Hotel Data Security – PCI Compliance and PII Security Explained

The integration of technology in hotels is quickly becoming a popular standard in global hospitality thanks to growing guest demands. As it happens, technology has proven to attract new guests, significantly reduce costs, and improve staff efficiency in hotels. The downside, however, is the threat to these hospitality technologies.

An array of digital touchpoints integrated into hotels, including POS, websites, local hotel databases, signage systems, robot concierges, mobile apps and other tech, brings increased risk. Prominent names including Marriott International, Hilton, Hyatt Hotels Corp., and Intercontinental Hotels Group have already fallen victim to massive cyberattacks compromising terabytes of sensitive guest data.

A sound cyber security infrastructure is now essential for hotels that deploy technologies across their properties. Kevin Davis Insurance names the three most common cyber security threats that hotels experience: point-of-sale attacks, ransomware, and personal information theft over Wi-Fi.

PCI (Payment Card Industry) Compliance Standards

PCI compliance standards are one of the most comprehensive and robust frameworks governing the security of guest payment data in hotels. Payment data theft affects the integrity of the global card payment ecosystem, as the official PCI security standards website establishes. So what exactly is PCI compliance?

“PCI or PCI-DSS (Payment Card Industry Data Security Standards) are a comprehensive set of principles & rules for any company that accepts cards for transactions.”

A significant payment card data breach leads to loss of customer trust in banks, loss in merchant credibility & revenue, and the resulting liabilities for all parties involved. The standards ensure the greatest security when processing card payments and handling this data.

Since 2006, the PCI Security Standards Council has administered PCI-DSS compliance and management. PCI compliance is built on 12 rigorous guidelines to achieve 6 goals for highly secure payments.

How We Help Your Hotel Achieve PCI Compliance

Advanced Hospitality Technologies has offered expert PCI compliance & training services to clients, providing them a ‘Simple Secure Solution’ to protect payment data. Our vast experience and in-house best practices lay the foundation of an adamantine security infrastructure assuring ironclad protection of guest payment data.

Apart from integrating the 12 core PCI standards, we test payment gateways with our own security protocols, ensuring robust payment security. As an added measure, we constantly monitor hotel card payment services to assess their security, remediate systems where improvements are needed, and present the results in meaningful reports.

Protection of P.I.I. or Personally Identifiable Information

Today, hotels carry a mass of information about their guests, everything from names & addresses to their card payment information. The protection of this information is the responsibility of the hotel; as mentioned earlier, theft of personal information is one of the most common cyber threats for hotels.

Before we move on to the ramifications of losing such information, let’s quickly go over what exactly PII is.

What is Personally Identifiable Information?

Personally Identifiable Information (PII) is defined as sensitive information that can be used to contact, identify, or locate a particular person. The US National Institute of Standards & Technology (NIST) defines it as:

“… any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Examples of personally identifiable information include:

  • Names (e.g. full name, maiden name, mother’s maiden name, or aliases)
  • Personal identification numbers (e.g. social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card numbers)
  • Addresses (e.g. street address, office address, email address)
  • Asset information (e.g. Internet Protocol (IP), Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or a small well-defined group of people)
  • Telephone numbers (e.g. mobile, business, and personal numbers)
  • Personal characteristics (e.g. photographic image, x-rays, fingerprints, biometric images or template data (e.g., retina scan, voice signature, facial geometry))
  • Information identifying personally owned property, such as vehicle registration number or title number and related information
  • Information about an individual that is linked or linkable to one of the above (e.g. date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

The Importance of Securing P.I.I.

Hotels are required to proactively protect this information and are bound to take security measures to secure it from unauthorized access, theft, and loss. Any compromise of personal information can lead to dire consequences, both financial and reputational. Take the case of Marriott International’s massive data breach in November 2018.

After the data of close to 500 million guests who had stayed at properties of the global hospitality giant since 2014 was breached and stolen, the company is now facing multiple lawsuits. Irrespective of how the data was breached, the financial consequences can be huge and can be accompanied by severe reputational damage.

How Advanced Hospitality Assists in Securing Personal Information at Your Hotel

With over two decades of experience, a team of professional security analysts, and an array of cyber security technologies at our disposal, we design state-of-the-art security infrastructures at hotels.

Following a standardized procedure, we:

  • Identify all types of P.I.I. your hotel must secure
  • Prioritize personal information security
  • Identify & prioritize where your guests’ P.I.I. is stored
  • Create an Acceptable Use Policy (A.U.P.) for guests
  • Educate your employees about your A.U.P. & Data Access Policies

For more information on how we can help reinforce your cyber security infrastructure, contact one of our expert consultants on call at 510.900.5990, over live chat on our website, or email us at info@advhtech.com.