Hotels may deter breaches by finding accommodations in the cloud

All business categories are vulnerable to breaches, but hotels seem to attract the most attention.

The problem stems from long-held practices of asking for customers to provide credit card information but not having modern systems in place to protect that data. And fraudsters have definitely taken notice.

"Hotels are late to the game in terms of complying with PCI standards, and many of the chains are coming around to how extensive the risk is," said Jason Harper, founder and CEO of CeloPay, a payments technology company that serves hospitality, health care and other industries. "Just the simple process of getting a card number from a fax machine needs to be addressed."

CeloPay sells a web-based, SaaS delivered product that's designed to replace faxes and emails as a way to submit, store and process payment information. For consumer payments much of this information has already been removed or automated, but it still lingers in some business sectors including hospitality, according to Harper.

"With many hotels, it's tough to get them to fund new technology, particularly in security," Harper said. "There are intangible things that are very expensive to update, so it's hard to get them to make an investment."

CeloPay recently entered a collaboration with AlienVault, which combines threat detection, incident response and compliance for cloud, hybrid cloud and on-premise businesses. AlienVault will help CeloPay handle payment data and aid in CeloPay's accelerated release schedule. CeloPay publishes a new web-based app every 60 days, then destroys the production servers in an effort to save IT resources.

But CeloPay still needs to access historical information beyond that 60-day window, which is where AlienVault comes in, enabling the company to remove manual work for reviewing and logging data through a lower-cost cloud delivery model.

"There's a lot of care that goes into that, a lot of time," said Ryan Leatherbury, a product manager for AlienVault.

The companies hope the recent spat of hotel breaches, plus lingering concerns consumers have over using mobile payments technology at the point of sale, will push hotel chains off of the fence to adopt a cloud-based, centralized security system.

A centralized approach makes sense to the extent that sensitive data is stored in the cloud environment, encrypted en route and — ideally — tokenized as well, said Julie Conroy, a research director for Aite Group.

"The challenge lies in making sure the environment is holistic," Conroy said. "All too often merchants, particularly those that are omnichannel, have a piecemeal approach to security, and while they have one aspect locked down, there are many separate endpoints where sensitive data is handled that are still exposed."

Tales of hotel security troubles abound, particularly given the ability of malware to spread throughout a hotel chain after it attaches to a hotel's point of sale system. Card data also resides inside a hotel's system for longer than most other retailers because travelers charge services to their hotel room during a stay.

InterContinental reported a large breach in the past year that affected more than 1,000 locations after fraudsters installed malware designed to lift card data from the point of sale. HEI Hotels reported a large breach last year, and security issues caused challenges for Marriott's acquisition of Starwood around the same time. And Donald Trump's hotel network in Chicago, New York, Hawaii, and Florida was hit by a breach about two years ago.

These breaches have led to calls for hotels to improve their security technology.

"The sector is slowly coming around, but it's taken some very high profiles breaches to get them to see the need for improvement," Harper said.