Data security is becoming an increasingly important issue in the digital age. In the past few years, companies such as Facebook, Amazon, and Yahoo have all suffered from high-profile breaches that have involved personal details of their users being leaked.
When it comes to data security, the hospitality industry has proven to be especially vulnerable to attack. A 2016 report by Trustwave revealed that the hospitality sector had the second largest share of data incidents by industry at 14%. In February 2017, InterContinental Hotels Group announced a series of unauthorized charges had been carried out on payment cards of their guests.
These increasing attacks are both a sign and a natural outcome of how much hotels have expanded connectivity and digital services for guests. Online bookings, mobile check-in services, public Wi-Fi, and messaging apps all involve guests handing over personal details.
As such, hotels have a heightened responsibility to protect this information at all costs. In the digital age, safeguarding digital data means adhering to strict guidelines that fall under two categories: PCI (payment card industry) and PII (personally identifiable information) compliance. The two terms are often used together, though each is a vast area of compliance in itself. Let’s decode and differentiate the two and understand how they vary across geographies.
What is PCI compliance?
Every business that handles credit card information (including storing, processing, and transmitting cardholder data) must be PCI compliant.
To ensure credit data remains as secure as possible, the PCI Data Security Standard (PCI DSS) offers a guideline with 12 central security areas—these are identified as the minimum level of security measures organizations need to take.
PCI compliance involves a contractual agreement with acquiring banks, and some U.S. states have introduced elements of PCI compliance into their own laws. Ultimately, responsibility for any breaches falls upon the hotel.
While smaller hotels might not have the luxury of a dedicated officer or department to deal with compliance, the majority of properties can still meet PCI compliance by following a few simple measures.
What is PII compliance?
PII (personally identifiable information) relates to any form of information that could be used to reveal a specific person’s identity. This extensive list includes details such as:
- A person’s name
- Email address
- Date of birth
- Phone number
- IP address
- Passport number
- Bank account number
While PCI compliance only applies to protecting details relating to credit card data, PII is a much bigger area. It’s also one that hotels need to be especially aware of given the surge in guest data now being collected through various sources such as online bookings, loyalty programs, and social media profiling.
As with PCI compliance, any business that fails to protect personally identifiable information risks facing a significant financial penalty, not to mention a big hit to its brand reputation.
Differences between US and EU requirements
There are also distinct differences between data laws in the U.S. and the European Union. For hotels that collect any form of identifiable data from overseas guests, understanding the nuances of these regulations is essential.
So what are the main differences that hotels need to be aware of?
In the U.S., PII regulations are fragmented and regulated by state and federal laws. They’re also often industry-specific and dealt with on a case-by-case basis that considers the level of risk that a person might be identified.
Compared to Europe, U.S. companies have far more freedom over how they use data. For instance, U.S. consumers must opt out of having their information shared, rather than the company actively obtaining their approval first.
Things are markedly different in Europe. Instead of fragmented PII regulations, there’s a single privacy law known as the Data Protection Directive. This overarching law is far more comprehensive in scope than regulations in the U.S. and gives consumers a greater level of protection. For instance, the definition of personal data in Europe extends to a range of information, including photos, social media posts, and lifestyle preferences. (It’s important to note that the EU uses the broader term “personal data” as opposed to the U.S. accepted definition of “PII.”)
As of May 2018, the new General Data Protection Regulation (GDPR) will see even stricter consent laws come into place, with heavy financial penalties for organizations that are found to be non-compliant.
One key change is the increased scope of the law. The GDPR does not apply only to EU companies; in fact, every company around the world that does business with EU consumers is required to adhere to these regulations. Data usage consent forms can no longer be illegible pages filled with legalese, but must instead be “intelligible and easily accessible” forms in “clear and plain language,” and consent should be as easy to withdraw as it is to give.
Security implications for hotels
While PCI compliance involves adhering to a single global standard, the differences in how PII is defined in the U.S. and Europe present an obvious challenge for hotels conducting business overseas: both domestic and overseas regulations must be followed.
This is arguably a tougher challenge for U.S. hotels when dealing with the more stringent European laws, especially with the impending changes set to come about under GDPR.
While understanding the different boundaries and definitions of personal data might seem daunting, there are some vital reasons that hotels must educate themselves in this area.
The risks of not adhering to compliance
Perhaps most significantly, non-compliance to data protection regulations can lead to a huge impact on brand reputation. If a data breach becomes public knowledge, it could rock customer trust and loyalty.
There are also potentially severe financial penalties to consider. When it comes to PCI non-compliance, the fines can run into the hundreds of thousands of dollars. In Europe, organizations that breach GDPR could face a fine of up to 4% of their annual global turnover or €20 million.
Beyond the financial implications, there are also legal repercussions to consider.
For instance, hotels are contractually obliged to comply with PCI. The risk of non-compliance includes losing the right to accept credit card payments. Not only would this prevent a hotel from receiving online bookings, but guests would also have to use cash for everything they bought during their stay. Clearly, this kind of experience could cost a hotel countless future bookings from dissatisfied guests.
A call to action: How to work with your tech vendors on data security
Since most hotels outsource their technology systems, it can be easy to think that the responsibility for data protection passes on to the tech vendor itself. But ultimately it’s the hotel that will be responsible should something happen. The recent data breach at Sabre, for example, affected a number of well-known hotel brands, who were then required to notify potentially affected guests.
When implementing tech systems within your hotel, be sure to provide your technology vendor with a list of security requirements from the start—keep communication open and clear about what features are expected, how data is protected on the hotel side and the vendor side, and what protocols to follow in the event of a cyber attack or breach.
Consistent security audits and staff training are also important to ensure that your hotel stays up-to-date with the latest regulations. By doing so, you can avoid getting caught up in sticky compliance issues and reduce the risk of potential data breaches and the legal fines and repercussions that go with them.