Merchants using hospitality point-of-sale systems face a relentless onslaught by wannabe hackers coveting their payment data. What can put an end to it?
Hospitality merchants, such as restaurants, bars, and entertainment venues, know that an effective point-of-sale system can help them operate their businesses better. They can glean valuable information from their transactions about which products are selling best, the average ticket value, and other data.
The bad thing, however, is that criminals know this. They have only one mission: Steal the payment data and anything else that might help them plunder merchants and consumers.
Indeed, the point of sale is the number-one avenue hackers use to get to payment data among hospitality merchants. Point-of-sale intrusions represent 96% of all data breaches in the accommodation and food-services segment, according to Verizon Communications Inc.’s latest breach study.
Data like this is not unique to a single breach investigator. Trustwave Holdings Inc. said 11.9% of the breaches it investigated in 2017 were in the hospitality segment. Among the breaches in the hospitality segment, 78% sought card track data, the highest percentage among nine segments included in the 2018 Trustwave Global Security Report.
Few envision a quick abatement of the onslaught. “The hospitality market is a big focus area for the cybercriminals, especially from the data we’re seeing,” says Michael Aminzade, vice president of the global compliance and risk service at Chicago-based Trustwave. “Criminals deem the hospitality vertical a weak area from the mature cybersecurity space.”
Criminals see hospitality POS systems as easier targets than some other sectors because there often is a lack of investment in upgrading systems. Legacy operating systems continue to be used, and many merchants extend the upgrade cycle as long as possible, Aminzade says.
Part of the reason for the delayed action or inattention by merchants is that they often are more focused on upgrading their POS systems to improve the customer experience, he says. The costs of upgrading, and of adding such measures as integrated EMV acceptance, increase the complexity for merchants, Aminzade says.
Overall, security is not top-of-mind. Says Erick Kobres, chief technology officer at Revel Systems Inc., a San Francisco-based tablet POS system provider: “Until you get to the enterprise customers, frankly, [merchant awareness] is pretty poor. Merchants are focused on running their businesses. Security is highly technical, not very exciting, and tends to [rank] low on priority lists until they’ve been breached.”
Like many POS system providers, Revel Systems provides education to merchants. It tries to hammer on the importance of security, Kobres says, but sometimes the message doesn’t come through as hoped.
The lack of security best practices among hospitality merchants exists “across the board,” says Marc Punzirudu, director of security consulting services at ControlScan Inc., an Alpharetta, Ga.-based data-security provider. “There are some organizations over the last couple of years that have broken the mold, but generally speaking, it’s still not where it should be,” he says.
In Punzirudu’s estimation, one key best practice is to avoid ranking the information technology director below the chief financial officer. Following that practice “really shows the executives’ prioritization of security in the [profit and loss] statement,” he says.
Merchants continue to have antiquated remote-access protocols, fail to patch software, and run multiple functions from the point-of-sale server. “One email is all it takes to put malware on a POS server, which most likely has clear-text payment card data in memory—or at least has access to a POS terminal.”
Criminals favor hospitality POS systems for another reason besides the appeal of the payment and customer data: the ease of getting the data out of the systems. “Exfiltration of the data is easy for a criminal, as typically the firewall rules are not specifically preventing communications to sources which are not required for operations,” Punzirudu says.
Locking down what goes in and comes out of a device handling payments is one reason why Revel Systems uses Apple Inc. iPads for its POS service. “Our products are turnkey,” Kobres says. “We take a number of measures to protect ourselves and our cloud infrastructure.” Among them, of course, are PCI compliance and EMV acceptance, to help with fraud mitigation, and point-to-point encryption.
“Hospitality is such a big target because historically it’s been a lucrative environment, especially for organized crime, to target,” Kobres says. “Not that many years ago, it wasn’t uncommon for criminals to break in and get access to a PC at a manager’s workstation and have access to tens of thousands of card numbers.”
The advent of the PCI Security Standards Council’s data-security standard helped reduce the amount of clear-text payment data stored in POS systems, but that takes time. “Breaking and entering to steal a PC wasn’t uncommon five to six years ago,” Kobres says. It often involved low risk with a high rate of payback, he says. “That’s the story that hacker folklore is made of.”
So what can be done? EMV and the advent of point-to-point encryption have had a major impact. “Getting that deployed has probably been the best thing to happen from a card-fraud perspective,” Kobres says.
Another tactic, which many have advocated and practiced for years, is educating merchants about the perils of poor security practices. But with scores of other business needs demanding attention, merchants, especially smaller ones, lack the time and financial or staffing resources to properly manage POS-system security.
But for those who take the time, there are some elements to look for when evaluating POS system vendors. “Protect the data that is important to you,” says ControlScan’s Punzirudu. “Payment card data is almost always a concern, so encrypt it using a [point-to-point encrypted] validated card-acceptance method where possible.”
Use tokenization services, which mask the actual card number with a string of unrelated digits. This is especially important when card data needs to be stored, which Punzirudu recommends not doing unless it’s necessary, such as for adding a gratuity or other batch-processing actions.
“Your POS server is only your POS and payment-application server,” he says. “It is not there for managers and others to check email, read Word or Excel documents, and other administrative tasks.”
The rationale for that is simple. “Being that almost every security-research firm and individual will agree that malware is an issue, why would you permit two of the most likely candidates (email and untrusted files) to be opened on those systems in the first place?” Punzirudu asks.
Kobres urges merchants to use a Wi-Fi network solely for their POS systems. “You never want to have the POS terminal on the same network as the customer Wi-Fi,” he says. “That’s an easy one for smaller merchants to overlook.”
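As an added example (not from the article or from any vendor quoted in it), the advice above can be checked against firewall flow records: Punzirudu's point about egress rules and a single-purpose POS server, and Kobres's about keeping the POS off the customer Wi-Fi. The subnets, allowlisted addresses, and log format are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed layout (hypothetical values, not from the article).
POS_NET = ipaddress.ip_network("10.10.20.0/24")    # POS terminals and server
GUEST_NET = ipaddress.ip_network("10.10.30.0/24")  # customer Wi-Fi
# Only destinations the POS needs for operations (placeholder gateway, vendor cloud).
ALLOWED_EGRESS = {("203.0.113.10", 443), ("203.0.113.20", 443)}
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
LINE_RE = re.compile(r"^\S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample of firewall flow records.
SAMPLE_LOG = """\
2018-06-01T12:00:01 ALLOW src=10.10.20.11 dst=203.0.113.10 dport=443
2018-06-01T12:03:17 ALLOW src=10.10.20.5 dst=198.51.100.25 dport=587
2018-06-01T12:04:40 ALLOW src=10.10.30.77 dst=10.10.20.5 dport=445
2018-06-01T12:05:02 ALLOW src=10.10.20.5 dst=198.51.100.99 dport=8080
2018-06-01T12:06:30 DENY src=10.10.20.12 dst=198.51.100.99 dport=8080
not a flow record
"""

def audit(log_text):
    """Return (line_no, reason) for each permitted flow that breaks policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append((n, "unparsed"))  # never skip a record silently
            continue
        if m["action"] != "ALLOW":
            continue                          # the firewall already blocked it
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            findings.append((n, "unparsed"))
            continue
        port = int(m["dport"])
        if (src in GUEST_NET and dst in POS_NET) or (src in POS_NET and dst in GUEST_NET):
            findings.append((n, "guest-pos-crossing"))
        elif src in POS_NET and dst not in POS_NET:
            if port in MAIL_PORTS:            # email client running on a POS host
                findings.append((n, "mail-from-pos"))
            elif (str(dst), port) not in ALLOWED_EGRESS:
                findings.append((n, "egress-not-allowlisted"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Every finding on an `ALLOW` record marks a rule the firewall should be denying by default for the POS segment.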
Security comes down to using multiple layers to protect the data. It’s important to make sure computer ports are not open for surreptitious services to exploit. “By default, an iOS device has no services running on it, unlike Windows or a Linux workstation,” says Kobres. A lot of software that operates on Windows, the popular computer operating system from Microsoft Corp., relies on services to function, he says.
Protecting hospitality POS systems also depends on staffing, says Trustwave’s Aminzade. Not having a trained person in charge of safeguarding the integrity of the system or failing to use a trusted vendor does the merchant no favors.
Getting past that might require a change in mindset, Aminzade says. “It’s just that they need to adjust their attitude and embrace some of the concepts like security by design, privacy by design, and investment strategies that support these over the next three to five years,” he says. “They’re very quick to support digital innovation, like Wi-Fi in hotel rooms, but they need to put cybersecurity on an equal priority.”
All of these best practices will only grow in importance as criminals seek out ways to validate the scads of stolen personally identifiable information and payment data.
Ransomware is especially malicious because, when activated, it places the infected devices in lockdown until a fee is paid. Many times, the ransomware is part of an email or file an employee unknowingly opens.
In 2017, according to Trustwave, two high-profile ransomware worms were WannaCry, which exploited unpatched computers and those using older Windows operating systems, and NotPetya, which spread across a network using shared folders and legitimate Windows components and tools.
“I still see a general lack of best practices in hospitality across the board,” says Punzirudu. “Adoption of general data-security best practices is still miles off within many restaurants and restaurant chains. There has been a steady increase in [point-to-point encryption] and [end-to-end encryption], which is great for protecting payment card data, but there is still a mountain to climb.”
Payments providers and security vendors not only continue to get more secure POS systems deployed; like merchants, they also have to contend with the relentless and evolving criminal attacks.
“I don’t know if we’ll see a drop-off in attacks,” says Kobres. “The attacks have gotten easier to launch and criminals have better access to hacking tools. The good news is that information is not there to be disclosed. If someone breached our system, there’s no card data there.”