Protecting Cardholder Data for Hospitality Businesses Accepting

Document Sample
Protecting Cardholder Data for Hospitality Businesses Accepting Powered By Docstoc
					      Protecting Cardholder Data for
     
    Hospitality Businesses Accepting
    Payment Cards Through Multiple
Channels: Hotels, Motels and Lodging




 70 W. Madison Street, Suite 1050 Chicago, IL 60602   www.trustwave.com   1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                      2
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging



  Introduction
  The scenarios vary:

            — An executive assistant secures a room for a vice president over the phone
            — A newlywed couple makes reservations online for their honeymoon suite
            — A grandmother purchases a T-shirt for her grandson at the casino gift shop
            — A bellboy on break orders a sandwich at the bar
            — A man buys his father a beer from the drink cart during a round on the links
            — Girlfriends treat themselves to facials and manicures at the spa during a long weekend


  However, they occur simultaneously; and in each the consumer pays with a payment card for products or
  services provided under the roof of one facility.

  At one time, consumers expected little more from a hotel than shelter, a bed and a TV. Today’s consumer
  demands more. To differentiate themselves, businesses—especially those in the hospitality industry—
  continue to expand their offerings, and each offering adds another payment card acceptance channel to
  that merchant’s network environment. Many times these additional offerings also bring a third party into
  a merchant’s facility to provide a service. For guests’ convenience, that third party will need network
  access to process payment cards, further complicating the network architecture and the technical controls
  required to protect it.

  In addition, many merchants in the hospitality industry operate multiple properties. Insecure network
  connections between these properties in conjunction with poor security controls, can allow a single-site
  compromise to easily spread to additional properties.

  The goal of this paper is two-fold: to address recent threats to the hotel industry observed by Trustwave
  over the past six months, and lay out actionable steps for businesses that accept payment cards through
  multiple channels to begin working toward compliance with the Payment Card Industry Data Security
  Standard (PCI DSS).

  In this paper, channels are defined as methods by which a merchant accepts payment cards. These
  include:

       • MOTO transactions
              o Mail order or telephone orders
       • Card‐present transactions
              o Such as those processed through a payment application or Point-of-Sale system (POS) in a
                face‐to‐face environment such as a restaurant
       • E‐commerce transactions
              o Web‐based transactions through shopping carts or other online payment applications that allow
                   consumers to pay via credit card by entering payment card information over the Internet

  While this paper focuses on multi‐acceptance channel merchants, the information below applies to all
  merchants that accept payment card transactions because the payment card brands mandate that any
  entity that processes, stores or transmits payment card data comply with the PCI DSS.




70 W. Madison Street, Suite 1050 Chicago, IL 60602              www.trustwave.com                    1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                3
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging


  Issues Unique to Multi-Channel Merchants

  A merchant wants to keep their assets and their customers’ assets protected. A hotel without deadbolts
  on its doors elicits a definite reaction from a potential customer—they will choose another hotel.
  Consumers patronize merchants they believe are concerned about their safety and the security of their
  property. A hotel should not treat their customers’ payment card information any differently than they do
  a guest’s suitcase.

  The first concern unique to multi-channel merchants is their use of a variety of payment applications and
  acceptance methods. They may have a hotel, restaurant and golf course on the premises. Reservations
  and payments are accepted online for their hotel through an e-commerce channel. The restaurant
  accepts payment cards through a software-based payment application that includes dining management
  software and a back-of-house system. The golf course uses wireless PDAs fitted with card-swiping
  hardware to accept payment at drink carts patrolling the course. The hotel may also provide an automatic
  recurring payment system for golf memberships. Each of these acceptance methods brings with it unique
  risks and configurations.

  While these issues inject more complexity into a network, they do not preclude a merchant from
  achieving full PCI DSS compliance. The card associations do not want to inhibit a merchant’s ability to do
  business. The PCI Security Standards Council (PCI SSC), created by the card associations to manage the
  PCI DSS, states its mission as maintaining and improving the PCI DSS and reducing costs and time
  associated with its implementation.

