How hospitality chains can halt POS hacking
By Sachin Varghese, December 24, 2018
The hospitality industry’s basic tenet is being nice to people. But when it comes to cyber security and point of sale (POS) systems specifically, the ‘nice guy’ approach no longer applies. Hotels and restaurants have become targets of choice for cybercriminals.
As they rapidly digitize and offer patrons a new, connected hospitality experience, they inadvertently create vulnerabilities that attackers can exploit. Security risks quickly follow, and POS hacking is among the forerunners.
A recent point of sale breach in the B&B Hospitality Group restaurants in New York showed how POS vendor lapses can expose businesses and their customers to cyber threats. Third-party systems like POS software bring with them both end-user convenience and business risk.
There’s More at Risk than You Think
Cybercriminals attacking via POS systems are not just after card payment data. As we explained in a recent article on cybersecurity in hospitality, the stakes can be much bigger. Hotels increasingly collect and store comprehensive information about their guests. They use this information to tailor their services to their clients and make targeted special offers. Restaurants are following this trend too. Cybercriminals can use this rich personal data for anything from whaling email attacks to complete identity theft.
POS hacks can therefore be just the tip of the iceberg. Once cybercriminals access payment terminals, they may find ways into the rest of the digitally interconnected environments that are now developing in the hospitality sector. An initial POS hack in a local hotel or restaurant may spread throughout a chain and up to the headquarters.
Boosting Your POS Security
What should hospitality chains do to boost their cybersecurity? Measures should be taken to protect all data, systems, customers, and users, although in this article we focus on POS equipment as a potential entry point. Both general and specific security measures apply.
First, hospitality establishments must assume that sooner or later a breach will happen. They need the capability to detect and respond to such breaches before severe damage can occur. To do this they need a solution that continuously monitors for threats, both internal and external. The service should also be able to investigate and respond so that a threat is contained before it escalates. This advanced form of threat detection and response is what the industry calls MDR, or Managed Detection and Response.
Second, hospitality businesses should implement the Point-to-Point Encryption (P2PE) standard. This protects credit card data in transmission through merchant systems and encrypts data at the Point of Interaction (POI). A third-party P2PE solution expert can implement it, covering P2PE-validated applications at the point of interaction, secure management of encryption and decryption devices, advanced security testing, and more.
Third, hotels and restaurants should make sure they comply with the specific security standards (PCI DSS) relating to point of sale activities and credit and debit card handling. PCI DSS defines a more detailed 12-requirement structure for securing card data. PCI DSS v3.2.1 specifically gives you a prioritized approach to protect against the highest risk factors and escalating threats.
Managed Detection and Response (MDR) for Hotels, Resorts and Restaurants
The managed security industry is moving fast from static, rules-based threat detection and manual incident response to a math-driven model of high-speed detection and automated response. This technological advancement in managed security is changing the way hotels and restaurants can cost-effectively leverage AI-driven security solutions to protect against cyber threats, including POS hacks. Hospitality chains adopting MDR will be giving their customers a good night’s sleep in more ways than one.
About the author
Sachin Varghese is EVP Americas & CMO at Paladion