Can customer service and front desk security co-exist?
At virtually every hotel security audit I’ve ever conducted, and at every hotel I’ve ever stayed at, front desk computers are used to both browse the Internet and accept credit card transactions. That is a serious violation of security protocol.
It doesn’t matter if a desk clerk is helping a customer print off their afternoon boarding pass, or check their personal email. Internet browsing on point-of-sale (POS) or property management machines that have the capability to take credit cards is a one-way ticket to data compromise.
What happens if the innocent employee, with no formal security training, accidentally clicks on a malicious link while browsing the Internet? That malicious link could secretly download malware or install a virus onto the machine. Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.
The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, so cybercriminals can reproduce cards or sell the stolen data on the black market.
See also: Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Common types of malware that may infect your front desk computers include:
See also: SecurityMetrics PCI Guide
The solution to the hotel front desk dilemma is simple: segment.
Most hoteliers don’t segment the POS and property management systems from other systems with access to the Internet. Segmentation is the act of compartmentalizing network areas that contain sensitive information (like customer credit cards) from those that don’t. Segmentation is a very secure practice because, if set up correctly, it is nearly impossible for sensitive data to leak outside of its allotted area.
It may sound complicated, but it’s not. All you need to do is dedicate one machine to taking credit cards, and dedicate any others to customer service use.
That way, even if employees aren’t properly trained, it’ll be extremely difficult to mess up.
For example, if a customer pays with a credit card on the dedicated machine while checking in, then asks about restaurants in the area, the front desk clerk would physically need to move to a second computer at the front desk, placed on a separate network segment and used for Internet browsing. A remote desktop connection to a dedicated ‘browsing’ computer on another network segment could also be used.
Please note that the computers used to browse the Internet are just as vulnerable as before, but if infected, they do not have access to credit card data on the more secure network segment. Also, don’t forget the concierge desk; its computers often have the same kind of access as front desk computers.
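The two-segment design above, expressed as a first-match firewall policy that can be checked flow by flow. This is an added example, not code from the original post; the segment addresses, the payment processor range and the port numbers are assumptions for illustration.

```python
"""Added example (not from the original post): a first-match policy for the
two front desk segments. Addresses, ports and the processor range are assumed."""
from ipaddress import ip_address, ip_network

# Constructed addressing for the two front desk segments (assumed values).
POS_SEGMENT = ip_network("10.10.1.0/24")      # dedicated card-processing machine(s)
BROWSE_SEGMENT = ip_network("10.10.2.0/24")   # customer-service / Internet machine(s)
PROCESSOR = ip_network("203.0.113.0/24")      # payment processor (TEST-NET-3, assumed)
ANY = ip_network("0.0.0.0/0")

# (source, destination, destination port or None for any port, action).
# First matching rule wins; evaluated on the flow's initiating direction.
RULES = [
    (POS_SEGMENT, PROCESSOR, 443, "allow"),       # card authorisation traffic only
    (POS_SEGMENT, BROWSE_SEGMENT, 3389, "allow"), # RDP out to a browsing PC (as the post allows)
    (POS_SEGMENT, ANY, None, "deny"),             # no general Internet from the POS segment
    (BROWSE_SEGMENT, POS_SEGMENT, None, "deny"),  # an infected browsing PC cannot reach POS
    (BROWSE_SEGMENT, ANY, None, "allow"),         # browsing PCs may use the Internet
]


def decide(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, rule_port, action in RULES:
        if s in src_net and d in dst_net and rule_port in (None, port):
            return action
    return "deny"  # default deny keeps the card segment closed


def audit(flows):
    """Evaluate a list of (src, dst, port) flows and return {flow: decision}."""
    return {flow: decide(*flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: what each segment may and may not do.
    for flow, verdict in audit([
        ("10.10.1.5", "93.184.216.34", 443),  # POS machine browsing the web
        ("10.10.1.5", "203.0.113.10", 443),   # POS machine authorising a card
        ("10.10.2.7", "10.10.1.5", 445),      # browsing PC probing the POS machine
        ("10.10.2.7", "93.184.216.34", 80),   # browsing PC on the Internet
    ]).items():
        print(flow, verdict)
```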
I’m convinced that if this simple practice were put into place at hotels around the world, the risk of compromise in the hospitality industry would significantly decline. This is not to say it is the only way hospitality industry systems are being compromised. Best practice is always to implement all controls contained in the PCI Data Security Standard.
This article was also featured in Hospitality Upgrade Tech Talk.