Luxury hotel chain owned by Donald Trump has been fined $50,000 for negligent cybersecurity practices after two separate attacks on its payment processing systems exposed more than 70,000 customer credit card numbers.
In light of this news, Jose Diaz believes that, as the hospitality industry becomes more of a target for POS-based malware, more has to be done to protect customers’ payment information. Jose Diaz, director of payment strategy at Thales e-Security commented below.
Jose Diaz, Director of Payment Strategy at Thales e-Security:
“The accommodation industry has been particularly vulnerable to POS-based malwares, with reports citing it as the sector with the highest number of POS breaches. And Donald Trump’s luxury hotel chain was no exception after two separate attacks on its payment processing systems exposing more than 70,000 customer credit cards. This can be largely attributed to the fact that most locations swipe your payment card on a simple mag-stripe reader attached to the POS system itself, and encrypt the data using software within the POS system, rather than on a payment terminal.
Here is the crucial difference – payment terminals are certified under PCI, and can encrypt the data ‘at point of capture’ – the very first opportunity you have to protect it – rendering it unreadable as it flows through the merchant’s POS and IT systems to the payment processor. Without this protection ‘from swipe to acquirer’, cleartext payment data is left vulnerable and open to attack. The migration to EMV is certainly helping update payment acceptance systems with certified terminals that support the use of PCI P2PE for protection of sensitive data. This, combined with the use of tokenization for payment data that merchants may need for their operation, will help address the ongoing major breaches we continue seeing at a variety of merchants.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.