The hotel industry has been in hot water recently over credit card security, and three of the industry's largest associations are not taking the issue lightly. The group has issued a joint statement regarding organized cyber crime attacks on credit card data. It identifies actions that hotels—not their system vendors—need to take immediately in order to minimize vulnerabilities and avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached. The recommendations:
- Eliminate every default password on every machine on your network be it server, workstation, router, firewall or any other device that has a password. The most important machines to check are the ones you think are not vulnerable, such as a PC on an engineer's desk for monitoring building systems, or the PC in the parking garage attendant's office or the one in a closet running your keycard system. To do this right, have your IT department or network consultants map out your network electronically. They can identify every attached device and then physically try to log into each one using the manufacturer's default login credentials (easily obtainable via an Internet search). If that login and password work, change them. In 53 percent of newsworthy attacks investigated by forensics firm Verizon Business in 2009,thieves gained entry to the network by using the word "password" as the password. Don't make it this easy for them.
- Eliminate holes in remote access to systems inside your network. Remote access by vendors is an essential part of support for many hotel systems. The data thieves know this, and they know how to use it to get inside your network. They know all the default passwords, and they have even been known to steal master customer lists, complete with current passwords from vendors. At the very least, make sure that the administrative and remote-access passwords on all your systems have been changed. Better still, for each vendor that needs remote access, put in place a process that ensures that each time s/he connects, you know that it is really that person (not someone who has stolen a password lists). While there are many good technology solutions, you can also institute a manual policy of issuing one-time passwords that are changed after each use. If vendors want to connect, have your staff call them back on their regular support lines with the password. Give the list of passwords only to trusted staff, and store them under lock and key with instructions for changing them. Change the password as soon as the vendor is done.
- If you store stacks of money in plain sight in an exit stairwell, you might expect to be robbed. Operating without an Internet firewall is just as risky. Yet many hotels, especially smaller ones, don't have a firewall. If you are connected to the Internet without one, then people you don't know, from around the world and many with malicious intent, can reach into your network. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day—one every 39 seconds. If that computer is in your hotel, and if the intent is to steal credit card data, they will probably succeed. If you don't have a firewall, buy one and install it. Even a consumer-grade firewall, available for US$100 or less, provides a lot more protection than nothing. Get a firewall and configure it properly to prevent criminals from reaching your machines easily. It should allow only those types of traffic you need, and only to or from Internet addresses that you trust.
Of course, this isn't a complete security plan. The three associations recommend that all hoteliers study the Payment Card Industry Data Security Standards, which outline actions they should take to secure systems. However, many hotels find completing the PCI standards challenging or believe that vendors have them covered. If this describes your mindset, the associations say, then it's time to take ownership of security for your hotel systems. Start work immediately on these three important areas that are entirely under your control and that can be addressed quickly, inexpensively and effectively.
—American Hotel & Lodging Association,
Hotel Technology Next Generation,
Hospitality Financial and Technology Professionals