PCI update: It’s about encryption
19 Oct, 2011 By: Gina LaVecchia Ragone
One of the most damaging things that can happen to any business is a compromise of customers’ credit card information.
The challenge, of course, is that a sophisticated criminal element is constantly looking for new ways to breach the many safeguards companies put in place to protect guests’ information. Sadly, legitimate operations can have a difficult time keeping up with the bad guys lurking just beyond their networks. This is where PCI compliance comes in. Compliance with the standards set forth by the Payment Card Industry Security Standards Council (PCI SSC) is the best way for a business to protect its guests and its reputation. With input from 650 of the nation’s largest merchants, banks and retailers (including several hospitality groups), “the council puts standards in place, updates them, and trains the assessment community” to evaluate compliance, says Bob Russo, general manager of the PCI Security Standards Council.
Since Hotel Management last addressed PCI compliance, the most significant development in payment card industry security standards has been a point-to-point encryption (P2PE) standard, released just last week, that makes encrypted card data useless to hackers who succeed in intercepting it. The document, “PCI Point-to-Point Encryption Solution Requirements,” provides the first set of requirements for hardware-based P2PE solutions. The standard gives manufacturers the criteria to implement in their next generation of encryption and decryption technology.
Russo says the new technology “protects not only PINs but also the encryption of those PINs and protects [the merchant] from the skimming of credit card information and authorization codes.”
Gary Glover, director of security assessment at SecurityMetrics, says, “Point-to-point encryption is not a panacea or a silver bullet, but it goes a long way down the road to solving this problem.” Consider a merchant with only one network segment, a fairly common, and not ideally secure, situation. The new technology encrypts the data on the actual device on which the guest’s credit card is swiped. The data can then only be decrypted by the provider performing authorization and settlement services for the merchant.
Glover explains that such “asymmetric” systems utilize both public keys and private keys: One is used to encrypt data and the other is used to decrypt it. Because there are different strings for encryption and decryption, the hotel operator or other merchant has only one part of the key. With point-to-point, encryption takes place with the public key inside the swipe device, “before it ever leaves that plastic box,” Glover explains, “so even if the information accidentally gets deposited on the hotel system, hackers can’t do anything with it. The private key is held only by the bank or processing service. The bad guys can have that data all day long and would not be a problem because they have no way to decrypt it.”
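The key separation Glover describes, as an added example that is not from the article or from SecurityMetrics: the swipe device holds only the processor’s public key, the merchant network carries only the resulting blob, and only the processor’s private key recovers the track. It uses Go’s standard-library RSA-OAEP directly on a short constructed track record for clarity; real P2PE solutions rely on hardware key management in the terminal and HSMs at the processor, and the function names and sample card data are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample track record for the demo; not real card data.
const sampleTrack = "PAN=4111111111111111;EXP=1214;NAME=J DOE"

// generateKeyPair stands in for the processor's key ceremony: the private
// half stays with the processor, the terminal gets only the public half.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptAtDevice is what the swipe device does the moment the card is read:
// the track is encrypted under the processor's public key (OAEP) before it
// leaves the terminal, so the merchant network only ever sees the blob.
func encryptAtDevice(processorPub *rsa.PublicKey, track []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, track, nil)
}

// decryptAtProcessor is the only step that recovers the track; it needs the
// private key, which the merchant never holds.
func decryptAtProcessor(processorPriv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, processorPriv, blob, nil)
}

// merchantCannotDecrypt models the article's point: a copy of the blob left on
// the hotel system, tried against a key the merchant does hold (here its own
// unrelated key pair), yields nothing.
func merchantCannotDecrypt(blob []byte, merchantKey *rsa.PrivateKey) bool {
	_, err := decryptAtProcessor(merchantKey, blob)
	return err != nil
}

func main() {
	processor, _ := generateKeyPair()
	merchant, _ := generateKeyPair()
	blob, _ := encryptAtDevice(&processor.PublicKey, []byte(sampleTrack))
	fmt.Printf("blob on merchant network: %d bytes, PAN visible: %v\n",
		len(blob), bytes.Contains(blob, []byte("4111")))
	plain, _ := decryptAtProcessor(processor, blob)
	fmt.Printf("processor recovered: %s; merchant key works: %v\n",
		plain, !merchantCannotDecrypt(blob, merchant))
}
```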
He adds, “When those solutions are vetted and validated, then a merchant can greatly reduce risk.” And, while there will be a capital investment in replacing the hardware, “your PCI compliance will consist of one little device. This will definitely be the direction in which most merchants will go in the next five to seven years,” Glover says. The simplification will be dramatic, and maintenance will include little more than the periodic updating of keys. Most dramatically, hotel operators and other merchants will see the difference in their self-assessment questionnaires, “which will go from 236 questions to 30 questions, and this will certainly be worth it to most merchants,” he says.
The PCI SSC will release a list of validated P2PE solutions in 2012.
“This is all coming down the pike this year,” says Glover, “which is really a step in the right direction.” Finally, Russo is quick to remind merchants that point-to-point encryption is not a cure-all and that data protection is still necessary. He also reminds merchants that while adherence to any of the PCI SSC standards is always voluntary, “compliance with the standards is simply everyone’s best defense against a breach, which is always the goal.”