When Will Hotels Get Serious About Protecting Guest Information?

Since the days of Roman highways, the foremost requirement of the hotel industry has been preserving the safety and welfare of its guests. In modern times, this task extends equally to the guests themselves, their belongings and their personal information.

Hotels spend millions convincing travelers to stay with them, but are the underlying systems and processes legitimately worthy of a guest’s trust?

This guest post provides some answers. Gary Palgon is vice president of product management for data protection software vendor nuBridges. An eBusiness security and solutions expert, Gary discusses why hotels and resorts are such an attractive target and, most importantly, the steps the hospitality industry must take to protect guest information.

Hotel Cyber Attack (image)

Your credit card numbers are being targeted by increasingly sophisticated hackers preying on the weak links of the hospitality industry.
Image credit: Don Hankins, cc | flickr

Ever since Trustwave released its Global Security Report in February, it has been widely understood that hackers are targeting the hospitality industry in a big way. In fact, a whopping 38 percent of all attacks in 2009 were against hotels and resorts. Of these, 98 percent involved credit card numbers.

Why? Because hackers are highly sophisticated and targeted in their attacks, but, truth be known, they’re also lazy. They find what works and repeat it over and over again with the “low hanging fruit”.

Lately that fruit has been hotels and resorts for the simple reason that it’s still a relatively easy job, since by and large the industry’s data protection schemes are weak. This is despite the fact that many of the largest hotel chains comply with the Payment Card Industry’s Data Security Standard (PCI DSS).

The hospitality industry shares many of the same vulnerabilities—accepting and storing cardholder information and volumes of personal information collected through participation in loyalty and rewards programs—as the retail industry. Yet it lags in the adoption of data security practices, which makes it an attractive target for cybercriminals. After several high-profile breaches of retailers that were PCI compliant, merchants realized that compliance doesn’t equate to security and they have taken steps to strengthen their data security programs to go beyond PCI DSS requirements.

The ways hotels do business provide ample opportunity for hackers to steal credit card numbers and other confidential guest information. Consider the number of payment channels used by hotels—web, telephone, in-person and mail order. To compound the problem, hoteliers need to store cardholder data at the point of purchase for days for guests’ convenience—for reservation holds, incidental expenses, loyalty programs and charge-backs—to name just a few examples. Compare this practice to the retail industry, where credit data is typically held at the point of sale only for the duration of the transaction.

Another reason many hotels and resorts are vulnerable to cyber attacks is their associated franchised properties. For example, while the hotel corporation may fall under PCI DSS requirements equivalent to those of a Level 1 or Level 2 merchant and may be doing a good job of protecting customer credit card data, the company’s franchises may fall under PCI DSS Level 4, which allows self-assessment. If a franchise owner is not adequately protecting data and consequently suffers a breach, the effect is not confined to that franchisee: the entire hotel brand takes the hit, a reverberating effect caused by a single franchisee.

Until cardholder data is protected throughout the enterprise within all applications and databases, data breaches will continue to occur at an alarming rate. Unprotected cardholder and personal data stimulate crimes of opportunity, not only from internal theft and misuse, but also from professional hackers. The most successful CISOs view data security as an ongoing program that protects data from the time it’s collected until it is destroyed and continually adapts to stay ahead of the bad guys and meet evolving compliance and regulatory requirements.

Protecting the Hotel Brand Requires a Unique Approach to Data Security

Complying with PCI DSS is a good first step toward protecting credit card data, but it is not all encompassing. Passing a PCI audit shows that your company was secure at the time of compliance, but it doesn’t ensure security throughout the rest of the year. Rather than taking the “check-list approach” to data security that compliance often fosters, adopt the position that data security is an ongoing process that requires continual adaptations to best practices, technology, and employee and franchisee education.

For many hotels and resorts, the answer is a comprehensive data protection approach that combines data security best practices designed for the unique hotel business environment. At its best, this approach includes strong encryption, centralized key management and what is known as “tokenization” to render the data useless in the event of a breach, as well as employee and franchisee education.

Tokenization is a relatively new but proven data security model that not only protects credit card numbers but can also protect any type of personally identifiable information (PII) collected from guests for loyalty and rewards programs. Unlike traditional encryption methods where the encrypted data or “cipher text” is stored in databases and applications throughout the enterprise, tokens—or surrogate values—take the place of the original data.

When a token is generated, certain portions of the data, such as the last four digits of a credit card number, can be retained to provide the business context of the original value, so that applications work the same as when full card numbers are displayed. The encrypted data the token represents is then locked in a central data vault. Because a token is not mathematically derived from the original data, it cannot be reversed with an algorithm the way cipher text can. Authorized applications that need access to the encrypted data can retrieve it only by presenting a token issued by the token server. The full credit card number or other protected information can be viewed only by authorized employees who hold the encryption key.

The Payment Card Industry recommends that, to minimize risk, companies first get rid of any stored payment card data that isn’t truly required for the business. By limiting occurrences of encrypted data to a central vault, hotels can reduce the number of systems, applications and processes where payment card numbers are stored, with the added advantage of reducing the scope and cost of compliance audits. Tokenization takes that “footprint reduction” concept one step further while also adding another level of security. These are the key reasons the technology is gaining traction with CISOs in the retail industry and with industry analysts who follow security technology, and it offers the hotel industry the same benefits.

What’s more, in a new variation of tokenization, called Format Preserving Tokenization™, the token uses the same amount of storage as the original clear text data instead of the larger amount of storage required by encrypted data. This reduces data storage requirements and preserves storage space on point-of-sale systems. Format Preserving Tokenization can also be used to protect any type of personal information required by hotel loyalty programs or by regulations in other countries, such as passport numbers, without modifying data fields.
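As an added illustration (not code from the original post or from nuBridges’ product), the flow described above in Python: a token that keeps the card number’s length and last four digits but is otherwise random, the encrypted value held in one central vault, and detokenization gated on the calling application being authorized. The HMAC-SHA256 keystream stands in for a real authenticated cipher such as AES-GCM, and the vault key for one supplied by centralized key management; both are assumptions of this demo.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with an HMAC-SHA256 counter keystream.
    Stand-in for a real authenticated cipher (e.g. AES-GCM) so the demo
    runs with the standard library only; the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class TokenVault:
    """Central vault: the only place where encrypted card numbers live."""

    def __init__(self, vault_key: bytes, authorized_apps):
        self._key = vault_key            # assumed to come from central key management
        self._authorized = set(authorized_apps)
        self._store = {}                 # token -> (nonce, ciphertext)

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving surrogate: same length, same last four
        digits, random otherwise, so it cannot be reversed without the vault."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            token = "".join(secrets.choice("0123456789")
                            for _ in range(len(pan) - 4)) + pan[-4:]
            # reject a collision with a live token or with the real PAN
            if token != pan and token not in self._store:
                break
        nonce = secrets.token_bytes(16)
        self._store[token] = (nonce, _keystream_xor(self._key, nonce, pan.encode()))
        return token

    def detokenize(self, token: str, app: str) -> str:
        """Only authorized applications may exchange a token for the full PAN."""
        if app not in self._authorized:
            raise PermissionError(f"{app} is not authorized to retrieve cardholder data")
        nonce, ciphertext = self._store[token]
        return _keystream_xor(self._key, nonce, ciphertext).decode()


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), authorized_apps={"billing"})
    tok = vault.tokenize("4111111111111111")  # constructed test card number
    print(tok, vault.detokenize(tok, "billing"))
```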

Localized encryption is the default when hotels in the chain are not always connected to a central data vault. In instances where hotels are electronically connected to the data vault, tokenization may be the best solution. For many hotel companies, using a combination of localized encryption and tokenization along with centralized key management is the most practical approach for protecting cardholder and personal information.

Data Security Best Practices for Hotels and Resorts

With over one-third of all cyber attacks last year aimed at hotels and resorts, it is clear that the hospitality industry offers a fertile hunting ground for cybercriminals looking for an easy score. For this reason, many hotel companies are instituting data protection policies throughout their corporate and franchised properties. (Note: To guide hoteliers in setting up data security programs, Hotel Technology Next Generation (HTNG), a nonprofit industry association, recently published a data security standard.)

To restore consumer faith, it’s imperative that hotel companies leapfrog the industry in better securing consumer data to protect guests and their brands. Here are a few best practices to consider:

  1. Go beyond PCI DSS — PCI compliance is an important first step to an effective data security program, but even PCI compliant companies can be breached. Go beyond PCI DSS compliance by taking a strategic approach to data security that protects both cardholder information and PII across the enterprise on a daily basis.
  2. Educate — Develop a program to educate employees and franchisees on corporate data security. This program should be given to new employees and franchisees with mandatory periodic refresher courses. Investigate services that create and offer Web-based custom courses to make education easier to conduct and manage.
  3. Revise Franchise Contracts — Consider revising franchise contracts to require adherence to the corporate data security program.
  4. Restrict Access — Take steps to restrict access to physical confidential information and render data useless to unauthorized employees by using encryption or tokenization, or both, and centralized key management.
  5. Audit, Audit, Audit — Security is an ongoing problem. Audit your security practices frequently to identify potential vulnerabilities so they can be remediated quickly.

Hotels and resorts have unique data security challenges that often extend across geographic borders. Setting up a comprehensive, ongoing data protection program that goes beyond PCI DSS compliance to secure all types of confidential guest information—from the instant it’s collected until it’s destroyed—and extends throughout the enterprise to include franchises is imperative to keeping your hotel from becoming a breach statistic.

About Robert Cole

Robert Cole is the founder of RockCheetah, a hotel marketing strategy and travel technology consulting practice. He also authors the Views from a Corner Suite Blog and publishes the Travel Quote of the Day. Robert speaks regularly at major travel industry conferences, authors articles for leading travel industry publications, advises travel-related startups and the equity investment community. He is an evangelist for the global travel industry.