
Where to Concentrate PCI Security Efforts

Legislation could force businesses to go public with credit-card breaches, so experts say hoteliers should study and monitor changes to the reporting procedure.
By Jason Q. Freed
June 23, 2011 | 6:44 P.M.


AUSTIN, Texas—Legislation currently on the books in several states could force businesses to go public with credit-card breaches that occur in their company, so experts say hoteliers should study and monitor changes to the reporting procedure.

After all, hotels are one of the most frequently targeted businesses for data security breaches, said panelists at the Hospitality Industry Technology Exposition and Conference.

“You need to address laws surrounding the notification of data breaches,” said David Bleser, president of Bleser & Associates. Bleser said the creation of a National Breach Notification System is a real possibility. If enacted, it would help hoteliers by alerting them more quickly if their guests’ information is compromised while in the hands of a third party. But it also would affect the perception of hotels if a breach were to occur on property and more people were alerted.

David Wallace, group manager of security-standards compliance for Chase Paymentech, said it will probably take a major event to trigger enactment of those laws. He said governments getting involved might not be the best idea.

“Having a uniform set of frameworks is a desirable thing, but (payment-card industry) compliance is doing a good job,” he said. “I’d prefer to have a set of industry guidelines instead of government regulations that 30 years from now wouldn’t be that relevant.”

PCI awareness
Legislation aside, panelists said large challenges remain surrounding credit-card data security in the hospitality industry. First and foremost are awareness and education.

PCI isn’t really a technology issue; it’s a business-process issue, panelists said. Organizations that reduce scope and footprint, and focus on evolving their business processes to meet PCI, dramatically reduce their efforts to get and stay compliant.

“Compliance is easy. What is hard to do is understand where your data is,” said Howard Glavin, director of technology for K3DES, speaking from the audience.

“You can’t prevent a data breach but you can give them the impression that they’re going to get caught,” Bleser added.

The basic concern with securing guest data lies with how credit-card numbers are stored on property or within systems. Certain procedures should be followed to ensure credit-card numbers are stored minimally and in the right places. Wallace illustrated the need for locking down that data by comparing it to a residential breach.

“If they broke in to your house to get your gold and all your gold was in a safety deposit box, how much of your gold did they get?” he said. “Yeah, they got your TV, but they didn’t get your gold.”

He said the responsibility, even if data is stored with a third-party partner, ultimately falls on the hotelier.

“If your service provider to whom you’ve trusted your data drops it on the floor, I’m sorry but you’re still responsible,” he said. Therefore, panelists suggested paying close attention to data security terms in supplier contracts.
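As an added illustration of Glavin's point that the hard part is knowing where card data actually lives, here is a small PAN-discovery scan written for this article (not code from the panelists or any product). It runs over a constructed front-desk notes file, uses the Luhn check to skip look-alike numbers such as confirmation codes and phone numbers, and reports only masked values so the scan itself does not create another copy of the data.

```python
import re
from typing import List, NamedTuple

# Candidate PAN: 13 to 19 digits, groups optionally separated by a space or dash,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

class Finding(NamedTuple):
    source: str     # file or system the number was found in
    line_no: int    # 1-based line within that source
    masked: str     # first six + last four digits, the rest replaced by X

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only what PCI DSS allows to be displayed: first six and last four."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def scan_text(source: str, text: str) -> List[Finding]:
    """Locate Luhn-valid card numbers in free text and return masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings

# Constructed sample: a front-desk notes file of the kind the panel warns about.
# The card numbers are standard test numbers, not real accounts.
SAMPLE_NOTES = """\
2011-06-23 front desk: guest J. Smith, room 204, confirmation 1234567890123456
2011-06-23 front desk: guest J. Smith card 4111 1111 1111 1111 exp 12/14 (hold for late checkout)
2011-06-23 night audit: refund to 5555-5555-5555-4444 approved
2011-06-23 night audit: call 512-555-0100 re: noisy room
"""

def scan_sample() -> List[Finding]:
    return scan_text("front-desk-notes.txt", SAMPLE_NOTES)

if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.source}:{f.line_no}: {f.masked}")
```

In practice the same scan is pointed at property-management exports, e-mail archives and shared drives; each hit is a place that either must be brought into PCI scope or have the data removed.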

Best practices
The panelists offered several basic suggestions for securing guests’ credit-card data:

• Most importantly, work with the IT staff at the brand, management company and property level to ensure data is consolidated to a limited number of systems and then segmented off. If data is stored in segmented areas, other systems will be deemed out of scope and won’t be bogged down with monitoring and testing.

• Also, because the list merchants use to verify that their systems are PCI compliant is available in the PCI Data Security Standard 2.0, hotels can do preventive maintenance by reviewing and acting on that list.

• Recognize the common misconceptions, such as the idea that PCI compliance ends at the credit-card swipe. More important is where the data is stored.

• Inform the employees on the front line, particularly to ensure they aren’t writing down guest credit-card numbers.

PCI Data Security Standard
The PCI DSS is constantly evolving. Unfortunately, panelists said, the council has become reactionary to breaches. When standards don’t cover new types of breaches, the standards are amended.

But no company that has been breached during the past few years has been PCI DSS compliant at time of breach, Wallace said. He said the companies that were breached weren’t just missing one or two steps in the compliance recommendations; rather, they were making little effort to be PCI compliant at all.

“It’s, ‘Wow, if we would have even tried we would have dodged that bullet,’” he said.

In fact, Glavin said, there are companies that have been taken to court even when a breach never occurred, because the way the company was storing data was not in compliance with the Fair Credit Reporting Act.

As a key takeaway, Bleser said, “If you pursue security, compliance will come. If you pursue compliance, you’ll never be secure.”