If you’ve been to Hershey Park recently, you may no longer be amused. That’s because you could end up paying more than the price of entrance to the Pennsylvania resort and theme park.
According to published reports, Hershey Entertainment and Resorts has hired a firm to investigate a possible security breach. Financial institutions apparently discovered a pattern of fraudulent charges on customer credit cards that link back to Hershey. Park ownership also confirmed some of its guests are reporting fraudulent charges on their payment cards after they visited the property.
“We take reports like this very seriously,” the company said in a statement. “While our company does have security measures in place designed to prevent unauthorized access to our network, we immediately began to investigate our system for signs of an issue and engaged an external computer security firm to assist us. The investigation is ongoing.”
The Inherent Risk
We asked Mark Bower, global director of product management for HP Security Voltage, for his reaction to the possible credit card data breach at the popular amusement park. He told us resorts and hospitality service providers face additional challenges with respect to payment card security.
“Card on file transactions are common, meaning card data is often stored longer than typical retailers to maintain customer bookings and for resort service charges after check-in,” Bower said. “Feeds from online booking systems often channel card data from various sources and third parties over the Internet, creating additional possible points of compromise.”
Partner booking systems that access hotel platforms also present additional risks, giving malware more paths into data processing systems where it can steal sensitive information, Bower explained. However, resorts and hospitality organizations can avoid the impact of the advanced attacks common in the retail segment, he said.
Advice for Hospitality Sector
“Proven methods are available to neutralize this data from breaches either at the card reader at the POS in person or via web booking platforms,” Bower said. He pointed to leading travel-related organizations, airlines, and travel booking aggregators that have adopted these data-centric security techniques with huge positive benefits.
Those benefits include reduced exposure of live data to advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement aimed at making data security a “business as usual” matter for any organization handling card payment data, according to Bower.
“It is always a good practice for consumers to review their payment card account statements,” according to Hershey. “If there are signs of unauthorized charges, they should immediately report them to the bank that issued the card because payment card network rules generally state that individuals are not responsible for unauthorized charges that are reported in a timely manner to their bank.”