Securing credit card data costs almost nothing


15 September 2010
By Joel Ross
HotelNewsNow.com columnist
jross@citadelrealty.com

The July 2010 deadline has passed for achieving Payment Card Industry Data Security Standard compliance. The consultants have tried to sell complicated solutions, and the processors have tried to explain away their weaknesses and added fees for third-party solutions. Some claim it will cost US$40,000 or more to upgrade, and some IT managers recently claimed that full security does not yet exist. Neither statement is true. Seems like Y2K all over again.

The differences are meaningful and need to be focused on. You can achieve full encryption from the swipe plus tokenization to the point-of-sale system for almost no cost. The savings on PCI audits are many thousands of dollars per property.

First, securing data is only going to get more and more important. The crooks are getting smarter every day, and the costs of protecting the data are increasing every day.

Second, the July 2010 PCI Compliance standard was only the first level of what will be a bar that gets higher every time new compliance standards are introduced, which is becoming more frequent. All the issues were recently discussed in the June 2010 RSA Security Brief. This article is a must-read for the people who manage the risk of the company, the owners and the people who have a real economic stake in the business.

In summary, the study reveals two critical items. First, unless your company’s core competency is protecting data, you should not be trying to do it in house. It is too complicated and too expensive. Second, take the information and associated liability off your system. That shifts the risk to someone else and dramatically reduces your PCI audit requirements and PCI-related costs.

The good news

The good news is that there is a simple and low-cost way that sophisticated companies are dealing with the protection of credit card data, the cost of managing the data and meeting PCI compliance standards.

In simple terms, to my knowledge, the property-management systems do not accept randomly generated tokens (the substitute for credit card data). They may in the future, but they do not now. The solution is to encrypt the data and eliminate clear, hackable card data held in the system. This can be done with the purchase of a Magtek (iPad or Centurion) security swipe. The cost of this is between US$150 and US$300, depending on the type of reader. This reduces the threat and the PCI compliance cost.

The second step is to move to a tokenized electronic payment processor that has the tokenization integrated into the platform and so does not charge for it. The EPX technology has been available for years. They have successfully tokenized millions of transactions representing billions of dollars. This generates random alphanumeric tokens in place of credit card data. They store the credit card numbers in their secure servers, and they are responsible. This creates an environment that encrypts from the moment of swipe and tokenizes from the POS system forward. Simple, easy and cheap. Several of the other more well-known processors are starting to utilize third-party solutions for tokenization because they do not have it integrated into their platforms. This means more costs, higher complexity and growing pains.
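The sketch below is an added illustration of the tokenization model described above, not code from EPX or any processor. `ProcessorVault` and `find_clear_pans` are hypothetical names, and the records are constructed sample data. It shows the processor side swapping a card number for a random alphanumeric token, and a check a merchant can run over its own records to confirm that no clear card numbers remain.

```python
import re
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
PAN_LIKE = re.compile(r"\b\d{13,19}\b")  # candidate card numbers in merchant data

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class ProcessorVault:
    """Hypothetical stand-in for the processor's secure servers."""
    def __init__(self):
        self._pan_by_token = {}  # the only place card numbers are kept

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(16))
            # Reject collisions and all-digit tokens, which could pass for a card number.
            if token not in self._pan_by_token and not token.isdigit():
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token):
        return self._pan_by_token[token]  # never exposed to the merchant system

def find_clear_pans(records):
    """Return (record index, field) for every Luhn-valid card number found."""
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if any(luhn_ok(m) for m in PAN_LIKE.findall(str(value))):
                hits.append((i, field))
    return hits

def demo():
    vault = ProcessorVault()
    test_pan = "4111111111111111"  # constructed: standard test number, not a real card
    records = [
        {"folio": "1001", "card": vault.tokenize(test_pan), "amount": "189.00"},
        {"folio": "1002", "card": test_pan, "amount": "95.50"},  # legacy clear-text row
    ]
    return find_clear_pans(records)
```

Calling `demo()` flags only the second record: the tokenized row holds nothing that resembles a card number, while the legacy row still does.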

This transfer of liability is discussed in detail in the RSA Security Brief. A recent Gartner Group study on one level three merchant identified a dramatic reduction in the cost of managing this data by transferring the risk. The savings for this company were estimated to be US$3 million—a nice large number to save. Furthermore, it stops the conversation about additional tasks and extra work for the management information systems department.

The reality is that you can achieve the best available security for minimal cost and still use your existing POS system and PMS.

Joel Ross is principal of Citadel Realty Advisors, successor to Ross Properties, the investment banking and real-estate financing firm he launched in 1981. A pioneer in commercial mortgage-backed securities, Ross, along with Lexington Mortgage and in conjunction with Nomura, effectively reopened Wall Street to the hotel industry. A member of Urban Land Institute, Ross conceived and co-authored with PricewaterhouseCoopers The Hotel Mortgage Performance Report. Ross is also the author of Ross Rant, a commentary on the economy, financial markets and politics that is available through his website, www.citadelrealty.com.

The opinions expressed in this column do not necessarily reflect the opinions of HotelNewsNow.com or its parent company, Smith Travel Research and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.
