BreachExchange mailing list archives

Tokenization key to data security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Feb 2014 13:00:01 -0700

http://hotelnewsnow.com/Article/13156/Tokenization-key-to-data-security

The whole credit card hacking problem is once again in the forefront for
the hotel industry. One of my companies is in the business of specifically
serving as a credit card processor for hotels, so I have deep knowledge of
this topic.

As late as 2010, it was the Wyndham Hotel Group security breach, and now
it's White Lodging. The industry seems to have pretty much ignored the
Wyndham breach and warnings of more to come. The White Lodging, Target and
Neiman Marcus breaches should serve as wake-up calls.

Hoteliers in particular are at risk, as they oversee credit card
transactions outside of the traditional single swipe required in retail or
online shopping, which immediately sends data into encrypted storage.

In hotels there is first the reservation, often online or by phone or
through a third-party booking source, followed by check-in at the front
desk or kiosk. The card data then resides for days in the hotel system
during the stay to accommodate added charges to the card in the restaurant,
gift shop or spa. The charge information is often kept electronically,
accessible in case of chargebacks and other things.

Each time and at each point of access, there is a risk of a hacker gaining
access in some way, just as Target has been hacked by going through a
legitimate vendor to gain entry to the system then to the card swipe
terminals. All hotel managers think they have secure systems, but even
Wyndham and White Lodging, two very well-run companies with sophisticated
and highly professional management, did not. Other hotel breaches have
occurred, but you never hear about them.

Complications
Credit and debit card processing is much more complicated than most in the
hotel industry realize or than CFOs want to acknowledge.

When we sign up new clients, we analyze their merchant charge statements
from their existing processor. We often find that even at large ownership
and management companies with sophisticated and highly qualified CFOs and
controllers, with what they think are clear processing contracts as to the
merchant rate, hoteliers do not really understand how much they are really
paying for processing due to the complexity of how charges are levied and
how the charge card system really works.

They are usually paying more than they think. Card security is far more
complex. Finance associates often tell you they understand payment card
industry compliance and related matters and that your systems are secure.

However, we find in most cases they don't fully understand all the
technology and hacking vulnerability aspects, and the IT staff often does
not fully understand card processing security protocol, which often falls
outside their regular expertise.

Take action
You need to make credit card security a high priority due to the potential
reputational and legal costs of a breach.

Don't assume when your CFO says, "We are PCI compliant and safe," that he
is right. He might honestly think so, but he might not have a full
understanding of card security or areas of vulnerability.

As we have seen, many do not really understand what they are being charged
despite their financial and accounting sophistication and insistence to you
that they do. Credit card and debit card transactions are very complex.
There is real risk you might not even know is happening until it's too
late. As we've all read in the news, there have been successful attacks on
top-secret programs at defense companies that thought their military
secrets were secure.

The cost of a payment breach is severe. Association fines alone can exceed
$500,000, which would cripple many businesses. Plaintiff lawyers jump in.
National news reports proliferate as they did with White Lodging. While
breach insurance is an option, there needs to be a focus instead on
eliminating exposure and avoiding a breach completely.

Protecting against a breach
While PCI compliance is the first step in security, an added layer of
protection is that of point-to-point data encryption. Certain processors
provide technology where data is encrypted at the point of entry, making it
impossible for hackers to identify card data should they gain access to
seemingly already secure POS systems.

There is available a dual-layered payment card security solution that
combines software- or hardware-based encryption with tokenization
technology. This system secures the transaction from the moment of
swipe--prior to transmission and throughout the payment process--with
encryption and prevents card data from entering the merchant's card data
environment by replacing the primary account number with a random-number
token.

The process works like this:


1. Consumer presents card to merchant.
2. Card data is encrypted and transmitted to processor front end.
3. The processor front end decrypts the data payload.
4. Card data is sent to issuing bank for authorization and, in parallel,
tokenized.
5. Token is paired with authorization response and sent back to the
merchant.
6. Merchant stores token instead of card data in their environment and uses
token for all subsequent business processes.
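As an added illustration (not code from the article, nor any processor's product), the following Python simulation walks through the point-to-point encryption layer described above and the six-step tokenization flow. It uses only the standard library, so two pieces are labelled stand-ins: the terminal cipher is an HMAC-SHA256 keystream with a separate MAC tag where a real P2PE terminal would use a hardware-protected key and an authenticated cipher such as AES-GCM, and the issuing bank's authorization is modelled as always approved. The sample card number is a constructed, Luhn-valid test value, not a real account.

```python
"""Simulated P2PE + tokenization flow (constructed example, stand-ins labelled)."""
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed Luhn-valid test number, not a real card


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# --- Stand-in for the terminal cipher (real P2PE: hardware key + AES-GCM) ---------
def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the terminal key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def terminal_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Step 2: encrypt at the point of entry; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Step 3: the processor front end verifies the tag before decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload failed authentication; rejecting")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ProcessorVault:
    """Step 4: the PAN <-> token mapping. It exists only at the processor."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:  # same card always yields the same token
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits for receipts, randomise the rest. A token that
            # fails the Luhn check cannot be mistaken for, or used as, a real PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def authorize_and_tokenize(vault, terminal_key, blob, amount):
    """Steps 3-5 at the processor: decrypt, authorize (stub), tokenize, pair."""
    pan = processor_decrypt(terminal_key, blob).decode()
    auth_code = secrets.token_hex(3)  # stand-in for the issuer's authorization response
    return {"token": vault.tokenize(pan), "approved": True,
            "auth_code": auth_code, "amount": amount}


def checkin(vault, terminal_key, pan, amount):
    """Steps 1-6 from the hotel's side: the folio record holds a token, never the PAN."""
    blob = terminal_encrypt(terminal_key, pan.encode())  # step 2
    response = authorize_and_tokenize(vault, terminal_key, blob, amount)
    return {"guest_token": response["token"], "auth_code": response["auth_code"],
            "charges": [amount]}  # step 6


def add_charge(vault, folio, amount):
    """A later restaurant or spa charge: the merchant sends the token, not card data."""
    vault.detokenize(folio["guest_token"])  # resolved at the processor only
    folio["charges"].append(amount)
    return folio


def merchant_record_exposes_pan(folio, pan):
    """What a breach of the merchant's stored records would yield."""
    return pan in repr(folio)
```

The two checks worth taking away: the folio the hotel keeps for the length of the stay contains no card number at all, and a payload altered between terminal and processor is rejected rather than decrypted. Deriving distinct encryption and MAC subkeys, and refusing tokens that happen to pass Luhn, are deliberate choices so the token can be stored, printed and passed around the property without ever being confusable with cardholder data.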


The process eliminates exposure and removes the costly liability of a
payment breach. It reduces the costs and time associated with PCI-mandated
security scans and questionnaires. It improves efficiencies by allowing
merchants to focus on projects that contribute to revenue rather than
securing cardholder data.

Credit card security and identity theft are the biggest risks you face,
financially and legally. These risks are potentially far greater than a
single incident on premises or some sort of storm or other damage short of
a total destruction of the hotel. Just believing your systems are fully
secure because your staff says so is not always good enough. The technology
is complex and often outside the expertise of your CFO or IT officer and
their staff.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/