Three Keys to Protecting Guest Credit Card Data

As the hospitality industry prepares to usher in the new year, hoteliers around the world are hoping that momentum from 2014, which included notable Revenue per Available Room (RevPAR) gains for many, will continue into 2015. Cloud, analytics and big data will remain top-of-mind for most organizations, as will security, particularly in relation to both the cloud and protecting guest credit card information.
With the increasing frequency of data breaches across the U.S., the hospitality industry is taking extra precautions to ensure the protection of guest credit card data. One method of protection, among many other options, is chip-and-pin technology. Already widely utilized throughout Europe and Canada, chip-and-pin technology will replace the standard magnetic strip scanning and receipt signing process that credit cards have relied on for years in the U.S. Card readers can now detect a small embedded chip, which must also be accompanied by the cardholder’s entry of a personal identification number (PIN) for a transaction to be authorized.
This system is much more secure in preventing fraudulent purchases because it greatly reduces the likelihood that a stolen or cloned card will be accepted by a merchant due to the unique chip, and the fact that potential thieves must know the PIN in order to utilize it. According to the United Kingdom Payments Administration, in-store credit card fraud fell from 218.8 million pounds in 2004 to 98.5 million pounds in 2008 due to the use of this technology.
Following in the U.K.’s footsteps, by October of 2015 American banks and credit card companies that issue chip-and-pin cards will no longer bear sole liability for fraudulent charges. Hoteliers should take steps now to improve data security and ensure preparation for this transition, as companies are expected to invest in solutions that read the chip and capture the guest’s PIN for validation.
Infor offers the following tips to help hoteliers prepare for chip-and-pin technology and enhance overall credit card security:
  1.  Start with a foundation of secure data.
Before taking advantage of options to keep newly acquired data more secure, hotels must recognize that they most likely already have a great deal of customer credit card data that could be monetized by a thief. This means that a guest could be entitled to compensation from the hotel or casino if their information was compromised through one of the organization’s systems. Hoteliers should make certain that security investments are first on the priority list for technology resource allocation in 2015 to ensure they are not held as the responsible party.  
  2. Ensure that business applications have the functionality to “tokenize” data.
Hotels and casinos should check with vendors to determine if existing systems have the ability to completely separate credit card information from transactions, storing only a “token” alongside other data. This reduces the likelihood that guest information will be misused, as credit card numbers cannot be stolen from the system if it is breached by an outside party. Keep in mind, chip-and-pin technology alone is not sufficient to prevent data theft. Information can still be accessed and cloned, and used at another merchant that does not employ chip-and-pin credit card readers, if the data is not tokenized. Organizations in the process of implementing new applications that may store credit card information should include this as a primary selection criterion when choosing the new system.
  3. Take extra precautions if data is stored in the cloud.
According to Hospitality Technology’s 2014 Lodging Technology Study, migration to the cloud continues to increase in popularity for the hospitality industry, with 35 percent of hotel and gaming companies planning to move their property management system off-premise within the next eighteen months. For companies that choose this route, even more steps should be taken to ensure the security of guest data. Hoteliers should question their vendor’s security strategy, development methods, infrastructure requirements, and ISO-27001 compliance before moving to the cloud or if their system is already hosted by a technology provider. Ensuring the necessary precautions are in place prior to the occurrence of an incident can save companies from the unforeseen expense of reimbursing a guest in the event of compromised security.
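To make the tokenization tip above concrete, the following added example (not from the original article or from any vendor's product) shows a business record that stores only a token and the last four digits, plus a check a hotel could run over existing records to find card numbers that were never tokenized. The `TokenVault` class, the `make_folio` helper and all field names are hypothetical, and the sample records are constructed.

```python
import re
import secrets

PAN_LIKE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the isolated service that alone holds card numbers."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenize(self, pan):
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
            self._token_by_pan[pan], self._pan_by_token[token] = token, pan
        return self._token_by_pan[pan]

    def detokenize(self, token):
        return self._pan_by_token[token]  # only the payment path should call this

def make_folio(vault, guest, pan, amount):
    """Build the record the business application stores: token and last four only."""
    return {"guest": guest, "amount": amount,
            "card_token": vault.tokenize(pan), "last4": re.sub(r"\D", "", pan)[-4:]}

def find_card_numbers(records):
    """Return (record index, field) for every value holding a Luhn-valid card number."""
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            for m in PAN_LIKE.finditer(str(value)):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    hits.append((i, field))
    return hits

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample data; 4111 1111 1111 1111 is a well-known test card number.
    legacy = {"guest": "A. Guest", "amount": 250.0, "card": "4111-1111-1111-1111"}
    folio = make_folio(vault, "A. Guest", "4111 1111 1111 1111", 250.0)
    print(find_card_numbers([legacy, folio]))  # only the legacy record is flagged
```

A copy of the tokenized records alone gives a thief nothing that can be used at another merchant; the vault is the single system that needs the strictest access control and monitoring.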
The shift to chip-and-pin technology is beneficial for both guests and hoteliers in the long run, as it is designed to protect both parties from liability. It also encourages organizations to take a closer look at how to improve data security as a whole. Rather than viewing technology as something that creates potential security threats, the U.S. hospitality industry can rely on technology to protect both its companies and its customers by following the three guidelines outlined above.