Point-of-Sale System Breaches: Hackers Do Not Discriminate

by Mary Siero
“We're deeply sorry for the inconvenience and frustration this issue has caused our guests.” Those are the words prepared by the public relations staff for the 40 million Target customers affected by the data breach announced in December 2013. Besides having their card information stolen and sold on the underground market, many of those guests found their banks, credit unions, and state benefit programs closing down their cards because of "recent fraudulent activity occurring on customers' compromised cards." Those cards have been or will be reissued, and the customers will not be financially liable for the losses, but they still had unnecessary hassle introduced into their holidays.

It has been widely speculated that the Target breach was the result of malware introduced onto every point-of-sale (POS) device through a software update. This resembles earlier incidents, most recently in October 2013, when a variant of malware dubbed "Dexter" was identified as the culprit in a massive data breach affecting the South African fast-food industry. Like the Target breach, the South African one cost local banks tens of millions of rand (the South African currency) and is reported to be one of the worst breaches in that country's history.

In both cases the malware is reported to steal data through RAM scraping. Cardholder data may be encrypted on disk and in transit, but the POS application has to hold it in plaintext in memory for the moment it takes to process a transaction; a RAM scraper reads the process memory of the POS software and harvests the card numbers and magnetic-stripe track data it finds there before they are cleared.
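To make the RAM-scraping technique concrete, here is an added example (not code from the article or from any of the malware it discusses) that does the core of what a memory scraper does, and equally what a memory-forensics scan hunting for one would do: sweep a byte buffer for data in magnetic-stripe track 1 and track 2 format and keep only candidates whose PAN passes the Luhn check, which is how scrapers separate card numbers from the sea of other digits in memory. The buffer is a constructed stand-in for a POS process's memory built from the public Visa and Mastercard test numbers; a real scraper would obtain the bytes by reading another process's memory, which is left out here.

```python
import re

# Constructed sample of POS process memory (not a real dump): two card records in
# magnetic-stripe track format surrounded by unrelated data and one decoy digit run.
# The PANs are the well-known Visa/Mastercard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00session=8f3a\x00"
    b";4111111111111111=25121011234567890?\x00"      # track 2: PAN=expiry(YYMM) service-code ...
    b"%B5555555555554444^DOE/JANE^2512101?\x00"       # track 1, format B
    b"order=1234567890123456\x00"                     # 16 digits that are not card data
    b";4111111111111112=2512101?\x00"                 # track-2 shaped but fails the Luhn check
)

# Track 2: optional start sentinel ';', 13-19 digit PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1 format B: '%B', PAN, '^', cardholder name, '^', YYMM expiry, service code, ...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})[^?]*\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS 3.3 allows to be shown)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return card records found in buf, ordered by offset, with PANs masked."""
    hits = []
    for track, rx, exp_group in ((2, TRACK2_RE, 2), (1, TRACK1_RE, 3)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue        # decoy digit runs and corrupted records are dropped here
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": m.group(exp_group).decode("ascii"),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']:#06x}: {h['pan_masked']} exp {h['expiry']}")
```

The same two regular expressions, dropped into a YARA rule or a memory-forensics scan, are the usual way to confirm that a suspected scraper has in fact been collecting track data; the Luhn filter matters because a 16-digit order number or timestamp would otherwise be reported as a card.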

On January 19, 2014, Beth Belton of USA Today reported that the malware used in the Target and Neiman Marcus attacks was likely written by a 17-year-old hacker from Russia. As first described in Hospitality Upgrade's Summer 2011 article, "Who's That Knocking At My Computer," Russian cybercriminals dominate the threat landscape. Ms. Belton reported that the teenager, identified as Sergey Taraspov, sold his malware to dozens of cybercriminals for about $2,000.

With credit and debit card fraud growing more prevalent all the time (Nilson Report statistics put this type of fraud at $11.3 billion worldwide in 2012), the pressure on retailers to prevent these breaches will only increase.

Ensuring your organization is compliant with the Payment Card Industry Data Security Standard (PCI DSS) is an important step toward protecting yourself from breaches of this kind. It is crucial, however, to remember that good security will always lead to compliance, but compliance will not always lead to good security. As you review your PCI compliance plan, make sure your goal is more than just to be "minimally compliant." The extra effort involved in implementing stronger security controls is well worth it when you consider the impact a breach could have on your business and, more importantly, your reputation.

In response to the trends in the way attackers breach credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has issued improved and tougher standards. PCI DSS 3.0, effective January 2014 (although not mandatory until January 1, 2015), provides overdue new guidance related to POS systems. Had they been in place, the new requirements should have significantly lowered the risk of a breach of the type that occurred at Target and others.

The changes that affect POS systems fall into three categories: scoping, inspection of devices, and anti-malware practices.

Historically, organizations have been able to "scope out" much of their network (carve it out from the requirements of the standard) by putting their POS systems on a separate network segment, i.e., by implementing network segmentation. Only the segment on which the POS system and other cardholder data reside (the cardholder data environment, or CDE) is then subject to the standard; the other segments are not. The theory is that vulnerabilities in the non-POS segments cannot affect the segment containing the POS system.

PCI DSS 3.0 still allows you to use segmentation to scope out portions of the network, but it now requires proof that the segmentation truly isolates the POS system from the rest of the network. That proof takes the form of validation through testing that the segments are separate and that a vulnerability in a non-POS segment could not be used to reach the segment containing the cardholder data. Requirement 11.3.4 calls for this to be verified by penetration testing, at least annually and after any change to the segmentation controls, so a network penetration test that attempts to reach the CDE from the out-of-scope segments is the usual way to provide this validation.
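As an added example (not the article's own material), the following script is the kind of segmentation check a penetration tester runs from a host on an out-of-scope segment: every cardholder-data-environment endpoint in the list must be unreachable, and a control endpoint that is known to be reachable must answer, because otherwise a dead network interface or a misconfigured tester would be indistinguishable from perfect isolation. The hostnames, ports and labels are assumptions for illustration; the `__main__` block demonstrates the logic offline on the loopback interface.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_segmentation(cde_targets, control_targets, probe=tcp_probe) -> dict:
    """Run from a host on an out-of-scope segment.

    control_targets must be reachable (they prove the tester's network path works);
    cde_targets must all be unreachable.  Without the control check a dead NIC or a
    misconfigured tester would look exactly like perfect isolation.
    """
    control_down = [t for t in control_targets if not probe(t.host, t.port)]
    leaks = [t for t in cde_targets if probe(t.host, t.port)]
    if control_down:
        status = "INCONCLUSIVE"
    elif leaks:
        status = "FAIL"
    else:
        status = "PASS"
    return {"status": status, "leaks": leaks, "control_down": control_down,
            "tested": len(cde_targets)}


def report(result: dict) -> str:
    """Human-readable summary suitable for the penetration test evidence file."""
    lines = [f"segmentation test: {result['status']} ({result['tested']} CDE endpoints probed)"]
    lines += [f"  control unreachable: {t.label} {t.host}:{t.port}" for t in result["control_down"]]
    lines += [f"  CDE reachable:       {t.label} {t.host}:{t.port}" for t in result["leaks"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration on the loopback interface: a listening socket stands in for
    # the control host, a port that was just released stands in for an isolated CDE service.
    # The IPs, ports and labels are assumptions for illustration.
    control = socket.socket()
    control.bind(("127.0.0.1", 0))
    control.listen()
    released = socket.socket()
    released.bind(("127.0.0.1", 0))
    closed_port = released.getsockname()[1]
    released.close()
    result = verify_segmentation(
        cde_targets=[Target("127.0.0.1", closed_port, "pos-db")],
        control_targets=[Target("127.0.0.1", control.getsockname()[1], "guest-wifi-gw")],
    )
    print(report(result))
    control.close()
```

In a real engagement the CDE list is built from the scope document (POS application servers, the payment database, the terminal management host, the management interfaces of the switches and firewalls between segments), the script is run from each out-of-scope segment in turn (guest Wi-Fi, back office, property management, vendor VPN), and a single reachable CDE port fails the test regardless of whether the service behind it has a known vulnerability.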

Another new requirement in PCI DSS 3.0 is "9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution." It calls for an up-to-date inventory of these devices (make, model, location, and serial number) and for periodic inspection of them, and it is considered a best practice under the new standard until June 30, 2015, when it becomes a requirement. It strengthens card-present transactions (like those at the Target stores) by ensuring that terminals are checked on a regular basis for signs that they have been tampered with or swapped for a look-alike.
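As an added example (not part of the article), here is the reconciliation step of a 9.9 inspection in code: a constructed device inventory in the shape Requirement 9.9.1 asks for is compared with what a walk-through actually found, and serials that no longer match their recorded location are flagged as substituted, missing, moved or unknown, with overdue inspections flagged as well. The models, serials, locations and the 90-day inspection interval are assumptions; the standard leaves the inspection frequency to the merchant's own risk assessment.

```python
from datetime import date

# Constructed baseline inventory in the shape PCI DSS 9.9.1 asks for: make/model,
# location and serial number per device, plus the date of the last recorded inspection.
# All values are illustrative assumptions.
BASELINE = [
    {"serial": "VX520-A1", "model": "VeriFone Vx520", "location": "front desk 1", "last_inspected": date(2014, 4, 1)},
    {"serial": "VX520-B2", "model": "VeriFone Vx520", "location": "front desk 2", "last_inspected": date(2014, 4, 1)},
    {"serial": "IPP320-C3", "model": "Ingenico iPP320", "location": "restaurant", "last_inspected": date(2014, 2, 1)},
    {"serial": "IPP320-D4", "model": "Ingenico iPP320", "location": "spa", "last_inspected": date(2014, 4, 1)},
]

# Constructed result of today's walk-through: what was physically found where.
OBSERVED = [
    {"serial": "VX520-A1", "location": "front desk 1"},
    {"serial": "VX520-ZZ9", "location": "front desk 2"},   # a different terminal sits at desk 2
    {"serial": "IPP320-C3", "location": "bar"},            # moved without an inventory update
    # the spa terminal was not found at all
]

TODAY = date(2014, 6, 1)   # assumed inspection date


def reconcile(baseline, observed, today, max_days=90) -> list:
    """Compare a walk-through against the inventory.

    Returns (category, serial, detail) tuples with categories
    substituted, missing, moved, overdue and unknown.  max_days is the
    assumed maximum interval between inspections.
    """
    expected = {d["serial"]: d for d in baseline}
    seen = {o["serial"]: o for o in observed}
    findings = []
    explained = set()   # unknown serials already reported as substitutions
    for serial, dev in expected.items():
        if serial in seen:
            if seen[serial]["location"] != dev["location"]:
                findings.append(("moved", serial, f"{dev['location']} -> {seen[serial]['location']}"))
        else:
            # something with a serial we do not know sits where this device should be
            swapped = [o["serial"] for o in observed
                       if o["location"] == dev["location"] and o["serial"] not in expected]
            if swapped:
                explained.update(swapped)
                findings.append(("substituted", serial, f"{dev['location']}: found {swapped[0]} instead"))
            else:
                findings.append(("missing", serial, dev["location"]))
        if (today - dev["last_inspected"]).days > max_days:
            findings.append(("overdue", serial, f"last inspected {dev['last_inspected'].isoformat()}"))
    for serial, obs in seen.items():
        if serial not in expected and serial not in explained:
            findings.append(("unknown", serial, obs["location"]))
    return findings


def demo_findings() -> list:
    """Reconcile the constructed walk-through against the constructed baseline."""
    return reconcile(BASELINE, OBSERVED, TODAY)


if __name__ == "__main__":
    for category, serial, detail in demo_findings():
        print(f"{category:<12} {serial:<10} {detail}")
```

A substituted or unknown device is the finding that matters most: an attacker who swaps a terminal for a look-alike with a skimmer inside, or adds one, depends on nobody comparing serial numbers against the list. Seals, weight and visual checks for overlays belong on the same inspection checklist; they are manual steps and are not modelled here.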

Lastly, the new standard (Requirement 5.1.2) addresses the need for increased vigilance on systems not commonly targeted by malware, requiring periodic evaluation of whether such systems still warrant going without anti-malware protection. While the standard's guidance specifically calls out platforms such as mainframes and the IBM iSeries/AS/400, systems running Apple's Mac OS would fall into this category as well. This recognition that malware can be written for any technology is a key improvement to the standard and injects reality for those who think "it can't happen to me" because their system is not a common target for hackers.

About The Author
Mary Siero
Innovative IT

Mary Siero is an executive level Information Technology Consultant with experience in several industries in both IT and business departments. Her diverse background has provided her with a unique perspective about IT's role and the value it can bring to the businesses it supports. Mary has over 30 years' experience in engineering and technology from industries such as Gaming and Hospitality, Healthcare, Consumer Products, Manufacturing and Education.
