By Graeme Zwart, PXP Information Security Compliance Officer
Criminals make money from stolen card data. They make fake cards to withdraw money from ATMs. They also buy things with stolen card data to sell on for a profit. Anyone and everyone who has card data is a potential target - and that includes hoteliers.
1. If you don’t need it, don’t store it
Our first piece of advice in combatting the card data criminals is don’t store what you don’t need.
Hotels used to store guests’ card details to guarantee a reservation in advance, top up an authorisation during the stay, or process delayed and amended charges after check-out. Nowadays that’s no longer necessary — or desirable.
The longer you store card details on your systems, the more chances criminals have to probe your systems and potentially steal them. Our hosted payment solution means that we store sensitive card data for you in our secure data centre, so it’s our responsibility to keep it safe.
2. Tokenise where you can
Tokenisation replaces sensitive card data with a token value. You can then use this token across various front-end and back-end systems instead of the real card data, which helps protect you and your guests’ data.
Our tokenisation is format preserving, which simply means that it replaces a 16-digit card number with a 16-digit token and a 19-digit card number with a 19-digit token, so no system changes are required. It works across channels, countries and sub-brands within your group. It also works retrospectively, so if you have card details stored, we can tokenise them without completing a transaction.
3. Encrypt where you can
For face-to-face sales, we’d recommend you encrypt card data directly on the PIN entry device (usually the PIN pad). This type of point-to-point encryption protects data all the way to our secure processing centre. Your terminals and systems never see any sensitive data in the clear, which minimises the impact of a data security compromise.
4. Reduce your scope
Using a hosted solution, tokenising and encrypting card data all help reduce your PCI DSS scope. De-scoping really pays dividends. There’s little need to manage and maintain the activity once it’s out of scope. That means there’s more time, budget and effort to dedicate to being a hotelier, as opposed to a payment security expert.
5. Keep your systems up to date
Security flaws are regularly found in all computer systems, and the vendors provide regular updates to fix these flaws. Make sure you have a program in place to update your systems as soon as the vendor releases a new security update. Criminals are very quick to take advantage of unpatched systems.
6. Keep your antivirus up to date
New malware is being developed every day, and there are many variants that are designed specifically to steal credit card data. Make sure you use a reputable antivirus vendor and configure your systems to check at least daily for definition updates.
7. Use strong passwords
Make sure you use strong passwords for logging on to any of your systems. Passwords that are eight characters or longer, and include numbers, letters, and both upper and lower case, are much harder for hackers to crack.
8. Change default passwords
Many devices, such as broadband routers and wireless access points, come with a simple default password to make them easy to set up. These default passwords are really easy to find on the internet, so be sure to change them to a strong password before introducing the device into your network.
9. Limit access to card processing systems
It’s possible that not everyone in your organisation will need to access the payment systems. Implement access control measures to ensure that card data, and the payment systems, are only accessible to the people who need them.
10. How to find out more
To find out more about data security within the hotel industry, please just download our free ebook Top tips to ensure you keep your guests' card data safe.
For a free 30-minute consultation on your payments requirements, please complete the form below or call 0844 209 4370.