The Definitive Guide to PCI Compliance for Hotels

The Payment Card Industry Data Security Standard (PCI DSS), is an information security standard that encompasses a detailed set of regulations for businesses to manage and secure payment card data. It was established by the Payment Card Industry Security Standards Council (PCI SSC), which is an alliance of the five major credit card companies – VISA, American Express, JCB, Discover, and MasterCard. These card providers created the guidelines to ensure that a baseline of security requirements was established to protect cardholder data and to accommodate emerging payment methods.

If your hotel accepts, stores, processes, or transmits cardholder data – regardless of the size and transaction volume – then you’re expected to comply with PCI DSS.

PCI compliance and PCI certification are not interchangeable. PCI certification refers to the process of conducting a full-scale audit of a company via third party to ensure it is following proper procedure necessary to become compliant. PCI compliance is the set of requirements which a business uses as guidelines for safe operation while managing customer data, and adherence to these requirements can be self-assessed.

PCI Compliance

PCI compliance is a set of requirements that serve as guidelines for businesses to operate safely while managing customer data, and has become the standard for accepting, storing, processing and transmitting credit cards. Compliance is achieved by consistently adhering to the requirements set by the PCI SSC. While PCI compliance is not legally mandated, and therefore businesses who fail to become compliant won’t face criminal charges, if a breach occurs and they were not compliant, they could face steep fines and other fallout. PCI compliance is achieved by completing a self-assessment questionnaire that states that the company is following all the necessary guidelines and that the proper requirements are being met. Typically, attaining compliance takes less than a month, however, maintaining PCI compliance involves the development and daily maintenance of cardholder data protection policies and procedures. PCI compliance is a necessity when it comes to keeping your customers’ data safe from hackers and fraudsters. When you’re PCI compliant, your customers know that you have taken the steps to help protect their data.

Core requirements for PCI compliance includes the following:

• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

PCI Certification

PCI certification refers to the comprehensive process by which a full-scale audit of a company is conducted to ensure the business is in fact following the proper procedures to protect data. The assessment is much the same as the one conducted in the self-assessment, however, to reach PCI certification, the audit must be performed by a third party, trusted qualified security assessor (QSA). The QSA will review and validate all aspects of the business that touch cardholder data.

Achieving PCI certification is an intensive process, lasting up to six months and examining and authenticating hundreds of aspects of the businesses, including:

• How the software was developed
• How the developers are trained
• Technical and procedure controls

Ensuring your company is not only PCI compliant, but also PCI certified, adds an extra layer of trust for your customers. The investment shows not only your dedication and commitment to protecting your customers, but also shows how much you value them and is a way to repay their trust in your company.

It’s important to understand the requirements for the self-assessment questionnaire involved in PCI compliance and the audit performed to achieve PCI certification are essentially the same. The main difference is the verification process for certification is done by a third party, trusted QSA. Essentially, PCI compliance is a claim, whereas PCI certification is proof that a business is doing everything in their power to protect valuable data.

While the self-assessment for achieving PCI compliance is a good practice, it’s even better to get an audit done by a professional.

By achieving PCI certification, you’re assuring your customers that you’ve taken greater precautions to protect them and their personal information, thereby instilling a greater sense of trust. This, more than anything, will show your customers how much you care and will go a long way in creating loyal customers for life.

The Definitive Guide to PCI Compliance for Hotels

Download the Guide

While all three deal with security and managing personal information, GDPR and CCPA are separate from PCI compliance. Compliance with each set of guidelines for the GDPR and CCPA varies based on your hotel’s location in the world and how you collect and use guest data. Expand the next two questions to learn the details of each program and rules, and to determine if these compliance standards apply to your property.

While they both deal with issues of security and personal information, they are two separate entities. GDPR, which stands for General Data Protection Regulation, provides a set of rules for safeguarding personal information within the European Union (EU).

