Guarantee Secure Credit Transactions Before you Swipe that Card

By Bob Carr, Chairman & CEO, Heartland Payment Systems

There's no denying that credit card fraud is on the rise. A 2007 report from the Association for Payments Professionals found 72 percent of 3,000 members surveyed had been victims of actual or attempted fraud in 2006. That's up from 68 percent in 2005.

Unfortunately, 80 percent of data compromises originate through small merchants (those generating less than 20,000 e-commerce transactions or a million total transactions annually), according to Visa USA.

These smaller merchants, such as independently owned hotels, don't always have the technology to provide the secure systems needed in today's increasingly risky financial world. Worse, many hotel owners dismiss the problem because they think they are protected by their merchant acquirers. But they are not.

Indeed, as payment technology becomes more sophisticated, so do hackers' and thieves' methods for stealing sensitive information. And the results can be disastrous for any business, regardless of size.

For example, Massachusetts-based TJX Companies Inc., the world's leading off-price apparel and home fashions retailer, experienced a major customer credit and debit card data breach last January. It turned out to be the most expensive cybercrime ever recorded, with over 45.6 million customer credit and debit card numbers stolen.

Besides $150 million in breach costs, the company now faces FTC investigations and over a dozen lawsuits, with some litigation seeking tens of millions of dollars in damages. Analysts project the breach could ultimately cost TJX anywhere from $500 million to nearly $1 billion in expenses.

Beyond monetary loss, security breaches can also tarnish a hotel's reputation. While security is the responsibility of both the hotel and its merchant acquirer, cleaning up after a breach falls on the hotel, as it is its name that will make headlines and ultimately pay the price of the fraud.

In addition, to ensure that security is a priority, the Payment Card Industry (PCI) Security Standards Council -- an independent organization formed by Visa, MasterCard, American Express, Discover Financial Services and JCB International -- is cracking down on business owners with its new Data Security Standards (DSS) -- a move that could cost hotel owners big bucks.

The PCI DSS contains steps to protect organizations, customers, and the card processing system from fraud. The steps include requirements for security management, payment policies, data storage procedures, network architecture, software design and other payment system measures.

While the Council develops and maintains these standards to tighten security, each card company independently implements and enforces those standards.

Now, hotels that don't comply with PCI regulations face stiff fines. In 2006, the card companies leveled fines totaling some $4.6 million to card processors of non-compliant merchants around the country -- and these fines were passed directly to the businesses.

For hoteliers accepting credit or debit cards branded by any of the five major card companies, the message is simple: You are required to uphold and comply with the PCI DSS. Failure to do so may result in fines, even without evidence that your system was compromised.

In the past, card companies have not enforced PCI DSS equally across the board, so it has been overlooked by some businesses and their card processors. However, that is no longer the case. In fact, Visa recently announced a five-phase approach to eliminate the use of non-secure payment applications for all merchants. In short, this means all hoteliers, regardless of size, need to address security issues immediately.

The good news is that it's not hard to avoid fines. You simply need to understand the PCI DSS's six core principles and work with your card processor and other technology providers to meet the standards.

Here is an overview of the six tenets of PCI DSS.

  1. Build and Maintain a Secure Network. Choose, install and maintain an up-to-date network firewall, antivirus and anti-spyware programs. And always change the default password for your programs, firewall, routers, computers and other systems. This ensures only authorized persons can log on to your various network resources. Hackers know every product's default password. Their first line of attack will be to try to access your network using these well-known logon credentials. If you change all of your passwords, this type of attack will fail.

  2. Protect Cardholder Data. Encrypt all transmissions across open, public networks. Encryption software is required for point-of-sale (POS) systems connected to the Internet for cardholder data transmission. Also, it's imperative you only store guest data that's essential to the business, such as receipts and reports. Sensitive information, such as magnetic stripe data or card validation codes, should never be stored beyond what is required for business, legal, or regulatory purposes.

  3. Maintain a Vulnerability Management Program. If you're using a credit card payment software application or a point-of-sale terminal with a debit card PIN pad, you should ask your card processor to verify its compliance and request an upgrade for outdated equipment or applications. Dated systems without proper software face an exponentially higher risk for network breaches and data theft.

  4. Implement Strong Access Control Measures. Only allow the most senior company employees to have access to cardholder data. Protect access by issuing user IDs and passwords and assigning access control rights through your network.

  5. Regularly Monitor and Test Networks. This includes computers, POS systems and anything storing or processing cardholder data. Maintain tracking records to demonstrate your security systems and processes are regularly tested and validated.

  6. Maintain an Information Security Policy. Document and maintain an enforceable policy that addresses details of information security. All employees handling sensitive information should know and understand the rules.

If it sounds daunting, consider this: it's less overwhelming than a six-figure fine. As a first step, find out if you're compliant by taking the required PCI DSS Annual Self-Assessment Questionnaire available online at http://tinyurl.com/2ayk9w. Next, make sure your merchant acquirer is serious about the security of your business and your customers.

Many hotel owners also depend on their merchant acquirers to supply them with the tools that help monitor transactions and flag suspicious activity. Yet many merchant acquirers have not implemented the required technology. If they have, they may not have made the full financial investment required for the most up-to-date technology that will completely protect their systems.

This lack of transaction and fraud monitoring leaves hotels exposed and vulnerable to hacking. And once hacked, they often don't have the resources to effectively recover from the security breach.

That's why The Merchant Bill of Rights -- developed in 2006 by Heartland Payment Systems in conjunction with trade associations in several states -- educates merchants on how to help protect their businesses from the ravages of cyber crime.

By knowing the risks, you can take the necessary steps to prevent fraud. The Merchant Bill of Rights calls for the knowledge that every company -- no matter how small -- has the right to the same real-time fraud and transaction monitoring systems as large companies. And every business has the right to the most up-to-date technology to keep its customers' credit, debit, and PIN numbers safe.

The bottom line: No hotel can afford a security breach, and every company has the right to stop it. Although updating systems with the most current security measures and monitoring transactions for fraud can be costly, the price for security is ultimately much cheaper than the alternative.

Bob Carr is chairman and chief executive officer of Heartland Payment Systems, the nation’s fifth largest payments processor and the official preferred provider of card processing, gift marketing, check management, payroll and tip management services for the American Hotel & Lodging Association and 38 state lodging associations. In line with Heartland’s commitment to merchant advocacy and education, Mr. Carr spearheaded The Merchant Bill of Rights (www.merchantbillofrights.org) to promote fair credit and debit card processing practices for all business owners. He has also been a driving force in the enhancement of payment card security with E3™ (www.E3secure.com), Heartland’s end-to-end encryption technology. Mr. Carr can be contacted at Bob.Carr@e-hps.com.

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.
