
The Definitive Guide to Hotel PCI Compliance


PCI compliance is a technical and complex topic. Since hotels manage cardholder data, understanding and maintaining PCI compliance is vital to success. This guide shares everything you need to know, from what PCI compliance is to tips for achieving compliance.

Hotel PCI Compliance 101

The Payment Card Industry Data Security Standard (PCI DSS) is a detailed set of regulations for businesses managing payment card data to follow. It was established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB. The guidelines ensure that a minimum set of security requirements is met in order to protect cardholder data and accommodate emerging payment methods.

If your hotel accepts, stores, processes, or transmits cardholder data – regardless of transaction amount and volume – then you’re expected to comply with PCI DSS.

Fraudsters looking for easy points of entry find hotels to be particularly vulnerable and therefore easy targets, increasing the number of attacks occurring in the hospitality industry.

The five common areas where hotels are vulnerable to attack are:

  • Corporate/Internal Network
  • eCommerce
  • Point-of-Sale
  • Physical Attacks
  • Interconnected Systems

When a security breach occurs, you:

  • Become liable to lawsuits by your guests
  • Risk your reputation
  • Can lose guest loyalty and business
  • Suffer fees from the PCI SSC

Penalties for non-compliant hotels can range from $5,000 to $100,000 per month.


Your guests need to feel that their credit card information is safe with your hotel. One way you can put your guests at ease is by letting them know that you’re PCI compliant. It should be immediately obvious that you’re compliant whether a guest is on your website or at your front desk. Something as simple as including a verification seal at the front desk or online when a guest makes a reservation goes a long way to ensuring your guest’s trust.

When a breach occurs, it can take a business an extended period of time to detect and resolve it, during which the affected data records remain exposed. According to a report by Trustwave, a data breach, from the day of the initial intrusion to the day the breach is contained, can be broken down into three categories:

  • Intrusion: the date the hacker gained unauthorized access to the victim’s systems.
  • Detection: the date when the victim or another party identifies a breach occurred.
  • Containment: the date when the hacker no longer has access to the victim’s systems and the records are no longer exposed.

Overall, it takes an average of 46 days to resolve a cyberattack and costs a total of $973,130. For a mega breach (breaches of more than 1 million records), the average time to detect and resolve the breach is 365 days.

Multifactor authentication is one of the simplest and most effective methods to defend against breaches. Companies should make sure this is something they are implementing in their everyday business processes.

PCI Compliance

PCI compliance is a set of requirements that serve as guidelines for businesses to operate safely while managing customer data, and has become the standard for accepting, storing, processing, and transmitting credit cards. Compliance is achieved by consistently adhering to the requirements set by the PCI SSC. While PCI compliance is not legally mandated, and therefore businesses who fail to become compliant won’t face criminal charges, if a breach occurs and you're not compliant, you could face steep fines and other fallout.

PCI compliance is achieved by completing a self-assessment questionnaire that states that your company is following all the necessary guidelines and that the proper requirements are being met. Typically, attaining compliance takes less than a month; however, maintaining PCI compliance involves the development and daily maintenance of cardholder data protection policies and procedures.

PCI compliance is a necessity when it comes to keeping your customers’ data safe from hackers and fraudsters. When you’re PCI compliant, your customers know that you have taken the steps to help protect their data.

Core requirements for PCI compliance include the following:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

PCI Certification

PCI certification refers to the comprehensive process by which a full-scale audit of a company is conducted to ensure the business is in fact following the proper procedures to protect data. The assessment is much the same as the one conducted in the self-assessment; however, to reach PCI certification, the audit must be performed by a third-party, trusted qualified security assessor (QSA). The QSA will review and validate all aspects of your business that touch cardholder data.

Achieving PCI certification is an intensive process, lasting up to six months and examining and authenticating hundreds of aspects of a business, including:

  • How the software was developed
  • How the developers are trained
  • Technical and procedural controls

Ensuring you're not only PCI compliant but also PCI certified adds an extra layer of trust for your customers. The investment shows not only your dedication and commitment to protecting your customers but how much you value them and appreciate their trust in your company.

Hotel Best Practices

Cybersecurity laws are continuously changing to accommodate the evolving landscape of hotel technology and cybercriminal activity. However, the laws can only react and keep up, not predict and proactively defend. Hoteliers need to rely on their own skills and team members to remain protected and safe.

If you aren’t yet PCI compliant, you can use our checklist to get started. Here are some tips to keep in mind:

  1. Perform a formal risk assessment and determine what weaknesses your hotel may have.
  2. Review what resources you already have available and look for outside solutions that can provide better security for your hotel.
  3. Reduce the risk of a breach by implementing a security awareness training program for your employees on the importance of data security and PCI compliance.
  4. Know which individuals in your business have access to critical systems and keep access limited to a trusted few using the principle of least privilege.
  5. Create a cyber incident response plan and make sure your employees know what to do in various situations and can respond as efficiently as possible.
  6. Implement the necessary security systems and test them frequently to ensure effectiveness against a multitude of attacks, and consider implementing monitoring systems to alert you of potential breaches.
  7. Install security patches on all applicable systems within a month of release to prevent breaches.
  8. Regularly review your PCI compliance status and make sure your validation is still current.
  9. Run periodic penetration tests and vulnerability scans to detect weaknesses and exploits in your critical systems.
  10. Remediate all weaknesses and exploits found in the penetration tests and vulnerability scans and double down on securing your infrastructure.

If you haven’t already, work toward implementing EMV chip readers at your property. EMV (Europay, Mastercard, and Visa) is a global standard for cards equipped with computer chip technology, as well as the terminals used to authenticate chip card transactions.