The main goals of the GDPR are to:

• Provide more control over personal data and give individuals the right to access, correct, erase, or port their personal data.
• Strengthen the minimum requirements for ensuring protection of personal data.
• Establish standardized practices for data protection across the EU and ensure the legitimate transfer of personal data within and beyond the EU.

The new rules have expanded the definition of personal data to include location data, IP addresses, and more. Under the new law, hotels would need to explain to all guests the ways in which they are being surveilled or recorded, and the guest would need to give their consent to be surveilled.

The GDPR will effectively end the “implied consent” businesses have been practicing for years. Businesses will have to get consent every time they deal with personal information, whether storing emails, collecting information from online behavior tracking, etc. Almost every company collects some kind of personal data, but no longer will companies be able to sell customer’s data without their consent or knowledge. Individuals will also have the right to withdraw their consent at any time even if they’ve already given it.

Rules and regulations for the GDPR apply to any business that sells a good or service to, or monitors, anyone in the EU, regardless of whether the business has a physical presence in the EU. Noncompliance can cost companies up to €20,000,000 in fines, or 4% of the company’s total global revenue.

The California Consumer Privacy Act (CCPA), is a new law in California aimed at protecting customers from having their data sold without their consent or knowledge. Modeled after the GDPR, the law was formed to protect consumers’ personal data and give them more control/rights over the information companies collect, store and share. The law was established due to growing concern after Cambridge Analytica gained access to private information from Facebook.

Any company that does business in California and has a global revenue of more than $25 million is subject to the CCPA. It also affects companies that collect or receive data of 50,000 or more California consumers, electronic devices, households, or those who get at least 50% of their revenue from selling personal information.

The CCPA gives consumers the right to know what information businesses are collecting from them as well as what they do with it – be that sharing, selling, or transferring the data. The law also gives consumers the ability to have their information erased from any database where it’s been stored.

The types of data protected by the law are wide in scope and include names, addresses, Social Security, passport, email, internet browsing histories, purchasing histories, health information, employment information, education records, data from GPS, and more.

Fraudsters looking for easy points of entry are finding hotels to be particularly vulnerable, thus increasing the number of attacks occurring in the hospitality industry.

While protecting yourself against every possible risk can prove an impossible task, prioritizing which threats are the most critical can help you focus your security efforts on what matters the most. Creating a comprehensive security plan and performing regular penetration tests and vulnerability scans will go a long way in protecting your hotel from breaches.

Additionally, being aware of your weaknesses will help you understand potential threats that are putting your hotel in danger and where they are coming from.

Not only is it important to understand why PCI compliance is necessary, knowing the cost of noncompliance and the consequences is perhaps even more important.

When a security breach occurs you:

• Become liable to lawsuits by your guests
• Risk your reputation
• Can lose guest loyalty and business
• Suffer fees from the PCI SSC

Penalties for non-compliant hotels can be anywhere in the range from $5,000 to $100,000 per month.

Following a security breach, your revenue can take a drastic hit from a multitude of directions. In addition to the financial aspect, and perhaps even more damaging in the long run, is the loss of guests and trust. Your guests need to feel that their credit card information is safe with your hotel.

We all know the devastating effect a data breach has on a hotel’s reputation and business. Once a hotel is compromised, gaining back the trust they lost is an uphill battle. And in the meantime, your previously loyal guests will turn to a hotel who they believe is more able to protect their data.

You need to show your guests that their personal and financial information is going to be safe. One way you can put your guests at ease is by letting them know that you’re PCI compliant. It should be immediately obvious that you’re compliant whether a guest is on your website, or at your front desk. Something as simple as including a verification seal at the front desk or online when a guest makes a reservation goes a long way to ensuring your guest’s trust.

And if you aren’t yet PCI compliant, you can use the checklist on page 10 to get started on becoming PCI compliant. Set your business on the right track by assessing your current situation and looking for ways to increase your security and your customers’ confidence in you.

