Hotel Data Security
An introduction to PCI and GDPR, and the importance of compliance.

In today’s digital hospitality landscape, data security is becoming more and more important. The number of online (distribution) channels that feed data to hotels grows each day: guest data such as addresses and credit card details, plus travel and profile information supplied via channel managers and booking sites. Because so much personal information is concentrated in one place, the hospitality industry is especially vulnerable to attack. Trustwave published a 2016 article showing that the hospitality sector had the second largest share of data incidents by industry, at 14%.

This exposure stems from the many vendors connected to today’s hotel facilities. It is not only the booking channels and online distribution providers that contribute to it; internal facilities such as the hotel’s Wi-Fi network are also risk factors through which a great deal of guest and hotel data passes.

Because of these increasing risks, distribution vendors need to uphold strict security regulations. It is not only your job to find the right vendor based on their unique offer and fit with your hotel, but also to verify that they are PCI and GDPR compliant. Your guests expect that you are following the same security rules. They might not be acquainted with terms like PCI and/or GDPR, but they are aware of hacking risks and are not always willing to provide all their personal information. As such, hotels have a heightened responsibility to protect this information at all costs. This means that your hotel needs to safeguard digital data by adhering to the strict guidelines set out by the PCI (Payment Card Industry) and GDPR (General Data Protection Regulation) compliance regimes.


An introduction to PCI compliance

The Payment Card Industry Data Security Standard (PCI-DSS) is an international security standard, developed in cooperation with the credit card companies, that regulates the security of storing, processing and transmitting transaction and personal details.

To ensure credit card data remains as secure as possible, the PCI Data Security Standard (PCI-DSS) offers a guideline with 12 central security areas. It consists of steps that mirror security best practices. The hotel will be held accountable if any breaches occur.

With a few steps, you can check whether you meet some of the requirements for becoming PCI-DSS compliant. We do suggest getting in touch with a specialised firm to help you with your hotel security.

What is GDPR compliance?

From 25th May 2018 the GDPR (General Data Protection Regulation) will be implemented in the European Union. This regulation was adopted on 27th April 2016 to extend and strengthen the rights of all EU citizens and residents concerning the collection, storing and processing of their personal data by companies and organizations. Personal data includes an extensive list of details such as a person’s name, passport number, bank account number, email address, IP address etc. Considering your property is linked to multiple sources that handle guest data, such as (online) travel agencies, distribution systems and loyalty programs integrated with your PMS and/or CRS, GDPR is something you need to be especially aware of.

With a few steps, you can check whether you meet some of the requirements for becoming GDPR compliant. We do suggest getting in touch with a specialised firm to help you with your hotel security.

Results of not meeting the security standards

Imagine a data security breach that puts guest information and credit card details out in the open. Besides heavy financial penalties, the hotel suffers huge losses in brand reputation. Especially if you are connected to a franchise chain, the consequences could be severe.

If you accept credit card payments, you are legally obliged to comply with PCI. If you fail to meet these obligations you can lose your right to accept credit card payments. The results of this are self-explanatory in today’s online payment landscape.

Prepare your Hotel Data Security PCI GDPR

Your first thought while reading this article might be: “Am I not already covered by my technology and distribution providers?” Although the same regulations apply to your business partners, you might overlook several points of internal data storage. In the end, it is the hotel that holds all responsibility for the data protection of its guests. We have prepared a step-by-step program to help you properly prepare for PCI & GDPR compliance.

PCI-DSS


All distribution vendors that help you to optimize your online revenue are handling hotel and guest data between systems. If your in-house property management system (PMS) is storing credit card details of your guests, it is mandatory that you adapt your infrastructure to the PCI requirements.

Put limitations on user rights when it comes to guest data. Many systems let you define several levels of user rights. Make sure that only the staff members who need to handle credit card details have access to this data.

PCI compliance is not only applicable to the digital storage of credit card details. Hardcopies that store credit card or guest information are also covered by these rules. All printed documents containing such data should be securely stored and need to have restricted access as mentioned in step 2.

When accepting digital transactions, an extra verification of the cardholder is sometimes required. The so-called CVC code is one example: you are not allowed to request this code from your guests unless you are PCI-DSS compliant.

If for some reason an incident occurs with a card, it is good to know who handled the credit card and what happened to it. This goes hand in hand with unique user logins for the staff that handle credit card details. For an even better overview, assign unique IDs to the staff who have access to the information.

In theory, all computers and other stored files located at the reception are easily accessible for people who want to cause harm. Make sure to move all guest related documents and machines that are accessing credit card details to a secured location. Make sure that this area is secured with security cameras and not accessible to hotel guests and other non-hotel staff members.

Passwords are not always top of mind after a holiday, so you might be tempted to leave memos with written account details under the keyboard or even attached to the screen. Again, PCI is not only about data stored online; the offline work environment should be as secure as possible too. There are many tools to store passwords safely. Work out a system with your staff that ensures written memos with sensitive data are no longer part of the daily routine. Writing down and storing private information this way is not allowed and is not PCI compliant.

Make sure that all the guest and hotel data stored in your hotel software systems is encrypted. Your IT/software vendor can help you with that. It’s important to select your software partner based on their strictly regulated security rules. If the data is not encrypted, hackers have an easy time causing harm.

GDPR


Perhaps all of this information is redundant and you already have a great system in place to adhere to the safety of guest data and their privacy. But are all employees aware of PCI and GDPR regulations? Practice what you preach. Make sure that the entire team is involved, from management to front office. Share your security procedures, create quick cheat sheets for the desks and inform them of the consequences.

Build trust with your guests by showing that you follow strict security and privacy rules. Once certified, you can do this by adding the PCI logo to your website or a poster at the check-in desk. Also, let your guests feel safe during check-in by informing them about the safeguarding of all their information.

All the information that flows through the hotel should be documented. Don’t worry, we are not talking about a huge log of every single activity. GDPR is concerned with guest information, everything that can conflict with the privacy of your guests. Create a log that records:

  • What data is stored
  • Where it is stored
  • Where the data comes from
  • Who has access to this data
  • Which external parties are involved (such as distribution channels and other data providers)
  • And most important, whether the guest agreed to the terms of collecting his or her data

All these processes should be recorded.

Ask for the guests’ approval of handling all required data. It’s important that this approval is documented in the process. Modern online check-ins already have this built into the process. Make sure that your legal statements and customer agreements are reviewed and amended in line with the new legislation. Inform your guests of the reason you collect the data and how long you will be storing it.

The European guest has several rights, and you need to ensure he can exercise his rights, which include:

  • The right of access to his data
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to transfer his data to another party
  • The right to object
  • The right not to be included in automated marketing initiatives or profiling

When you are informing guests about your privacy policies and security rules, you can expect questions will be asked about their rights. You will need to be ready to handle these questions. You have a maximum of 1 month to provide an answer. If you refuse a request, you must inform the guests about your reasons, and provide any details about the Privacy Commission and the name and contact details of your main security contact, so that the guest understands how to file a complaint.

All information that you are asking from your guests should be for a lawful reason. Be aware of what you are asking. Review all data gathering moments and determine if all information requested is legitimate. Reservation details are required, but social details are harder to substantiate.

Storing guest data and using it for any valid reason is never agreed to by default. A guest will always have to agree (“opt-in”) to your terms before you are allowed to handle his or her data. Also, have a process in place for when a guest does not agree, or agrees only partially.

For all the above you should have actions in place. Next to that, you need to know how and when guests will be asked to agree on these terms. Agreeing to the terms of a booking site where the guest booked the stay is not a valid opt-in for all your internal Hotel procedures.

There is an additional consideration for children under 16. Authorization to process a minor’s data should be obtained from their parents or responsible adult.

The hotel should be ready to detect and handle any data breaches. The data register should be able to provide insight into which pieces of data are affected.
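The data register described above, together with the opt-in rule and the breach lookup this step asks for, as an added Python example (not SmartHOTEL code); the system names, roles and consent sources are constructed placeholders:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RegisterEntry:
    """One line of the GDPR data register: the fields listed in the text."""
    data: str                    # what data is stored
    location: str                # where it is stored (assumed system name)
    source: str                  # where the data comes from
    accessors: frozenset         # who has access (assumed role names)
    external_parties: frozenset  # which external parties are involved
    consent: Optional[str]       # how the guest opted in, or None if never asked

# Only an opt-in the hotel collected itself counts. Agreeing to a booking
# site's terms does not cover the hotel's internal procedures.
HOTEL_OPT_IN = frozenset({"hotel online check-in", "hotel check-in form"})

def has_valid_opt_in(entry: RegisterEntry) -> bool:
    return entry.consent in HOTEL_OPT_IN

def breach_report(register, breached_system: str) -> dict:
    """What a breach of one system exposes: data, accessors, partners to
    notify, and records that were held without a valid opt-in."""
    hit = [e for e in register if e.location == breached_system]
    return {
        "data": sorted(e.data for e in hit),
        "accessors": sorted(set().union(*(e.accessors for e in hit))),
        "external_parties": sorted(set().union(*(e.external_parties for e in hit))),
        "missing_opt_in": sorted(e.data for e in hit if not has_valid_opt_in(e)),
    }

# Constructed sample register; systems and parties are illustrative only.
REGISTER = [
    RegisterEntry("name and address", "PMS", "booking site",
                  frozenset({"front office", "management"}),
                  frozenset({"channel manager", "booking site"}), "hotel online check-in"),
    RegisterEntry("credit card details", "PMS", "booking site",
                  frozenset({"front office"}), frozenset({"channel manager"}),
                  "hotel online check-in"),
    RegisterEntry("passport number", "PMS", "check-in desk",
                  frozenset({"front office"}), frozenset(), "hotel check-in form"),
    RegisterEntry("email address", "CRM", "booking site",
                  frozenset({"marketing"}), frozenset({"loyalty programme"}),
                  "booking site terms"),  # not a valid opt-in for internal use
]
```

Running `breach_report(REGISTER, "CRM")` flags the email address as exposed and as held without a valid opt-in, so both the loyalty programme and the consent gap appear in the report.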

Make sure your network and storage systems are up-to-date with the latest intrusion detection programs.

Within your hotel or company, someone should be tasked to become the Data Protection Officer (DPO). Make sure this is someone who knows and understands the importance of credit card and personal data processing. This can very well be an additional task for an existing employee or manager.

Large amounts of credit card details are processed in a hotel, so it is eminently sensible to have a DPO in place. The DPO should always understand and be aware of all data flows in the hotel, and he should ensure that there is an updated data register at all times, in case any queries arise.

The name of the DPO should be mentioned in all privacy statements on any media. When filing a complaint, the guest will reference the DPO by name.

If you are an independent hotel, the following point does not apply.

For hotels with multiple properties and/or located in multiple EU countries, it is important to align the procedures and to identify who is taking the lead (presumably the country or regional office) for the coordinated PCI/GDPR efforts. If you are present in multiple EU countries, it is required to identify a “main establishment”, and also the lead country supervisory authority.

Reach out to us for any additional questions

We believe in a highly connected safe and secure world of deeply integrated technologies combined with service. If you have any questions regarding Hotel Data Security, get in touch!