Tuesday, January 4, 2011

Are You PCI Compliant

Is your hotel PCI compliant? Do you know what being PCI compliant even means? If you’re confused about this now, it’s a good thing you’re reading this article, because hotels face a deadline to be PCI compliant by July 1, 2010.

For those not in the know, and we’re worried there could be a good many of you, PCI stands for Payment Card Industry. Being PCI compliant essentially means you have taken the appropriate steps to make sure that any credit card data you receive is kept safe and secure in your system. If your system is up to snuff, then you’ve met what’s called the Payment Card Industry’s Payment Application Data Security Standard (PA-DSS).

Get it? Whew, because hotels that are not PCI compliant and then suffer a security breach could be in for a costly and stressful experience, one that could cost far more than you might ever imagine.

“We have seen several companies put out of business because of a breach,” said Sean Mathena, managing consultant at Trustwave, a data security firm, during a panel discussion at this week’s Hospitality Industry Technology Exposition and Conference (HITEC).

That’s because the fines and fees associated with a breach can cost your hotel millions, depending on how much information was stolen, how long the breach went undetected, and the reimbursement of all costs related to the resulting fraud – including picking up the tab for a thief’s spending spree. The calculation VISA actually uses takes the number of cards compromised, works out your total annual transactions as a merchant, and sets the fine as a percentage of your overall sales per year. Be warned: the credit card company will take the money directly out of your account with your processing bank.

Currently, Mathena said, there are about 20 breaches a month in the credit card industry.

Millennium Hotels & Resorts runs more than a million credit cards through its systems annually at its 14 North America-based properties. The company owns and manages its own PMS systems, and John Edwards, its director of IT for North America, has become an evangelist of sorts for making sure your hotel is compliant.

Edwards shared his knowledge of what happens after a breach, walking the audience through the process step by step.

He said the first thing you’ll get is a letter from the credit card company informing you of the breach, to which you will have to respond with some form of documentation. That packet will lay out the next steps you have to take: usually an analysis by a third-party forensic company, the fines you can expect, and the card issuer’s expectations of you to ensure no more data is lost.

Edwards warned that the letter is sent to the hotel’s controller or GM, who may have no idea what they are dealing with and may send the information back to the credit card company without notifying the main office or the hotel’s owners. Big mistake! You need a mechanism in place so that the letter is escalated immediately to IT and the corporation, he said.

Then you need to engage a forensic firm to determine exactly what happened and when. This will usually entail the firm copying all drives that could have been involved in the breach, which are then examined in detail in a lab.

“They want to determine the time period of exposure - how long the breach has been going on - which may have just been discovered but could have been there some time. Then they will come back with a report which will be shared with your bank and credit card company. That report will determine what you have to pay for,” said Mathena.

The good news, though, is that if you were compliant at the time of the breach, your hotel will fall under safe harbor rules that lessen the fines, said Mathena.

The biggest warning from these experts, however, is that although hotels may have PCI compliant systems, those systems may not have been installed in a PCI compliant manner. “We have seen some third party vendors certified in the application but then don’t install it in a compliant manner because they do not use very strong passwords, for example,” said Mathena. So it’s critical to find a company that has past experience with compliant installations.