Little Hotelier Resource Hub

Handy business resources for small accommodation providers

The Data Breach Threat: How Small Hoteliers Can Protect Their Guests

Tuesday, May 19th, 2015

Data breaches are a concerning and damaging threat to all kinds of industries and businesses worldwide.

In a cyber attack, hackers take all types of sensitive information from hotels – anything from email addresses to home addresses and credit card data.

Bob Russo, GM of the PCI Security Standards Council, said in recent years the hotel industry has been particularly vulnerable to cyberattacks.

As a small accommodation provider, here’s what you need to know to protect your guests’ sensitive data.

Why are hotels being targeted for data breaches?

Hotels and bed and breakfast properties have been key targets of data breaches for many years – and there is one main reason for this: credit card payments.

A study by Trustwave’s SpiderLabs showed that of 218 data breach investigations from 24 countries, 38 percent of the attacks occurred on hotels and, of the data stolen, 98 percent was credit card information.

The security breach happens online, because that’s where your guests are making their bookings, or where your front desk staff are making bookings on their behalf.

Unfortunately, going ‘off the grid’ isn’t a feasible solution to the issue – the online space is too big to ignore. According to data from payment systems industry information provider Nilson, credit card use in the U.S. will jump by 42 percent from 2012 to 2018, accounting for $120 billion in transactions.

Seeing as hotels process countless credit card payments every day, it’s important to protect all the transaction details of each payment. If the correct systems aren’t in place, there is potential for a security breach to occur.

How can you protect your guests’ data from cyber attacks?

It’s not enough to have an SSL certificate on your website, or rely solely on third-party payment services such as PayPal or Google Checkout to handle your guests’ credit card security. Each program you use must be securely locked down.

After all, sensitive data can be intercepted at any point in your guests’ booking process. For example, if your online booking system vendor is not PCI compliant, one of their wayward employees could easily decide to steal credit card data. This is why PCI DSS standards were invented.

The PCI Compliance Guide defines PCI DSS (Payment Card Industry Data Security Standard) as “a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment”.

PCI DSS has changed the way the travel industry approaches safety standards relating to how credit card payments are handled and processed. The Standard is enforced by major credit card companies – including Visa, MasterCard, American Express, Discover and JCB – as part of their merchant agreements.

The Standard, designed to help prevent payment card fraud, applies to any business involved in the processing, storing or transmitting of cardholder data, regardless of the transaction volume or dollar value involved. Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – PCI DSS applies to that purchase.

PCI DSS compliance is not a ‘nice-to-have’, but an absolute necessity. A security breach not only damages your reputation, but it could potentially wreak havoc on the lives of your guests, and cost you a significant amount in the way of data breach fees.

Furthermore, allowing your guests to pay securely helps to stop abandoned website bookings. Worldpay reports that nearly one in five online shoppers have dropped out of an online travel booking because of security concerns around payment.

The first thing to do is ask your booking system provider if they are 100% PCI DSS compliant across all their products. Secondly, ask for documentation that proves compliance with PCI DSS standards.

If you are not actively protecting your guests’ credit card data, you are putting your business and customers at serious risk.

Don’t compromise your guests’ data! If it’s not currently cyberhack-proof, try Little Hotelier. The system has complete PCI DSS compliance. Sign up for a free trial to keep your small property and guests secure.
