Everything Hotels Need to Know About PCI Compliance

Data security is a big deal no matter your industry. According to IBM Security, the global average cost of a data breach is $4.35 million. 

‍

The smaller-scale impacts of fraud — like the cost of a data breach for a small hotel chain — could be disastrous. This is why your hotel’s PCI DSS compliance is a small price to pay for protection for yourselves and your guests. 

‍

In this blog we’ll explore PCI compliance, what it is, why it’s important, and how you can stay within the guidelines. 

What Is PCI Compliance?

Before we jump into the exact definition of PCI compliance, here’s something to take note of: When asked by Skift how concerned travelers were about the privacy and security of their personal data provided to hotels, 55.6% said they were somewhat concerned. Twenty percent said they were very concerned.

‍

For this reason, Payment Card Industry Data Security Standard (PCI DSS) Compliance exists to protect payment card holders’ information. It comprises a detailed set of regulations for businesses managing payment card data.

‍

It was established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB. 

‍

Every business that handles payment data — including hotels — must comply with PCI DSS. If you don’t, the penalties associated with falling short could be enormous. 

‍

What’s the Difference Between PCI Compliance and PCI Certification?

‍

PCI Compliance

PCI compliance, created by the PCI SSC, is a set of guidelines businesses must follow when accepting, storing, processing, and transmitting payment cards. 

‍

It’s important to note that it isn’t illegal to be non-PCI compliant. However, if a breach occurs and you aren’t compliant, then you are liable and may incur large penalties. 

‍

Being PCI compliant is critical to protect your guests and yourself. 

‍

PCI Certification

PCI Certification refers to a full-scale audit of a company to ensure they are following the correct procedures and guidelines to protect data. The audit must be performed by a third-party qualified security assessor (QSA) for you to be considered compliant. 

‍

This is a long process, often lasting up to six months. During this time, the assessor will look at how your hotel’s software was developed, how the developers are trained, and your technical/procedural controls.

‍

Why Is PCI Compliance Important for Hotels?

Data breaches can be detrimental to a business's finances and reputation. Should your hotel experience a breach, you could be liable for lawsuits from guests, lose loyalty, and up having to pay big penalty fees ranging from $5,000 to $100,000 per month. 

‍

PCI compliance helps you prevent data breaches and build your guests’ trust in you and your ability to process their sensitive data. This is why it’s important to let guests know that you are PCI compliant.

As a hotel, you are most vulnerable in the following areas:

‍

• eCommerce
• Point-of-Sale
• Corporate/internal network
• Interconnected systems 
• Physical attacks

‍

Reasons a Hotel May Be PCI Non-Compliant

Believe it or not, you could be PCI non-compliant without even knowing about it. Which makes it all the more important to make yourself an expert on PCI DSS compliance and what it means for your business.

As we mentioned previously, if you realize you are non-compliant, don’t panic (too much). It’s not illegal — just risky. The good thing is that you recognize the non-compliance and can fix it. Here are a few reasons you may be non-compliant:

‍

• You’re still using paper and PDF credit card authorization forms: This is a very common reason for PCI non-compliance and it’s surprising how many hotels aren’t aware that paper or PDF authorization forms are non-compliant. 
• Your physical security is lax: Your physical security plays a big role in protecting your guests’ credit card data. Whether you have a security team or not, ensure staff members are always present and trained on what to look out for when it comes to thieves or questionable behavior. 
• You have a weak password policy: Overly common or shared passwords pose a huge risk for your networks. Ensure that your company operates a tight password policy to prevent fraudsters from guessing or hacking into accounts. Some businesses require that employees change their passwords regularly, for example. 
• You lack regular security assessments: When it comes to PCI compliance, a lack of regular security assessments can result in a breach. Vulnerabilities in your network or software do crop up and the longer they’re left unattended, the more likely you are to experience fraud. 
• Your employee training is insufficient: Speaking of vulnerabilities, fraudsters may target your employees. Without proper training, staff members could miss signs of foul play.
• Your software or hardware is outdated: It’s possible that older software or hardware may not meet current PCI DSS standards and therefore be considered non-compliant. 

‍

5 Ways to Stay PCI Compliant 

Fortunately, there are multiple ways to stay PCI DSS compliant and most come down to being proactive, investing in secure technology, and taking a security-first approach. Here are seven ways you can prevent data breaches (thereby saving a lot of money):

‍

Get Rid of Paper or PDF Authorization Forms

Paper and PDF authorization forms are non-compliant. There are no two ways about it. Switching to secure digital solutions like Canary’s Digital Authorizations and Contactless Check-In will help prevent fraud and improve your guest experience. Not only that, these solutions help you win chargeback cases should they occur. 

‍

This is how Digital Authorizations work: A unique link to a secure form is sent to each guest. Your team is sent an email once the guest has entered their credit card information. Then, you can track each authorization in Canary’s web dashboard. 

‍

Canary uses their own set of tools — amount verification, ID verification, IP flagging, and fraud detection algorithm — to detect fraud and stop it in its tracks.

