Credit card frauds in hospitality (SlideShare deck, 25 slides)
INFORMATION SECURITY IN HOTELS
Credit Card Information
Vishal Sharma, Information Security Consultant
Tourism is one of the six key locational factors for a country's image, and it
gives an idea of a country's culture and economy. Here are some figures for
nights spent in German hotels by residents and non-residents in 2010-2011,
showing the relative expansion of tourism.
Nights spent in hotels in Germany, 2011, and change from 2010

                        total    non-residents    residents
Nights 2011 (millions)  240.8    51.3             189.5
Change from 2010        +5.4%    +6.0%            +5.3%
[Charts: nights spent in Germany by residents and non-residents; % change in overnight stays after 2010 for total, non-residents and residents (values as in the table above)]
• But as customer demand for tourism in Germany grows, the hotel's liability for
ensuring its customers' security grows with it.
Information Assets of a customer
• Personal information (identity, nationality, date of birth, etc.)
• Payment
• Purpose of visit
• Duration of stay
• Facilities/services availed by customer
Modes of Payment:
• Cash
• Credit/Debit Cards
• Travellers’ Cheques
• Vouchers
• Company Account
• Money transfer to the desired account
Ways of booking a room in a hotel:
• Via mail
• Via hotel’s website
• At arrival
• Via Phone
• Travel agency
• Via company
Check-in procedure: [figure not reproduced in the text]
NOTE: According to the Verizon Data Breach Investigations Report (DBIR) for
2010, the hospitality industry was the sector most often targeted by attackers,
followed by financial services and retail. The most important fact is that 98%
of the data targeted was payment card information. (The DBIR counts the cases
investigated by Verizon and its partner agencies, so the shares reflect that
caseload rather than the whole industry.)
Hotels hacked the most (figure shown on the slide; the values sum to 100, so read them as % of breaches)

Hospitality          38
Financial Services   19
Retail               14.2
Food and beverage    13
Business Services     5
Education             1.4
Technology            4
Manufacturing         1.4
Others                4
Types of credit card fraud (shown as images in the deck): identity theft; malware. Source: thehackernews.com
Other means of credit card information breach
• Dummy Wi-Fi / hotspot: wireless internet is one of the most basic services
offered by many hotels. You may think you are connecting to the hotel's actual
network when in fact you have simply clicked on a dummy Wi-Fi network named,
say, "ABC-Free-Wi-Fi"; everything you send over it, including card details
typed into a booking form, then passes through the attacker's access point
unless the site itself protects the connection with TLS.
• Phishing by phone: since the arrival of IP telephony the risk of telephone
phishing (vishing) has been higher, because caller ID can be spoofed cheaply,
so a call "from the front desk" asking a guest to re-confirm card details
cannot be trusted on its caller ID alone.
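The dummy-hotspot case above is easy to spot if the hotel's IT team keeps a list of its own access points and compares it with what a scan shows. The script below is an added example, not code from the deck: the hotel name, SSIDs, BSSIDs and the scan records are constructed (the record fields mirror what `airodump-ng` or `iwlist scan` report), and it flags three patterns: an unknown radio advertising a hotel SSID, an open copy of an SSID that is otherwise encrypted, and a lookalike SSID that carries the hotel name but is not operated by the hotel.

```python
"""Flag candidate evil-twin and lookalike hotspots in a Wi-Fi scan.

Added example, not code from the original deck. The hotel name, SSIDs, BSSIDs
and the scan records below are constructed; the record fields mirror what
`airodump-ng` or `iwlist scan` report (SSID, BSSID, security, channel, dBm).
"""
import re
from collections import defaultdict

# Constructed: the access points the hotel's IT team actually operates.
HOTEL_NAME = "ABC"
KNOWN_APS = {
    "ABC-Guest": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"},
    "ABC-Staff": {"aa:bb:cc:00:02:10"},
}

# Constructed scan as seen from a guest room.
SCAN = [
    {"ssid": "ABC-Guest", "bssid": "AA:BB:CC:00:01:10", "security": "WPA2", "channel": 6, "signal": -48},
    {"ssid": "ABC-Guest", "bssid": "AA:BB:CC:00:01:11", "security": "WPA2", "channel": 11, "signal": -60},
    # Evil twin: hotel SSID, unknown radio, no encryption, strongest signal in the room.
    {"ssid": "ABC-Guest", "bssid": "02:11:22:33:44:55", "security": "OPEN", "channel": 6, "signal": -35},
    # Lookalike: hotel name plus "Free-Wi-Fi"; nobody at the hotel set this up.
    {"ssid": "ABC-Free-Wi-Fi", "bssid": "02:66:77:88:99:AA", "security": "OPEN", "channel": 1, "signal": -40},
    {"ssid": "ABC-Staff", "bssid": "AA:BB:CC:00:02:10", "security": "WPA2", "channel": 36, "signal": -70},
    {"ssid": "Cafe-Nextdoor", "bssid": "DD:EE:FF:00:00:01", "security": "WPA2", "channel": 1, "signal": -75},
]


def _norm(s):
    """Lower-case and strip punctuation so 'ABC Free WiFi' and 'abc-free-wi-fi' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify_scan(scan, known_aps, hotel_name):
    """Return {(ssid, bssid): [reasons]} for every access point worth questioning."""
    known = {ssid: {b.lower() for b in bssids} for ssid, bssids in known_aps.items()}
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        mixed_security = len({ap["security"] for ap in aps}) > 1
        for ap in aps:
            key = (ssid, ap["bssid"])
            if ssid in known and ap["bssid"].lower() not in known[ssid]:
                findings[key].append("unknown BSSID advertising a hotel SSID")
            if mixed_security and ap["security"] == "OPEN":
                findings[key].append("SSID is also seen encrypted; this open copy is the odd one out")
            if ssid not in known and _norm(hotel_name) in _norm(ssid):
                findings[key].append("lookalike SSID carrying the hotel name but not operated by the hotel")
    return dict(findings)


if __name__ == "__main__":
    for (ssid, bssid), reasons in classify_scan(SCAN, KNOWN_APS, HOTEL_NAME).items():
        print(f"{ssid:16} {bssid}  " + "; ".join(reasons))
```

Run from a laptop in the lobby, this finds the two rogue radios and leaves the hotel's own APs and the café next door alone. The BSSID whitelist is the part that matters: an attacker can copy the SSID and the security type, but not the MAC addresses the hotel's controller reports for its own radios.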
• Since people in the hospitality industry are rarely aware of information
security norms, compliance or governance, I would like to shed a little light
on the PCI DSS requirements (wording as in PCI DSS v2.0, the version current
when this deck was written; later versions rephrase several of them but keep
the same twelve):
• PCI DSS requirements:
• Requirement 1: Install and maintain a firewall configuration to
protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for
system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data
across open, public networks
• Requirement 5: Use and regularly update anti-virus software
or programs
• Requirement 6: Develop and maintain secure systems and
applications
• Requirement 7: Restrict access to cardholder data by
business need to know
• Requirement 8: Assign a unique ID to each person with
computer access
• Requirement 9: Restrict physical access to cardholder
data
• Requirement 10: Track and monitor all access to network
resources and cardholder data
• Requirement 11: Regularly test security systems and
processes.
• Requirement 12: Maintain a policy that addresses
information security for all personnel.
• Network separation: isolating networks is not itself a PCI DSS requirement,
but it is the standard way to shrink the cardholder data environment (CDE), so
it should be clearly defined which channel is used for each operation in the
hotel (guest Wi-Fi, front-desk PMS, POS terminals, back office). Segmentation
can be done at the physical or logical level with:
• Configured internal network firewalls
• Routers with strong access control lists
• IAM (identity and access management) or other technologies that restrict
access to a particular segment of the network.
• If segmentation is what keeps systems out of scope, expect to prove that it
works: later PCI DSS versions require penetration tests that verify the
segmentation controls.
• PCI DSS requires that the business needs, policies and processes for storing
individuals' information be defined clearly. Store only the minimum data that
is legitimately required, enforce the retention policy strictly, and never
store sensitive authentication data (full track data, CVV2/CVC2, PIN) after
authorisation, even in encrypted form.
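Requirement 3 and the retention point above both start with the same question: where is card data actually sitting? In hotels the usual answer is "in places nobody meant", such as PMS debug logs, web-server access logs and folio exports. The script below is an added example, not code from the deck: it finds Luhn-valid primary account numbers in text, masks them to the first six and last four digits that Requirement 3.3 allows to be displayed, and reports which log lines leak. The log lines are constructed, and the card numbers in them are the standard test PANs that pass the Luhn check but belong to no cardholder.

```python
"""Find and mask primary account numbers (PANs) in text such as PMS or web-server logs.

Added example, not code from the deck. The log lines are constructed; the card
numbers in them are well-known test numbers that pass the Luhn check but belong
to no cardholder.
"""
import re

# 13-19 digits, optionally separated into groups by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(s):
    return re.sub(r"\D", "", s)


def find_pans(text):
    """Return the Luhn-valid candidate PANs in text, separators removed."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Keep at most the first six and last four digits (PCI DSS Req 3.3); star the rest."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Replace every Luhn-valid PAN in text with its masked form; leave other numbers alone."""
    def repl(m):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return _PAN_RE.sub(repl, text)


def audit_log(lines):
    """Return [(line_number, [pans])] for every line that leaks a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits.append((n, pans))
    return hits


# Constructed log lines. 4111111111111111 and 5555555555554444 are standard test PANs;
# the 16-digit transaction id on line 3 is not Luhn-valid and must not be flagged.
SAMPLE_LOG = [
    "2011-06-12 14:02:11 pms front-desk checkin guest=Smith room=412 card=4111111111111111 exp=0913",
    "2011-06-12 14:02:12 web POST /book card=5555 5555 5555 4444 cvv=123",
    "2011-06-12 14:03:40 pms folio room=412 amount=189.50 txn=7788990011223344",
    "2011-06-12 14:05:02 phone ext=2041 duration=00:03:12",
]

if __name__ == "__main__":
    for n, pans in audit_log(SAMPLE_LOG):
        print(f"line {n}: {len(pans)} PAN(s) -> {scrub(SAMPLE_LOG[n - 1])}")
```

Masking the log afterwards is damage control; the finding to act on is that the PMS and the booking form log card data at all (line 2 even logs the CVV, which may never be stored). Fix the logging, then purge the old files under the retention policy, and keep running the scan so the leak does not come back with the next software update.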
• Wireless: when wireless technology is used to store, process or transmit
cardholder data, consider the following in order to secure transmission over
the channel:
• Install perimeter firewalls between any wireless networks and
the cardholder data environment, and configure these firewalls
to deny or control (if such traffic is necessary for business
purposes) any traffic from the wireless environment into the
cardholder data environment.
• For wireless environments connected to the cardholder data
environment or transmitting cardholder data, change wireless
vendor defaults, including but not limited to default wireless
encryption keys, passwords, and SNMP community strings.
• Ensure wireless networks transmitting cardholder data or connected to the
cardholder data environment use industry best practices (for example, IEEE
802.11i, i.e. WPA2) to implement strong encryption for authentication and
transmission; WEP does not meet this requirement.
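The segmentation bullets and the first wireless bullet above come down to one rule: nothing on a wireless network reaches the cardholder data environment unless a specific business need is written down as a specific permit. Whether the firewall actually enforces that is something you can test before the assessor does. The script below is an added example, not code from the deck: it models a first-match ACL with an implicit deny, shows a weak rule set beside a hardened one for the same business needs, and probes every CDE host on a handful of ports from each wireless network the way a segmentation test would. The address plan, both rule sets and the probe ports are constructed, and the rule syntax (action, protocol, source, destination, destination port) is a simplified vendor-neutral form, not any real router's grammar.

```python
"""Evaluate and audit a segmentation ACL between hotel Wi-Fi and the cardholder data environment.

Added example, not code from the deck. The address plan, both rule sets and the
probe flows are constructed, and the rule syntax (action proto src dst dport,
first match wins, implicit deny) is a simplified vendor-neutral form, not any
real router's ACL grammar.
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed address plan.
GUEST_WIFI = ipaddress.ip_network("192.168.100.0/22")  # guest hotspot, untrusted
STAFF_WIFI = ipaddress.ip_network("192.168.104.0/24")  # staff tablets
CDE = ipaddress.ip_network("10.30.0.0/24")             # POS and payment application servers

# "Guests need internet" and "staff need the POS" done the lazy way.
WEAK_ACL = """
permit any 192.168.100.0/22 any           any   # guest wifi to anywhere, the CDE included
permit tcp 10.10.0.0/24     10.30.0.10/32 443   # front-desk PMS to payment gateway proxy
permit any 192.168.104.0/24 10.30.0.0/24  any   # staff wifi straight into the CDE
deny   any any              any           any
"""

# Same business needs with wireless kept out of the CDE (PCI DSS Requirement 1.2.3).
HARDENED_ACL = """
deny   any 192.168.100.0/22 10.30.0.0/24  any   # guest wifi never reaches the CDE
deny   any 192.168.104.0/24 10.30.0.0/24  any   # nor does staff wifi; the POS is wired
permit any 192.168.100.0/22 any           any   # guests get internet after that
permit tcp 10.10.0.0/24     10.30.0.10/32 443   # PMS to the payment gateway proxy only
permit tcp 10.20.0.5/32     10.30.0.0/24  22    # admin only via the jump host
deny   any any              any           any
"""


def parse_acl(text):
    """Parse rule lines into dicts; '#' starts a comment and 'any' is a wildcard."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, dport = line.split()
        rules.append({
            "action": action,
            "proto": proto,
            "src": ANY_NET if src == "any" else ipaddress.ip_network(src),
            "dst": ANY_NET if dst == "any" else ipaddress.ip_network(dst),
            "dport": None if dport == "any" else int(dport),
        })
    return rules


def evaluate(rules, proto, src, dst, dport):
    """First matching rule decides; no match means deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("any", proto) and src in r["src"] and dst in r["dst"]
                and r["dport"] in (None, dport)):
            return r["action"]
    return "deny"


PROBE_PORTS = (22, 80, 443, 445, 3389)


def probe_wireless_to_cde(rules, wireless_nets, cde, ports=PROBE_PORTS):
    """Simulate a segmentation test: from one host on each wireless network, try every
    CDE host on each probe port over tcp and udp. Returns {wireless_net: [permitted flows]}."""
    permitted = {}
    for wnet in wireless_nets:
        src = str(next(wnet.hosts()))
        hits = []
        for host in cde.hosts():
            for proto in ("tcp", "udp"):
                for port in ports:
                    if evaluate(rules, proto, src, str(host), port) == "permit":
                        hits.append((str(host), proto, port))
        permitted[str(wnet)] = hits
    return permitted


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        result = probe_wireless_to_cde(parse_acl(text), [GUEST_WIFI, STAFF_WIFI], CDE)
        for net, hits in result.items():
            print(f"{name:9} {net:18} {len(hits):5} wireless->CDE flows permitted")
```

The weak set passes the "guests can get online" test and fails the one that matters: every CDE host is reachable on every probed port from both wireless networks, because the broad permits sit before the deny. The hardened set puts the wireless-to-CDE denies first and then permits only what a named system needs (the PMS to one gateway address on 443, the jump host on 22). Against a real firewall the same probe is done with a laptop on the guest VLAN and a port scanner, which is exactly the segmentation test later PCI DSS versions ask for.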
• Third-party outsourcing: according to the business processes defined, each
involved party (booking agency, payment processor, PMS vendor, hosting
provider) needs to meet certain measures:
• They can undergo a PCI DSS assessment on their own and provide evidence
(their Attestation of Compliance) to their customers to demonstrate their
compliance; or, if they do not undergo their own PCI DSS assessment, they will
need to have their services reviewed during the course of each of their
customers' PCI DSS assessments.
THANKS
Information security is an ongoing process.
