Two hospitality technology players are concerned that the industry is not applying sufficient urgency to its adoption of PCI DSS payment processing standards. They got together to voice their disquiet.

Nigel Allport of Agilysys and Andrew Brooks of Servebase see too many hotels and hospitality operators paying lip-service to the need to put PCI DSS at the heart of their business. By operating in a way that is not fully compliant, these operations put their valuable brand capital in jeopardy. It's a risk no hospitality business can afford to take.

Nigel: I recently read that only 11% of retailers are fully PCI DSS compliant. I was struck by that and found myself wondering what the equivalent is in hospitality. We're certainly not yet seeing any clear consensus about how the sector addresses compliance.

Andrew: I don't have an equivalent statistic but I was at the HTNG event in Berlin recently and PCI DSS was one of the topics, as it was at HOSPACE. It's clear that security breaches are widespread in hospitality and it's an issue of great concern.

Nigel: The hospitality side of payment may not generate the same pain as retailers go through but it's equally important and almost more dangerous as it's less visible.

Andrew: I agree. Although the standards are the same, the risk in hospitality is fraud. Security breaches are pretty widespread, with hackers stealing card data to use elsewhere.

Nigel: Hospitality operators need to ask themselves "what does this mean to my business?" If news gets out that guest card data is not secure, people will simply take their business elsewhere. This can be very damaging to a hospitality brand.

Andrew: It's important for hotel managers to get their directors or owners bought into PCI DSS compliance, but too often they see costs as an obstacle. It's not just a case of buying the right technology. There are other costs such as training, which can be quite high in hospitality given staff turnover and the need for frequent password changes and policing of security processes. And then of course there's the cost of employing a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council.

Nigel: That's true, but those costs need to be balanced out against the risk of a breach and the damage it can do to a hospitality business. If card data is taken and the situation snowballs, hotels will face fines and damage to their reputation; in short, a loss of brand capital.

Andrew: In Germany for instance, it's obligatory to publish news of a security breach and the theft of card data. That's not yet the case in the UK but, even so, compared to potential business damage and loss of revenue, the costs of PCI compliance are insignificant. We have got to change mindsets to get across the true cost and value of security.

Nigel: We find that many in hospitality see this as an IT problem not a business problem. I think that attitude needs changing. It's a boardroom issue and we must get the concept across to the most senior people in any hospitality business, and win their buy-in.

Andrew: Absolutely. It's a problem that the industry thinks of PCI DSS as an IT issue, because it's affected by the general reluctance to invest in IT that still exists. At the risk of being controversial, a hotel group will spend £1 million re-carpeting its properties but won't spend £100K to keep its brand secure. We need to stress that this is a business issue, one that puts the brand capital that's been created over years, if not generations, at risk if not protected. Nothing is more important than reputation, especially in the current climate where consumers are better informed and better equipped to make choices and assert their buying power.

Nigel: I am surprised there isn't more of a sense of urgency. There are lessons to be learnt from the experience of larger players yet some in hospitality are still asking themselves the blunt questions - why do we need PCI DSS and what are the risks of us not adopting the standards?

Andrew: More education is definitely needed. At Servebase, we tend to focus on the practical side, on providing a payment gateway coupled with solutions from partners such as Agilysys to alleviate the pain in card handling. Customer retention is the key to any successful hospitality business and we stress that our secure payment solutions enhance the overall customer experience.

Nigel: Some businesses still don't realise that - whether they conduct a few payment processes or millions of transactions every year - they need to be compliant. Even if their data is processed and stored manually, they need to follow standards. We must convince them they cannot afford not to be compliant.

Andrew: It's quite a complex issue to tackle in hospitality. Retail has different channels, processing 'customer present' or 'customer not present' transactions, but the procedure is similar. In the case of a mid to large hotel, a myriad of systems accept card data. You have prepayment bookings, call centres taking bookings with card data, and something that's unique to hospitality – accepting card data to guarantee a booking, where no charge is made unless there's a no-show.

Nigel: There are certainly many touch areas for card data as we see with our Agilysys InfoGenesis™, a point-of-sale solution and Agilysys Visual One™, a property management solution. These touch areas all need to be secure, which is why we partner with a company such as Servebase.

Andrew: There's another issue too. For those that adopt PCI DSS, it's tempting to achieve the required level of security then mentally put it in the cupboard. Compliance has to be an ongoing process. It needs to be one of the everyday things that need to happen in the business. Just as a hotel wouldn't dream of not cleaning rooms each day, so it needs to ensure its PCI DSS processes are being followed.

Nigel: Yes, active daily management is critical. Secure payment processes need monitoring and logs maintained to make sure there are no breaches. A proactive approach is needed, every day, because fraudsters are certainly not going to take a day off. They are constantly trying to get hold of valuable guest data.

Andrew: Once processes are in place, they need to be tested and recertified each year by an accredited QSA or via self-assessment, dependent upon the number of transactions taken. It's not a case of "I've got the certificate so I can relax". All it needs is for a member of staff to let someone unauthorised into an area that needs a security pass, or someone to send you an email containing card data, and you have a problem. However, if you can prove that you have followed the procedures agreed with your QSA, then you are protected if there is a breach.

Nigel: There is no silver bullet, but technology can make this a lot easier. EPoS and PMS suppliers such as ourselves need to ensure our software is always compliant, and specialists such as Servebase take as much of the process as possible out of the hands of the user by automating it securely.

Andrew: At the end of the day, it's difficult to assess the true cost of PCI DSS compliance. It's individual to the business. There are lots of variables and it's complex. It all comes down to doing as much as you can to protect the business.

Nigel: The hospitality industry needs to have complete focus on the issue of security breaches and brand security. Not only do operators risk fines if there is a security lapse but, more importantly, they risk devaluing their brand by putting customers at risk and, ultimately, losing the ability to take card payments. We need to keep banging the drum that just six letters, PCI DSS, protect more than card data; they protect the brand capital of a hospitality business.

Agilysys (Europe) Limited provides specialised IT solutions to the hospitality sector, for hotels, restaurants, casinos, resorts, condominiums, cruise lines, sporting stadia, arenas, conference centres and tourist venues. Visit www.agilysyseurope.com

Servebase is a global, multi-channel payment processing provider, delivering secure card processing covering all payment environments, from single solutions to multi-channel combinations of mail order, e-commerce and 'customer present' Chip and PIN. Visit www.servebase.com

The Facts

Does PCI DSS apply to me?

PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What's more, the standard doesn't just apply to storing data electronically; it also covers manual processing and storage. Whether you conduct a few payment processes or millions of transactions every year, you need to operate in a compliant fashion.

What are the requirements?

  • You must not use card and verification details for any purpose other than completing the card transaction.
  • You must not pass card details on to anyone else, except for the purpose of helping them to complete the card transaction, i.e. authorisation and/or settlement.
  • You must not store the card security code (the last three digits on the signature strip).
  • You are only permitted to keep a separate record of the card number and expiry date if both of these conditions apply:
    • You have the specific agreement of the cardholder, and
    • You are only going to use this information to help with future transactions, such as recurring payments or new orders if further orders are likely.
  • In short, you shouldn't store card data if you don't need to.

The standards

It's important to know the standards, as you may be storing cardholder information (such as receipts from terminals or emails that contain cardholder details) in a way that the standard does not allow. The standard is broken down into these sections:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
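The warning above, that receipts, emails and logs may be holding cardholder data in a way the standard does not allow, is the kind of thing an operator can check for rather than guess at. The following is an added example, not code from the article nor from Agilysys or Servebase: a small scanner that finds unmasked card numbers (PANs) in exported text records, confirms them with the Luhn check so that booking references and timestamps are not mistaken for cards, and flags any record where a card security code is stored next to a PAN. It assumes the records have already been exported as plain text; the file names, log lines and email snippet are constructed sample data, and the card numbers are well-known test numbers that pass Luhn but are not issued accounts.

```python
"""
Added example (not from the article, nor Agilysys/Servebase code): scan
exported text records for unmasked PANs and for security codes stored
alongside them. Sample records and file names below are constructed; the
card numbers are published test numbers, not real accounts.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Each match is confirmed with Luhn below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3-4 digit value labelled as a security code in the same record is the
# specific thing the standard forbids storing after authorisation.
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cv2|cid|security code)\D{0,6}\d{3,4}\b")

# Constructed sample records: (where the text was found, the text itself).
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("receipt-0412.txt",
     "MERCHANT COPY  VISA  4111 1111 1111 1111  EXP 12/27  AUTH 045612  TOTAL 184.50"),
    ("reservations-inbox/msg-1187.eml",
     "Please guarantee the booking on 5555555555554444 exp 09/26, cvv 123. Thanks, J."),
    ("pms-audit.log",
     "2013-04-02 10:14:07 folio=88213 card=378282246310005 status=guaranteed"),
    ("pms-audit.log",
     "2013-04-02 10:15:22 folio=88214 card=411111******1111 status=guaranteed"),
    ("crm-export.csv",
     "88215,Order ref 1234567812345678,GBP 220.00"),
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return the digit strings of every Luhn-valid PAN found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    source: str
    masked_pan: str      # the report itself never carries the full PAN
    cvv_nearby: bool


def scan_records(records: List[Tuple[str, str]]) -> List[Finding]:
    """One Finding per PAN in the records, holding only the masked form."""
    findings = []
    for source, text in records:
        cvv_nearby = CVV_RE.search(text) is not None
        for pan in find_pans(text):
            findings.append(Finding(source, mask_pan(pan), cvv_nearby))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        flag = "  <-- security code stored with PAN" if f.cvv_nearby else ""
        print(f"{f.source}: {f.masked_pan}{flag}")
```

Running it reports the receipt, the mailbox message and the first audit log line; the already-masked card and the 16-digit order reference (which fails Luhn) are not reported. Two design points matter in practice: the report stores only the masked PAN, because a list of full card numbers would itself be cardholder data to protect, and the mailbox hit with "cvv 123" is the worst case, since a security code must not be retained at all once the transaction has been authorised.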