News headlines recently have been filled with increasing reports of hotel brands falling victim to data breaches. Intercontinental Hotels Group (IHG) revealed that a credit card data breach compromised the financial and personal data of guests across 1200 of its properties in the U.S. and Puerto Rico. Other high-profile breaches have included Kimpton Hotels, Starwood Hotels, Hyatt, Hilton, Trump Hotels and many more. In fact, according to a 2016 global security research report, the hospitality industry is now one of the most favored targets among cybercriminals and hackers, second only to the retail industry in terms of the number of data breaches.
What many people may not realize is that the nation’s recent migration to EMV chip-enabled payment cards is one of the reasons hotels are now increasingly targeted by cybercriminals. That’s because prior to the introduction of chip-enabled payment cards, fraudsters typically compromised point-of-sale (POS) systems to steal the payment card data encoded on the card’s magnetic stripe. Now that more secure chip-enabled POS devices are being deployed, such an attack is much harder, and fraudsters are shifting to card-not-present (CNP) fraud instead. They seek out industries where consumers make reservations and payments over the phone, making hotel contact centers a prime target.
Falling victim to a data breach that compromises guests’ payment card data or other personal information can be disastrous for a hotel brand. The average cost businesses spent cleaning up after a data breach in 2016 was $4 million. This figure includes breach mitigation, crisis team management costs and business losses, but it’s impossible to estimate the cost of the damage to a hotel’s brand reputation. If the breach makes headlines, guests may vote with their feet and choose not to stay with that chain in the future for fear that they too may fall victim to a data breach.
Upcoming data security legislation is going to further add to that cost. The European Union’s General Data Protection Regulation (GDPR) is set to take effect in 2018 and applies to any business that holds or processes sensitive data belonging to EU citizens. So, even hotel chains based in the U.S. or other regions must comply with the GDPR or risk facing fines of up to 4 percent of their annual global revenue, or €20m.
Given the increasing pressure from cybercriminals and the changing regulatory environment, it is imperative for the hotel industry to strengthen its data security standards. According to Semafone, one of the best places to start is within the hotel contact center. New technologies can ensure that payment card data and other personally identifiable information (PII) taken over the phone is kept secure and never held in the contact center infrastructure. Some solutions allow customers calling to make a reservation or order additional services to simply type their card numbers into their telephone keypad, rather than reading them out loud to the hotel representative on the line. The keypad (DTMF) tones are masked so the representative (or even a malicious eavesdropper on the agent side of the call) cannot determine the digits, and the data is routed directly to the payment gateway. So in addition to never being seen or heard by the hotel’s representative, the sensitive numbers are never held in the contact center infrastructure, call recordings or other unsecured areas of the hotelier’s business. This approach reduces the number of individuals and systems with access to guests’ sensitive data, making the hotel contact center a less attractive target for criminals. It also makes it significantly easier for the hotel to comply with the Payment Card Industry Data Security Standard (PCI DSS), because the systems that never touch card data fall outside the scope of the assessment.
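To make the call path concrete, here is an added illustration (not Semafone's code or any vendor's API) that models the descoping described above: a proxy sits between the telephone trunk and the agent desktop, withholds keypad digits from the agent while a payment is being taken, validates the number with a Luhn check, and hands the full card number only to a stand-in payment gateway that returns a token. The event stream, the `StubGateway`, the `DtmfMaskingProxy` class and the test card numbers are all constructed for this example; a real deployment would do the tone suppression in the telephony layer and call a real gateway.

```python
"""Model of a DTMF-masking call path for a hotel contact center.

Hypothetical example: the event stream, proxy and gateway below are constructed
stand-ins, not any vendor's product or API.
"""
from typing import List, Optional, Tuple

PAN_TEST_VALID = "4111111111111111"    # constructed test PAN (passes Luhn)
PAN_TEST_INVALID = "4111111111111112"  # constructed test PAN (fails Luhn)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so mistyped numbers are bounced before the gateway is called."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class StubGateway:
    """Stand-in for the payment gateway: the only component that ever holds the full PAN."""

    def __init__(self) -> None:
        self.tokenized: List[str] = []

    def tokenize(self, pan: str) -> str:
        self.tokenized.append(pan)
        return f"tok-{len(self.tokenized):04d}-{pan[-4:]}"  # constructed token format


class DtmfMaskingProxy:
    """Sits between the trunk and the agent desktop; decides what the agent gets to see/hear."""

    def __init__(self, gateway: StubGateway) -> None:
        self.gateway = gateway
        self.capturing = False
        self._digits: List[str] = []
        self.agent_view: List[str] = []   # everything that reaches the agent (and call recording)
        self.token: Optional[str] = None

    def start_capture(self) -> None:
        """Agent clicks 'take payment'; from now on keypad digits are withheld from the agent."""
        self.capturing = True
        self._digits = []

    def on_event(self, kind: str, payload: str) -> None:
        if kind == "speech":
            self.agent_view.append(f"speech:{payload}")
        elif kind == "dtmf" and self.capturing:
            if payload == "#":
                self._complete()
            elif payload.isdigit():
                self._digits.append(payload)
                self.agent_view.append("tone:*")  # flat tone; the digit value never reaches the agent
        elif kind == "dtmf":
            self.agent_view.append(f"dtmf:{payload}")  # outside capture mode keypad presses pass through
        else:
            raise ValueError(f"unknown event kind {kind!r}")

    def _complete(self) -> None:
        pan = "".join(self._digits)
        self._digits = []
        self.capturing = False
        if 13 <= len(pan) <= 19 and luhn_valid(pan):
            self.token = self.gateway.tokenize(pan)
            self.agent_view.append(f"status:accepted ending {pan[-4:]}")
        else:
            self.agent_view.append("status:rejected, ask caller to re-enter")


def simulate_call(pan: str) -> Tuple[Optional[str], List[str], StubGateway]:
    """Run one constructed reservation call in which the caller keys in `pan` then '#'."""
    gw = StubGateway()
    proxy = DtmfMaskingProxy(gw)
    proxy.on_event("speech", "I'd like to book two nights")
    proxy.on_event("speech", "please key in your card number and press hash")
    proxy.start_capture()
    for ch in pan:
        proxy.on_event("dtmf", ch)
    proxy.on_event("dtmf", "#")
    proxy.on_event("speech", "thank you")
    return proxy.token, proxy.agent_view, gw


def agent_view_contains_pan(agent_view: List[str], pan: str) -> bool:
    """Descoping check: the full PAN must not be reconstructible from what the agent received."""
    joined = "".join(agent_view)
    digits_only = "".join(c for c in joined if c.isdigit())
    return pan in joined or pan in digits_only


if __name__ == "__main__":
    token, view, gw = simulate_call(PAN_TEST_VALID)
    print("token handed to agent desktop:", token)
    print("gateway holds PAN:", gw.tokenized == [PAN_TEST_VALID])
    print("agent view leaks PAN:", agent_view_contains_pan(view, PAN_TEST_VALID))
```

The point of `agent_view_contains_pan` is the PCI DSS argument in the paragraph above: if everything the agent desktop, headset and call recorder receive can be shown to carry only masked tones and the last four digits, those systems handle no cardholder data and can be argued out of scope, while the gateway remains the one component that must be assessed.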
While hotels have long focused on maintaining the physical security of guests and their belongings during their stay, it is now necessary to apply that same thinking to guests’ data. With stronger security practices for handling sensitive information and by keeping payment card data out of their contact centers, hotels can make themselves less of a target for data breaches and significantly reduce the high costs and extensive time associated with maintaining PCI DSS compliance. Guests can sleep peacefully at night knowing the hotel is keeping their information safe, and the hotelier can rest assured that their name will only be making headlines for the right reasons.