As I watched the late night news a couple of months ago, there was a special report by Channel 7 in Los Angeles on hotel credit card breaches and what guests can do to address the problem. Many of us had suspected that the industry has a problem with regards to data security, but for obvious reasons only a few of the breaches had actually been publicized. We are already going through a tough economic downturn and the last thing we need is guests receiving more negative press about traveling and staying at hotels. Now that the story was on one of the major networks, I noticed immediately that no industry representative had been interviewed to provide input from the hotel’s perspective. As such, the report highlighted much of the negative aspects of the problem with nothing positive on what has been done by so many organizations toward PCI compliance. Then it suddenly struck me that the lack of representation probably had more to do with legal considerations than with the network choosing to exclude the industry perspective on the issue. Nobody wants to be associated with this problem.
This got me to thinking. As an industry, we need to start talking about the issue and sharing information about how to combat the problem rather than continue to secretly address the situation on a case-by-case basis. In an effort to combat the situation, here are a few lessons that I have learned that may be of use to organizations who unfortunately may suffer under the weight of a breach.
Being Proactive
One of the key things learned from managing a breach is the need to be proactive. Very often it looks as though organizations take the deer-in-the-headlights approach. Once they receive the information from their processor or acquiring bank that they have been breached, they wait for assistance and direction from them as it relates to addressing the problem. The card brands, processors and acquiring banks really do not have sufficient experienced resources to provide the detailed direction that most hotels and organizations are looking for, and as such can only provide certain directives, such as the need to conduct an immediate forensic assessment. As a result, organizations that simply follow the basic directives become reactionary, in the sense that they wait for directives from the credit card processing organizations rather than trying to become proactive and hit the issue head on.
There are specific reasons for the current methodology for addressing breaches. Very often, the processor and card brands want you to contact an authorized forensic company immediately so that they can conduct their initial scans and take the initial hard drive images before any remediation efforts are performed. The reason for this is that they would like to capture any and all information associated with the breach to aid in tracking the perpetrators and for research purposes to ascertain the extent of the compromise. This helps them work with the various authorities to help catch the bad guys, and it also helps them identify all of the credit card numbers that have potentially been exposed so that they can hopefully be proactive and close and re-issue the breached card numbers before extensive fraud can be perpetrated against them. These all seem to be (and in many cases are) reasonable requests.
The reality of how things play out, however, is the following: it takes a little time for the processors and card brands to contact the hotel/resort after a breach has occurred, usually a month or two while they establish a common point of purchase (CPP). When the hotel is contacted, there is very little education on the protocols for how to address the breach, and in most cases it is requested to contact an authorized forensic company immediately to have the network analyzed. Because financial protocol calls for most hotels and resorts to obtain at least three bids from competing companies, this process can take some time to facilitate until a company is selected and engaged. Very often the forensic companies do not have the resources to come on site immediately, and the forensic assessment may only occur a month (or more) after the initial breach was reported. All this time, the perpetrators continue to breach the network and cards continue to be compromised, much to the detriment of the organization and staff. Following the forensic company’s onsite visit, it usually takes a minimum of three to four weeks to obtain the reports back indicating where the breach occurred and recommendations on how to address the problem. That is, if they are able to locate the source of the problem at all: they conduct a scan and take images of the hard drives at a specific point in time, akin to a snapshot. There are instances where they will not be able to locate or identify the breach. The point is that if you follow protocol whereby you do not try to remediate the network or breach until the forensic report is issued, you could be allowing the bad guys to continue to compromise your guests’ credit cards and data for an extended period of time.
Beyond the business issue that guests’ credit cards are potentially compromised during the period of the forensic analysis and assessment, there is also the issue of the fines and penalties that the card brands, processor and banks may elect to levy against the organization for the breach that has occurred. These fines and fees are usually linked to the overall number of cards that have been breached and the financial exposure to these entities. This does not take into account the increased exposure to potential lawsuits from individual guests and groups who have been compromised during the period of the breach. If you’re seeing a pattern here, you are getting the picture. The more reactionary the approach taken to a breach, the more likely the damages and resulting costs are going to increase.
Given these facts, it is recommended that you work with your processor to address your concerns and try to have your remediation team involved from the outset with the forensic team and possibly a certified QSA (recommended but may not be required) to reach a compromise that addresses everyone’s interests. The sooner the remediation process can start, the sooner the breach can be contained, which benefits everyone concerned.
Creating Checks and Balances
Another issue that is starting to emerge is the role of the qualified security assessor (QSA). QSAs play an important role in establishing and verifying PCI compliance. While they are usually not a part of the initial requirement from the processor, they can play an important role verifying the 12-step PCI compliance requirements and can assist in providing guidance on what is required to become compliant. If you speak with representatives of hotels that have been breached, they all say that while the PCI compliance standards point to specific issues affecting PCI compliance, the interpretation of how to achieve compliance varies between different QSAs, particularly when it comes to operational policies and procedures, which can sometimes be subjective. For example, when do the potential requirements stifle the business operation to such an extent that it is no longer viable to conduct business? Part of this has to do with the ability of the QSA to translate the compliance requirement into an effective business operation. This is where choosing a QSA becomes extremely important and where hospitality experience really should be taken into account.
