Cape Town - Card payments and data sharing within the travel and tourism industry are heavily under scrutiny as cyber-attacks, phishing scams and data breaches become more frequent and sophisticated.
According to PCI Security Standards Council General Manager Stephen Orfei, South Africa’s blossoming entrepreneurial landscape has unfortunately seen it become "one of the top ten markets targeted for cyber security weakness".
Orfei spoke to Traveller24 during the PCI Middle East and Africa Forum on cyber-security, held in Cape Town last week on 29 March, which set out to educate the market on the risks associated with these cyber-attacks and data breaches.
As cyber-criminals continue to threaten the safety of payments, cyber-security skills are critically important across every sphere of the payments industry, as is the way in which payment data is securely stored, he says.
“Cyber-criminals are increasingly targeting the hospitality industry, using stolen data from hotel systems to commit acts of fraud. Cyber-crime has moved to full-time, highly sophisticated, persistent attacks.
“The median time that it takes an organization to detect compromise and subsequent breach was more than 100 days, and more than 80 percent of the time, the detection was not made by internal teams.”
According to Orfei, a major hotel collection case study shows a hack affected customers who used their credit or debit cards at several locations, including both national and international locations.
“The credit card systems at several hotels in the US and Europe were hacked in 2015 with malware that infected sales systems at several properties, and revealed the personal information of guests who used credit or debit cards for dining, beverage, spa or other products and services. Many were US-based properties, with London, Hong Kong, and Geneva locations also affected by the breach.”
What should local companies be aware of when it comes to safeguarding payment data against cyber-attacks?
Orfei says SA lacks qualified installers when it comes to securing this sensitive information, with similar challenges seen in the US and Europe. He says the key purpose of the conference was to educate the market on what the threat landscape is and how they can defend against that.
Highlighted the risks associated with the Hospitality and Aviation industries
Orfei specifically highlighted the risks associated with the Hospitality and Aviation industries, as the global trend sees these industries as particularly vulnerable - due to the large amounts of payment data being moved in and out when making online purchases for air tickets, car rentals, hotels as well as payments made at kiosks and terminals.
Case studies show that the challenge lies with qualified installers and resellers: “These are the technicians who come in and install payment applications. One of the common points is that the client thinks they are more secure when they’re not.”
“All default passwords are left in place, services are left on as the install was not done properly and they are more vulnerable than they were yesterday. We have to take risk off the table and train these individuals properly,” says Orfei.
Things to be aware of when it comes to Cyber-attacks:
Orfei warns people to be aware of what sort of information they share or make public on social media, using LinkedIn as an example of how oversharing leaves individuals open to blackmail or even cyber-ransom attacks.
“Think before you click on anything, ask yourself can you trust the source,” he warns.
How can SA’s tourism industry safeguard itself?
Andrew Henwood, CEO of SA-based QSA Company Foregenix, also told Traveller24, “The risk is largely due to SA having leapfrogged in terms of technology and innovation.”
“Data breaches are occurring across the board in SA,” says Henwood.
“We went from landlines to mobile, causing a lag in the ability to secure systems.”
According to Foregenix, “the hospitality industry is not fully appreciating the value of the data that they’re handling, which means it’s not necessarily secured, opening it up to exploitation by criminals”.
While SA has no official certified standard at the moment, the General Data Protection Regulation (GDPR) has been in place since 24 May 2016.
Added to this, the Protection of Personal Information Act, No 4 of 2013 promotes the protection of personal information by public and private bodies. POPIA will see organisations large and small having to comply with both the POPI Act and the GDPR.
But what can be done and how can travellers and consumers protect themselves?
Henwood advises, “Reach out to your banks, service providers, online or offline merchants - question where you’re sharing your data.
“Watch where your card goes. If you are giving that card information across the phone, ask them what will be done with the data and how long it will be stored.
“Know the risk factors, as the most common scams, including phishing, have become extremely sophisticated and convincing,” warns Henwood.
No matter the size of the merchant, SA business owners are going to be potentially liable for what they do with the personal information of South Africans, warns Henwood.
Rollout of a PCI Qualified Security Assessor (QSA) program
PCI Security Standards Council says it also plans to evolve the PCI Qualified Security Assessor (QSA) program to attract new cyber talent globally and ensure its sustainability and quality in a changing payment environment.
“The Associate QSA initiative will broaden the abilities for security specialists to leverage their skills, expand our delivery capabilities and maintain our high level of service.”
Cybersecurity firm Symantec has estimated the demand for the global cybersecurity workforce will rise by 6 million by 2019, with a projected shortfall of 1.5 million.
PCI Security Standards Council says it will be rolling out its program in phases, beginning in 2017 with a dedicated industry task force focused on the development of an Associate QSA certification.
A QSA Company is a data security firm certified by the PCI SSC to perform on-site assessments of a company’s PCI Data Security Standard (PCI DSS) compliance to ensure that robust policies and procedures are in place to safeguard payment data against cyberattacks. The QSA program plays a critical role in the adoption of PCI Security Standards.
The PCI SSC plans to begin accepting applications for Associate QSAs in early 2018. Updates on the development of the Associate QSA certification and future changes to the QSA program will be discussed at the 2017 PCI Community Meetings in Bangkok, Orlando and Barcelona.