Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ hospitality ’


Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web.  Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.

Hotel Leaders Discuss Key Issues – and beyond
by Jeff Higley
Using a rapid-fire approach, moderator Don Landry covered plenty of ground during Wednesday’s opening general session at the 18th annual Lodging Conference.
Along the way, Landry, owner Top Ten Hospitality Advisors, poked and prodded panelists into addressing key issues ranging from the future of full-service, suburban hotels to merger-and-acquisition activity in the industry to the so-called “electile dysfunction” buzzword that’s sweeping the country…

What Security Benefits Does Contactless Technology Offer?
by Blogger News
Contactless technology offers many benefits, including faster and easier transactions, versatility to be incorporated into various personal devices including mobile phones, and improved data security over the magnetic stripe technology.
According to the Smart Card Alliance, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities…

Restaurant VARs: 3 Ways To Inject New Life Into Your Business
by Mike Monocello
I’m going to give you a sneak preview of a feature article in next month’s issue of Business Solutions because the VAR we highlight is doing some great stuff that’s really impacting his business. The VAR is Andrew Strickler and his company is Tampa Bay POS. We featured Andrew in our magazine back in 2007. At the time, his company was four years old and business in the hospitality space was absolutely booming…

What other interesting content have you come across? Leave a comment below and join the discussion

For any business – especially those involved in storing, processing or transmitting payment data – information is one of its most important assets. Protecting this information is vital for maintaining customer trust and brand reputation. Beyond having the right security systems, technologies and procedures in place, business owners need to make sure that each and every employee is aware of the role that they play in protecting that important asset.

At Merchant Link, we recently wrapped up our annual Security Awareness Week. Guided by our Learning and Development Team, employees participated in educational trainings and activities that reinforced company security policies and provided information on the latest security threats, challenges and trends. This week on the blog, we’ll share some of the key tips and information we learned to benefit our readers.

Who are criminals targeting?
In March, we highlighted key findings of the 2012 Verizon Data Breach Incident Report.  As in years past, hospitality, retail and financial sectors topped the list.  Criminals tend to go where there’s money to be made and these industries have a high ratio of credit card transactions.  Within these industries,  a whopping 67% of breaches occurred in smaller organizations – level 3 & 4 merchants – that typically don’t have the staff or resources to employ full time security departments.

How are attackers gaining access?
It is important to remember that most data thieves are professional criminals deliberately trying to steal information they can turn into cash.  It makes sense that they would target the “low hanging fruit”.  The Verizon report shows a substantial increase in the number of breaches directly attributed to non-compliant smaller merchants and organizations.  Statistics clearly show that targeted companies have developed a complacency or even ambivalence towards security.  Whether large or small there are a variety of ways thieves can attack your business.

Stolen login credentials are the most common access point.  These credentials are often obtained through social engineering.  Social engineering employs many methods designed to manipulate a person into providing sensitive information that can be used to access personal data, plant a virus or otherwise gain access to your network.  Almost half (46%) of stolen credentials were obtained by telephone and 37% were obtained in person-to-person encounters, according to the Verizon report. 

Accommodation/Food Service providers should also be aware that POS terminals have the highest percentage of user device compromises (35%). Methods range from installing devices that capture cardholder data from magnetic stripes, to duplicating manager cards, to installing malware applications that track keystrokes. Merchants should ensure their POS system is listed on the PCI DSS website of validated payment applications and approved PIN security devices.

One of the most surprising things revealed in the data breach studies is that it comes down to basic common sense, which as it turns out is not all that common.  Breach studies increasingly show signs that basic security practices are not being exercised. It is similar to leaving your home or your car unlocked and wondering why you had a break in.  Business owners who do not implement basic common sense security practices simply invite an attack and compromise.

What can you do to protect your business and customers?
The good news is there are some simple, basic steps you can implement that will have a big impact on your overall security risk.

  • Implement a firewall on remote access services.
  • Change default credentials of point-of-sale (POS) systems and other Internet-facing devices.
  • If a third party vendor is handling the two items above, make sure they’ve actually completed these tasks.
  • Make sure your POS is a PCI DSS compliant application.
  • Eliminate PAN (Primary Account Number) data on-site.

Still not sure how to proceed?  Partner with a payment security expert who can offer you guidance and support on an implementation strategy that makes sense for your business. 

Finally, ask yourself this question…
The impact of a data breach to any business can be very serious.  In addition to fines and legal fees, you may completely lose the ability to process credit cards.  Consider how much time and money you have available for security awareness training and PCI compliance and ask yourself “What is my company’s reputation worth?”  Would you shop at a store or use a bank that allowed your credit card number to be stolen?

Day 1 at the HITEC show and several notable insights from Jibran Ilyas, QSA and senior investigator with Trustwave, at the PCI Boot Camp session this morning.

Test your data security smarts with this quick pop quiz, then check out the video for the answers and more insight.

  1. TRUE or FALSE: Allowing web access/web traffic is ok for front desk receptionists who may need it to look up directions and other information for guests.
  2. Which system type do hackers target more inside hotels and hospitality businesses?
    (a) PMS – property management system
    (b) POS – point-of-sale system
  3. 62% of all breaches result from stealing which type of data?
    (a) data in transit
    (b) stored data

And BONUS QUESTION (we’ll reveal the answer tomorrow):
What’s the street value of a stolen credit card?
(a) $1
(b) $20
(c) $50

SILVER SPRING, MD (April 23, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, today announced it has been designated by AmericInn International, LLC as the preferred provider of payment and data security services for its franchisees. AmericInn® is one of the fastest growing limited service lodging chains with over 260 locations in 27 states. Locations utilizing an integrated property management system for payments are now required to install the Merchant Link solution.

