Hospitality PCI Myth no.1: Hospitality is different and needs a special (i.e. reduced) set of security requirements

As the initial excuse for not following the PCI regulations, some hospitality professionals keep emphasising that hospitality is different from other industries in the way it operates and thus requires a special set of requirements, issued by the Payment Card Industry (PCI), governing the storage and transmission of credit card data.

Unfortunately, to date I haven’t found any explanation as to why hospitality should be any different from other verticals in terms of respecting the contractual obligations agreed with the acquiring banks, or the other generally applicable laws and regulations that impose data security requirements on companies. The only, and frankly shameful, argument supporting the statement that “hospitality is different” is that hotels and restaurants accounted for by far the largest share (approximately 40%) of credit card breaches in 2010 out of all industries.

The position of the acquiring banks and QSAs is, however, very simple: if businesses don’t need to store or process credit card data, they should avoid doing so. By eliminating the storage of sensitive data and its processing through internal systems, hotels can elegantly get around the requirement to implement strict operational and information technology security controls. If, however, hotels insist on using credit cards as a guarantee for no-shows or late charges, on simplifying the guest experience by keeping the preferred payment details stored within the guest profile, or on using the card as a matching identifier in the loyalty system, then, like any other merchant, they need to work towards conforming to the PCI DSS type D self-assessment questionnaire.

Let’s not see information security and compliance in a purely negative light. After all, implementing solid data security practices also has positive sides to it, to name a few:

  1. It gives hotels the opportunity to review and optimise the internal processes and systems in use, which consequently leads to an improvement in staff productivity
  2. Better protection of other digital assets, such as company secrets (strategy papers, accounting records) and sensitive data required for compliance with local legal requirements (data privacy protection)
  3. Compliance with data security regulations is an investment that reduces operational risk and thus increases the company’s overall market value

Let’s roll up our sleeves and take up compliance as an opportunity to work towards improved controls and productivity! I am positive we will see positive returns along the way!


About Jan Popovic
Director IT Infrastructure, Operations and Security
