The Hilton Settlement and Payment Card Security

The What and When

Hilton Hotels & Resorts has reached an agreement for a $700,000 fine. Settlement details state that New York will receive $400,000 and Vermont will receive $300,000. Hilton Hotels & Resorts suffered two data breaches in 2015 that resulted in the theft of 350,000 credit card numbers. The joint investigation by the attorney general from New York, Eric Schneiderman and the Vermont attorney general T. J. Donovan found that Hilton Hotels & Resorts didn’t provide customers with a timely notice of the breach and lacked reasonable security. Other than the monetary portion of the settlement Hilton Hotels & Resorts must immediately send a notification to consumers, maintain an information security program, and conduct information system risk assessments.

The pinky promises made between state attorney generals and companies after a data breach rarely comes to fruition to the fullest extent intended by the agreements. There might be some initial follow up on the agreed terms over six months to a year, but from the sound of the settlement terms, Hilton Hotels had little security in place. A company as large as Hilton Hotels takes 2 to 3 years to fully implement a standardized and thoroughly document security program because it’s not merely a matter of fulfilling the requirements, it’s about changing a culture that doesn’t take security seriously.

Individuals in the company should be held responsible by a demotion or firing, and, in my opinion, a fine or jail time if the person’s actions or lack of actions are willful and approach egregious.

I reached out to Hilton Hotels & Resorts for information about anyone being fired or demoted, and at time of publication, I hadn’t received a response.

The “huh?”

Did you know that there isn’t a law that stipulates that if you handle card payment data, whether transmitting or storing, you must adhere to specific security guidelines? Personal medical information has a law called HIPAA and HITECH that contain security guidelines to protect you from accidental information disclosures and hackers. With as much damage that can be done with payment card information, one would think there would be a law requiring compliance with the Payment Card Industry Data Security Standard (PCI DSS or PCI for short). Taking into account all of the data breaches that are discovered on a daily basis, Hilton should have learned from the failure of others and adhered to the security requirements outlined in PCI DSS.

The PCI Security Standards Council makes compliance mandatory through being able to prohibit access to the payment card system making the business cash only. The PCI Security Standards Council was established by the major credit card companies, and there is a multitude of rules within 12 specific requirements under three categories you must meet before you can accept payment cards, store payment card data or transmit payment card data. The three PCI DSS categories are assess, remediate, and report. Each payment card brand has additional rules, validation, and enforcement aside from what is required by PCI DSS.

What is important to point out is that compliance is mostly self-reported through a self-assessment questionnaire. The requirements and rules listed below are standard in the security world whether you have compliance requirements or not.

PCI DSS Requirements:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

A sample of the security rules in the requirements:

1. Build firewall and router configurations that restrict all traffic from “untrusted” networks and hosts,
   except for protocols necessary for the cardholder data environment.
2. Encrypt using strong cryptography all non-console administrative access such as browser/web based
   management tools.
3. Protect any keys used for encryption of cardholder data from disclosure and misuse.
4. Use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard
   sensitive cardholder data during transmission over open, public networks (e.g., Internet, wireless
   technologies, Global System for Mobile communications [GSM], General Packet Radio Service
   [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder
   data environment use industry best practices (e.g., IEEE 802.11i) to implement strong encryption
   for authentication and transmission. The use of WEP as a security control is prohibited.
5. Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs
6. Ensure that all system components and software are protected from known vulnerabilities by
   having the latest vendor-supplied security patches installed. Deploy critical patches within a
   month of release.
7. Limit access to system components and cardholder data to only those individuals whose job
   requires such access.
8. Render all passwords unreadable during storage and transmission, for all system components, by
   using strong cryptography.
9. Maintain strict control over the internal or external distribution of any media. Classify
   media so the sensitivity of the data can be determined.
10. Using time synchronization technology, synchronize all critical system clocks and times and
    implement controls for acquiring, distributing, and storing time.
11. Perform external and internal penetration testing, including network- and application-layer
    penetration tests, at least annually and after any significant infrastructure or application upgrade
    or modification.
12. Ensure that the security policy and procedures clearly define information security responsibilities
    for all personnel.