How Smart Hoteliers Can Keep Hotel Guest Data Safe

Payment innovation and security remain top of mind for hoteliers as they eye 2018 and 2019 investment plans. Here Christian McMahon, Director of Product Management, Merchant Link, offers insights on how hotels can take steps to remain ahead of the curve in both advancements and security.

Roughly 29% of hotels are planning on adding or making changes to mobile payment software in 2018. As hotels roll out mobile payment initiatives, what precautions should they take to safeguard their guests? How does enabling mobile payments differ from regular payments?

CHRISTIAN MCMAHON: In an effort to speed up the check-in process, connect with the mobility generation, and keep pace in the technological arms race, hoteliers have been trying to increase their mobile payment footprint. Mobile solutions can take the form of mobile PMS hardware peripherals, customer mobile apps that are downloaded, and alternative payment methods (such as PayPal and AliPay).

In order to support mobile payments, hoteliers should understand the requirements these technologies and methods need to support and how they affect their business processes and operations. For example, mobile devices should support the ability to accept EMV chip reads, support encrypted messaging, and be fast. Customer downloadable apps need to be delivered securely.

New payment methods should be evaluated on how they affect current business processes and operations. Many of these new payment methods support prepayment of stays very well, however, some may not support incremental authorizations very well, present challenges to guest loyalty data requirements, or affect current end of night reconciliation processes. A change of handling of these products may be necessary to avoid any process disruption.

Less than half of hotels (42%) have yet to implement EMV terminals. What is holding hotel companies back from rolling out EMV, and how would you recommend hotels and vendor partners address this?  

MCMAHON: Hotels have similar challenges as other business with deploying EMV, however, there are some unique challenges. As part of the pre-deployment process, most businesses have to choose the right equipment and payment entry device (PED), potentially have to change banking information, choose EMV processing options, make network and wiring changes, ensure partner installation resources are available, and define the day of transition processes.

Hotels, however, typically have very complex system and physical environments that make these challenges more difficult. One of the simplest issues revolves around choosing which PED is right to support hotel operations. One device likely will not meet these needs. Hotels with property management systems typically have front desk, back office accounting, call centers, catering, and outside venues, that take credit cards. Some may need to process the EMV chip, some may not. Prior to installing EMV, hotels should educate and document the card entry needs and which devices are required at each outlet. Accurate information at the start of the process will make transitions easier.

Improving data and payment security remains a top strategic goal for technology, which is understandable as hotels remain a soft target for hackers. What makes hotels such a prime target for breaches and how should operators respond to modern threats?

MCMAHON: In general, and by no fault of their own, hotels handle and store more credit card data than most businesses. The simple act of checking in and checking out over multiple days requires that hotels and the computer systems that manage operations retain credit card data longer than most businesses. Furthermore, credit card secured reservation bookings can often be made days, weeks, or months in advance. Customer loyalty profiles also often require a credit card for identification as well as a payment credential.

Finally, hotels often personalize their customer's stay by keeping information on past stays. One of the identifying pieces of information can be the credit card number. It is important to identify these and other sources of credit card data to properly secure the networks, systems, and databases this data traverses. Once identified, hoteliers can then deploy the requisite security measures and create the processes needed to reduce vulnerability.