  However, multi-acceptance channel merchants must use caution when considering the unique aspects of
  their environment. For example, with a recurring payment system, a merchant needs to store cardholder
  data for business reasons. The PCI DSS does not prohibit this, but the merchant must institute a data
  retention policy that protects that data and calls for the secure disposal of that information after a
  specified period of inactivity on the account. The same is required for wireless devices used to accept
  payment cards. After a period of inactivity, the wireless connection must disconnect and require its user
  to log-in to refresh it.

  Regarding wireless acceptance systems, because of widespread mis-configurations, the technology is
  vulnerable to “eavesdropping.” A merchant must use a Virtual Private Network (VPN) for connections
  between remote devices and the facility’s grounded network. They must also institute two-factor
  authentication to ensure that the device is authorized to access the area of the network that stores
  cardholder data. In addition, a merchant must implement appropriate barriers between this area and
  open areas of the network.

  The open areas of a network, or what should be considered “untrusted” networks extend beyond just the
  Internet. Networks that should not be trusted include site-to-site connections, wireless access points and
  areas that allow guest-access to the Internet. Segmentation allows a merchant to provide secure
  connections between sites that will not allow an attacker to leap from one site’s network to another’s.
  Proper segmentation creates open networks for guests while protecting critical assets contained within
  the same infrastructure. In addition, segmenting the network limits the areas of a merchant’s network
  that apply to the PCI DSS. This reduces a merchant’s risk because cardholder data is accounted for, and
  the processing, storage or transmission of that data is limited to one area of the network. This also
  reduces cost because security controls specific to the protection of cardholder data need only be applied
  to areas of the network where that information resides.




70 W. Madison Street, Suite 1050 Chicago, IL 60602         www.trustwave.com                   1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                    4
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging


  Merchant Levels

  A merchant’s acceptance channel(s) determines the specific actions they must take to validate their
  compliance, and the card associations determine merchant levels based on acceptance channel and
  transaction volume. Each card brand defines merchant level and validation requirements independently,
  though many acquirers defer to Visa Inc. and MasterCard Worldwide’s definitions (updated on July 18,
  2006). However, acquirers remain accountable for defining their merchants’ levels and determining
  validation actions. While the Visa and MasterCard definitions listed below can serve as a guide, merchants
  must confirm their level with their acquirer.

  Visa and MasterCard Definitions:
       • Level 1 merchants: Those merchants that process over 6 million Visa or MasterCard transactions
          per year, regardless of their acceptance channel
                o Or, any merchant that has suffered a payment card breach or hack
                o Or, any merchant they determine must meet the level one merchant validation requirements
                o Or any merchant defined by any other payment card brand as Level 1
       • Level 2 merchants: Any merchant that processes 1 million to 6 million Visa or MasterCard
          transactions per year, regardless of their acceptance channel
       • Level 3 merchants: Any merchant that processes 20,000 to 1 million Visa or MasterCard e‐
          commerce transactions per year
       • Level 4 merchants: Any merchant that processes less than 20,000 Visa or MasterCard e‐commerce
          transactions per year
                o Or any merchant that processes less than 1 million Visa or MasterCard transactions,
                  regardless of their acceptance channel
  Visa and MasterCard require that Level 1 merchants undergo an annual on-site PCI Data Security
  assessment performed by a Qualified Security Assessor (or, if the merchant opts to complete an internal
  assessment, it must be accompanied by a signed letter from an officer of the company) and quarterly
  network vulnerability scans. Level 2 and 3 merchants must complete the PCI Self-Assessment
  questionnaire each year and also undergo quarterly network vulnerability scans. Visa recommends that
  level 4 merchants also complete the PCI Self-Assessment questionnaire and undergo quarterly network
  vulnerability scans, but leaves validation requirements to each individual acquirer’s discretion.

  It is paramount that multi‐channel merchants work with their acquirers to determine their merchant level.
  With multiple points accepting payment cards within one network architecture (or multiple architectures),
  defining the levels of these multi‐channel vendors is complex. In some cases, an acquirer may have
  assigned a multi‐channel merchant multiple merchant IDs. For purposes of reporting, processing and
  billing, an acquirer assigns a merchant ID number to an entity that accepts payment cards. A merchant
  must account for all merchant IDs assigned to them by their acquirer and the transaction volume for
  each.




