By: Markus Witcomb
The hospitality industry is a notoriously easy target for cyber criminals and attackers, who are lured by the lucrative rewards offered by taking advantage of point-of-sale (POS) systems, the high volume of transactions, hotel loyalty programmes and booking databases.
Point-of-sale devices are a common target for cyber criminals. According to the Report, 38% of POS hacking attacks involved stolen credentials, and 31% of confirmed data breaches over the last three years involved POS intrusion.
The attack pattern on POS devices can be described simplistically as follows: compromise the POS device, install malware that collects magnetic stripe data while it is being processed, retrieve the collected data, and cash in.
There is ample room for an attack in a hotel via its hospitality management system (HMS), POS devices, Wi-Fi network, hotel network infrastructure or online booking system, but the same equally applies to any hospitality business.
Hoteliers must be able to demonstrate PCI compliance across all IT systems that store, transmit or process credit card data. This generally includes POS and back-office systems. Failure to comply with PCI requirements can result in penalties or sanctions from members of the payment card industry.
Many businesses believe that they are compliant just because they purchased a POS system (hardware & software) from a company that specialises in the provision of these devices.
What they fail to realise is that the data they transmit over their own network (wired or wireless) also needs to comply with the rules set out in Requirements 1 (‘Install and maintain a firewall configuration to protect cardholder data’) and 4 (‘Encrypt transmission of cardholder data across open, public networks’) of PCI DSS V3.1.
Whilst network segmentation, that is, isolating the cardholder data environment from the remainder of an entity’s network, is not a PCI DSS requirement, it is strongly recommended as a method that may reduce:
Without adequate network segmentation (a so-called “flat network”), the entire network is in scope of the PCI DSS assessment.
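To make the scoping point concrete, the script below is an added example written for this article (it is not part of the original post and not QAIST’s or DaisySentry’s software). It models network segments as nodes and permitted firewall connections as edges, then works out which segments fall into PCI DSS assessment scope by tracing every segment that is connected to the cardholder data environment (CDE). All segment names and firewall rules are constructed for illustration; the same routine shows how a single permissive rule can pull an otherwise isolated segment back into scope.

```python
"""
Added example, not from the original post or from QAIST/DaisySentry:
a small PCI DSS scoping helper showing why a flat network puts the whole
network in scope and a segmented one does not.

Model: each network segment is a node; a firewall/ACL rule is a pair
(src, dst) meaning "src may initiate connections to dst". A segment is
"connected to" the CDE if any chain of permitted connections links it to
a CDE segment, so it is in scope for assessment.
"""
from collections import deque


def in_scope_segments(segments, allow_rules, cde):
    """Return the set of segment names in PCI DSS assessment scope.

    segments    : iterable of segment names
    allow_rules : iterable of (src, dst) pairs the firewall permits
    cde         : set of segments that store, process or transmit CHD
    """
    # Connectivity is treated as undirected for scoping purposes: a host
    # that can reach the CDE, or that the CDE can reach, is a pivot point
    # either way, so both directions count as "connected to".
    neighbours = {s: set() for s in segments}
    for src, dst in allow_rules:
        neighbours.setdefault(src, set()).add(dst)
        neighbours.setdefault(dst, set()).add(src)

    # Breadth-first search outward from the CDE over permitted links.
    scope = set(cde)
    queue = deque(cde)
    while queue:
        seg = queue.popleft()
        for nxt in neighbours[seg]:
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope


# Constructed hotel network segments (illustrative names only).
SEGMENTS = ["pos", "back_office", "guest_wifi",
            "staff_wifi", "booking_web", "corporate_lan"]
# Constructed CDE: the POS VLAN and the back-office system that settles it.
CDE = {"pos", "back_office"}

# Constructed "flat network": every segment may talk to every other one.
FLAT_RULES = [(a, b) for a in SEGMENTS for b in SEGMENTS if a != b]

# Constructed segmented design: only the back office may reach the POS
# VLAN; guest Wi-Fi, staff Wi-Fi and the corporate LAN never touch the CDE.
SEGMENTED_RULES = [
    ("back_office", "pos"),
    ("staff_wifi", "corporate_lan"),
    ("guest_wifi", "booking_web"),
    ("corporate_lan", "booking_web"),
]


def flat_scope():
    """Scope of the flat network: expected to be every segment."""
    return in_scope_segments(SEGMENTS, FLAT_RULES, CDE)


def segmented_scope():
    """Scope of the segmented network: expected to be just the CDE."""
    return in_scope_segments(SEGMENTS, SEGMENTED_RULES, CDE)


def scope_with_extra_rule(src, dst):
    """Scope after one additional permitted connection is added to the
    segmented design, e.g. a convenience rule someone opened for support."""
    return in_scope_segments(SEGMENTS, SEGMENTED_RULES + [(src, dst)], CDE)


if __name__ == "__main__":
    print("flat network in scope:      ", sorted(flat_scope()))
    print("segmented network in scope: ", sorted(segmented_scope()))
    print("after guest_wifi -> back_office rule:",
          sorted(scope_with_extra_rule("guest_wifi", "back_office")))
```

The useful lesson is in the third call: adding one rule from the guest Wi-Fi into the back office does not just put guest Wi-Fi in scope, it drags in everything guest Wi-Fi is already allowed to reach. Reviewing firewall rule sets with this kind of reachability check is a cheap way to confirm that a claimed segmentation boundary actually holds before an assessor does it for you.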
Whilst there are requirements within the standard that no IT provider can fulfil on your behalf, a properly configured, managed and secure network is one that can be provided.
DaisySentry from QAIST provides a comprehensive and cost-effective way of providing:
For your business, network security is not only the sensible action to take, but also what is required by UK data protection legislation and the Payment Card Industry Data Security Standard (PCI DSS).
Our service is Level 1 compliant, which means it not only addresses a large part of the user’s PCI requirements, but also helps to protect against breach fines, something non-certified solutions cannot do.
Our solution is delivered as a fully managed, subscription-based service, so there is no need for you to invest in software, hardware or additional personnel. The system will watch over your business day and night, monitoring all network activity and acting proactively to block threats.