Outside Insights | November 2012 | By Bob Russo

Target: Restaurants

How to fight back against data thieves.

Operators must protect their restaurants against data thieves.

For the last couple of years, the hospitality and restaurant industries have been plagued by data theft, credit card breaches, and hacking attempts made to steal payment card data.

The two biggest global reports on data breaches, Trustwave’s Global Security Report and Verizon’s Data Breach Investigation Report (DBIR), both show hospitality and restaurants continuing to struggle in this area. Trustwave notes that, for the second year in a row, the food and beverage industry made up the highest percentage of breach investigations, at nearly 44 percent. Franchise outlets like hotels and restaurant chains have increasingly come under attack by cybercriminals: according to Trustwave, more than a third of 2011 investigations occurred in a franchise business.

Verizon, meanwhile, reports that the accommodation, food, and lodging industries made up nearly 54 percent of its caseload. Why is this?

Standardization of computer systems among the franchise (and hospitality) models is common and, in the event a security deficiency exists within a specific system, deficiencies will be duplicated among the entire franchise base. In 2011, cybercriminals took full advantage of this vulnerability, targeting specific franchised businesses and exploiting common points of failure across franchisee properties, according to Trustwave’s 2012 Global Security Report.

A typical cybercrime works something like this.

A hacker scans the Internet looking for systems known to belong to a certain restaurant or hotel chain. On finding them, the hacker tries default and common passwords, knowing, as the Trustwave report shows us, that weak passwords are a real problem in the industry. In fact, the most common password used in business today is Password1. So in many cases, we are leaving the front door keys under the doormat.

After these systems are compromised, the bad guys go in for the credit cards and sell them on the black market. Then they go back to scanning the Internet for another likely victim.

In its 2012 Global Security Report, Trustwave reports that 76 percent of the breaches investigated in 2011 were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments. Errors introduced during implementation, configuration, and support of validated payment applications by third parties into merchant environments were identified as a significant risk to the security of cardholder data.

The hospitality and restaurant industries, which rely heavily on outsourcing, are particularly vulnerable, as they made up the bulk of the compromises.

What this means is, quite simply, the various pieces that were purchased and implemented in your environment may not have been put together correctly. To be honest, it isn’t necessarily the integrator’s fault. It is tough to be the master of all of these solutions and the hundreds of ways they can be implemented. And when you combine the multiple systems from different manufacturers (or even certain solutions from the same manufacturer), they don’t always work together in a manner that promotes thorough security. The simple fact is that there hasn’t been the training available for these integrators to understand how to put together these disparate parts in a cohesive fashion—until now.

Recently, the PCI Security Standards Council announced plans to train and certify payment software integrators and resellers on the secure installation and maintenance of validated PA-DSS applications into merchant environments to support PCI DSS compliance. The PCI Qualified Integrators and Resellers (QIR) program rolled out earlier this year.

The QIR program will provide integrators and resellers that sell, install, or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications into merchant environments in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, ensuring merchants a trusted resource for selecting PCI approved partners. A global list of PCI Qualified Integrators and Resellers will be available soon.

At the PCI Council, it has always been our goal to help create resources that help merchants of all sizes develop strong security programs that aid in their ability to protect the integrity of the entire payment process, and help organizations minimize their ongoing risk of experiencing a data breach.

That’s where we ask for your help. We call upon folks in the restaurant industry to get involved with the Council as a Participating Organization. There are a ton of benefits for getting involved, not the least of which is our strong ties to expert peers in your industry.

You can also take advantage of PCI training, like our Internal Security Assessor program, to help you in your PCI security journey and to maintain ongoing compliance. Check out our PCI training opportunities for more details.

Be our partner, be our ally. Together we can continue this fight and reduce the amount of credit card fraud in the hospitality and restaurant industries in the coming years.

Bob Russo is general manager of the PCI Security Standards Council.