
Hyatt credit card breach affected 250 hotels worldwide - expert comment

January 2016 by Mark Bower, global director, product management at HPE

If you stayed at a Hyatt hotel between August 13 and December 8, 2015, there’s a possibility that your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

Commenting on this, Mark Bower, global director, product management at HPE Security said: “Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.

According to the latest information, it appears a good portion of breached data came from the restaurant side of the hotel chain’s facilities. These are often integrated POS environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself.

Such POS systems are thus a target for payment-specific malware. Many quick service and restaurant organisations have implemented newer data-centric security in these platforms by the addition of new card reading systems which encrypt the data before it arrives into the POS itself. Given the need to update the POS to handle EMV chip cards, the addition of encryption to protect the sensitive data from all forms of payment card is a no-brainer. If the POS is compromised with this approach, the attackers get nothing. This data-centric approach is realistically the only way to avoid POS malware impact. Traditional approaches of monitoring and anti-virus will only be effective until the next undetectable malware arrives.”

