Credit Card Security: Update on Securing Payments/Cardholder Data

By Bob Carr, Chairman & CEO, Heartland Payment Systems

As hotels become increasingly popular targets for cybercriminals, protecting cardholder data is more critical now than ever for you and your guests alike. In just a few brief seconds — from the time a guest swipes a credit or debit card to pay for a stay or a purchase until the transaction is complete — sensitive cardholder data can be vulnerable. If your hotel’s system is breached, you could pay steep fines and face legal issues, business recovery and the rebuilding of customer confidence — as well as the possibility of going out of business. Payment Card Industry (PCI) compliance is important to ensure your hotel has certain security safeguards in place, but it may not be enough to prevent intrusions.

With that in mind, many payments processors and security/technology providers have developed a wide array of “solutions” as an answer to these requirements and the overall threats to cardholder data security. End-to-end encryption has emerged as the forerunner in the payments industry, offering protection from card swipe to and through a processing network.

End-to-End Encryption

Encryption scrambles cardholder data so it cannot be read. True end-to-end encryption safeguards cardholder information from the moment a card is swiped or hand-keyed, to and through a processor’s network — not just at certain points of the transaction flow — rendering it useless in the event of a compromise. It is important to make card data indiscernible as it enters the payment cycle so if firewalls are weak, the enemy gains nothing of commercial value.

Because this encryption model assists in protecting data before it enters your payment system, it reduces the cost of PCI compliance and the risks of being non-compliant. An end-to-end solution should include four zones of the card processing ecosystem:

  1. From data entry/card read at your hotel to the payments processor’s authorized network;
  2. From entry to that network and throughout the entire processor/sub-contractor network where data is in motion;
  3. While the data resides in a central processing unit (CPU) or a host security module (HSM), a specialized server that locks down information;
  4. In storage where data is at rest.

Keep in mind that not all encryption is end-to-end. Some solutions only encrypt the data between each zone when the data is in transit, leaving the information in the clear at other points. Any encryption solution that does not start at the card swipe or key entry and include all of these four zones is not end-to-end; it is “point-to-point.”

By exposing data at certain points in the lifecycle of a transaction flow, point-to-point encryption creates the type of vulnerabilities in your hotel’s system that sophisticated criminals actively seek out. Further, only encryption technologies that employ both hardware and software protections secure data in flight and data stored on subsystems.

Other Solutions

Other promising new technologies and processes that address the issue of protecting payment card data are available. Alone, these technologies do not provide the adequate security necessary to protect your guests’ sensitive cardholder and payment account data from cyber thieves. However, when combined with end-to-end encryption, these solutions safeguard your data and protect your establishment from fraud with a comprehensive and robust system.

One such promising technology is tokenization, which replaces the sensitive cardholder data obtained during a card transaction with a marker — or token — in your hotel’s system. A token takes the place of the original data; the token does not allow the entity that stores that information to know anything about the original data or the tokenization scheme. Unlike encrypted data, the token cannot be reversed to reveal the original data. Retrieving the original data that was replaced by the token requires a database that maintains the relationship between the token and the original data. The data is stored so when you need to access this information to issue a refund or for another reason, you can retrieve it.

Tokenization secures the information stored only after it is initially authorized or the original data is replaced with the token. While tokenization alone does not provide protection against data theft during transmission, when combined with end-to-end encryption, tokenization can enhance the protection for your hotel and guests.
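The token-and-database relationship described above can be sketched as follows. This is an added example, not code from Heartland or any processor; the `TokenVault` class, the `tok_` prefix, the API-key check and the assumption that the vault sits with the processor rather than the hotel are all illustrative.

```python
import hmac
import secrets


class TokenVault:
    """Assumed processor-side vault: the only place the token-to-card mapping lives."""

    def __init__(self, api_key: bytes):
        self._api_key = api_key   # hypothetical credential required to detokenize
        self._by_token = {}       # token -> card number
        self._by_card = {}        # card number -> token, so a repeat card reuses its token

    def tokenize(self, card_number: str) -> str:
        if card_number in self._by_card:
            return self._by_card[card_number]
        # The token is random, not computed from the card number, so there is
        # no key or algorithm that turns it back into the card number.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = card_number
        self._by_card[card_number] = token
        return token

    def detokenize(self, token: str, api_key: bytes) -> str:
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("caller is not authorized to detokenize")
        return self._by_token[token]


def record_stay(vault, folio, card_number, amount):
    """After authorization the hotel system keeps the token, never the card number."""
    folio.append({"card": vault.tokenize(card_number), "amount": amount})


def refund(vault, entry, api_key):
    """A refund looks the card up through the vault; the hotel record is not enough."""
    card_number = vault.detokenize(entry["card"], api_key)
    return {"refund_to_last4": card_number[-4:], "amount": entry["amount"]}


def demo():
    key = secrets.token_bytes(32)
    vault = TokenVault(key)
    folio = []
    test_card = "4111111111111111"   # constructed test number, not a real card
    record_stay(vault, folio, test_card, 189.00)
    copied = list(folio)             # what a copy of the hotel's database contains
    leaked = any(test_card in str(row) for row in copied)
    return folio, leaked, refund(vault, folio[0], key)


if __name__ == "__main__":
    print(demo())
```

The card number still passes through `record_stay` in the clear before it is tokenized, which is the transmission gap the article says end-to-end encryption has to cover.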

An evolving technology, Chip & PIN, makes it harder for criminals to clone payment cards. Each payment card contains a chip that authenticates the card as the original and incorporates special single-use data to prevent replay of old transactions. The cardholder inputs a personal identification number (PIN) to confirm he/she is the authorized user.

While Chip & PIN has proven to be reasonably effective in detecting fraudulent cards, it does not protect sensitive data after it is swiped or during transmission to the processor’s network. This provides the opportunity for the data to be accessed and compromised before the transaction is complete. This data, in turn, can be used to create magnetic stripe-only cards or for transaction activity that does not require a card to be present to complete the transaction.

To implement Chip & PIN, card issuers must issue new cards manufactured with the integrated chip. Merchants must update their terminals and point-of-sale systems, and consumers have the added step of keying in their PIN at the point of sale. The need to encrypt the data retrieved at the point-of-sale system and in transmission still exists with Chip & PIN deployment.

Best Protection for the Best Value

There’s no shortage of competing security solutions on the market, so evaluate each one critically for the best value and protection. The marketplace is also rife with confusion and payments processors/data security providers looking to increase their revenue by charging more for something you have the right to have: state-of-the-art data security. Many are imposing extra fees and taxes for this security … from additional transaction fees, monthly encryption fees, key management fees, activation fees, insurance fees … to other unnecessary security “taxes” — that may bring you no extra value. Be on the lookout for processors and equipment manufacturers who unnecessarily charge these fees. You shouldn’t have to absorb them.

The fees are often hard to decipher on your monthly processing statements. Some may appear to be extraneous, when in fact they provide a necessary service — like those that may be associated with computer scanning. Others may seem legitimate, when in fact they buy you nothing. That’s why it’s so important to know what you are paying — and to whom — so you can control your card processing expenses and save money.

By learning about the different technologies available today and the slick tactics of providers looking to profit at your expense, you can determine the best security solution for your hotel. By selecting the right processing partner, you can employ end-to-end encryption, get out from under much of the PCI compliance burden and protect your guests’ information and your hotel.

Bob Carr is chairman and chief executive officer of Heartland Payment Systems, the nation’s fifth largest payments processor and the official preferred provider of card processing, gift marketing, check management, payroll and tip management services for the American Hotel & Lodging Association and 38 state lodging associations. In line with Heartland’s commitment to merchant advocacy and education, Mr. Carr spearheaded The Merchant Bill of Rights (www.merchantbillofrights.org) to promote fair credit and debit card processing practices for all business owners. He has also been a driving force in the enhancement of payment card security with E3™ (www.E3secure.com), Heartland’s end-to-end encryption technology. Mr. Carr can be contacted at Bob.Carr@e-hps.com

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.
