1) Tourism is an important part of Germany's economy and culture, with over 240 million nights spent in German hotels in 2011, a 5.4% increase from 2010. 2) Hotels hold significant customer information such as payment details, personal information, travel plans, which makes them a prime target for hackers seeking financial data. 3) To protect customer information, hotels must comply with PCI security standards which require practices like firewalls, encryption, access control, and regular security testing. Proper network segmentation and access restrictions are also important to reduce risk of credit card fraud and data breaches.

1. INFORMATION
SECURITY IN HOTELS
Credit Card Information
Vishal Sharma
Information Security Consultant

2. Tourism is one of the six key locational factors for a
country’s Image which gives an idea about a country’s
culture & economy
Here are some figures relating to nights spend in German
Hotels by resident and non-resident over a period from
2010-2011 and the relative expansion of tourism.

3. Nights spend in Hotels in Germany 2011 (in
Millions)
total non-residents residents
240.8 51.3 189.5
percentage increase from 2010 in %
total non-residents residents
5.40% 6.00% 5.30%

4. non-residents
residents
Nights spend in Germany by resident/non-resident

5. residents
non-residents
total
4.80% 5.00% 5.20% 5.40% 5.60% 5.80% 6.00%
% Change in overnight stay after 2010

6.  But with increasing demand of customers for tourism in
Germany, the liability of ensuring customer’s security is
also increasing
Information Assets of a customer
• Personal information (identity, nationality, DOB. etc.)
• Payment
• Purpose of visit
• Duration of stay
• Facilities/services availed by customer

7. Modes of Payment:
• Cash
• Credit/Debit Cards
• Travellers’ Cheques
• Vouchers
• Company Account
• Money transfer to the desired account

8. Ways of booking a room in hotel:
• Via mail
• Via hotel’s website
• At arrival
• Via Phone
• Travel agency
• Via company

9. Check in procedure:

10. NOTE: According to Verizon Data Breach Investigation Report
(DBIR) in 2010, hospitality industry was most vulnerable target
by hackers following with financial and retail industries
respectively. And the most important fact is that 98% of the
targeted data was payment card information.

11. Hotels Hacked the most
Hospital Financial Ret Food and Business Educati Technolo Manufacturi Othe
ity Services ail beverage Services on gy ng rs
38 19 14.2 13 5 1.4 4 1.4 4

12. Hospitality
Financial Services
Retail
Food and beverage
Business Services
Education
Technology
Education
Manufacturing

13. Types of Credit Cards Fraud

15. Identity Theft
Source: thehackernews.com

16. Malware

17. Other means of credit card information breach
• Dummy wi-fi / Hotspot: Wireless internet is one of the
most basic services offered by many hotels—
However, you might be connecting to hotel’s actual
network, instead, you may have simply clicked on a dummy
Wi-Fi network called “ABC-Free-Wi-Fi”

18. • Phishing by phone: since the beginning of IP telephone
systems, the risk of telephone phishing has always been
higher.

19. • Since in hospitality industry, people are hardly aware of
Information Security norms, appliance or governance, so I
would like to shed a little light on PCI-DSS requirements:
• PCI –DSS Requirements:
• Requirement 1: Install and maintain a firewall configuration to
protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for
system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data
across open, public networks
• Requirement 5: Use and regularly update anti-virus software
or programs
• Requirement 6: Develop and maintain secure systems and
applications
• Requirement 7: Restrict access to cardholder data by
business need to know

20. • Requirement 8: Assign a unique ID to each person with
computer access
• Requirement 9: Restrict physical access to cardholder
data
• Requirement 10: Track and monitor all access to network
resources and cardholder data
• Requirement 11: Regularly test security systems and
processes.
• Requirement 12: Maintain a policy that addresses
information security for all personnel.

21. • Network Separation: Isolation of network is not an entity
of PCI-DSS but it should be clearly defined that which
channel we would use in order to perform various
operations in hotels. Network segmentation or separation
can be done in various ways at physical or logical level:
• Configured internal network firewalls
• Routers with strong access control lists
• IAM-Identity Access Management or the technologies that
restrict access to a particular segment of a network.

22. • According to PCI-DSS the business needs should be
defined, policies, and processes should be defined clearly
in order to store individual’s information. So the minimal
and only the legitimate information which is highly
required should be stored and the retention policies
should be strictly followed.

23. • Wireless: When wireless technology is used to store, process,
or transmit cardholder data then we need to consider the
following in order to have secure transmission over the channel
• Install perimeter firewalls between any wireless networks and
the cardholder data environment, and configure these firewalls
to deny or control (if such traffic is necessary for business
purposes) any traffic from the wireless environment into the
cardholder data environment.
• For wireless environments connected to the cardholder data
environment or transmitting cardholder data, change wireless
vendor defaults, including but not limited to default wireless
encryption keys, passwords, and SNMP community strings.
• Ensure wireless networks transmitting cardholder data or
connected to the cardholder data environment, use industry
best practices (for example, IEEE 802.11i) to implement strong
encryption for authentication and transmission.

24. • Third Party Outsourcing: According to the business
processes defined involved parties needs to involved
certain measures
• They can undergo a PCI DSS assessment on their own
and provide evidence to their customers to demonstrate
their compliance; or If they do not undergo their own PCI
DSS assessment, they will need to have their services
reviewed during the course of each of their customers’ PCI
DSS assessments

25. THANKS
Information security is a ongoing process