed to execute all communications that might be needed.
Find the facts and tell them fast. In breach cases, determining facts with certainty often becomes the enemy of providing that information quickly. To avoid customers feeling that they’ve been left at risk for too long before being notified, give yourself permission to notify before you know everything, or before you know it with confidence. Stalling, limiting information and appearing guarded can be an invitation for reporters to press, probe and eventually leak out details of your story in multiple reports, or publish critiques of how your company handled (or mishandled) the situation.
Be open, honest and transparent. State your news plainly and publicize how you are notifying customers. By communicating early and delivering on promised updates, the company reduces the likelihood of media coverage that relies on conjecture or possibly incorrect information.
Take ownership and express regret. Immediately acknowledge responsibility for the breach and regret for its impact. Once you’ve done so, you can move from the problem to talking about the solution.
Put an executive face on the issue. Issuing press quotes or public comment from an IT employee, customer service representative or low-level manager does not signal commitment. Sending a personalized notification letter signed by the president or CEO demonstrates how seriously a company is taking the issue.
Take credit for what you are doing. Explain how you have addressed the problem (cooperation with law enforcement, internal review, third-party forensics investigation, etc.) and what you are doing to support customers. Demonstrating activity will advance your objective of reducing customers’ security concerns.
Provide real, customer-focused support. There is no better way to restore trust and credibility than to demonstrate to consumers what you are doing on their behalf and what support you are offering, including such options as toll-free information lines, credit monitoring, investigators or identity restoration services.
Although no formula can account for the many variations and circumstances that may be involved in individual data breaches, the principles and recommended best practices above, drawn from experts in data security and communications, should allow you to prepare, react and respond with confidence – and then look back with no regrets.
Eduardo Perez, CFA, leads the Global Data Security Group within the Payment System Risk Department. In this role, he has direct line responsibility for key teams including U.S. Data Security, Global Third Party Agent Risk, Global Authentication Strategy and Emerging Risk, and Global Security Standards.