We live in a world where electronic commerce has become THE way to make purchases for most users, and information is more valuable, and more delicate, than ever. The PCI DSS standard (most hoteliers will have heard of it at some stage) protects clients' data when they pay through the hotel's electronic channels, for example its website.
Large chains such as Hyatt, Hilton and Marriott have recently suffered breaches of their security systems that affected the data of hundreds of clients. Whatever the size of the hotel, data protection is essential nowadays to maintain client trust. A single security breach can lead to large fines, a loss of consumer trust and, with it, a loss of future loyalty.
The standard, developed by the PCI Security Standards Council and created by the main credit card companies, protects the security of data related to those cards, whether at a physical POS or in an online payment gateway. Unfortunately, no system is 100% foolproof: the certificate does not guarantee that information theft will not occur. Even so, in the near future banks will require it from hotels of any size.
Is it mandatory for hotels to be up to date?
The law does not require hotels to achieve PCI DSS validation, but it will soon be essential for them to do so in order to keep operating normally. Until now, the requirement to meet this standard only affected hotel providers (booking engines, PMS vendors, channel managers, etc.), but soon banks will demand that hotels comply with it too, and no bank will work with a hotel that does not. They will also demand that hotels only work with external providers that scrupulously meet the standard.
What must hotels do to obtain the certificate?
Obtaining the PCI DSS certificate and keeping it up to date is laborious and expensive, both in the management work, which involves scanning the whole infrastructure to correct possible vulnerabilities and overhauling all the security policies, and in the process itself, which makes it essential to use a qualified certification company. It is important to highlight that this is a recurring process that must be renewed yearly to guarantee the secure environment that is required. In any case, the hotel will need to set aside a significant investment, one from which there is no direct financial return.
What does the PCI DSS validation require from hotels?
You can download the complete manual of procedures and requirements for adapting your hotel to the standard here, but in brief there are twelve requirements:
1) Install and maintain a secure firewall configuration.
2) Do not use vendor-supplied default settings and passwords.
3) Protect stored cardholder data.
4) Encrypt card data transmitted over open, public networks.
5) Keep all anti-virus software up to date.
6) Develop and maintain secure applications and systems.
7) Restrict access to cardholder data to those who need it for their job.
8) Assign a unique ID to each person with access to the systems.
9) Limit physical access to cardholder data.
10) Track and monitor all access to cardholder data.
11) Regularly test system security.
12) Maintain a solid security policy that covers everyone, from staff to clients.
Generally, adapting to the PCI DSS standard does not just mean an investment of time and money; it also makes hotel management more complicated in certain respects.
To start with, any hotel employee who has access to client data must have a unique user account, so that every use of that data can be monitored and any procedural error traced. In many cases it will be necessary to set up separate areas for the processes that handle cardholder data, starting with the fax machine, to install surveillance cameras in those areas and to control who enters and leaves them.
And of course, when it comes to hotel staff, it will be necessary to plan a series of training sessions for everyone who comes into contact with client data. This training must be continual, since the validation has to be renewed yearly.
How should hotels treat client’s card data?
Apart from extremely strict protection of the data both in storage and in transit, the standard only allows storage of the full card number, the name of the cardholder and the expiry date. Storing any card security code is forbidden, as is storing the full number in any non-approved system. The card data must be encrypted with robust encryption algorithms, may only be kept for the set retention period, and must be deleted securely once that period has passed.
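As an added illustration of the storage rule above (example code written for this article, not Idiso's own software): the persistence layer accepts only the three permitted elements, so the security code cannot reach it; the PAN is encrypted with AES-256-GCM and kept next to a masked copy for display. The field names, the 13-to-19-digit length check and the fixed 32-byte key are assumptions; key management and the retention-period deletion are outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// StoredCard holds only what may be retained: the encrypted PAN, cardholder
// name and expiry date. The security code is never passed to this layer.
type StoredCard struct {
	EncryptedPAN   []byte // nonce || AES-256-GCM ciphertext
	MaskedPAN      string // last four digits only, for screens and receipts
	Holder, Expiry string
}

func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key selects AES-256; cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size is always 16; cannot fail
	return gcm
}

// PrepareForStorage rejects PANs of impossible length (13 to 19 digits per
// ISO/IEC 7812), encrypts under a fresh nonce and keeps a masked copy.
func PrepareForStorage(pan, holder, expiry string, key [32]byte) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nonce, nonce, []byte(pan), nil) // nonce is prepended
	masked := strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
	return StoredCard{ct, masked, holder, expiry}, nil
}

// DecryptPAN recovers the full number for the one component that needs it;
// any tampering with the stored bytes makes gcm.Open return an error.
func DecryptPAN(sc StoredCard, key [32]byte) (string, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sc.EncryptedPAN) < n {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, sc.EncryptedPAN[:n], sc.EncryptedPAN[n:], nil)
	return string(pt), err
}
```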
Benefits of having the PCI DSS certification
It may seem that obtaining the PCI DSS certification is a very complicated and expensive process, and to be fair it is, but once set in motion it becomes a little easier to renew each year, bearing in mind that the standard evolves and there may be new requirements in the future. In any case, starting this process will soon no longer be an option but an obligation that all hotels must meet, so it is best to start as soon as possible.
Apart from this, the hotel should see the effort as a way of standing out and offering better service to its clients, mainly because of the following four points:
1) Client card data protection.
2) Maintaining client trust because of the higher level of data security.
3) Protection of brand reputation.
4) Decrease in possible financial and image loss derived from security breaches.
For the sixth year running, Idiso has passed the Payment Card Industry Data Security Standard assessment, and on the 27th of June received the Attestation of Compliance for the storage of credit card data when managing bookings and customer care. At Idiso we know that for any business to excel, the security of its clients' data is essential.