面向未来的商户投资安全选项:酒店业升级.pdf
面向未来的商户投资安全选项:酒店业升级.pdf
Payment Security By Tia D. Ilori SECURITY OPTIONS To Future-proof Merchant Investments nline reservations made though hotel websites and Point-to-point Encryption online travel agencies represent the largest and Point-to-point encryption, also called end-to-end encrypfastest-growing channel for hotel bookings according tion, protects card information from the initial card holder to TravelClick. The trend is extending beyond the desktop to swipe until it reaches the acquiring bank or credit card mobile. According to market research firm IDC, by 2015 more processor. It applies both to transactions initiated over the users will access the Internet through their mobile devices than Internet and with the card physically present. One of the attracany other device. tions to hotel operators is that there is no need for the hotel The growing sophistication of Web solutions and proliferato process or transmit payment card data in the “clear.” The tion of mobile technologies is opening up new frontiers in the fact that it eliminates any clear text data either in storage or in hospitality industry. Enterprising hotels are using the Internet flight means that it would render payment card data useless not only to facilitate guest booking, but also to better engage to criminals in the event they successfully penetrated a hotel’s customers in loyalty programs and guest services during their payment system. stays. With all the promise that lies ahead, hotels need to In an effort to enhance overall data security in the ensure that they are taking steps to properly secure these new payment industry and to further the development of pointpayment channels. to-point encryption, Visa developed best practices to assist Some hotels are evaluating forward-looking investments merchants in evaluating encryption solutions emerging in the in encryption and tokenization as measures to protect and marketplace. Point-to-point encryption, where implemented even eliminate sensitive payment card data. The two security in accordance with these best practices, may help simplify technologies can work together harmoniously or even indepen- PCI DSS compliance. Merchants should work with their qualidently. Although they should not be regarded as a substitute for fied security assessor to determine the impact of a point-tothe Payment Card Industry Data Security Standards (PCI DSS), point encryption solution. encryption and tokenization are complementary solutions Several companies offer encryption services, and Visa is that provide an additional layer of security. Beyond the added planning to launch its own point-to-point encryption service security benefits, they may also help reduce a company’s PCI later this year. DSS compliance scope, by reducing or eliminating the sensitive payment card data present in its environment. Tokenization While hotel booking trends underscore the need to secure Another security solution hotels should consider is tokenionline channels, it is important not to forget point-of-sale zation. Tokenization is the process through which a payment transactions. A third security technology for hotels to consider card’s 16-digit primary account number (PAN) is replaced by is EMV chip technology. The trifecta of encryption, tokenizasurrogate values. Hotel operators using tokens in accordance tion and chip can work together in conjunction with one another to form a strong Tokenization is the process through which a payment defense to protect payment card data in the card’s 16-digit primary account number (PAN) is replaced online and point-of-sale channels. O by surrogate values. In an effort to enhance overall data security in the payment industry and to further the development of point-to-point encryption, Visa developed best practices to assist merchants in evaluating encryption solutions emerging in the marketplace. http://corporate.visa.com/_media/best-practices.pdf Visa plans the launch of its own point-to-point encryption service. http://pressreleases.visa.com/phoenix.zhtml?c=215693&p=irol-newsarticlePR&ID=1727178&highlight= encryption Tokenization best practices to avoid common implementation pitfalls http://usa.visa.com/download/merchants/tokenization_best_practices.pdf 114 Hospitality Upgrade | Spring 2013 www.hospitalityupgrade.com Payment Security with best practices will limit PAN storage, significantly decreasing the risk that sensitive payment card data may be stolen by data thieves. Tokenization may also simplify compliance with the PCI DSS requirements. It’s a versatile security technology in that it can be implemented by itself or as a complement to point-topoint encryption. Encryption protects data in flight from the swipe to the acquirer processor and tokenization protects data stored in the merchant’s environment. Tokenization is an effective anti-fraud technology when implemented correctly. To help merchants, Visa has released tokenization best practices to avoid common implementation pitfalls. Chip-enabled, Dualinterface Terminals dual-interface chip chip terminal terminal (shown) (shown) can can accept accept AA dual-interface contactless contactlesscard cardand andNFC NFCpayments. payments.They Theyalso alsoinclude includea a slot slotwhere wherethe thechip chipcard cardcan canbebeinserted. inserted. In the course of the regular replacement cycle, savvy hospitality industry operators should deploy dual-interface terminals (which support both contact and contactless chip acceptance) in order to accept EMV chip-enabled cards, contactless payments (including mobile) and other emerging payment technologies. While bookings through online channels are growing, it is important to remember the importance of securing the point of sale. The human touch is an important part of the hospitality experience and hotels are likely to move away from in-person check-ins and payment. An important advancement coming to the United States is the migration to EMV chip technology. EMV adds an extra layer of security to point-of-sale payments by introducing dynamic authentication values that change with each transaction. This means even if payment card data is compromised, a counterfeit card would be unusable at the checkout counter because the authentication data stolen will no longer be applicable. In the course of the regular replacement cycle, PC savvy hospitality industry operators should deploy duI-D SS al-interface terminals (which support both contact and Fa ct contactless chip acceptance) in order to accept EMV chip-enabled cards, contactless payments (including mobile) and other emerging payment technologies. Merchants with at least 75 percent of their Visa transactions originating from dual terminals that support both contact and contactless chip acceptance will no longer be required to undergo annual revalidation of their PCI DSS compliance as part of Visa’s Technology Percentage of Data Breaches Occurring in Innovation Program (TIP). Additionally, using these Accommodation and Food Service Organizations terminals provides protection under the counterfeit fraud liability shift, which will become effective in the United States in October 2015. Emerging technology is providing a new wave of opportunities for the hospitality industry. Point-to-point encryption, tokenization and EMV chip technology are Through PEAK™, the Venza Group offers off-the-shelf courses three harmonious security solutions hotels should conon compliance and workforce effectiveness ... especially crafted sider when evaluating their payment security approach. for hoteliers. They work together to form a strong defense that builds » PCI Compliance for Hoteliers (Employees) on the foundational security layer provided by PCI DSS » PCI Compliance for Hoteliers (Managers) compliance. By making shrewd investments in these » PCI Compliance for Hoteliers (IT) security solutions, hospitality industry operators can Contact us at (770) 685-6500 or visit www.venzapeak.com to help protect their guests’ personal information across learn more. payment channels. 54 % Compliance in the Cloud ® 116 Hospitality Upgrade | Spring 2013 PEAK Tia D. Ilori is a business leader in the Americas Payment System Security for Visa Inc. ™ www.hospitalityupgrade.com