Why PCI DSS Compliance Is Especially Crucial for the Hospitality Industry
By ERMProtect Staff
PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements that businesses must follow if they accept, store, or process credit card information. The standard, first published in 2006, was put in place to protect consumers' card data and other sensitive information, and it applies to every merchant that handles card data, including restaurants, hotels, B&Bs, retail outlets, ecommerce stores, and more.
There are 4 levels of PCI compliance, based on a business' annual transaction volume and level of risk, ranging from organizations with fewer than 20,000 annual transactions to those with more than 6 million. Companies are expected to comply with the standard, and non-compliance can result in fines, fees, chargebacks, and investigation costs.
PCI DSS compliance is especially critical for the hospitality industry, including hotels and B&Bs, for two reasons: these businesses hold a wide range of sensitive consumer information (credit card details, home addresses, phone numbers, passports, dietary preferences and more), and they are particularly prone to being hacked.
Why Hotels, B&Bs and Travel Companies Are Vulnerable to Being Hacked
The hospitality industry processes billions of dollars of transactions annually and is a prime target for hackers and financial fraudsters. Hospitality businesses that have been targeted by hackers in the last few years include the hotel chains Marriott, The Ritz, Choice Hotels International and Omni Hotels.
Hotels are particularly vulnerable because they routinely store personally identifiable information and other personal consumer data such as home addresses, phone numbers, and ID cards. In addition, hospitality staff often have low security awareness, especially without specialized training, and can end up being the weak links in the security chain.
The Consequences of a Data Breach
While a data breach can result in a heavy fine and/or an investigation, the consequences for consumers can be far more damaging. Inadvertently exposing consumer information puts them at risk of being scammed, having their identity stolen, or having their personal data exposed and sold to third parties. This can significantly erode the trust customers place in your brand and damage the company's reputation.
When a data breach occurs, hackers can use the exposed information to:
- Commit Credit Card Fraud: The main reason hotels are prime targets for data breaches is the amount of credit card data they store. Once exposed, this information can be used to commit large-scale financial fraud.
- Expose Consumers' Personal Data Online: Hotels tend to store a large amount of personally identifiable information about consumers, such as passports, social security numbers or other ID card data, phone numbers and other contact details. In a breach, this data can be exposed and published on the internet, violating consumers' privacy.
- Sell Personal Data to a Third Party: Data exposed in a breach is often sold on the dark web, leaving the victim open to being targeted again in the future.
What Hoteliers Can Do to Keep Up With PCI DSS Standards
PCI DSS defines best practices that businesses in the hospitality industry, and other retail businesses, should follow to cut down on the risk of fraud, data theft, identity theft, and other threats.
PCI compliance is critical not just to avoid a fine or an investigation, but also to give consumers the assurance that their financial data is safe with your business.
Here is what hotel owners can do to strengthen their security and comply with PCI DSS standards.
- Securing Network Firewalls: It is critical to have network segmentation and firewalls separating backend systems, where customer data is stored and processed, from the hotel WiFi networks used by guests or staff. Poor network segmentation makes it far easier for guests or other outsiders to reach internal systems and access restricted data.
- Training Staff: Regular security awareness training sessions help your staff learn the most secure ways of handling card data and other sensitive data. Many hotel staff members aren't well-schooled in cybersecurity and may make basic security mistakes, such as using the default password for a system or leaving a printout or fax with customers' card details lying around.
- Securing Physical Data: Ensuring that physical data is as secure as digitally stored data is an important part of PCI compliance. Hotels need to lay out guidelines for the storage and handling of physical documents containing personal information, such as scans, faxes, printouts and hand-written memos or notes. All documents containing credit card data or other personal information must be filed away in a locked room with security cameras - or destroyed.
- Using PCI-Compliant POS and PMS Providers: Even with the most stringent security practices, your POS (Point-of-Sale) terminals and PMS (Property Management System) software can end up being weak links if they are not PCI-compliant. Hotels tend to store data in multiple locations, including POS terminals, PMS systems, the front desk, emails, card authorization forms, third-party vendor databases, and more. It is critical to ensure that all of these touchpoints are secure and PCI-compliant, not just your internal systems.
- Limiting Access to Data: Many hotels have a large staff of front desk managers, concierges, cooks, cleaners, and waiters, but not every employee needs full access to a customer's credit card data. Allowing access only to the employees who need to see credit card details for room management purposes will help cut down on the risk of a data breach.
- Conducting Regular Risk Assessments: Businesses can hire professional agencies to perform an on-site security audit and network scan, or do regular self-assessments using questionnaires that are readily available online. Credit card companies such as Visa regularly publish lists of best practices that hotels can learn from.
- CVV2: Hotels are not permitted to ask guests for credit card CVV (card verification value) codes unless they are fully PCI DSS compliant. Avoid asking guests for any information you don't strictly need, as it could become a liability.
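The "Limiting Access to Data" and "CVV2" points above can be enforced in software rather than left to policy. The following is an added example, not code from the article or from ERMProtect: a small Python model in which hotel roles (hypothetical names) decide whether a user sees the full card number or only its last four digits, and in which the CVV2 is never accepted for storage. The card number used is a constructed test value.

```python
# Added example (not from the article): least-privilege access to stored
# card data. Role names, the record layout and the sample PAN are assumptions.
from dataclasses import dataclass
from typing import Optional

# Only staff who need the full PAN (primary account number) for room and
# billing management get it; other front-of-house roles get a masked view.
FULL_PAN_ROLES = {"front_desk_manager"}
MASKED_PAN_ROLES = {"front_desk_agent", "concierge"}


@dataclass(frozen=True)
class CardRecord:
    pan: str     # digits only
    expiry: str  # "MM/YY"
    # Note: there is deliberately no cvv2 field; it must never be retained.


def _digits(value: str) -> str:
    return "".join(ch for ch in value if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with '*'."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return "*" * (len(digits) - 4) + digits[-4:]


def store_card(pan: str, expiry: str, cvv2: Optional[str] = None) -> CardRecord:
    """Persist card data for a reservation. PCI DSS forbids keeping the CVV2
    after authorization, so passing one is refused instead of silently dropped."""
    if cvv2 is not None:
        raise ValueError("CVV2 must not be stored after authorization")
    return CardRecord(pan=_digits(pan), expiry=expiry)


def view_card(record: CardRecord, role: str) -> dict:
    """Render a card record according to the caller's role."""
    if role in FULL_PAN_ROLES:
        return {"pan": record.pan, "expiry": record.expiry}
    if role in MASKED_PAN_ROLES:
        return {"pan": mask_pan(record.pan), "expiry": record.expiry}
    # Cooks, cleaners, waiters and similar roles have no need for card data.
    raise PermissionError(f"role {role!r} may not view card data")


if __name__ == "__main__":
    rec = store_card("4111 1111 1111 1111", "12/29")  # constructed test number
    print(view_card(rec, "concierge"))                # masked view
    print(view_card(rec, "front_desk_manager"))       # full view
```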
Additionally, hotels and other businesses must follow basic security practices, such as maintaining and regularly updating passwords, issuing a unique user ID to each staff member, and conducting regular security assessments.
How to Assess PCI Readiness
Having a professional PCI Readiness Assessment conducted can help you identify and fix weak spots in your PCI compliance before the final PCI audit takes place. This reduces the chance that your hotel or business is found non-compliant with PCI DSS, which can result in penalties.
ERMProtect can help assess your hotel's compliance level, identify security issues, and make fixes before an official audit. We have over 25 years of experience in securing payment data and strengthening security systems, which we can leverage to protect your business.
Reach out to Silka Gonzalez at [email protected] or call us at 305-447-6750 for a commitment-free consultation.