The hospitality industry, and hotels in particular, are leveraging the latest in technology to establish a competitive brand advantage. Many see this as hotels step up their development of mobile applications to engage consumers, and leverage social media and mobile booking applications to improve RevPAR. The rush to market with these cutting-edge technologies opens the brand, the property and the consumer to growing risks of a breach of privacy caused by lax or non-existent security controls. Luckily, tools are now coming to market that make it easier for consumers to see how well a property protects consumer data.
The bigger issue is that until very recently there has not been an advocate for the consumer, nor a process that validates the security posture of the hotel. Missing from the marketplace was an organization that would track the status of properties’ data security standards and report that information to the consumer. The responsibility for compliance has been left to the brand, payment acquirers and banks to independently determine what an acceptable level of risk can be. Far too often hotels take a non-scientific approach and simply weigh the risk against the potential revenue to determine whether the risk is acceptable. Is it the brands’ right to put the consumer at risk without even notifying them that their idea of security is a revenue approach?
Those responsible for policing compliance have been reticent to make the compliance status of smaller merchants public or to enforce against non-compliance. Banks and acquirers instead have focused their attention on big box merchants. Because of the shadow cast by the Staples, Neiman Marcus and Michaels stores’ breaches, little light has been shed on the smaller merchants. A breach of card data at a property in Orlando, Fla., for example, is unlikely to make it to the national press, while the loss of tens of millions of cards garners front page coverage. The reality is that the loss of a million cards or of one card does the same damage to the individual consumer.
There is a change coming and we can see it right around the corner. As a result of action taken by the FTC against Wyndham Worldwide Corporation, we are certain to see greater transparency and accountability for merchants and hotels in particular. If the FTC prevails in its case against Wyndham it could have far-reaching implications for franchise owners.
In its filing the FTC alleges Wyndham’s “failure to maintain reasonable security; allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Wyndham.”
This should fuel an interesting debate since the industry is currently polarized in its opinion of who maintains responsibility for compliance. The brands have done a good job putting distance between them and franchised/managed properties.
Several hotel brands have recently provided quotes on this subject. Every brand takes the same position, that the brand is not responsible for the compliance of the individual locations in the brand. Many expect the brands to break ranks with this thinking very soon. Wyndham has gone on the record with a similar position stating that the independent owner/operator is responsible for payment card compliance. However, Jay Patel, spokesman for an owner’s association representing approximately 1,500 franchised hotels, states that the parent brand and not the individually owned and operated property is the responsible party.
PCI compliance at the franchise is a shared exercise. We can look to the Payment Card Industry guidelines and try to decipher where the responsibility falls and how the franchise and franchisor can better protect the customer.
The PCI Security Standards Council is an open global forum launched in 2006, that is responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
The Council's five founding global payment brands – American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. – have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
Note that enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the council.
As if the Wyndham story needs any additional color, recently a shareholder initiated a derivative lawsuit against certain directors and officers of the company, as well as against the company itself as nominal defendant, related to the three data breaches the company suffered. The suit alleges Wyndham “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” The complaint alleges further that the individual defendants “failed to ensure that the Company and its subsidiaries implemented adequate information security policies,” and that the Company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions” and allowed the company’s software to “be configured inappropriately.”
The PCI requirements are applicable to merchants or service providers that process, store or transmit cardholder data. There is no doubt that every hotel meets this definition and is required to assess its computer environment per the PCI framework.
The significance of this suit is that it attempts to hold directors and officers liable for the loss of consumer data. So can we make the assumption that an owner of a hotel that is still running Windows XP at the front desk and who suffers a data breach can be held personally liable for the loss? I am not sure if this is a stretch and the outcome of both cases will be interesting.
The responsibility for compliance actually falls on both sides of the fence. The independent operator is responsible for the way customer data is handled. When a customer checks in he automatically assumes his data is safe and will not end up in the wrong hands. There is an implied agreement that the merchant will do everything in his power to protect the data and that all of the necessary controls are in place to ensure the implied agreement is enforced. The property is responsible for training every employee in security best practices, including risk mitigation and what to do in case a consumer’s card is compromised. The property is also responsible for ensuring that all systems that store, process or transmit credit card data are patched and protected from vulnerabilities. This includes, but is not limited to, all front desk systems, the systems that connect to the property management system, restaurant point-of-sale systems and any other systems that sit on the same network segment. Remember that systems are only as safe as the weakest link.
The property also has an obligation to ensure the property management system and point-of-sale systems are compliant according to the PA-DSS. Additionally, it is responsible for knowing whether its PMS vendor has had a qualified payment assessor validate the software as being compliant. It doesn’t end here. The PMS and POS system must also be installed and maintained in a compliant manner. Research has shown that less than 20 percent of property management systems have been installed according to the security guidelines. Research also suggests that a very small number are currently operating according to the manufacturers’ guidelines for PCI compliance, and indicates that many of the PMS/POS systems are not being patched in accordance with security best practices and are vulnerable to attack.
More often than not the brand is instrumental in procuring and provisioning the PMS on the property’s behalf. Therefore, compliance with all security requirements is shared between the entities.
Any third party, such as the parent brand or a hosting facility, must have submitted its systems and facilities to an assessment and must be able to attest to its own compliance. It is not enough to say the systems are secure while leveraging the services of a third party that may not be. For the most part, third parties that host central reservation systems, whether the brand or a third party like Sabre Hospitality, are more than likely compliant. However, the important part is that the property is entitled to ask for and receive the executive summary of that assessment.
Now here is where compliance becomes a little murky, blurring the lines between the property and the brand. The depth of the effort depends on the size of the property. The front desk systems are the primary focus of compliance. These are the systems that interact with all of your customers’ data.
The question security professionals always ask is “Does the front desk have connectivity to the Internet?” And when the hotel owner says “yes,” you can hear the sighs of disappointment and see the fear of risk wash over them. Why, in this day and age, are systems that process cardholder data and customer records connected to the Internet? Have we not learned enough lessons?
Remove Internet access from the front desk segment. That doesn’t mean block access; it means remove Internet access from the whole network segment. The list of recommendations and requirements goes on and on. Hotel owners need the assistance of the brands to protect themselves, the brands and their customers. Compliance needs to be a joint effort and neither party will benefit from a hands-off approach.
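The distinction between blocking and removing Internet access is easy to get wrong in a firewall policy, so here is an added example (not code from the article or from any vendor named in it) that models a front-desk segment’s egress policy and audits it. All addresses, hosts and rules are constructed for illustration: a first-match packet filter, a front-desk segment, a PMS host and a documentation-range address standing in for an arbitrary Internet host. It shows the two common ways a “block” fails (a deny rule shadowed by an earlier allow, and a default-allow policy with a deny list) beside the corrected policy, in which the segment has no path to the Internet and reaches only the PMS.

```python
"""Audit whether a front-desk (cardholder-data) segment can still reach the Internet.

Added example; all addresses, hosts and rules are constructed and hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumption: the property's internal network lives in RFC 1918 space.
INTERNAL = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))
FRONT_DESK = ip_network("10.20.30.0/24")    # constructed front-desk workstation segment
PMS_SERVER = ip_network("10.20.40.10/32")   # constructed property management system host
ANY = ip_network("0.0.0.0/0")
INTERNET_PROBE = ip_address("203.0.113.9")  # stand-in for an arbitrary Internet host (RFC 5737 range)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple         # evaluated top-down, first match wins
    default: str         # action taken when no rule matches


def decide(policy: Policy, src: IPv4Address, dst: IPv4Address) -> str:
    """First-match evaluation, the way most packet filters order their rules."""
    for rule in policy.rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return policy.default


def shadowed_rules(policy: Policy) -> list:
    """Rules that can never match because an earlier rule already covers their whole src/dst."""
    shadowed = []
    for i, later in enumerate(policy.rules):
        for earlier in policy.rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                shadowed.append(later)
                break
    return shadowed


def is_external(addr: IPv4Address) -> bool:
    return not any(addr in net for net in INTERNAL)


def internet_egress(policy: Policy, segment: IPv4Network) -> list:
    """External addresses a host in `segment` can reach: the generic probe plus any
    single external host the policy names explicitly."""
    src = segment[1]    # first usable host of the segment
    probes = {INTERNET_PROBE}
    probes |= {r.dst[0] for r in policy.rules if r.dst.prefixlen == 32 and is_external(r.dst[0])}
    return sorted(str(p) for p in probes if decide(policy, src, p) == "allow")


def audit(policy: Policy, segment: IPv4Network) -> list:
    """Findings a reviewer would want before signing off on the segment."""
    findings = []
    reachable = internet_egress(policy, segment)
    if reachable:
        findings.append(f"{segment} still has Internet egress to {reachable}")
    if policy.default == "allow":
        findings.append("default action is allow: anything not explicitly denied gets through")
    for r in shadowed_rules(policy):
        findings.append(f"rule {r.action} {r.src}->{r.dst} is shadowed and never takes effect")
    return findings


# Weak policy 1: the "block" was appended below a legacy allow-all, so it never fires.
BLOCK_AFTERTHOUGHT = Policy(
    "block-added-later",
    (Rule("allow", FRONT_DESK, ANY),   # legacy rule: front desk used to browse the web
     Rule("deny", FRONT_DESK, ANY)),   # the block that was meant to fix it
    default="deny",
)

# Weak policy 2: default allow with a deny list; everything not listed still gets out.
DENY_LIST = Policy(
    "deny-list",
    (Rule("deny", FRONT_DESK, ip_network("198.51.100.0/24")),),   # constructed "bad" range
    default="allow",
)

# Corrected policy: the segment has no path to the Internet at all; only the PMS is reachable.
REMOVED = Policy(
    "internet-removed",
    (Rule("allow", FRONT_DESK, PMS_SERVER),),
    default="deny",
)

if __name__ == "__main__":
    for policy in (BLOCK_AFTERTHOUGHT, DENY_LIST, REMOVED):
        print(policy.name, audit(policy, FRONT_DESK) or ["no findings"])
```

The point the audit makes is that “removing” Internet access is a property of the whole policy (default deny, with the only allowed destination being the PMS), not of any single deny rule; the same check applies to the restaurant POS and any other system sharing the front-desk segment.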
There is a tremendous amount of good press that can be garnered from doing the right thing for the customer. As soon as a brand embraces it and begins marketing InfoSec safety as a feature it will be a game changer.
David Durko is the CEO of Security Validation LLC, a security advisory company focused on the hospitality industry. He is also the CEO and founder of PrivacyAtlas, a consumer friendly registry of PCI Compliant Merchants.