PCI rules have been the ruling standard for payment card security, vendor compliance, and data management guidelines for business since 2006. It has however been difficult for businesses including hotels & resorts to adopt these rules in everyday operations.
Over the past 4 years, both the US Federal Trade Commission and the PCI Council have emphasized the critical importance of the 12 rules. In January 2019, the FTC took stern measures to ensure businesses were enacting PCI rules.
Like many of its core elements, the PCI rules offer an efficacious safeguard for hotel staff. PCI rule 12.6 comprehensively guides hotel owners & management to address the training, retraining, access, authorization, and data management for hotel staff.
“We can’t emphasize this enough; PCI awareness training is not a “one and done” situation. In fact, the more you teach your employees about PCI credit card data security, the more secure your business will be.
Employees generally want to understand the risk associated with the mishandling of credit card data. Encouraging employees to treat customer data as they would want their own data treated is a great start for PCI training.”
- The Center for Information Security Awareness (CFISA)
Training & Education for Personnel – PCI Rule 12.6.1
The PCI rules dictate that hotel staff are educated when they are initially hired and retrained at the end of the year. The absence of a rigorous training program for hotel staff can result in severe business risks for payment and personal guest data.
This training can be different for varying departments, depending on their access to data. Usually, a PCI assessor reviews the hotel security program and interviews personnel to determine the required level of training.
Awareness of Policy & Procedures – PCI Rule 12.6.2
Following 12.6.1 immediately in 12.6.2 which dictates that once hotel staff has received adequate PCI awareness training, they must acknowledge that they have understood the subject matter. At AHT Inc. our experienced PCI assessor and trainer, Mohammed.S. Ziaee interactively tests staff and interviews candidates to assure they understand the training.
One of the most important elements of your security training & awareness program is to ensure it is easily understandable for hotel staff. Loading the policies with HR and technical jargon will reduce the efficacy of the entire program.
The PCI Staff Training Program
A well-structured PCI staff training program should be built around the PCI rules and should deliver the following knowledge to employees:
- Understanding the structure of PCI Data Security Standards
- Defining the 12 PCI rules, categorized into 6 control groups
- How credit card transactions are performed
- Role of hotel personnel & other people involved in the credit card payment process
- Overview of key standards & control defined by the hotel security policy
- The Dos & Donts of handling guest card data
A well-organized PCI staff awareness training program for hotels should usually begin with explaining what the PCI DSS standard actually is. This includes the reason PCI rules were set up and what they stand for.
Going over the 12 rules is not relevant for all the hotel staff. Like I mentioned above, only selective information is delivered to guests, while the management must be aware of the complete training.
Due to growing threats and events, the hotel staff must understand how credit card transactions are conducted. This also requires them to know the role of all the people involved in the credit card payment chain to clearly pinpoint issues if they occur.
Hotel staff must be rigorously trained and tested for their understanding of the entire security policy of the hotel. Delivering the latest knowledge on policy up-gradation and changes is a must to keep staff secured against prevailing liabilities.
Staff must also be given relevant access and authorization to perform credit card transactions and revisit the data if necessary. The hotel staff must understand their responsibility, and know the Dos & Dont’s of the payment process.
Why Should Hoteliers Invest in a PCI Staff Security Awareness Training Program
There are several reasons hoteliers should consider investing in an effective staff security awareness training program.
Kaspersky, the famous cybersecurity giant, explains in their brilliant blog how employees have been the most vulnerable factor amid data breaches. Hotels are at risk from within due to untrained and irresponsible staff, with almost 52% of surveyed businesses claiming employees are the major reason for security risks.
“52% of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk.”
Statistically, the untrained staff is the second most likely cause for a data breach in hotels, the first being malware. When the staff does not have the relevant knowledge to manage sensitive data and perform critical processes, liabilities will occur.
Another very important reason hoteliers should have a comprehensive security training program is the increase of cybercrime and data breach events since the COVID19 pandemic began. The famous MageCart attack has already taken victims in hospitality, with other industries reporting constant attacks on their cybersecurity infrastructures.
The third reason that a staff security training program is essential for hotels is simple, it builds trust with guests and travelers. A compliant hotel that cares deeply about guests’ data and payment information will be highly regarded by loyal customers. Especially in a time when contactless tech is lining up in hotels, guests will be concerned about how the hotel is securing their online privacy and data.
The growing number of contactless payment and service technologies now require hoteliers to enact strict security regimes. Have a sound training program for hotel staff has vast advantages for the hotel owner in the long run.
Get in touch with AHT Inc.’s PCI assessment and training team today to know more about training and compliance. I hope you enjoyed this edition of our blog, until next time, see you again soon.