Another issue affecting the role of the QSA is the increasing trend of QSAs that not only perform assessments and advise hotels/clients on what they need to remediate, but who also facilitate the remediation as well. In this case there are no checks and balances in place to review the QSA's recommendations, and they are placed in a position where they can potentially be viewed as writing their own checks. This issue has been highlighted for a number of years now, with recognized industry monitoring agencies and companies such as Gartner reporting on the issue as far back as Nov. 20, 2008, and indicating that the “PCI Quality Assurance Program did not go far enough to prevent conflicts of interest from occurring.”
This is not to say that QSAs are intentionally creating work from their recommendations, but the fact is that their interpretation of what is required may be more stringent than what is actually necessary. For example, if there is an issue with the age of network switching equipment and the new recommendation calls for the replacement of the switch, the QSA may recommend a very expensive product that has full security features and monitoring capabilities when a lower cost product with similar features may suffice. The QSA may recommend segmenting the network and the procurement of an outside monitoring service. This may be highly recommended, but not required. Very often the QSAs or affiliated remediation providers may be partnered with monitoring programs and applications, and receive remuneration for the ongoing term of the contract. As such, it is important to have either an in-house resource or a third party review the recommendations to ensure that the necessary checks and balances are in place. Failure to do this could prove to be a costly venture for the organization.
Remediation
Following the forensic report and the identification of the specific issues associated with the breach, the card brands and processor confer to review the report and address the concerns identified regarding the security breach. Many times, if the hotel has engaged a QSA, the QSA will aid in identifying the key areas of security concern within the forensic report and highlight the items earmarked for remediation within the overall report. This will provide the members of the card brands and processor with an overview of how the breach occurred, what security features were missing that potentially allowed the compromise, and what is being done to remediate and address the problem. Additionally, a timeline is requested for getting these items addressed. This shows a proactive approach to addressing the problem and to bringing the entity to a status of compliance.
Now here is the part that is not well communicated by the various parties. Once it has been established that the hotel or organization is not compliant, the card brands reserve the right to assess a fine for being out of compliance. As such, it is incumbent upon the property or organization to speed up the remediation process to mitigate and limit the exposure to ongoing assessments or fines. Additionally, just because the property addresses or remediates the issues does not necessarily mean that the assessments or fines will be reduced or eliminated. It is the responsibility of the property or organization to conduct the full 12-step PCI assessment (potentially with the aid of a certified QSA) and submit this report to the processor and card brands showing the full remediation of all non-compliance issues. Only once this report has been received and validated by the various parties, showing that the property or organization is in full compliance, will they elect to cease the penalties and fines. In many cases, the property is not educated on the proper filing procedures and as such may be subjected to unnecessary penalties that could have been eliminated had it known the correct proactive protocols to follow.
So What Do We Do about the Problem?
There are many facets to the issue of data security and PCI compliance. In trying to research some of the industry breaches that have occurred, one thing became apparent. While many people whose organizations were either breached or have invested in making them compliant wanted to share their knowledge, most were unable to share publicly due to legal concerns and other considerations. Very little knowledge is being shared on this important issue with the overall industry. The result is that while most networks are being breached via the same methods (password compromises being the most prevalent), the lack of transparency is actually aiding the perpetrators and making their crimes easier. With as much knowledge as there is on this issue, we should be able to lock down most of the networks and greatly limit the exposure of our industry to this silent business killer.
Last year Trustwave reported that hotels accounted for 38 percent of all of its credit card fraud clients. This highlights that this is a growing problem and that unless we start addressing it as an industry, it is only going to get worse.
Here are some suggestions for moving forward:
- Create an organization that can address the issue from an industry standpoint so that we can work with the PCI Council to create industry-specific standards.
- Create an organization that will promote the sharing of information about the latest breaches and develop methods to thwart the perpetrators of these crimes.
- Create educational programs for hotels and organizations to learn how to secure their networks to an industry standard, and implement the latest security technology such as tokenization at their facilities.
- Create industry-specific, step-by-step procedures to follow once you have been notified that you have been breached.
- Establish a procedure whereby all forensic companies and hotels share the information they find on new malware with the various antivirus application providers. Many forensic companies have a wealth of information which they share internally but not with the industry. The sooner we get this information, the quicker we can react as an industry to the problem.
We are all in this problem together and the sooner we start helping each other the better off as an industry we are going to be.
Jeremy Rock is the president of the RockIT Group, a technology consulting firm specializing in new development and refurbishment projects. He can be reached at jrock@rockitgroup.com.
©2010 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.