2012 Hospitality Industry Security Trends

May 30, 2012

Wireless Handheld Devices

Due to tightening requirements from the PCI Security Standards Council, FishNet Security has seen a significant increase in the number of Hospitality clients seeking guidance for securing legacy wireless handheld devices. The biggest question we have received is, “Should we replace this technology? Or, how do we segment our environment to reduce the risk of these types of devices?” Moreover, most organizations seem resistant to the idea of replacing these devices considering the initial investment, and they are more likely to implement compensating controls in order to comply with the PCI Data Security Standard. It has been FishNet Security’s recommendation to reference the PCI DSS Wireless SIG for guidance surrounding securing wireless handheld devices. If this document is not sufficient, then FishNet Security has also offered to engage the PCI Council, as well as Acquirers and Processors, with our clients to assist in identifying a solution.

Patch Management

Patch management is a very challenging task for any organization. If you throw in blackout windows during the holiday season, patching becomes even more challenging in the face of PCI. A vast majority of our Hospitality clients have blackout windows between November and the end of January. Considering the PCI requirement for applying critical patches within 30 days of their release, rolling out patches seems impossible during the blackout window, and that can put a company at risk and out of compliance very quickly.

According to FishNet Security's Jeff Foresman, previously a trainer with the PCI SSC, the best way to address patching during holiday blackout periods, to reduce risk and maintain compliance, is to implement a patch classification program that addresses how patches are implemented in an environment according to their criticality. For instance, categorizing assets by Server, Workstation, then Laptop, and then patching these systems according to a very regimented patch process will meet the intent of the PCI Requirements.

Of course, with this strategy employed, all patches released during the holiday blackout window must be implemented as soon as possible in order to reduce risk and maintain compliance.


On a high note, we are seeing an uptick in hospitality organizations' adoption and implementation of tokenization in their environments. In hopes of reducing the impact of PCI, these organizations have begun rolling out various tokenization technologies that not only shrink the scope of their PCI environment, but also reduce risk by removing credit card data from the environment.

It is important to recognize the misconception that tokenization actually removes all credit card data from an environment. While it is possible to remove all credit card data in some very basic environments, removing all credit card data in transit and being processed is a challenge faced in more complex environments. Nonetheless, tokenization is a technology that is gaining considerable ground, and we expect to see organizations using this technology as it matures.

By: 6Labs Experts
