Image via Shutterstock
Hotels face “extraordinary challenges” with customer data security at point of sale, an expert has claimed after Hilton Worldwide revealed it had been hit by unauthorised malware that targeted payment card information.
Hilton immediately started an investigation and further strengthened its systems.
“Hilton Worldwide worked closely with third-party forensics experts, law enforcement and payment card companies on this investigation, and determined that specific payment card information was targeted by this malware,” the hotel giant confirmed.
“This information includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).
“As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a 17-week period, from November 18 to December 5, 2014 or April 21 to July 27, 2015.”
Mark Bower, global director of product management, enterprise data security for HPE Security, said: “Once again with last night’s news of a payment card data breach at Hilton Hotels, we see that hospitality service providers face extraordinary challenges with customer data security at point of sale.”
He added: “Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in.
“Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise.
“Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.
“However it’s important to note, especially going into the busy holiday season, that hospitality organisations, as well as retailers and any businesses using POS systems, can avoid the impact of these types of advanced attacks.
“Proven methods are available to neutralise this data from breaches either at the card reader, at the POS, in person, or via web booking platforms.”
According to Bower, leading travel organisations, airlines and travel booking aggregators have adopted datacentric security techniques with “huge” positive benefits.
But Bower warned: “Point of sale systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware.
“They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
“Risks of theft from point of sale malware is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit.”