The lodging industry has the highest prevalence of credit card hacking attempts, which is why it’s imperative that hotels protect their guests’ cardholder data.
“When you think about data security and the lodging industry, it is a much more complex environment than a traditional retailer or restaurateur when it comes to credit card processing,” especially at full-service hotels, says William Collins, executive director of vertical marketing strategy for Heartland Payment Systems.
Not only are front desk employees interacting with the property management system when guests check in, the concierge might take a credit card to book show tickets for a guest, or the sales director could be planning an event and writing credit card information down on a piece of paper. “Every time that they collect that information and store it, there is an opportunity for a hacker or a breach to occur,” Collins says.
If a hotel system is breached, the cost to hoteliers depends on how long it takes to detect the breach and how many credit cards were exposed. Costs include determining what happened and how to fix it, paying credit card companies and banks for the actual data breach, and potential legal issues. There is also the cost to a hotel’s reputation, and of finding ways to rebuild customer confidence.
In addition to Payment Card Industry (PCI) compliance, hotels can put additional security safeguards in place to prevent a breach. Solutions offered by payments processors and security/technology providers include end-to-end encryption, which scrambles cardholder data so it can’t be read and assists in protecting the data before it enters the payment system.
“If you’re swiping a card, or keying a card in, that data gets encrypted at the point that you’re entering it,” Collins says. “It doesn’t do any good for you to process a transaction and then encrypt it and store it in your system because that’s where [hackers] are looking for it, as it’s in transit.”
New technologies that are combined with end-to-end encryption, such as tokenization, create a stronger system with which to safeguard data and protect against fraud. Tokenization replaces cardholder data obtained during a card transaction with a “token” in a hotel’s system. “It looks like a credit card, but you cannot tie it back to a credit card,” Collins says. The data is stored so when employees need to access this information, whether to issue a refund or for another reason, they can retrieve it.
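The split that tokenization creates can be sketched in code. This is an added example, not code from Heartland or any payment processor: the class names `ProcessorVault` and `HotelPMS` are hypothetical, keeping the last four digits and forcing tokens to fail the Luhn check are design choices of this sketch, and the card number used with it is the standard constructed test number.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn check that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Stands in for the processor side: the only place the card number lives."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        while True:
            # Random digits, not derived from the card number: nothing to reverse.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]         # last four kept for receipts (assumption)
            # Reject tokens that could pass as a real card or collide with another.
            if not luhn_ok(token) and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def refund(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The card number is used here, inside the vault, and never returned.
        return {"status": "refunded", "amount_cents": amount_cents, "last4": pan[-4:]}

class HotelPMS:
    """Hotel-side record store: holds tokens only."""
    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.folios = {}

    def check_in(self, guest: str, pan: str) -> None:
        self.folios[guest] = self.vault.tokenize(pan)   # card number is not kept

    def refund(self, guest: str, amount_cents: int) -> dict:
        return self.vault.refund(self.folios[guest], amount_cents)
```

A dump of `HotelPMS.folios` yields only tokens, which have no mathematical relationship to the card numbers they replace.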
With regard to technologies that offer protection against cybercriminals, Collins says hotels are a bit behind other industries. “Part of the reason is, they have so many different systems that they’re interacting with and integrating with, it’s more expensive,” he says. “They might not know everything that’s available and might not know best practices to help collect and control that data, but also they don’t necessarily want to invest in the technology to deliver solutions.”
Overall, Collins stresses that hotels should get credit card data out of their environment. “There’s no need for a lodging operator to have credit card data in their systems, on their premises.”