HTNG invited outside investigators from Trustwave and Verizon to pick apart its new solution for payment card security. From left to right: Franklin Tallah, Verizon; Marc Bayerkohler, Trustwave; Christian Palomino, Melia Hotels; John Bell, Marriott; Yvette Vincent, Delaware North.
ATLANTA—For nearly half a decade the hotel industry has been debating how to best protect itself from credit card hackers and secure guests’ personal information.
For nearly half a decade the hotel technology trade association known as Hotel Technology Next Generation has been working on a solution where all hotels can adopt the same standard to reach that goal.
On Wednesday, the group announced at its annual North America conference in Atlanta a framework that hotels can adopt to ensure their guests’ credit card information remains in safe hands.
“In the traditional model, we didn’t think any of the solutions today solved the whole problem,” said Yvette Vincent, director of information systems for Delaware North Companies, who participated in the HTNG workgroup that produced the payment card security framework. “We think this framework does.”
At its conference, HTNG invited outside investigators from Trustwave and Verizon to pick apart its solution for payment card security and put them on stage with representatives from the workgroup. The two investigators, both qualified security assessors, lobbed questions about data security to members of the workgroup, and the workgroup members answered confidently, assured their framework will do the job.
“Architecturally, this looks like a complex system, but in reality if you’re a large company this is the architecture you’re putting in anyway,” said John Bell, enterprise architect at Marriott International. “If you’re a smaller company, all that complexity is hidden from you. The architecture is flexible enough so you can scale it to your needs.”
Members of the workgroup cautioned the framework isn’t an end-all, be-all. Guest credit card information will still be vulnerable—particularly when line-level employees must obtain and handle it—but the processes outlined by the workgroup will keep credit card information out of the hotel systems and therefore remove liability if a breach were to occur, they said.
A big part of the solution calls for independent, encrypted swipe mechanisms that will “tokenize” the credit card information upon receiving it and not pass it along to any other hotel systems, such as property-management or point-of-sale software.
“While (the swipe mechanism) is in your hotel, it doesn’t talk to other systems in the hotel—PMS, etc.—so you encrypt it at the swipe and it doesn’t go through any other system in plain text fashion,” Bell said. “That keeps the hotel systems out of the scope.”
How it works
The new HTNG framework builds upon extensive payment card security solutions that several major hotel groups have already implemented. It is an extension of tokenization, a widely used approach that replaces sensitive payment card data with a token. The framework also incorporates emerging payment card approaches for card capture based on point-to-point encryption.
In layman’s terms, the guest’s credit card is swiped at a single encrypted terminal isolated from other hotel hardware and is immediately communicated to a payment information proxy, or PIP, and never sent to the hotel’s internal software systems. If a hotel needs to obtain the actual credit card number at any point, a qualified employee can request it from a single “secure lookup terminal.”
A new HTNG framework for payment card security builds on tokenization and point-to-point encryption.
“We are very careful to not describe how each company installs this architecture,” Bell said. “Different companies will need to do it differently.”
Larger hotel chains, Bell said, might provide their own proprietary tokenization and PIP services. Marriott has been employing its own tokenization capability for a few years, he said. But that can be costly, and hotels or smaller hotel chains without those resources can opt to use a third-party tokenization and PIP service for a nominal fee.
“Most companies will need someone, a professional security company, to be monitoring security updates,” Vincent said.
The solution is not intended to vacate years of work the PCI Data Security Standards organization has done surrounding credit card security nor abandon resources hoteliers have already spent to secure their data, the workgroup members said. Instead, the PCI DSS should be looked at as a minimum starting point and the HTNG framework merely an extension of that.
Looking for holes
Marc Bayerkohler, security consultant with Trustwave, and Franklin Tallah, senior professional services consultant with Verizon Business, each took their best shot at exposing insecurities in the framework.
While Bayerkohler admitted point-to-point encryption and tokenization are “really effective” solutions, he questioned the encryption on the swipe hardware.
Bollen, of Marriott, said the devices—which will come at a cost to the hotelier—are PCI verified, which will satisfy an assessors’ investigation.
Tallah said he was concerned that if the hotel industry largely adopts the new standard, it will add more suppliers (tokenization and PIP servicers), which will lead to more people handling the information and slow down processing speeds.
To this end, Vincent assured the turnaround time isn’t as critical in the hotel space as it is in other industries. Many credit card authorizations, she said, are simply gathering information that will be processed later.
However, the solution isn’t flawless, the workgroup members said.
“We know there are times when an employee has to have this data,” Bell said. “There’s just no elegant way around that. But the secure lookup terminal keeps the access to a minimum and keeps it out of the system.”
The workgroup even addressed rare circumstances where credit card numbers are handwritten and submitted via e-mail or fax. For example, a traveling softball team that needs each family to pay separately may submit a spreadsheet with each family’s credit card number displayed in a list.
To address this concern, Marriott has a form available on its website where users can fill in the information, submit it, and immediately upon submission the credit card numbers will be tokenized. Other companies, such as Delaware North, will immediately detect scanned credit card numbers and tokenize them.
“You have to decide what efforts you’re going to take and how important it is to you,” Vincent said. “We’ve tried to address the most common situations.”
In addition to the standards, Vincent suggested training line-level staff on the importance of guests’ personal information security.
“What happens if you find a credit card lying on the ground?” she said. “There are processes in place for that. You still need a comprehensive process in place.”