Editor's note: This is the fourth installment in a seven-part series about hotel information data security.
Most people think that if they are PCI Data Security Standard compliant they have nothing to worry about regarding credit card data. PCI is the bare minimum, and it does not protect you from a breach or, more likely, from employee dishonesty, which accounts for 70 percent of all identity theft. The only real protection is total end-to-end integrated encryption and tokenization.
Most processors claim they offer tokenization, but in only one case is it truly integrated into the platform and end to end. To be truly secure, you must have all card data stored in tokenized form offsite, on the processor’s secure server. If not, there is a good chance you will lose data to an employee or to a hacker, and it will be terribly expensive. TJ Maxx, Wyndham Worldwide, Heartland Payment Systems and others were PCI compliant, but they all got breached. In the case of Wyndham it was multiple times, and the cost was very high.
Massachusetts passed a law that says no matter where the event occurred, if a Massachusetts resident is a victim of ID theft, the merchant pays—that means you pay. Many other states are in the process of passing similar laws. The new focus is to make the merchant pay for any ID theft. It does not matter if you are PCI compliant—you still pay if there’s a breach.
If you have full end-to-end encryption at the moment of the swipe, full tokenization end to end, and encrypted charge-back processing that uses only the token number and never the card data, then you are protected. If you have less protection than that, you are not protected. Any time an employee has access to any card data, you are subject to ID theft, and it will cost you dearly: you own the company, so even if the fines and legal fees are not paid by you personally, they are paid with your company’s money.
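The arrangement described above, tokenization at the moment of the swipe with the merchant keeping only a token and disputing charges by token, can be illustrated in code. The following Python is an added example written for this column, not code from the author or from any processor. The ProcessorVault and MerchantLedger classes are hypothetical, the card number is the standard industry test PAN rather than a real card, and the vault holds its mapping in memory as a stand-in for a real processor’s encrypted store. The last function is the kind of check a hotel could run over its own exported data to confirm that no card numbers remain on its side of the boundary.

```python
"""Constructed demo: tokenization at swipe time, merchant keeps only the token,
chargeback is filed against the token.  Classes are hypothetical; the PAN is the
well-known Visa test number, not a real card."""
import json
import re
import secrets
from dataclasses import dataclass, field

TEST_PAN = "4111111111111111"  # constructed: industry-standard test PAN


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Processor side: the only place a PAN exists after the swipe.
    Simplification: a real vault encrypts at rest inside the processor's own
    PCI scope; here the token-to-PAN mapping is an in-memory dict."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # Random token, not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def process_chargeback(self, token: str, amount: float) -> dict:
        """Resolve a dispute on the processor side; the PAN never leaves."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        # The card network dispute would be handled here using the vaulted PAN.
        return {"token": token, "amount": amount, "status": "chargeback_filed"}


@dataclass
class MerchantLedger:
    """Hotel side: stores only what is needed to reconcile and dispute."""
    records: list = field(default_factory=list)

    def record_sale(self, token: str, last4: str, amount: float) -> None:
        self.records.append({"token": token, "last4": last4, "amount": amount})

    def export(self) -> str:
        return json.dumps(self.records)


def swipe_and_charge(vault: ProcessorVault, ledger: MerchantLedger,
                     pan: str, amount: float) -> str:
    """Tokenize at the moment of swipe; the merchant keeps only the token."""
    token = vault.tokenize(pan)
    ledger.record_sale(token, pan[-4:], amount)
    return token


def find_pans(text: str) -> list:
    """Defender check: standalone runs of 13-19 digits that pass Luhn."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_ok(m)]


def demo() -> dict:
    vault = ProcessorVault()
    ledger = MerchantLedger()
    token = swipe_and_charge(vault, ledger, TEST_PAN, 189.00)
    result = vault.process_chargeback(token, 189.00)   # dispute by token only
    exported = ledger.export()
    return {
        "token": token,
        "merchant_data": exported,
        "pans_in_merchant_data": find_pans(exported),  # expected: []
        "chargeback": result,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo shows the merchant export containing the token, the last four digits and the amount, while the scan of that export finds no card numbers; the same scan over the raw swipe input does find one. That difference is the whole point of the architecture: after the swipe, nothing a hotel employee can reach contains a PAN.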
If you think that firewalls, intrusion detection, locked file cabinets or the like make you safe, you are not. Professional card-data hackers can get to you; just ask the companies that have been breached. If any employee, no matter how limited and controlled, can access card data at any point, you are subject to ID theft, because employees can be bribed by card thieves. If you are an owner/operator relying on your IT professional to decide which processor to use, and the choice is made on transaction costs or partial tokenization, you have just handed the entire financial risk decision for your company to your IT advisor. If you hire a consultant to make that decision, you turn your company’s risk-management program over to someone who may have a hidden relationship with a processor and is only talking about the lowest transaction fees. They are not always motivated by, or loyal to, your fee.
The hotel industry is at serious risk and seems not to understand what the risks are becoming, or how devastating a breach can be. Massachusetts is just the first state to pass these laws. Being PCI compliant will lull you into thinking you are safe, but it does not mean you are completely safe, and new state laws like the one in Massachusetts can severely damage you if there is a breach. You need to get the data completely out of your system and residing, in encrypted and tokenized form, on the servers of a processor that has end-to-end, fully tokenized and encrypted systems, including charge-back processing.
Joel Ross is principal of Citadel Realty Advisors, successor to Ross Properties, the investment banking and real-estate financing firm he launched in 1981. A pioneer in commercial mortgage-backed securities, Ross, along with Lexington Mortgage and in conjunction with Nomura, effectively reopened Wall Street to the hotel industry. A member of Urban Land Institute, Ross conceived and co-authored with PricewaterhouseCoopers The Hotel Mortgage Performance Report. Ross is also the author of Ross Rant, a commentary on the economy, financial markets and politics that’s available through his website.
The opinions expressed in this column do not necessarily reflect the opinions of HotelNewsNow.com or its parent company, Smith Travel Research and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.