The PCI compliance framework, cybersecurity and data privacy are now strategic matters that hoteliers must proactively manage. On January 6th, 2020 the U.S. FTC’s (Federal Trade Commission) Consumer Protection Bureau released an updated SOP for “orders and settlements” in data breach enforcement.
The FTC revised its routine enforcement procedures to ensure that affected hospitality businesses conduct FTC-recommended audits, investigations, and monitoring of their data security practices. The FTC also demands a documented “information security program” that must be submitted to the FTC board or another governing body for oversight and review.
The new changes enacted by the FTC address the growing responsibilities & roles of hoteliers in identifying, analyzing, and managing data security threats. This brings us to the growing role of technology including social media, robotics, touch payments and smart devices in the hospitality industry.
PCI Compliance Foundations for Cybersecurity & Data Privacy
The PCI Council established the 12 PCI guidelines in great detail, emphasizing some of the most robust cybersecurity and data protection technologies. Among the 12 rules, eight rules concentrate on the cybersecurity of systems and the protection of guest data. The twelve PCI rules are as follows:
- Safeguard cardholder data by implementing and maintaining a firewall.
- Create custom passwords and other unique security measures rather than using the default setting from your vendor-supplied systems.
- Safeguard stored cardholder data.
- Encrypt cardholder data that is transmitted across open, public networks.
- Anti-virus software needs to be implemented and actively updated.
- Create and sustain secure systems and applications.
- Keep cardholder access limited by need-to-know.
- Users with digital access to cardholder data need unique identifiers.
- Physical access to cardholder data needs to be restricted.
- Network resources and cardholder data access needs to be logged and reported.
- Test security systems and processes frequently.
- Address information security throughout your business by creating a policy.
Every hotel today carries at least one POS payment touchpoint and high-speed internet for its guests. Simply having these two technologies creates a necessity to deploy ideal & effective tools to protect devices and data across the hotel.
While these rules apply only to hospitality businesses that accept card payments, they are an excellent starting point for any organization that seeks to reinforce its technology security. The great aspect of the PCI compliance rules is their emphasis on both the correct tools and the correct SOPs and practices that handle data security.
Possibly the most important measure that any hotel should look to accomplish is to develop a comprehensive information security plan that addresses the entire attack surface across the property. These policies should identify:
- all the areas of vulnerabilities,
- authorized personnel who should access card & user data,
- identification & access rules for databases,
- hardware & software to be deployed for technology security,
- technology testing & maintenance routines, and
- creation of a logging process for the hotel network.
The U.S. Center for Internet Security – 20 Critical Security Controls
Established in 2008 by the SANS Institute, the 20 CIS Critical Security Controls were developed to counter the growing epidemic of cybercrime in the USA. In 2013, the rights to the controls were transferred to the Council on Cybersecurity, and in 2015 they were transferred again to the Center for Internet Security.
The 20 CIS controls were developed with an end-to-end security framework in mind. Broken into three major sections, namely basic, foundational and organizational, the controls establish a comprehensive, actionable strategy to protect technology-powered businesses.
Basic CIS Controls
‘Basic’ CIS controls are made up of six common rules that every organization must adhere to. These controls are the prerequisite for every organization that retains customer data and accepts card/digital payments. The six basic rules include:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
Foundational CIS Controls
The second section of CIS controls focuses on the everyday, or ‘foundational’, aspects of maintaining business continuity. From email to account control, the foundational rules establish a culture of security across the entire hotel. There are ten foundational controls in total, each covering an area of concern that hotels should manage on a daily basis.
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Organizational CIS Controls
Finally, the organizational section of the CIS controls is directed towards organizational policy-making and strategy for managing technology security. Like the 12th PCI compliance rule, this section is where hotels answer critical questions regarding their cybersecurity framework and response strategies. There are four organizational CIS controls recommended:
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Due to the significant amount of data that hotels collect today, it is essential for both hotel owners and staff to be aware of cyber threats. Hotel experiences are highly dependent on the trust guests place in a brand.
Now that the FTC has made hotels and hospitality companies responsible for data privacy, it is imperative for hotels to adapt. The first responsibility of hotel owners is to embrace the effects of technology on the industry.
Ideally, a great way to understand hospitality technology applications is by hiring a professional hotel technology provider to handle the task. These professional technology & cybersecurity companies are specialists who have ready insights, vendor contacts, hotel technology solutions, and recommendations to actively prepare hotel infrastructures for security integrations.
Data privacy and cybersecurity remain a popular discussion in the world of hospitality. The 2019 HITEC conference was also dominated by some brilliant debates on the state & innovation of hotel technology security.
In the absence of a standard cybersecurity and data privacy framework, hotels have to take assistance from the next best source. The PCI rules and the CIS 20 are two of the most notable sets of guidelines from which hospitality businesses can take advice.