At least five major hotel brands announced security breaches last year—with Hyatt, Starwood, and Hilton all opening up about credit card security problems in the last six weeks of the year. In fact, 54 percent of all credit card breaches and fraudulent activity worldwide occurred within the accommodations and food & beverage industry. [1]
PCI compliance for the hospitality industry is much different from that of other industries, according to a report from the HFTP. [2] Not only are hotels one of the largest targets for security breaches, but they also have unique situations that credit card companies don’t necessarily understand. PCI Compliance in the hospitality environment requires an infinite number of processes to review and modify, and carries hefty fines for non-compliance. The report recommends you manage the task by distinguishing what is important.
Hotels and vacation rental managers often do not realize that, under their credit card merchant agreement, they are liable for all security breaches, even those of their technology providers. A security breach is not only very costly (in 2009 the average cost of a breach was $6.5 million); it also negatively impacts brand reputation, consumer trust, and guest loyalty.
It’s important to realize that becoming compliant is just the first stage—maintaining compliance is really what the initiative is about. Ensuring your technology partners are fully compliant with security regulations is paramount to protecting your company and your guests. Among the ways to gauge technology partners and the security of your guests’ payment data is PCI (Payment Card Industry) Compliance. PCI Compliance is the international benchmark for secure business practices. It includes compliance in an array of areas: network security, computer security, securing paper documentation, proper document shredding, and document retention. Other requirements include more secure networks and logins, and restricting which personnel can access certain systems.
In addition to the standard list of questions you would ask a potential vendor, incorporate the following questions, which will ensure your guest data is fully secure and regularly tested for potential issues. Strongly consider surveying your existing vendors for compliance.
1). Is the vendor certified as PCI DSS compliant by a Qualified Security Assessor? What level is the certification? (Level 1 is the highest.)
2). Dig deeper. If they are compliant, request a statement of the scope of the assessment (which systems, locations, and services the certification actually covers).
3). Do they have regular testing in place?
4). How do they encrypt online, on-site, and over the phone credit card transactions? How is cardholder data encrypted across public networks?
5). Where is payment data stored?
6). What happens if an attempted breach in your or their system occurs?
7). Are they available 24/7/365 if there are security questions?
If the answers to these questions come up short of your expectations, especially with existing vendors, determine whether they intend to pursue PCI Compliance and on what timeline. If they do not, it is time to consider other vendor options so that you can avoid the damaging scenario where your guests’ payment information is compromised.
1). Verizon Enterprise. 2012 Data Breach Investigations Report.
2). Bottom Line: PCI Compliance and the Hospitality Industry. HFTP.