How Can Hotels Better Secure Credit Card Information to Prevent Data Breaches?

By ERMProtect Staff

The hospitality industry is a frequent target for breaches because hotels collect payment card data, addresses, phone numbers, and other identifiable information sought by cyber thieves. The problem is compounded by the lack of segregation of data that exists within the industry.  One of the most frequent vulnerabilities for hotels is within the public Wi-Fi network. That's because the public network is all-too-often thinly separated from critical back-office systems. All an attacker has to do is book a room and use the hotel network to probe for vulnerabilities, steal data, and spy on guests.

While hospitality companies have fewer transactions than retail organizations — and thus have data on fewer customers — they collect more valuable and varied personal data for each of their guests. Hotels — especially high-end hotels — collect substantial personal information on their guests to give them a more personalized stay. In addition, hotels often share partnerships with other local companies that their guests may frequent (from restaurants to local entertainment options), giving hotels even more expansive profiles on each guest in their databases.

Why Data Risk Is High at Hotels

Hotels collect and store much more information on each of their guests than simply their name and credit card information. Hotels tend to keep card data in several different places: in central reservation systems, with third-party partners, at the front desk, in e-mails, and in card authorization forms, both on paper and in virtual Point of Sale (POS) systems and Property Management Systems (PMS), including connected systems. There are simply too many places where card data is exposed to theft and intrusion. This rich vein of personal data is invaluable to cybercriminals. They can use it to impersonate each breached customer more convincingly, leading to further identity theft and social engineering attacks against other people and companies.

This is why compliance with the Payment Card Industry Data Security Standard (PCI DSS) has become a very important consideration for hotels. As hotels add payment touchpoints across properties, PCI compliance becomes more relevant with every additional POS system. Some hotels are not in compliance and do not even know it. Yet there are significant penalties for non-compliance, including lawsuits, audits, fines and even losing the ability to process credit card payments.

Since hotels store, process, and transmit credit card information, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a strict mandate – no options. These requirements affect a hotel's actual procedures, activities, and systems, such as:

  • POS Compliance – If the hotel is currently using a physical or digital Point-of-Sale terminal that does not meet PCI standards, it will have to be changed. Not all POS Terminals that are sold on the market are PCI compliant, which may require a change in a hotel’s systems in order to provide full customer data protection.
  • PMS Compliance – The same will apply to the Property Management System (PMS) and the Channel Manager. If the hotel is using a PMS to store the credit card data of customers, the hotel will have to adapt the whole network architecture in order to meet the regulations.
  • CVV2 – Hotels may ask a guest for the card security code to authorize a transaction, but PCI DSS prohibits storing it after authorization, even in encrypted form. Any process that writes the code down on an authorization form, types it into an e-mail, or retains it in a PMS field is non-compliant and must be removed.

Less Data, Less Risk

Some may think that PCI compliance is about network and computer security, which it is. But it is also much more, such as properly securing paper documents, shredding documents, and eliminating unnecessary document retention, just to name a few.

Changing the way credit card data is stored is the first step in defending against cybercriminals for any hotel. Only capturing and storing the payment data when it is absolutely necessary will immediately lower the risk of that data falling into the wrong hands.

PCI compliance goes well beyond having sound security policies on the books. There are 12 rigorous and comprehensive requirements that must be in place, and they take time to implement. The basic requirements:

  1. Network Firewalls – Install and maintain a firewall configuration to protect cardholder data. Whenever possible, practice network segmentation so that card data is confined to a protected section of the overall network, with guest Wi-Fi and other untrusted networks kept out. Not only is this a best practice, but it reduces the scope for PCI compliance.
  2. Stronger Custom Passwords – Do not use vendor-supplied defaults for system passwords and other security parameters. Devices such as routers come straight from the vendor with factory settings, including default usernames and passwords. Defaults make device installation and support easier, but they also mean every unit of that model ships with the same credentials. When those defaults are not changed, attackers already hold the keys to your system.
  3. Cardholder Security – Protect stored cardholder data. All forms, documents, folders, and machines that store credit card data and are easily accessible at the reception desk must be moved to a restricted area with security cameras. All cardholder information should be secured and kept out of hotel visitors' reach.
  4. Data Encryption in Transit – Encrypt transmission of cardholder data across open, public networks. Card data leaving any electronic system, such as a virtual POS or a catering system, must travel only over strong encryption (for example, current TLS). Otherwise it is exposed to anyone who can observe the network.
  5. Threat Detection & Protection – Deploy anti-malware software on all in-scope systems and keep it updated. A system without it is like a house with an open door: it invites every intruder in. Anti-malware acts as a closed door with a guard, fending off malicious software before it reaches card data.
  6. Compliant Hardware & Software – Develop and maintain secure systems and applications. PCI DSS calls for all appropriate security patches to be applied within a defined period in order to protect the cardholder data environment. This requirement applies to every application in the environment, whether bought commercially or developed in-house.
  7. Staff Authorization & Access Controls – Restrict access to cardholder data by business need-to-know. Only employees who need credit card information to do their jobs should be able to access it. Many hotel managers are under the wrong impression that only digitally stored credit card information must be protected, but this is not true. In fact, under PCI DSS and an increasing number of privacy laws, all paper documents containing personal data must be physically secured and adequately restricted at all times.
  8. Unique User IDs – To trace any card-related incident to an individual, assign a unique user ID to every member of staff who has access to credit card information. Shared logins such as a generic front-desk account make that traceability impossible.
  9. Secure Storage – Restrict physical access to cardholder data. Take a look around your hotel's front reception desk. Do you have credit card information written down on sticky notes, torn-out pieces of paper, or any other random note? PCI compliance does not only regulate official documentation. Storing card data in any written form without protection is prohibited.
  10. Network Monitoring – Track and monitor all access to network resources and cardholder data. Extra attention should be paid to wireless transactions. PCI DSS treats wireless as a high-risk medium: wireless networks must be segregated from the cardholder data environment by a firewall, card data may cross them only under strong encryption, and the premises must be checked for rogue access points. Wireless hospitality applications that carry credit card information, such as a wireless POS terminal, should therefore be monitored very carefully.
  11. System Maintenance & Testing – Regularly test security systems and processes. Vulnerability scanning, both internal and external, is an excellent tool for identifying weaknesses within your network. Penetration testing is also an excellent tool, as ethical hackers try to actually exploit and penetrate your network to see if it can be compromised or even brought down. Regardless of whether required by PCI, scanning and penetration testing are two initiatives all businesses should be performing.
  12. Information Technology Security Policy Development – There are approximately fifty (50) different policies, procedures, forms, checklists, and other supporting documents that need to be in place to achieve PCI DSS compliance certification. This can be an incredibly time-consuming process, which is why many hospitality groups turn to experts such as ERMProtect for industry-leading PCI policies and procedures to facilitate rapid compliance. Policies and procedures must be current, mapped to the existing PCI DSS requirements, and reviewed for accuracy.
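The need-to-know and unique-ID requirements above are only enforceable if someone actually reviews who touched card data. The following is an added example, not code from the original article or from ERMProtect: a small review routine run over a PMS audit trail that flags access to cardholder-data records by shared accounts and by users without a business need. The log line format, the user names, the list of card-data resources and the shared-account names are all assumptions made for this example, and the sample log lines are constructed.

```python
"""
Added example (not from the original article): review a property management
system (PMS) audit trail for two PCI DSS controls discussed above:
  - access to cardholder data is limited to staff with a business need-to-know
  - every user has a unique ID (no shared or generic accounts)

Assumed log format (hypothetical):
  <timestamp> user=<id> action=<verb> object=<resource>
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$"
)

# Assumed: PMS resources that hold cardholder data.
CARD_DATA_OBJECTS = {"guest_card_on_file", "card_auth_form", "folio_payment"}
# Assumed: individuals whose role requires card data (e.g. accounting, night audit).
AUTHORIZED_USERS = {"a.lopez", "m.chen"}
# Assumed: generic logins that violate the unique-user-ID requirement.
SHARED_ACCOUNTS = {"frontdesk", "reception", "admin"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    obj: str
    reason: str


def review_access_log(lines):
    """Return Findings for every card-data access that breaks a rule.

    Lines that do not parse are skipped here; in a real review an unparseable
    audit line is itself worth a finding, because it may hide tampering.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, obj = m["user"], m["obj"]
        if obj not in CARD_DATA_OBJECTS:
            continue  # not cardholder data; outside the scope of this check
        if user in SHARED_ACCOUNTS:
            findings.append(Finding(n, user, obj, "shared account used for cardholder data access"))
        elif user not in AUTHORIZED_USERS:
            findings.append(Finding(n, user, obj, "user has no business need-to-know"))
    return findings


# Constructed sample audit trail (not real hotel data).
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z user=a.lopez action=view object=folio_payment",
    "2024-05-01T08:05:40Z user=frontdesk action=view object=guest_card_on_file",
    "2024-05-01T09:10:02Z user=j.smith action=export object=card_auth_form",
    "2024-05-01T09:12:30Z user=j.smith action=view object=room_assignment",
    "this line is not a valid audit record",
    "2024-05-01T10:00:00Z user=m.chen action=view object=guest_card_on_file",
]

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} -> {f.obj}: {f.reason}")
```

Run against the constructed log, the routine flags line 2 (the generic front-desk login reading a card on file) and line 3 (a user outside the need-to-know list exporting an authorization form); the accounting and night-audit users' reads pass, and the room-assignment read is ignored because it is not cardholder data.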

PCI Certification Enhances Security

Establishing and maintaining a correct PCI DSS program within the IT department is crucial not only to demonstrate compliance to acquirers and payment brands but primarily to challenge and improve the internal IT security process. The PCI Standard forces IT managers to verify if the current technologies and processes are appropriate or not and if all critical data store locations are necessary. The smaller the card data environment (as long as protections are implemented properly), the more difficult it will be for criminals to target and steal it.

The primary focus for any entity dealing with credit card data should be: "if you don't need it, don't store it." Do everything possible to eliminate data, train staff, create processes, and find technologies that help with this effort. Purge any digital or hard-copy records that include customer information or credit card data and are not essential for business. The more data you store, the more exposed your hotel is to a data breach. Often it is possible to replace the data currently stored or transmitted with a token, or to encrypt it with keys the hotel does not hold, so that the systems handling guest folios never see a full card number. This reduces the scope of a PCI assessment and simplifies compliance.

When possible, outsource the whole credit card managing process to a PCI-compliant service provider. Outsourcing not only reduces the risk associated with credit card management but also dramatically reduces the effort to achieve PCI DSS certification.

Get a Readiness Assessment

Finally, before undergoing a PCI compliance audit, hotels should consider contracting for a PCI Readiness Assessment. That way, problems in the security environment are exposed and remediated before the PCI Qualified Security Assessor (QSA) begins his or her work.

ERM Protect can help ensure PCI compliance.  Give our team a call today to have your hotel evaluated for PCI compliance standards. Our expert team will assist you with all necessary requirements and provide you with all the latest industry best practices.  As one of the original PCI QSA firms, we are experts at payment card compliance, IT security, and data protection.  We leverage almost 30 years of experience to secure your payment data, protect your business and manage costs and risk. Reach out to Silka Gonzalez at [email protected] or call us at 305-447-6750 for a commitment-free consultation.
