PCI certification: How to ensure vendors secure your guests’ data
September 29, 2011 | Hotel Marketing
More than half of all credit card fraud is tied to transactions from the hospitality industry, the AH&LA estimates. Non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement puts hoteliers at great risk of legal liability to the customer and financial penalty.
By Michael Miller, Chief Technology Officer EZYield
In the travel industry, meeting and exceeding data security requirements is critically important, in terms of both liability and guest satisfaction. With the advent of automated reservation delivery in this sector, hotels are facing the reality that inadequate data security can be disastrous, resulting in lost revenue and a damaged reputation. More than half of all credit card fraud is tied to transactions from the hospitality industry, the American Hotel & Lodging Association estimates. Non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement puts hoteliers at great risk of legal liability to the customer and financial penalty, with possible fines of $500,000 or more. Maintaining stringent data security is an expectation of your guests, but don’t assume your technology vendor complies. Know what to look for from prospective vendors and understand how PCI compliance—or lack thereof—can impact your hotel’s bottom line.
Demand certification, not just compliance
Some hospitality technology vendors claim to be PCI-compliant, but such an assertion is largely meaningless because it lacks independent confirmation and amounts to simply checking a few boxes on a form questionnaire. Instead, seek out products that have achieved third-party Payment Card Industry Data Security Standard (PCI-DSS) certification by an unbiased auditor. PCI-DSS is a series of requirements designed to ensure that companies that process, store or transmit payment card information maintain a secure environment. Furthermore, ensure that the audit was conducted by a Qualified Security Assessor certified by the PCI Security Standards Council, the international umbrella organization that governs security standards for the payment card industry.
Confirm a committed corporate culture
Using a certified vendor is a critical step toward ensuring that guest data is safe, but that only goes so far. True data security requires a corporate culture committed to keeping private information private—it should be a mission embraced by all ranks within an organization and its partners. When evaluating a vendor partner, establish a firm understanding of what steps the vendor takes to create a culture of data security. Several layers of security should shield sensitive data and multiple steps should be required when accessing data in its raw, unencrypted form. Ask about data transfer processes and system/server security, along with an explanation of the company's internal processes to confirm ongoing employee compliance with PCI standards.
Cover the basics
Third-party PCI certification is the only way to know for certain that your vendor partner is meeting adequate data security standards, but there are a few simple criteria that, if not met, should be cause for immediate alarm. Verify that:
- Cardholder data and verification codes are masked or encrypted within the database
- Any printed or digital records—including receipts and guest folios—display no more than six digits of the card number
- Vendor software is programmed to automatically log off users after 15 minutes or less of inactivity, to help prevent unauthorized access to the system
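An added example (not from the article or from any vendor's code) of how a hotel could spot-check the second and third criteria: it scans folio or receipt text for card numbers that show more than six digits and applies the 15-minute idle limit. The function names, the folio layout and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MAX_VISIBLE_DIGITS = 6               # the article's limit for receipts and folios
IDLE_LIMIT = timedelta(minutes=15)   # the article's limit for automatic log-off

# Card-number-shaped token: 13-19 digits or mask characters (* X x), optionally
# separated by single spaces or hyphens (hypothetical folio formatting).
PAN_TOKEN = re.compile(r"(?<![\w*])(?:[\d*Xx][ -]?){12,18}[\d*Xx](?![\w*])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to skip unmasked numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_record(text: str) -> list[tuple[str, int]]:
    """Return (token, digits shown) for each card number showing more than six digits."""
    findings = []
    for match in PAN_TOKEN.finditer(text):
        token = match.group()
        digits = "".join(c for c in token if c.isdigit())
        masked = any(c in "*Xx" for c in token)
        # A fully unmasked token must pass Luhn, or it is probably a phone/booking number.
        if len(digits) > MAX_VISIBLE_DIGITS and (masked or luhn_ok(digits)):
            findings.append((token, len(digits)))
    return findings

def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a card number for display, leaving only the last `keep_last` digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

def session_expired(last_activity: datetime, now: datetime) -> bool:
    """True once a session has been idle for the 15-minute limit."""
    return now - last_activity >= IDLE_LIMIT

# Constructed folio lines (4111111111111111 is a well-known test card number).
SAMPLE_FOLIO = [
    "Room 1204  VISA 4111 1111 1111 1111  USD 389.00",
    "Room 0718  VISA 411111******1111  USD 212.50",
    "Room 0302  MC   ************4444  USD 145.00",
    "Booking ref 1234567890123  Tel 0015551234567",
]
```

A rendering that keeps the first six and last four digits shows ten digits in total, so the second sample line is flagged under the six-digit limit stated above.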
Finally, it is important to remember that while PCI certification is critically important for vendor partners, the hotel has a major role to play in securing guest data as well. PCI-DSS contains more than 200 individual requirements, many of which must be actively undertaken by hotel staff. For a complete list of PCI-DSS requirements, visit www.pcisecuritystandards.org.
In the event of a security breach involving guest data, consumers won’t care whether the fault lies with your hotel or with your vendor partner. It can have a devastating impact on public perception of your brand, your service reputation and overall guest satisfaction. Make sure your vendor understands risk management and takes data security seriously, lest you end up apologizing on their behalf to angry customers who have had their identities stolen and ultimately hold your hotel at fault.
Michael Miller is the Chief Technology Officer at EZYield. He leads the development and global implementation of advanced enterprise-level infrastructure for the company’s Fuzion Hospitality Suite of distribution management and connectivity solutions. Contact him at mmiller (at) ezield.com.