Major Hotel Groups Join Forces to Secure Credit Card Data
At least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data. Intended to dramatically improve the security of credit card processing by and for hotels while significantly reducing costs, the effort has been chartered as a working group of the non-profit trade association Hotel Technology Next Generation (HTNG).
A Unique Security Challenge Requiring an Industry Solution
Hotel credit card transactions are more difficult to secure than in other industries. During the hotel reservation process, sensitive data must often flow across systems controlled by several different companies -- and must be stored for weeks or months, until the guest departs and the final bill has been settled.
Each company in the reservation process typically uses a different approach to securing sensitive credit card data. As a result, standard security approaches such as tokenization, which can provide excellent security when a single company controls the systems, cannot easily be used for transactions that move across systems controlled by multiple companies, as routinely occurs with hotels. Tokenized (secure) card numbers typically cannot be deciphered by anyone other than the company that created them. This means that systems must transfer actual credit card data instead, exposing systems at both ends of each transfer to increased risk of hacking and theft.
Outline of the Solution
While major hotel companies have invested heavily in security within their own systems, they have no control over the hundreds of third-party systems that may touch their reservations prior to guest arrival.
Top hotel security executives met several times to discuss this problem as the HTNG Secure Payments Framework effort took shape during August and early September. Early discussions indicated a broad agreement that a single industry framework is needed, and that the framework needs to work with existing security approaches in place at major hotel companies and in commonly used systems. There was also agreement on the key elements needed for the industry framework. The group intends to document this framework conceptually in a white paper that will form the basis for subsequent standards development.
“Every major hotel company is working to get as many of their systems as possible out of the scope of the Payment Card Industry Data Security Standards (PCI-DSS),” said Douglas Rice, CEO of HTNG. “Most of these companies have focused on solutions based on tokenization, and many have implemented them or are in the process of doing so.” Tokenization is a process whereby sensitive card data is stored in a single secure location, which may be operated by a hotel brand, a payment gateway or another third party, and replaced in hotel systems by substitute “tokens.” The tokens can be used to complete the transaction, but are useless if intercepted electronically by a thief.
This new effort will leverage hotel companies’ prior investment in tokenization efforts, adding a layer of security that will enable those solutions to be extended to unrelated parties that may be involved in transactions, such as online travel agencies, global distribution systems, switches, channel management systems, central reservation systems, management companies, independent hotels, payment gateways, swipe devices, and other parties. “The approach is intended to enable the tokenization of card data by the first system that touches the reservation,” said Rice. “The sensitive data will remain stored in a secure vault, and all of the other systems will simply pass along the token in place of the credit card. The hotel itself can then submit the token to its token provider or gateway to complete the card transaction. The card data itself need never touch a hotel system.”
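To make the flow described in the two paragraphs above concrete, here is an added illustration that is not HTNG's or any hotel company's code. It models a single token vault that the first system touching a reservation uses to swap the card number for a random token; every downstream party (GDS, switch, CRS, hotel property system) handles only the token, and the hotel's gateway is the only party allowed to resolve it at settlement. It also shows the point made earlier on the page that a token issued by one company's vault cannot be deciphered by another vault. The vault names, party names, authorization model and the sample card number (a standard test number) are all constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed sample card number: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check; a vault should reject malformed input before storing it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the single secure location holding real PANs.

    Tokens are random, not derived from the PAN, so an intercepted token
    carries no card information and cannot be reversed without this vault.
    """

    def __init__(self, name: str, authorized_parties: set[str]):
        self.name = name
        self._authorized = set(authorized_parties)
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        token = f"{self.name}:{secrets.token_hex(16)}"
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, party: str) -> str:
        if party not in self._authorized:
            raise PermissionError(f"{party} may not detokenize at {self.name}")
        if not token.startswith(self.name + ":"):
            # A token issued by another company's vault means nothing here.
            raise KeyError("token was not issued by this vault")
        return self._pan_by_token[token]


@dataclass
class Reservation:
    guest: str
    card_token: str
    handoffs: list = field(default_factory=list)


def pass_along(reservation: Reservation, parties: list[str]) -> Reservation:
    """Each intermediary records the handoff; only the token travels with it."""
    for party in parties:
        reservation.handoffs.append({"party": party, "card_ref": reservation.card_token})
    return reservation


def settle(vault: TokenVault, reservation: Reservation, amount: float, gateway: str) -> dict:
    """At checkout the hotel's gateway resolves the token and charges the card."""
    pan = vault.detokenize(reservation.card_token, gateway)
    return {"guest": reservation.guest, "amount": amount, "card": "*" * 12 + pan[-4:]}


def run_flow() -> dict:
    """Walk one reservation from first touch to settlement and report what leaked."""
    vault = TokenVault("vaultA", authorized_parties={"hotel_gateway"})
    token = vault.tokenize(SAMPLE_PAN)              # first system tokenizes
    res = Reservation(guest="J. Doe", card_token=token)
    pass_along(res, ["gds", "switch", "crs", "hotel_pms"])
    receipt = settle(vault, res, 412.50, gateway="hotel_gateway")

    pan_seen_downstream = any(SAMPLE_PAN in str(h) for h in res.handoffs)
    try:                                            # an intermediary cannot resolve it
        vault.detokenize(token, "gds")
        intermediary_rejected = False
    except PermissionError:
        intermediary_rejected = True
    other_vault = TokenVault("vaultB", authorized_parties={"hotel_gateway"})
    try:                                            # another company's vault cannot either
        other_vault.detokenize(token, "hotel_gateway")
        foreign_vault_rejects = False
    except KeyError:
        foreign_vault_rejects = True
    return {
        "handoff_count": len(res.handoffs),
        "pan_seen_downstream": pan_seen_downstream,
        "intermediary_rejected": intermediary_rejected,
        "foreign_vault_rejects": foreign_vault_rejects,
        "receipt": receipt,
    }


if __name__ == "__main__":
    print(run_flow())
```

The random token is the design choice that matters: because it is not a cipher of the card number, there is no key to steal, and the only asset worth protecting is the vault's lookup table, which stays inside one company's PCI scope.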
Once defined, the Secure Payments Framework for Hospitality can be communicated by supporting hotels to their technology and distribution partners, management companies, franchisees, payment gateways, tokenization providers, and other parties. Interoperability standards will be developed (or existing standards enhanced) to support the framework. A key design consideration is that the framework should augment rather than replace existing tokenization approaches in use or in the process of implementation at several major hotel brands and in commonly used hotel systems.
Hotel Participation
Many of the world’s largest hotel companies have indicated their intention to participate in the effort to define the framework; others are now invited to join as the workgroup formally launches. Technology providers, distribution partners, and payment processors will not be able to participate directly in the framework development phase, but may engage with their customers who are represented on the workgroup to ensure that their interests are considered. They will also have the opportunity to participate in the actual development of solutions and standards in subsequent phases.
The Secure Payments Framework effort was created at the request of HTNG’s board of directors, which consists of CIO, CTO and similar senior-level IT executives from leading hotel groups in the Americas, Europe, Asia, and the Middle East. These executives coordinated the involvement of their companies’ senior IT security executives and their teams, many of whom collaborated to create the workgroup’s charter. Key IT security executives from the following companies have confirmed their intention to participate to date:
- Accor
- Delaware North Companies
- Fairmont Raffles Hotels International
- Hilton Worldwide
- Hyatt Hotels Corporation
- InterContinental Hotels Group
- Jumeirah Group
- Kempinski Hotels
- The Marcus Corporation
- Mandarin Oriental Hotel Group
- Marriott International
- Maybourne Hotel Group
- Meliá Hotels International
- Omni Hotels
- Starwood Hotels & Resorts Worldwide
- Taj Group of Hotels
Additional hotel companies are invited to join the effort, and other HTNG members may subscribe to the workgroup’s mailing list to monitor progress. During an initial 30-day period, signup will be open for any HTNG member hospitality company. Technology and payment service providers will not be eligible to participate in the development of the framework, but will have the opportunity to join during later phases to help develop the necessary standards.
Timeframe and Deliverables
The effort will be structured as an HTNG workgroup, which will meet on a weekly basis to develop and document the framework in a white paper within approximately four months. The project will include the identification of specific efforts that may be needed to develop or adapt interface standards to support the framework. HTNG expects that these standards will be developed during the first half of 2012.
For More Information
Visit HTNG’s Credit Card Security page at http://www.htng.org/credit-card-security for more information about how to join this effort or monitor proceedings, and for other information on hotel credit card security.