INFORMATION SECURITY IN HOTELS
Credit Card Information

Vishal Sharma
Information Security Consultant
Tourism is one of the six key locational factors for a country's image, which gives an idea about a country's culture and economy. Here are some figures relating to nights spent in German hotels by residents and non-residents over the period 2010-2011, and the relative expansion of tourism.
Nights spent in hotels in Germany, 2011

                             total    non-residents    residents
Nights 2011 (in millions)    240.8    51.3             189.5
Increase from 2010 (in %)    5.40%    6.00%            5.30%
[Chart: nights spent in Germany by residents / non-residents]

[Chart: % change in overnight stays after 2010, for total, non-residents and residents (axis 4.80% to 6.00%)]
But with the increasing demand of customers for tourism in Germany, the liability of ensuring customers' security is also increasing.

Information assets of a customer:
• Personal information (identity, nationality, date of birth, etc.)
• Payment
• Purpose of visit
• Duration of stay
• Facilities/services used by the customer
Modes of payment:
• Cash
• Credit/debit cards
• Travellers' cheques
• Vouchers
• Company account
• Money transfer to the desired account
Ways of booking a room in a hotel:
• Via mail
• Via the hotel's website
• At arrival
• Via phone
• Via a travel agency
• Via a company
NOTE: According to the Verizon Data Breach Investigations Report (DBIR) 2010, the hospitality industry was the industry most targeted by hackers, followed by the financial and retail industries respectively. And the most important fact is that 98% of the targeted data was payment card information.
Other means of credit card information breach
• Dummy Wi-Fi / hotspot: wireless internet is one of the most basic services offered by many hotels. However, you might believe you are connecting to the hotel's actual network when in fact you have simply clicked on a dummy Wi-Fi network called "ABC-Free-Wi-Fi".
• Phishing by phone: since the beginning of IP telephone systems, the risk of telephone phishing has always been higher.
• Since people in the hospitality industry are hardly aware of information security norms, appliances or governance, I would like to shed a little light on the PCI-DSS requirements.

PCI-DSS requirements:
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Requirement 5: Use and regularly update anti-virus software or programs
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 7: Restrict access to cardholder data by business need to know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
• Requirement 12: Maintain a policy that addresses information security for all personnel
• Network separation: network isolation is not a PCI-DSS requirement in itself, but it should be clearly defined which channel is used to perform the various operations in a hotel. Network segmentation or separation can be done in various ways at the physical or logical level:
• Configured internal network firewalls
• Routers with strong access control lists
• IAM (Identity and Access Management) or other technologies that restrict access to a particular segment of the network
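As an added example that is not part of the deck, the following Python models the logical segmentation described above as a first-match, default-deny rule set between named hotel network segments (guest Wi-Fi, front desk, the cardholder data environment, the internet). The address plan, segment names, ports and rules are constructed assumptions; a real deployment would express the same policy on its firewalls or router ACLs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan for this example (assumption, not from the deck).
SEGMENTS = {
    "guest-wifi": ip_network("10.10.0.0/16"),
    "front-desk": ip_network("10.20.0.0/24"),
    "cde": ip_network("10.30.0.0/24"),        # cardholder data environment: terminals, payment module
    "internet": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # source segment name
    dst: str             # destination segment name
    port: Optional[int]  # destination TCP port; None means any port
    action: str          # "allow" or "deny"


# Evaluated top to bottom, first match wins; anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("guest-wifi", "cde", None, "deny"),          # guests never reach the CDE
    Rule("guest-wifi", "front-desk", None, "deny"),   # nor the front-desk workstations
    Rule("guest-wifi", "internet", 443, "allow"),
    Rule("guest-wifi", "internet", 80, "allow"),
    Rule("front-desk", "cde", 443, "allow"),          # front desk talks to the payment module over TLS only
]


def segment_of(ip: str) -> str:
    """Map an address to the most specific segment that contains it."""
    addr = ip_address(ip)
    for name, net in sorted(SEGMENTS.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one flow under first-match semantics with a default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and (rule.port is None or rule.port == dst_port):
            return rule.action
    return "deny"


def segments_with_access_to(dst: str) -> List[str]:
    """Segments that have any allow rule towards dst; useful when scoping the PCI-DSS assessment."""
    return sorted({r.src for r in POLICY if r.dst == dst and r.action == "allow"})


if __name__ == "__main__":
    for flow in [("10.10.5.7", "10.30.0.10", 443), ("10.20.0.5", "10.30.0.10", 443),
                 ("10.20.0.5", "10.30.0.10", 22), ("10.10.5.7", "203.0.113.9", 443)]:
        print(flow, "->", evaluate(*flow))
    print("segments that can reach the CDE:", segments_with_access_to("cde"))
```

The point of `segments_with_access_to` is that the set of segments with a path into the CDE is exactly the set that ends up in scope for the assessment, so keeping it short is what makes segmentation worthwhile.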
• According to PCI-DSS, the business needs should be defined, and policies and processes should be defined clearly before an individual's information is stored. So only the minimal, legitimately required information should be stored, and the retention policies should be strictly followed.
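As an added example that is not from the deck, the Python below shows what Requirement 3 (protect stored cardholder data) and the data-minimisation and retention point above look like in code: Luhn-filtered detection of clear-text PANs in log lines, masking to the first six and last four digits, stripping fields a booking record should never hold, and listing records whose retention period has elapsed. The log lines, booking records, allowed-field list and 90-day retention period are constructed assumptions; the card numbers are the payment brands' published test numbers, not real cards.

```python
import re
from datetime import date, timedelta
from typing import Dict, List, Tuple

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); filters out booking ids, timestamps and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows on display."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line: str) -> List[str]:
    """Luhn-valid PANs that appear in clear in one log line."""
    candidates = (re.sub(r"\D", "", m.group(0)) for m in PAN_CANDIDATE.finditer(line))
    return [c for c in candidates if luhn_valid(c)]


def redact_line(line: str) -> str:
    """Replace every clear-text PAN with its masked form; non-Luhn numbers are left alone."""
    def repl(m) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


# Sensitive authentication data must never be stored after authorisation.
FORBIDDEN_FIELDS = {"cvv", "cvc", "pin", "track_data"}
# Fields a booking record legitimately needs (assumed for this example).
ALLOWED_FIELDS = {"guest_id", "name", "checkin", "checkout", "masked_pan", "card_expiry", "amount"}
RETENTION_DAYS = 90  # assumed retention period; the hotel's policy sets the real one


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keep only allowed fields, masking a clear PAN; return the record and the dropped field names."""
    kept, dropped = {}, []
    for field, value in record.items():
        if field == "pan":                 # a clear PAN is stored only in masked form
            kept["masked_pan"] = mask_pan(value)
            dropped.append("pan")
        elif field in ALLOWED_FIELDS:
            kept[field] = value
        else:                              # forbidden, or simply not needed for the business process
            dropped.append(field)
    return kept, dropped


def expired_records(records: List[Dict[str, str]], today: date) -> List[str]:
    """Guest ids whose retention period, counted from checkout, has elapsed."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r["guest_id"] for r in records if date.fromisoformat(r["checkout"]) < cutoff]


# Constructed sample data.
SAMPLE_LOG_LINES = [
    "2011-06-01 10:02:11 front-desk checkin guest=12345 pan=4111111111111111 amount=189.00",
    "2011-06-01 10:05:43 front-desk checkin guest=12346 pan=411111******1111 amount=95.50",
    "2011-06-01 10:07:02 pms backup job=nightly id=1234567890123456 status=ok",
]
SAMPLE_RECORDS = [
    {"guest_id": "12345", "name": "A. Guest", "checkout": "2011-01-15", "masked_pan": "411111******1111"},
    {"guest_id": "12346", "name": "B. Guest", "checkout": "2011-05-20", "masked_pan": "550000******0004"},
]
SAMPLE_TODAY = date(2011, 6, 1)

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG_LINES, 1):
        if find_unmasked_pans(line):
            print(f"line {n}: clear PAN found, redacted ->", redact_line(line))
    print("past retention:", expired_records(SAMPLE_RECORDS, SAMPLE_TODAY))
```

The Luhn filter is what makes the scanner usable on hotel logs: the third sample line carries a 16-digit backup id that would otherwise be reported and redacted by mistake. Redacting a log line is a cleanup; the lasting fix is to stop the application writing the PAN in the first place.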
• Wireless: when wireless technology is used to store, process or transmit cardholder data, we need to consider the following in order to have secure transmission over the channel:
• Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
• For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords and SNMP community strings.
• Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
• Third-party outsourcing: according to the business processes defined, the involved parties need to take certain measures:
• They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or
• If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers' PCI DSS assessments.
THANKS

Information security is an ongoing process.