This entry was also posted on the Hospitality Lawg—a Baker Hostetler blog featuring commentary on hospitality law, news, and developments. 

It should no longer come as a surprise that the hospitality and food and beverage industries are favorite targets of hackers.  Indeed, some commentators have suggested that hackers view these industries as the low-hanging fruit.  The 2011 Global Security Report released by Trustwave’s SpiderLabs shows that 67% of the data breach incidents Trustwave investigated in 2010 were from the food and beverage (57%) and hospitality (10%) industries.  According to the Verizon-Secret Service 2010 Data Breach Investigations Report, the hospitality industry, which included “Food & Beverage,” joined financial services and retail as part of the “Big Three” of industries affected by data breaches. 

“While a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert. At this time, it appears that the organized crime group responsible for the majority of hospitality breaches in 2009 expanded their target list. Instead of focusing exclusively on the hospitality industry, this group became active within the food and beverage and retail markets as well.”  2011 Trustwave Global Security Report     

The factors that make these industries particularly vulnerable to hackers include: (1) the use of vulnerable point-of-sale devices (“POS”) and wireless networks; (2) the difficulty of enforcing compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) in a franchise network where franchisees all use a centralized payment processing network; (3) the volume of card transactions; and (4) the retention of card data for reservations and other personal information for use in loyalty programs. 

Complying with PCI DSS is the right initial step toward protecting credit card data.    But compliance alone is not a guarantee against a breach.  Passing a PCI assessment only means your company was PCI DSS compliant on that date.  Indeed, 21% of the breached entities investigated by Verizon in 2010 had been validated as PCI DSS compliant during their last assessment.  Rather, companies must be committed to actively maintaining the security of their system on an ongoing basis.  Common best practice recommendations for the unique challenges facing the hospitality and food and beverage industries include:

(1) Restrict physical access to confidential information and adopt new encryption and/or tokenization technologies designed to render data useless to unauthorized persons, in addition to only storing encrypted payment card data in a centralized vault;

(2) Use complex passwords (not vendor-supplied default passwords) for all access to payment applications, including POS and wireless access; install and update anti-virus and anti-spyware software; regularly scan for malicious software; and set appropriate firewall rules; and

(3) Educate employees and franchisees on the company’s data security practices, and require franchisees to comply.

The PCI Security Standards Council published version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements in May 2010.  The updated standard and detailed listing of approved devices are available on the Council’s website.  The Council’s website also contains a list of Validated Payment Applications.