I tell people all the time that it is insane to continue to hand credit cards (inherently sensitive information) over to merchants and then to expect the handling of those credit card numbers to be secure. Don’t get me wrong, handing a static card number over to a merchant is not insane because merchants don’t want their systems to be secure, or because they haven’t complied with the latest PCI mandates. Rather, it is insane because it is very difficult, if not impossible, to eliminate every threat vector for credit card data theft.
Case in point – A couple of weeks ago, a news article broke regarding a new Remote Access Trojan (RAT) apparently targeted towards the hotel industry. A variety of methods, including social engineering (can PCI solve this problem?), can be used to introduce the virus into a system and then the virus acquires credit card numbers, expiration dates and other customer information. Apparently in this particular case, the virus works by capturing screen shots rather than trolling through databases or capturing streaming data. If the virus is indeed stealing data via screen shots, then this same security threat could be facilitated with a wireless web cam behind the operator transmitting data to a rogue computer.
So how does a merchant solve this problem? Point of entry encryption. By encrypting the card number in a Tamper Resistant Security Module (TRSM) before it is ever presented to a networked machine with a user interface, a merchant significantly reduces the exposure of non-encrypted cards. In this case, an encrypting reader could be used to handle swiped (mag-stripe), tapped (NFC), inserted (EMV) or manually entered (bad mag-stripe or phone-based reservations) card numbers. Further, through the use of Format Preserving Encryption (FPE), the card numbers could still be displayed in the current system and within the current fields without exposure to the screen shot or web cam attacks described above. FPE would also allow the customer service agent to validate the last four digits of the card number.
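To make the FPE idea concrete, here is an added Python example (not code from the original post or from any vendor it mentions). It encrypts all but the last four digits of a PAN into another string of decimal digits of the same length, so the result fits the existing card-number field and the agent can still read the last four digits, while a screen shot only captures the encrypted form. The construction is a simplified Feistel network over decimal strings in the spirit of NIST FF1, with HMAC-SHA256 as the round function; it is a demonstration of the format-preserving property, not the FF1 algorithm itself, and the key, the test PANs and the function names (`protect_pan`, `recover_pan`, `screen_view`) are assumptions made for the example. In a real deployment the key lives only inside the TRSM and a validated FPE mode is used.

```python
import hashlib
import hmac

# Added demonstration of format-preserving encryption (FPE) for a PAN.
# Simplified Feistel construction over decimal strings in the spirit of
# NIST FF1; NOT the FF1 algorithm and not for production use.

RADIX = 10


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed pseudorandom function for one Feistel round (HMAC-SHA256)."""
    msg = tweak + bytes([round_no]) + half.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def fpe_digits(key: bytes, digits: str, tweak: bytes = b"",
               rounds: int = 10, decrypt: bool = False) -> str:
    """Map a decimal string to a decimal string of the same length.

    Even `rounds` keeps the two (possibly unequal) halves at their
    original sizes, so the output is always len(digits) digits.
    """
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    if rounds % 2:
        raise ValueError("rounds must be even")
    n = len(digits)
    u, v = n // 2, n - n // 2            # unbalanced halves for odd n
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for i in range(rounds):
            m = u if i % 2 == 0 else v   # width of the half rewritten this round
            c = (int(a) + _round_function(key, tweak, i, b)) % RADIX ** m
            a, b = b, str(c).zfill(m)
    else:
        for i in reversed(range(rounds)):
            m = u if i % 2 == 0 else v
            c = (int(b) - _round_function(key, tweak, i, a)) % RADIX ** m
            a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str, clear_tail: int = 4) -> str:
    """Encrypt all but the last `clear_tail` digits; the tail stays readable."""
    if not pan.isdigit() or len(pan) <= clear_tail + 1:
        raise ValueError("PAN must be numeric and longer than the clear tail")
    head, tail = pan[:-clear_tail], pan[-clear_tail:]
    # The clear tail is bound in as a tweak so that two cards with the same
    # leading digits but different tails do not share an encrypted head.
    return fpe_digits(key, head, tweak=tail.encode()) + tail


def recover_pan(key: bytes, token: str, clear_tail: int = 4) -> str:
    """Inverse of protect_pan; only the key holder (the TRSM) can do this."""
    head, tail = token[:-clear_tail], token[-clear_tail:]
    return fpe_digits(key, head, tweak=tail.encode(), decrypt=True) + tail


def screen_view(token: str) -> str:
    """What the front-desk screen, and therefore a screen shot, would show."""
    return f"Card on file: {token}  (ends in {token[-4:]})"


if __name__ == "__main__":
    KEY = b"demo-key-held-only-inside-the-TRSM"   # constructed, not a real key
    PAN = "4111111111111111"                      # well-known test number, not a live card
    token = protect_pan(KEY, PAN)
    print(screen_view(token))                     # same width as a real PAN, last four intact
    assert recover_pan(KEY, token) == PAN
```

Note that the output is numeric and the right length, but it is not guaranteed to pass a Luhn check; a legacy field that validates the check digit on display would need that validation moved to the point where the PAN is decrypted.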
To be clear, the magnitude of the insanity only increases with the complexity of the cardholder environment. It is a fact that few other industries have as many touch points and data usage scenarios as the hospitality industry. With that in mind, it isn’t surprising that the hospitality industry, and hoteliers specifically, are the target of a large number of attacks.
P.S. – EMV doesn’t solve this problem. In an EMV scenario, the static Primary Account Number (PAN) would end up being displayed in the user interface and the screen shot attack would still work.