70 W. Madison Street, Suite 1050 Chicago, IL 60602            www.trustwave.com                    1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                   5
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging


  Today’s Critical Data Security Issues in the Hospitality Industry

  The results of Trustwave’s investigations indicate common deficiencies within the hospitality industry that
  contributed significantly to the compromise of payment card data. The combination of default/weak
  system passwords, insecure remote access applications and improper firewalling allowed attackers access
  to multiple systems within the hospitality network.

  Trustwave also found that many of the systems analyzed in these investigations stored magnetic stripe
  data due to the use of non-compliant processing systems. Many of the breaches involved the use of
  malware that allowed attackers to steal cardholder data even when that data was not written to disk (i.e.,
  stored or saved). This is concerning because it allows for the theft of cardholder data even from
  organizations that use payment applications that comply with Visa’s Payment Application Best Practices
  (PABP) or the Payment Application Data Security Standard (PA-DSS). Though in the cases seen by
  Trustwave, those PA-DSS compliant payment systems were not configured in accordance with the PCI
  DSS.

  The technique— called RAM parsing—was discovered by Trustwave in November of 2008, and involves
  an attacker accessing a computer system that hosts a payment application. The attacker then installs an
  unauthorized application (malware) onto the system. The malware collects unencrypted/plain-text track
  data via the Random Access Memory (RAM) used by the payment application to interact with the host
  computer. Again, even if the payment application used by a merchant complies with the PA-DSS and
  does not write track data to disk, an unauthorized individual can access that data by parsing it from RAM.

  However, it’s important to note that the organizations that fell victim to this technique lacked certain
  controls needed to comply with the PCI DSS. Below are eight actions that Trustwave recommends
  businesses in the hospitality industry take immediately to protect their networks from this technique.

       1. Establish a firewall configuration that properly filters ingress and egress traffic
           between the processing environment and untrusted networks: An untrusted network is
           not limited to just the Internet. As stated in the PCI DSS version 1.2, “An ‘untrusted network’ is
           any network that is external to the networks belonging to the entity under review, and/or which
           is out of the entity's ability to control or manage.”

       2. Upgrade to a PA-DSS validated payment application and ensure that it is configured in
           accordance with the PCI DSS: While a PA-DSS validated application does not ensure full PCI
           compliance, a properly configured PA-DSS approved payment application does provide the
           foundation for compliance.

       3. Periodically re-boot payment systems to clear volatile memory: Many malicious programs
           today are memory-resident (i.e., evidence of the program’s presence does not exist on disk). A
           simple reboot will potentially deactivate malicious memory-resident programs from the system.
           Also, consider implementing a secure-wiping application to routinely clear the contents of the
           page file (also referred to as the swap file).

       4. Enforce a strong username/password policy for system access: Review all processing
           systems to ensure default vendor-supplied credentials are not in use. Trustwave also
           recommends that usernames and passwords be unique to each local site to prevent the potential
           spread of a breach to multiple locations.

       5. Properly secure remote access applications: Remote access applications should be disabled
           when not in use or secured using two-factor authentication. Remote access permissions should
           only be granted to specific accounts as required.




70 W. Madison Street, Suite 1050 Chicago, IL 60602           www.trustwave.com                    1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                  6
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging



       6. Ensure system activity logs are reviewed daily: The proper review of system activity logs is
           instrumental in the detection of malicious events. Breaches often go undetected because system
           activity logs were not reviewed on a consistent basis.

       7. Disable Windows file sharing if not required. If required, grant access to shared folders
           only to specific user accounts with strong passwords: Malicious software often spreads via
           insecure system shares. The disabling of insecure system shares can help with containment.

       8. Ensure anti-virus/anti-malware software is installed and updated consistently: In order
           to properly protect the processing environment, anti-virus/anti-malware software must be
           installed and maintained on all systems within the processing environment.

  What follows is more general information about instituting a PCI DSS compliance program at a business
  within the hospitality industry. However, the seven steps outlined above should be considered high
  priority action items for these merchants and should be addressed immediately.


  Action Items: Moving Toward Compliance

  Survey
  Working with their acquirer to determine their merchant level aids a multi-channel merchant in the first
  step of a PCI DSS compliance program: assessing the location and volume of payment card transactions
  on the network. To get started, a merchant must identify all the locations on their network where
  cardholder data is processed, stored or transmitted. A complicated network often includes multiple
  payment card acceptance points. The payment applications used at each of these points may be
  configured differently. As discussed, a centralized system for payment card acceptance that streamlines
  payment system configurations can launch an organization toward compliance. If an organization does
  not know where its data is or how it enters the network, they cannot possibly protect it.

