Top 3 Human Factors Affecting PCI DSS Compliance in the U.S. Hotel Industry

News outlets and cybersecurity professionals now agree that hotels are a massive target for cybercriminals. Over the last five years, we have seen some concerning cases of cyberattacks including Marriott Starwood, Trump, Hilton, and Hyatt Hotels. 

Payment card transactions are now an essential facility in U.S. hotels, available at every touch point through POS machines. Card payments deliver great benefits to both guests and hoteliers; however, they also bring a considerable risk of data breaches.

The hotel industry has become a very attractive target for cybercriminals due to its lenient and sometimes non-existent cybersecurity standards. In the USA, more than 55% of credit card fraud was attributed to the hotel industry in 2008, as identified by Haley and Connolly in their research paper “The PCI Compliance Process for Hotels, American Hotel & Lodging Association, Washington, DC”, published in the same year.

In their latest cybersecurity research for 2018/2019, IBM established that the total cost of a data breach for hotels can escalate to $350 million in the United States. Today, we look at three crucial factors that are still influencing comprehensive PCI compliance in U.S. hotels.

Three Human Factors Affecting PCI DSS Compliance in the U.S. Hotel Industry   

Hotel owners & management have a responsibility to protect their guests, their personal data, and their connected smart devices. Modern travelers demand & expect information security the second they step into a hotel. Therefore, owners should properly address and strategize hotel data security across their properties.

PCI DSS remains the most suitable set of data security guidelines designed for businesses that accept card payments. VISA Inc. reported as far back as 2009 that business owners were still reluctant to enact these PCI compliance guidelines across their properties.

In a brilliant classic research paper for Oklahoma State University, Katerina Berezina identifies 21 factors of the time that hinder PCI compliance in hotels. We chose three human factors that to this day affect PCI compliance at hotels.

Lack of Qualified Staff 

Ten years after Berezina’s research study, there is still a massive shortage of the experienced & knowledgeable personnel who are needed to implement PCI DSS compliance standards in hotels. This severe shortage of qualified cybersecurity staff makes compliance difficult and breaches possible.

Hotel businesses can readily overcome these staff shortages today through education & training, by outsourcing cybersecurity, and consulting with a hotel technology provider. 

Hotels usually delegate information security & cybersecurity to staff who are already responsible for other areas, such as the front desk or the accounts team. Not only does this make it difficult for the employee to manage complex cybersecurity frameworks, it also requires constant training to keep that staff member ready for new threats.

Inadequate Staff Training 

A very common reason for inconsistent PCI compliance, also linked to our first point, is the inadequate training of staff. Up-to-date, continuous training is essential to keep your hotel staff ready to handle card transactions, secure personal information, maintain access authorizations, and respond to a breach.

Leading-edge training tools and online courses are now making it very easy for hotel staff to understand, learn, and apply PCI compliance rules in real-time. Advanced Hospitality Technologies Inc. has always encouraged the training & education of hotel staff. Our leading PCI compliance training program covers:

  • Introduction to PCI Compliance
    • Who developed the PCI compliance rules
    • What are the 12 PCI compliance rules
  • Why is PCI Compliance Necessary for Hotels 
  • The Responsibility of the hotel front desk, back office, and I.T. staff
    • Authorization 
    • Access
    • Distribution 
  • What are data breaches?
  • What are vulnerable network designs 

Lack Of Standardized Procedures For Staff Processing Credit Card Information 

Our final human factor affecting real-time PCI compliance at hotels covers every single staff member, management personnel, and even the owners. This is not only a challenge but a severe threat to the entire property, and it undermines the entire PCI standard.

Establishing and implementing documentation, policies, and internal procedures for all departments that process cards is essential for the survival of any hotel. While this factor is closely tied to ‘inadequate staff training’, even compliant hotels have staff who do not follow proper procedures.

Staff members who have not received proper guidelines, training, and SOPs for handling card information will eventually make mistakes. To ensure the development of digital policies & procedures, hotel owners are actively engaging hospitality technology providers to secure their guests’ data.

Hotel technology management companies are readily equipped with the latest PCI compliance training, industry developments, new threats to hotels, and the basics to develop lasting digital privacy & information security policies. 

Visit us today or call us to learn more about PCI compliance and its importance for hotels in today’s digital world.

We hope you enjoyed this edition of our blog. For more research, news, and insights, remember to visit us again soon. Why not have a discussion with our expert technology management teams for instant assistance with your hotel technology infrastructure?

Until next time, see you again soon.