How Hotels Can Improve PCI DSS Compliance and Data Security
How can hotel teams be more proactive with data security?
VENZA's Co-Founder and Partner Daniel Johnson and CIO David Christiansen on why hotels are an easy target for cybercriminals, which specific areas hotels can focus on to reduce their risk of being breached, and what the future holds for the PCI DSS standard as alternative payment methods emerge.
It seems like every day we hear about another major data breach occurring, and lately, the hotel industry has been a prime target. Data breaches have become the “new norm” and anyone can be vulnerable if they aren’t educated.
While all businesses that handle credit card information and other sensitive data are expected to adhere to the PCI DSS standards, it’s become more challenging to stay ahead of cybercriminals while still maintaining a positive guest experience. However, part of shaping that guest experience includes protecting their personal information.
1. Why are hotels such an easy target for hackers?
DJ – Hackers, identity thieves, stalkers and any other degenerate that preys on the personal information of the good people of the world place hotels high on their list of potential targets. In fact, hospitality is perennially in the top three most targeted industries. Why? For starters, there is a lot of data, like credit card data, of course. However, beyond financial information, hotels have access to and process a veritable treasure trove of personal information. And in some luxury locations that offer extras such as spa treatments, they may even have sensitive health-related information. And hospitality is labor-intensive; it takes a lot of people to run a hotel. And to run the hotel with excellence via the kind of personalized attention that today’s guests expect, the hotel must equip hotel staff with a plethora of technological tools. So, these are the ingredients to the recipe for a data protection challenge in the hospitality industry; there are loads of data with multiple points of access to multiple systems that are utilized by teams of people whose primary objective is to be open, welcoming, and accommodating.
DC -
2. What specific areas can hoteliers focus on to better protect their customers’ data?
DJ – Most data breaches are the result of human error. Equipping a hotel staff with the tools to identify suspicious behavior as well as competently follow data protection protocol is vitally important. Conducting an inventory of their information landscape is another way to better protect customer data. How and why? Identifying what information the organization has and who has access to it is a key first step in the pursuit of a data strategy. Such an effort is also recognized as a must-do activity for organizations seeking compliance with data privacy laws such as the European Union’s GDPR.
3. How can a hotel team make a case to their executive team to invest more resources into data security and maintaining PCI and PII compliancy?
DJ – Making a case for compliance should be relatively straightforward; establishing compliance to standards such as PCI DSS and laws such as GDPR must be seen, quite simply, as a cost of doing business. Compliance for many organizations may be conceived as a cost-center initiative, however. Such a conversation rarely ignites the imaginations of company executives. Smart businesses, however, recognize that formulating and following a data strategy that leverages their data assets while building a relationship of trust with those individuals that they’d like to make or maintain as their customers is the winning approach in today’s world.
4. If a hotel experiences a data breach, what steps should a business take going forward to prevent this from occurring again?
DJ – See my response to question two (2) regarding “specific areas to better protect” above.
5. With all the data breaches that seem to be occurring, how can hoteliers demonstrate to customers and potential customers that they are PCI and PII Compliant?
DJ – Completed and attested SAQs along with results from quarterly network scans are essential elements to demonstrating PCI DSS compliance. David Christiansen, VENZA’s CIO, can explain this further, and better than anyone I know. As for compliance to PII legislation, this becomes a little more involved and potentially more complicated. While individual US states may have statutes that are aimed to protect personally identifiable information (PII), there is no uniform federal law within the US. A recently proposed Data Care Act in the US Senate might mean a change to that. Regardless, while not the only accountability-based privacy law on Planet Earth, the European GDPR has emerged as something of the gold standard. Compliance to GDPR requires organizations to demonstrate that they’ve implemented the principle of privacy-by-design in all activities (processing, storing, etc.) relating to personal data. Attaining a state of compliance typically requires a large-scale coordination of multiple departments from legal to IT to operations to marketing and, of course, human resources.
6. Do you see PCI compliancy standards expanding to include alternative payment methods such as virtual cards and digital wallets?
DC - For new payment types, the PERMANENT identifying number (account or ID) that is tied to the money or credit source will have to be protected no matter what. For the midterm, when it comes to maintaining its relevance, the PCI Council must address alternative payments as they come and weigh the risk associated with them and their underlying technology. As technology and payment methods advance, the use of cards will decrease and the PCI DSS standard will eventually become obsolete and be replaced by newer standards or regulations.