  As a part of this initial process a merchant should survey their entire organization to determine:
       • Business units accepting payment cards
       • Technology used to accept payment cards
                o Hosted order pages
                o Point‐of‐Sale (POS) systems
                o Interactive Voice Response (IVR)
                o Over the phone
                o Through postal mail
       • Whether this technology stores cardholder data and how
       • Location(s) of acceptance technology on the network
       • If applicable, units using merchant IDs
       • If applicable, outside entities (such as a spa that rents space within the establishment) connected
          to the network

  With this preliminary information, a merchant can begin to comprehend what parts of their network fall
  within the scope of the PCI DSS.




70 W. Madison Street, Suite 1050 Chicago, IL 60602          www.trustwave.com                    1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                7
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging


  Segment
  Once the merchant knows where cardholder data resides on their network, they can secure it.
  Centralizing all cardholder data into one location that is then segmented from the network at large is
  optimal, although not always possible. Segmentation eases the enforcement of various security policies,
  allows for the implementation of boundaries to protect the data and condenses the areas of your network
  that must adhere to the PCI DSS.

  The merchant should consider the following when segmenting their network:
     • Separate sensitive information from the rest of the network. Sensitive information includes:
                        Personally identifiable information
                        Customer cardholder data
                        Employee records
             o Separate sensitive information from:
                        Guest networks
                        Wireless networks
                        Access points, wireless or not, used by other businesses within a building
     • Ensure this area is not accessible from the Internet
     • Implement appropriate boundaries and sensors
             o Firewall
             o Intrusion Detection Systems or Intrusion Prevention Systems (IDSs/IPSs)
     • Wherever the data is stored (paying special attention to areas storing recurring payment
        information), ensure it is rendered unreadable
             o Hashed
             o Truncated
             o Encrypted
     • Never store full track data
     • Explore outsourcing e‐commerce payment acceptance to an outside party to limit scope
             o Hosted Order Pages, etc.

  The card brands developed the PCI DSS explicitly to protect the information located within the area of the
  network that cardholder data is processed, stored or transmitted. Many of the requirements and sub-
  requirements of the PCI DSS deal with technological controls to protect the network from outside attacks.
  However, merchants must also mitigate internal threats. One of the tenets of internal risk mitigation is
  managing which employees have access to specific assets and monitoring that access.

  Manage Access
  Just as a groundskeeper rummaging through a golf course manager’s office should raise eyebrows, so
  should a concierge copying files from a hotel server. First, the groundskeeper has no need to access the
  manager’s office, and if they are seen inside the office without the manager present, appropriate parties
  need to know. The same principle applies to network access. Three of the twelve PCI DSS requirements
  deal with restricting access to data by business need-to-know and assigning user IDs and passwords for
  the monitoring of their access. In their investigations of over 400 payment card compromises, Trustwave
  finds that more than 60 percent of compromised merchants do not comply with requirement 8 from the
  PCI DSS version 1.2, “Assign a unique ID to each person with computer access.” Without unique IDs and
  passwords for each user, an administrator cannot assign log-in credentials and permissions to properly
  limit access.




70 W. Madison Street, Suite 1050 Chicago, IL 60602         www.trustwave.com                   1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                         8
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging


  A merchant instituting an access management program should, at the least, do the following:

       • Ensure all users have unique user accounts
       • Regularly review user accounts and eliminate those no longer needed
               o Employee turnover
       • Allow access to various areas of the network based on business need to know
               o Implement technology to alert appropriate parties if a user exceeds the parameters
       • Configure systems to log events and assign them to individual users
               o Including administrators
       • Limit and monitor access to paper materials that display credit card numbers or systems that store
          or handle cardholder data
               o Require authorization for physical access
               o Monitor physical access

  Implementing an access management program can take time. However, the permissions and access
  controls inherent in such a program simplify a great amount of logging and monitoring requirements
  found throughout the PCI DSS.