Save to Read Later or Share with Your Team. Use the link below to access your copy of a PCI compliance checklist for hotels:

View the Checklist

1. Perform a formal risk assessment and determine what weaknesses your hotel may have.
2. Reduce the risk of a breach by implementing a security awareness training program for your employees on the importance of data security and PCI compliance.
3. Install security patches on all applicable systems within a month of release to prevent breaches.
4. Implement the necessary security systems and test them frequently to ensure effectiveness against a multitude of attacks, and consider implementing monitoring systems to alert you of potential breaches.
5. Create a cyber incident response plan and make sure your employees are aware of what to do in various situations and respond as efficiently as possible.
6. Review your PCI compliance status (compliance level, which questionnaire applies to your environment, if you’re a merchant vs. a service provider, etc.) and make sure your validation is still current.
7. Know which individuals in your business have access to critical systems and keep access limited to a trusted few using the principle of least privilege.
8. Run periodic penetration tests and vulnerability scans to detect weaknesses and exploits in your critical systems.
9. Remediate all weaknesses and exploits found in the penetration tests and vulnerability scans and double down on securing your infrastructure.
10. Review what resources you already have available and look for outside solutions that can provide better security for your hotel.

Hoteliers have to be conscious of the possible points of entry into their property because even a single breach can cause irreparable damage to their reputation.

Unfortunately, the potential for a breach in the hospitality industry is exponentially higher than other industries. Multiple entry points and the knowledge that hotels hold sensitive data for millions of people lead criminals to target hotels.

Expand the questions below to learn what’s involved in a data breach for a hotel and the average duration of a compromise.

Hoteliers have to be conscious of the possible points of entry in their property because even a single breach can cause irreparable damage to their reputation.

Unfortunately, the potential for a breach in the hospitality industry is exponentially higher than other industries. Multiple entry points and the knowledge that hotels hold sensitive data for millions of people lead criminals to target hotels.

Being aware of where your weak spots are is critical in preventing attacks from occurring. Continued training for employees on how to spot criminals and what behavior to look for will be key in stopping attacks before they happen. And staying ahead of data security trends will give you a leg up against cybercriminals who view your hotel as an easy mark.

Knowing where your hotel is vulnerable to attack and keeping a watchful eye out for criminals is critical in protecting yourself from those who would try to take advantage of potential weaknesses.

5 areas hotels are vulnerable to attack:

• Corporate/Internal Network
• eCommerce
• Point-of-Sale
• Physical Attacks
• Interconnected Systems

When a breach occurs, it can take a business an extended period of time to detect and resolve it, during which, the affected data records remain exposed. According to a report by Trustwave, a data breach, from the day of the initial intrusion to the day the breach is contained, can be broken down into three categories:

• Intrusion: the date the hacker gained unauthorized access to the victim’s systems.
• Detection: the date when the victim or another party identifies a breach occurred.
• Containment: the date when the hacker no longer has access to the victim’s systems and the records are no longer exposed.

Overall, it takes an average of 46 days to resolve a cyberattack and costs a total of $973,130. For a mega breach (breaches of more than 1 million records), the average time to detect and resolve the breach is 365 days.

Multifactor authentication is one of the simplest and most effective methods to defend against breaches. Companies should make sure this is something they are implementing in their everyday business processes.

Cybersecurity laws are continuously changing to accommodate the evolving landscape of hotel technology and cybercriminal activity. However, the laws can only react and keep up, not predict and stay ahead. Hoteliers will need to rely on their own skills and team members to remain protected and safe.

A good idea for any hotel is to run an audit to detect unusual activity. Doing so can help to prevent attacks from happening in the first place and it creates a safe environment to store data.

Human error is also a huge factor and something you must always account for. You can’t expect employees to be on high alert and watchful over every aspect of the hotel. It always pays to be proactive. Don’t wait until a breach happens to make changes to your security plan and implement measures to keep your guests’ information safe.

Expand the next two sections to gain insight into actionable things you can do at your hotel to be more compliant.

