How Accor Ensures Its Properties are PCI DSS-Compliant

With more than 5,000 properties globally, Accor trains and educates hotel staff on the importance of securing credit card data via a partnership with VigiTrust.
Michal Christine Escobar
Senior Editor, Hotels
PCI DSS Compliance

With 5,000 properties in more than 100 countries, Accor’s VP of Compliance – Marie-Christine Vittet – has her hands full ensuring that all properties are PCI DSS-compliant. But Vittet has been successful due to her close partnership with Integrated Risk Management provider VigiTrust.

“PCI applies everywhere around the world,” Vittet explains. “Without tools, processes, people, and management, we would not be able to successfully do it. So, the first thing we needed to do was to find a partner to assist us.”

That’s exactly what happened when Vittet and Mathieu Gorge, CEO and Founder of VigiTrust, first met in 2012 during a PCI Community Meeting in Paris.

“When we first met, we started talking about the education of hotel staff,” Gorge said. “Then we moved on to looking at how do we manage policies and procedures and looking at how do we make it easier for hotels to prepare for and validate compliance with PCI. Then over the years, we realized that validating PCI was not enough. We needed to maintain PCI, and we needed to make sure that this was an ongoing process and that the training was being updated on a regular basis.”

Why is there such a need for ongoing training?

“A hotel manager is not a cybersecurity expert or a payment expert,” Vittet explains. “She is a hospitality expert.”

Thus, a large part of Vittet’s job and partnership with Gorge is to figure out how to simplify cybersecurity terms and PCI jargon into a training module that uses language that hotel staff will understand. In particular, Gorge and Vittet have worked to create training modules that mimic areas within the hotel where payments are processed: the lobby, the bar, the spa, the restaurant, the gym, etc. And the training modules are branded to ensure that Accor employees feel that the training they’re receiving is meant specifically for them and their business.

Of course, most employees aren’t fans of change, which is why the training modules are so important.

“We used to receive copies of credit cards by fax or scan, which as you might imagine, isn’t exactly secure,” Vittet explains. “But our job is to explain why it isn’t secure and provide real world examples of how that payment data can be compromised and how that breach can affect the Accor brand. It’s also our job to provide them with a safer alternative such as a secure webpage.”

Gorge agrees, noting that staff members often need to be educated that credit card data is just as valuable to a bad actor whether it’s accessed as a photocopy of the card sent in the mail, a picture of the card emailed to the hotel, or data stored on the PMS.

“When we’re able to get hotel staff to understand the value of that information and why it needs to be protected, it makes a real difference. Even if a guest has an amazing experience at the hotel, if their credit card ends up getting compromised, they may not ever return to that brand,” Gorge adds.

So to ensure that her team’s hard work is being taken seriously by hotel staff, Vittet has created a series of Key Performance Indicators (KPIs) to measure the hotel’s progress and provide statistics for internal stakeholders.

Accor also provides risk assessments for hoteliers to fill out. The questionnaire is generally about 15 questions long. Based on the responses each hotelier provides, Vittet’s team will respond with areas where the hotel can improve. Vittet’s team also asks hoteliers to check their payment terminal equipment every two days. Each time they check it, that gets recorded and counts toward their KPI.

“My motto is: ‘We work hard to protect customer data because we would rather prevent the data breach from happening than have to repair the damage caused by a possible attack,’” Vittet says.