  Make Third Parties Accountable
  Trustwave finds that more than half of all payment card compromises occur due to a fault in the
  technology or service provided by a third party to a merchant. Additionally, almost three out of four
  compromises also occur because of weak software-based payment applications. These statistics illustrate
  that a merchant cannot stop at protecting their own network. They must ensure that the third parties
  they contract with also operate in a PCI DSS-compliant manner. Third parties include service providers
  (providers that provide payment-related services), payment application developers, payment application
  integrators and IT firms.

  When dealing with third parties, merchants should:
       • Choose service providers from Visa Inc. or MasterCard Worldwide’s list of compliant service
         providers
              o Visa:
                     http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html
                o MasterCard:
                     http://www.mastercard.com/us/sdp/serviceproviders/compliant_serviceprovider.html
       • Ensure the payment application they use adheres to the Payment Application Data Security
         Standard (PA-DSS)
              o See: https://www.pcisecuritystandards.org/security_standards/vpa/
              o Confirm with the vendor that the application stores no more than:
                        Cardholder name
                        Expiration date
                        Primary Account Number (PAN)
                               PAN must be encrypted, hashed or truncated. Merchants cannot store the full
                               magnetic stripe data (i.e., track data), card validation codes (e.g., CVV2 code),
                               or PIN block information
       • Require PCI DSS compliance in contracts with third parties that will handle cardholder data
              o Obtain proof of the third party’s PCI DSS compliance




70 W. Madison Street, Suite 1050 Chicago, IL 60602              www.trustwave.com                       1.888.878.7817
                         Protecting Cardholder Data for Hospitality Businesses Accepting
                                                                                                                  9
                    Payment Cards Through Multiple Channels: Hotels, Motels and Lodging


              o Stipulate that the party is responsible for handling cardholder data in a PCI DSS compliant
                   manner
       • Maintain strict policies and procedures for remote access to the network
              o Only allow remote support when authenticated

  In today’s Internet-connected world, working with third parties becomes necessary. However, a merchant
  allowing these third parties access to their facilities and network opens their assets to risk. Through
  strong contracts, the business community can hold its members accountable and show its concern for
  consumers’ safety and security.

  Conclusion

  This paper does not provide merchants an exhaustive PCI DSS compliance program. Its
  recommendations to survey, segment, manage access and make third parties accountable are general
  introductory steps toward PCI DSS compliance. For merchants that accept payment cards through
  multiple, distributed channels, these are only the first steps. A merchant with a complex network needs
  experienced, detailed, informed guidance to ensure that their network is protected.

  Additionally, a merchant must not consider PCI DSS compliance an annual checklist. Criminals continue to
  develop new methods to exploit merchant networks and steal cardholder data. A merchant must stay
  informed of data security issues and vulnerabilities in their network. Data security and risk mitigation is a
  continual, cyclical process. One way of continually reassessing a network’s risk and staying up to date on
  its vulnerabilities is through regular vulnerability scans procured from an Approved Scanning Vendor
  (ASV). See https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm for a list of
  approved vendors.

  Trustwave is one such approved vendor. Trustwave works with thousands of merchants, from mom-and-
  pop shops to global operations, and guides them through the PCI DSS compliance process. Trustwave’s
  TrustKeeper® is an easy-to-use Web portal that helps merchants complete the PCI Self-Assessment
  Questionnaire, schedule required scans, remediate vulnerabilities, manage onsite assessments and
  answer the questions they have about their network environment and PCI DSS compliance. Please visit
  http://trustkeeper.net.




  About Trustwave
  Trustwave is the leading provider of on-demand and subscription-based information security and
  payment card industry compliance management solutions to businesses and government entities
  throughout the world. For organizations faced with today's challenging data security and compliance
  environment, Trustwave provides a unique approach with comprehensive solutions that include its
  flagship TrustKeeper® compliance management software and other proprietary security solutions.
  Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large
  financial institutions to small and medium-sized retailers—manage compliance and secure their network
  infrastructure, data communications and critical information assets. Trustwave is headquartered in
  Chicago with offices throughout North America, South America, Europe, Africa, China and Australia.




70 W. Madison Street, Suite 1050 Chicago, IL 60602           www.trustwave.com                   1.888.878.7817

				
DOCUMENT INFO