Can customer service and security co-exist?

Gary Glover, Director of Security Assessments
By: Gary Glover
This article was also featured in Hospitality Upgrade Tech Talk.
At virtually every hotel security audit I’ve ever conducted, and at every hotel I’ve ever stayed at, front desk computers are used to both browse the Internet and accept credit card transactions. That is a serious violation of security protocol.
It doesn’t matter if a desk clerk is helping a customer print off their afternoon boarding pass, or check their personal email. Internet browsing on point-of-sale (POS) or property management machines that have the capability to take credit cards is a one-way ticket to data compromise.


Hackers are lurking

What happens if the innocent employee, with no formal security training, accidentally clicks on a malicious link while browsing the Internet? That malicious link could secretly download malware or install a virus onto the machine. Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.

The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, so cybercriminals can reproduce cards or sell the stolen data on the black market.

SEE ALSO: Auditing Archives: The Case of the Overly Helpful Front Desk Clerk

Common types of malware that may infect your front desk computers include:
  • Keylogger: malware that secretly records every keystroke a user makes on a computer or mobile device. In such a way, malware authors can easily harvest typed information like passwords or credit cards.
  • Memory Scraper: designed to capture, or ‘scrape’ sensitive information from system memory (RAM) and return it back to the attacker. Some can morph into newer versions to avoid detection, or automatically reinstall in different locations if deleted.
  • Rootkit: type of malicious software activated each time a system boots up. They are difficult to detect because they reside at the system’s kernel level, and are activated before a system's operating system has completely booted up.
  • Packet Sniffer: malicious software that can intercept incoming and outgoing network traffic. Most sniffers are able to decode and analyze the data found, reporting it back to the owner.


Can customer service and security coexist?

The solution to hotel front desk dilemma is simple. Segment.

Most hoteliers don’t segment the POS and property management systems from other systems with access to the Internet. Segmentation is the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don’t. Segmentation is a very secure practice because, if set up correctly, it is nearly impossible for sensitive data to leak outside of its allotted area.

It may sound complicated, but it’s not. All you need to do is dedicate one machine to taking credit cards, and dedicate any others for customer service use.
Machines used to take credit cards should have no access to the public Internet (browsing, etc.), and machines that have access to the Internet should not have access to the point of sale system.
That way, even if employees aren’t properly trained, it’ll be extremely difficult to mess up.

For example, if a customer pays with a credit card on the dedicated machine while checking in, then asks about restaurants in the area, the front desk clerk would physically need to move to the other computer placed on a separate network segment at the front desk used for Internet browsing. Remote desktop connections to a dedicated ‘browsing’ computer on another network segment could also be used.

Please note that the computers used to browse the Internet are just as vulnerable as before, but if infected, do not have access to credit card data on the more secure network segment. Also, don’t forget the concierge desk…they often have similar access to front desk computers.

I’m convinced that if this simple practice were put into place at hotels around the world, the risk of compromise in the hospitality industry would significantly decline. Not to say this is the only way hospitality industry systems are being compromised. Best practice is always to implement all controls contained in the PCI Data Security Standard.

Was this post informative? If so, please share!


Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.