2012 Hospitality Industry Security Trends
Wireless Handheld Devices
Due to tightening requirements from the PCI Security Standards Council, FishNet Security has seen a significant increase in the number of hospitality clients seeking guidance on securing legacy wireless handheld devices. The most common question we receive is, “Should we replace this technology? Or, how do we segment our environment to reduce the risk of these types of devices?” Most organizations are resistant to replacing the devices given the initial investment, and are more likely to implement compensating controls in order to comply with the PCI Data Security Standard. FishNet Security’s recommendation has been to consult the PCI DSS Wireless SIG guidance on securing wireless handheld devices. Where that document is not sufficient, FishNet Security has also offered to engage the PCI Council, as well as acquirers and processors, alongside our clients to identify a solution.
Patch Management
Patch management is a challenging task for any organization, and holiday-season blackout windows make it harder still under PCI. The vast majority of our hospitality clients have blackout windows running from November through the end of January. Given the PCI requirement to apply critical security patches within 30 days of release, rolling out patches during a blackout window can seem impossible, which quickly puts a company at risk and out of compliance.
Jeff Foresman of FishNet Security, previously a trainer with the PCI SSC, states that the best way to address patching during holiday blackout periods, reducing risk while maintaining compliance, is to implement a patch classification program that addresses how patches are implemented in an environment according to their criticality. For instance, categorizing assets as server, workstation, then laptop, and patching these systems according to a very regimented patch process, will meet the intent of the PCI requirements.
With this strategy in place, of course, all patches released during the holiday blackout window must still be implemented as soon as possible in order to reduce risk and maintain compliance.
Tokenization
On a brighter note, we are seeing an uptick in the adoption of tokenization across hospitality environments. Hoping to reduce the impact of PCI, hospitality organizations have begun rolling out tokenization technologies that not only shrink the scope of their PCI environment but also reduce risk by removing credit card data from it.
It is important to address the misconception that tokenization removes all credit card data from an environment. While that is achievable in some very basic environments, in more complex ones card data still exists in transit and while it is being processed, and removing it entirely is a challenge. Nonetheless, tokenization is gaining considerable ground, and we expect more organizations to use it as the technology matures.
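The following is an added illustration of the point above, not code from FishNet Security or from any tokenization product. It sketches a minimal token vault (an in-memory dictionary standing in for a real vault that would encrypt the PAN at rest), a Luhn-checked PAN scanner of the kind used to find residual card data, and three constructed log lines tracing one payment from the point-of-sale capture, through the tokenization service, to the property management system. The service names, role names, and log lines are all assumptions made up for the example; the card number is the standard 4111 1111 1111 1111 test PAN. Running the scanner over the lines shows what the paragraph describes: once the token is issued the downstream systems hold no card data, but the capture point, where the PAN is in transit and being processed, still does.

```python
import re
import secrets

# Standard Visa test PAN, used here as constructed sample input only.
TEST_PAN = "4111111111111111"

# 13-19 contiguous digits not adjacent to other digits: the usual first-pass PAN pattern.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate PANs in text: right length, all digits, and Luhn-valid."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_ok(m.group())]


class TokenVault:
    """Minimal token vault. Assumption: an in-memory stand-in for a real vault
    that would keep the PAN encrypted and segmented from the rest of the estate."""

    # Hypothetical roles that may swap a token back for the PAN; everyone else is refused.
    DETOKENIZE_ROLES = {"settlement", "chargeback"}

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:          # same card -> same token, so folios can be matched
            return self._by_pan[pan]
        # Random token. The hex is split into groups of 4, so no digit run can reach
        # PAN length and the scanner below can never mistake a token for card data.
        rand = secrets.token_hex(8)
        token = "tok_%s_%s" % (pan[-4:], "-".join(rand[i:i + 4] for i in range(0, 16, 4)))
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token, role):
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError("role %r may not detokenize" % role)
        return self._by_token[token]


def build_sample_log(vault):
    """Constructed log lines from the three points one payment passes through."""
    token = vault.tokenize(TEST_PAN)
    return [
        # 1. Capture point: the raw card is still in the request (and in this log line).
        "2012-12-24T18:02:11 pos-terminal-07 capture card=%s exp=12/14 amount=184.20" % TEST_PAN,
        # 2. Tokenization service replies with the token (the confirmation number is
        #    13 digits but fails Luhn, so the scanner correctly ignores it).
        "2012-12-24T18:02:12 token-svc issued %s for confirmation=1234567890123" % token,
        # 3. Property management system stores only the token on the folio.
        "2012-12-24T18:02:13 pms-folio room=412 payment=%s" % token,
    ]


def scan_for_pans(lines):
    """Map each log line that still carries card data to the PANs found in it."""
    return {line: find_pans(line) for line in lines if find_pans(line)}


if __name__ == "__main__":
    hits = scan_for_pans(build_sample_log(TokenVault()))
    for line, pans in hits.items():
        print("PAN still present:", pans, "in:", line)
```

Only the capture line is flagged. That is the practical lesson for scoping: the systems that consume the token (here the folio system) can drop out of scope, but the capture path and the tokenization service itself stay in scope and must keep their logging, transport, and access controls to PCI standard. The Luhn filter matters in a real scan because reservation and confirmation numbers of PAN length are common in hospitality logs and would otherwise flood the results.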