The hospitality industry has been an attractive target for cybercriminals for more than a decade. Attackers have every motivation to breach the gold mine of personal and card payment data that hotels hold, much of it without adequate security.
From HITEC 2019 to Cybersecurity Asia 2019, the global business community keeps refining how it adopts prevailing data security standards and best practices. Every hotel needs to upskill its staff with the latest cybersecurity best practices, including the handling, storage, access, and sharing of sensitive guest data.
In an interview with the Khmer Times, cybersecurity researcher Doron Sivan said:
“I think the first step is not technology, it’s education,” he said. “Most threats begin with the mistake of humans, human error. People don’t really believe in the threat of cybercrime and only if you educate them all the time can you prevent it.”
Hospitality data breaches are on the rise, and the methods and sophistication of attacks evolve every year. The National Association of Federally-Insured Credit Unions reported that data breach figures in 2018 were an alarming 40% higher than those projected in 2015.
IBM reported in a 2019 news release that staff remain the most exposed and vulnerable touchpoint for hospitality businesses. Inadequate staff training, authorization controls, and access to the tools needed to counter modern cybercrime are the main reasons hotels experience data breaches.
PCI Compliance Training Remains Paramount for Hotel Data Security
With no industry body or standard dedicated to data security in hospitality, the one widely adopted framework, and the single light of hope, is the PCI Security Standards Council's Payment Card Industry Data Security Standard (PCI DSS).
Its 12 rigorous requirements comprehensively cover every core aspect of card payment and merchant security. The standard and its supporting documents provide frameworks, tools, measurements, and support resources that help hotels assure the security of cardholder information.
The PCI Security Standards Council was established in 2006 by the five major card brands, Visa, MasterCard, American Express, Discover, and JCB, to counter growing concern over payment card data security.
In a conversation with Mohammed Shoiab Ziaee, Director of Information Technology at ADHT Inc., he said:
“PCI compliance is by far the most effective and only framework that currently addresses card payment security in hotels. The current standards, which we adopted back in 2013, are now set to expire in 2022. They’re so effective that a new, upgraded framework will replace the current one to address the growing technological changes in hospitality.
PCI training session by Advanced Hospitality Technologies Inc. at Aloft Silicon Valley
We prioritize and highly encourage all our client hospitality companies to embrace the standards. The great thing here is that not every hotel will need to satisfy all 12 guidelines either; if the attack surface (payment touchpoints) of a hotel is minimal, then there will be fewer standards to implement.
As a certified PCI trainer, I emphasize the responsibilities of staff when processing payments, and I also try to instill the habit of upgrading their knowledge through popular threat reports & publications.”
Upgrading the Human Factor
Untrained staff remain the biggest and most overlooked threat to a hotel's information systems. From processing card payments to handling personal guest data, employees are attractive targets for cybercriminals.
Hotel staff must be taught how to protect against threats and how to respond to incidents. It is the responsibility of hotel owners to ensure their staff have adequate training and tools to manage the day-to-day data security events a hotel faces.
“… by promoting employee awareness of security, organizations can improve their security posture and reduce risk to cardholder data,”
The PCI standards also call for clear, robust security policies covering each aspect of data security. These policies are an excellent way to give staff defined responsibilities and SOPs for processing, handling, and storing card data.
PCI compliance and training are also an ongoing process that routinely refreshes the skills, knowledge and responsiveness of staff. All stakeholders, including management, executives, and staff members who play a part in the payment or data collection process, must go through PCI training to understand the critical nature of their role.
One of the more crucial practices PCI standards teach is the handling of cardholder data. A card number is not just a string of digits but a critical piece of information, the loss of which can expose the hotel to significant liabilities. Awareness of the general payment security rules ensures every stakeholder appreciates how critical card data processing is.
Another important part of PCI compliance is making sure staff clearly understand the consequences of non-compliance. Financial liabilities follow every data breach, but it is the damage to the brand name that hurts most.
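To make "handling of card data" concrete, here is an added example of the kind of check a hotel's I.T. staff can run over free-text fields (reservation notes, front-desk emails, PMS comments) where untrained staff tend to paste full card numbers. It is not code from this article or from ADHT Inc.; it applies two PCI DSS rules on the primary account number (PAN): when displayed, a PAN may show at most the first six and last four digits, and a full PAN must never be kept in plain text. The sample notes are constructed, and the card numbers in them are public test numbers, not real cards.

```python
"""Find and mask primary account numbers (PANs) in free text.

Added example (not from the article). Candidate PANs are located with a
regex, confirmed with the Luhn check to weed out folio and loyalty numbers,
and replaced with the PCI DSS display form (first six, last four).
"""
import re
from typing import Tuple

# A PAN is 13 to 19 digits, possibly written with single spaces or dashes
# between groups. The look-around prevents matching inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: notes a front-desk agent might leave in a PMS.
# 4111... and 5500... are public test numbers; ...1112 fails Luhn.
SAMPLE_NOTES = (
    "Guest asked to keep card on file: 4111 1111 1111 1111, exp 12/24.\n"
    "Folio 2019091523 settled; loyalty ID 4111111111111112.\n"
    "Incidentals card 5500-0000-0000-0004 authorised at check-in."
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. Every card brand's PAN passes it, so it cuts
    false positives such as reservation or loyalty numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to the maximum PCI DSS allows on a display: first six, last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns the scrubbed text and the number of PANs that were masked, so a
    non-zero count can be raised as a training or incident signal."""
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # not a card number, leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    cleaned, found = scrub(SAMPLE_NOTES)
    print(f"{found} PAN(s) masked")
    print(cleaned)
```

Run on the constructed notes, the two real test PANs come back as `411111******1111` and `550000******0004`, while the folio number (too short) and the Luhn-invalid loyalty ID are left untouched. Masking is only the display rule; a PAN that a business process genuinely needs to retain has to be stored unreadable (truncated, tokenized, or strongly encrypted) rather than masked.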
While most hotels outsource their technology, compliance, and training to professional hotel management companies, many also keep in-house staff for convenience. Those I.T. staff must be continually upgraded through in-depth training and compliance practice; they are the people who must not only understand these rules but also be the most likely to follow them.
All staff members authorized to process payments need to be aware of their responsibilities. Identifying suspicious activity, checking POS terminals for tampering, verifying cardholder identity and following SOPs are all compulsory for hotel staff engaged in guest data processing.
As technology evolves in the hospitality industry, we will see a series of changes that address the security of guest data. New compliance guidelines, better security tools, and more robust practices will emerge to make guest data safer and the guest experience even better.
For more interesting reads and insights, remember to visit us again. Until next time, see you soon.