Just when it seemed that the fear of fraud with online card transactions was unfounded, we once again find ourselves faced with the need to check our security protocols when it comes to payments, even when it comes to something as routine as hotel bookings.
Hosteltur, Spanish leading magazine in Tourism, reported last week, that in the last few months, various cyber attacks have been carried out against large hotel chains. The last known case affected the Hyatt chain, which sent out an alert relating to their payment systems: they had detected malware in the servers that process their client payment data that affected over 300 hotels.
But the Hyatt case is not an isolated incident, other large chains such as the Hilton, have also recognised a breach in security that led to the theft of client credit card data. Other renowned hotel chains such as the Mandarin Oriental, Starwood and Trump Collection suffered almost identical faults relating to client payment information during 2015.
Because of the amount and constant feed of data into the database of this type of establishment, reservation websites are a continual source of new, attractive data for cyber thieves.
In today’s world, information is power and when it comes to bank data, cyber pirates are even more interested, but, even though hackers’ techniques have become more sophisticated over the years, protection systems have progressed too. Today there are international safety standards that regulate the transfer of information, such as ISO 27001 that guarantees the safety of such information, as well as Data Protection legislations, such as the LOPD in Spain, that establish security measures for files containing personal data.
Transaction safety has become a highly valued asset, so to guarantee a website’s safety a series of protocols must be met that will guarantee the security of the stored data.
One of the protocols that guarantees this safety is the PCI-DSS (Payment Card Industry–Data Security Standard) International Standard that certifies that a company deals with account payment data efficiently.
What is PCI DSS?
Since 2006 the aim of the PCI Security Standards Council has been to protect account payment data more efficiently by promoting training and awareness of the PCI (payment card industry) safety regulations. This organization was founded by American Express, Discover Financial Services, JCB International, MasterCard and Visa, Inc.
The great advantage of applying PCI regulations is that they have reached a unified criterion when it comes to protecting card data, based on 12 essential requirements:
1) Install and maintain a secure firewall configuration
2) Avoid using default parameters
3) Guarantee the safety of stored data
4) Encrypt card data through public, open networks
5) Constantly update antiviruses
6) Develop and maintain applications and secure systems
7) Restrict client access to certain data
8) Assign each client a unique ID
9) Limit physical access to the data
10) Trace and monitor all data
11) Constantly evaluate the security systems
12) Opt for a solid safety policy; including employee’s data as well as that of the clients.
Additionally, to obtain the PCI-DSS certification, various vulnerability scans must be carried out by authorised security experts (ASV).
– Vulnerability scans and possible corrections at a medium-high level.
– Technical evidence that we meet the 12 requirements regarding answer protocols that the company has in place in case of an incident, as well as the possible solutions.
Ernesto Jaunico, Chief of Security of System Information Management at Idiso, highlights how passing the PCI audit is an expensive process: “keeping the PCI DSS certification takes a lot of work. It is a constant process. Every year we learn from the year before, and this year there have been some changes due to a new version of the regulation” he explains.
Our expert additionally points out that this certificate is not a passing trend, it has become well established. “Large companies such as Microsoft or Amazon and Banks such as BBVA, Santander or La Caixa, all meet these regulations in their TPV payment services”, he concludes: “safety is never a whim, it is a need, as proved by many cases”.
Some of the main benefits that Idiso offers its clients by holding this certificate are:
1) Protection of client card data for the hotels they offer services to.
2) Fostering consumer trust through a higher level of data protection.
3) Providing a stand out factor, always an advantage in this competitive market.
4) Protection of a brand’s reputation.
5) Decrease in possible financial loss and loss of image due to security risks
Idiso’s Chief of Information Systems, Aurelio Palmer, explains the vital importance of possessing this standard for a technological company within the tourist sector. He claims that “For yet another year, this is the fifth, Idiso has passed the yearly audit to obtain the PCI DSS certificate. With the help and collaboration of all the departments. All these essential, specific tests serve no purpose if the staff who handle the card data are not careful and do not fully comply with the regulations. We are all involved in security. Therefore, we need to unite all the teams involved (Call Centre, Back Office, technical teams, etc.…) so that their day to day work and commitment become proof of excellence.”
At Idiso we feel safety to be a must and therefore commit to maintain the PCI DSS certificate year after year.