Are you staying in a Non-PCI compliant hotel?
When you look for a hotel, the decisive factors are typically things like the price point, the quality of the room, and the ultimate deal maker/breaker: whether they have free WiFi. One of the last things on your mind in the decision-making process is whether or not your prospective hotels are going to handle your personal data with the appropriate level of security. Should it be?
If you’re staying in a hotel for any (legitimate) reason, chances are you’ll be paying with a credit card. Multiply that by the number of guests who stay in the same hotel in a given year and you’re looking at a stockpile of guest credit card information sitting in that hotel’s database. And like bees to honey, that hotel will end up attracting the bug-eyed glares of a most unwelcome group of people: hackers.
According to the 2014 Verizon Data Breach Report, the accommodation industry was the 4th most frequently breached industry last year, with a total of 137 incidents reported. This is no strange coincidence; hackers are learning fast that certain industries are less well protected and yield greater rewards.
Hospitality is a $457 billion industry, and it’s hard to imagine a hotel’s cybersecurity system being as airtight as a bank’s. In addition, many hotels are part of global brands which tend to standardize their computer systems, meaning that if you manage to exploit a vulnerability and hack into one location, you’ve just hacked into every other hotel in the group too.
Every year Ground Labs sponsors HITEC, which is the largest single gathering of technology and revenue experts from the hotel industry. Our team always has very interesting discussions with hotel property managers who are still trying to figure out data security across their fleet of hotels, often spanning multiple different brands. Needless to say, security of credit card information is a real challenge and something the hospitality industry hasn’t solved yet.
Dell Secureworks states that hackers can make between $4-28 per stolen credit card record, depending on the issuing card brand, country of origin, and amount of personal information included. The extra personal information can be procured in a variety of ways, such as by using RAM scraping malware to steal data every time a card is swiped for a transaction, or if your personal data is being illegally collected by the hotel when they double swipe your credit card.
Using Enterprise Recon, a well-respected hotel group in London found a non-compliant application supplied by their payment processor was storing a full copy of every credit card transaction processed on their Windows desktop computers. This was occurring even after their payment processor had given assurances that the software was PCI compliant. This is just one story, and there are dozens more we know of, and probably thousands more we don’t know about.
So what can you do about it? Unfortunately, aside from paying in cash, there are no proactive measures available; you can’t exactly call up a large brand and ask the front desk for a copy of their PCI Report On Compliance (ROC).
For cardholders, it’s a matter of keeping an eye on your credit card statement every month for fraudulent transactions. In the event that credit card data is stolen without your knowledge, you are not liable for those transactions and will be entitled to claim the money back from your issuing bank.
In the hope that it doesn’t have to come down to that, it’s every hotel’s responsibility to safeguard sensitive guest data. The PCI DSS offers a set of guidelines for building a secure system, covering all aspects of operational and tactical security, including encrypting or deleting cardholder data that is being stored on the hotel’s network. Many hotels have demonstrated compliance with the standard at some point in time, but it’s up to the hotels to stay vigilant and constantly monitor their systems for vulnerabilities and threats. There are over 17,500,000 hotel rooms in the world, which equates to 6,387,500,000 room nights to sell each year, and that’s a lot of potential credit card numbers being stored.
It’s the same task faced by every company that deals with sensitive customer data, and although the cost and effort required to stay secure are not small, you’ll find that the penalties of becoming the next big data breach heavily outweigh them.
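A minimal version of the stored-cardholder-data discovery described above, added here as an illustration and not Ground Labs’ or Enterprise Recon’s own code: it scans text for digit runs that look like card numbers, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits. The log lines are constructed for the example and use publicly known test card numbers.

```python
import re

# Constructed sample: the kind of transaction log a non-compliant payment
# application might leave on a front-desk PC. All card numbers are public
# test PANs; the reservation number and phone number are decoys.
SAMPLE_TEXT = """\
2014-03-02 19:41 AUTH OK  card=4111 1111 1111 1111 exp=12/16 amt=189.00 GBP
2014-03-02 19:42 AUTH OK  card=5555-5555-5555-4444 exp=03/17 amt=95.50 GBP
2014-03-02 19:44 AUTH OK  card=378282246310005 exp=09/15 amt=412.00 GBP
2014-03-02 19:45 DECLINED card=4111 1111 1111 1112 exp=12/16 amt=60.00 GBP
reservation=1234567890123456 guest phone=020 7946 0958
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# a window cut out of a longer digit run (the lookarounds reject that).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: true for every real (and test) card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for each Luhn-valid candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_TEXT):
        print(f"line {line_no}: stored PAN {masked}")
```

A real scan would walk files, databases and memory rather than one string, but the candidate-then-Luhn filter is what keeps phone numbers and reservation references out of the findings.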
After all, who wants to stay in a hotel that doesn't look after your personal information?