Hotel Groups Unite to Reduce PCI Scope

Hotel groups are taking action to keep guests’ credit-card data safe by working together to develop a solution in which they can avoid storing the information altogether.
By Stephanie Wharton
October 12, 2011 | 5:30 P.M.

REPORT FROM THE U.S.—In an industry where credit-card data flows across various companies’ systems and is often stored for weeks or months at a time, simply complying with PCI standards might not be enough for hotels to keep sensitive data out of the hands of thieves.

At least 16 hotel groups have expressed interest in developing an industry-wide solution, and are working with Hotel Technology Next Generation to create a credit-card security framework. Accor, Hilton Worldwide, Mandarin Oriental Hotel Group and Starwood Hotels & Resorts Worldwide are among the 16 groups listed in an HTNG news release that have confirmed their intent to participate.

Doug Rice, CEO of HTNG, said the non-profit organization initiated the process for the industry security framework last June. So far a charter has been created to ensure the hotels and organizations involved are on the same page. The group’s first meeting will take place in November. 

The solution HTNG would like to have the industry implement would get hotels' systems completely out of scope of the PCI. “If your systems do not touch a credit card, it means those systems are out of scope,” Rice said. 

The main option the group is exploring is tokenization. This method involves taking credit-card data and replacing it with a “token,” which could be any number or phrase that would be worthless to a potential thief. To get completely out of PCI scope with tokenization, a third-party company would be required to store the credit-card data while the hotel holds on to the token. Once the hotel is ready to charge the customer’s card, it sends the token to the third-party company to handle the payment, and the hotel avoids storing any credit-card data throughout the process.
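The token flow described above, sketched as an added example (not code from HTNG or any vendor named in this article). The class names, the `tok_` prefix and the Luhn-based scan of hotel records are assumptions made for illustration, and the card number is a constructed test value.

```python
import re
import secrets

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ThirdPartyVault:
    """Stand-in for the third-party company: the only place card numbers live."""
    def __init__(self):
        self._cards = {}                    # token -> card number, kept inside the vault

    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the card number
        self._cards[token] = pan
        return token

    def charge(self, token, amount_cents):
        if token not in self._cards:
            return {"approved": False, "amount_cents": 0}
        # A real processor would submit self._cards[token] to the card network here.
        return {"approved": True, "amount_cents": amount_cents}

class HotelSystem:
    """Hotel side: reservations reference a token, never a card number."""
    def __init__(self, vault):
        self.vault = vault
        self.reservations = {}              # confirmation number -> record

    def book(self, confirmation, guest, token):
        self.reservations[confirmation] = {"guest": guest, "token": token}

    def checkout(self, confirmation, amount_cents):
        return self.vault.charge(self.reservations[confirmation]["token"], amount_cents)

def find_card_numbers(records):
    """Scope check: 13-19 digit, Luhn-valid strings found anywhere in the records."""
    return [h for h in re.findall(r"\b\d{13,19}\b", repr(records)) if luhn_ok(h)]

vault = ThirdPartyVault()
hotel = HotelSystem(vault)
TEST_PAN = "4111111111111111"               # constructed sample: a standard test card number
hotel.book("CONF-1001", "A. Guest", vault.tokenize(TEST_PAN))  # guest gives the card to the vault
result = hotel.checkout("CONF-1001", 25900)
```

Running `find_card_numbers` over the hotel's records returns nothing, while the same scan over a record that still holds the raw number flags it.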

David Wallace, general manager of data security at Chase Paymentech, said this solution of pairing tokenization with a third-party payment website will eliminate the merchant’s PCI scope from the e-commerce side, but a solution needs to be addressed for the guests who do not reserve their accommodations with a credit card online.

In this case, where an actual credit-card swipe is required at the property, Wallace said coupling tokenization with point-to-point encryption is the ideal solution. This encrypts the data when the credit card is swiped. However, in order for point-to-point encryption to remain out of the PCI scope, the card data decryption must not occur in the hotel and the functionality to decrypt the data must not exist in the hotel.

Security first
Bob Russo, general manager at the PCI Standards Council, said the organization is in favor of a credit-card security framework for the hotel industry because of the high volume of transactions that are stored. He said there are many people who look for the easy way out, and comply with PCI standards simply because it’s the law.

“This is about security issues. Once you begin to take care of these security issues, compliance comes as a byproduct,” Russo said.

He wants the industry to keep in mind that security isn’t all about technology: “It’s about people, and the processes they go through.”

Once HTNG and the hotel groups working with the organization develop the security framework, the next step on the list will be to implement the plan across the industry.

Rice said everyone involved in accepting payments in the hotel industry needs to agree on the same framework for it to work effectively. Online travel agencies, distribution partners and payment processors will all need to be on board. The plan is for the major hotel companies to inform their partners of the plan at approximately the same time. Vendors will realize this is what they need to do if they want to meet the needs of the hotel industry, he said.

“That’s the key. There has to be cross-company trust,” Rice said.

Once the partners are on board with the solution, independent hotels will start getting involved, too.

Rice said education will not necessarily be the role of HTNG. However, the group expects to work with organizations such as the Hospitality Financial and Technology Professionals to help implement the solution and spread the word in the industry. 

“This is not going to be an overnight solution, it’s a journey, but it’s something that the industry has recognized needs to be addressed,” Rice said.