By: Andrew Carey
As hoteliers, we spend our days focused on providing a safe, comfortable refuge for our guests while meeting the challenges of the day. We provide beautiful common areas to gather and commune; we design rejuvenating guestrooms; we care about our customers’ wellbeing. But, at the present, we are leaving our sensitive data out for the taking.
Over the past 20 years, the hotel industry has gone through a tremendous evolution with regard to its product offerings. We now have hundreds of brands across numerous segments in response to our customers’ highly diversified range of interests. Yet many of us have not changed how we handle data collection and management, and this presents a security risk. I do not believe that this is due to a lack of desire, however, but rather a lack of understanding.
We need to adapt our traditional practices to protect all data – guest, associate/employee and property. Gone are the days of imprinting reg cards with credit card data or other personal information. Our old authorization forms filled with personal and financial data are in dire need of a massive revamp. The current tools at our disposal have been adapted to allow for a more secure means of handling data, but many of our daily practices have not been updated.
Case in point, in the past 18 months, numerous hospitality companies have fallen prey to cyber-crime. Notably, Hyatt, Hilton and White Lodging have been cited in the news for having data breaches. As you can imagine, the impact of a data breach can be devastating to both the individual as well as your firm.
Specifically, if your company suffers a data breach, you are then liable for a long series of investigations, notifications and restitutions that can run into the millions of dollars, not including the impact to your brand image. Cyber security is a topic that cannot be brushed aside.
Despite these dire outcomes, we can mitigate the exposure and improve our overall business practices. Our policies and procedures need to be updated around two primary items – physical security and digital security, or Paper and PC in layman’s terms.
To protect your guests, associates and business, you must have a fully detailed plan describing how to securely manage all information that your hotel processes as well as how your business will address any breach. Equally critical, your associates all need to be trained on these policies – it’s a practice that must permeate every department.
From a paper standpoint, we are best served by never taking or retaining paper copies of credit cards or other personal data. Take information over the phone and enter it directly into a secured PMS or POS. Do not provide forms where associates or guests have the option of writing down credit card numbers. In the event that forms are received with sensitive data, transcribe the information and shred the originals.
I know that many consider this advice impractical. How do we resolve chargebacks or other financial disputes? My first response is to not fight these items. The impact of a breach far exceeds anything won in a dispute.
If necessary, however, all sensitive data must be locked in a safe location with highly restricted access. Preferably, the lock is digital so it can show who has accessed the data.
Furthermore, we can no longer leave binders with sensitive data lying on our desks, book shelves or front desks as they are too easily stolen. Build a protocol and train your staff so that all written records are monitored at all times.
For digital security, the prescription is easier to understand yet harder to implement. The systems we use in Newport Hospitality Group-managed properties must be cleaned and monitored end-to-end, from keyboard to USB port to card swipe.
As a credit card vendor, you must fill out a complex and lengthy PCI Self-Assessment Questionnaire annually. We are experts in the guest experience, not technology architects, so how do we know where to start? Just as you would not act as your own attorney in a lawsuit or compile your own CPA reports, you do not need to take this task on unassisted. Leave it to the experts.
The Payment Card Industry Security Standards Council has a very detailed website to guide you planning. Type PCI SSC into any web search and you will find their site. Spend time reading through their literature to understand how you can secure your business.
You owe this research time to your guests and associates. Your company is already liable for any loss of data, so ignoring the issue will not make it go away. The best approach to mitigating your exposure and securing data is to become educated. You and your associates work hard to provide a safe, welcoming and secure home to your guests…doesn’t their data deserve the same respect?
(Published in eHotelier on May 11, 2016)