EMV chip readers are better suited to preventing criminals from using “skimmers” to replicate cardholder data and create false credit cards. Skimmers can be installed easily over existing payment terminals and are used to collect information from the cards used in transactions. With advances in technology, many skimmers are now Bluetooth enabled and can transmit data without the need to physically extract the information from the device.

To combat this, anyone who works with physical card readers must be trained on what to look for and how to detect a skimmer that’s been installed over the terminal. Additionally, it’s easier to collect data from swipe cards than the more secure chip card, since the magnetic stripe on swipe cards holds all the information for the cardholder, including the PAN, name, address, and CVV, and is easily stolen by criminals using a skimmer.

Beginning in 2015, there was a liability shift, and merchants who haven’t switched to chip cards are now liable for fraudulent card use. Previously, the issuing bank was liable.

The shift has had a huge impact (as reported by Visa):

  • Counterfeit fraud has dropped by 76% for merchants who completed the chip upgrade.
  • Over 2.9 million merchants now accept chip cards, representing 63% of US storefronts.
  • In March 2018, 97% of card-present Visa transactions involved EMV cards.

However, this doesn’t prevent card-not-present (CNP) fraud. In fact, there has been an increase in CNP because criminals are shifting away from physical transactions due to EMV terminals, and because online systems have no way to tell if it’s a stripe or chip card. To protect yourself against CNP fraud, implement

Merchants like the check-out process to be as seamless as possible, often prioritizing this over data security. This is especially true of the hospitality industry where the guest experience is the highest priority. Many choose not to perform many or any validations at check-out and will take the risk of fraud over the risk of losing a guest.

The EMV liability shift doesn’t protect you from card-not-present (CNP) fraud. However, 3-D Secure (3DS) can.

3DS is a newer security standard you can adopt to secure online payment transactions and reduce the risk of unauthorized charges. The best part: most cardholders are automatically enrolled for 3DS by their card issuer, so taking advantage of 3DS is easy for merchants. 

3DS adds a layer of protection to a payment transaction by requiring cardholders to authenticate their identity before the transaction can be completed. It protects merchants like you, too. That’s because 3DS shifts payment liability back to the card issuer – so if fraudulent chargebacks occur, they’re responsible for mitigating the problem. This is a valuable tradeoff for implementing payment authentication. Chargebacks result in lost revenue and lost time, so fewer chargebacks means spending more time closing business and taking better care of your customers. Plus, you’ll avoid potential chargeback fees.

Aside from increasing revenue, the implementation of a payment authentication step shows that you care about protecting your customers and their information. As e-commerce activity inevitably increases, it’s important to implement the strongest security measures possible, including authentication measures, so your customers find you reliable and trustworthy.

Local payment methods offer significant improvements in security since the merchant never sees the card information, just a token. Therefore, liability for the merchant is effectively removed.

Not only does this improve your security; it can also make your guests’ check-in process more convenient. Giving guests the freedom to pay how they want is more important than ever, and something they’ll expect as apps and features such as PayPal and Apple Pay become an everyday part of people’s lives.

Here are some local payment methods to keep in mind:

  • Americas: Bancario, Santander, Citibanamex, Apple Pay, Google Pay, PayPal
  • Europe & Middle East: Giropay, SEPA, Sofort/Klarna, Paysafecard, IDEAL
  • Asia/APAC: WeChat Pay, Alipay, China UnionPay

It’s important to note that technology is constantly evolving, and as new innovations emerge, the security of these developments should be carefully considered before implementing them in your hotel.

Customer Success Story

Learn how multiple teams at the Hilton Garden Inn/Homewood Suites San Diego took guest security and PCI compliance a step further by digitizing credit card authorization forms.

Additional Compliance Requirements

General Data Protection Regulation (GDPR) provides a set of rules for safeguarding personal information within the European Union (EU).

The main goals of the GDPR are to:

  • Provide more control over personal data and give individuals the right to access, correct, erase, or port their personal data.
  • Strengthen the minimum requirements for ensuring protection of personal data.
  • Establish standardized practices for data protection across the EU and ensure the legitimate transfer of personal data within and beyond the EU.

The new rules have expanded the definition of personal data to include location data, IP addresses, and more. Under the new law, hotels would need to explain to all guests the ways in which they are being surveilled or recorded, and the guest would need to give their consent.

The GDPR will effectively end the “implied consent” businesses have been practicing for years. Businesses will have to get consent every time they deal with personal information, such as storing emails and collecting information from online behavior tracking. Almost every business collects some kind of personal data, but no longer will businesses be able to sell customer data without their consent or knowledge. Individuals will also have the right to withdraw their consent at any time even if they’ve already given it.

Rules and regulations for the GDPR apply to any business that sells a good or service to, or monitors, anyone in the EU, regardless of whether the business has a physical presence in the EU. Noncompliance can cost companies up to €20,000,000 in fines or 4% of the company’s total global revenue.

The California Consumer Privacy Act (CCPA) is a new law in California aimed at protecting customers from having their data sold without their consent or knowledge. Modeled after the GDPR, the law was formed to protect consumers’ personal data and give them more control and rights over the information companies collect, store, and share. The law was established due to growing concern after Cambridge Analytica gained access to private information from Facebook.

Any company that does business in California and has a global revenue of more than $25 million is subject to the CCPA. It also affects companies that collect or receive data of 50,000 or more California consumers, electronic devices, households, or those who get at least 50% of their revenue from selling personal information.

The CCPA gives consumers the right to know what information businesses are collecting from them, as well as what they do with it – be that sharing, selling, or transferring the data. The law also gives consumers the ability to have their information erased from any database where it’s been stored.

The types of data protected by the law are wide in scope and include names, addresses, Social Security numbers, passport information, emails, internet browsing histories, purchasing histories, health information, employment information, education records, data from GPS, and more.