By Sue Zloth
This week, three major hotel industry associations issued a joint statement urging hotels to take action against organized attacks on consumer credit card data. Why? Not too long ago, hotels were targeted by hackers more than any other industry, and this fact alone is very concerning. According to Joe McInerney, CEO of AH&LA, “Our decision to address this jointly is directly related to the magnitude of the threat.” Additionally, hotels need to understand the actions that must be taken to protect themselves and to avoid the costs and fines that result when a hotel is attacked.
The Payment Card Industry Data Security Standard (PCI DSS), of course, lays out the standards that hotels need to follow to achieve the minimum security baseline, but many hoteliers are finding it challenging to get a handle on PCI. In fact, even if a hotel’s corporate office endorses and promotes vendors to help with meeting these standards, independent operators are often overwhelmed by the ins and outs of PCI compliance.
So what should hoteliers do? According to the statement issued, here are three specific actions hotels (not their system vendors) need to take immediately:
- Eliminate EVERY default password on EVERY machine on your network.
- Eliminate holes in remote access to systems inside your network.
- Use a firewall.
I would add that the easiest way to protect yourself from attack is to ensure that you have nothing of value on your systems. If hackers are looking for payment card numbers, then simply remove them from your systems – entirely. A hacker can’t steal something that is not there. Tokenization and point-to-point encryption allow hoteliers to minimize their card environment.
Personally, I applaud these associations for coming together to express the importance of this threat and unite in the call to action for hotels. I hope that each hotelier pays attention and takes action against these threats.






