Today’s cyber-criminals are finding new and increasingly sophisticated ways of stealing sensitive customer data from hotel websites, systems, and mobile platforms – even at a hotel’s front desk.
And what could a security breach of a hotel’s systems or that of their partners lead to? Investigations, serious damage to their reputation, and loss of consumer trust, to name but a few immediate consequences – not to mention thousands of dollars in penalties and fines.
Hotels need to ask themselves: What if it was my hotel guests’ data that was hacked into?
Let’s look at the stats
More than 148 million travellers today use the Internet to make reservations for their hotels, tours and activities – totalling 57 percent of all travel reservations made each year. A whopping 74 percent of travellers from the U.S. alone make use of credit cards while travelling – citing convenience, theft protection and easier tracking of purchases as the top reasons.
According to data from payment systems industry information provider Nilson, credit card use in the U.S. will jump by 42 percent from 2012 to 2018, accounting for $120 billion in transactions.
Hotels, in particular, are an active hotspot for credit card fraud. A study by Trustwave’s SpiderLabs showed that of 218 data breach investigations from 24 countries, 38 percent of the attacks occurred on hotels and, of the data stolen, 98 percent was credit card information.
For a hotel, it’s not enough to have an SSL certificate on its website, nor can it rely solely on third-party payment services such as PayPal or Google Checkout to handle its guests’ credit card security. Hotels need security at every level of their systems – from their website, booking engine and channel management platform, to their front desk.
Payment Card Industry Data Security Standard (PCI DSS) has changed the way the travel industry approaches safety standards relating to how credit card payments are handled and processed. While not a legal requirement per se, the Standard is mandated by the major card brands – including Visa, MasterCard, American Express, Discover and JCB – as part of their merchant agreements.
The Standard, designed to help prevent payment card fraud, applies to any business involved in the processing, storing or transmitting of cardholder data, regardless of the transaction volume or dollar value involved. Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – PCI DSS applies to that purchase.
Case study: Wyndham Hotel Group
Fines are steep, but they’re not all a hotel should worry about. A security breach can tarnish their reputation in a very public way.
Take the case of Wyndham Hotel Group. From 2008 to 2009, Wyndham suffered two major data breaches, affecting more than 600,000 customers who suffered losses of $10.6 million. In addition to having to make reparations to each customer individually, the company has been subject to two lawsuits.
For the industry, one of the main challenges is the lack of awareness among hotels that their mere ‘touch’ of credit cards means they must be PCI DSS compliant – even if that ‘touch’ simply involves taking down a credit card number over the phone once a year.
Keeping your guests’ data secure
Ironically, too many businesses today expend millions of dollars in marketing and guest entertainment, only to ignore the most basic of business requirements: security.
Protecting sensitive customer data can be a huge task, requiring vast amounts of time, resources and technical know-how. One of the first things a hotel should do is select the right technology partners who can assist them in the process.
If a hotel is not sure about a partner, it should ask: Is the partner 100 percent PCI DSS compliant across all its products? Can it provide documentation to prove compliance?
Their security and that of their customers should feature on the checklist of every hotelier. If they are not actively protecting their guests’ credit card data, they are putting their business and customers at serious risk.
While no technology guarantees 100 percent protection from hacking threats, a partner that can offer best-of-breed technology, combined with the security that comes with PCI DSS compliance, provides hotels and their customers the highest level of assurance possible.
This content is created collaboratively in partnership with our sponsor SiteMinder.