Planning for a Future Beyond PCI: Risk-Based Security for Hotels

Man pays with a credit card at the front desk of a hotel

When you mention the “Payment Card Industry Data Security Standard (PCI DSS)” to people in the hospitality industry, you usually get one of three reactions:

  1. “The cost and complexity associated with PCI DSS is so overwhelming, we’re just not doing anything and crossing our fingers.”
  2. “We’re compliant; we’ve checked the boxes on all 12 requirements.”
  3. “We’re compliant; in fact, we think PCI is great because it gives us our security framework.”

The first reaction generally comes from organizations that would rather risk being fined than spending the time and money complying with PCI. And if this approach seems shocking, it shouldn’t. According to Verizon’s The State of PCI DSS Compliance 2018 report, only 38.5 percent of hospitality organizations comply with PCI.

Yet, the latter two reactions are just as risky as the first. Many organizations take a “check the box” approach to compliance, where their goal is to “get this off their plate” rather than to implement proper security. The third reaction is especially troubling because PCI is not a security framework—it is simply a baseline regulation targeting a single risk factor: credit card data. All three reactions have separate but equally disastrous consequences both for the organization and its customers.

  • Ignoring PCI puts cardholder data at an increased risk of being compromised by malicious actors, while simultaneously making the organization subject to fines.
  • The checklist approach may very well protect customer credit card data, but it neglects to safeguard customers’ personally identifiable information (PII) collected through online booking platforms, customer loyalty programs and other marketing initiatives.
  • Lastly, using PCI as an entire security framework gives organizations a false sense of security, because it only addresses credit card data security.

PII in the Crosshairs

Risk in the hospitality industry is moving away from PCI-governed data and toward PII. The adoption of EMV chip cards in the United States has made credit card transactions more secure at the point of sale, and PCI has put basic safeguards in place to protect card data. As a result, cyber-criminals, who are always looking for the “easy score,” have moved on and are now targeting loyalty programs and other sources of PII.


What’s the value in PII? With PII, cyber-criminals can steal guests’ identities for any number of fraudulent activities. One relatively common scam is for a malicious actor to use stolen PII to drain hotel customers’ loyalty points by purchasing various goods and services. Because people tend not to pay much attention to loyalty programs until it’s time to use the points, they rarely notice this fraudulent activity until it’s too late. When customers do notice the fraud and complain to the hotel, the hotel loses on several fronts: first, on the rooms that were booked from the fraud; second, on restoring the lost points to the customer; and third, reputational damage and a loss of customers.

Worse yet, if the hotelier wasn’t PCI compliant, the hackers could compromise credit card information. The hotelier would then be responsible for charge-backs on any credit card fraud and subject to potential PCI fines.

Shifting Waters

While PCI has been a positive first step in inspiring hospitality organizations to provide at least some security for customer data, it’s only a baby step. Today’s adversaries have wide-ranging fraud schemes where PII is just as, or more, valuable than credit card data.

The hospitality industry must understand this trend and plan for a future that extends beyond PCI, and into comprehensive risk-based security. The goal is to implement a comprehensive, risk-based security program that treats PCI and other regulations as a component of the program, rather than the architecture for the program. The fundamentals of the program should center around data governance:

  • Understanding where important data is and how it should be used, as well as who is likely to attack it, and how they’re likely to do it.
  • Implementing the appropriate controls to protect and manage that data so it not only complies with relevant regulations, but also becomes a very difficult target for the bad guys.

Understanding that regulatory compliance is not security will free hospitality organizations to move beyond “PCI tunnel-vision” and into a more holistic, effective, and risk-based approach to security.


Want more industry news and tips?

Subscribe to LODGING

Previous articleUpgrading Hotel Game Rooms with Virtual Reality
Next articleTurnberry Isle Miami To Become JW Marriott Miami Turnberry Resort & Spa
Dustin Owens is the vice president/general manager of risk and compliance advisory at Optiv Security. Prior to joining Optiv, Owens was the director of security advisory services at DXC Technology. Before that, Owens held security leadership positions at companies such as Hewlett Packard Enterprise, BT, and International Network Services (INS).