“As credit card data breaches continue to make headlines, and as we continue to grow our business, we knew we had to do everything possible to secure the personal data of our guests,” shared Mark Nicpon, CIO, of AmericInn International, LLC. “Merchant Link’s hosted solution secures cardholder data from the moment of capture and ensures data is not stored anywhere on premise. The solution also helps ease PCI compliance effort and cost for our franchisees.”

The comprehensive solution incorporates the Merchant Link Payment Gateway, TransactionVault tokenization and TransactionShield point-to-point encryption technology. The Merchant Link Payment Gateway provides connectivity to all major processors and sends payments quickly, while detecting and correcting errors along the way. TransactionVault removes guest credit card data from hoteliers’ systems and stores it in a secure, hosted “vault” – away from the business and safe from hackers. TransactionShield encrypts data at the point of interaction and protects it as it travels through the hotel’s IT environment. Decryption occurs within Merchant Link’s cloud-based payment gateway, reducing the risk of compromise.

“AmericInn understands the importance of processing payment transactions securely as well as the value of the support services we provide their franchisees to access information and immediately remediate problems,” said Dan Lane, Merchant Link’s President and CEO. “We are proud that AmericInn has selected Merchant Link as the brand standard for its franchisees and we look forward to working with them.”

Installations are already underway and adoption across the entire chain is expected to be complete over the next 12 months.

About AmericInn
AmericInn® is a leading mid-scale lodging chain with over 260 locations currently open or under development in 27 states. The brand is dedicated to providing an exceptional lodging value for its guests by offering great rates and amenities such as free, hot, home-style AmericInn Perk breakfast, free hotel-wide wireless high-speed Internet, inviting swimming pools and Easy Rewards. AmericInn is part of Northcott Hospitality, owner and developer of successful franchised hospitality brands for more than 50 years. For more information on AmericInn development opportunities visit www.AmericInnDREAM.com or call 1-866-220-7140. For AmericInn reservations visit www.AmericInn.com or call 1-800-634-3444.

Merchant Link recently named Laura Kirby-Meck as executive vice president of sales and marketing. Laura is a hospitality industry veteran with more than twenty years of experience leading successful sales teams and implementing marketing strategies to position leading hospitality companies in the market.

Following is an exclusive podcast with Laura who discusses payment security trends for the hospitality sector and beyond.

Listen to internet radio with SecurityCents on Blog Talk Radio

We are coming to the end of the year, when everyone takes a look back and reflects on the past 12 months and tries to determine the trends that will impact the coming year. Many industries are facing a sobering outlook for 2012 and looking to do more with less.

The hospitality sector in particular has struggled with the economic downturn the past few years. Steve Short, president of NetLink Resource Group, says that it is still possible for hospitality executives to achieve their goals by investing in smart IT projects to drive business growth.

By smart, I assume he means that these IT projects should help the company meet business objectives while simultaneously saving the company money. My guess is that many will look to implement cloud solutions that require less management and maintenance.

But specifically, the hospitality sector should focus on investment in projects that secure their sensitive customer data and by extension, their brand reputation. The potential return on investment includes simplified PCI compliance. Technology solutions such as point-to-point encryption and tokenization have been reviewed by the PCI Council, resulting in documents that guide executives on how to properly implement these solutions.

As budgets decrease and focus on ROI increases, making sense of the dollars and cents is more challenging than ever. But given the cost of compliance, and the cost of a potential data breach, the hospitality sector should seriously consider and measure the ROI of protecting their data.

To read more from Steve Short and his predictions, check out his blog on HTFP Connect.

This week, Hotel Technology Next Generation (HTNG) is gathering for its North America Members Meeting in San Diego.  Before the show kicked off, we wanted to know what to expect.  What would be the hottest topics for the show?  What payment security trends are impacting the hospitality industry?

We were fortunate enough to interview Sue Zloth, chair of the Payments and Data Security work group, and co-chair of the Software Forum for HTNG who shared her insights.

Listen to the podcast here.

Stay tuned for more exclusive podcasts on SecurityCents!

By Beth McGarrity

As we head into the RSA conference this year, it is always interesting to speculate on the big news that will happen at the show. It also makes us look back at the year before. Of course, given our focus, the news that stood out for us may not have been the same for everyone else. In particular, we noticed a lot of buzz around PCI standards and protecting cardholder data. This was right after it was reported that hotels were the number one target for hackers.

So this year, we wanted to look back at the major hacks of 2010 in the hospitality and lodging industry, with the hope that 2011 will be a much better year.  They included the following breaches:

  • Wyndham Hotels and Resorts: Prior to the RSA conference last year, news broke that Wyndham suffered a second attack.  According to reports, the attack was to the central network, where the hacker moved information to an off-site URL before the company discovered the intrusion.
  • Destination Hotels & Resorts: We blogged about this breach back in June.  The resort reported the possibility that over twenty of its hotels could have been compromised, leaking sensitive cardholder data.  According to a company statement, the company discovered a malicious software program designed to gain access to only credit card information that was physically swiped.
  • HEI Hospitality: Back in September, we pointed out that the hospitality industry was still under attack.  It became very apparent when HEI Hospitality announced a breach to its IT systems impacting potentially 3,400 customers. DataBreaches.net reports that the point-of-sale system used in a number of its hotels was compromised and transactions were illegally intercepted.

Who else got hacked in 2010? The list includes a number of restaurants named in this recent article in Hospitality Technology.

According to research from Harris Interactive, 76 percent of customers would not return to an establishment if they were notified that their personal information was stolen. This is a wake-up call for the hospitality industry, which is driven by the customer experience. Now is the time to take action and ensure that all systems are locked down and credit card information is not stored within your network.