PCI DSS Compliance: Just Whose Responsibility is It?

Every hospitality organization globally, regardless of location, size or business type, that accepts credit and/or debit cards is required to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI Standard covers the collection, storage, transmission, and use of customer and account information embedded in these cards. The first PCI question organizations face is to whom the compliance responsibility should fall.

A shared responsibility
Unfortunately, to many hospitality business executives, PCI compliance is viewed solely as a technology-related matter, which fails to take into account the bigger picture. While it is true that the information technology (IT) team should be actively involved, the responsibility must be shared throughout the organization and owned by the firm's top executives. Here's why:

  • Hospitality organizations have a duty to their guests to provide reasonable care in protecting them. Given the importance of IT in the hospitality industry today to manage operations and process guest transactions, it seems only logical to assume that this duty should also extend to protecting guest data passing through the organization. In many respects, one should view information security as an invaluable and expected guest service. Although guests do not specifically request it, they reasonably assume that a hotelier will exercise reasonable care to make sure that any information collected about them, including PCI data, will be properly handled and secured.
  • Successful hotels establish a culture of guest service in the hotel enterprise. Management needs to create and reinforce a culture of information security as a component of the service ethic. This leadership needs to start at the top of the organization and be accepted across the company. Deploying information security vertically, from within the IT department alone, will not drive a culture change.
  • Becoming compliant is much more involved than securing systems, tightening up password control, encrypting data, and adding firewalls to the company's computer network. These are all necessary information security precautions and part of compliance, but they represent only a subset of the compliance requirements. Compliance also covers data stored in paper-based files, such as credit card imprints on the back of registration cards. Simply put, all data, regardless of format, used throughout the organization must be safeguarded, and the compliance manager needs to reach across the company.
  • Many security breaches are the result of manual processes, poor business practices, insufficient training, lack of policies, human misconduct, and sometimes just plain staff carelessness (for example, writing a password on a Post-It note and sticking it on the computer monitor).
  • Failure to comply fully can result in significant financial costs, legal battles and catastrophic business consequences, which could lead to business failure and career termination, and not just for the IT staff.
  • Your reputation is at risk. Consumers want to do business with organizations they can trust. PCI compliance is about managing reputation and reducing risk, two topics important to every business executive. Should a hospitality operator experience a payment card breach of any scale, the media will broadcast the failure to protect customer data to the world. Just ask Best Western, where an alleged breach in a single hotel was inflated by screaming media into broad statements that every guest, past and future, had their data stolen.
  • It's the smart thing to do! The core elements of the PCI are simply good business practices that every hospitality merchant should accept as common sense. Securing a firm's assets, no matter the type, should be a high priority of every top business executive.
The very essence of PCI compliance involves knowing the business; that is, understanding what sensitive guest and payment card data are collected, where they are collected, by whom, how they are used and processed, the storage and transmission of these data, and how these data are disposed of after they have outlived their business usefulness. PCI compliance is about protecting and securing every facet of one's business and should focus on people, processes, and technology, not just the technology. Perhaps the best way to get a handle on how your organization works and its information flow is to follow the money!

All said, one must view security and PCI compliance as an important business function and not simply as a task for one's IT department, even though IT can be both part of the problem and part of the solution. Information security is the responsibility of the entire management team and staff in every hospitality organization, so make it so. Remember, your brand reputation depends on it.

Daniel J. Connolly, Ph.D. ([email protected]) is an associate professor of information technology at the University of Denver's School of Hotel, Restaurant and Tourism Management. Mark G. Haley, CHTP ([email protected]) is a partner at The Prism Partnership, a hospitality technology consulting firm based in Boston, MA. This article was adapted from a primer they recently authored entitled The Payment Card Industry Compliance Process for Lodging Establishments, published by the American Hotel & Lodging Association. Copies are available through the American Hotel & Lodging Association (