Hard Rock Hotel data breach explained by Ben Oguntala


Hard Rock Hotel data breach: Lessons to be learnt
by Ben Oguntala

As CEO of our newly acquired cloud based payment compliance platform Payments & Co (www.paymentandco.com), and a frequent traveller due to our Tourism project www.africantourismmarket.com, the data breach at Hard Rock Hotel is something every hotel needs to pay attention to. This article is a guide for every Hotelier on how to avoid the ticking time bomb.

Ben.oguntala@paymentsandco.com
+447812039867

Ben Omoakin Oguntala is a PCI Technical Design Authority and author of the new initiative for the payment card industry titled ‘Reducing the likelihood of a breach occurring’, as opposed to the checkbox exercise of simply becoming PCI Compliant. The PCI compliance documents are worthless if you don’t secure each of your payment channels and reduce the likelihood of a breach occurring.

The Hard Rock Hotel

Source – http://www.chicagotribune.com/business/ct-hard-rock-hoteldata-breach-0708-biz-20170707-story.html

Some Hard Rock Hotel guests may be singing the blues after the company revealed a payment card data breach Thursday spanning seven months and 11 properties, including the Hard Rock Hotel Chicago.

www.paymentsandco.com



The Florida-based hotel chain learned in June that hackers gained access to unencrypted payment card information for a "small subset" of customers who booked reservations through a platform provided by third-party vendor Sabre Hospitality Solutions. The data breach took place between Aug. 10 and March 9 and affected an undisclosed number of guests at the Chicago hotel and other properties, including Hard Rock Hotel & Casino Biloxi in Mississippi, Hard Rock Hotel Cancun in Mexico, Hard Rock Hotel & Casino Las Vegas, and Hard Rock Hotel Palm Springs and Hard Rock Hotel San Diego in California.

I am certain that the Hotel would have spent a lot of money on PCI Compliance, and right now all of the people they paid for that compliance will not stand up to defend the Hotel. That is a major issue I have with the industry right now. The Attestation of Compliance means nothing when there is a breach, and as a result I tell my clients: why waste money on PCI Compliance when, for a fraction of the cost, you can invest in re-architecting your payment channels and reduce the likelihood of a breach occurring?



There are 3 key items that jump out at me in this breach that we can help other Hotels avoid ever falling into the same situation, and they are:

1. Unencrypted payment card information
   a. This indicates the Hotel does not have a PCI Compliance strategy that reduces its likelihood of a breach occurring.
   b. It shows that 3rd party service providers acting on behalf of the Hotel were operating in a manner that allowed this breach to take place.
   c. This also indicates that some of the payment channels the Hotel has are not secure.
   d. The Hotel may have wrongfully relied on the 3rd party.

2. Booking reservation
   a. A 3rd party software that clearly stores card data in the clear.
   b. In our solution, this is an absolute ‘no-no’. This is the reason why we define your compliance strategy first, so that you are given an opportunity to determine how you would like each payment channel to be secured. This is then passed on to and enforced on all suppliers.

3. Platform provided by a 3rd party vendor
   a. A 3rd party vendor with a solution that ought to be registered as PA DSS.
   b. A 3rd party taking card payments in the clear shows either that the Hotel has no strategy for securing card data or that the 3rd party ill-advised the Hotel.
   c. There may have been historical reasons for keeping card data; however, right now, none of them are justifiable.
   d. The 3rd party is not a bank and was needlessly taking that card payment data; all it could do with it is simply forward it to the payment processor.
   e. This means this breach was completely avoidable, and Hard Rock Hotel has needlessly been dragged into this breach.

The report went on: "Not all of our hotels leverage Sabre Hospitality Solutions SynXis, so only a small subset were affected. Customers have been notified and Sabre has contacted the FTC," the company said in a statement. "Hard Rock Hotels & Casinos is in the process of notifying the attorneys general's offices as required by law."




The report above states: "Secure - The connection is based on you not having to be PCI secure. Besides that, it contains a holistic fraud tool and 3-D Secure."

This is clearly untrue. The breach went on for months, so how effective was the fraud tool, and 3-D Secure did not prevent the breach, yet they sold the product as a PCI secure solution. That is misleading. The Merchant ID belongs to Hard Rock Hotel, and so does the risk of reputational damage: if Sabre’s statement were true, then the title of the Chicago Tribune article would have been ‘Sabre Hospitality software has been breached’, but clearly that is not what has happened. The press are more interested in the big brand names than in tech companies. Every merchant needs to know that. Hard Rock Hotel of course needs to be PCI Compliant, and even if they outsourced 100%, they will still be required to complete some control requirements.




Sabre revealed the breach in May and on Wednesday concluded an investigation that determined an "unauthorized party" accessed payment card information through the company's reservation system. Some reservations included the payment card security code, but no Social Security, passport or driver's license numbers were accessed, according to the company.

From this quote, Sabre has broken the golden rule in PCI DSS, which is not to store the security code. It seems the whole process was managed without the involvement of the Hotel, and as a result 100% of the liability lies with the 3rd party. As aforementioned, Sabre had no competence to take the card details and the security code, as they are incapable of doing anything with the data. So why take it?
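As an added illustration (not code from this article or from Payments & Co), the Python check below scans reservation records for the two things called out here and in the key items above: a full card number kept in the clear, and a stored security code. The record layout, field names and card numbers are constructed for the example; the check also tolerates card numbers written with spaces or dashes, which the text does not discuss.

```python
import re

# Constructed sample reservation records (not real bookings or cards). The first two
# resemble what the article describes: a booking platform keeping the full card
# number, and even the security code, in the clear. The third keeps only an
# acquirer-issued token plus the last four digits, which is all a hotel needs.
RECORDS = [
    {"booking": "HRH-0001", "card_number": "4111111111111111", "expiry": "12/27", "cvv": "123"},
    {"booking": "HRH-0002", "card_number": "4111 1111 1111 1111", "expiry": "01/26"},
    {"booking": "HRH-0003", "card_token": "tok_9f3a7c", "last4": "1111", "expiry": "12/27"},
]

# Field names under which the security code (sensitive authentication data) tends to appear.
SECURITY_CODE_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so a random run of digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True for a 13-19 digit Luhn-valid number; spaces and dashes are tolerated."""
    if not isinstance(value, str):
        return False
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def audit_record(rec: dict) -> list:
    """Return the findings for one record; an empty list means nothing prohibited was stored."""
    findings = []
    for key, value in rec.items():
        if key.lower() in SECURITY_CODE_FIELDS:
            findings.append(f"{key}: security code stored (never permitted after authorisation)")
        elif looks_like_pan(value):
            findings.append(f"{key}: cleartext card number")
    return findings


def audit_all(records) -> dict:
    """Map booking reference -> findings, for just the records that have any."""
    return {r["booking"]: f for r in records if (f := audit_record(r))}


if __name__ == "__main__":
    for booking, findings in audit_all(RECORDS).items():
        print(booking, *findings, sep="\n  ")
```

Run against a real reservation export, only the booking references that carry prohibited data are reported, which is the evidence a hotel needs before telling a supplier to change its storage.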




"Less than 15 percent of the average daily bookings on the SynXis reservation system during that time period were viewed," Sabre spokesman Timothy Enstice wrote in an email Friday. The platform was reported PCI Compliant and had all the paperwork to prove it, all of which now count for nothing, primarily because and to my point, they have failed to consider the architecture of the merchant’s payment channel. If you fail to do this, it is only a matter of time before you get breached.

Do Hotels need to keep card data?

Many of my Hotel clients state that they need to keep card data to cover incidentals. Well, in answer to your question: how many incidentals can justify such a breach? The answer is no. The reality is that most Hotels charge as ‘customer present’, and of course the customer is never present after they have left the Hotel. This, of course, creates a further chargeback problem for the Hotel.

It is understandable that Hotels don’t want to increase their debt and be forced to chase it. The problem is completely avoidable, and we have a series of solutions that prevent the risk in a secure manner.




How we make Hotels reduce their likelihood of a breach occurring

https://paymentsandco.com/services/

1. Definition of your Hotel’s PCI Compliance strategy – our definition of your Payment compliance strategy will list all the merchant IDs and systems you use to take card payments, including those from your 3rd party suppliers. This will allow us to:
   a. Define your current Acquiring Banks, merchant IDs and payment channels.
   b. Create a risk register for each payment channel; here we would have identified the situation with the Sabre Hospitality software.
   c. Formulate a strategy defining:
      i. How you wish each payment channel to operate, architecturally. This is where we design each payment channel to reduce the likelihood of a breach occurring.
      ii. What SAQ you would like for each payment channel:
         1. Cardholder present would be SAQ B, with P2PE tokenisation in place.
         2. E-commerce would be SAQ A, with card data entered directly into the Acquiring Bank’s system.
2. Determine who will be responsible for generating the controls for each payment channel.
3. Pre-approve all your suppliers for your PCI products and services.
4. Implement an approval process for changes to your PCI estate.
5. Manage your PCI controls and reporting.




In conclusion

We are not simply a managed service; we design your estate to ensure every entry of card data into your system is done securely. Regardless of what Sabre Hospitality or any other software provider says, they are unable to do anything with the card data other than pass it on to the Bank, and if that is the case, our position is: why don’t you architect a solution that allows the card data to go directly to the Bank and not via a 3rd party that is not secure enough to hold on to the card data in the first place?

We manage every single payment channel and risk assess all changes to them

We track every asset and make sure each one is audited and compliant




All requests are managed and risk assessed

So, do not be shy, get in touch with me today, and in 12 months your Hotel or organisation will not only be PCI compliant but will also have reduced the likelihood of a breach occurring.

Ben Omoakin Oguntala, ben.oguntala@paymentsandco.com
Tel: +44 7812039867


