Login

3 Ways to Protect Your POS From Hacks

Data hackers are breaking into hotels’ technology infrastructure by way of POS vulnerabilities. Here are three ways to keep these invaders at bay.

GLOBAL REPORT—The point of sale has emerged as the hotel industry’s Achilles’ heel as hackers continue to target guests’ credit card information. 
 
The reason is simple, said sources contacted for this report. The POS handles a high volume of credit card transactions.
 
John Bell worked in IT for Marriott International for a dozen years before going out on his own to form IT consulting company Ajontech. During his time at Marriott, the data attacks that occurred at the company’s franchised locations had a common thread: The franchise owner brought in an outside system. 
 
“They’re putting things in place not knowing it’s a vulnerability,” he said.
 
“Clearly, if there is a POS that is not one that is standardized across the organization but is individual to each hotel, that could represent a point of vulnerability,” Bell continued. “Some hotels like to host their own website or their own spa or golf management system. That opened up holes in the firewall.”
 
Lara Shortz, a senior associate with law firm Michelman & Robinson, said she has noted an uptick in the number of clients asking about data security.
 
“People are putting preventative measures in place,” she said. “I can’t tell you how many people want us to speak on the topic.”
 
The cost of not tightening up POS loopholes can be substantial, Shortz said. Data breaches on average can cost a hotel upward of $3 million per attack when factoring in the costs of notifying those who were affected, working with an outside security team, etc. 
 
Hoteliers can help avoid those costs, as well as the headaches that accompany POS system breaches, by following three tips. 
 
1. Keep guest data offsite
Bell stressed that hoteliers need to be careful in how sensitive customer data is handled.
 
“If I’m a large hotel company, I don’t want anyone going directly to my hotel” with payment information, he said. “I want to proxy everyone going to my hotel.”
 
He suggested taking advantage of an outside hosting company that collects payment card industry data. That can be done via a secure solution such as an outside hosted page.
 
That’s the tact taken by Apple Leisure Group, the portfolio of which includes 37 resorts spread across Mexico, the Caribbean and Central America through its six brands. CEO Alex Zozaya said the company uses an offsite customer relationship management system.
 
“We take very good care of customer data,” he said.
 
Bell said he prefers to use cloud computing systems when it comes to handling guest credit card data. It’s important that such a system requires the proper credentials to access, he added.
 
“Whoever is operating that cloud can take on a lot of that responsibility” of protecting data, Bell said.
 
2. Rethink the infrastructure
The Atlanta Marriott Marquis is preparing to install a new system that will feature fiber optic cabling running to each of the hotel’s guestrooms. Dick Wagner, technical consultant, emerging technologies, said the cabling is being installed primarily to ease the bandwidth strain caused by guests carrying multiple mobile devices into the hotel. 
 
That said, the fiber optic network also features highly secure firewall technology.
 
“We see no reason why we wouldn’t want to put it everywhere,” he said when asked about the possibilities of putting the technology in place to secure POS transactions.
 
Bob Combie, VP of asset management at Sunstone Hotel Investors, said the real estate investment trust also is considering fiber optic technology for its hotels. How it is used in the company’s properties likely will be assessed on a case-by-case basis.
 
“We’re in the planning stages,” he said. “It was a compelling reason to (consider adding the cabling).”
 
Bell cautioned that technology infrastructure separate from the hotel’s POS system should be covered.
 
“Hotels tend to virtualize their LAN inside the hotel and separate it for the guest and back office,” he said. “Virtualization is not enough. You need a virtual private network for the back office, not just a separate virtual network. But make sure it is an encrypted network and you need credentials to access it.”
 
3. Tokenization
Shortz said some forethought is required when a hotel staff is trying to decide on an IT security strategy. “Security protocols should be in place ahead of time,” she said.
 
Another layer of security that should be given such attention ahead of time has to do with the concept of tokenization, Bell said.
 
“Hotels have no business having credit card information on their system at all,” he said. “The way to keep credit cards off your system is to use tokenization. It substitutes a number that cannot be used to make a charge through another organization.”
 
Another benefit of using tokens is that the tokens do not have to be protected, Bell said.

-

After the hack
Despite the best laid plans, data hacks still do occur. For instance, White Lodging Services Corporation has dealt with multiple incidents. The company suffered a malware attack in 2014 and then also was hit with a separate string of incidents that took place from 3 July 2014 to 6 February 2015 at 10 of the company’s properties. The incidents were linked to food-and-beverage POS systems at the hotels.
 
In a statement, White Lodging said it engaged a third-party security firm to provide security technology and managed services but still was a target a second time. White Lodging did not respond to a request for comment prior to press time.
 
In the event of a hack, Bell said hotel employees should do the following:
 

  • Unplug the system where the breach occurred.
  • Scan the network to see how far the breach has spread.
  • Make an image and copy of the hard drive that will be used for forensic analysis.
  • Wipe the hard drive clean and reinstall it from scratch.

  “That will take care of the vast majority of malware,” he said.