BreachExchange mailing list archives
Tokenization key to data security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Feb 2014 13:00:01 -0700
http://hotelnewsnow.com/Article/13156/Tokenization-key-to-data-security

The whole credit card hacking problem is once again in the forefront for the hotel industry. One of my companies is in the business of specifically serving as a credit card processor for hotels, so I have deep knowledge of this topic. As recently as 2010 it was the Wyndham Hotel Group security breach, and now it's White Lodging. The industry seems to have pretty much ignored the Wyndham breach and the warnings of more to come. The White Lodging, Target and Neiman Marcus breaches should serve as wake-up calls.

Hoteliers in particular are at risk, because they handle card transactions outside the single swipe of retail or online shopping, where the card data goes straight into encrypted storage. In a hotel there is first the reservation, often made online, by phone or through a third-party booking source, followed by check-in at the front desk or a kiosk. The card data then resides for days in the hotel system during the stay to accommodate added charges to the card in the restaurant, gift shop or spa. The charge information is often kept electronically afterward, accessible in case of chargebacks and other disputes. At each of these points, and each time the data is accessed, there is a risk of an attacker gaining access in some way, just as Target was breached by going through a legitimate vendor to gain entry to the network and then to the card swipe terminals.

All hotel managers think they have secure systems, but even Wyndham and White Lodging, two very well-run companies with sophisticated and highly professional management, did not. Other hotel breaches have occurred, but you never hear about them.

Complications

Credit and debit card processing is much more complicated than most in the hotel industry realize or than CFOs want to acknowledge. When we sign up new clients, we analyze their merchant charge statements from their existing processor.
We often find that even at large ownership and management companies with sophisticated and highly qualified CFOs and controllers, and with what they believe are clear processing contracts as to the merchant rate, hoteliers do not really understand how much they are paying for processing, because of the complexity of how charges are levied and how the card system really works. They are usually paying more than they think.

Card security is far more complex still. Finance associates will often tell you that they understand Payment Card Industry (PCI) compliance and related matters and that your systems are secure. In most cases, however, we find they do not fully understand the technology or the ways it can be attacked, and the IT staff often does not fully understand card processing security requirements, which fall outside their regular expertise.

Take action

You need to make credit card security a high priority because of the potential reputational and legal costs of a breach. Don't assume that when your CFO says, "We are PCI compliant and safe," he is right. He might honestly think so, but he might not have a full understanding of card security or of where the vulnerabilities lie. As we have seen, many do not really understand what they are being charged, despite their financial and accounting sophistication and their insistence that they do. Credit and debit card transactions are very complex. There is real risk that you might not even know is present until it's too late. As we've all read in the news, there have been successful attacks on top-secret programs at defense companies that thought their military secrets were secure.

The cost of a payment breach is severe. Card association fines alone can exceed $500,000, which would cripple many businesses. Plaintiff lawyers jump in. National news reports proliferate, as they did with White Lodging. While breach insurance is an option, the focus instead needs to be on eliminating exposure and avoiding a breach altogether.
Protecting against a breach

PCI compliance is the first step in security; an added layer of protection is point-to-point encryption (P2PE). Certain processors provide technology in which the card data is encrypted at the point of entry, so that an attacker who gains access to a seemingly secure POS system cannot read card data from it.

A dual-layered payment card security solution is available that combines software- or hardware-based encryption with tokenization. It secures the transaction from the moment of swipe, before transmission and throughout the payment process, with encryption, and it keeps card data out of the merchant's cardholder data environment by replacing the primary account number (PAN) with a random-number token. The process works like this:

1. Consumer presents card to merchant.
2. Card data is encrypted and transmitted to the processor front end.
3. The processor front end decrypts the data payload.
4. Card data is sent to the issuing bank for authorization and, in parallel, tokenized.
5. The token is paired with the authorization response and sent back to the merchant.
6. The merchant stores the token instead of the card data in its environment and uses the token for all subsequent business processes.

The process removes card data, and with it the bulk of the liability of a payment breach, from the merchant's environment. It reduces the cost and time of PCI-mandated security scans and questionnaires, and it lets merchants focus on projects that contribute to revenue rather than on securing cardholder data.

Credit card security and identity theft are the biggest risks you face, financially and legally. These risks are potentially far greater than a single incident on the premises or a storm or other damage short of total destruction of the hotel. Believing your systems are fully secure because your staff says so is not always good enough. The technology is complex and often outside the expertise of your CFO or IT officer and their staff.
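The six-step flow above, simulated end to end as an added example; this is not code from the article or from any processor's product. The Processor and Merchant classes, the 16-digit token format, the folio layout and the well-known test card number 4111111111111111 are assumptions made for illustration, and steps 2 and 3 (encrypting the swipe data in transit and decrypting it at the processor) are out of scope here and represented by handing the PAN straight to the processor. The point it demonstrates is the one the article makes: after check-in the hotel's own records hold only a token, every later charge is posted against that token, and a cardholder-data scan of the merchant's storage finds nothing.

```python
"""Simulated processor-side tokenization for a hotel stay (example code)."""
import json
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Processor:
    """Processor front end plus token vault (hypothetical). Only this side ever holds a PAN."""

    def __init__(self):
        self._vault = {}        # token -> PAN; never leaves the processor

    def _mint_token(self, pan: str) -> str:
        # Random 16 digits, rejected if Luhn-valid, so a leaked token is not a
        # usable card number and a scanner can tell it apart from a real PAN.
        while True:
            tok = "".join(secrets.choice("0123456789") for _ in range(16))
            if not luhn_ok(tok) and tok not in self._vault:
                self._vault[tok] = pan
                return tok

    def _issuer_authorize(self, pan: str, amount_cents: int) -> str:
        # Stand-in for the issuing bank (step 4); returns a pseudo auth code.
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        return "AUTH-" + secrets.token_hex(3).upper()

    def authorize_and_tokenize(self, pan: str, amount_cents: int) -> dict:
        """Steps 4 and 5: authorize, tokenize in parallel, return both."""
        auth = self._issuer_authorize(pan, amount_cents)
        return {"auth_code": auth, "token": self._mint_token(pan), "last4": pan[-4:]}

    def charge_token(self, token: str, amount_cents: int) -> str:
        """Later charges reference the token; the PAN is looked up only here."""
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return self._issuer_authorize(pan, amount_cents)


class Merchant:
    """Hotel property system (hypothetical). Its folio store must never contain a PAN."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.folios = {}        # reservation id -> {token, last4, charges}

    def check_in(self, reservation: str, pan: str, hold_cents: int) -> None:
        resp = self.processor.authorize_and_tokenize(pan, hold_cents)
        # Step 6: keep only the token and the last four digits for receipts.
        self.folios[reservation] = {
            "token": resp["token"],
            "last4": resp["last4"],
            "charges": [(hold_cents, resp["auth_code"])],
        }

    def post_charge(self, reservation: str, amount_cents: int) -> None:
        """Restaurant, spa or gift shop charge during the stay, by token only."""
        rec = self.folios[reservation]
        auth = self.processor.charge_token(rec["token"], amount_cents)
        rec["charges"].append((amount_cents, auth))


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: str) -> list:
    """Crude cardholder-data scan: Luhn-valid 13-19 digit runs in a text blob."""
    return [m for m in PAN_RE.findall(blob) if luhn_ok(m)]


def run_stay() -> dict:
    """Drive one stay and report what each party ends up holding."""
    processor = Processor()
    hotel = Merchant(processor)
    test_pan = "4111111111111111"        # constructed input: standard Luhn-valid test number
    hotel.check_in("RSV-1001", test_pan, 25000)
    hotel.post_charge("RSV-1001", 6250)  # restaurant
    hotel.post_charge("RSV-1001", 12000) # spa
    merchant_dump = json.dumps(hotel.folios)   # everything the hotel stores
    return {
        "token": hotel.folios["RSV-1001"]["token"],
        "charges": len(hotel.folios["RSV-1001"]["charges"]),
        "pans_in_merchant_data": find_pans(merchant_dump),
        "processor_vault_size": len(processor._vault),
    }


if __name__ == "__main__":
    print(run_stay())
```

The scan in find_pans is the kind of check a practitioner would run over folio exports, log files and database dumps after a tokenization rollout: if a Luhn-valid 13 to 19 digit number turns up anywhere in the merchant environment, card data is still entering it and the environment is still in PCI scope.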
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!
Current thread:
- Tokenization key to data security Audrey McNeil (Feb 19)