Skip to main content

How Hotels Can Improve PCI Compliance and Data Security

How can hotel teams be more proactive with data security?

It seems like every day we hear about another major data breach occurring, and lately, the hotel industry has been a prime target. Data breaches have become the “new norm” and anyone can be vulnerable if they aren’t educated.

While all businesses that handle credit card information and other sensitive data are expected to adhere to the PCI DSS standards, it’s become more challenging to stay ahead of cybercriminals while still maintaining a positive guest experience. However, part of shaping that guest experience includes protecting their personal information.

What can hotel teams do to reduce the potential of a data breach at their property?

Our Marketing Director, Jessica Hughey, spoke with VENZA’s Co-Founder and Partner Daniel Johnson, and CIO David Christiansen on why hotels are an easy target for cybercriminals, what specific areas can hotels reduce their risk of being breached, and what’s the future for PCI DSS standards with these emerging alternative payment methods.

Why are hotels such an easy target for hackers?

Daniel: Hackers, identity thieves, stalkers, and any other degenerate that preys on the personal information of the good people of the world place hotels high on their list of potential targets. In fact, hospitality is perennially in the top three most targeted industries. Why? For starters, there is a lot of data, like credit card data. However, beyond financial information, hotels have access to and process a veritable treasure trove of personal information. And in some luxury locations that offer extras such as spa treatments, they may even have sensitive health-related information. And hospitality is labor-intensive; it takes a lot of people to run a hotel. And to run the hotel with excellence via the kind of personalized attention that today’s guests expect, the hotel must equip hotel staff with a plethora of technological tools. So, these are the ingredients to the recipe for a data protection challenge in the hospitality industry. There are loads of data with multiple points of access to multiple systems that are utilized by teams of people whose primary objective is to be open, welcoming, and accommodating.

What specific areas can hoteliers focus on to better protect their customers’ data?

Daniel: Most data breaches are the result of human error. Equipping a hotel staff with the tools to identify suspicious behavior as well as competently follow data protection protocol is vitally important. Conducting an inventory of their information landscape is another way to better protect customer data. How and why? By identifying what information the organization has and who has access to it is a key first step in the pursuit of a data strategy. Such an effort is also recognized as a must-do activity for organizations seeking compliance against data privacy laws such as the European Union’s GDPR.

How can a hotel team make a case to their executive team to invest more resources into data security and maintaining PCI and PII Compliance? 

Daniel: Making a case for compliance should be relatively straight-forward; establishing compliance with standards such as PCI DSS and laws such as GDPR must be seen, quite simply, as a cost for doing business. However, compliance for many organizations may be conceived as a cost-center initiative. Such a conversation rarely ignites the imaginations of company executives. Smart businesses, however, recognize that formulating and following a data strategy that leverages their data assets while building a relationship of trust with those individuals that they’d like to make or maintain as their customers are the winning approaches in today’s world.

With all the data breaches that seem to be occurring, how can hoteliers demonstrate to customers and potential customers that they are PCI and PII compliant?

Daniel: Completed and attested SAQs along with results from quarterly network scans are essential elements to demonstrating PCI DSS compliance. As for compliance to PII legislation, this becomes a little more involved and potentially more complicated. While individual US states may have statutes that are aimed to protect Personally Identifiable Information (PII), there is no uniform federal law within the US. A recently proposed Data Care Act in the US Senate might mean a change to that. Regardless, while not the only accountability-based privacy law on planet Earth, the European GDPR has emerged as something of the gold standard. GDPR compliance requires organizations to demonstrate that they’ve implemented the principle of privacy-by-design in all activities (processing, storing, etc.) relating to personal data. Attaining a state of compliance typically requires large-scale coordination of multiple departments from legal to IT to operations to marketing and, of course, human resources.

Do you see PCI Compliance standards expanding to include alternative payment methods, such as virtual cards and digital wallets?

David: For new payment types, the PERMANENT identifying number (account or ID) that is tied to the money or credit source will have to be protected no matter what. For the midterm, when it comes to maintaining its relevance, the PCI Council must address alternative payments as they come and weigh the risk associated with it and its underlying technology. As technology and payment methods advance, the use of cards will decrease and the PCI DSS standard will eventually become obsolete and be replaced by newer standards or regulations.

We partnered with VENZA to bring you a guide that explains what areas in hotels cybercriminals are infiltrating and what steps you can take to reduce the risk of a data breach.

Download the guide to “PCI Compliance and Beyond – How Hotels Can Take a Security First-Approach” today.