Share | |
Mr. Filsinger

Security & Safety

Protecting Guests, Protecting Reputations: The Risks of Not Securing Guest Transactional Data

By James Filsinger, Chief Executive Officer, EZYield

In a world where everyone is increasingly engaged with online transactional systems, it is readily apparent that the convenience afforded by live information sharing and online payment services must be balanced and underscored by a solid security framework. In the hotel sector, where card payment technology to book rooms and for actual transactions during guest stays is common, it becomes a much higher priority. Smart hoteliers can combat this risk by adhering to the Payment Card Industry Data Security Standard (PCI DSS).

PCI compliance is a hot issue especially in the world of reservation processing. As the online travel industry moves away from manual data entry towards automated reservation delivery, many hotels and vendors are finding themselves having to comply with data protection standards that rival those that need to be met by governments and international banks.

The need for security compliance in the hospitality sector was recently highlighted by Trustwave, a Visa Qualified Forensic Investigator (QFI), who stated, “research investigated more than 210 card compromise incident investigations, of which 38% occurred in the hospitality sector.”(1) This figure is alarming, and highlights the particular vulnerabilities the hotel sector faces around guest data security and how attractive the sector is to hackers.

Protecting Vulnerabilities

For too long, the hotel sector has been viewed as a soft target by hackers seeking to steal guest data. While some hoteliers are taking guest data security seriously, there are still too many operators using inadequate technology and processes to fully protect data. Indeed, even in sectors where it is thought that a PCI DSS would be level one, this isn’t always the case, and we’ve seen fairly simple security flaws highlighted earlier this year with attacks on Citigroup, Sony and security company, Lockheed Martin.(2)

Any breach of data security is serious, and can have severe consequences in terms of loss of revenue, but also for the business’s reputation and customer loyalty. It goes without saying that no guest wants to risk staying at a hotel if they are not confident that their personal information is safe. As a result, it is more important than ever to reassure customers that there are solid security measures in place to protect their information through online booking tools and when using credit cards within the actual hotel.

Minimizing Fear is as Important as Eliminating Risk

Research put out by the US Federal Trade Commission has stated that “six times as much revenue is lost each year to fear of fraud than to actual fraud.”(3) Credit card fraud is a growing concern for customers, with a CyberSource survey conducted in 2009 revealing that “71% of consumers are concerned with the level of risk when shopping over the web, an increase of 5% over 2008”(4). These concerns are not surprising considering there are several factors that can undermine security efforts, including weak default system passwords, inadequate firewalling and insecure remote access applications. Hoteliers have to recognize the concerns of customers around the risk of fraudulent activity and make it a priority to focus on developing trust and loyalty. This is often done by ensuring they operate at the highest level of security compliance.

To adequately protect guest data, it is not enough to simply purchase new technology. Software, hardware, firewalls and encryption programs are important, but without proper staff training, constantly monitoring of transactions and data access, and ensuring that all hotel vendors operate with proper security systems themselves, guests can still be left at risk.

Understanding Regulations

To protect the viability of a hotel business and manage customers’ interests, it is imperative that hoteliers understand how the payment card industry is regulated. The chief body in charge of monitoring and assessing security in the field is the PCI Security Standards Council. This body was established by the major credit card companies in September 2006 as an independent organization to manage the Payment Card Industry Data Security Standard (PCI DSS). According to the Council, “compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customer’s payment card data secure.”(5) While security compliance (and non-compliance penalties) ultimately come under the banner of individual payment brands’ protocols, rather than the Council, the guidelines established by the Council provide a firm framework for hotel businesses to operate within. While most hoteliers realize some level of security compliance is necessary for effective operation, the decision as to what level of security is provided still comes back to the individual hotels and vendors. The compliance process is assessed and adhered to at a particular level depending on the needs and priorities of these individual businesses. There are four levels of compliance outlined by the Council, each with specific adherence requirements. Level one merchants are those that process over six million Visa or Mastercard transactions per year. The levels are tiered to down to four, where the merchant processes no more than 20,000 e-commerce transactions annually.(6) Therefore, the size of the business will determine which level it falls under, as self-evidently a larger hotel is likely to process more transactions. Until a vendor is processing several million credit card transactions per year, the level of compliance they are expected to meet is rather subjective.

In order to be classed as a Level One PCI compliant vendor, an independently authorized auditor must assess the vendor annually. As part of this process, an auditor will perform several independent scans of the vendor's environment and will require regular internal and external scans. These people verify that all requirements have been met by collecting documented evidence for each and every requirement. They also verify that the vendor has regular reviews of its compliance procedures throughout the year and has mechanisms in place to detect and respond to potential threats both from the outside world, and from within the company itself. Since it requires the most rigorous monitoring, Level One compliance constitutes best practice and makes sense that businesses that operate at the highest security level are expected to be more reputable and yield higher profits.

