Successfully reported this slideshow.

Credit card frauds in hospitality


Published on

According to recent surveys hospitality has been targeted most for the credit card frauds, Most of us are not even aware of it, This presentation will give a small idea about the credit card frauds in hospitality, types of attacks, and their counter measures.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Credit card frauds in hospitality

  1. 1. INFORMATIONSECURITY IN HOTELSCredit Card InformationVishal SharmaInformation Security Consultant
  2. 2. Tourism is one of the six key locational factors for acountry’s Image which gives an idea about a country’sculture & economyHere are some figures relating to nights spend in GermanHotels by resident and non-resident over a period from2010-2011 and the relative expansion of tourism.
  3. 3. Nights spend in Hotels in Germany 2011 (inMillions)total non-residents residents240.8 51.3 189.5percentage increase from 2010 in %total non-residents residents5.40% 6.00% 5.30%
  4. 4. non-residents residentsNights spend in Germany by resident/non-resident
  5. 5. residentsnon-residents total 4.80% 5.00% 5.20% 5.40% 5.60% 5.80% 6.00% % Change in overnight stay after 2010
  6. 6.  But with increasing demand of customers for tourism in Germany, the liability of ensuring customer’s security is also increasingInformation Assets of a customer• Personal information (identity, nationality, DOB. etc.)• Payment• Purpose of visit• Duration of stay• Facilities/services availed by customer
  7. 7. Modes of Payment:• Cash• Credit/Debit Cards• Travellers’ Cheques• Vouchers• Company Account• Money transfer to the desired account
  8. 8. Ways of booking a room in hotel:• Via mail• Via hotel’s website• At arrival• Via Phone• Travel agency• Via company
  9. 9. Check in procedure:
  10. 10. NOTE: According to Verizon Data Breach Investigation Report(DBIR) in 2010, hospitality industry was most vulnerable targetby hackers following with financial and retail industriesrespectively. And the most important fact is that 98% of thetargeted data was payment card information.
  11. 11. Hotels Hacked the mostHospital Financial Ret Food and Business Educati Technolo Manufacturi Otheity Services ail beverage Services on gy ng rs38 19 14.2 13 5 1.4 4 1.4 4
  12. 12. HospitalityFinancial ServicesRetailFood and beverageBusiness ServicesEducationTechnologyEducationManufacturing
  13. 13. Types of Credit Cards Fraud
  14. 14. Identity TheftSource:
  15. 15. Malware
  16. 16. Other means of credit card information breach• Dummy wi-fi / Hotspot: Wireless internet is one of the most basic services offered by many hotels—However, you might be connecting to hotel’s actualnetwork, instead, you may have simply clicked on a dummyWi-Fi network called “ABC-Free-Wi-Fi”
  17. 17. • Phishing by phone: since the beginning of IP telephone systems, the risk of telephone phishing has always been higher.
  18. 18. • Since in hospitality industry, people are hardly aware of Information Security norms, appliance or governance, so I would like to shed a little light on PCI-DSS requirements:• PCI –DSS Requirements:• Requirement 1: Install and maintain a firewall configuration to protect cardholder data• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters• Requirement 3: Protect stored cardholder data• Requirement 4: Encrypt transmission of cardholder data across open, public networks• Requirement 5: Use and regularly update anti-virus software or programs• Requirement 6: Develop and maintain secure systems and applications• Requirement 7: Restrict access to cardholder data by business need to know
  19. 19. • Requirement 8: Assign a unique ID to each person with computer access• Requirement 9: Restrict physical access to cardholder data• Requirement 10: Track and monitor all access to network resources and cardholder data• Requirement 11: Regularly test security systems and processes.• Requirement 12: Maintain a policy that addresses information security for all personnel.
  20. 20. • Network Separation: Isolation of network is not an entity of PCI-DSS but it should be clearly defined that which channel we would use in order to perform various operations in hotels. Network segmentation or separation can be done in various ways at physical or logical level:• Configured internal network firewalls• Routers with strong access control lists• IAM-Identity Access Management or the technologies that restrict access to a particular segment of a network.
  21. 21. • According to PCI-DSS the business needs should be defined, policies, and processes should be defined clearly in order to store individual’s information. So the minimal and only the legitimate information which is highly required should be stored and the retention policies should be strictly followed.
  22. 22. • Wireless: When wireless technology is used to store, process, or transmit cardholder data then we need to consider the following in order to have secure transmission over the channel• Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.• For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.• Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
  23. 23. • Third Party Outsourcing: According to the business processes defined involved parties needs to involved certain measures• They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers’ PCI DSS assessments
  24. 24. THANKSInformation security is a ongoing process