ORLANDO—In the realm of Internet security, this much is certain: Keeping data safe has become increasingly difficult; hotels are breached more and more often; and the resulting penalties and fines can bankrupt owners.
But as for finding a definitive solution to those certitudes, IT professionals are shooting limited resources at a rapidly moving target.
A good place to start is by setting a comprehensive strategy at the corporate level, panelists concurred during a breakout session at last week’s HITEC at the Orange County Convention Center in Orlando.
“From a fundamental standpoint, we need to look at our systems and decide how are they secured. Do you have policies … that take into account what access all of these systems have?” said Darrin Pinkham, president of DP & Associates Hospitality Technology Consulting. “… We have to decide what are we putting in place that protects our guest at the end of the day.”
The most common industry benchmark is the Payment Card Industry Data Security Standard, a list of requirements agreed upon by the five major credit card brands. Any company that acts as the merchant of record for credit card transactions must be PCI compliant.
Thayer Lodging Group, which owns 15 hotels comprising 3,391 guestrooms, performs frequent audits at each of its properties to ensure compliance, said Mike Dickersbach, the company’s VP of IT.
“We typically invest just on physical infrastructure anywhere from (US)$50,000 to (US)$150,000 just to bring security up to speed,” he said.
For cash-strapped hoteliers, that might seem like an egregious expense, but it’s nothing compared to the fines imposed by the payment card industry, the legal costs and the brand damage incurred in the event of a breach, the panelists said.
“It only takes one breach to justify the cost, unfortunately,” Dickersbach said.
It’s nearly impossible to calculate the return on investment in security devices; it’s more akin to buying insurance, said Nelson Garrido, VP technology, Noble Investment Group. Ask owners to invest US$50,000 on security upgrades at their properties, and they might balk—but show them the resulting costs of a single breach, and they’re far more likely to approve the expenditure.
While PCI might be the industry standard, compliance doesn’t ensure safe harbor, the panelists said. If you were found to be compliant one day and suffered a breach the next, you most likely would be considered noncompliant.
As one panel attendee put succinctly, “It’s an inherent contradiction to be compliant at the time of a breach.”
But the problem for hoteliers is the very nature of transactions. Every time guests book rooms or make on-site purchases with their credit cards, there is a number associated with that action—a number that potentially can be hacked by cybercriminals.
“The way we do our business is a big issue,” Garrido said. “The credit card number just keeps floating around.”
Tokenization—a process in which sensitive data is broken into pieces that are indecipherable without a key—presents a good alternative to this problem, although there’s still a vulnerable text file that “sits” on the system for a moment, Pinkham said. “There’s flaws.”
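To make concrete what tokenization buys a hotel, here is an added illustration (not code from the panel or from any vendor named above): the full card number lives only inside a vault, while the property-management or point-of-sale record keeps a random token plus the last four digits. The in-memory vault, the `tok_` prefix and the test card number are constructed for the demo; a production vault would be a hosted or HSM-backed service, which is exactly where the “floating” card number is meant to stop.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, the usual sanity check before tokenizing a PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Holds the only copy of the card number. Everything outside the vault
    (PMS, POS, folios, reports) sees just the token and the last four digits.
    Constructed for the demo: an in-memory dict stands in for a real vault service."""
    def __init__(self):
        self._by_token = {}   # token -> PAN
        self._by_pan = {}     # PAN -> token, so a repeat guest reuses one token

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        # A random token carries no information about the PAN, so a leaked
        # token (or the whole token column) does not expose card numbers.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the settlement path to the processor should ever call this."""
        return self._by_token[token]

def folio_entry(vault: TokenVault, pan: str, amount: float) -> dict:
    """The most a hotel system should store about a card: token, last four, amount."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount": amount}

def record_contains_pan(record: dict, pan: str) -> bool:
    """Defender's check: confirm a stored record never carries the full PAN."""
    return any(pan in str(v) for v in record.values())
```

The split matters for scope: systems that hold only tokens fall outside the card-data environment that PCI DSS audits, which is why the vault must be separate from the systems the token flows through.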
A better solution would be for banks to fundamentally change the processes around transactions, the panelists agreed—something that’s unlikely to happen as they continue to push responsibility on hoteliers.
“Yes, the banks can do something, but as we can see … they’re just going to keep shifting that responsibility down to the merchant,” Garrido said. “ … Yes, they could have fixed this, but it costs them money and they’re not going to spend it.”
As such, PCI standards should be thought of as a guideline—a good first step—to foster data security, said Simon Eng, VP Information Technology, CTF Hotels and Resorts.
In addition to maintaining PCI compliance, IT professionals face a number of other challenges in the fight to protect guests’ personal information:
People: The biggest weakness in data security is people—the associates who handle credit card transactions, Garrido said. Hoteliers can put in as many systems or policies as they want, but if employees don’t follow them, a breach is far more likely to happen.
The best defense against such lapses is training, training and more training, the panelists said. Information security needs to become an ingrained part of every company’s culture.
Passwords: Passwords should change on a consistent basis, Pinkham said. If nothing else, hoteliers should change the passwords that ship with new systems and programs.
“A lot of the vendors have (administrator) passwords that they use to save passwords on all their systems,” he said. “… the breaches that occur are generally by people that aren’t that smart. They’re just spending some free time. It’s like a game.”
Vendors often use their own names for the default username and password. And if the hacker figures out the password on one system, he or she can access every other system.
Push from brands: Just as banks are pushing responsibility for data security on to owners, so too are brands. However, it’s important to note that brands often have the most to lose, Pinkham said.
“That brand’s name generally is the one that’s talked about out there (in the event of a breach), and they have huge remediation to resolve the issue,” he said. “At the end of the day, we all have responsibility on this. It behooves us to put the onus back on the brands to make them compliant.”
Dickersbach has even gone as far as fitting PCI compliance into the brand management contract.