The PCI Security Standards Council offers training and advice to hoteliers to assist with ongoing compliance within the business framework and there are self-assessment questionnaires readily available that hotels and vendors can engage with to assess compliance. What this means for hotels that rely on vendors to handle their most sensitive data is clear: a vendor can claim PCI compliance by filling out a self-assessment questionnaire and performing an automated software scan every three months. This level of compliance may just be suitable for a small e-commerce store but it could mean disaster for hotels that rely on secure processing of sensitive data and who process thousands of credit card transactions on a daily basis. Using a Level One compliant vendor such as EZYield for critical business needs is the smartest way to ensure that the data is safe.

Building a Secure Culture

The risks and reputation damage to the business in the event of a security breach should be weighed up as significant motivation for engaging with security processes of the highest level. However, a culture of security awareness at all levels of a hotel business will go a long way towards counteracting breaches. The risk to reputation and revenue should provide the incentive for large (and ultimately all sizes) businesses to operate at the highest level to ensure security best practice. However, true security is not only about having a seal of approval: it also demands the establishment of a culture of protecting your customers and your data. To have real peace-of-mind, data security should not just be an annual or quarterly review but instead a mission embraced by all ranks within an organization and its partners. Several layers of security should shield sensitive data and multiple steps should be required when accessing data in its raw unencrypted form.

Practical Advice

There are a series of steps that hoteliers should look to take to maximize security around guest data (that doesn’t involve turning your facility into Fort Knox) and these are:

• Create a proactive security protocol: It’s important to ensure that there are the right supporting protocols to complement the technical aspects of compliance. Ensuring that your staff is aware of not only how things work, but how it is implemented at a practical level, and how it affects their roles will ensure that the system is easily integrated into the operation.
• Know your vulnerability points: Whether it’s making sure that all your web transactions and connections are secure, or simply ensuring that the brand website is as protected against hacking as possible, get across it. Additionally, with external providers and in-house operations such as CRS/PMS; CRM systems and connections between OTAs and PMS, ensure that they’re as secure as you are.
• Ensure PCI level one security from all transaction vendors: While this seems to make sense, if you’re only finding out that your transaction vendors are level two or below after an event, it’s far too late.
• Periodic reviews: While it’s a step in the right direction to implement these processes, it’s just as important to maintain them. Just because you’ve bought the car, doesn’t mean that you shouldn’t take it in for a service to keep it running at its best.

The hotel sector is particularly at risk because there are often outside vendors involved in the card payment process. If security guidelines are adhered to across every department of the business, and a security conscious culture is reinforced, then a comprehensive approach to maintaining appropriate compliance will be achieved. The benefits of utilizing online payment methods are clear. However, to be truly competitive and safeguard a reputation for being secure, hotels need to actively engage with credit card security compliance measures (or at lease employ partners who do) and make an effort to keep updated on the current standards that are in place. For the hospitality industry, the jump to automating data delivery to property-level systems means sharing critical data across multiple vendors. This leap, however, does not have to mean greater risk for hotels and their customers. By utilizing PCI certified partners, hoteliers around the world can be confident that not only is guest data protected, but their own hotels reputations are safeguarded against the growing threat of fraud in the hotel sector.

References:
1. “Protecting Cardholder Data for Hospitality Businesses Accepting Payment Cards Through Multiple Channels: Hotels, Motels and Lodging”
2. http://www.theregister.co.uk/2011/06/14/citigroup_website_hack_simple/
3. http://www.ethoca.com/fraud-intel/bid/36951/Fear-of-Online-Credit-Card-Fraud-Shrinks-Pool-of-Good-Customers
4. http://www.ethoca.com/fraud-intel/bid/36951/Fear-of-Online-Credit-Card-Fraud-Shrinks-Pool-of-Good-Customers
5. https://www.pcisecuritystandards.org/merchants/
6.“Protecting Cardholder Data for Hospitality Businesses Accepting Payment Cards Through Multiple Channels: Hotels, Motels and Lodging” https://www.trustwave.com/whitePapersRequest.php

A veteran of more than 14 years in the travel industry, James Filsinger was appointed CEO of EZYield in November 2010. EZYield is the originator and industry leader of automated online distribution management solutions for the worldwide hospitality industry. More than 3,500 hotels in 92 countries utilize EZYield’s advanced channel management software to streamline the distribution of rates and inventory to 500 forward distribution channels in multiple languages and 168 currencies. Prior to joining EZYield, Mr. Filsinger served as CEO and General Manager for Moneydirect Ltd., an international joint venture between Sabre Inc. and Amadeus IT. As launch CEO, he successfully led the company through an aggressive global expansion to proactively address changing market conditions and anticipate client needs and requests for future product and service capabilities. Mr. Filsinger can be contacted at 321-765-8486 or jfilsinger@ezyield.com Extended Bio...

