PCI Compliance and Hotels

To streamline operations, improve service and remain competitive, hotels use computers to handle numerous tasks. While automation facilitates hotel operations and often makes a better stay for guests, it also opens hotels to digital threats perpetrated by malicious actors.

Hotel operators should be aware of attacks, which can significantly hurt their brand reputation and bottom line, not to mention the safety and welfare of employees and guests.

Why are hotels a target?

According to Statista, the hospitality industry generates up to 550 billion dollars in revenue globally each year. It is one of the most attractive segments for criminals, accounting for around 40% of all data breaches and credit card theft worldwide.

The leading type of breach in hotels, according to the Verizon DBIR, is the POS breach. A whopping 96% of the data accessed from the industry was payment data, 2% personal data, and 1% credentials. Most POS breaches are opportunistic and financially motivated and involve primarily malware and hacking threat actions. An attacker needs very little time to compromise a system, but it often takes hotels months to discover the data breach.

Hackers target hotels because of the type of point of sale (POS) systems they use. These are often integrated, non-compliant POS environments running applications that are not as secure as modern, hardened payment terminals designed to capture and encrypt payment data. Hotel systems send the data to the back office instead of directly to the payment processor, an additional step that creates a weak point in the hotel POS system.

In addition, there are large volumes of payment card transactions across restaurants, on-site shops, spas, parking, and the front desk, ensuring there is plenty of customer data for a hacker to compromise.

How to protect your hotel's data

One recommended way to secure your hotel's and your patrons' data is to ensure that you are PCI Compliant.

The Payment Card Industry Security Standards Council (PCI SSC) has put forth a set of stipulations, the Payment Card Industry Data Security Standard (PCI DSS), in response to rapid PCI expansion.

Hotels should make sure they are compliant with these regulations, which require businesses to handle credit card information in a secure environment, to avoid heavy fines and the loss of data, revenue, and customer trust.

"Ultimately, the responsibility for a breach falls back on the individual hotel and not the franchise, so it is important that each entity take responsibility," says Mark Cline, Vice President of Sales, Netsurion.

PCI Compliance starts with the three-step process below:

  1. Assess your PCI Compliance status and requirements
  2. Complete a self-assessment questionnaire based on your security framework and credit card data risk
  3. Submit an official report to your bank and the credit card companies

It is difficult to achieve PCI Compliance, especially for small hotels with limited staff and budget.

Focusing on these five areas will help keep customer and credit card data secure:

1. Secure your passwords

According to Verizon, more than 80% of data breaches involved stolen or weak passwords. Every individual dealing with customer data should have the ability to set their own password and be prompted to change it at least every quarter. Passwords should be required to contain a combination of special characters, upper- and lower-case letters, and numbers.
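As an added illustration of the policy described above (example code written for this page, not Netsurion's own tooling), the following Python snippet checks a candidate password against the character-class requirements and flags accounts whose last password change is older than the rotation window. The 90-day window and the 8-character minimum are assumptions chosen for the example, as is the sample account list; a real hotel should enforce these rules in its identity provider or property management system rather than in ad hoc scripts.

```python
import re
from datetime import date, timedelta

# Assumed policy values for this example (not quoted from the PCI DSS text):
# the page says "at least every quarter", approximated here as 90 days.
MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 8


def check_complexity(password: str) -> list:
    """Return the list of unmet requirements; an empty list means the password passes.

    Only the candidate password is inspected here; nothing is stored or logged.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("missing uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing digit")
    # Anything that is not a letter or digit counts as a special character.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing special character")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is at least MAX_PASSWORD_AGE_DAYS old."""
    return (today - last_changed) >= timedelta(days=MAX_PASSWORD_AGE_DAYS)


def audit_accounts(accounts: list, today: date) -> list:
    """Return the user names whose passwords are overdue for a change.

    Each account is a dict with 'user' and 'last_changed' (a date). This is the
    kind of report a designated PCI Compliance officer could review each month.
    """
    return [a["user"] for a in accounts if rotation_due(a["last_changed"], today)]


# Constructed sample data for the example; not real accounts.
SAMPLE_ACCOUNTS = [
    {"user": "frontdesk1", "last_changed": date(2018, 1, 5)},
    {"user": "spa-pos", "last_changed": date(2017, 9, 1)},
]

if __name__ == "__main__":
    print(check_complexity("password"))
    print(check_complexity("Hotel-Guest7"))
    print(audit_accounts(SAMPLE_ACCOUNTS, date(2018, 3, 1)))
```

The complexity check returns every unmet requirement at once so the user can fix the password in one attempt, and the age check is kept separate from the complexity check so the audit report can run against existing accounts without ever touching their passwords.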

2. Conduct regular training and assign a dedicated PCI Compliance officer

Holding training sessions keeps security top of mind for employees. Training suited to your hotel's needs is available on the PCI Security Standards Council website.

In addition to training, it can be helpful to assign one staff member to take charge of all tasks related to PCI Compliance so important deadlines don't slip through the cracks.

3. Ensure your technology and vendors are compliant

Not every P2PE (point-to-point encryption) solution is PCI DSS validated. Any third party that handles your customers' information, including reservation systems, POS systems, and property management systems, should be compliant. Be sure to verify your solutions against the PCI Security Standards Council's lists of validated products and providers.

4. Eliminate unnecessary data

Purge any digital or hard-copy records containing customer information or credit card data that are not essential for business. The more data you store, the more exposed your hotel is to a data breach.

5. Review

Your hotel should regularly review its processes and watch for updates to PCI DSS. When those updates are published, ensure that you take the proper steps to remain compliant.

Need help with PCI Compliance? Netsurion is here for you.

We've been helping hoteliers with PCI Compliance since its inception by providing affordable managed network security solutions that make compliance easy and efficient. Learn how to simplify the process and be audit-ready at all times, while still focusing on your business.

Take 5 minutes to learn which of the 12 requirements you need to spend extra attention on to gain compliance.

Sources:
Statista
Verizon DBIR 2017
PCI Security Standards
