Tokenization key to data security
14 FEBRUARY 2014 9:28 AM
Hoteliers need to make credit card security a high priority due to the potential reputational and legal costs of a breach.
The whole credit card hacking problem is once again in the forefront for the hotel industry. One of my companies is in the business of specifically serving as a credit card processor for hotels, so I have deep knowledge of this topic.
As recently as 2010 it was the Wyndham Hotel Group security breach, and now it is White Lodging. The industry seems to have largely ignored the Wyndham breach and the warnings of more to come. The White Lodging, Target and Neiman Marcus breaches should serve as wake-up calls.
Hoteliers in particular are at risk, because they handle credit card transactions well beyond the single swipe of retail or online shopping, where the card data is sent immediately into encrypted storage.
In hotels there is first the reservation, often online, by phone or through a third-party booking source, followed by check-in at the front desk or kiosk. The card data then resides in the hotel system for days during the stay so that added charges from the restaurant, gift shop or spa can be posted to the card. The charge information is often kept electronically afterward, accessible in case of chargebacks and similar follow-up.
At each of these steps and points of access there is a risk of an attacker getting in, just as Target was breached by attackers who went through a legitimate vendor to gain entry to its network and from there to the card-swipe terminals. All hotel managers think they have secure systems, but even Wyndham and White Lodging, two very well-run companies with sophisticated and highly professional management, did not. Other hotel breaches have occurred, but you never hear about them.
Credit and debit card processing is much more complicated than most in the hotel industry realize or than CFOs want to acknowledge.
When we sign up new clients, we analyze their merchant charge statements from their existing processor. We often find that even at large ownership and management companies with sophisticated and highly qualified CFOs and controllers, with what they think are clear processing contracts as to the merchant rate, hoteliers do not really understand how much they are really paying for processing due to the complexity of how charges are levied and how the charge card system really works.
They are usually paying more than they think. Card security is far more complex. Finance associates often tell you they understand payment card industry compliance and related matters and that your systems are secure.
However, we find in most cases they don’t fully understand all of the technology and the ways it can be attacked, and the IT staff often does not fully understand card processing security protocols, which usually fall outside their regular expertise.
You need to make credit card security a high priority due to the potential reputational and legal costs of a breach.
Don’t assume when your CFO says, “We are PCI compliant and safe,” that he is right. He might honestly think so, but he might not have a full understanding of card security or areas of vulnerability.
As we have seen, many do not really understand what they are being charged despite their financial and accounting sophistication and insistence to you that they do. Credit card and debit card transactions are very complex. There is real risk you might not even know is happening until it’s too late. As we’ve all read in the news, there have been successful attacks on top-secret programs at defense companies that thought their military secrets were secure.
The cost of a payment breach is severe. Association fines alone can exceed $500,000, which would cripple many businesses. Plaintiff lawyers jump in. National news reports proliferate as they did with White Lodging. While breach insurance is an option, there needs to be a focus instead on eliminating exposure and avoiding a breach completely.
Protecting against a breach
While PCI compliance is the first step in security, an added layer of protection is point-to-point encryption. Certain processors provide technology in which card data is encrypted at the point of entry, so that an attacker who gains access to a seemingly secure POS system cannot read the card data.
There is available a dual-layered payment card security solution that combines software- or hardware-based encryption with tokenization technology. This system secures the transaction from the moment of swipe—prior to transmission and throughout the payment process—with encryption and prevents card data from entering the merchant’s card data environment by replacing the primary account number with a random-number token.
The process works like this:
- Consumer presents card to merchant.
- Card data is encrypted and transmitted to processor front end.
- The processor front end decrypts the data payload.
- Card data is sent to issuing bank for authorization and, in parallel, tokenized.
- Token is paired with authorization response and sent back to the merchant.
- Merchant stores token instead of card data in their environment and uses token for all subsequent business processes.
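The flow above, as an added simulation that is not part of the original column or any processor's product: a terminal encrypts the swiped PAN before transmission, the processor front end decrypts it, authorizes it, issues a random token and keeps the token-to-PAN vault, and the merchant's folio holds only the token for later charges. The shared device key, the hash-based keystream standing in for the terminal's real cipher, the Luhn check standing in for the issuing bank, and the sample card number are all assumptions made for the example.

```python
import hashlib
import secrets

# Constructed sample PAN (a standard test number, not a real account).
SAMPLE_PAN = "4111111111111111"
# Assumption: the swipe device and the processor share a symmetric key (P2PE).
DEVICE_KEY = b"constructed-demo-key"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the terminal's real cipher: a counter-mode keystream from a hash.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.blake2b(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def terminal_encrypt(pan: str) -> bytes:
    # Step 2: card data is encrypted at the moment of swipe, before transmission.
    nonce, data = secrets.token_bytes(16), pan.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(DEVICE_KEY, nonce, len(data))))

class Processor:
    """Processor front end: decrypts, authorizes, tokenizes and holds the vault."""
    def __init__(self):
        self.vault = {}  # token -> PAN; this mapping exists only at the processor

    def authorize(self, payload: bytes) -> dict:
        nonce, body = payload[:16], payload[16:]           # step 3: decrypt payload
        pan = bytes(a ^ b for a, b in zip(body, _keystream(DEVICE_KEY, nonce, len(body)))).decode()
        approved = self._issuer_authorize(pan)             # step 4: issuer authorization
        token = secrets.token_hex(16)                      # step 4: random token, not derived from PAN
        self.vault[token] = pan
        return {"approved": approved, "token": token}      # step 5: token paired with response

    def charge_token(self, token: str, amount: float) -> bool:
        # Step 6 follow-up: later charges arrive with the token only; the vault resolves it.
        pan = self.vault.get(token)
        return pan is not None and self._issuer_authorize(pan)

    @staticmethod
    def _issuer_authorize(pan: str) -> bool:
        # Stand-in for the issuing bank: accept any PAN that passes the Luhn check.
        digits = [int(d) for d in pan][::-1]
        total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                    for i, d in enumerate(digits))
        return total % 10 == 0

def run_stay(processor: Processor, pan: str) -> dict:
    # Step 1 at check-in, then a spa charge during the stay; the folio never holds the PAN.
    response = processor.authorize(terminal_encrypt(pan))
    folio = {"token": response["token"], "checkin_approved": response["approved"]}
    folio["spa_charge_approved"] = processor.charge_token(folio["token"], 120.0)
    folio["pan_in_merchant_env"] = pan in str(folio)
    return folio
```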
The process eliminates exposure and removes the costly liability of a payment breach. It reduces the costs and time associated with PCI-mandated security scans and questionnaires. It improves efficiencies by allowing merchants to focus on projects that contribute to revenue rather than securing cardholder data.
Credit card security and identity theft are the biggest risks you face, financially and legally. These risks are potentially far greater than a single incident on the premises, a storm or any other damage short of the total destruction of the hotel. Simply believing your systems are fully secure because your staff says so is not always good enough. The technology is complex and often outside the expertise of your CFO or IT officer and their staff.
Joel Ross is principal of Citadel Realty Advisors, successor to Ross Properties, the investment banking and real-estate financing firm he launched in 1981. A pioneer in commercial mortgage-backed securities, Ross, along with Lexington Mortgage and in conjunction with Nomura, effectively reopened Wall Street to the hotel industry. A member of Urban Land Institute, Ross conceived and co-authored with PricewaterhouseCoopers The Hotel Mortgage Performance Report. Ross is also the author of Ross Rant, a commentary on the economy, financial markets and politics that is available through his website, www.citadelrealty.com.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.