When it comes to securing POS systems, a large proportion of hotel industry resources are spent on compliance with the Payment Card Industry (PCI) security standard because major credit card companies require it, said Greg Buzek, president of IHL Group, a global research and advisory firm specializing in technologies for the retail and hospitality industries. Focusing too much on PCI, however, can cause hoteliers to miss important details.
“The issue has been that there’s such a focus on PCI cardholder security and their rules, that there’s a burden from that that could really be used for overall security,” Buzek said. “The security pie is only so big, so by card companies saying ‘You won’t be able to accept our cards if you’re not compliant,’ that money goes to compliance.”
Targeting PCI compliance to the exclusion of other security measures can leave hotels vulnerable because security holes can exist in systems not part of PCI requirements, Buzek said. “The perfect example is what happened in the Target data breach. There was a vendor who had access to a portal that had nothing to do with the stores whatsoever. That system was vulnerable, and once the hackers got in there, they found out how to get to other systems that were related to the POS. PCI wouldn’t touch that—PCI would only touch all the systems that were directly involved with handling cardholder data.”
Once a hotel system has been breached, it is often too late to track the criminals responsible and prevent data theft, said Todd Seiders, director of risk management at hospitality insurance brokerage Petra Risk Solutions and former director of loss prevention at Marriott International.
“We had a client that got infected with a special malware that collected data but didn’t send it out until it saw that it had been detected by the antivirus software,” he said. “Then at that point it dumps all of the data out and the crime is over—it’s already come and gone.”
The Rise of Mobile
The explosive growth in POS systems that use mobile devices poses security challenges of its own.
Last September, InterContinental Hotels Group, in its “Mobile POS: Hype to Reality” study, estimated that the mobile POS market would surpass $2 billion in North American hardware and software sales in 2013.
“One of the challenges of mobile POS security is dealing with wireless devices in general,” said Wendy Mertz, senior director of applications and strategy at Hard Rock Hotels and Casinos. “You have multiple points of entry, so you have to make sure that those are secure.”
Mobile POS systems can also be challenging because, as of now, vendors must often write software for both mobile and non-mobile platforms, which is resource-intensive, said Buzek.
Despite these challenges, there are still a few best practices hoteliers can keep in mind for securing their POS. Education, for example, can go a long way toward avoiding problems, said Mertz.
“People in the hotel industry are hospitable,” she said. “They’re constantly trying to serve the guest, so you have to make sure your staff is constantly educated on the requirements of PCI security and what it means to be secure.”
Additionally, practices such as application whitelisting and checking that devices have not been tampered with can keep mobile devices from becoming a security risk, said Mertz.
Physical security also plays a key role, said Seiders. “I’ve solved a billion employee issues by putting a security camera over the POS spot, computers and desk registers,” he said. “You can see who did it if there is a breach.”
“The key is maintaining a high level of vigilance,” said Steven Heselius, director of hotel technology at Hard Rock Hotels and Casinos. “The industry and standards are changing, so it’s about maintaining vigilance toward where the industry is pushing. It’s not something you do today and it’s secure forever.”