A recent global survey on the safety of point-of-sale (POS) devices, which process a high volume of debit and credit card transactions, reports that they have become the payment sector's Achilles' heel as hackers continue to target vital customer information for illegal purposes. Unscrupulous elements can steal card information from any location or industry where card transactions through POS channels are prevalent.
According to a senior executive of Marriott International, data theft was often observed at franchised locations where the franchise owners had brought in outside systems for card transactions and data storage without knowing their vulnerabilities.
He says that in multi-user environments, if POS terminals are not standardized across the organization and are individual to each hotel, the vulnerability is very high. "Some hospitality joints host their own website, have their spa or golf management system, which opens up holes in the firewall," he opines.
Given the growing awareness among retailers and the increase in data attacks, POS software vendors across the country are taking extra care to protect vital data at the clients' end from being stolen by third-party servers. Though there is a cost attached to safeguarding the data, the overall cost of not plugging POS loopholes can be substantial and sometimes detrimental to the business.
The survey also pointed out that in the hotel industry, data breaches can cost an average-sized hotel more than $3 million per attack. Apart from the loss of credibility, which leads to business loss, hoteliers may end up entangled in legal issues too. So, how can such data pilferage be avoided? By following a few tips, hoteliers can avoid those costs as well as the headaches of data pilferage.
Keep guest data offsite
More care should be exercised when hoteliers handle sensitive customer data. Technical analyst Sunil Batra says, "If I own a large hotel, I won't wish anyone coming directly to me with payment information. I may opt for a proxy payment system." Explaining further, he says, "People should take advantage of an outside hosting system which can collect payment card details under a secured environment. This is possible through an outside hosted page."
Cloud computing systems can also be used to handle guest credit card data. However, it is imperative that such a system require proper credentials for access.
Alex Zozaya, CEO of Apple Leisure Group, says his company, which has 37 resorts spread across Mexico, Central America and the Caribbean through six brands, uses an offsite customer relationship management (CRM) system which takes very good care of customer data.
Fiber optic cabling
Some of the high-end hotels in India have installed an anti-data-theft system that involves fiber optic cabling running into each guestroom. Batra says the cabling work is done by hoteliers primarily to maintain high bandwidth when guests carry multiple mobile devices into their hotel. "The fiber optic network also features highly secure firewall technology," he adds.
"We see no reason why we wouldn't want to put it everywhere," he said when asked about the possibilities of putting the technology in place to secure POS transactions. However, he cautioned that technology infrastructure separate from the hotel's POS system should be covered.
Hotels are generally inclined to virtualize their LAN on the premises and refrain from separating it for the back office and guests. "We must have a virtual private network for back office and make sure that it is an encrypted one and needs credentials to access it," he says.
Hotels have no business storing credit card information on their systems. The best way to keep credit cards off the system is tokenization. It is another layer of security that should be in place ahead of time. Tokenization substitutes for the card number a number that cannot be used to make a charge through another organization. Another advantage of using tokens is that they do not have to be protected.
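The tokenization flow described above, as an added sketch that is not from the article or any vendor: a hypothetical `TokenVault` stands in for the offsite provider, and the merchant IDs and the `hotel_record` helper are assumed names. The hotel keeps only a random token and the last four digits, and a token presented by a different merchant is refused.

```python
import hashlib, hmac, secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the offsite provider: the only place card numbers live."""
    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the lookup index below
        self._records = {}  # token -> (merchant_id, pan); encrypted at rest in a real vault
        self._index = {}    # HMAC(merchant_id|pan) -> token, so a repeat guest maps to one token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        lookup = hmac.new(self._index_key, f"{merchant_id}|{pan}".encode(), hashlib.sha256).digest()
        if lookup in self._index:
            return self._index[lookup]
        token = "tok_" + secrets.token_hex(12)  # random: nothing is derived from the card number
        self._records[token] = (merchant_id, pan)
        self._index[lookup] = token
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        """Only the merchant the token was issued to can turn it into a charge."""
        record = self._records.get(token)
        if record is None or record[0] != merchant_id:
            return False
        return amount_cents > 0  # a real vault would forward the card number to the acquirer here

def hotel_record(vault: TokenVault, merchant_id: str, guest: str, pan: str) -> dict:
    """What the hotel's own system stores: token and last four digits, never the card number."""
    digits = pan.replace(" ", "").replace("-", "")
    return {"guest": guest, "card_token": vault.tokenize(merchant_id, digits), "last4": digits[-4:]}

if __name__ == "__main__":
    vault = TokenVault()
    rec = hotel_record(vault, "hotel-a", "Constructed Guest", "4111 1111 1111 1111")  # test number
    print(rec)
    print(vault.charge("hotel-a", rec["card_token"], 12500), vault.charge("hotel-b", rec["card_token"], 12500))
```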
However, despite best practices and a powerful firewall, data hacks still do occur. In the event of a malware attack, employees should do the following things immediately:
- A thorough analysis of the network to see how far the breach has spread.
- Separate the system where the breach occurred from the main server.
- Wipe the hard drive and reinstall it from scratch.
- Make an image and copy of the hard drive that will be used for forensic purposes.