Why PCI Compliance is a Strategic Issue for Hotels

Growing numbers of data breaches, hacks, and ransomware attacks demand significant action from hoteliers to reinforce cybersecurity and data protection measures at their properties. Although hotel owners are waking up to the use of technology and digital applications to manage their assets, they still lag far behind prevailing hospitality trends.

Point-of-sale (POS) data breaches are among the most common attacks carried out against hotels. In October 2012, Hyatt Hotels Corp. reported a breach of the servers holding guest payment card information across 41 assets in 11 countries.

Similarly, the Galt House hotel suffered one of the most severe credit card compromises between December 2016 and April 2017. Attackers tampered with the Galt House's credit card readers to capture cardholder names, account numbers, expiration dates and verification codes.

To counter this common problem, the PCI Security Standards Council has established a comprehensive set of benchmarks to enhance data protection and operational security at hotels. We have already summarized the 12 standards set out by the PCI Security Standards Council in our very popular article.

Understanding PCI Compliance Standards

PCI (payment card industry) compliance is a set of 12 rigorous requirements, designed by the PCI Security Standards Council, that businesses must comply with and enact at their assets. These 12 requirements are grouped under 6 control objectives:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

The rules are primarily enforced by the merchant (VISA, MasterCard, UnionPay etc.) and by the hotel owner, who must ensure compliance across all POS and digital payment systems.

PCI Compliance – A Strategic Issue 

The first step to understanding payment card security and compliance is accepting that breaches are simply unacceptable in our age of digitization. Cybercriminals have upped their game, so hoteliers have to stay "on their toes" when addressing critical issues like payment card security.

Consider this: Sabre Hospitality Solutions, one of the foremost hotel technology providers, had its reservations system breached between August 2016 and March 2017. Deployed across hundreds of client hotels, the Sabre reservations system breach gave hackers access to the card information of thousands of guests across the hotel industry.

PCI compliance has become a strategic issue for hotels today rather than a mere support function. Hotel managers are fast waking up to the principles of cybersecurity and data management.

The PCI rules are a minimum benchmark to help organizations control and protect their customers' credit card data. While each credit card issuer (the banks) has its own compliance rules in place, it is an excellent strategy to have your own baseline standards for payment card data security.

“Any company which retains user data has a responsibility to protect it in their own systems, but also by enforcing good security practice on suppliers and partners,” … “Users don’t care how the data is lost – they still pay the price”

Jonny Milliken, Manager Research Team at Alert Logic

Hotel owners and managers are quickly accepting that cybersecurity and data privacy are core aspects of running a hotel business today. Developing a sound compliance strategy and data management guidelines is one of the foremost responsibilities of hotel managers. Hotel managers should consider answering the following:

  1. What data should be protected?
  2. Who should be authorized to process and access data?
  3. What firewall, threat detection and protection systems should be installed?
  4. Should you consider cloud storage?
  5. Who will conduct staff training and how often?  

In its 2018 threat report, Symantec established that a staggering 67% of hotel websites and apps share their guest data with third parties. The user data Symantec identified can include full names, postal addresses, mobile numbers, email addresses, credit card details (last four digits only) and passport numbers.

To understand the strategic significance of enacting PCI compliance standards at hotels, we turn to Candid Wueest, a principal threat researcher at Symantec, who discusses the same vulnerability in his blog, arguing that:

"While researching possible formjacking attacks on hotel websites recently, I stumbled across a separate issue that could potentially leak my and other guests' personal data," … "While it's no secret that advertisers are tracking users' browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether …"

Both technology managers and security experts repeatedly advise hotel owners that they have to do a much better job of securing guest data, especially now that regulations like GDPR are in force. The general idea is to make guests feel safe and confident when giving you their financial information.

"Moving forward, it is essential that all businesses begin to understand the full implications of not protecting their customers' data, and start taking proactive measures to ensure hackers cannot access sensitive information by exploiting outdated websites and unregulated IT systems."

Tim Dunton, MD at Nimbus Hosting

In a world of digital business and a focus on user personalization, technology-supported operations are the heart and soul of the hotel business. Managing the flow of user data, and securing it, is essential in a world of smart appliances, multiple POS systems, always-connected apps, and constantly evolving customer demands.

For more information about PCI compliance and data security, call one of our expert technology managers. Remember to bookmark our blog and visit us again for more interesting reads. Until next time, see you again soon.