EMV Chip Readers

If you haven’t already, work toward implementing EMV chip readers into your property. EMV, which stands for Europay, Mastercard, and Visa, is a global standard for cards equipped with computer chip technology as well as the terminals used to authenticate chip card transactions.

EMV chip readers are better suited for preventing criminals from using “skimmers” to replicate cardholder data and create false credit cards. Skimmers can be installed easily over existing payment terminals and are used to collect information from the cards used in transactions. Criminals can then use the data to create fake credit cards.

And with advances in technology, many skimmers are now Bluetooth enabled and can transmit data without the need to physically extract the information from the device. To combat this, anyone who works with physical card readers must be trained on what to look for and how to detect a skimmer that’s been installed over the terminal.

Additionally, it’s easier to collect data from stripe cards than the more secure chip card – the magnetic stripe on cards holds all the information for the cardholder, including the PAN, name, address, and CVV, and is easily stolen by criminals using a skimmer.

How EMV chip cards and terminals help reduce fraud:

• Much harder to duplicate a chip card
• Minimizes the use of swipe for chip compatible cards (which would be fake)
• Minimizes the ability for thieves to use stolen cards in-store

While this should be more than enough incentive, as of 2018 less than half of hotels (42%) had yet to implement EMV terminals.

Beginning in 2015, there was a liability shift and merchants who haven’t switched to a chip card are now liable for fraudulent card use. Previously, the issuing bank was liable.

The shift has had a huge impact (as reported by Visa):

• Counterfeit fraud has dropped by 76% for merchants who completed the chip upgrade.
• Over 2.9 million merchants now accept chip cards, representing 63% of US storefronts.
• In March 2018, 97% of card-present Visa transactions involved EMV cards

However, this doesn’t prevent card-not-present (CNP) fraud. In fact, there has been an increase in CNP because criminals are shifting away from physical transactions due to EMV terminals, and because online systems have no way to tell if it’s a stripe or chip card.

Merchants like the check-out process to be as seamless as possible, often prioritizing this over data security. This is especially true of the hospitality industry where the guest experience is the highest priority. Many choose not to perform many or any validations at check-out and will take the risk of fraud over the risk of losing a guest.

Hotels may want to consider offering alternative payment options. By embracing the technology age, including local payments, hoteliers can offer their guests a better experience.

Accepting local payment methods will go a long way in preventing payment fraud. These types of payments offer significant improvements in security since the merchant never sees the card information (they can only see a token). Whereas before, the merchant had full access to the card information including the PAN and even stored it in their system.

Therefore, by offering local payments, liability for the merchant is effectively removed. Not only does this improve your security, local payment methods can serve to speed up the check-in process and boost guest satisfaction. Giving guests the freedom to pay how they want is more important than ever, and something they’ll expect as apps and features such as PayPal and Apple Pay become an everyday integration into people’s lives.

Local payment methods and where they’re popular:

• Americas: Bancario, Santander, Citibanamex, Apple Pay, Google Pay, PayPal
• Europe & Middle East: Giropay, SEPA, Sofort/Klarna, Paysafecard, IDEAL
• Asia/APAC: WeChat Pay, Alipay, China, UnionPay

It’s important to note that technology is constantly evolving, and as new innovations emerge, the security of these developments should be carefully considered before implementing them in your hotel.

When a breach occurs, it can take a business an extended period of time to detect and resolve it, during which, the affected data records remain exposed. According to a report by Trustwave, a data breach, from the day of the initial intrusion to the day the breach is contained, can be broken down into three categories:

• Intrusion: the date the hacker gained unauthorized access to the victim’s systems.
• Detection: the date when the victim or another party identifies a breach occurred.
• Containment: the date when the hacker no longer has access to the victim’s systems and the records are no longer exposed.

Overall, it takes an average of 46 days to resolve a cyberattack and costs a total of $973,130. For a mega breach (breaches of more than 1 million records), the average time to detect and resolve the breach is 365 days.

Multifactor authentication is one of the simplest and most effective methods to defend against breaches. Companies should make sure this is something they are implementing in their everyday business processes.