Ryan Smith – Spring 2016 Article
I think most of us would agree that last year brought many new and unforeseen complexities within our current payment architectures. Some we knew about, and others we had no idea about. After months of trying to peel back the many layers of eye-watering information being delivered from POS providers and other vendors about EMV mandates, new compliance requirements and new devices, you still had some gaping holes in your game plan to deliver more security to this part of the business. With each passing day we read about another major breach at enterprise hospitality companies such as Hilton, Marriott, Starwood, Westin, Sheraton, Mandarin Oriental, and many, many more. If enterprise companies like these are easily breached, protecting your sensitive data should be a top priority for 2016/17.
New threats to the business bring new technology to help mitigate those threats. Anyone in IT knows the heartburn associated with this ongoing challenge and how it affects the business.
I am convinced that the purchase of security products to protect your business is a bit more emotionally charged than the purchase of a printer or a networking switch. And for good reason, right? It’s hard to truly come to the realization that no matter how much hardware, software, policy and procedure your business puts into place, it can never stop a breach from happening. This is largely due to one statistic: more than 70% of all breaches come from an internal resource of the business. With foreign countries investing millions of dollars to launch cyber attacks, if someone wants access to data within your business, there is often little that can be done to protect it.
If you believe that to be true then you have likely not allocated your entire 2016 IT budget to Security. Maybe just 90%. I look at a breach a bit like riding a motorcycle. Some riders will tell you, it’s not if you’re going to be in an accident, it’s when you’re going to be in an accident. Even so, many will obviously never experience a crash but the ones that do can substantially reduce the damage and injuries they face based on their preparation for that very moment. We could go into the analogies of helmets, leather jackets, riding experience, etc., but I think you get the picture. Unfortunately our reality today is this: Many of you reading this very article are working for a business that is breached right now.
Mitigating the impact and staying power of a breach on your organization is how many CXOs are approaching security within their business. Not if it’s going to happen, but when it does happen. It’s now known as the assumed-breach mindset. How fast can the business address the breach? What data was compromised? And what short-term and long-term impact will it have on your business, your brand and your customers?
- The Cyber Threat Defense Report showed that more than 70% of companies reported having been compromised by a successful cyber-attack in the past 12 months.
- 72% of security incidents at financial services organizations involved a current or former employee. (The Global State of Information Security Survey 2015)
- By 2020, enterprises and governments will fail to protect 75% of sensitive data, and will declassify and grant broad/public access to it. Near-term flag: by 2015, at least one more Snowden or WikiLeaks moment will occur, indicating an upward trend in corporations’ and governments’ acceptance that they cannot protect all sensitive information. (2014 Gartner Top Predictions for IT Organizations and Users, Gartner, October 2013)
- Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. The cost to respond to and remediate a data breach now averages $3.8 million globally. (Ponemon Institute – Cost of Data Breach Study: Global Analysis)
With sensitive data existing almost everywhere within an organization, I am going to focus on the data making all of the headlines: Payment Processing Data.
When considering the industry averages rather than the exception to the rule, most hospitality environments reflect a large majority of fixed transactions and a small amount of Card-Not-Present transactions. Some may argue that 16% is still very high within the Enterprise space, given online transactions are often used to hold a reservation and the true transaction happens at the time of check-in/check-out to validate ID and cardholder.
To explore the next generation payment architecture we should consider a few things that we know will impact this environment:
- The adoption of EMV in the US now requires the merchant to have an EMV-compliant device that is capable of accepting a smart chip card. This transaction should be initiated and completed by the customer while the card is present at all times.
- Mobile EMV-certified devices will be required for any environment where smart chip card is currently taken from the customer today to initiate a transaction. Mainly any Food & Beverage environment. Restaurants, Cafes and Bars to name a few.
- Fixed EMV devices will be required at locations like the hotel front desk, retail, and buffet environments to authorize and complete transactions without the card leaving the customer’s hand. Much like what you see at Target and Walmart today.
Hospitality and Mobility continue to evolve to meet the demands of the mobile customer. The Pew Research Center reports that nearly two-thirds of Americans now own a smartphone, which they use to “navigate the world around them”— including following breaking news, staying in touch with friends and family, finding directions, and of course, travel. The trend and data is clear: Mobile users expect hotels to accommodate the many ways they use mobile devices throughout their stay, including payments.
The following graph represents the shift in payment transactions with the adoption of EMV and the growth in mobility and e-commerce. For hospitality companies with many types of venues within a property, such as restaurants, cafes, lounges, and bars, the shift to Card-Present Mobile transactions now becomes the dominant method of payment, just as it is within Europe and Canada today. With US mobile payments growing to more than $215B in 2015 from $162B the previous year, it could be said that fixed Card-Present transactions will quickly become the least preferred method of payment. How does this impact security within your business? With the right solutions in place this can and should be a stronger security posture for any business.
Card-Present Transactions: The adoption of certified EMV-compliant devices to accept the new smart chip card technology will provide full encryption at the device level along with a point-to-point encrypted gateway to ensure your customer’s sensitive data is never vulnerable in flight and never stored in your environment. Unfortunately, many of the mainstream POS companies in the hospitality vertical have been slow to adopt the integration and compatibility with gateway companies that have these EMV-compliant devices. All of these different components are what create a full EMV-compliant architecture for the fixed locations I mentioned above. Traditional check-in/check-out requirements can create more complexities around storing customer data to charge for services. Solutions to this complexity are available today.
Card-Present-Mobile Transactions: There is not a plethora of EMV-compliant mobile devices on the market today, although many are on the roadmap for 2016. If you have seen some already you might agree that many are less than appealing for quality tableside customer service. A few device manufacturers have done a good job combining functionality with aesthetics, such as the Clover Mobile by First Data. A hardened device with an 8-inch tablet-based display, Android OS, EMV dip, traditional swipe and NFC for Google Wallet or Apple Pay; it has all of the things you should be looking for in a compatible and compliant mobile device. We specifically like this device due to the built-in redundancy of Wi-Fi and mobile 3G. This works well for indoor and outdoor areas where wireless infrastructure is not available, something to consider within hospitality. Other devices from Verifone and Ingenico offer more basic mobile features and are a bit less appealing for tableside service.
Many early adopters have seen an increase in table turns by 5-8 minutes and increased tips by 3%. Mobile payment platforms also allow you to elicit dinner feedback to increase your current customer satisfaction ratings and continue to build on creating better customer profiles. Many restaurants are also turning their point-of-payment device into a point of engagement by integrating it with their own loyalty programs.
There is one major drawback with a new mobile payment architecture: most hospitality environments already have an existing enterprise POS system. This is often deeply integrated into the business and not something the business has the budget to replace, nor does it want to replace it. You are now introducing an EMV pay-at-the-table device to properly close a transaction. How do I get the order I entered into my existing POS system to match up with the transaction I just closed on my mobile device? You don’t. You essentially have two separate transactions and two separate architectures that will need to be reconciled.
Our team took a proactive approach to partner with industry experts like First Data, MiCamp Solutions and eTouch Menu to help bridge this gap with full integrations between these two architectures, by developing our own middleware that fully integrates with enterprise POS systems like Micros, Agilysys, POSitouch, NCR and many more. The goal is to create a solution that allows enterprise companies to operate as usual with one fully EMV-compliant architecture.
Card-Not-Present Transactions: CNP transactions come to the hospitality industry in many different forms and will likely evolve into many more: call-center over-the-phone transactions, online web bookings, business-to-business faxing/emailing, business-to-customer reservations, mobile payments, etc. CNP also carries the most security risk for any hospitality business. Sensitive customer data can reside in software systems used for manual entry, credit card paper forms, email messages, text messages and any other method of communication.
Unfortunately, many businesses are engaged in some form of the CNP transactions listed above. This not only poses serious security risks, but it also poses serious PCI violations, which often result in fines.
The adverse effect of the US’s adoption of EMV for in-person transactions is that it will more than double the amount of online fraud within the US over the next few years. Securely eliminating as much of this sensitive data from your environment as possible is paramount in mitigating your risk and exposure to a breach and fines. Industry products like paymentLOCK provide a secure way to collect customer-encrypted data for authorization and charging of services without exposing your business to cyber threats.
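Before you can eliminate cardholder data from call-center logs, faxed forms and reservation notes, you have to find where it is hiding. The script below is an added example written for this article, not code from the author, LCG or paymentLOCK. It runs a simple cardholder-data discovery pass over a few constructed sample records: a digit-run pattern picks out candidate numbers, the Luhn check (the checksum every major card brand uses) filters out confirmation numbers and phone numbers that merely look like card numbers, and any confirmed PAN is reported masked to first six and last four, the portion PCI DSS permits to be displayed. The record names and contents are invented for the demonstration; the tokenized POS record shows what a compliant record looks like once the PAN has been replaced by a gateway token.

```python
"""Cardholder-data discovery over constructed sample records.

Added example, not from the article: locate PAN-like numbers in free text
(emails, logs, notes) so they can be removed or tokenized, and report them
masked so the scan itself does not create another copy of the card number.
"""
import re
from typing import Dict, List

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (avoids slicing longer numbers).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (PCI DSS display rule); star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return unmasked PANs found in text, in order of first appearance."""
    found: List[str] = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def scan_records(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each record name to the masked PANs it contains (only hits)."""
    report: Dict[str, List[str]] = {}
    for name, body in records.items():
        hits = [mask_pan(p) for p in find_pans(body)]
        if hits:
            report[name] = hits
    return report


# Constructed sample data. The two card numbers are well-known test PANs,
# not real accounts; the confirmation and phone numbers are made up.
SAMPLE_RECORDS = {
    "reservation_note.txt": "Guest asked to hold room on card 4111 1111 1111 1111 exp 12/19",
    "callcenter.log": "2016-03-02 10:14 agent=7 conf=1234567890123 phone=15551234567",
    "fax_inbox.eml": "Please charge 5555-5555-5555-4444 for the banquet deposit",
    "pos_tokenized.db": "token=tok_8f1c2d last4=1111 auth=approved",
}

if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(hits)}")
```

The 13-digit confirmation number and the 11-digit phone number in the call-center log are never reported: the first fails the Luhn check and the second is too short to be a PAN. The tokenized POS record produces no hit at all, which is exactly the state you want every system outside the payment gateway to be in.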
Conclusion: Every business in the US will be responsible for adopting new technology to provide greater protection to the customers it does business with today. Breaking down your current payment architecture to understand where your business takes on the most risk is a good first step in this process. It is then key to understand how you can eliminate the majority of this sensitive data from your corporate environment for fixed, mobile and CNP transactions. It will always be a challenge to eliminate all sensitive cardholder data from your environment, but remember what our goal was at the beginning of this article: how do you mitigate the impact a breach can have on your business? It’s extremely hard to steal sensitive data that isn’t there. Showing willful compliance with the adoption of EMV, and having tools in place to remove and encrypt sensitive data, will substantially reduce your current PCI scope and greatly reduce any fines associated with any potential data theft.
Ryan Smith has spent most of his IT career supporting the Gaming & Hospitality market, first as an integrator for Cisco Systems, EMC and VMware and then as a Global Enterprise Account leader for Hewlett Packard. Ryan has helped build enterprise architectures to support the world’s largest Gaming & Hospitality companies in more than a dozen countries. Ryan is the Founder and CEO of LCG, Inc., an IT security company with a core focus on helping companies address how new security standards and new payment architectures will impact their business. The team at LCG is focused on addressing the latest in breach and threat mitigation with IT security solutions and software that remove liability from the customer.