Credit card hackers are using the coronavirus pandemic as an opportunity to target more online transactions and, because hotel businesses have traditionally been a hot target for hackers, it’s never been more important to ensure your guest data remains safe.
According to Yahoo! Finance, attempted debit and credit fraud transactions rose 35% in April from a year earlier.
While the hotel industry has stepped up its efforts to make data security a top strategic goal over the last few years, is it doing enough? When was the last time your company audited its own practices to ensure compliance?
If you haven’t, consider the cost of not doing so. Hotels are contractually obliged to comply with PCI guidelines as per merchant agreements, but many are dropping the ball on the simplest of security components. Fines for breaches that result from non-compliance can be severe, ranging from $5,000 to $500,000. What’s more, banks and processors have been successfully filing for compensation from hotels after breaches.
How do you avoid that dreaded call from your bank? Here are three things that you can add to your PCI compliance strategy that hoteliers often overlook.
1. Verify that partners are PCI compliant
While PCI compliance encompasses many parts of a hotel, much of it is covered by the property management system and networking vendor. Check with your technology vendors to make sure the solutions you have running at your property are up to par. Blind trust isn’t a virtue here. If your vendors aren’t compliant, you could be the one holding the bill should a breach take place.
Understand the difference between PCI Compliance levels and work with partners who are at least Level 1 compliant, meaning they participate in yearly on-site reviews by an internal auditor and a required network scan by an approved scanning vendor.
2. Ensure credit card information is secure
How does your company acquire and store credit card authorization forms? If your hotel is still using paper or PDF versions for third-party authorizations, sales contracts and other forms, you are not PCI compliant and your company is at risk.
A secure, digital solution can bring you into compliance and help to manage that risk. Ease of use for your customers is another benefit of such a system. No longer will they need to fill out paper forms, sign, scan, and email or fax back to you. Then, you won’t need to find ways to store these paper files that are then left vulnerable for anyone to see. Ask yourself: What’s more secure — a binder filled with credit card numbers and personal information locked away in a filing cabinet, or a password-protected system that only certain employees have access to?
3. Implement password policies — and make sure employees follow them
Many vulnerabilities happen simply because employees set weak passwords — the reason cited for 63% of all breaches, according to Verizon’s Data Breach Investigations Report. To set your company up for success, you need to execute a strong policy that requires employees to change their passwords after a few months. Then, multi-factor authentication adds another layer of protection. This system requires more than one method of authentication to verify someone’s identity for login purposes. Those could include fingerprints, facial recognition, codes and the like.
Of course, rules are meaningless unless they are followed. As a leader, it’s your job to be certain that policies are being followed as written. Consider conducting an audit throughout the year to ensure all procedures are enforced. A little time now can save you a lot of money and heartache in the long run.