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.

Receive our daily newsletter with the latest breaking news and hotel management best practices.
Hotel Business Review on Facebook
RESOURCE CENTER - SEARCH ARCHIVES
General Search:

MAY: The Hotel Spa
High Value Marketing

Jason Guest

Wireless Internet is changing the way business gets done in the hotel industry. There's a tremendous demand for wireless access - for overnight guests and even for conferences and trade shows. It's not just for email and Web surfing anymore. Video streaming, audio streaming and voice-over-IP are all competing for the same Internet pipe. This is compounded by the growing trend for trade shows and conferences to offer high-speed wireless data service to their attendees, which can slow Internet traffic to a crawl. This demand means opportunities for new revenue streams. Wireless has also created new ways for hotels to connect with their guests to generate loyalty. READ MORE

Derek Wood

In today’s ever increasing ‘digital age’ the importance of providing a quality High Speed Internet Access system for your guests is more important than ever. The recent huge increase in mobile wi-fi devices has just added a new dimension to the problem. And yet to many hotels this service is seen as cumbersome, expensive non-revenue generating and does not rank highly at senior management level when increasing guest satisfaction is being discussed. This article examines some of the issues facing the hotelier today and suggests a few ways to overcome the problems. READ MORE

Roger Crellin

Much to the chagrin of property owners, free WiFi has become a guest expectation rather than a perk. Since the free WiFi model was introduced, hotel operators have faced the rapid adoption of bandwidth-hungry mobile devices such as tablets and smartphones. Not only do guests expect free WiFi, but they also expect ease of use and constant connectivity, similar to what they experience at home. What was once a means to improve satisfaction and engender loyalty, free WiFi that underperforms can actually have the opposite effect, causing dissatisfaction and frustration with a property that doesn’t provide a positive experience. READ MORE

Terence Ronson

As mentioned in a previous article, prior to the birth of IOS (Apple’s operating system), truthfully, we only scratched the surface and played around with implementing Wi-Fi in Hotels. But now, four years later with millions and millions of IOS devices in the hands of millions and millions of our loving guests, this has become the most disruptive of technologies in the modern era. That along with the creation of the smartphone and its Big Brother - the TAB – where there are sales predictions of 153 million units next year, and climbing to 232 million by 2016. This has set loose a tsunami of unparalleled demand - for a strangely invisible service! No wonder CIO’s call Wi-Fi a four-letter word. For the sake of repeating myself, today’s Hotel Wi-Fi network (and more critically tomorrow’s) is one of the principal areas in which your hotel will be judged. READ MORE

Coming Up In The June Online Hotel Business Review

"Hotel Business Review offers weekly articles for hotel management and operation and discussion on emerging growth markets."
Feature Focus
Hotel Sustainable Development: Principles and Best Practices
Sustainability is now a daily topic that affects every facet of hotel development and operations. As hotelier Hervé Houdré recently noted "The goal of Sustainable Development is clearly to secure economic development, social equity, and environmental protection. As much as they could work in harmony, these goals sometimes work against each other". In the June Hotel Business Review, some of the industry's most recognized sustainable development experts come together to identify emerging trends and discuss how sustainability is currently affecting the hotel industry. Each author presents the most important aspects of sustainable development of much interest to hotel owners, operators, investors and developers. We include perspectives and case studies on best practices from leading hotel groups and other industry players.
INSIGHTS FOR INDUSTRY LEADERS BY INDUSTRY LEADERS
"300,000 Rooms Complete, 15,700,000 to Go"
By Larry Mogelonsky, President and Founder, LMA Communications
"Destination Earth: A Customized Approach to Sustainability"
By Mark Hickey, Senior Vice President of U.S. Hotel Operations, Destination Hotels
"Why This New Standard is Going to change Hotel Energy Management Forever?"
By Robert Allender, Managing Director, Energy Resources Management
"How Two Major Hotel Companies are Turning Sustainability into Tangible Business Advantage"
By Christopher Wood, Director of Social Responsibility, ASAE Convene Green Alliance
PLUS: Green Certification - Development & Investment Outlook - Case Studies - Green Design – Sustainable Development Strategies - Green Luxury - CSR Programs - Green Facility Management