Credit Card Security: Update on Securing Payments/Cardholder Data
By Bob Carr Chairman & CEO, Heartland Payment Systems | October 17, 2010
As hotels become increasingly popular targets for cybercriminals, protecting cardholder data is more critical now than ever for you and your guests alike. In the few seconds between a guest swiping a credit or debit card to pay for a stay or a purchase and the completion of the transaction, sensitive cardholder data can be exposed. If your hotel's systems are breached, you could pay steep fines and face legal action, business recovery costs and the work of rebuilding customer confidence, as well as the possibility of going out of business. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) ensures your hotel has a baseline of security safeguards in place, but it may not be enough on its own to prevent intrusions.
With that in mind, many payment processors and security and technology providers have developed a wide array of "solutions" as an answer to these requirements and to the overall threats to cardholder data security. End-to-end encryption has emerged as the front-runner in the payments industry, offering protection from the card swipe to and through the processing network.
Encryption scrambles cardholder data so that it cannot be read by anyone who does not hold the decryption key. True end-to-end encryption safeguards cardholder information from the moment a card is swiped or hand-keyed, to and through the processor's network, not just at certain points of the transaction flow, rendering the data useless to an attacker in the event of a compromise. It is important to make card data indiscernible as it enters the payment cycle, so that if a firewall or any system along the path is weak, the intruder gains nothing of commercial value.
Because this encryption model protects the data before it enters your payment system, it reduces the cost of PCI compliance and the risks of being non-compliant. An end-to-end solution should cover four zones of the card processing ecosystem:
- From data entry/card read at your hotel to the payment processor's network;
- From entry to that network and throughout the entire processor/sub-contractor network, where data is in motion;
- While the data is being processed, whether in a host's central processing unit (CPU) or in a host security module (HSM, also called a hardware security module), a tamper-resistant device that holds the cryptographic keys and performs the encryption and decryption so the keys never leave it;
- In storage, where data is at rest.
Keep in mind that not all encryption is end-to-end. Some solutions encrypt only the links between zones while the data is in transit, leaving the information in the clear at the points where one link ends and the next begins. Any encryption solution that does not start at the card swipe or key entry and cover all four of these zones is not end-to-end; it is "point-to-point."
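The distinction above, between encrypting once at the card reader under a key that only the processor's HSM holds and encrypting each link separately, is easiest to see in code. The following is an added example, not code from the original article or from Heartland Payment Systems. It models a card reader, two hypothetical intermediate systems (a hotel POS server and a payment gateway) and the processor's HSM, and runs the same constructed track data (a well-known test PAN, not a real card) through both models. The terminal key, link keys, hop names and the terminal/transaction identifiers used as associated data are all assumptions made for the example; real terminals receive their keys through a key-management scheme rather than by hashing a label as deriveKey does here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

const sampleTrack = "4111111111111111=2512101"          // constructed: well-known test PAN
var hops = []string{"hotel-pos-server", "payment-gateway"} // hypothetical intermediate systems

// deriveKey stands in for key injection (real terminals get keys through a
// key-management scheme); hashing a label keeps the example self-contained.
func deriveKey(label string) []byte {
	h := sha256.Sum256([]byte(label))
	return h[:]
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binding aad (terminal and transaction IDs)
// to the ciphertext so a blob cannot be replayed under another transaction.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

// open reverses seal; any change to the blob or the aad makes it fail.
func open(key, aad, blob []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// EndToEnd: the reader encrypts under a key only the processor's HSM holds
// (assumed shared at key injection). Returns what each hop could read and
// what the processor recovered.
func EndToEnd(track string) (seen []string, atProcessor string, err error) {
	aad := []byte("terminal-42|txn-1001")
	termKey := deriveKey("terminal-42 key held by processor HSM")
	blob, err := seal(termKey, aad, []byte(track))
	if err != nil {
		return nil, "", err
	}
	for range hops {
		seen = append(seen, string(blob)) // hops hold no key: opaque bytes only
	}
	plain, err := open(termKey, aad, blob) // this step runs inside the HSM
	if err != nil {
		return nil, "", err
	}
	return seen, string(plain), nil
}

// HopByHop: each link has its own key (think TLS per hop). Every hop
// terminates one link and starts the next, so it handles cleartext.
func HopByHop(track string) (seen []string, atProcessor string, err error) {
	aad := []byte("terminal-42|txn-1001")
	path := append(append([]string{"card-reader"}, hops...), "processor-hsm")
	cur := []byte(track)
	for i := 1; i < len(path); i++ {
		linkKey := deriveKey("link " + path[i-1] + "->" + path[i])
		blob, err := seal(linkKey, aad, cur)
		if err != nil {
			return nil, "", err
		}
		if cur, err = open(linkKey, aad, blob); err != nil {
			return nil, "", err
		}
		if i < len(path)-1 {
			seen = append(seen, string(cur)) // cleartext on this intermediate host
		}
	}
	return seen, string(cur), nil
}

// PANExposed reports whether any intermediate hop could read the PAN.
func PANExposed(seen []string, pan string) bool {
	for _, s := range seen {
		if strings.Contains(s, pan) {
			return true
		}
	}
	return false
}
```

Both models deliver the track data intact to the processor, which is why a hop-by-hop deployment can look fully encrypted on a network diagram. The difference is what an attacker gets by compromising an intermediate host: in HopByHop every hop returns the PAN in the clear, in EndToEnd each hop sees only the sealed blob. Binding the terminal and transaction identifiers as associated data also means a blob captured from one transaction cannot be resubmitted under another, and GCM's authentication tag rejects any blob that was altered in transit.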