‍

‍

Want to start eliminating fraud and chargebacks? Demo Canary's Digital Authorizations solution today! 

‍

Create an Internal Data Security Policy

An internal data security policy is a set of guidelines and procedures for your employees. They should outline how to handle sensitive information. Having a good internal data security policy helps you in a few key ways:

‍

• Defines roles and responsibilities: A well-constructed policy should outline all payment and processing roles and responsibilities allocated to staff members. This makes it easier to ensure that each employee understands what is expected of them.
• Establishes security protocols: When it comes to PCI compliance, high standards should be the norm. Having a set of security protocols like encryption standards ensures that sensitive data is always protected. 
• Provides an opportunity for employee training: A security policy helps you train staff and consequently avoid mishaps. Your policy could state that all new staff members must be trained on data security standards in their first month. It’s also a good idea to refresh current staff members yearly on how to properly handle sensitive information. 
• Creates a culture of security: An up-to-date policy can help you create a culture where the security of customer data is prioritized. This will help ensure that staff members remain vigilant at all times. 

‍

The key thing to remember is that security measures should be regularly reviewed and updated. This will help you stay PCI compliant. 

‍

Create a Cyber Incident Response Plan

No matter how secure you think your hotel is, having a cyber incident response plan in place is important and a PCI requirement. It also demonstrates due diligence to your regulators and customers.

‍

Having a plan in place will help you act quickly in the event of a data breach, identify the cause of the breach, and minimize its impact on your hotel and its reputation. Here’s an example of a response plan:

‍

1. Establish an incident response team: Gather a group of individuals with different areas of expertise such as IT security, legal, and communications to take the lead should a breach happen.
2. Assess the incident: Conduct a preliminary assessment of the incident to determine the scope and severity of the breach, including what data was affected, how it was accessed, and how long the breach went undetected.
3. Contain the breach: Take immediate action to contain the breach. Disconnect affected systems from the network, disable user accounts, and change passwords for example. 
4. Notify parties: Let your customers, credit card companies, and regulatory authorities know of the breach.
5. Preserve evidence: Preserve all relevant evidence related to the incident, including logs and system images for example.
6. Conduct an investigation: Conduct an investigation to find out the cause of the breach. This stage will help you prevent future breaches. 
7. Implement remediation actions: Restore systems from backups, install security patches, and improve security controls. 
8. Review and update your incident response plan: Incorporate lessons learned from this breach into your response plan and internal data security policy. 

‍

Perform Risk Assessments 

A risk assessment simply means evaluating potential risks to the security of payment card data and putting measures in place based on the results. Here’s an example of a risk assessment for you to implement at your hotel:

‍

1. Identify assets: Identify all payment card data-related assets in your hotel such as payment card terminals, servers, and databases.
2. Identify threats: Identify all potential threats like data breaches, malware infections, insider threats etc.,
3. Evaluate vulnerabilities: Assess each asset and determine its vulnerabilities. This could be weak passwords or outdated software for example.
4. Determine likelihood and impact: Assess the likelihood and impact of each threat, taking into consideration the value of the payment card data and potential harm to your hotel and customers.
5. Prioritizer risks: Rank risks based on the likelihood and impact you determined and resolve the most serious ones first. 
6. Develop risk management strategies: Add new security controls, conduct employee training, or hire external experts to conduct penetration testing.
7. Implement and monitor controls: Implement, then continuously monitor and test the effectiveness of the controls you have in place. 

‍

Implement a Security Awareness Program 

One of the best ways to prevent breaches at your hotel is to educate your workforce. When staff members are aware of potential risks, they’ll be quicker to flag issues and avoid falling victim to fraud. Here are a few ways to construct your security awareness program:

‍

1. Develop your internal data security policy: This should outline expectations for your employees and the consequences of PCI non-compliance. This policy should be regularly reviewed and updated. 
2. Conduct training regularly: Educate your workforce on security threats like phishing emails, social engineering, and physical security risks. Scammers are getting clever so it’s always useful to demonstrate more unique security threats on the off chance they might occur.
3. Provide resources and tools: Give your employees the power to protect the hotel with password managers, anti-virus software, and secure messaging apps. Give them downloadable ebooks and notices in the back-of-house too. 
4. Encourage reporting: Provide a clear, easy-to-use reporting process should an employee spot suspicious activity. Employees should know who to report to or where to make a report. 
5. Conduct phishing simulations: A great way to test your employees’ ability to detect scams is to regularly send fake phishing emails. Knowing who falls victim and who reports will give you a good idea of who might need extra training.
6. Evaluate and improve: Take feedback from employees regularly on the effectiveness of your security awareness program and continuously improve it.

‍

Final Thoughts

PCI compliance is extremely important for all hotels. Not only does it help prevent fraud and data breaches at your property, but it also helps you recover quicker, avoid PCI non-compliance penalties, and give your guests peace of mind. 

‍

Stay PCI compliant by switching from paper or PDF authorizations to digital, creating an internal data security policy, creating a cyber incident response plan, performing risk assessments, and implementing a security awareness program.