A primer on cyber security and PCI compliance for hotels

The threat of cybercrime from sophisticated hackers is an inescapable issue all businesses face, especially if the business takes credit cards or runs any sort of e-commerce on their website. But there’s a particularly strong case for the hospitality industry to take the threat seriously. According to the American Hotel and Lodging Association (AH&LA), the hospitality industry represents upwards of 55% of credit card fraud. And more than 85% of these incidences come from the smallest merchants. It’s a number that simply can’t be ignored. To ensure that hotels are safeguarding themselves against the ever-present threat of data fraud, it’s essential that they are PCI compliant.

What is PCI Compliance?

According to AH&LA, PCI compliance refers to:

“… the extent that a given merchant (such as a hotel, restaurant or retailer) complies with the Data Security Standard.”

The PCI Data Security Standard (PCI DSS) provides a minimum level of security measures to ensure credit data remains as safe and secure as possible around the world. Every business that handles credit card information in any way (processing, transmitting or storing card data), must comply with these standards.

While these standards are set by the PCI Security Standards Council (PCI SSC), they’re enforced by the issuing credit card brands: MasterCard, Visa, American Express, Discover and JCB (the founding members of the PCI SSC).

Not only is PCI compliance a contractual agreement with acquiring banks, some states have introduced elements of PCI compliance into their laws. As such, compliance isn’t something to be considered as optional but an absolute necessity for all hotels dealing with credit card data.

Individual credit company requirements

It’s important to note that each credit company has its own adherence requirements. Different credit cards have their own “merchant levels,” which are determined by the number of transactions over a 12-month period. Not only do these levels differ between companies, each card company also has their own compliance validation requirements. Hotels will need to contact the relevant card brands in order to find out the specific information. After establishing the criteria they need to follow, hotels can then take the necessary measures to achieve compliance.

Compliance procedures

According to the Security Standards Council, compliance involves a 3-step process. Firstly, an assessment of the merchant needs to take place. This involves compiling an inventory of IT assets, assessing business processes, and looking for potential vulnerabilities in data security.

Following assessment, the business must then fix any vulnerabilities that have been identified. Finally, an official report must be submitted to the relevant acquiring bank and card company. Smaller merchants may not be required to file an ROC (Report On Compliance) or have an on-site assessment. Instead, they may need to file a self-assessment questionnaire as a form of self-validation for the security of cardholder data.

Ultimate responsibility for any breaches in security falls back on the hotel, so it’s essential that this process be carried out with the utmost care and attention.

Simple measures to meet compliance

While larger hotel organizations may have a dedicated officer or department for this task, many smaller hotels will not have the resources to do so. But the majority of hotels can achieve PCI compliance by focusing on several key measures to keep data secure.

Conduct regular training with staff. Anybody in your hotel dealing with credit card information should be informed about the risks of data fraud. Conducting comprehensive training will allow you to reinforce this message, educate your staff on your hotel’s procedures, and lay out the standards that need to be met to maintain best practice. AH&LA recommends training should take place annually and include testing trainees on subject matter.

Assign a dedicated PCI Compliance Officer. As well as training your team, you could firm up security even further by assigning one staff member as the dedicated PCI Compliance Officer. This individual could be tasked with assessing ongoing data handling processes within your hotel, acting as a form of quality control, while also keeping you informed on any changes to regulations.

Ensure technology vendors are compliant. Any third-party vendor that handles sensitive customer data, including the property management systems (PMS), customer relationship management platforms (CRM), central reservation system (CRS), and booking engine technology, should also meet compliance standards.

Eliminate unnecessary payment card data. Take the time to review how much data you’re storing unnecessarily—both on your computer systems and paper copies. The more data you store, the more exposed you are to data fraud. Wherever possible, get rid of information that you no longer need, or look to consolidate it so it’s not so easily accessible.

Secure your password regularly. Every individual dealing with sensitive customer data should have their own unique password. Each password should feature a combination of letters, numbers and special characters, and they should also be changed regularly—at least every 90 days.

Constantly review. Data protection is an ongoing process and a job that can never be classed as “done.” As such, your hotel should regularly review its processes to make sure everything is being done to protect data wherever possible. Consider holding regular PCI meetings to discuss security issues, changes in policy, or training needs that need to be addressed within your hotel.

Risks of non-compliance

Of all the risks of non-compliance, long-term damage to brand reputation is perhaps the biggest threat. If a leak in data security becomes public knowledge, it can instantly undermine all customer trust. The repercussions of this can’t be overstated. As well as being reported in local or even national media, any customers who have had their details accessed at your hotel may very well take to social media to air their grievances.

There are also financial penalties for non-compliance. These can be severe, potentially resulting in fines that run into the hundreds of thousands. As well as the fines issued by the merchant or acquiring banks, the banks issuing the cards have also been known to successfully file for compensation following a security breach.

But the financial penalties don’t stop there.

A data breach can lead to a substantial increase in payment processing fees. A hotel might also end up having to pay for increased PCI DSS compliance obligations; these include having to spend on additional security measures such as system upgrades, internet scans, and audits of information security. Card brands may also issue a hotel with higher interchange rates if they’re not classified as compliant.

Beyond the financial penalties, there are also legal repercussions to consider. As already mentioned, hotels are contractually obliged to comply with PCI. By not doing so, they can be stripped of their right to accept credit card payments altogether.

Unfortunately, data breaches inevitably happen, even to the biggest of companies. Hotels can protect themselves from the fallout with cyber liability insurance, which would cover any costs related to the security breach. Hotels can lower their insurance premiums, however, if they have shown that they’ve taken the above precautions to insulate themselves as much as possible from cyber attacks.

Nancy Huang

Nancy Huang

Nancy is the Senior Marketing Director at Pegasus and expert in strategic communication, brand development, and content marketing. She is an admitted travel junkie and loves finding amazing hotel deals when booking direct. Contact her at nancy.huang@pegs.com.

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay on top of hotel distribution and marketing trends.

Sign up for Travel Tripper's newsletter to get the latest news, tips, and resources delivered to your inbox.

subscribe
Travel Tripper Logo

Request a Demo