PCI Compliance and Hotels
June 06, 2018
To streamline operations, improve service and remain competitive, hotels use computers to handle numerous tasks. While automation facilitates hotel operations and often makes a better stay for guests, it also opens hotels to digital threats perpetrated by malicious actors.
Hotel operators should be aware of these attacks, which can significantly hurt their brand reputation and bottom line, not to mention the safety and welfare of employees and guests.
Why are hotels a target?
According to Statista, the hospitality industry generates revenue of up to 550 billion dollars globally each year. It is also reported to be one of the most attractive targets for criminals, accounting for around 40% of all data breaches and credit card theft worldwide.
The leading breach pattern in hotels, according to the Verizon DBIR, is the point-of-sale (POS) intrusion. A whopping 96% of the data compromised in the industry was payment data, with 2% personal data and 1% credentials. Most POS breaches are opportunistic and financially motivated, and involve primarily malware and hacking threat actions. Attackers need very little time to compromise a system, but it often takes hotels months to discover the breach.
Hackers target hotels because of the type of POS systems in use. These are often integrated, non-compliant POS environments running general-purpose applications that are not as secure as modern, hardened payment terminals designed to capture and encrypt card data at the point of swipe or dip. Hotel systems also frequently route card data through the property management or back-office server before it reaches the payment processor; that extra hop puts another machine in scope and gives POS malware a place to scrape cleartext card numbers.
In addition, there are large volumes of payment card transactions between restaurants, on-site shops, spas, parking, and the front-desk, ensuring there is plenty of customer data for a hacker to compromise.
How to protect your hotel's data
One recommended way to protect your hotel's and your guests' data is to make sure you are PCI compliant.
The Payment Card Industry Security Standards Council (PCI SSC) maintains a set of requirements, the Payment Card Industry Data Security Standard (PCI DSS), created in response to the rapid growth of card payments and card-data theft.
Hotels should make sure they comply with these requirements, which oblige businesses to store, process, and transmit cardholder data only in a secured environment, to avoid heavy fines and the loss of data, revenue, and customer trust.
"Ultimately, the responsibility for a breach falls back on the individual hotel and not the franchise, so it is important that each entity take responsibility," says Mark Cline, Vice President of Sales, Netsurion.
PCI Compliance starts with the three-step process below:
- Assess your PCI Compliance status and which requirements apply to you
- Complete the Self-Assessment Questionnaire (SAQ) that matches your security posture and the way you handle card data
- Submit the resulting report to your bank and the card brands
It is difficult to achieve PCI Compliance, especially for small hotels with limited staff and budget.
Focusing on the following areas will help keep guest and credit card data secure:
1. Secure your passwords
According to Verizon, more than 80% of hacking-related breaches involved stolen or weak passwords. Every individual who handles cardholder data should have their own account (a shared front-desk or POS login makes it impossible to tell who did what), should set their own password, and should be prompted to change it at least every quarter; PCI DSS Requirement 8 mandates unique user IDs, a minimum password length of seven characters, and a change at least every 90 days. Passwords should also be required to combine special characters, upper- and lower-case letters, and numbers.
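The following script is an added example for this article (it is not Netsurion code) showing how the points above can be turned into a repeatable check: it audits an export of a property's user accounts against PCI DSS v3.2 Requirement 8, flagging generic shared logins and passwords older than 90 days, and validates candidate passwords against the stronger character mix recommended here. The CSV layout, the account names, the list of "generic" names and the audit date are all constructed for illustration.

```python
"""Audit a property's user accounts against PCI DSS v3.2 Requirement 8.
Added example for this article, not Netsurion code; the CSV export format,
the account names and the audit date are constructed for illustration."""
import csv
import io
import re
from datetime import date
from typing import List, Tuple

MAX_PASSWORD_AGE_DAYS = 90   # Req. 8.2.4: change passwords at least every 90 days
MIN_PASSWORD_LENGTH = 7      # Req. 8.2.3: at least seven characters

# Generic names usually mean a login shared by a whole shift, which Req. 8.1.1
# (unique ID per user) and 8.5 (no shared or generic accounts) forbid.
# The list itself is an assumption; tune it to your property.
GENERIC_ACCOUNT = re.compile(r"^(frontdesk|reception|pos\d*|bar|spa|admin|manager)$", re.I)

# Constructed sample export: one row per account
SAMPLE_EXPORT = """username,last_password_change,role
frontdesk,2017-11-02,clerk
jsmith,2018-04-20,clerk
pos1,2018-05-30,terminal
mlee,2018-01-15,manager
"""


def password_meets_policy(pw: str) -> bool:
    """Req. 8.2.3 only demands 7+ characters with letters and digits; this
    enforces the article's stronger mix of upper, lower, digit and special."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def audit_accounts(export_csv: str, today: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every Requirement 8 violation.
    `today` is an ISO date so the audit is reproducible for a given export."""
    findings = []
    today_d = date.fromisoformat(today)
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["username"]
        if GENERIC_ACCOUNT.match(name):
            findings.append((name, "shared/generic account ID (Req. 8.1.1, 8.5)"))
        age = (today_d - date.fromisoformat(row["last_password_change"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, f"password is {age} days old, limit "
                                   f"{MAX_PASSWORD_AGE_DAYS} (Req. 8.2.4)"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_accounts(SAMPLE_EXPORT, "2018-06-06"):
        print(f"{user}: {problem}")
    print(password_meets_policy("Summer2018!"), password_meets_policy("summer18"))
```

Run against the constructed export dated 2018-06-06, the audit reports the shared `frontdesk` and `pos1` logins and two stale passwords (216 and 142 days old). Exporting the real account list from the PMS or POS vendor console and running this monthly is a cheap way to keep Requirement 8 evidence ready for the SAQ.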
2. Conduct regular training and assign a dedicated PCI Compliance officer
Holding training sessions keeps security at top of mind for employees. Training is available on the PCI Security Standards Council website depending on your hotel's needs.
In addition to training, it can be helpful to assign one staff member to take charge of all tasks related to PCI Compliance so important deadlines don't slip through the cracks.
3. Ensure your technology and vendors are compliant
Not every product sold as point-to-point encryption (P2PE) has been validated by the PCI SSC, and only a listed P2PE solution reduces your PCI DSS scope. Any third party that handles your customers' card data, including reservation systems, POS systems, and property management systems, should be compliant. Verify products against the PCI Security Standards Council's published lists of validated P2PE solutions and payment applications, and ask every service provider for its current Attestation of Compliance.
4. Eliminate unnecessary data
Purge any digital or hard-copy records containing customer information or card data that are not essential for the business. The more data you store, the larger the target you present and the more you have to protect. Never retain sensitive authentication data (full magnetic stripe or chip data, the card verification code, or the PIN) after authorization, and if the full card number is not needed once a transaction completes, do not keep it.
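You cannot purge what you have not found, and cleartext card numbers tend to accumulate in receipt logs, exports and spreadsheets nobody remembers. The following cardholder-data discovery script is an added example for this article (not Netsurion code): it scans text files for candidate 13 to 19 digit runs, keeps only those that pass the Luhn check, and reports them masked to first six and last four digits so the report itself does not become a new copy of the data. The sample log lines are constructed and use well-known test card numbers.

```python
"""Find cleartext primary account numbers (PANs) in receipts, exports and logs
so they can be purged. Added example for this article, not Netsurion code;
the sample log lines are constructed and use well-known test card numbers."""
import os
import re
import tempfile
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a receipt number, a phone number and a booking id are
# digit runs that must NOT be reported; two test PANs must be.
SAMPLE_RECEIPT_LOG = """2018-06-05 19:41 POS-BAR receipt #1234567890123 total 42.50 card 4111 1111 1111 1111 approved
2018-06-05 20:02 FRONTDESK folio 8831 guest phone 555-123-4567 card 5500 0000 0000 0004 approved
2018-06-05 20:15 SPA booking id 1234567890123456 paid cash
2018-06-06 07:30 FRONTDESK checkout card 411111******1111 (masked by terminal)
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN passes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Masked PANs found in text; candidates failing length or Luhn are dropped."""
    hits = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_directory(root: str) -> List[Tuple[str, int, str]]:
    """Walk root and return (path, line number, masked PAN) for every hit."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    for pan in find_pans(line):
                        results.append((path, lineno, pan))
    return results


if __name__ == "__main__":
    # Demo: write the constructed log into a temp directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "bar_receipts.log"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_RECEIPT_LOG)
        for path, lineno, pan in scan_directory(tmp):
            print(f"{path}:{lineno}: cleartext PAN {pan}")
```

On the constructed log only the two real test cards are reported (lines 1 and 2); the 13-digit receipt number and the 16-digit booking id fail the Luhn check and the terminal-masked number is too short to match. Point `scan_directory` at back-office shares, POS log folders and exported spreadsheets; every hit is either a record to purge or a system that needs to come into PCI scope.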
Your hotel should regularly review its processes and watch for updates to PCI DSS. When those updates are published, take the proper steps to remain compliant.
Need help with PCI Compliance? Netsurion is here for you.
We've been helping hoteliers with PCI Compliance since its inception by providing affordable managed network security solutions that make compliance easy and efficient. Learn how to simplify the process and be audit-ready at all times, while still focusing on your business.
Take 5 minutes to learn which of the 12 requirements you need to spend extra attention on to gain compliance.
Verizon DBIR 2017
PCI Security Standards