With hotel booking channels adjusting to the mass adoption of smartphones, mobile payment providers like Apple Pay, Google Wallet, Square, and PayPal are on the upward trend, particularly with millennials. Since 2012, mobile channels have gone from handling 5 to 20 percent of all rooms booked. With the explosion of mobile pay capabilities in the latest phones, more hotel customers are looking for places to stay that seamlessly handle what, for them, is becoming as common as good old cash.
While mobile payments can increase a hotel’s efficiency and enhance guests’ experiences, a breach in security on this level could prove devastating to the brand. “In terms of security, everything always comes down to how well you’re securing the data,” adds Hogan. “If you don’t have transaction data stored safely, cyber criminals will be able to find it. Have a layered approach around EMV technology that also includes encryption and tokenization. Also, continually educate yourself, invest in upgrades, and stay ahead of the cyber criminal.”
Biometrics (voice recognition, fingerprint or retina scanning) is quickly becoming another method of user authentication. Apple’s Touch ID reads fingerprints on an iPhone 6 screen. Apple Pay, available on iPhone 6 and introduced last fall, involves the creation of a unique, device-specific token and security code at each transaction, which validates the user and purchase at the merchant level. Actual credit card data is exchanged only within the bank and payment network, not directly tied to the customer’s interaction with the merchant, removing the merchant from handling that data.
In Europe, MasterCard and Zwipe introduced a credit card that holds the user’s biometric data, and instead of entering a PIN, the merchant scans the cardholder’s fingerprint on the payment terminal. Like the chip and PIN, biometrics represents another step in the authentication process, another layer of security. Cracking this biometric technology and cloning new EMV cards is an expensive and time-consuming proposition for the would-be cyber criminal. But for him, too, this represents the new frontier. Because these new “mobile wallets” hold the key to more user information, it’s safe to assume everything will become more desirable to steal.
CONNECT THE DOTS
“There’s no one-size-fits-all way to implementing EMV,” says Dave Hogan. “Talk to whoever does your processing. They’re at the forefront of all this and are the best resource to learn what’s available and suited for your business.” He also suggests a few other steps to take.
1. Implement EMV and develop a written protocol. “Understand what your risks are and have a plan in place,” says Hogan. How secure is your processing now? How are you auditing the success and failure of your network? “If you upgrade your POS and maintain protocol, then you’re ultimately minimizing the cost of PCI compliance,” he adds.
2. Make sure your PMS system is PA-DSS certified. Meet all PCI benchmarks and perform network security scans to avoid breaches, which could lead to penalties and fines from card issuers, card replacement costs, increased transaction fees, costly forensic audits, and damage to your brand.
3. Investigate both contact and contactless EMV. Be sure to ask questions and know what you’re paying for. “Processors and terminal manufacturers like to add on data encryption fees and other charges,” says Hogan. Heartland developed a Merchant’s Bill of Rights, which includes the right to fairly priced equipment and knowledge of all related fees.
4. Investigate encryption and tokenization. Heartland uses a three-step method to ensure the safety and security of customer data. First, EMV electronic chip card technology is used to authenticate that a consumer’s card is genuine. Then, Heartland’s E3 end-to-end encryption technology immediately encrypts card data as it is entered so that no one else can read it. Finally, tokenization technology replaces card data with “tokens” that can be used for returns and repeat purchases, but are unusable by outsiders and have no value. Heartland’s model protects cardholder information throughout the life cycle of the transaction and eliminates merchant storage of cardholder data for card-on-file recurring usage.
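The tokenization step in item 4, sketched as an added example: this is not Heartland's code or API, and the `Processor` and `Hotel` classes, merchant IDs and card number are constructed for illustration. It models only the token vault (not EMV or E3 encryption) and assumes a token is bound to the merchant it was issued to.

```python
import secrets

class Processor:
    """Hypothetical processor-side vault: the only place a card number is kept."""
    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan)

    def first_sale(self, merchant_id, pan, cents):
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:], "cents": cents}

    def use_token(self, merchant_id, token, cents):
        """Repeat purchase (cents > 0) or return (cents < 0) against a token."""
        owner, pan = self._vault.get(token, (None, ""))
        if owner != merchant_id:
            # Unknown token, or one presented by a party it was not issued to.
            raise PermissionError("token not valid for this merchant")
        return {"token": token, "last4": pan[-4:], "cents": cents}

class Hotel:
    """Merchant side: keeps tokens on file, never card numbers."""
    def __init__(self, merchant_id, processor):
        self.merchant_id = merchant_id
        self.processor = processor
        self.on_file = {}  # guest_id -> token

    def check_in(self, guest_id, pan, cents):
        # pan stands for card data sent on to the processor; it is not stored here.
        receipt = self.processor.first_sale(self.merchant_id, pan, cents)
        self.on_file[guest_id] = receipt["token"]
        return receipt

    def charge_on_file(self, guest_id, cents):
        return self.processor.use_token(self.merchant_id, self.on_file[guest_id], cents)

def demo():
    processor = Processor()
    hotel = Hotel("hotel-001", processor)
    hotel.check_in("guest-7", "4111111111111111", 18900)  # constructed test number
    minibar = hotel.charge_on_file("guest-7", 1250)        # repeat purchase
    refund = hotel.charge_on_file("guest-7", -1250)        # return
    try:
        # A token copied out of the hotel's records, presented by another party.
        processor.use_token("other-shop", hotel.on_file["guest-7"], 99900)
        outsider_blocked = False
    except PermissionError:
        outsider_blocked = True
    return hotel, minibar, refund, outsider_blocked
```

After `demo()`, the hotel's `on_file` record holds only the `tok_...` value, which is what a breach of the merchant's systems would expose.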