Every Hotel Needs Staff PCI Awareness & Training

PwC's 2018-2022 Hotels Outlook Report identifies hospitality as the second most breached industry in the world. The picture is similar in the USA, where hospitality ranks third, behind retail and finance.

The encouraging part is that hoteliers and hotel management companies are showing increasing interest in security technology. But the hospitality industry is not alone in having had enough of data breaches, card theft and identity theft. The U.S. Federal Trade Commission (FTC) has taken notice of the rising number of breaches and compliance failures at hotels.

The FTC Takes a Stand on Data Privacy Irregularities

After a year marked by data breaches and financial cybercrime, the FTC brought enforcement actions against several technology providers and businesses for failing to provide reasonable data security. In a January 6, 2020 blog post, the FTC also described three ways in which its data security orders have been strengthened; a hotel operator placed under such an order is bound by all three:

“First – the orders are more specific.

They continue to require that the company implement a comprehensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint.

Examples have included yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption. These requirements not only make the FTC’s expectations clearer to companies but also improve order enforceability.

Second – the orders increase third-party assessor accountability. 

We still rely on outside assessors to review the comprehensive data security program required by the orders, and now we require even more rigor in these assessments. For example, the orders clearly and specifically require assessors to identify evidence to support their conclusions, including independent sampling, employee interviews, and document review. 

The assessors must retain documents related to the assessment, and cannot refuse to provide those documents to the FTC on the basis of certain privileges. When FTC staff can access working papers and other materials, they are better able to investigate compliance and enforce orders. 

Perhaps most importantly, our new orders give us the authority to approve and re-approve assessors every two years. If an assessor falls down on the job, we will withhold approval and force the company to hire a different assessor.

Third – the orders elevate data security considerations to the C-Suite and Board level. 

For example, every year companies must now present their Board or similar governing body with their written information security program — and, notably, senior officers must now provide annual certifications of compliance to the FTC. This will force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year. 

Requiring these kinds of certifications under oath has been an effective compliance mechanism under other legal regimes (e.g., securities law), and we expect it will likewise ensure better year-round governance and controls regarding FTC data security orders.”

Staff Awareness & Training is a PCI Compliance Pre-requisite

The 12 requirements of the PCI DSS are the bible for CIOs and technology professionals in the hospitality industry. The U.S. FTC, the PCI Council and academics alike agree that staff training remains a crucial part of delivering secure, privacy-respecting guest experiences in hotels.

That said, the 9th Shred-it Data Protection Report found that “… 36 percent of hospitality business leaders also agree that breaches are ‘no big deal’ and are ‘blown out of proportion …’”. It is fair to say that some of those leaders are in for an expensive privacy lesson in 2020.

PCI DSS Requirement 12.6 – Formal Security Awareness Programs

Requirement 12.6 of the PCI DSS sets the scope of staff training and awareness for any business that handles cardholder data. The requirement reads as follows:

“Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.”

Requirement 12.6 is supported by two sub-requirements, 12.6.1 and 12.6.2, which state (respectively):

“Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data”, and

“Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.” In a hotel this reaches at least every staff member who has physical or logical access to cardholder data (CHD), whether or not they ever use that access; the requirement itself says “all personnel”, so the wider the net is cast, the better.

Security awareness training must be a routine program, not a one-off event: it is repeated exposure that builds a security- and privacy-minded culture in a hotel.

Protecting guests' personal data and card information must be part of a company-wide information security training program. Ensuring that staff are aware of cardholder data security, their own responsibilities and best practices is a prerequisite for attaining PCI compliance in hotels.
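The two sub-requirements quoted above are concrete enough to check mechanically: every employee must have been trained on hire and within the last year, and must have acknowledged the current policy within the last year. The script below is an added example, not code from the original post or from the PCI Council; it audits a constructed staff roster against 12.6.1 and 12.6.2. The roster format, the 30-day reading of "upon hire", the policy revision date and the sample names and dates are all assumptions made for the example. Both checks run over every employee, and the CHD-access flag only raises the severity of a finding; the policy-revision check catches a caveat auditors do look for, namely an acknowledgement signed against a policy version that has since been superseded.

```python
"""Audit staff training records against PCI DSS 12.6.1 and 12.6.2.

Added illustration, not code from the original post or from the PCI SSC.
The roster format, the 30-day onboarding window and the policy revision
date are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

ANNUAL = timedelta(days=365)            # "at least annually"
ONBOARDING_WINDOW = timedelta(days=30)  # assumed reading of "upon hire"


@dataclass
class StaffRecord:
    name: str
    role: str
    hired: date
    chd_access: bool                      # physical or logical access to CHD
    training_dates: list = field(default_factory=list)
    policy_acks: list = field(default_factory=list)


def audit_record(rec: StaffRecord, today: date, policy_effective: date) -> list:
    """Return a list of (requirement, severity, detail) findings; empty means compliant."""
    findings = []
    severity = "high" if rec.chd_access else "medium"

    # 12.6.1 -- educate upon hire
    first_training = min(rec.training_dates) if rec.training_dates else None
    if first_training is None:
        if today - rec.hired > ONBOARDING_WINDOW:
            findings.append(("12.6.1", severity, "no training recorded since hire"))
    elif first_training - rec.hired > ONBOARDING_WINDOW:
        gap = (first_training - rec.hired).days
        findings.append(("12.6.1", severity, f"first training {gap} days after hire"))

    # 12.6.1 -- and at least annually
    last_training = max(rec.training_dates) if rec.training_dates else None
    if last_training is not None and today - last_training > ANNUAL:
        findings.append(("12.6.1", severity, f"last training {(today - last_training).days} days ago"))

    # 12.6.2 -- annual acknowledgement that the policy was read and understood
    last_ack = max(rec.policy_acks) if rec.policy_acks else None
    if last_ack is None:
        if today - rec.hired > ONBOARDING_WINDOW:
            findings.append(("12.6.2", severity, "no policy acknowledgement on file"))
    else:
        if today - last_ack > ANNUAL:
            findings.append(("12.6.2", severity, f"last acknowledgement {(today - last_ack).days} days ago"))
        if last_ack < policy_effective:
            # An acknowledgement of a superseded policy version is no evidence for the current one.
            findings.append(("12.6.2", severity, "acknowledgement predates current policy revision"))
    return findings


def audit_roster(roster, today, policy_effective):
    """Map each employee name to its list of findings."""
    return {rec.name: audit_record(rec, today, policy_effective) for rec in roster}


# Constructed sample roster (fictional names and dates, fixed 'today' for repeatability).
TODAY = date(2020, 3, 1)
POLICY_EFFECTIVE = date(2019, 9, 1)   # assumed date of the latest policy revision
ROSTER = [
    StaffRecord("front desk agent A", "front desk", date(2017, 2, 1), True,
                [date(2017, 2, 3), date(2018, 2, 5), date(2019, 2, 4), date(2020, 2, 3)],
                [date(2019, 10, 1)]),
    StaffRecord("night auditor B", "finance", date(2016, 6, 1), True,
                [date(2016, 6, 2), date(2019, 1, 15)],
                [date(2019, 1, 15)]),
    StaffRecord("new hire C", "front desk", date(2020, 1, 10), True, [], []),
    StaffRecord("housekeeping D", "housekeeping", date(2018, 5, 1), False,
                [date(2018, 5, 2), date(2019, 5, 6)],
                [date(2019, 5, 6)]),
]

if __name__ == "__main__":
    for name, findings in audit_roster(ROSTER, TODAY, POLICY_EFFECTIVE).items():
        status = "OK" if not findings else "; ".join(
            f"{req} [{sev}] {detail}" for req, sev, detail in findings)
        print(f"{name:22s} {status}")
```

Run as-is, the agent with yearly training and a fresh acknowledgement passes; the night auditor is flagged three times (stale training, stale acknowledgement, and an acknowledgement of the old policy); the new hire is flagged for having neither record after 51 days; and the housekeeper, who has no CHD access, is flagged only because the acknowledgement predates the current policy revision. Feeding the same logic a real HR export is the quickest way to produce the evidence an assessor will ask for under 12.6.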

In its information supplement “Best Practices for Implementing a Security Awareness Program”, the PCI Council lays out three best practices for building employee awareness, which apply to hotels as much as to any other merchant:

  • Assembling a Security Awareness Team
  • Determining Roles for Security Awareness
    • Identify Levels of Responsibility 
    • Establish Minimum Security Awareness
    • Determine the content of training and applicability based on PCI DSS 
  • Disseminate Security Awareness Throughout the Organization  

There are 3 Rules, Not 1 

In his 2011 blog, Mathieu Gorge explains that the PCI framework is not one standard but three, each addressing a different part of how payment data is captured, processed and stored at a hotel:

First is the Payment Card Industry Data Security Standard (PCI DSS), which applies to every entity that stores, processes or transmits cardholder data: merchants (hotels included), acquiring banks, payment service providers and payment gateways.

Second is the Payment Application Data Security Standard (PA-DSS), which applies to software vendors that develop and sell commercial payment applications, including those used by hotels. Such applications typically run on POS and EPOS terminals and behind e-commerce payment pages. (PA-DSS has since been retired; its successor is the PCI Software Security Framework.)

Third is the PCI PIN Transaction Security (PCI PTS) standard, which covers the security of PIN-entry devices: POS terminals, encrypting PIN pads (EPPs) and unattended payment terminals (those used without a member of staff present, such as self-service kiosks).

Training must ensure that hotel staff know all three exist and which ones touch their own job. Effective training covers roles and responsibilities, data-protection best practices, access and authorization rules, and any new requirements the PCI Council issues during the year.

Hotel Staff Need Regular PCI Security Awareness Training 

As the earlier sections show, the PCI Council and the U.S. government are pulling in the same direction in 2020: both expect businesses to comply with every rule that applies to them, and the FTC has shown that it will enforce that expectation.

The consequences of non-compliance can be severe, as the Marriott/Starwood breach shows: the intrusion into Starwood's guest reservation database began in 2014, survived Marriott's 2016 acquisition of Starwood and was only discovered and disclosed in 2018. Things can get even worse when a technology vendor's systems are compromised, as hotels learned from the 2017 breach of Sabre's SynXis reservation system.

Kaspersky Lab and several other cybersecurity research companies have long established that “untrained & negligent employees are the most vulnerable aspect of any business security strategy.”

Staff are the face of a hotel and the guest's first point of human contact. Well-trained staff apply the security practices the PCI Council requires in real time, at the front desk and at the terminal. That builds trust with guests and strengthens their loyalty to the brand.

Staff educated in PCI best practices are less prone to error and negligence in day-to-day tasks. They should be encouraged to build a culture of security practices so that the probability of human error stays minimal.

Regular training also improves staff readiness when something goes wrong. Trained staff know how to recognise the signs of a compromise, such as a tampered card terminal or a suspicious email, whom to escalate to, and how to switch to backup or manual procedures while the incident is contained.

Finally, as technology evolves, staff will be able to gauge their own knowledge and request additional training for new systems. This regular reinforcement of PCI training builds a bottom-up culture of security and data privacy.


I hope you enjoyed this edition of our blog. 

For more information about PCI compliance and training, simply fill out the contact us form or join us for a Live Chat now. 

At AHT Inc. we have a leading PCI compliance training program presented by PCI Professional (PCIP) Mohammad Shoaib Ziaee. A CHTP, CHE and PCIP, Mohammad has over 20 years of experience partnering with hospitality companies and hotel groups.

Our structured PCI training program covers the ground rules for compliance, the roles of management and staff, training strategies, encryption tools, secure networks, authorization and access, the responsibilities of hotel employees, hardware compliance, and review of the entire security program.